moflo 4.8.22 → 4.8.23

package/src/@claude-flow/guidance/dist/manifest-validator.js

@@ -0,0 +1,838 @@
+/**
+ * Manifest Validator & Conformance Suite
+ *
+ * Validates AgentCellManifest documents against the Agentic Container spec,
+ * computes risk scores, selects execution lanes, and fails closed on any
+ * validation error. The ConformanceSuite runs golden traces through an
+ * evaluator to prove the platform behaves as specified.
+ *
+ * @module @claude-flow/guidance/manifest-validator
+ */
+// ============================================================================
+// Constants
+// ============================================================================
+const SUPPORTED_API_VERSION = 'agentic_cells.v0_1';
+const SHA256_DIGEST_RE = /^sha256:[a-f0-9]{64}$/;
+/** Maximum budget limits (sanity caps) */
+const MAX_BUDGET_LIMITS = {
+    maxWallClockSeconds: 86_400, // 24 hours
+    maxToolCalls: 100_000,
+    maxBytesEgress: 10_737_418_240, // 10 GiB
+    maxTokensInMtok: 100, // 100M tokens
+    maxTokensOutMtok: 100, // 100M tokens
+    maxMemoryWrites: 1_000_000,
+};
+/** Data sensitivity levels ordered by severity */
+const DATA_SENSITIVITY_LEVELS = ['public', 'internal', 'confidential', 'restricted'];
+/** Write modes for memory policy */
+const WRITE_MODES = ['append', 'overwrite', 'merge'];
+/** Authority scopes for memory policy */
+const AUTHORITY_SCOPES = ['self', 'team', 'tenant', 'global'];
+/** Known tool names the system recognizes */
+const KNOWN_TOOLS = new Set([
+    'Read', 'Write', 'Edit', 'MultiEdit', 'Glob', 'Grep',
+    'Bash', 'Task', 'TodoWrite', 'NotebookEdit', 'WebFetch', 'WebSearch',
+    'mcp_memory', 'mcp_swarm', 'mcp_hooks', 'mcp_agent',
+]);
+/** Trace levels for observability */
+const TRACE_LEVELS = ['none', 'errors', 'decisions', 'full'];
+/** Execution lanes ordered by privilege (lowest to highest) */
+const LANES = ['wasm', 'sandboxed', 'native'];
+// ============================================================================
+// ManifestValidator
+// ============================================================================
+/**
+ * Validates AgentCellManifest documents against the Agentic Container spec.
+ *
+ * Fails closed: any validation error results in a 'reject' decision.
+ * Warnings alone do not block admission but may trigger a 'review' decision
+ * when the risk score is between thresholds.
+ */
+export class ManifestValidator {
+    /** Risk score threshold: below this, admit. Above reject threshold, reject. Between, review. */
+    admitThreshold;
+    rejectThreshold;
+    constructor(options) {
+        this.admitThreshold = options?.admitThreshold ?? 30;
+        this.rejectThreshold = options?.rejectThreshold ?? 70;
+    }
+    /**
+     * Validate a manifest, compute its risk score, select a lane, and decide admission.
+     *
+     * FAILS CLOSED: any validation error leads to reject.
+     */
+    validate(manifest) {
+        const errors = [];
+        const warnings = [];
+        // Structural validation
+        errors.push(...this.validateRequiredFields(manifest));
+        errors.push(...this.validateApiVersion(manifest));
+        errors.push(...this.validateDigest(manifest));
+        errors.push(...this.validateBudgets(manifest.budgets));
+        errors.push(...this.validateToolPolicy(manifest.toolPolicy));
+        errors.push(...this.validateDataPolicy(manifest.dataPolicy));
+        warnings.push(...this.validateWarnings(manifest));
+        // Compute risk score (even if there are errors, for diagnostics)
+        const riskScore = this.computeRiskScore(manifest);
+        // FAIL CLOSED: any error means reject
+        if (errors.length > 0) {
+            return {
+                valid: false,
+                errors,
+                warnings,
+                admissionDecision: 'reject',
+                laneSelection: null,
+                riskScore,
+            };
+        }
+        // Lane selection
+        const laneSelection = this.selectLane(manifest, riskScore);
+        // Admission decision based on risk score
+        let admissionDecision;
+        if (riskScore > this.rejectThreshold) {
+            admissionDecision = 'reject';
+        }
+        else if (riskScore > this.admitThreshold) {
+            admissionDecision = 'review';
+        }
+        else {
+            admissionDecision = 'admit';
+        }
+        return {
+            valid: true,
+            errors,
+            warnings,
+            admissionDecision,
+            laneSelection,
+            riskScore,
+        };
+    }
+    /**
+     * Compute a risk score (0-100) from tool risk, data sensitivity, and privilege surface.
+     *
+     * Components:
+     * - tool_risk (0-40): based on tool types and network access
+     * - data_sensitivity (0-30): based on sensitivity level and PII
+     * - privilege_surface (0-30): based on memory scope, write mode, native threads
+     */
+    computeRiskScore(manifest) {
+        let toolRisk = 0;
+        let dataSensitivity = 0;
+        let privilegeSurface = 0;
+        // --- Tool risk (0-40) ---
+        const tools = manifest.toolPolicy?.toolsAllowed ?? [];
+        const networkList = manifest.toolPolicy?.networkAllowlist ?? [];
+        // Bash/command execution is high risk
+        if (tools.includes('Bash') || tools.includes('bash')) {
+            toolRisk += 15;
+        }
+        // Task spawning
+        if (tools.includes('Task') || tools.includes('task')) {
+            toolRisk += 8;
+        }
+        // Write operations
+        if (tools.some(t => ['Write', 'Edit', 'MultiEdit', 'NotebookEdit'].includes(t))) {
+            toolRisk += 5;
+        }
+        // MCP tools
+        if (tools.some(t => t.startsWith('mcp_'))) {
+            toolRisk += 5;
+        }
+        // Network access
+        if (networkList.length > 0) {
+            toolRisk += 5;
+        }
+        // Wildcard in network (already caught as error if not privileged, but score anyway)
+        if (networkList.some(h => h === '*' || h.startsWith('*.'))) {
+            toolRisk += 10;
+        }
+        // No confirmation on writes
+        if (manifest.toolPolicy && !manifest.toolPolicy.writeActionsRequireConfirmation) {
+            toolRisk += 3;
+        }
+        toolRisk = Math.min(toolRisk, 40);
+        // --- Data sensitivity (0-30) ---
+        const sensitivityIndex = DATA_SENSITIVITY_LEVELS.indexOf(manifest.dataPolicy?.dataSensitivity);
+        if (sensitivityIndex >= 0) {
+            dataSensitivity += sensitivityIndex * 8; // 0, 8, 16, 24
+        }
+        if (manifest.dataPolicy?.piiAllowed) {
+            dataSensitivity += 6;
+        }
+        dataSensitivity = Math.min(dataSensitivity, 30);
+        // --- Privilege surface (0-30) ---
+        const scopeIndex = AUTHORITY_SCOPES.indexOf(manifest.memoryPolicy?.authorityScope);
+        if (scopeIndex >= 0) {
+            privilegeSurface += scopeIndex * 5; // 0, 5, 10, 15
+        }
+        if (manifest.memoryPolicy?.writeMode === 'overwrite') {
+            privilegeSurface += 5;
+        }
+        if (manifest.lanePolicy?.needsNativeThreads) {
+            privilegeSurface += 8;
+        }
+        if (manifest.memoryPolicy && !manifest.memoryPolicy.requiresCoherenceGate) {
+            privilegeSurface += 3;
+        }
+        if (manifest.memoryPolicy && !manifest.memoryPolicy.requiresAntiHallucinationGate) {
+            privilegeSurface += 3;
+        }
+        privilegeSurface = Math.min(privilegeSurface, 30);
+        return Math.min(toolRisk + dataSensitivity + privilegeSurface, 100);
+    }
+    /**
+     * Select the execution lane based on risk score and manifest policy.
+     *
+     * Lane selection rules:
+     * - If portabilityRequired or risk <= 30: wasm
+     * - If needsNativeThreads and risk > 50: native
+     * - Otherwise: sandboxed
+     * - Always respect preferredLane if risk score allows it
+     * - Risk exceeding maxRiskScore forces the most restrictive lane
+     */
+    selectLane(manifest, riskScore) {
+        const policy = manifest.lanePolicy;
+        // If risk exceeds the manifest's own maxRiskScore, force wasm
+        if (riskScore > policy.maxRiskScore) {
+            return 'wasm';
+        }
+        // Portability requirement forces wasm
+        if (policy.portabilityRequired) {
+            return 'wasm';
+        }
+        // Native threads require native lane
+        if (policy.needsNativeThreads) {
+            // Only grant native if risk is acceptable
+            if (riskScore <= 50) {
+                return 'native';
+            }
+            return 'sandboxed';
+        }
+        // Low risk can go to wasm
+        if (riskScore <= 20) {
+            return policy.preferredLane;
+        }
+        // Medium risk gets sandboxed
+        if (riskScore <= 50) {
+            // Respect preference if it's not native
+            if (policy.preferredLane !== 'native') {
+                return policy.preferredLane;
+            }
+            return 'sandboxed';
+        }
+        // High risk gets wasm
+        return 'wasm';
+    }
+    /**
+     * Validate budget values: no negatives, within sanity limits.
+     */
+    validateBudgets(budgets) {
+        const errors = [];
+        if (!budgets) {
+            errors.push({
+                code: 'MISSING_FIELD',
+                field: 'budgets',
+                message: 'Budget configuration is required',
+                severity: 'error',
+            });
+            return errors;
+        }
+        const budgetFields = [
+            { key: 'maxWallClockSeconds', max: MAX_BUDGET_LIMITS.maxWallClockSeconds },
+            { key: 'maxToolCalls', max: MAX_BUDGET_LIMITS.maxToolCalls },
+            { key: 'maxBytesEgress', max: MAX_BUDGET_LIMITS.maxBytesEgress },
+            { key: 'maxTokensInMtok', max: MAX_BUDGET_LIMITS.maxTokensInMtok },
+            { key: 'maxTokensOutMtok', max: MAX_BUDGET_LIMITS.maxTokensOutMtok },
+            { key: 'maxMemoryWrites', max: MAX_BUDGET_LIMITS.maxMemoryWrites },
+        ];
+        for (const { key, max } of budgetFields) {
+            const value = budgets[key];
+            if (value === undefined || value === null) {
+                errors.push({
+                    code: 'MISSING_FIELD',
+                    field: `budgets.${key}`,
+                    message: `Budget field "${key}" is required`,
+                    severity: 'error',
+                });
+                continue;
+            }
+            if (typeof value !== 'number' || Number.isNaN(value)) {
+                errors.push({
+                    code: 'INVALID_TYPE',
+                    field: `budgets.${key}`,
+                    message: `Budget field "${key}" must be a number`,
+                    severity: 'error',
+                });
+                continue;
+            }
+            if (value < 0) {
+                errors.push({
+                    code: 'BUDGET_NEGATIVE',
+                    field: `budgets.${key}`,
+                    message: `Budget field "${key}" must not be negative (got ${value})`,
+                    severity: 'error',
+                });
+            }
+            if (value > max) {
+                errors.push({
+                    code: 'BUDGET_EXCEED',
+                    field: `budgets.${key}`,
+                    message: `Budget field "${key}" exceeds maximum (${value} > ${max})`,
+                    severity: 'error',
+                });
+            }
+        }
+        return errors;
+    }
+    /**
+     * Validate tool policy: network allowlist must not contain wildcards
+     * unless the cell explicitly has Bash (privileged).
+     */
+    validateToolPolicy(toolPolicy) {
+        const errors = [];
+        if (!toolPolicy) {
+            errors.push({
+                code: 'MISSING_FIELD',
+                field: 'toolPolicy',
+                message: 'Tool policy is required',
+                severity: 'error',
+            });
+            return errors;
+        }
+        if (!Array.isArray(toolPolicy.toolsAllowed)) {
+            errors.push({
+                code: 'INVALID_TYPE',
+                field: 'toolPolicy.toolsAllowed',
+                message: 'toolsAllowed must be an array',
+                severity: 'error',
+            });
+        }
+        if (!Array.isArray(toolPolicy.networkAllowlist)) {
+            errors.push({
+                code: 'INVALID_TYPE',
+                field: 'toolPolicy.networkAllowlist',
+                message: 'networkAllowlist must be an array',
+                severity: 'error',
+            });
+        }
+        // Check for wildcards in network allowlist
+        const isPrivileged = Array.isArray(toolPolicy.toolsAllowed) &&
+            toolPolicy.toolsAllowed.includes('Bash');
+        if (Array.isArray(toolPolicy.networkAllowlist)) {
+            for (let i = 0; i < toolPolicy.networkAllowlist.length; i++) {
+                const entry = toolPolicy.networkAllowlist[i];
+                if (entry === '*' || entry.startsWith('*.')) {
+                    if (!isPrivileged) {
+                        errors.push({
+                            code: 'WILDCARD_NETWORK',
+                            field: `toolPolicy.networkAllowlist[${i}]`,
+                            message: `Wildcard "${entry}" in network allowlist requires privileged access (Bash tool)`,
+                            severity: 'error',
+                        });
+                    }
+                }
+            }
+        }
+        return errors;
+    }
+    /**
+     * Validate data policy fields.
+     */
+    validateDataPolicy(dataPolicy) {
+        const errors = [];
+        if (!dataPolicy) {
+            errors.push({
+                code: 'MISSING_FIELD',
+                field: 'dataPolicy',
+                message: 'Data policy is required',
+                severity: 'error',
+            });
+            return errors;
+        }
+        if (!DATA_SENSITIVITY_LEVELS.includes(dataPolicy.dataSensitivity)) {
+            errors.push({
+                code: 'INVALID_ENUM',
+                field: 'dataPolicy.dataSensitivity',
+                message: `dataSensitivity must be one of: ${DATA_SENSITIVITY_LEVELS.join(', ')} (got "${dataPolicy.dataSensitivity}")`,
+                severity: 'error',
+            });
+        }
+        if (typeof dataPolicy.retentionDays !== 'number' || dataPolicy.retentionDays < 0) {
+            errors.push({
+                code: 'INVALID_VALUE',
+                field: 'dataPolicy.retentionDays',
+                message: 'retentionDays must be a non-negative number',
+                severity: 'error',
+            });
+        }
+        if (!dataPolicy.exportControls) {
+            errors.push({
+                code: 'MISSING_FIELD',
+                field: 'dataPolicy.exportControls',
+                message: 'exportControls is required in data policy',
+                severity: 'error',
+            });
+        }
+        else {
+            if (!Array.isArray(dataPolicy.exportControls.allowedRegions)) {
+                errors.push({
+                    code: 'INVALID_TYPE',
+                    field: 'dataPolicy.exportControls.allowedRegions',
+                    message: 'allowedRegions must be an array',
+                    severity: 'error',
+                });
+            }
+            if (!Array.isArray(dataPolicy.exportControls.blockedRegions)) {
+                errors.push({
+                    code: 'INVALID_TYPE',
+                    field: 'dataPolicy.exportControls.blockedRegions',
+                    message: 'blockedRegions must be an array',
+                    severity: 'error',
+                });
+            }
+            // Check for overlap between allowed and blocked regions
+            if (Array.isArray(dataPolicy.exportControls.allowedRegions) &&
+                Array.isArray(dataPolicy.exportControls.blockedRegions)) {
+                const overlap = dataPolicy.exportControls.allowedRegions.filter(r => dataPolicy.exportControls.blockedRegions.includes(r));
+                if (overlap.length > 0) {
+                    errors.push({
+                        code: 'REGION_CONFLICT',
+                        field: 'dataPolicy.exportControls',
+                        message: `Regions appear in both allowed and blocked lists: ${overlap.join(', ')}`,
+                        severity: 'error',
+                    });
+                }
+            }
+        }
+        return errors;
+    }
+    // ===== Private validation helpers =====
+    validateRequiredFields(manifest) {
+        const errors = [];
+        if (!manifest) {
+            errors.push({
+                code: 'MISSING_FIELD',
+                field: '',
+                message: 'Manifest is required',
+                severity: 'error',
+            });
+            return errors;
+        }
+        // Top-level required sections
+        const requiredSections = [
+            'apiVersion', 'cell', 'lanePolicy', 'budgets',
+            'dataPolicy', 'toolPolicy', 'memoryPolicy', 'observability',
+        ];
+        for (const section of requiredSections) {
+            if (manifest[section] === undefined || manifest[section] === null) {
+                errors.push({
+                    code: 'MISSING_FIELD',
+                    field: section,
+                    message: `Required field "${section}" is missing`,
+                    severity: 'error',
+                });
+            }
+        }
+        // Cell sub-fields
+        if (manifest.cell) {
+            for (const field of ['name', 'purpose', 'ownerTenant']) {
+                if (!manifest.cell[field]) {
+                    errors.push({
+                        code: 'MISSING_FIELD',
+                        field: `cell.${field}`,
+                        message: `Required field "cell.${field}" is missing`,
+                        severity: 'error',
+                    });
+                }
+            }
+            if (!manifest.cell.codeRef) {
+                errors.push({
+                    code: 'MISSING_FIELD',
+                    field: 'cell.codeRef',
+                    message: 'Required field "cell.codeRef" is missing',
+                    severity: 'error',
+                });
+            }
+            else {
+                for (const field of ['kind', 'digest', 'entry']) {
+                    if (!manifest.cell.codeRef[field]) {
+                        errors.push({
+                            code: 'MISSING_FIELD',
+                            field: `cell.codeRef.${field}`,
+                            message: `Required field "cell.codeRef.${field}" is missing`,
+                            severity: 'error',
+                        });
+                    }
+                }
+            }
+        }
+        // Memory policy sub-fields
+        if (manifest.memoryPolicy) {
+            if (!manifest.memoryPolicy.namespace) {
+                errors.push({
+                    code: 'MISSING_FIELD',
+                    field: 'memoryPolicy.namespace',
+                    message: 'Required field "memoryPolicy.namespace" is missing',
+                    severity: 'error',
+                });
+            }
+            if (!AUTHORITY_SCOPES.includes(manifest.memoryPolicy.authorityScope)) {
+                errors.push({
+                    code: 'INVALID_ENUM',
+                    field: 'memoryPolicy.authorityScope',
+                    message: `authorityScope must be one of: ${AUTHORITY_SCOPES.join(', ')}`,
+                    severity: 'error',
+                });
+            }
+            if (!WRITE_MODES.includes(manifest.memoryPolicy.writeMode)) {
+                errors.push({
+                    code: 'INVALID_ENUM',
+                    field: 'memoryPolicy.writeMode',
+                    message: `writeMode must be one of: ${WRITE_MODES.join(', ')}`,
+                    severity: 'error',
+                });
+            }
+        }
+        // Observability sub-fields
+        if (manifest.observability) {
+            if (!TRACE_LEVELS.includes(manifest.observability.traceLevel)) {
+                errors.push({
+                    code: 'INVALID_ENUM',
+                    field: 'observability.traceLevel',
+                    message: `traceLevel must be one of: ${TRACE_LEVELS.join(', ')}`,
+                    severity: 'error',
+                });
+            }
+        }
+        return errors;
+    }
+    validateApiVersion(manifest) {
+        if (!manifest.apiVersion)
+            return []; // caught by requiredFields
+        if (manifest.apiVersion !== SUPPORTED_API_VERSION) {
+            return [{
+                    code: 'UNSUPPORTED_API_VERSION',
+                    field: 'apiVersion',
+                    message: `API version "${manifest.apiVersion}" is not supported (expected "${SUPPORTED_API_VERSION}")`,
+                    severity: 'error',
+                }];
+        }
+        return [];
+    }
+    validateDigest(manifest) {
+        if (!manifest.cell?.codeRef?.digest)
+            return []; // caught by requiredFields
+        if (!SHA256_DIGEST_RE.test(manifest.cell.codeRef.digest)) {
+            return [{
+                    code: 'INVALID_DIGEST',
+                    field: 'cell.codeRef.digest',
+                    message: `Digest must match "sha256:<64 hex chars>" format (got "${manifest.cell.codeRef.digest}")`,
+                    severity: 'error',
+                }];
+        }
+        return [];
+    }
+    validateWarnings(manifest) {
+        const warnings = [];
+        // Warn about unknown tools
+        if (manifest.toolPolicy?.toolsAllowed) {
+            for (const tool of manifest.toolPolicy.toolsAllowed) {
+                if (!KNOWN_TOOLS.has(tool)) {
+                    warnings.push({
+                        code: 'UNKNOWN_TOOL',
+                        field: 'toolPolicy.toolsAllowed',
+                        message: `Tool "${tool}" is not a recognized system tool`,
+                        severity: 'warning',
+                    });
+                }
+            }
+        }
+        // Warn if both coherence and anti-hallucination gates are disabled
+        if (manifest.memoryPolicy &&
+            !manifest.memoryPolicy.requiresCoherenceGate &&
+            !manifest.memoryPolicy.requiresAntiHallucinationGate) {
+            warnings.push({
+                code: 'NO_MEMORY_GATES',
+                field: 'memoryPolicy',
+                message: 'Both coherence and anti-hallucination gates are disabled; memory writes are ungated',
+                severity: 'warning',
+            });
+        }
+        // Warn about high retention with sensitive data
+        if (manifest.dataPolicy &&
+            manifest.dataPolicy.dataSensitivity === 'restricted' &&
+            manifest.dataPolicy.retentionDays > 30) {
+            warnings.push({
+                code: 'HIGH_RETENTION_SENSITIVE',
+                field: 'dataPolicy.retentionDays',
+                message: `Retention of ${manifest.dataPolicy.retentionDays} days is high for restricted data`,
+                severity: 'warning',
+            });
+        }
+        // Warn if no trace level is set to full but artifacts are emitted
+        if (manifest.observability &&
+            manifest.observability.emitArtifacts &&
+            manifest.observability.traceLevel === 'none') {
+            warnings.push({
+                code: 'ARTIFACTS_WITHOUT_TRACING',
+                field: 'observability',
+                message: 'Artifact emission is enabled but trace level is "none"',
+                severity: 'warning',
+            });
+        }
+        return warnings;
+    }
+}
+// ============================================================================
+// ConformanceSuite
+// ============================================================================
+/**
+ * Runs golden traces through an evaluator and reports conformance.
+ *
+ * Each trace contains events with expected outcomes. The suite feeds every
+ * event to the evaluator and compares the actual decision to the expectation.
+ */
+export class ConformanceSuite {
+    traces = [];
+    /**
+     * Add a golden trace to the suite.
+     */
+    addTrace(trace) {
+        this.traces.push(trace);
+    }
+    /**
+     * Run every event in every trace through the evaluator and compare
+     * actual decisions against expected outcomes.
+     */
+    run(evaluator) {
+        let totalEvents = 0;
+        let matchedEvents = 0;
+        const mismatches = [];
+        for (const trace of this.traces) {
+            for (const event of trace.events) {
+                totalEvents++;
+                const { decision, details } = evaluator(event);
+                const expected = trace.expectedDecisions[String(event.seq)] ?? event.expectedOutcome;
+                if (decision === expected) {
+                    matchedEvents++;
+                }
+                else {
+                    mismatches.push({
+                        traceId: trace.traceId,
+                        seq: event.seq,
+                        expected,
+                        actual: decision,
+                        details,
+                    });
+                }
+            }
+        }
+        return {
+            passed: mismatches.length === 0,
+            totalEvents,
+            matchedEvents,
+            mismatches,
+        };
+    }
+    /**
+     * Get all registered traces.
+     */
+    getTraces() {
+        return [...this.traces];
+    }
+    /**
+     * Create built-in default golden traces that verify core platform invariants:
+     *
+     * 1. Destructive command blocked
+     * 2. Secret detected and blocked
+     * 3. Budget exceeded and denied
+     * 4. Memory write without evidence blocked
+     * 5. Valid operation allowed
+     */
+    createDefaultTraces() {
+        const traces = [
+            // Trace 1: Destructive command must be blocked
+            {
+                traceId: 'default-destructive-blocked',
+                name: 'Destructive command blocked',
+                description: 'Verifies that destructive commands (rm -rf, DROP TABLE) are denied',
+                events: [
+                    {
+                        seq: 1,
+                        eventType: 'command',
+                        payload: { command: 'rm -rf /', tool: 'Bash' },
+                        expectedOutcome: 'deny',
+                    },
+                    {
+                        seq: 2,
+                        eventType: 'command',
+                        payload: { command: 'DROP TABLE users', tool: 'Bash' },
+                        expectedOutcome: 'deny',
+                    },
+                    {
+                        seq: 3,
+                        eventType: 'command',
+                        payload: { command: 'git push --force origin main', tool: 'Bash' },
+                        expectedOutcome: 'deny',
+                    },
+                ],
+                expectedDecisions: { '1': 'deny', '2': 'deny', '3': 'deny' },
+                expectedMemoryLineage: {},
+            },
+            // Trace 2: Secret detected and blocked
+            {
+                traceId: 'default-secret-blocked',
+                name: 'Secret detected and blocked',
+                description: 'Verifies that secrets in tool parameters are detected and blocked',
+                events: [
+                    {
+                        seq: 1,
+                        eventType: 'tool-use',
+                        payload: {
+                            tool: 'Write',
+                            params: { content: 'api_key = "sk-abc123456789012345678901234567890"' },
+                        },
+                        expectedOutcome: 'deny',
+                    },
+                    {
+                        seq: 2,
+                        eventType: 'tool-use',
+                        payload: {
+                            tool: 'Edit',
+                            params: { content: '-----BEGIN RSA PRIVATE KEY-----' },
+                        },
+                        expectedOutcome: 'deny',
+                    },
+                ],
+                expectedDecisions: { '1': 'deny', '2': 'deny' },
+                expectedMemoryLineage: {},
+            },
+            // Trace 3: Budget exceeded and denied
+            {
+                traceId: 'default-budget-exceeded',
+                name: 'Budget exceeded and denied',
+                description: 'Verifies that operations exceeding budget limits are denied',
+                events: [
+                    {
+                        seq: 1,
+                        eventType: 'budget-check',
+                        payload: {
+                            resource: 'toolCalls',
+                            current: 999,
+                            limit: 1000,
+                            requested: 5,
+                        },
+                        expectedOutcome: 'deny',
+                    },
+                    {
+                        seq: 2,
+                        eventType: 'budget-check',
+                        payload: {
+                            resource: 'wallClockSeconds',
+                            current: 3500,
+                            limit: 3600,
+                            requested: 200,
+                        },
+                        expectedOutcome: 'deny',
+                    },
+                ],
+                expectedDecisions: { '1': 'deny', '2': 'deny' },
+                expectedMemoryLineage: {},
+            },
+            // Trace 4: Memory write without evidence blocked
+            {
+                traceId: 'default-memory-no-evidence',
+                name: 'Memory write without evidence blocked',
+                description: 'Verifies that memory writes without proof/evidence trail are denied',
+                events: [
+                    {
+                        seq: 1,
+                        eventType: 'memory-write',
+                        payload: {
+                            key: 'critical-decision',
+                            namespace: 'coordination',
+                            hasEvidence: false,
+                            coherenceScore: 0.3,
+                        },
+                        expectedOutcome: 'deny',
+                    },
+                    {
+                        seq: 2,
+                        eventType: 'memory-write',
+                        payload: {
+                            key: 'hallucinated-data',
+                            namespace: 'facts',
+                            hasEvidence: false,
+                            antiHallucinationPassed: false,
+                        },
+                        expectedOutcome: 'deny',
+                    },
+                ],
+                expectedDecisions: { '1': 'deny', '2': 'deny' },
+                expectedMemoryLineage: {
+                    'critical-decision': ['initial-assessment', 'root-task'],
+                },
+            },
+            // Trace 5: Valid operation allowed
+            {
+                traceId: 'default-valid-allowed',
+                name: 'Valid operation allowed',
+                description: 'Verifies that well-formed, safe operations are allowed through',
+                events: [
+                    {
+                        seq: 1,
+                        eventType: 'command',
+                        payload: { command: 'git status', tool: 'Bash' },
+                        expectedOutcome: 'allow',
+                    },
+                    {
+                        seq: 2,
+                        eventType: 'tool-use',
+                        payload: {
+                            tool: 'Read',
+                            params: { file_path: '/home/user/project/src/index.ts' },
+                        },
+                        expectedOutcome: 'allow',
+                    },
+                    {
+                        seq: 3,
+                        eventType: 'memory-write',
+                        payload: {
+                            key: 'agent-status',
+                            namespace: 'coordination',
+                            hasEvidence: true,
+                            coherenceScore: 0.95,
+                            antiHallucinationPassed: true,
+                        },
+                        expectedOutcome: 'allow',
+                    },
+                ],
+                expectedDecisions: { '1': 'allow', '2': 'allow', '3': 'allow' },
+                expectedMemoryLineage: {},
+            },
+        ];
+        return traces;
+    }
+}
+// ============================================================================
+// Factory Functions
+// ============================================================================
+/**
+ * Create a new ManifestValidator instance.
+ */
+export function createManifestValidator(options) {
+    return new ManifestValidator(options);
+}
+/**
+ * Create a new ConformanceSuite instance, optionally pre-loaded with default traces.
+ */
+export function createConformanceSuite(options) {
+    const suite = new ConformanceSuite();
+    if (options?.includeDefaults) {
+        for (const trace of suite.createDefaultTraces()) {
+            suite.addTrace(trace);
+        }
+    }
+    return suite;
+}
+//# sourceMappingURL=manifest-validator.js.map