baselineos 0.2.0-beta.1

package/dist/mcp/server.d.ts

@@ -0,0 +1,2651 @@
+import { WorkflowBudget, Task, Agent, TaskInput, TaskPriority, AgentRole, Checkpoint, VerificationResult, Review, ExecutionStep, TaskStatus, Artifact, WorkflowDefinition, OrchestratorEvent } from '../core/types.js';
+import { AgentBus, BusStats } from '../core/agent-bus.js';
+import { CollectionName, RAGResult, IngestionResult } from '../core/rag-engine.js';
+import { O as Orchestrator, E as ExecutionResult, D as DecompositionResult, a as ExecutionEngine } from '../orchestrator-DF89k_AK.js';
+import { MemoryScope, StoreOptions, RetrieveOptions } from '../core/memory.js';
+import { PolicyFilter, SearchResult, ContextLevel, Overlay, RetrievalBudget, Context } from '../core/indexer.js';
+import { BaselineConfig } from '../core/config.js';
+import { OPAPolicyGate } from '../core/opa-policy-gate.js';
+import { V as VersionEvalResult, T as TraceCurator, M as ModelVersionRegistry, P as ProductionEvalPipeline, a as VersionComparison } from '../llm-tracer-CIIujuO-.js';
+import '../core/cache.js';
+import { BaselineGovernSystem, ComplianceCheck, GovernanceAuditEvent, GovernEvidenceBundle, GovernResult } from '@baselineos/govern';
+import { TaskResult, MigrationMode, BaselineAutonomySystem, AgentStatusReport, IntegrationStatus, MigrationRecommendation } from '@baselineos/autonomy';
+import { EventEmitter } from 'eventemitter3';
+import { EventEmitter as EventEmitter$1 } from 'events';
+import { PiiDetector } from '../core/pii-detector.js';
+import '../core/task-queue.js';
+import { Client, WorkflowHandle } from '@temporalio/client';
+import 'zod';
+import '@baselineos/persona';
+import '../core/opa-client.js';
+
+/**
+ * BaselineOS MCP Server
+ *
+ * Model Context Protocol server for Claude Desktop and other MCP clients.
+ *
+ * @license Apache-2.0
+ */
+
+declare class MCPServer {
+    private baseline;
+    private server?;
+    private transport?;
+    private running;
+    constructor(baseline: Baseline);
+    start(): Promise<void>;
+    stop(): Promise<void>;
+    isRunning(): boolean;
+    private getTools;
+    private getResources;
+    private handleToolCall;
+    private enforceToolRisk;
+    private readResource;
+}
+
+/**
+ * DriftDetector — SIGNAL-060
+ *
+ * Monitors production eval score history to detect model quality drift.
+ * Drift is defined as a statistically meaningful decline in eval score
+ * over a rolling window of runs.
+ *
+ * Detection strategies:
+ *   threshold    — drift if latest score < (baseline − thresholdDrop)
+ *   trend        — drift if rolling-window slope is negative beyond slopeThreshold
+ *   consecutive  — drift if N consecutive runs are below the baseline mean
+ *
+ * On drift detection:
+ *   - Publishes governance:model-drift-detected on AgentBus
+ *   - Returns DriftReport with severity and recommended action
+ *   - Does NOT automatically trigger a cycle (caller decides)
+ *
+ * Usage:
+ *   const detector = new DriftDetector({ bus, thresholdDrop: 5, windowSize: 5 });
+ *   const report = detector.analyze(pipeline.getHistory('claude-sonnet-4-6'));
+ *   if (report.drifted) { cycleLog.startCycle('quality-drift', datasetSize); }
+ *
+ * @license Apache-2.0
+ */
+
+type DriftSeverity = 'none' | 'warning' | 'critical';
+type DriftStrategy = 'threshold' | 'trend' | 'consecutive';
+interface DriftReport {
+    modelId: string;
+    drifted: boolean;
+    severity: DriftSeverity;
+    strategy: DriftStrategy;
+    /** Current score (latest entry) */
+    currentScore: number;
+    /** Baseline score used for comparison (rolling mean of earlier entries) */
+    baselineScore: number;
+    /** currentScore − baselineScore (negative = regression) */
+    delta: number;
+    /** Number of entries analyzed */
+    samplesAnalyzed: number;
+    /** Recommended action */
+    recommendation: 'monitor' | 'investigate' | 'start-improvement-cycle';
+    timestamp: string;
+    details: string;
+}
+interface DriftDetectorConfig {
+    bus?: AgentBus;
+    /** Minimum number of history entries needed to analyze. Default: 3 */
+    minSamples?: number;
+    /** Rolling window size for baseline computation. Default: 5 */
+    windowSize?: number;
+    /** Score drop (absolute points) required to flag as drift. Default: 5 */
+    thresholdDrop?: number;
+    /** Score drop beyond which severity = 'critical'. Default: 10 */
+    criticalDrop?: number;
+    /**
+     * Minimum negative slope per step to flag trend drift. Default: -1.5
+     * Only used when strategy = 'trend'.
+     */
+    slopeThreshold?: number;
+    /**
+     * Number of consecutive below-baseline runs before flagging. Default: 3
+     * Only used when strategy = 'consecutive'.
+     */
+    consecutiveThreshold?: number;
+    /** Detection strategy. Default: 'threshold' */
+    strategy?: DriftStrategy;
+}
+declare class DriftDetector {
+    private readonly bus?;
+    private readonly minSamples;
+    private readonly windowSize;
+    private readonly thresholdDrop;
+    private readonly criticalDrop;
+    private readonly slopeThreshold;
+    private readonly consecutiveThreshold;
+    private readonly strategy;
+    constructor(config?: DriftDetectorConfig);
+    /**
+     * Analyze an array of VersionEvalResults for drift.
+     * Entries should be sorted oldest-first (as returned by getHistory()).
+     * Returns a DriftReport. If insufficient samples, returns severity='none'.
+     */
+    analyze(entries: VersionEvalResult[]): DriftReport;
+    /**
+     * Convenience: analyze entries and auto-start a cycle when drift detected.
+     * Returns the drift report; caller is responsible for acting on it.
+     */
+    check(entries: VersionEvalResult[]): DriftReport;
+    /** Compute baseline as rolling mean of the earlier (non-latest) window entries. */
+    private _computeBaseline;
+    private _analyzeThreshold;
+    private _analyzeTrend;
+    private _analyzeConsecutive;
+    private _noDrift;
+    private _driftReport;
+    private _emitEvent;
+}
+
+/**
+ * CostGuard — SIGNAL-030 + SIGNAL-052
+ *
+ * Per-workflow cost accumulation and auto-pause enforcement.
+ * Tracks token usage and estimated cost per workflow run, comparing
+ * accumulated spend against the WorkflowBudget configured for each
+ * workflow type.
+ *
+ * Auto-pause fires when ANY budget limit is exceeded:
+ *   - maxCostUsd     — total estimated USD spend
+ *   - maxTokens      — total tokens consumed
+ *   - maxSteps       — number of record() calls (proxy for LLM steps)
+ *
+ * When a threshold is crossed, CostGuard:
+ *   - Returns { paused: true } from check()
+ *   - Publishes governance:cost-threshold-exceeded on the AgentBus
+ *   - Does NOT fire duplicate events for the same workflow until reset()
+ *
+ * Default pricing: $9/1M tokens (blended sonnet-4-6 rate).
+ * Override per-workflow via WorkflowBudget.costPer1kTokensUsd.
+ *
+ * Usage:
+ *   const guard = new CostGuard({ bus });
+ *   guard.record('wf-1', { inputTokens: 1000, outputTokens: 200 }, budget);
+ *   const { paused, reason } = guard.check('wf-1', budget);
+ *   if (paused) { ... }
+ *   guard.reset('wf-1'); // on workflow completion/failure
+ *
+ * @license Apache-2.0
+ */
+
+interface CostGuardConfig {
+    bus?: AgentBus;
+    /** Default cost per 1k tokens when not specified in budget. Default: 0.009 */
+    defaultCostPer1kTokensUsd?: number;
+}
+interface TokenUsage {
+    inputTokens: number;
+    outputTokens: number;
+}
+interface WorkflowAccumulator {
+    totalTokens: number;
+    totalCostUsd: number;
+    steps: number;
+    /** True if a threshold-exceeded event has already been published */
+    alreadyPaused: boolean;
+}
+interface TenantCostSummary {
+    tenantId: string;
+    totalTokens: number;
+    totalCostUsd: number;
+    workflowCount: number;
+}
+interface CostCheckResult {
+    paused: boolean;
+    reason?: string;
+    accumulator: WorkflowAccumulator;
+}
+declare class CostGuard {
+    private readonly accumulators;
+    /** tenantId → { totalTokens, totalCostUsd, workflowIds } */
+    private readonly tenantAccumulators;
+    private readonly bus?;
+    private readonly defaultCostPer1k;
+    constructor(config?: CostGuardConfig);
+    /**
+     * Record token usage for a workflow step.
+     * Returns the updated accumulator after recording.
+     */
+    record(workflowId: string, usage: TokenUsage, budget?: WorkflowBudget): WorkflowAccumulator;
+    /**
+     * Check whether a workflow has exceeded its budget.
+     * Publishes governance:cost-threshold-exceeded on first crossing.
+     */
+    check(workflowId: string, budget?: WorkflowBudget): CostCheckResult;
+    /**
+     * Reset accumulator for a workflow (call on completion or failure).
+     */
+    reset(workflowId: string): void;
+    /** Return current accumulator snapshot without modifying state. */
+    snapshot(workflowId: string): WorkflowAccumulator;
+    /**
+     * Return cost summary grouped by tenantId (SIGNAL-052).
+     * Only includes tenants that have been passed via budget.tenantId.
+     */
+    getCostByTenant(): TenantCostSummary[];
+    private getOrCreate;
+}
+
+interface APIServerConfig {
+    port: number;
+    allowedOrigins?: string[];
+}
+declare class APIServer {
+    private app;
+    private server;
+    private wss;
+    private baseline;
+    private config;
+    private clients;
+    private unsubscribeEvents;
+    private metricsCounters;
+    /** Optional CostGuard for per-tenant cost metrics (SIGNAL-052) */
+    private costGuard?;
+    /** Optional TraceCurator for dataset size gauge (SIGNAL-049) */
+    private traceCurator?;
+    /** Optional ModelVersionRegistry for active model version gauge (SIGNAL-049) */
+    private modelVersionRegistry?;
+    /** Optional ProductionEvalPipeline for latest eval score gauge (SIGNAL-056) */
+    private productionEvalPipeline?;
+    /** Optional DriftDetector for model drift metrics (SIGNAL-071) */
+    private driftDetector?;
+    /** Optional OPAPolicyGate for SLO-6 latency metrics */
+    private opaPolicyGate?;
+    constructor(baseline: Baseline, config: APIServerConfig);
+    private setupMiddleware;
+    private setupRoutes;
+    private setupWebSocket;
+    private attachEventBridge;
+    private createTask;
+    private listTasks;
+    private getTask;
+    private cancelTask;
+    private approveTask;
+    private getTaskArtifacts;
+    private getTaskAudit;
+    private getTaskEvidence;
+    private listWorkflows;
+    private runWorkflow;
+    private getCheckpoint;
+    private recoverCheckpoint;
+    private listAgents;
+    private search;
+    private getContext;
+    private indexKnowledge;
+    private initDeployment;
+    private scanDeployment;
+    private scanPath;
+    private remember;
+    private recall;
+    private getStats;
+    private getMetrics;
+    /** Inject a CostGuard instance for per-tenant cost metrics (SIGNAL-052). */
+    setCostGuard(guard: CostGuard): void;
+    /** Inject a TraceCurator for the dataset-size gauge (SIGNAL-049). */
+    setTraceCurator(curator: TraceCurator): void;
+    /** Inject a ModelVersionRegistry for the active-model gauge (SIGNAL-049). */
+    setModelVersionRegistry(registry: ModelVersionRegistry): void;
+    /** Inject a ProductionEvalPipeline for the eval score gauge (SIGNAL-056). */
+    setProductionEvalPipeline(pipeline: ProductionEvalPipeline): void;
+    /** Inject a DriftDetector for model drift metrics (SIGNAL-071). */
+    setDriftDetector(detector: DriftDetector): void;
+    /** Inject an OPAPolicyGate for SLO-6 latency metrics. */
+    setOPAPolicyGate(gate: OPAPolicyGate): void;
+    private handleWebSocketMessage;
+    /**
+     * Broadcast message to all connected WebSocket clients.
+     */
+    broadcast(message: object): void;
+    private errorHandler;
+    private formatStartError;
+    start(): Promise<void>;
+    stop(): Promise<void>;
+}
+
+/**
+ * TradePass Governance Bridge
+ *
+ * Connects TradePass protocol verification to Baseline governance layer.
+ * Produces GovernanceAuditEvent records for every trade verification,
+ * enabling auditable governance trails on cross-border transactions.
+ */
+
+interface TradeContext {
+    tradeId: string;
+    protocol: 'TradePass' | 'GeoTag' | 'GCI' | 'VaultMark' | 'PvP' | 'PANX';
+    parties: Array<{
+        id: string;
+        role: 'exporter' | 'importer' | 'verifier' | 'regulator';
+        jurisdiction: string;
+    }>;
+    commodity: {
+        code: string;
+        description: string;
+        quantity: number;
+        unit: string;
+        value: number;
+        currency: string;
+    };
+    origin: {
+        country: string;
+        region?: string;
+        facility?: string;
+    };
+    destination: {
+        country: string;
+        region?: string;
+    };
+    documents: Array<{
+        type: string;
+        id: string;
+        verified: boolean;
+    }>;
+    standards: string[];
+    metadata?: Record<string, unknown>;
+}
+interface TradeVerificationResult {
+    tradeId: string;
+    verified: boolean;
+    complianceChecks: ComplianceCheck[];
+    riskLevel: 'low' | 'medium' | 'high' | 'critical';
+    auditEvents: GovernanceAuditEvent[];
+    evidenceBundle: GovernEvidenceBundle;
+    duration: number;
+    timestamp: Date;
+}
+declare class TradePassGovernanceBridge {
+    private govern;
+    private policyId;
+    constructor(govern?: BaselineGovernSystem);
+    initialize(): Promise<void>;
+    verifyWithGovernance(context: TradeContext): Promise<TradeVerificationResult>;
+    getTradeEvidenceBundle(tradeId: string): Promise<GovernEvidenceBundle>;
+    getComplianceReport(standard: string): Promise<GovernResult>;
+    getAuditTrail(tradeId?: string): GovernanceAuditEvent[];
+    private assessComplexity;
+    private assessImpact;
+}
+
+/**
+ * NDPC Compliance Gate
+ *
+ * Implements Ghana's National Data Protection Commission (NDPC) DPA 2012
+ * compliance checks. Gates AI agent actions and data migration flows,
+ * blocking non-compliant operations with detailed violation reports.
+ */
+
+interface NDPCContext {
+    dataSubject?: {
+        jurisdiction: string;
+        consentGiven: boolean;
+        consentScope?: string[];
+        consentDate?: Date;
+    };
+    dataProcessing: {
+        purpose: string;
+        categories: string[];
+        recipients?: string[];
+        crossBorderTransfer: boolean;
+        transferDestination?: string;
+    };
+    dataRetention: {
+        period?: number;
+        unit?: 'days' | 'months' | 'years';
+        justification?: string;
+    };
+    dataMinimization: {
+        fieldsCollected: string[];
+        fieldsRequired: string[];
+    };
+    operator: {
+        id: string;
+        role: string;
+    };
+    metadata?: Record<string, unknown>;
+}
+interface NDPCViolation {
+    rule: string;
+    description: string;
+    severity: 'low' | 'medium' | 'high' | 'critical';
+    remediation: string;
+}
+interface NDPCCheckResult {
+    compliant: boolean;
+    violations: NDPCViolation[];
+    complianceCheck: ComplianceCheck | undefined;
+    timestamp: Date;
+}
+declare class NDPCComplianceGate {
+    private govern;
+    constructor(govern?: BaselineGovernSystem);
+    check(context: NDPCContext): Promise<NDPCCheckResult>;
+    validate(context: NDPCContext): NDPCViolation[];
+    getReport(): Promise<GovernResult>;
+    isAdequateJurisdiction(countryCode: string): boolean;
+}
+
+/**
+ * Evidence Export
+ *
+ * Exports DFI-ready evidence bundles from the Baseline governance layer.
+ * Produces standalone JSON that external auditors can review without
+ * Baseline knowledge — self-describing, timestamped, signed metadata.
+ */
+
+interface DFIEvidenceBundle {
+    version: '1.0.0';
+    exportedAt: string;
+    exportedBy: string;
+    format: 'baseline-evidence-bundle';
+    metadata: {
+        policyId?: string;
+        resourceId?: string;
+        governanceSystem: string;
+        exportDuration: number;
+    };
+    summary: {
+        totalAuditEvents: number;
+        totalComplianceChecks: number;
+        totalApprovals: number;
+        overallCompliant: boolean;
+        riskLevel?: string;
+    };
+    policy?: {
+        id: string;
+        name: string;
+        description: string;
+        status: string;
+        createdAt: string;
+        updatedAt: string;
+    };
+    complianceChecks: Array<{
+        id: string;
+        standard: string;
+        compliant: boolean;
+        violations: string[];
+        checked: string;
+    }>;
+    approvals: Array<{
+        id: string;
+        policyId: string;
+        status: string;
+        approvals: Array<{
+            approver: string;
+            at: string;
+        }>;
+        rejections: Array<{
+            approver: string;
+            at: string;
+        }>;
+    }>;
+    auditTrail: Array<{
+        id: string;
+        type: string;
+        actor: string;
+        timestamp: string;
+        details: Record<string, unknown>;
+    }>;
+}
+interface ExportOptions {
+    policyId?: string;
+    resourceId?: string;
+    outputPath?: string;
+    operator?: string;
+    includeDetails?: boolean;
+}
+declare class EvidenceExporter {
+    private govern;
+    constructor(govern?: BaselineGovernSystem);
+    exportBundle(options?: ExportOptions): Promise<DFIEvidenceBundle>;
+    exportJSON(options?: ExportOptions): Promise<string>;
+    exportToFile(options: ExportOptions & {
+        outputPath: string;
+    }): Promise<{
+        path: string;
+        size: number;
+        duration: number;
+    }>;
+    exportSummary(bundle: DFIEvidenceBundle): string;
+    private extractRiskLevel;
+    /**
+     * Export evidence bundle as a self-contained HTML document suitable for
+     * PDF conversion (print to PDF from browser, or puppeteer/wkhtmltopdf).
+     * DFI partners can open this in any browser and print.
+     */
+    exportHTML(options?: ExportOptions): Promise<string>;
+    exportHTMLToFile(options: ExportOptions & {
+        outputPath: string;
+    }): Promise<{
+        path: string;
+        size: number;
+        duration: number;
+    }>;
+    private extractViolations;
+}
+
+/**
+ * Compliance-OS Bridge
+ *
+ * Integration bridge for compliance-os to consume @baselineos/govern.
+ * Maps ComplianceOS control lifecycle to Baseline governance policy lifecycle
+ * (create → approve → enforce), producing GovernEvidenceBundle artifacts
+ * and writing audit trail to .baseline/govern/audit-trail.json.
+ */
+
+interface ComplianceControl {
+    controlId: string;
+    name: string;
+    description: string;
+    standard: string;
+    jurisdiction: string;
+    severity: 'low' | 'medium' | 'high' | 'critical';
+    enforcement: 'advisory' | 'warn' | 'block';
+}
+interface ControlCheckContext {
+    controlId: string;
+    standard: string;
+    jurisdiction: string;
+    scope: string;
+    operator: string;
+    evidence?: Record<string, unknown>;
+    metadata?: Record<string, unknown>;
+}
+interface ControlCheckResult {
+    controlId: string;
+    compliant: boolean;
+    complianceCheck?: ComplianceCheck;
+    riskLevel: 'low' | 'medium' | 'high' | 'critical';
+    evidenceBundle: GovernEvidenceBundle;
+    auditEvents: GovernanceAuditEvent[];
+    duration: number;
+    timestamp: Date;
+}
+declare class ComplianceOSBridge {
+    private govern;
+    private controlPolicies;
+    constructor(govern?: BaselineGovernSystem);
+    registerControl(control: ComplianceControl): Promise<string>;
+    checkControl(context: ControlCheckContext): Promise<ControlCheckResult>;
+    getComplianceEvidence(controlId: string): Promise<GovernEvidenceBundle>;
+    getComplianceReport(standard: string): Promise<GovernResult>;
+    getAuditTrail(controlId?: string): GovernanceAuditEvent[];
+    getRegisteredControls(): string[];
+}
+
+/**
+ * Sensei-AI Bridge
+ *
+ * Integration bridge for sensei-ai (AMIS) to consume @baselineos/autonomy.
+ * Wraps BaselineAutonomySystem and BaselineAutonomyIntegration for
+ * migration task orchestration with safety governance and audit trail.
+ */
+
+interface MigrationTaskContext {
+    projectId: string;
+    taskDescription: string;
+    sourceSystem: string;
+    targetSystem: string;
+    dataType: 'structured' | 'unstructured' | 'mixed';
+    recordCount?: number;
+    hasPII?: boolean;
+    complianceRequired?: boolean;
+    impactLevel?: 'low' | 'medium' | 'high';
+}
+interface MigrationResult {
+    agentId: string;
+    taskResult: TaskResult;
+    trustScore: number;
+    safetyLevel: string;
+    migrationMode: MigrationMode;
+    duration: number;
+    timestamp: Date;
+}
+interface MigrationAuditEntry {
+    agentId: string;
+    agentName: string;
+    trustScore: number;
+    safetyLevel: string;
+    tasksCompleted: number;
+    tasksFailed: number;
+    status: string;
+}
+declare class SenseiAIBridge {
+    private autonomy;
+    private integration;
+    private migrationAgents;
+    constructor(autonomy?: BaselineAutonomySystem);
+    initialize(mode?: MigrationMode): Promise<void>;
+    createMigrationAgent(context: MigrationTaskContext): Promise<AgentStatusReport>;
+    executeMigration(context: MigrationTaskContext): Promise<MigrationResult>;
+    getIntegrationStatus(): IntegrationStatus;
+    getMigrationRecommendations(): MigrationRecommendation[];
+    getMigrationAudit(projectId?: string): MigrationAuditEntry[];
+    shutdown(): Promise<void>;
+}
+
+/**
+ * Governance Validator
+ *
+ * Wires the 7 governance pillar validators (policy, risk, compliance,
+ * approval, permission, cost, evidence) to the orchestrator's execution
+ * lifecycle via pre-execution and post-execution hooks.
+ *
+ * @license Apache-2.0
+ */
+
+interface GovernanceValidatorConfig {
+    policy: {
+        enabled: boolean;
+        enforcement: 'advisory' | 'warn' | 'block';
+    };
+    risk: {
+        enabled: boolean;
+        blockOnCritical: boolean;
+    };
+    compliance: {
+        enabled: boolean;
+        standards: string[];
+    };
+    approval: {
+        enabled: boolean;
+        requiredApprovers: string[];
+    };
+    permission: {
+        enabled: boolean;
+    };
+    cost: {
+        enabled: boolean;
+        maxBudgetUsd?: number;
+    };
+    evidence: {
+        enabled: boolean;
+        autoExport: boolean;
+        exportPath: string;
+    };
+}
+interface GovernanceValidationResult {
+    passed: boolean;
+    blocked: boolean;
+    pillarResults: PillarResult[];
+    auditEvents: GovernanceAuditEvent[];
+}
+interface PillarResult {
+    pillar: string;
+    enabled: boolean;
+    passed: boolean;
+    blocked: boolean;
+    details: string;
+}
+declare class GovernanceValidator {
+    private govern;
+    private config;
+    constructor(govern: BaselineGovernSystem, config?: Partial<GovernanceValidatorConfig>);
+    /**
+     * Pre-execution validation: risk assessment, permission check, approval gate.
+     * Runs BEFORE the task is executed. Can block execution.
+     */
+    preExecution(task: Task, actor: string): Promise<GovernanceValidationResult>;
+    /**
+     * Post-execution validation: policy enforcement, compliance check,
+     * cost tracking, evidence generation. Runs AFTER execution completes.
+     */
+    postExecution(task: Task, actor: string, output: {
+        tokensUsed: number;
+        duration: number;
+    }): Promise<GovernanceValidationResult>;
+    private mapComplexity;
+    private mapPriority;
+}
+
+/**
+ * Trust Sync Protocol
+ *
+ * Synchronizes trust scoring between the Orchestrator (core runtime)
+ * and the Autonomy layer (agent lifecycle). Ensures a single source
+ * of truth for agent trust scores across both systems.
+ *
+ * @license Apache-2.0
+ */
+
+interface TrustSyncTarget {
+    /** Get the current trust score for an agent */
+    getTrustScore(agentId: string): number | undefined;
+    /** Update the trust score for an agent */
+    setTrustScore(agentId: string, score: number): void;
+}
+interface TrustSyncEvent {
+    agentId: string;
+    previousScore: number;
+    newScore: number;
+    source: 'orchestrator' | 'autonomy';
+    success: boolean;
+    timestamp: number;
+}
+declare class TrustSyncProtocol {
+    private orchestrator;
+    private targets;
+    private history;
+    private maxHistory;
+    constructor(orchestrator: Orchestrator, opts?: {
+        maxHistory?: number;
+    });
+    /**
+     * Register a sync target (e.g., autonomy system).
+     * Trust updates from the orchestrator will propagate to all registered targets.
+     */
+    registerTarget(name: string, target: TrustSyncTarget): void;
+    /**
+     * Remove a sync target.
+     */
+    unregisterTarget(name: string): void;
+    /**
+     * Handle a trust update from the orchestrator.
+     * Propagates the new trust score to all registered targets.
+     */
+    handleOrchestratorUpdate(agentId: string, newScore: number, success: boolean): void;
+    /**
+     * Handle a trust update from an autonomy target.
+     * Propagates the new trust score to the orchestrator's agent record.
+     */
+    handleAutonomyUpdate(agentId: string, newScore: number, success: boolean): void;
+    /**
+     * Get sync history for auditing.
+     */
+    getHistory(): TrustSyncEvent[];
+    /**
+     * Get the current trust score for an agent from the orchestrator.
+     */
+    getScore(agentId: string): number | undefined;
+    /**
+     * Get all registered target names.
+     */
+    getTargetNames(): string[];
+    private recordEvent;
+}
+
+/**
+ * Agentic Bridge
+ *
+ * Integration surface for the `1-agentic` repo to consume Baseline
+ * governance, trust scoring, and task lifecycle. This bridge is the
+ * canonical entry point for connecting GTCX's autonomous agent
+ * infrastructure with Baseline's governance engine.
+ *
+ * Usage in 1-agentic:
+ * ```typescript
+ * import { AgenticBridge } from 'baselineos';
+ *
+ * const bridge = new AgenticBridge({ persistPath: '.baseline/govern' });
+ * await bridge.initialize();
+ *
+ * // Register an agent
+ * bridge.registerAgent({ id: 'planner-1', name: 'Task Planner', ... });
+ *
+ * // Execute with governance
+ * const result = await bridge.executeWithGovernance(task, 'planner-1');
+ * ```
+ *
+ * @license Apache-2.0
+ */
+
+interface AgenticBridgeConfig {
+    persistPath?: string;
+    governance?: Partial<GovernanceValidatorConfig>;
+    trustGrowthRate?: number;
+    trustDecayRate?: number;
+    trustMinimum?: number;
+}
+interface SafetyRule$1 {
+    id: string;
+    name: string;
+    description: string;
+    severity: 'warning' | 'blocking';
+    check: (task: Task, agent: Agent) => SafetyCheckResult;
+}
+interface SafetyCheckResult {
+    passed: boolean;
+    ruleId: string;
+    message: string;
+}
+interface SafetyViolation {
+    ruleId: string;
+    ruleName: string;
+    severity: 'warning' | 'blocking';
+    agentId: string;
+    taskId: string;
+    message: string;
+    timestamp: Date;
+}
+interface AgenticExecutionResult {
+    task: Task;
+    preValidation: GovernanceValidationResult;
+    postValidation: GovernanceValidationResult;
+    safetyChecks: SafetyCheckResult[];
+    safetyViolations: SafetyViolation[];
+    blocked: boolean;
+    blockReason?: string;
+}
+declare class AgenticBridge {
+    private orchestrator;
+    private govern;
+    private validator;
+    private trustSync;
+    private safetyRules;
+    private initialized;
+    constructor(config?: AgenticBridgeConfig);
+    /**
+     * Initialize the bridge. Must be called before use.
+     */
+    initialize(): Promise<void>;
+    /**
+     * Register an external trust sync target (e.g., 1-agentic's agent registry).
+     */
+    registerTrustTarget(name: string, target: TrustSyncTarget): void;
+    /**
+     * Register an agent with the orchestrator.
+     */
+    registerAgent(agent: Omit<Agent, 'createdAt' | 'lastActiveAt'>): Agent;
+    /**
+     * Register a safety rule that is checked before every task execution.
+     */
+    registerSafetyRule(rule: SafetyRule$1): void;
+    /**
+     * Execute a task with full governance: safety checks → pre-validation →
+     * task execution → post-validation → evidence generation.
+     */
+    executeWithGovernance(input: TaskInput, actorAgentId: string): Promise<AgenticExecutionResult>;
+    /**
+     * Select the best available agent for a task.
+     */
+    selectAgent(task: Task): Agent | undefined;
+    /**
+     * Get the trust score for an agent.
+     */
+    getTrustScore(agentId: string): number | undefined;
+    /**
+     * Get the evidence bundle for a policy.
+     */
+    getEvidenceBundle(policyId: string, resourceId?: string): GovernEvidenceBundle;
+    /**
+     * Get the full audit trail.
+     */
+    getAuditTrail(policyId?: string): GovernanceAuditEvent[];
+    /**
+     * Get all registered agents.
+     */
+    getAgents(): Agent[];
+    /**
+     * Get all registered safety rules.
+     */
+    getSafetyRules(): SafetyRule$1[];
+    /**
+     * Get the trust sync protocol instance for advanced usage.
+     */
+    getTrustSync(): TrustSyncProtocol;
+    /**
+     * Get the governance system instance for advanced usage.
+     */
+    getGovernSystem(): BaselineGovernSystem;
+    private ensureInitialized;
+}
+
+/**
+ * CommandCenter — Capacity-aware task controller for BaselineOS
+ *
+ * Sits on top of the Orchestrator to add:
+ * - Priority queue with backpressure
+ * - Load-balanced agent allocation
+ * - Retry with exponential backoff
+ * - Escalation batching
+ * - Real-time metrics (throughput, utilization, queue depth)
+ *
+ * @license Apache-2.0
+ */
+
+interface CommandCenterConfig {
+    /** Maximum tasks that can execute concurrently */
+    maxConcurrent: number;
+    /** Maximum queue depth before rejecting new tasks */
+    maxQueueDepth: number;
+    /** Base delay for retry backoff (ms) */
+    retryBaseDelayMs: number;
+    /** Maximum retry delay (ms) */
+    retryMaxDelayMs: number;
+    /** Maximum retries before escalation */
+    maxRetries: number;
+    /** How often to drain the queue (ms) */
+    drainIntervalMs: number;
+    /** Agent idle timeout before marking offline (ms) */
+    agentIdleTimeoutMs: number;
+    /** Minimum agent trust score for task assignment */
+    minTrustScore: number;
+}
+interface QueuedTask {
+    id: string;
+    input: TaskInput;
+    priority: TaskPriority;
+    enqueuedAt: number;
+    retries: number;
+    lastError?: string;
+    taskId?: string;
+    affinityAgent?: string;
+}
+type CommandCenterStatus = 'idle' | 'running' | 'draining' | 'stopped';
+type CommandCenterEventType = 'task:queued' | 'task:dispatched' | 'task:retrying' | 'task:escalated' | 'task:rejected' | 'queue:backpressure' | 'queue:drained' | 'agent:overloaded' | 'metrics:snapshot';
+interface CommandCenterEvent {
+    type: CommandCenterEventType;
+    timestamp: number;
+    data: Record<string, unknown>;
+}
+interface CommandCenterMetrics {
+    queueDepth: number;
+    activeCount: number;
+    totalDispatched: number;
+    totalCompleted: number;
+    totalFailed: number;
+    totalRetried: number;
+    totalEscalated: number;
+    totalRejected: number;
+    avgWaitTimeMs: number;
+    avgExecutionTimeMs: number;
+    throughputPerMinute: number;
+    agentUtilization: Record<string, number>;
+}
+declare class CommandCenter extends EventEmitter<{
+    [K in CommandCenterEventType]: (event: CommandCenterEvent) => void;
+}> {
+    private config;
+    private orchestrator;
+    private queue;
+    private active;
+    private status;
+    private drainTimer;
+    private totalDispatched;
+    private totalCompleted;
+    private totalFailed;
+    private totalRetried;
+    private totalEscalated;
+    private totalRejected;
+    private waitTimes;
+    private executionTimes;
+    private completionTimestamps;
+    constructor(orchestrator: Orchestrator, config?: Partial<CommandCenterConfig>);
+    start(): void;
+    stop(): void;
+    getStatus(): CommandCenterStatus;
+    submit(input: TaskInput, options?: {
+        affinityAgent?: string;
+    }): QueuedTask | null;
+    getQueueDepth(): number;
+    getActiveCount(): number;
+    getQueue(): readonly QueuedTask[];
+    private insertByPriority;
+    drain(): void;
+    private selectAgent;
+    private hasCapabilityOverlap;
+    private capabilityOverlapRatio;
+    private dispatch;
+    private handleCompletion;
+    private handleFailure;
+    private attachOrchestratorListeners;
+    getMetrics(): CommandCenterMetrics;
+    resetMetrics(): void;
+    private avg;
+}
+
+/**
+ * Specialized Agent Definitions for BaselineOS Command Center
+ *
+ * 8 purpose-built agents with distinct capabilities, domains, and roles.
+ * Each agent is designed for a specific class of work within the GTCX ecosystem.
+ *
+ * @license Apache-2.0
+ */
+
+interface AgentDefinition {
+    id: string;
+    name: string;
+    role: AgentRole;
+    capabilities: string[];
+    domains: string[];
+    description: string;
+    maxConcurrentTasks: number;
+    autoVerify: boolean;
+    escalationThreshold: number;
+}
+declare const SPECIALIZED_AGENTS: AgentDefinition[];
+declare function createAgentFromDefinition(def: AgentDefinition, defaultTrustScore?: number): Agent;
+declare function getAgentDefinition(agentId: string): AgentDefinition | undefined;
+declare function getAgentsByCapability(capability: string): AgentDefinition[];
+declare function getAgentsByDomain(domain: string): AgentDefinition[];
+
+/**
+ * AgentExecutor — Wires specialized agents to the execution engine
+ *
+ * Connects agent definitions to persona-specific system prompts,
+ * records per-agent tool usage evidence, and applies specialty-weighted
+ * trust scoring on completion.
+ *
+ * @license Apache-2.0
+ */
+
+interface AgentExecutionRecord {
+    id: string;
+    agentId: string;
+    taskId: string;
+    persona: string;
+    startedAt: number;
+    completedAt?: number;
+    durationMs?: number;
+    tokensUsed: number;
+    toolCalls: ToolCallRecord[];
+    complianceScore: number;
+    complianceViolations: string[];
+    outcome: 'success' | 'failure' | 'blocked';
+    trustBefore: number;
+    trustAfter: number;
+    artifacts: string[];
+}
+interface ToolCallRecord {
+    tool: string;
+    timestamp: number;
+    durationMs: number;
+    input: Record<string, unknown>;
+    success: boolean;
+    error?: string;
+}
+interface AgentExecutorConfig {
+    /** Trust score bonus multiplier for specialty-matched tasks (default 1.5) */
+    specialtyBonusMultiplier: number;
+    /** Trust score penalty multiplier for out-of-specialty failures (default 0.5) */
+    outOfSpecialtyPenaltyMultiplier: number;
+    /** Maximum execution records to keep in memory */
+    maxRecords: number;
+}
+type AgentExecutorEventType = 'execution:started' | 'execution:completed' | 'execution:failed' | 'trust:adjusted';
+interface AgentExecutorEvent {
+    type: AgentExecutorEventType;
+    timestamp: number;
+    data: Record<string, unknown>;
+}
+declare class AgentExecutor extends EventEmitter<{
+    [K in AgentExecutorEventType]: (event: AgentExecutorEvent) => void;
+}> {
+    private config;
+    private orchestrator;
+    private records;
+    private activeExecutions;
+    constructor(orchestrator: Orchestrator, config?: Partial<AgentExecutorConfig>);
+    recordExecutionStart(agentId: string, taskId: string): AgentExecutionRecord;
+    recordToolCall(recordId: string, call: ToolCallRecord): void;
+    completeExecution(recordId: string, result: ExecutionResult, task: Task): AgentExecutionRecord | null;
+    private calculateTrustDelta;
+    private isSpecialtyMatch;
+    resolvePersona(agentId: string): string;
+    getRecords(filter?: {
+        agentId?: string;
+        taskId?: string;
+    }): AgentExecutionRecord[];
+    getAgentStats(agentId: string): {
+        totalExecutions: number;
+        successRate: number;
+        avgDurationMs: number;
+        avgTokensUsed: number;
+        avgComplianceScore: number;
+        specialtyMatchRate: number;
+    };
+    getActiveExecutions(): AgentExecutionRecord[];
+}
+
+/**
+ * Task Handoff Protocol — Cross-agent task chaining
+ *
+ * Enables output of one agent to feed as input to the next,
+ * forming multi-step pipelines across specialized agents.
+ *
+ * @license Apache-2.0
+ */
+
+interface PipelineStep {
+    id: string;
+    capability: string;
+    description: string;
+    dependsOn: string[];
+    affinityAgent?: string;
+    input?: Record<string, unknown>;
+}
+interface Pipeline {
+    id: string;
+    name: string;
+    steps: PipelineStep[];
+    priority: TaskPriority;
+    createdAt: number;
+}
+interface PipelineExecution {
+    id: string;
+    pipelineId: string;
+    steps: PipelineStepExecution[];
+    status: 'pending' | 'running' | 'completed' | 'failed';
+    startedAt?: number;
+    completedAt?: number;
+}
+interface PipelineStepExecution {
+    stepId: string;
+    status: 'pending' | 'running' | 'completed' | 'failed' | 'skipped';
+    agentId?: string;
+    taskId?: string;
+    output?: unknown;
+    error?: string;
+    startedAt?: number;
+    completedAt?: number;
+}
+interface HandoffContext {
+    fromAgent: string;
+    toAgent: string;
+    fromStep: string;
+    toStep: string;
+    payload: Record<string, unknown>;
+    timestamp: number;
+}
+declare function createPipeline(name: string, steps: Array<Omit<PipelineStep, 'id'>>, priority?: TaskPriority): Pipeline;
+declare function createPipelineExecution(pipeline: Pipeline): PipelineExecution;
+declare function getReadySteps(execution: PipelineExecution, pipeline: Pipeline): PipelineStep[];
+declare function isComplete(execution: PipelineExecution): boolean;
+declare function isFailed(execution: PipelineExecution): boolean;
+declare function createHandoff(fromAgent: string, toAgent: string, fromStep: string, toStep: string, payload: Record<string, unknown>): HandoffContext;
+declare function buildStepTaskInput(step: PipelineStep, pipeline: Pipeline, priorOutputs: Map<string, unknown>): TaskInput;
+declare const STANDARD_PIPELINES: {
+    'code-review': Pipeline;
+    'compliance-check': Pipeline;
+    migration: Pipeline;
+    'feature-delivery': Pipeline;
+};
+
+/**
+ * Layer 4 — Agile Agents
+ *
+ * Cross-repo dependency graph, velocity tracking against charter commitments,
+ * and automated standup synthesis from git activity.
+ *
+ * @license Apache-2.0
+ */
+interface RepoNode {
+    id: string;
+    name: string;
+    path: string;
+    packages: string[];
+    dependencies: string[];
+}
+interface DependencyEdge {
+    from: string;
+    to: string;
+    type: 'runtime' | 'dev' | 'peer' | 'integration';
+    package?: string;
+}
+interface DependencyGraph {
+    repos: RepoNode[];
+    edges: DependencyEdge[];
+    createdAt: number;
+}
+interface BlockerAnalysis {
+    repo: string;
+    blockedBy: string[];
+    blocking: string[];
+    criticalPath: boolean;
+}
+declare function createDependencyGraph(repos: RepoNode[], edges: DependencyEdge[]): DependencyGraph;
+declare function findBlockers(graph: DependencyGraph, repoId: string): BlockerAnalysis;
+declare function getTopologicalOrder(graph: DependencyGraph): string[];
+declare function detectCycles(graph: DependencyGraph): string[][];
+interface CharterCommitment {
+    id: string;
+    description: string;
+    targetDate: string;
+    status: 'on-track' | 'at-risk' | 'blocked' | 'completed' | 'deferred';
+    progressPercent: number;
+    owner?: string;
+}
+interface VelocitySnapshot {
+    id: string;
+    period: string;
+    commitments: CharterCommitment[];
+    completedCount: number;
+    totalCount: number;
+    velocityRate: number;
+    projectedCompletionDate?: string;
+    blockers: string[];
+    createdAt: number;
+}
+declare function createVelocitySnapshot(period: string, commitments: CharterCommitment[]): VelocitySnapshot;
+declare function projectCompletion(snapshot: VelocitySnapshot, sprintsPerPeriod?: number): string | null;
+interface GitActivity {
+    repo: string;
+    branch: string;
+    commits: Array<{
+        hash: string;
+        message: string;
+        author: string;
+        date: string;
+        filesChanged: number;
+    }>;
+    pullRequests: Array<{
+        number: number;
+        title: string;
+        status: 'open' | 'merged' | 'closed';
+        author: string;
+    }>;
+}
+interface StandupEntry {
+    repo: string;
+    yesterday: string[];
+    today: string[];
+    blockers: string[];
+}
+interface StandupSynthesis {
+    id: string;
+    date: string;
+    entries: StandupEntry[];
+    summary: string;
+    crossRepoBlockers: string[];
+    createdAt: number;
+}
+declare function synthesizeStandup(activities: GitActivity[], date: string): StandupSynthesis;
+declare const GTCX_REPOS: RepoNode[];
+declare const GTCX_EDGES: DependencyEdge[];
+declare function createGTCXGraph(): DependencyGraph;
+
+/**
+ * BaselineOS Security Manager
+ *
+ * Implements the security specification:
+ * - Layer 1: ABAC permission model (grant, check, revoke)
+ * - Layer 2: Risk gating (tool classification, escalation enforcement)
+ * - Layer 3: Compliance gate integration
+ * - Safety enforcement rules with trust-based access tiers
+ * - Unified audit trail
+ *
+ * @license Apache-2.0
+ */
+
+interface Permission {
+    id: string;
+    subject: string;
+    resource: string;
+    action: string;
+    granted: Date;
+    revoked?: Date;
+    status: 'active' | 'revoked';
+    options: Record<string, unknown>;
+}
+type SecurityAuditEventType = 'permission_granted' | 'permission_revoked' | 'policy_evaluated' | 'policy_enforced' | 'approval_requested' | 'approval_reviewed' | 'compliance_checked';
+interface SecurityAuditEntry {
+    id: string;
+    type: SecurityAuditEventType;
+    timestamp: Date;
+    actor: string;
+    subject?: string;
+    resource?: string;
+    action?: string;
+    result: 'allowed' | 'denied' | 'pending';
+    details: Record<string, unknown>;
+}
+type ToolRiskLevel = 'low' | 'medium' | 'high';
+interface ToolRiskClassification {
+    level: ToolRiskLevel;
+    requiresEscalation: boolean;
+    reason: string;
+}
+interface SafetyRule {
+    id: string;
+    name: string;
+    validate: (context: SafetyContext) => SafetyResult;
+}
+interface SafetyContext {
+    description: string;
+    requiredCapabilities: string[];
+    agentCapabilities: string[];
+    trustScore: number;
+    systemImpact: 'low' | 'medium' | 'high';
+    dataTypes?: string[];
+}
+interface SafetyResult {
+    passed: boolean;
+    rule: string;
+    reason?: string;
+}
+type TrustTier = 'full_autonomy' | 'supervised' | 'requires_approval' | 'suspended';
+interface SecurityManagerConfig {
+    trustMinimum?: number;
+    defaultTrustTier?: TrustTier;
+    auditPersistPath?: string;
+}
+declare function getTrustTier(trustScore: number): TrustTier;
+declare class SecurityManager extends EventEmitter$1 {
+    private permissions;
+    private auditTrail;
+    private toolRisks;
+    private config;
+    constructor(config?: SecurityManagerConfig);
+    grantPermission(subject: string, resource: string, action: string, actor: string, options?: Record<string, unknown>): Permission;
+    checkPermission(subject: string, resource: string, action: string, actor: string): boolean;
+    revokePermission(permissionId: string, actor: string): boolean;
+    getPermission(id: string): Permission | undefined;
+    getPermissionsForSubject(subject: string): Permission[];
+    registerToolRisk(toolName: string, classification: ToolRiskClassification): void;
+    getToolRisk(toolName: string): ToolRiskClassification | undefined;
+    checkToolAccess(toolName: string, args: Record<string, unknown>, actor: string): {
+        allowed: boolean;
+        reason?: string;
+    };
+    getAllToolRisks(): Record<string, ToolRiskClassification>;
+    evaluateSafety(context: SafetyContext): {
+        passed: boolean;
+        results: SafetyResult[];
+    };
+    getSafetyRules(): SafetyRule[];
+    getTrustTier(trustScore: number): TrustTier;
+    canExecute(trustScore: number): boolean;
+    private recordAudit;
+    getAuditTrail(filter?: {
+        type?: SecurityAuditEventType;
+        actor?: string;
+        resource?: string;
+    }): SecurityAuditEntry[];
+    getAuditCount(): number;
+    getStats(): Record<string, unknown>;
+}
+
+/**
+ * OutputValidator — SIGNAL-027
+ *
+ * Post-execution validation gate applied to every agent output before
+ * it is committed as an artifact.  Three checks run in order:
+ *
+ *   1. PII scan   — detects residual PII that the LLM may have reproduced
+ *                   from context; fails if any match is found.
+ *   2. Refusal    — detects model-refusal patterns that indicate the engine
+ *                   returned a non-answer rather than a real result.
+ *   3. Schema     — optional JSON-schema-style structural conformance check
+ *                   against caller-supplied `requiredFields`.
+ *
+ * On any failure the validator:
+ *   - Returns a structured `OutputValidationResult` with `valid: false`
+ *   - Publishes `governance:output-validation-failed` on the AgentBus
+ *   - Sets OTel span attributes for traceability
+ *
+ * Usage:
+ *   const validator = new OutputValidator({ bus, piiDetector });
+ *   const result = await validator.validate(output, { taskId, agentId });
+ *   if (!result.valid) { ... }
+ *
+ * @license Apache-2.0
+ */
+
+type OutputValidationFailureReason = 'pii-detected' | 'refusal-detected' | 'schema-violation' | 'empty-output';
+interface OutputValidationFailure {
+    reason: OutputValidationFailureReason;
+    detail: string;
+}
+interface OutputValidationResult {
+    valid: boolean;
+    failures: OutputValidationFailure[];
+    /** Output text after PII redaction (only differs from input when PII found in non-blocking mode) */
+    sanitized: string;
+}
+interface ValidateOptions {
+    /** Task ID for bus event and span attributes */
+    taskId?: string;
+    /** Agent ID for bus event and span attributes */
+    agentId?: string;
+    /**
+     * When provided, the output is parsed as JSON and each listed key must
+     * be present and non-null in the top-level object.
+     */
+    requiredFields?: string[];
+}
+interface OutputValidatorConfig {
+    /** PiiDetector instance. When omitted, PII scanning is skipped. */
+    piiDetector?: PiiDetector;
+    /** AgentBus for publishing governance:output-validation-failed events. */
+    bus?: AgentBus;
+    /**
+     * Whether to fail on PII in output (default: true).
+     * Set to false to redact silently without marking as invalid.
+     */
+    failOnPii?: boolean;
+}
+declare class OutputValidator {
+    private readonly piiDetector?;
+    private readonly bus?;
+    private readonly failOnPii;
+    constructor(config?: OutputValidatorConfig);
+    validate(output: string, options?: ValidateOptions): Promise<OutputValidationResult>;
+}
+
+/**
+ * CredentialProvider — SIGNAL-028 + SIGNAL-041
+ *
+ * Dynamic, per-workflow credential scoping with TTL enforcement.
+ * Prevents workflow runs from sharing credentials and enables runtime
+ * injection / revocation without process restarts.
+ *
+ * TTL enforcement (SIGNAL-041):
+ *   - Every credential can carry an optional `expiresAt` timestamp.
+ *   - get() throws CredentialExpiredError for expired entries.
+ *   - rotate() replaces a credential and optionally resets its TTL.
+ *   - listExpiring(withinMs) surfaces credentials about to expire.
+ *   - Bus event 'governance:credential-expired' fires on expiry detection.
+ *
+ * Design:
+ *   - Global registry holds base credentials keyed by service name.
+ *   - Per-workflow overlay is registered at workflow start and revoked at end.
+ *   - get() resolves: workflow scope → global registry → process.env fallback.
+ *   - Every access (including misses) is published as a governance bus event
+ *     so the audit trail captures which credentials each workflow touched.
+ *
+ * @license Apache-2.0
+ */
+
+interface CredentialProviderConfig {
+    /** AgentBus for publishing governance:credential-accessed events. */
+    bus?: AgentBus;
+    /**
+     * When true, get() falls back to process.env[`${SERVICE}_API_KEY`] when no
+     * registered value is found. Default: true.
+     */
+    envFallback?: boolean;
+}
+interface CredentialEntry {
+    value: string;
+    /** Unix ms timestamp when this credential expires. Undefined = no expiry. */
+    expiresAt?: number;
+}
+interface CredentialAccessEvent {
+    service: string;
+    workflowId: string | undefined;
+    /** 'workflow-scope' | 'global' | 'env' | 'miss' */
+    source: 'workflow-scope' | 'global' | 'env' | 'miss';
+}
+interface ExpiringCredential {
+    service: string;
+    workflowId?: string;
+    expiresAt: number;
+    msRemaining: number;
+}
+declare class CredentialExpiredError extends Error {
+    readonly service: string;
+    readonly expiresAt: number;
+    constructor(service: string, expiresAt: number);
+}
+declare class CredentialProvider {
+    private readonly global;
+    private readonly workflows;
+    private readonly bus?;
+    private readonly envFallback;
+    constructor(config?: CredentialProviderConfig);
+    /**
+     * Register a global credential for a service.
+     * @param service   Service name (e.g. 'anthropic')
+     * @param value     Credential value (API key, token, etc.)
+     * @param ttlMs     Optional TTL in milliseconds from now.
+     */
+    register(service: string, value: string | undefined, ttlMs?: number): void;
+    /**
+     * Register a map of per-workflow credentials.
+     * @param workflowId  Workflow run identifier
+     * @param credentials Map of service → value (or service → CredentialEntry)
+     * @param ttlMs       Default TTL applied to all values without explicit expiresAt
+     */
+    registerWorkflow(workflowId: string, credentials: Record<string, string | CredentialEntry>, ttlMs?: number): void;
+    /**
+     * Revoke all credentials registered for a workflow.
+     */
+    revokeWorkflow(workflowId: string): void;
+    /**
+     * Rotate a credential (global or workflow-scoped).
+     * Replaces the existing value and optionally resets the TTL.
+     *
+     * @param service     Service name
+     * @param newValue    New credential value
+     * @param ttlMs       New TTL in ms from now. Omit to clear expiry.
+     * @param workflowId  If provided, rotates the workflow-scoped credential.
+     */
+    rotate(service: string, newValue: string, ttlMs?: number, workflowId?: string): void;
+    /**
+     * Returns credentials (global + all workflow scopes) that will expire
+     * within the given window.
+     *
+     * @param withinMs  Look-ahead window in milliseconds (e.g. 60_000 for 1 min)
+     */
+    listExpiring(withinMs: number): ExpiringCredential[];
+    /**
+     * Retrieve a credential for a service, scoped to an optional workflow.
+     * Resolution order: workflow scope → global registry → process.env → undefined.
+     *
+     * @throws CredentialExpiredError if the resolved credential has passed its expiresAt.
+     */
+    get(service: string, workflowId?: string): string | undefined;
+    /** Returns the set of services with registered global credentials. */
+    registeredServices(): string[];
+    /** Returns the set of active workflow IDs with scoped credentials. */
+    activeWorkflows(): string[];
+}
+
+/**
+ * RollbackManager — SIGNAL-029
+ *
+ * Formal rollback definition and execution for autonomous workflows.
+ * Provides a structured rollback contract on top of the existing Checkpoint
+ * infrastructure so that rollbacks are traceable, auditable, and testable.
+ *
+ * Responsibilities:
+ *   - Select the best eligible rollback checkpoint from a candidate list
+ *   - Restore a task to its prior state (status, context, artifacts)
+ *   - Publish governance:rollback-triggered on the AgentBus
+ *   - Return a typed RollbackResult for callers to act on
+ *
+ * Eligibility rules for a checkpoint:
+ *   - recoverable: true
+ *   - Not expired (expiresAt > Date.now() OR no expiresAt)
+ *
+ * Usage:
+ *   const rm = new RollbackManager({ bus });
+ *   const result = rm.rollback(task, checkpoints, 'execution-failed');
+ *   if (result.success) { ... }
+ *
+ * @license Apache-2.0
+ */
+
+interface RollbackManagerConfig {
+    bus?: AgentBus;
+}
+interface RollbackResult {
+    success: boolean;
+    /** The checkpoint that was used for rollback, or null if none eligible. */
+    checkpoint: Checkpoint | null;
+    /** Human-readable description of what happened. */
+    message: string;
+}
+declare class RollbackManager {
+    private readonly bus?;
+    constructor(config?: RollbackManagerConfig);
+    /**
+     * Returns true if at least one eligible checkpoint exists for the task.
+     */
+    canRollback(taskId: string, checkpoints: Checkpoint[]): boolean;
+    /**
+     * Select the most recent eligible checkpoint for the given task.
+     * Eligible = recoverable AND not expired AND matches taskId.
+     */
+    selectBestCheckpoint(taskId: string, checkpoints: Checkpoint[]): Checkpoint | null;
+    /**
+     * Rollback a task to its most recent eligible checkpoint.
+     *
+     * Mutates the task in-place: resets status to 'pending', restores context
+     * and artifacts from the checkpoint, sets currentCheckpoint.
+     *
+     * Publishes governance:rollback-triggered on the bus.
+     */
+    rollback(task: Task, checkpoints: Checkpoint[], reason: string): RollbackResult;
+}
+
+/**
+ * Prompt Loader — SIGNAL-035
+ *
+ * Loads versioned agent system prompts from
+ * `packages/baselineos/prompts/{role}/system.md` (and
+ * `prompts/personas/{name}.md` for executor personas).
+ *
+ * Each prompt file carries YAML front matter:
+ *   version, agent, updated, changelog[]
+ *
+ * Falls back to the provided inline string when the file is absent,
+ * enabling safe staged migration without breaking existing deployments.
+ *
+ * @license Apache-2.0
+ */
+interface PromptMeta {
+    version: string;
+    agent: string;
+    persona?: string;
+    updated: string;
+    changelog: string[];
+}
+interface LoadedPrompt {
+    meta: PromptMeta;
+    text: string;
+    /** Absolute path the prompt was loaded from */
+    source: string;
+}
+/**
+ * Load a role-level system prompt (verifier, supervisor, quality, planner).
+ *
+ * Returns `null` when the file is absent — callers should fall back to their
+ * embedded inline strings.
+ */
+declare function loadRolePrompt(role: string): LoadedPrompt | null;
+/**
+ * Load a named executor persona prompt from `prompts/personas/{name}.md`.
+ *
+ * Returns `null` when the file is absent.
+ */
+declare function loadPersonaPrompt(name: string): LoadedPrompt | null;
+/**
+ * Load all persona prompts from `prompts/personas/`.
+ * Returns a map of `{ name → LoadedPrompt }` for every `.md` file found.
+ */
+declare function loadAllPersonas(): Map<string, LoadedPrompt>;
+
+/**
+ * Approval Token Manager — SIGNAL-036
+ *
+ * Manages single-use, time-limited approval tokens for irreversible actions.
+ * Tokens gate task execution when human sign-off is required — either because
+ * the task was explicitly flagged (context.requiresApproval) or because its
+ * complexity exceeds the autonomous ceiling (epic tasks).
+ *
+ * Design:
+ *   - Tokens are random UUIDs (cryptographically unpredictable, 122 bits entropy)
+ *   - Single-use: validation consumes the token; replaying returns invalid
+ *   - Time-limited: default TTL is 24 hours; configurable via ttlMs
+ *   - Bus events: governance:approval-issued and governance:approval-consumed
+ *     are published when configured with an AgentBus
+ *
+ * Usage:
+ *   const mgr = new ApprovalTokenManager({ bus });
+ *   const token = mgr.generate(task.id, 'Epic task requires human sign-off');
+ *   // ... human receives token.id out-of-band ...
+ *   const result = mgr.validate(task.id, token.id); // { valid: true }
+ *   // second call on same task returns { valid: false, reason: 'Token already consumed' }
+ *
+ * @license Apache-2.0
+ */
+
+interface ApprovalToken {
+    /** The token value — a random UUID, passed as the approval credential */
+    id: string;
+    /** Task this token authorises */
+    taskId: string;
+    /** Human-readable reason the approval was required */
+    reason: string;
+    /** Identity that issued the token (default: 'system') */
+    issuedBy: string;
+    /** Unix ms timestamp when the token was generated */
+    createdAt: number;
+    /** Unix ms timestamp when the token expires */
+    expiresAt: number;
+    /** true once the token has been used via validate() */
+    consumed: boolean;
+    /** Unix ms timestamp when the token was consumed; undefined until used */
+    consumedAt?: number;
+}
+interface ValidationResult {
+    valid: boolean;
+    /** Human-readable reason when valid=false */
+    reason?: string;
+}
+interface ApprovalTokenConfig {
+    /**
+     * Token time-to-live in milliseconds.
+     * Default: 86_400_000 (24 hours)
+     */
+    ttlMs?: number;
+    /** AgentBus for publishing governance events. */
+    bus?: AgentBus;
+}
+declare class ApprovalTokenManager {
+    private readonly ttlMs;
+    private readonly bus?;
+    /** Map from taskId → token */
+    private readonly tokens;
+    constructor(config?: ApprovalTokenConfig);
+    /**
+     * Issue a new approval token for a task.
+     *
+     * Replaces any existing (unconsumed) token for the same task.
+     * The token.id must be passed to validate() to authorise execution.
+     */
+    generate(taskId: string, reason: string, issuedBy?: string): ApprovalToken;
+    /**
+     * Validate and consume a token.
+     *
+     * Returns `{ valid: true }` the first time the correct token is presented
+     * for an unexpired task. Subsequent calls — or calls with a wrong token —
+     * return `{ valid: false, reason: '...' }`.
+     */
+    validate(taskId: string, tokenId: string): ValidationResult;
+    /**
+     * Revoke any pending (unconsumed) token for a task.
+     * Returns true if a token was found and revoked, false if none existed.
+     */
+    revoke(taskId: string): boolean;
+    /**
+     * Returns all unexpired, unconsumed tokens.
+     * Useful for operator dashboards and runbook queries.
+     */
+    listPending(): ApprovalToken[];
+    /**
+     * Returns true when a task requires human approval before it may execute.
+     *
+     * A task requires approval when:
+     *   - task.context.requiresApproval === true  (explicit operator flag)
+     *   - task.complexity === 'epic'               (beyond autonomous ceiling)
+     */
+    isRequired(task: Task): boolean;
+}
+
+interface BaselineTaskWorkflowInput {
+    task: Task;
+    step?: ExecutionStep;
+    /** Whether to run supervisor review after self-verify (default: false) */
+    runSupervisorReview?: boolean;
+    /** Whether to decompose the task before executing (default: false) */
+    runDecomposition?: boolean;
+    /** Whether to pause for human approval before execution (default: false) */
+    requireHumanApproval?: boolean;
+}
+interface WorkflowResult {
+    taskId: string;
+    output: string;
+    tokensUsed: number;
+    duration: number;
+    model: string;
+    verification: VerificationResult;
+    review?: Review;
+    decomposition?: DecompositionResult;
+    phase: WorkflowPhase;
+}
+type WorkflowPhase = 'initialising' | 'awaiting-approval' | 'decomposing' | 'executing' | 'verifying' | 'reviewing' | 'completed' | 'failed';
+declare function baselineTaskWorkflow(input: BaselineTaskWorkflowInput): Promise<WorkflowResult>;
+
+/**
+ * TemporalOrchestrator — SIGNAL-045
+ *
+ * Submits BaselineOS tasks as durable Temporal workflows instead of
+ * executing them inline. Acts as a drop-in replacement for direct
+ * AnthropicEngine usage when durable execution is required.
+ *
+ * Each submitted workflow:
+ *   - Gets a deterministic workflow ID: `baseline-task-{taskId}`
+ *   - Runs on the `baseline-task-queue`
+ *   - Can be queried for status via getStatus()
+ *   - Can be signalled for human approval via humanApproval()
+ *
+ * Usage:
+ *   const orchestrator = new TemporalOrchestrator({ client, bus });
+ *   const result = await orchestrator.submit(task, { runSupervisorReview: true });
+ *
+ * @license Apache-2.0
+ */
+
+interface TemporalOrchestratorConfig {
+    client: Client;
+    bus?: AgentBus;
+}
+interface SubmitOptions {
+    step?: ExecutionStep;
+    runSupervisorReview?: boolean;
+    runDecomposition?: boolean;
+    requireHumanApproval?: boolean;
+}
+declare class TemporalOrchestrator {
+    private readonly client;
+    private readonly bus?;
+    constructor(config: TemporalOrchestratorConfig);
+    /**
+     * Submit a task as a durable workflow.
+     * Returns after the workflow completes (or throws on failure).
+     */
+    submit(task: Task, options?: SubmitOptions): Promise<WorkflowResult>;
+    /**
+     * Query the current phase of a running workflow.
+     * Returns undefined if the workflow does not exist.
+     */
+    getStatus(taskId: string): Promise<WorkflowPhase | undefined>;
+    /**
+     * Send a human approval signal to a paused workflow.
+     */
+    sendApproval(taskId: string, approved: boolean, reason?: string): Promise<void>;
+    /**
+     * Terminate a running workflow immediately.
+     */
+    terminate(taskId: string, reason?: string): Promise<void>;
+    /**
+     * Retrieve a typed handle for a task's workflow.
+     */
+    getHandle(taskId: string): WorkflowHandle<typeof baselineTaskWorkflow>;
+}
+
+/**
+ * Temporal Activities — SIGNAL-045
+ *
+ * Activity functions executed by the Temporal worker. Each activity wraps a
+ * single operation on the execution engine and is retried independently by
+ * Temporal on failure. Activities are the boundary between Temporal's durable
+ * orchestration and the existing BaselineOS execution infrastructure.
+ *
+ * Retry policy (applied by workflow — see workflows.ts):
+ *   - maximumAttempts: 3
+ *   - initialInterval: 1s, backoffCoefficient: 2, maximumInterval: 30s
+ *   - Non-retryable: ApplicationFailure with nonRetryable=true
+ *
+ * All activities receive their dependencies via context injection through
+ * createActivities(). This keeps activities pure functions for testing.
+ *
+ * @license Apache-2.0
+ */
+
+interface ActivityDependencies {
+    engine: ExecutionEngine;
+}
+interface ExecuteTaskInput {
+    task: Task;
+    step?: ExecutionStep;
+}
+interface SelfVerifyInput {
+    task: Task;
+    output: string;
+}
+interface ConductReviewInput {
+    task: Task;
+    output: string;
+    reviewType: 'supervisor' | 'quality';
+}
+interface DecomposeInput {
+    task: Task;
+}
+/**
+ * Create activity functions bound to the given execution engine.
+ * Register the returned object with the Temporal worker:
+ *   worker.run({ activities: createActivities({ engine }) })
+ */
+declare function createActivities(deps: ActivityDependencies): {
+    /**
+     * Execute a task (or a specific step) using the underlying engine.
+     * Returns ExecutionResult on success; throws ApplicationFailure on compliance violations.
+     */
+    executeTask(input: ExecuteTaskInput): Promise<ExecutionResult>;
+    /**
+     * Agent self-verifies its output against the task's acceptance criteria.
+     */
+    selfVerifyTask(input: SelfVerifyInput): Promise<VerificationResult>;
+    /**
+     * Supervisor or quality review of task output.
+     */
+    conductTaskReview(input: ConductReviewInput): Promise<Review>;
+    /**
+     * Decompose a complex task into structured subtasks.
+     */
+    decomposeTask(input: DecomposeInput): Promise<DecompositionResult>;
+};
+type BaselineActivities = ReturnType<typeof createActivities>;
+
+/**
+ * Temporal Client Factory — SIGNAL-045
+ *
+ * Creates a Temporal client configured from environment variables.
+ * The client is used by TemporalOrchestrator to submit workflows.
+ *
+ * Environment variables:
+ *   TEMPORAL_ADDRESS     — Temporal frontend address (default: localhost:7233)
+ *   TEMPORAL_NAMESPACE   — Temporal namespace (default: baseline)
+ *   TEMPORAL_TLS         — 'true' to enable TLS (default: false)
+ *
+ * @license Apache-2.0
+ */
+
+interface TemporalClientConfig {
+    address?: string;
+    namespace?: string;
+    tls?: boolean;
+}
+declare const BASELINE_TASK_QUEUE = "baseline-task-queue";
+/**
+ * Create and connect a Temporal client.
+ * Call client.connection.close() when done.
+ */
+declare function createTemporalClient(config?: TemporalClientConfig): Promise<Client>;
+
+type CycleTrigger = 'eval-drift' | 'dataset-growth' | 'quality-drift' | 'manual' | 'scheduled';
+type CycleOutcome = 'promoted' | 'held' | 'rolled-back' | 'in-progress' | 'aborted';
+interface ImprovementCycle {
+    /** Cycle identifier: IC-001, IC-002, etc. */
+    id: string;
+    /** ISO timestamp when cycle was started */
+    startedAt: string;
+    /** ISO timestamp when cycle was completed (undefined if in-progress) */
+    completedAt?: string;
+    /** What initiated the cycle */
+    trigger: CycleTrigger;
+    /** Number of cases in dataset when cycle started */
+    datasetSizeAtStart: number;
+    /** Production eval score for current production model (0–100) */
+    evalScoreBefore?: number;
+    /** Production eval score for candidate model (0–100) */
+    evalScoreAfter?: number;
+    /** evalScoreAfter - evalScoreBefore (positive = improvement) */
+    deltaScore?: number;
+    /** Model ID that was evaluated as a candidate */
+    candidateModelId?: string;
+    /** Model ID promoted to production (undefined if not promoted) */
+    promotedModelId?: string;
+    /** Whether the red-team safety check passed for the candidate */
+    redTeamPassed?: boolean;
+    /** Total LLM cost incurred during this cycle in USD */
+    costUsd?: number;
+    /** Final cycle outcome */
+    outcome: CycleOutcome;
+    /** Human-readable notes or reason for outcome */
+    notes: string;
+}
+interface ImprovementCycleLogConfig {
+    /** Path to the JSON log file. Default: packages/baselineos/src/data/improvement-cycles.json */
+    logPath?: string;
+    /** AgentBus for publishing governance events */
+    bus?: AgentBus;
+}
+declare class ImprovementCycleLog {
+    private readonly logPath;
+    private readonly bus?;
+    constructor(config?: ImprovementCycleLogConfig);
+    /**
+     * Start a new cycle. Assigns the next IC-NNN ID, writes in-progress entry.
+     */
+    startCycle(trigger: CycleTrigger, datasetSize: number, notes?: string): ImprovementCycle;
+    /**
+     * Update an in-progress cycle with partial data.
+     * Merges updates into the existing cycle record.
+     */
+    updateCycle(cycleId: string, updates: Partial<Omit<ImprovementCycle, 'id' | 'startedAt'>>): void;
+    /**
+     * Complete a cycle with a final outcome. Sets completedAt timestamp.
+     */
+    completeCycle(cycleId: string, outcome: Exclude<CycleOutcome, 'in-progress'>, updates?: Partial<ImprovementCycle>): ImprovementCycle;
+    /** Return all recorded cycles */
+    getAll(): ImprovementCycle[];
+    /** Return the most recent cycle, or undefined if none exist */
+    getLatest(): ImprovementCycle | undefined;
+    /** Return a specific cycle by ID */
+    getCycle(cycleId: string): ImprovementCycle | undefined;
+    /**
+     * Returns number of days since the last completed cycle.
+     * Returns Infinity if no completed cycle exists.
+     */
+    getDaysSinceLastCycle(): number;
+    /**
+     * Return cycles that resulted in a promotion.
+     */
+    getPromotionHistory(): ImprovementCycle[];
+    /**
+     * Snapshot the LLM cost for a cycle from a CostGuard instance.
+     * Reads guard.snapshot(cycleId).totalCostUsd and persists it on the cycle.
+     * The cycle ID is used as the CostGuard workflow ID by convention.
+     *
+     * Call this at any point during the cycle (e.g. before completeCycle()).
+     * Idempotent — safe to call multiple times; accumulates the guard value.
+     */
+    snapshotCycleCost(cycleId: string, guard: CostGuard): void;
+    /**
+     * Record a specific USD cost against an in-progress cycle.
+     * Use this when cost data comes from a source other than CostGuard.
+     */
+    recordCycleCost(cycleId: string, costUsd: number): void;
+    /**
+     * Return cost summary across all completed cycles.
+     */
+    getCostSummary(): {
+        totalCycles: number;
+        totalCostUsd: number;
+        avgCostPerCycle: number;
+    };
+    private _write;
+}
+
+/**
+ * ShadowRouter — SIGNAL-057
+ *
+ * Routes every request to the primary ExecutionEngine while simultaneously
+ * dispatching a shadow copy to a candidate engine. Shadow results are never
+ * returned to the caller — they are used purely for comparison and promotion
+ * decisions.
+ *
+ * Architecture:
+ *   1. Execute primary engine (blocking — caller receives this result)
+ *   2. Execute candidate engine (non-blocking by default, or awaited in
+ *      'compare' mode for synchronous diff recording)
+ *   3. Score both outputs using a lightweight similarity metric
+ *   4. Publish governance:shadow-comparison on AgentBus
+ *   5. Accumulate ShadowComparison records for offline analysis
+ *
+ * Modes:
+ *   fire-and-forget  — candidate runs after primary returns (default)
+ *   compare          — candidate awaited; comparison written before return
+ *
+ * Usage:
+ *   const router = new ShadowRouter({
+ *     primary: primaryEngine,
+ *     candidate: candidateEngine,
+ *     bus,
+ *     sampleRate: 0.2,   // shadow 20% of traffic
+ *   });
+ *   const result = await router.execute(task); // always returns primary result
+ *
+ * @license Apache-2.0
+ */
+
+type ShadowMode = 'fire-and-forget' | 'compare';
+interface ShadowComparison {
+    taskId: string;
+    timestamp: string;
+    primaryModel: string;
+    candidateModel: string;
+    /** Rough token overlap ratio (0–1) between primary and candidate outputs */
+    similarityScore: number;
+    /** True when candidate produced output without error */
+    candidateSucceeded: boolean;
+    /** True when candidate output is meaningfully different from primary */
+    diverged: boolean;
+    primaryTokens: number;
+    candidateTokens: number;
+    durationPrimaryMs: number;
+    durationCandidateMs: number;
+    error?: string;
+}
+interface ShadowRouterConfig {
+    primary: ExecutionEngine;
+    candidate: ExecutionEngine;
+    bus?: AgentBus;
+    /** Fraction of calls to shadow (0–1). Default: 1.0 (all calls) */
+    sampleRate?: number;
+    /** Execution mode. Default: fire-and-forget */
+    mode?: ShadowMode;
+    /** Similarity below this threshold is flagged as diverged. Default: 0.6 */
+    divergenceThreshold?: number;
+    /** Max comparisons to keep in memory. Default: 500 */
+    maxHistory?: number;
+}
+declare class ShadowRouter implements ExecutionEngine {
+    private readonly primary;
+    private readonly candidate;
+    private readonly bus?;
+    private readonly sampleRate;
+    private readonly mode;
+    private readonly divergenceThreshold;
+    private readonly maxHistory;
+    private readonly history;
+    constructor(config: ShadowRouterConfig);
+    execute(task: Task, step?: ExecutionStep): Promise<ExecutionResult>;
+    selfVerify(task: Task, output: string): Promise<VerificationResult>;
+    conductReview(task: Task, output: string, reviewType: 'supervisor' | 'quality'): Promise<Review>;
+    decompose(task: Task): ReturnType<ExecutionEngine['decompose']>;
+    /** All recorded shadow comparisons (newest last). */
+    getHistory(): ShadowComparison[];
+    /** Comparisons where candidate diverged from primary. */
+    getDivergences(): ShadowComparison[];
+    /**
+     * Aggregate stats across all comparisons.
+     * Useful for promotion decisions.
+     */
+    getStats(): {
+        total: number;
+        candidateSuccessRate: number;
+        avgSimilarity: number;
+        divergenceRate: number;
+        avgCandidateTokenDelta: number;
+    };
+    private shouldSample;
+    private buildComparison;
+    /**
+     * Lightweight token-overlap similarity (Jaccard on word tokens).
+     * Good enough for divergence detection without a full diff.
+     */
+    private tokenOverlapSimilarity;
+    private appendComparison;
+    private emitEvent;
+}
+
+/**
+ * RedTeamRunner — SIGNAL-058
+ *
+ * Automated adversarial testing scaffold for promotion gates.
+ * Runs a set of probes against an ExecutionEngine and produces a
+ * structured RedTeamReport suitable for logging and CI gating.
+ *
+ * Probe categories:
+ *   jailbreak       — attempts to override system prompt / safety rules
+ *   prompt-injection — embedded instructions in user content
+ *   pii-exfiltration — attempts to extract or echo PII
+ *   refusal-check    — verifies the engine refuses harmful requests
+ *   output-stability — verifies consistent output format under rephrasing
+ *
+ * Architecture:
+ *   1. Define probes as { input, category, shouldRefuse, expectOutputContains? }
+ *   2. Run each probe against the engine under test
+ *   3. Apply lightweight pass criteria (refusal heuristics, PII detector)
+ *   4. Return RedTeamReport with per-probe results and a summary pass/fail
+ *   5. Publish governance:red-team-completed on AgentBus
+ *
+ * Integration with promotion gate:
+ *   if (!report.passed) → hold candidate model, do not promote
+ *
+ * @license Apache-2.0
+ */
+
+type ProbeCategory = 'jailbreak' | 'prompt-injection' | 'pii-exfiltration' | 'refusal-check' | 'output-stability';
+interface RedTeamProbe {
+    id: string;
+    category: ProbeCategory;
+    description: string;
+    /** The adversarial input to send to the engine */
+    input: string;
+    /** If true, the engine is expected to refuse or produce a safe non-compliance output */
+    shouldRefuse: boolean;
+    /** If set, the output must contain this substring (case-insensitive) to pass */
+    expectOutputContains?: string;
+    /** If set, the output must NOT contain this substring (case-insensitive) to pass */
+    expectOutputExcludes?: string;
+}
+interface ProbeResult {
+    probeId: string;
+    category: ProbeCategory;
+    passed: boolean;
+    reason: string;
+    output: string;
+    durationMs: number;
+    error?: string;
+}
+interface RedTeamReport {
+    runId: string;
+    modelId: string;
+    timestamp: string;
+    totalProbes: number;
+    passedProbes: number;
+    failedProbes: number;
+    passed: boolean;
+    /** Fraction of probes passed (0–1) */
+    passRate: number;
+    results: ProbeResult[];
+    durationMs: number;
+}
+interface RedTeamRunnerConfig {
+    engine: ExecutionEngine;
+    bus?: AgentBus;
+    /** Custom probe set. Defaults to the built-in probe suite. */
+    probes?: RedTeamProbe[];
+    /** Minimum pass rate to mark report.passed = true. Default: 1.0 (all must pass) */
+    passingThreshold?: number;
+    /** Model ID to tag the report with (for history correlation). Default: 'unknown' */
+    modelId?: string;
+}
+declare const DEFAULT_PROBES: RedTeamProbe[];
+declare class RedTeamRunner {
+    private readonly engine;
+    private readonly bus?;
+    private readonly probes;
+    private readonly passingThreshold;
+    private readonly modelId;
+    private readonly piiDetector;
+    constructor(config: RedTeamRunnerConfig);
+    /**
+     * Run all configured probes against the engine and return a report.
+     * Never throws — all errors are captured per-probe.
+     */
+    run(): Promise<RedTeamReport>;
+    private runProbe;
+    private evaluateProbe;
+    private probeToTask;
+}
+
+/**
+ * PromotionGate — SIGNAL-062
+ *
+ * Automated gate that combines eval comparison, red-team results, and
+ * ImprovementCycleLog to produce a deterministic promote/hold/rollback
+ * decision for a candidate model.
+ *
+ * Decision logic (in order):
+ *   1. Red-team must pass (report.passed === true)        → else: hold with red-team-failure note
+ *   2. Eval comparison recommend must be 'promote'        → else: hold or rollback
+ *   3. deltaScore must exceed promotionThreshold          → else: hold
+ *   4. If all criteria met → 'promote'
+ *
+ * The gate also:
+ *   - Completes the in-progress ImprovementCycle with the decision outcome
+ *   - Publishes governance:promotion-decision on AgentBus
+ *   - Returns a PromotionDecision record for audit
+ *
+ * Usage:
+ *   const gate = new PromotionGate({ cycleLog, bus, promotionThreshold: 3 });
+ *   const decision = await gate.evaluate({
+ *     cycleId, comparison, redTeamReport, candidateModelId
+ *   });
+ *   if (decision.outcome === 'promote') { registry.promote(candidateModelId); }
+ *
+ * @license Apache-2.0
+ */
+
+type PromotionOutcome = 'promote' | 'hold' | 'rollback';
+interface PromotionDecision {
+    cycleId: string;
+    candidateModelId: string;
+    outcome: PromotionOutcome;
+    reason: string;
+    /** All criteria evaluated, in order */
+    criteria: Array<{
+        label: string;
+        passed: boolean;
+        detail: string;
+    }>;
+    timestamp: string;
+    /** deltaScore from comparison (may be undefined if comparison not run) */
+    deltaScore?: number;
+    redTeamPassed: boolean;
+    compareRecommend: VersionComparison['recommend'] | 'not-run';
+}
+interface EvaluateInput {
+    cycleId: string;
+    candidateModelId: string;
+    /** Eval comparison between production (baseline) and candidate */
+    comparison: VersionComparison;
+    /** Red-team report for the candidate model */
+    redTeamReport: RedTeamReport;
+    /** Optional eval score before (production baseline) */
+    evalScoreBefore?: number;
+    /** Optional eval score after (candidate) */
+    evalScoreAfter?: number;
+}
+interface PromotionGateConfig {
+    cycleLog: ImprovementCycleLog;
+    bus?: AgentBus;
+    /**
+     * Minimum deltaScore required for promotion. Default: 3.
+     * Matches the default threshold in ProductionEvalPipeline.compareVersions().
+     */
+    promotionThreshold?: number;
+}
+declare class PromotionGate {
+    private readonly cycleLog;
+    private readonly bus?;
+    private readonly promotionThreshold;
+    constructor(config: PromotionGateConfig);
+    /**
+     * Evaluate a candidate model for promotion.
+     * Completes the ImprovementCycle with the outcome.
+     * Never throws — errors are captured in the decision reason.
+     */
+    evaluate(input: EvaluateInput): PromotionDecision;
+    private toCycleOutcome;
+}
+
+/**
+ * L5Pipeline — SIGNAL-063
+ *
+ * Orchestrates a complete SIGNAL L5 improvement cycle in a single call:
+ *
+ *   1. Snapshot dataset size & start ImprovementCycle
+ *   2. Export fine-tune dataset (JSONL)
+ *   3. PII audit the export (fail-fast on violations)
+ *   4. Run production eval for baseline model (VersionEvalResult)
+ *   5. Run production eval for candidate model (VersionEvalResult)
+ *   6. Compare baseline vs candidate (VersionComparison)
+ *   7. Run red-team against candidate engine
+ *   8. PromotionGate decision (promote / hold / rollback)
+ *   9. Complete ImprovementCycle with outcome
+ *  10. Emit governance:l5-cycle-completed on AgentBus
+ *
+ * Components wired:
+ *   TraceCurator           → dataset export
+ *   PiiDetector            → training data PII gate
+ *   ProductionEvalPipeline → baseline + candidate scoring
+ *   ShadowRouter           → optional shadow traffic (caller provides)
+ *   RedTeamRunner          → adversarial probe suite
+ *   PromotionGate          → deterministic decision
+ *   ImprovementCycleLog    → cycle record-keeping
+ *   CostGuard              → cost snapshot per cycle
+ *   DriftDetector          → optional pre-cycle drift check
+ *   AgentBus               → governance event publishing
+ *
+ * Usage:
+ *   const pipeline = new L5Pipeline({ ... });
+ *   const result = await pipeline.runCycle({
+ *     candidateEngine,
+ *     trigger: 'eval-drift',
+ *   });
+ *   if (result.decision.outcome === 'promote') {
+ *     registry.setActive('anthropic', candidateModelId);
+ *   }
+ *
+ * @license Apache-2.0
+ */
+
+interface L5CycleInput {
+    /** What triggered this cycle */
+    trigger: CycleTrigger;
+    /** Candidate model ID for eval attribution and promotion records */
+    candidateModelId: string;
+    /** Candidate execution engine for red-team evaluation */
+    candidateEngine: ExecutionEngine;
+    /** Optional notes to attach to the ImprovementCycle */
+    notes?: string;
+}
+interface L5CycleResult {
+    cycleId: string;
+    baselineResult: VersionEvalResult;
+    candidateResult: VersionEvalResult;
+    comparison: VersionComparison;
+    redTeamReport: RedTeamReport;
+    decision: PromotionDecision;
+    driftReport?: DriftReport;
+    exportedExamples: number;
+    piiViolations: number;
+    durationMs: number;
+    aborted: boolean;
+    abortReason?: string;
+}
+interface L5PipelineConfig {
+    curator: TraceCurator;
+    evalPipeline: ProductionEvalPipeline;
+    redTeamRunner: RedTeamRunner;
+    cycleLog: ImprovementCycleLog;
+    /** Baseline model ID for eval attribution */
+    baselineModelId: string;
+    bus?: AgentBus;
+    costGuard?: CostGuard;
+    driftDetector?: DriftDetector;
+    /** Promotion gate threshold. Default: 3 */
+    promotionThreshold?: number;
+    /** Directory for temporary export files. Default: OS tmpdir */
+    exportDir?: string;
+    /** If true, abort cycle when PII is found in fine-tune export. Default: true */
+    abortOnPii?: boolean;
+}
+declare class L5Pipeline {
+    private readonly curator;
+    private readonly evalPipeline;
+    private readonly redTeamRunner;
+    private readonly cycleLog;
+    private readonly gate;
+    private readonly baselineModelId;
+    private readonly bus?;
+    private readonly costGuard?;
+    private readonly driftDetector?;
+    private readonly exportDir;
+    private readonly abortOnPii;
+    private readonly piiDetector;
+    constructor(config: L5PipelineConfig);
+    /**
+     * Execute a complete L5 improvement cycle.
+     * Never throws — all errors are captured in the result.
+     */
+    runCycle(input: L5CycleInput): Promise<L5CycleResult>;
+    private _auditExport;
+    private _cleanupExport;
+    private _abortedResult;
+}
+
+declare class Baseline {
+    private config;
+    private orchestrator;
+    private memory;
+    private indexer;
+    private cache;
+    private rag;
+    readonly bus: AgentBus;
+    private initialized;
+    constructor(config?: Partial<BaselineConfig>);
+    /**
+     * Initialize BaselineOS. Call this before using other methods.
+     */
+    init(): Promise<void>;
+    /**
+     * Shutdown gracefully.
+     */
+    shutdown(): Promise<void>;
+    /**
+     * Execute an autonomous task.
+     *
+     * @param input - Task definition
+     * @returns Task handle with status and control methods
+     */
+    run(input: TaskInput): Promise<TaskHandle>;
+    /**
+     * Execute a workflow by id.
+     */
+    runWorkflow(workflowId: string, input?: Partial<TaskInput>): Promise<TaskHandle>;
+    /**
+     * Execute a task and wait for completion.
+     */
+    runSync(input: TaskInput): Promise<Task>;
+    /**
+     * Get a task by ID.
+     */
+    getTask(taskId: string): Task | undefined;
+    /**
+     * List all tasks.
+     */
+    listTasks(filter?: {
+        status?: TaskStatus;
+    }): Task[];
+    cancelTask(taskId: string, reason?: string): boolean;
+    approveTask(taskId: string, approvedBy?: string, approvalToken?: string): Promise<Task>;
+    registerWorkflow(definition: WorkflowDefinition): void;
+    listWorkflows(): WorkflowDefinition[];
+    getWorkflow(id: string): WorkflowDefinition | undefined;
+    /**
+     * Index knowledge base.
+     */
+    index(options?: {
+        full?: boolean;
+    }): Promise<{
+        indexed: number;
+        errors: number;
+        skipped: number;
+        changed: string[];
+        removed: string[];
+    }>;
+    /**
+     * Search knowledge base.
+     */
+    search(query: string, options?: {
+        limit?: number;
+        types?: Array<'doc' | 'code' | 'config' | 'spec' | 'api'>;
+        policy?: PolicyFilter;
+    }): Promise<SearchResult[]>;
+    /**
+     * Get context for a subject.
+     */
+    getContext(subject: string, level?: ContextLevel, options?: {
+        policy?: PolicyFilter;
+        overlayOrder?: Overlay[];
+        budget?: RetrievalBudget;
+    }): Promise<Context | null>;
+    /**
+     * Get context delta for a subject (only changed/unknown docs).
+     */
+    getContextDelta(subject: string, level?: ContextLevel, options?: {
+        policy?: PolicyFilter;
+        overlayOrder?: Overlay[];
+        known?: Array<{
+            id: string;
+            hash?: string;
+        }>;
+        budget?: RetrievalBudget;
+    }): Promise<Context | null>;
+    /**
+     * Search using RAG hybrid retrieval (BM25 + vector).
+     */
+    ragSearch(query: string, options?: {
+        collections?: CollectionName[];
+        repo?: string;
+        limit?: number;
+        minScore?: number;
+    }): Promise<RAGResult>;
+    /**
+     * Get RAG context for a query — combines chunk-level retrieval
+     * with optional structured context from the knowledge indexer.
+     */
+    ragContext(query: string, options?: {
+        collections?: CollectionName[];
+        repo?: string;
+        maxTokens?: number;
+    }): Promise<{
+        content: string;
+        sources: string[];
+        tokenEstimate: number;
+    }>;
+    /**
+     * Re-ingest RAG knowledge paths.
+     */
+    ragIngest(paths?: string[]): Promise<IngestionResult>;
+    /**
+     * Store in memory.
+     */
+    remember(key: string, value: unknown, scopeOrOptions?: MemoryScope | StoreOptions): Promise<void>;
+    /**
+     * Retrieve from memory.
+     */
+    recall(key: string, scopeOrOptions?: MemoryScope | RetrieveOptions): Promise<unknown>;
+    /**
+     * Register a custom agent.
+     */
+    registerAgent(agent: AgentConfig): void;
+    /**
+     * List all agents.
+     */
+    listAgents(): Agent[];
+    /**
+     * Start MCP server for Claude integration.
+     */
+    startMCPServer(): Promise<MCPServer>;
+    /**
+     * Start HTTP/WebSocket API server.
+     */
+    startAPIServer(port?: number): Promise<APIServer>;
+    /**
+     * Get system statistics.
+     */
+    getStats(): BaselineStats;
+    /**
+     * Subscribe to agent bus events.
+     * @example
+     * baseline.bus.subscribe('task:*', (msg) => console.log(msg));
+     * baseline.bus.subscribe('governance:violation', handleViolation);
+     */
+    getBusStats(): Readonly<BusStats>;
+    /**
+     * Get value from semantic cache.
+     */
+    cacheGet<T>(key: string): Promise<T | null>;
+    /**
+     * Store value in semantic cache.
+     */
+    cacheSet<T>(key: string, value: T, options?: {
+        tokensSaved?: number;
+    }): Promise<void>;
+    /**
+     * Get cache statistics.
+     */
+    getCacheStats(): {
+        size: number;
+        hits: number;
+        misses: number;
+        semanticHits: number;
+        hitRate: number;
+        tokensSaved: number;
+    };
+    getAuditTrail(taskId?: string): Array<{
+        timestamp: number;
+        event: OrchestratorEvent;
+    }>;
+    getEvidenceBundle(taskId: string): ReturnType<Orchestrator['getEvidenceBundle']>;
+    private ensureInitialized;
+    private registerDefaultAgents;
+    loadCheckpoint(checkpointId: string): Checkpoint | null;
+    recoverTaskFromCheckpoint(checkpointId: string): Task | null;
+    onEvent<T extends OrchestratorEvent['type']>(type: T, handler: (event: Extract<OrchestratorEvent, {
+        type: T;
+    }>) => void): () => void;
+}
+declare class TaskHandle {
+    private task;
+    private orchestrator;
+    constructor(task: Task, orchestrator: Orchestrator);
+    get id(): string;
+    get status(): TaskStatus;
+    /**
+     * Wait for task completion.
+     */
+    wait(timeoutMs?: number): Promise<Task>;
+    /**
+     * Cancel the task.
+     */
+    cancel(): Promise<void>;
+    /**
+     * Get current artifacts.
+     */
+    getArtifacts(): Artifact[];
+    /**
+     * Stream task events.
+     */
+    stream(): AsyncGenerator<TaskEvent>;
+}
+interface AgentConfig {
+    id: string;
+    name: string;
+    role: 'planner' | 'executor' | 'supervisor' | 'quality' | 'specialist';
+    capabilities: string[];
+    domains: string[];
+    trustScore?: number;
+}
+interface TaskEvent {
+    type: 'status' | 'progress' | 'artifact' | 'checkpoint' | 'error';
+    taskId: string;
+    data: unknown;
+    timestamp: number;
+}
+interface BaselineStats {
+    orchestrator: {
+        tasks: {
+            total: number;
+            byStatus: Record<string, number>;
+        };
+        agents: {
+            total: number;
+            byRole: Record<string, number>;
+        };
+    };
+    memory: {
+        working: number;
+        session: number;
+        longTerm: number;
+        shared: number;
+    };
+    indexer: {
+        documents: number;
+        types: number;
+        compressions: number;
+    };
+    cache: {
+        size: number;
+        hits: number;
+        misses: number;
+        hitRate: number;
+    };
+    rag: {
+        totalChunks: number;
+        collections: Record<string, number>;
+        initialized: boolean;
+    };
+    governance: {
+        auditLevel: 'none' | 'basic' | 'full';
+        requireApproval: number;
+        restricted: number;
+    };
+}
+
+export { type ExportOptions as $, APIServer as A, BASELINE_TASK_QUEUE as B, type CharterCommitment as C, type ControlCheckContext as D, type ControlCheckResult as E, type CostCheckResult as F, CostGuard as G, type CostGuardConfig as H, type CredentialAccessEvent as I, type CredentialEntry as J, CredentialExpiredError as K, CredentialProvider as L, type CredentialProviderConfig as M, MCPServer, type CycleOutcome as N, type CycleTrigger as O, DEFAULT_PROBES as P, type DFIEvidenceBundle as Q, type DependencyEdge as R, type DependencyGraph as S, DriftDetector as T, type DriftDetectorConfig as U, type DriftReport as V, type DriftSeverity as W, type DriftStrategy as X, type EvaluateInput as Y, EvidenceExporter as Z, type ExpiringCredential as _, type ActivityDependencies as a, type ShadowMode as a$, GTCX_EDGES as a0, GTCX_REPOS as a1, type GitActivity as a2, type GovernanceValidationResult as a3, GovernanceValidator as a4, type GovernanceValidatorConfig as a5, type HandoffContext as a6, type ImprovementCycle as a7, ImprovementCycleLog as a8, type ImprovementCycleLogConfig as a9, PromotionGate as aA, type PromotionGateConfig as aB, type PromotionOutcome as aC, type PromptMeta as aD, type QueuedTask as aE, type RedTeamProbe as aF, type RedTeamReport as aG, RedTeamRunner as aH, type RedTeamRunnerConfig as aI, type RepoNode as aJ, RollbackManager as aK, type RollbackManagerConfig as aL, type RollbackResult as aM, SPECIALIZED_AGENTS as aN, STANDARD_PIPELINES as aO, type SafetyCheckResult as aP, type SafetyContext as aQ, type SafetyResult as aR, type SafetyRule$1 as aS, type SafetyViolation as aT, type SecurityAuditEntry as aU, type SecurityAuditEventType as aV, SecurityManager as aW, type SecurityManagerConfig as aX, type SafetyRule as aY, SenseiAIBridge as aZ, type ShadowComparison as a_, type L5CycleInput as aa, type L5CycleResult as ab, L5Pipeline as ac, type L5PipelineConfig as ad, type LoadedPrompt as ae, type MigrationAuditEntry as af, type MigrationResult as ag, type MigrationTaskContext as ah, type NDPCCheckResult as ai, NDPCComplianceGate as aj, type NDPCContext as ak, type NDPCViolation as al, type OutputValidationFailure as am, type OutputValidationFailureReason as an, type OutputValidationResult as ao, OutputValidator as ap, type OutputValidatorConfig as aq, type Permission as ar, type PillarResult as as, type Pipeline as at, type PipelineExecution as au, type PipelineStep as av, type PipelineStepExecution as aw, type ProbeCategory as ax, type ProbeResult as ay, type PromotionDecision as az, type AgentConfig as b, ShadowRouter as b0, type ShadowRouterConfig as b1, type StandupEntry as b2, type StandupSynthesis as b3, type SubmitOptions as b4, type TaskEvent as b5, TaskHandle as b6, type TemporalClientConfig as b7, TemporalOrchestrator as b8, type TemporalOrchestratorConfig as b9, detectCycles as bA, findBlockers as bB, getAgentDefinition as bC, getAgentsByCapability as bD, getAgentsByDomain as bE, getReadySteps as bF, getTopologicalOrder as bG, getTrustTier as bH, isComplete as bI, isFailed as bJ, loadAllPersonas as bK, loadPersonaPrompt as bL, loadRolePrompt as bM, projectCompletion as bN, synthesizeStandup as bO, type TenantCostSummary as ba, type TokenUsage as bb, type ToolCallRecord as bc, type ToolRiskClassification as bd, type ToolRiskLevel as be, type TradeContext as bf, TradePassGovernanceBridge as bg, type TradeVerificationResult as bh, type TrustSyncEvent as bi, TrustSyncProtocol as bj, type TrustSyncTarget as bk, type TrustTier as bl, type ValidateOptions as bm, type ValidationResult as bn, type VelocitySnapshot as bo, type WorkflowAccumulator as bp, buildStepTaskInput as bq, createActivities as br, createAgentFromDefinition as bs, createDependencyGraph as bt, createGTCXGraph as bu, createHandoff as bv, createPipeline as bw, createPipelineExecution as bx, createTemporalClient as by, createVelocitySnapshot as bz, type AgentDefinition as c, type AgentExecutionRecord as d, AgentExecutor as e, type AgentExecutorConfig as f, type AgentExecutorEvent as g, type AgentExecutorEventType as h, AgenticBridge as i, type AgenticBridgeConfig as j, type AgenticExecutionResult as k, type ApprovalToken as l, type ApprovalTokenConfig as m, ApprovalTokenManager as n, Baseline as o, type BaselineActivities as p, type BaselineStats as q, type BlockerAnalysis as r, CommandCenter as s, type CommandCenterConfig as t, type CommandCenterEvent as u, type CommandCenterEventType as v, type CommandCenterMetrics as w, type CommandCenterStatus as x, type ComplianceControl as y, ComplianceOSBridge as z };