open-multi-agent-kit 0.78.2 → 0.78.3

package/dist/providers/router.js

@@ -1,3 +1,4 @@
+import { PROVIDER_CAPABILITY_ORDINAL } from "../contracts/provider-health.js";
 import { DEFAULT_AUTHORITY_PROVIDER, resolveFallbackProvider } from "./types.js";
 const DEEPSEEK_READ_ONLY_ROLES = new Set([
     "explorer",
@@ -41,7 +42,17 @@ export function routeProvider(input) {
     const role = input.role.toLowerCase();
     const seed = `${input.nodeId ?? ""}:${role}:${input.taskType}`;
     const authorityProvider = resolveFallbackProvider(input.authorityProvider);
-    const authorityDecision = (reason, confidence, deepseek, extra = {}) => authorityProviderDecision(authorityProvider, reason, confidence, deepseek, extra);
+    const authorityVector = input.providerHealthVectors?.[authorityProvider];
+    const authorityProviderAllowed = providerVectorAllowsAuthority(authorityVector);
+    const authorityProviderFallbackOnly = authorityVector
+        ? !providerVectorQuotaOk(authorityVector) && providerVectorAllowsDirect(authorityVector)
+        : false;
+    const authorityDecision = (reason, confidence, deepseek, extra = {}) => {
+        if (!authorityProviderAllowed || authorityProviderFallbackOnly) {
+            return authorityProviderDecision(authorityProvider, `${providerLabel(authorityProvider)} ${authorityProviderFallbackOnly ? "quota exhausted" : "auth insufficient"}; using fallback-only route`, Math.max(0.5, confidence - 0.15), deepseek, extra);
+        }
+        return authorityProviderDecision(authorityProvider, reason, confidence, deepseek, extra);
+    };
     const directDeepSeekAllowed = canUseDirectDeepSeek(role, input);
     const dedicatedDeepSeekAgent = isDedicatedDeepSeekAgent(input);
     const withRouteEnsemble = (decision, winner) => ({
@@ -60,6 +71,11 @@ export function routeProvider(input) {
     if (role === "orchestrator" || role === "merger" || role === "integrator") {
         return withRouteEnsemble(authorityDecision("Core orchestration and merge authority stay with the configured authority provider", 1), "safety-gate");
     }
+    // Hard constraint: if authority provider is blocked by vector, skip to safety gate
+    // unless an explicit, fully-available external provider is requested.
+    if (!authorityProviderAllowed && !requestedExternalProvider(input)) {
+        return withRouteEnsemble(authorityProviderDecision(authorityProvider, `${providerLabel(authorityProvider)} auth/quota insufficient for authority lanes; safety gate active`, 0.5), "safety-gate");
+    }
     const externalProvider = requestedExternalProvider(input);
     if (externalProvider) {
         if (!isProviderAvailable(input, externalProvider)) {
@@ -69,6 +85,12 @@ export function routeProvider(input) {
         }
         // If the external provider is the authority provider, route to it as authority
         if (externalProvider === authorityProvider) {
+            // Hard constraint: auth != ok → exclude authority lanes
+            if (!authorityProviderAllowed) {
+                return withRouteEnsemble(authorityDecision(`${providerLabel(externalProvider)} auth/quota insufficient for authority; using configured fallback`, 0.86, undefined, {
+                    providerModel: genericProviderModelRef(input, externalProvider, "veto"),
+                }), "safety-gate");
+            }
             return withRouteEnsemble(authorityDecision(`${providerLabel(externalProvider)} is the configured authority provider`, 0.9, undefined, {
                 providerModel: genericProviderModelRef(input, externalProvider, "authority"),
             }), "authority-provider");
@@ -178,8 +200,48 @@ function requestedExternalProvider(input) {
 function isGenericExternalProvider(value) {
     return typeof value === "string" && value !== "auto" && value !== "kimi" && value !== "deepseek";
 }
+function providerVectorMeets(vector, minState) {
+    if (!vector)
+        return true;
+    const current = PROVIDER_CAPABILITY_ORDINAL[vector.auth];
+    const required = PROVIDER_CAPABILITY_ORDINAL[minState];
+    return current >= required;
+}
+function providerVectorQuotaOk(vector) {
+    if (!vector)
+        return true;
+    return PROVIDER_CAPABILITY_ORDINAL[vector.quota] >= PROVIDER_CAPABILITY_ORDINAL["quota_available"];
+}
+function providerVectorAllowsAuthority(vector) {
+    if (!vector)
+        return true;
+    return (PROVIDER_CAPABILITY_ORDINAL[vector.auth] >= PROVIDER_CAPABILITY_ORDINAL["auth_valid"] &&
+        PROVIDER_CAPABILITY_ORDINAL[vector.model] >= PROVIDER_CAPABILITY_ORDINAL["model_available"] &&
+        PROVIDER_CAPABILITY_ORDINAL[vector.quota] >= PROVIDER_CAPABILITY_ORDINAL["quota_available"]);
+}
+function providerVectorAllowsDirect(vector) {
+    if (!vector)
+        return true;
+    return (PROVIDER_CAPABILITY_ORDINAL[vector.auth] >= PROVIDER_CAPABILITY_ORDINAL["auth_valid"] &&
+        PROVIDER_CAPABILITY_ORDINAL[vector.model] >= PROVIDER_CAPABILITY_ORDINAL["model_available"] &&
+        PROVIDER_CAPABILITY_ORDINAL[vector.quota] >= PROVIDER_CAPABILITY_ORDINAL["quota_available"]);
+}
+function providerVectorAllowsAdvisory(vector) {
+    if (!vector)
+        return true;
+    return PROVIDER_CAPABILITY_ORDINAL[vector.auth] >= PROVIDER_CAPABILITY_ORDINAL["auth_present"];
+}
 function isProviderAvailable(input, provider) {
     const explicit = input.providerAvailability?.[provider];
+    const vector = input.providerHealthVectors?.[provider];
+    if (vector) {
+        // Hard constraint: quota exhausted → fallback only (not fully available)
+        if (!providerVectorQuotaOk(vector))
+            return false;
+        // Hard constraint: auth not valid → not available for any lane
+        if (PROVIDER_CAPABILITY_ORDINAL[vector.auth] < PROVIDER_CAPABILITY_ORDINAL["auth_valid"])
+            return false;
+    }
     return explicit === undefined ? true : explicit;
 }
 function canUseGenericDirectProvider(role, input) {
@@ -187,7 +249,15 @@ function canUseGenericDirectProvider(role, input) {
         return false;
     if (input.needsMcp || input.needsToolCalling)
         return false;
-    return input.readOnly === true || GENERIC_EXTERNAL_READ_ONLY_ROLES.has(role);
+    if (!input.readOnly && !GENERIC_EXTERNAL_READ_ONLY_ROLES.has(role))
+        return false;
+    const externalProvider = requestedExternalProvider(input);
+    if (externalProvider) {
+        const vector = input.providerHealthVectors?.[externalProvider];
+        if (vector && !providerVectorAllowsDirect(vector))
+            return false;
+    }
+    return true;
 }
 function canUseGenericAdvisoryProvider(role, input) {
     if (!GENERIC_EXTERNAL_ADVISORY_FILE_ROLES.has(role))
@@ -196,6 +266,12 @@ function canUseGenericAdvisoryProvider(role, input) {
         return false;
     if (input.needsMcp || input.needsToolCalling)
         return false;
+    const externalProvider = requestedExternalProvider(input);
+    if (externalProvider) {
+        const vector = input.providerHealthVectors?.[externalProvider];
+        if (vector && !providerVectorAllowsAdvisory(vector))
+            return false;
+    }
     return true;
 }
 function canUseDeepSeekProAdvisory(role, input) {
@@ -205,12 +281,20 @@ function canUseDeepSeekProAdvisory(role, input) {
         return false;
     if (input.needsMcp || input.needsToolCalling)
         return false;
+    const vector = input.providerHealthVectors?.["deepseek"];
+    if (vector && !providerVectorAllowsAdvisory(vector))
+        return false;
     return true;
 }
 function canUseDirectDeepSeek(role, input) {
     if (input.risk !== "read")
         return false;
-    return input.readOnly === true || DEEPSEEK_READ_ONLY_ROLES.has(role);
+    if (!(input.readOnly === true || DEEPSEEK_READ_ONLY_ROLES.has(role)))
+        return false;
+    const vector = input.providerHealthVectors?.["deepseek"];
+    if (vector && !providerVectorAllowsDirect(vector))
+        return false;
+    return true;
 }
 function buildProviderRouteEnsemble(options) {
     const { input, role, decision, winner, directDeepSeekAllowed } = options;

package/dist/providers/types.d.ts

@@ -71,6 +71,8 @@ export interface ProviderRouteInput {
     authorityProvider?: ProviderId;
     preferredModel?: string;
     preferredDeepSeekTier?: DeepSeekModelTier;
+    /** v2 capability vectors for hard-constraint filtering. */
+    providerHealthVectors?: Partial<Record<ProviderId, import("../contracts/provider-health.js").ProviderHealthVector>>;
 }
 export interface ProviderRouteDecision {
     provider: ProviderId;
@@ -90,6 +92,8 @@ export interface ProviderAvailability {
     checkedAt: number;
     reason?: string;
     disableForRun: boolean;
+    /** v2 capability vector (optional; present when profiler v2 is active). */
+    healthVector?: import("../contracts/provider-health.js").ProviderHealthVector;
 }
 export interface AgentProvider {
     id: ProviderId;

package/dist/runtime/provider-maturity-gate.d.ts

@@ -6,6 +6,7 @@
  * verdict.
  */
 import type { AdapterTestKind, AdapterTestResult, ProviderAuthorityClass } from "./contracts/evidence.js";
+import type { ProviderHealthVector } from "../contracts/provider-health.js";
 /** Maturity evaluation result for a single provider. */
 export interface MaturityResult {
     /** Computed maturity score M_p ∈ [0, 1]. */
@@ -39,3 +40,4 @@ export interface ProviderMaturityTable {
 }
 export declare function createProviderMaturityTable(): ProviderMaturityTable;
 export declare function createProviderMaturityGate(): ProviderMaturityGate;
+export declare function evaluateProviderFromVector(gate: ProviderMaturityGate, vector: ProviderHealthVector): MaturityResult;

package/dist/runtime/provider-maturity-gate.js

@@ -5,6 +5,7 @@
  * produces a maturity score M_p, an authority class, and a pass/fail
  * verdict.
  */
+import { PROVIDER_CAPABILITY_ORDINAL } from "../contracts/provider-health.js";
 // ── Constants ───────────────────────────────────────────────────
 const WEIGHT_AUTH = 0.10;
 const WEIGHT_READ = 0.10;
@@ -72,6 +73,30 @@ export function createProviderMaturityTable() {
         },
     };
 }
+function vectorToAdapterResults(vector) {
+    const authOrdinal = PROVIDER_CAPABILITY_ORDINAL[vector.auth];
+    const binaryOrdinal = PROVIDER_CAPABILITY_ORDINAL[vector.binary];
+    const modelOrdinal = PROVIDER_CAPABILITY_ORDINAL[vector.model];
+    const quotaOrdinal = PROVIDER_CAPABILITY_ORDINAL[vector.quota];
+    const authScore = authOrdinal >= PROVIDER_CAPABILITY_ORDINAL["auth_valid"] ? 1.0 : authOrdinal / PROVIDER_CAPABILITY_ORDINAL["auth_valid"];
+    const readScore = vector.supportsRead ? 1.0 : 0.0;
+    const writeScore = vector.supportsWrite ? 1.0 : 0.0;
+    const shellScore = vector.supportsShell ? 1.0 : 0.0;
+    const mcpScore = binaryOrdinal >= PROVIDER_CAPABILITY_ORDINAL["tool_contract_verified"] ? 1.0 : binaryOrdinal / PROVIDER_CAPABILITY_ORDINAL["tool_contract_verified"];
+    const mergeScore = vector.evidencePassRate7d;
+    const evidenceScore = vector.evidencePassRate7d;
+    const fallbackScore = 1.0 - vector.failureEwma;
+    return [
+        { kind: "auth", passed: authScore >= 0.5, score: authScore },
+        { kind: "read", passed: readScore >= 0.5, score: readScore },
+        { kind: "write", passed: writeScore >= 0.5, score: writeScore },
+        { kind: "shell", passed: shellScore >= 0.5, score: shellScore },
+        { kind: "mcp", passed: mcpScore >= 0.5, score: mcpScore },
+        { kind: "merge", passed: mergeScore >= 0.5, score: mergeScore },
+        { kind: "evidence", passed: evidenceScore >= 0.5, score: evidenceScore },
+        { kind: "fallback", passed: fallbackScore >= 0.5, score: fallbackScore },
+    ];
+}
 export function createProviderMaturityGate() {
     return {
         evaluate(results) {
@@ -99,3 +124,6 @@ export function createProviderMaturityGate() {
         },
     };
 }
+export function evaluateProviderFromVector(gate, vector) {
+    return gate.evaluate(vectorToAdapterResults(vector));
+}

package/dist/runtime/tool-dispatch-contracts.d.ts

@@ -1,6 +1,7 @@
 import type { OmkToolCall, OmkToolDefinition } from "./tool-registry-contract.js";
-import { type ToolAuthorityDecision, type ToolOp } from "../safety/tool-authority-gate.js";
+import { type ToolAuthorityDecision, type ToolOp, type ToolOpV2 } from "../safety/tool-authority-gate.js";
 import type { ProviderAuthorityLevel } from "../contracts/provider-health.js";
+import type { EnforcementProof } from "../safety/enforcement-engine.js";
 export interface ToolDispatchResult<R = unknown> {
     readonly call: OmkToolCall;
     readonly status: "fulfilled" | "rejected";
@@ -15,13 +16,15 @@ export type ToolAuthorityMode = "shadow" | "enforce";
  */
 export interface ToolAuthorityDecisionRecord {
     readonly toolName: string;
-    readonly op: ToolOp;
+    readonly op: ToolOp | ToolOpV2;
     readonly decision: ToolAuthorityDecision;
     readonly mode: ToolAuthorityMode;
     /** True only when the verdict actually rejected the call (enforce + block). */
     readonly enforced: boolean;
     /** Redacted, human-readable reason. Never includes args or secret values. */
     readonly reason: string;
+    /** v2 enforcement proof hash when available. */
+    readonly policyHash?: string;
 }
 /**
  * Authority wiring for one dispatch turn. All inputs are non-secret enum/bool
@@ -42,6 +45,12 @@ export interface ToolAuthorityWiring {
     readonly enforce?: boolean;
     /** Optional sink for computed verdicts (invoked in both shadow and enforce). */
     readonly onDecision?: (record: ToolAuthorityDecisionRecord) => void;
+    /**
+     * v2 enforcement proof from the adapter / runtime.
+     * When present, the gate uses policy-dependent capability resolution.
+     * Runtimes without a valid proof cannot enter authority lanes.
+     */
+    readonly enforcementProof?: EnforcementProof;
 }
 /**
  * Resolve the global enforcement opt-in from the environment. Default OFF means
@@ -52,8 +61,9 @@ export declare function resolveToolAuthorityEnforcement(env?: Record<string, str
 /** Error used to reject a tool call rejected by the authority gate (enforce mode). */
 export declare class ToolAuthorityBlockedError extends Error {
     readonly toolName: string;
-    readonly op: ToolOp;
+    readonly op: ToolOp | ToolOpV2;
     readonly decision: ToolAuthorityDecision;
+    readonly policyHash?: string;
     constructor(record: ToolAuthorityDecisionRecord);
 }
 /** Compute the gate verdict for a single call. Pure (no IO, no env reads). */
@@ -61,4 +71,15 @@ export declare function evaluateToolAuthority(toolName: string, wiring: ToolAuth
     readonly record: ToolAuthorityDecisionRecord;
     readonly blocked: boolean;
 };
+/**
+ * Compute the gate verdict for a single call using v2 enforcement proof.
+ * Pure (no IO, no env reads).
+ *
+ * If `enforcementProof` is present, the gate uses policy-dependent capability
+ * resolution. Runtimes without a valid proof cannot enter authority lanes.
+ */
+export declare function evaluateToolAuthorityV2(toolName: string, wiring: ToolAuthorityWiring): {
+    readonly record: ToolAuthorityDecisionRecord;
+    readonly blocked: boolean;
+};
 export declare function dispatchToolCallsByContract<A, R>(calls: readonly OmkToolCall<A>[], registry: ReadonlyMap<string, OmkToolDefinition<A, R>>, dispatchOne: (call: OmkToolCall<A>) => Promise<R>, authority?: ToolAuthorityWiring): Promise<ToolDispatchResult<R>[]>;

package/dist/runtime/tool-dispatch-contracts.js

@@ -1,5 +1,5 @@
 import { createToolExecutionBatches } from "./tool-registry-contract.js";
-import { decideToolAuthority, mapToolNameToOp, } from "../safety/tool-authority-gate.js";
+import { decideToolAuthority, decideToolAuthorityV2, mapToolNameToOp, } from "../safety/tool-authority-gate.js";
 const ENFORCE_PATTERN = /^(1|true|yes|on)$/i;
 /**
  * Resolve the global enforcement opt-in from the environment. Default OFF means
@@ -20,12 +20,14 @@ export class ToolAuthorityBlockedError extends Error {
     toolName;
     op;
     decision;
+    policyHash;
     constructor(record) {
         super(record.reason);
         this.name = "ToolAuthorityBlockedError";
         this.toolName = record.toolName;
         this.op = record.op;
         this.decision = record.decision;
+        this.policyHash = record.policyHash;
     }
 }
 /** Compute the gate verdict for a single call. Pure (no IO, no env reads). */
@@ -57,6 +59,44 @@ export function evaluateToolAuthority(toolName, wiring) {
         blocked,
     };
 }
+/**
+ * Compute the gate verdict for a single call using v2 enforcement proof.
+ * Pure (no IO, no env reads).
+ *
+ * If `enforcementProof` is present, the gate uses policy-dependent capability
+ * resolution. Runtimes without a valid proof cannot enter authority lanes.
+ */
+export function evaluateToolAuthorityV2(toolName, wiring) {
+    const op = mapToolNameToOp(toolName);
+    if (wiring.enforcementProof) {
+        const decision = decideToolAuthorityV2({
+            op,
+            writeAuthority: wiring.writeAuthority,
+            shellAuthority: wiring.shellAuthority,
+            approvalPolicy: wiring.approvalPolicy,
+            sandboxMode: wiring.sandboxMode,
+            tty: wiring.tty,
+            enforcementProof: wiring.enforcementProof,
+        });
+        const enforce = wiring.enforce === true;
+        const wouldBlock = decision === "block" || (decision === "ask" && !wiring.tty);
+        const blocked = enforce && wouldBlock;
+        return {
+            record: {
+                toolName,
+                op,
+                decision,
+                mode: enforce ? "enforce" : "shadow",
+                enforced: blocked,
+                reason: redactedAuthorityReason(op, decision, wiring),
+                policyHash: wiring.enforcementProof.policyHash,
+            },
+            blocked,
+        };
+    }
+    // Fall back to legacy evaluation when no proof is present.
+    return evaluateToolAuthority(toolName, wiring);
+}
 /**
  * Wrap a dispatch function with the authority checkpoint. In shadow mode the
  * wrapper records the verdict and always delegates to `dispatchOne`. In enforce
@@ -64,7 +104,7 @@ export function evaluateToolAuthority(toolName, wiring) {
  */
 function buildGatedDispatch(wiring, dispatchOne) {
     return async (call) => {
-        const { record, blocked } = evaluateToolAuthority(call.toolName, wiring);
+        const { record, blocked } = evaluateToolAuthorityV2(call.toolName, wiring);
         wiring.onDecision?.(record);
         if (blocked) {
             throw new ToolAuthorityBlockedError(record);

package/dist/runtime/weakness-remediation-index.d.ts

@@ -5,7 +5,7 @@
 export { type IntegrationResultKind, type WeaknessRemediationState, type AdvancedControlLoopInput, type AdvancedControlLoopResult, type AdvancedControlLoop, type AdvancedControlLoopOptions, createAdvancedControlLoop, } from "./advanced-control-loop.js";
 export { type SurfaceItem, type ScoredSurfaceItem, type MandatoryAnchor, type CompressionResult, type PublicSurfaceCompressorOptions, computeSurfaceScore, enforceFlowInvariant, PublicSurfaceCompressor, } from "./public-surface.js";
 export { type ProofBundleScores, type TrustScoreResult, type ProofBundleTrustEngine, type DeriveScoresOptions, createProofBundleTrustEngine, } from "./proof-bundle-trust.js";
-export { type MaturityResult, type ProviderMaturityGate, createProviderMaturityGate, } from "./provider-maturity-gate.js";
+export { type MaturityResult, type ProviderMaturityGate, createProviderMaturityGate, evaluateProviderFromVector, } from "./provider-maturity-gate.js";
 export { type RuntimeScoreV2, type RuntimeRouterDecisionV2, type RouterV2Options, type RouterV2ScoringEngine, type BlastRadiusParams, type EvidenceHistoryEntry, type NodeIntent, } from "./contracts/router-v2.js";
 export { createRouterV2ScoringEngine, } from "./router-v2-scoring.js";
 export { type ReleasePromotionInputs, type ReleasePromotionResult, type ReleaseVerdict, RELEASE_GATE_WEIGHTS, TAU_EVIDENCE, TAU_EVIDENCE_HIGH, TAU_PROOF, TAU_STABLE, BETA_PRIOR_ALPHA0, BETA_PRIOR_BETA0, SURFACE_BUDGET_K, } from "./contracts/weakness-remediation.js";

package/dist/runtime/weakness-remediation-index.js

@@ -5,7 +5,7 @@
 export { createAdvancedControlLoop, } from "./advanced-control-loop.js";
 export { computeSurfaceScore, enforceFlowInvariant, PublicSurfaceCompressor, } from "./public-surface.js";
 export { createProofBundleTrustEngine, } from "./proof-bundle-trust.js";
-export { createProviderMaturityGate, } from "./provider-maturity-gate.js";
+export { createProviderMaturityGate, evaluateProviderFromVector, } from "./provider-maturity-gate.js";
 export { createRouterV2ScoringEngine, } from "./router-v2-scoring.js";
 export { RELEASE_GATE_WEIGHTS, TAU_EVIDENCE, TAU_EVIDENCE_HIGH, TAU_PROOF, TAU_STABLE, BETA_PRIOR_ALPHA0, BETA_PRIOR_BETA0, SURFACE_BUDGET_K, } from "./contracts/weakness-remediation.js";
 export { createReleasePromotionGate, } from "../cli/release-promotion-gate.js";

package/dist/safety/enforcement-engine.d.ts

@@ -0,0 +1,89 @@
+/**
+ * Policy / Sandbox Enforcement Engine v2
+ *
+ * Capability lattice with conservative policy combination.
+ * effectivePolicy = minByAuthority(userPolicy, repoPolicy, providerPolicy, adapterPolicy, riskPolicy)
+ *
+ * Conservative by default. Any ambiguity → block.
+ */
+export type SandboxCapability = "read" | "write" | "shell" | "network" | "secret_read" | "secret_write" | "merge" | "publish";
+export declare const ALL_CAPABILITIES: readonly SandboxCapability[];
+export type CapabilityLevel = "none" | "advisory" | "direct" | "full";
+export interface CapabilityLattice {
+    read: CapabilityLevel;
+    write: CapabilityLevel;
+    shell: CapabilityLevel;
+    network: CapabilityLevel;
+    secret_read: CapabilityLevel;
+    secret_write: CapabilityLevel;
+    merge: CapabilityLevel;
+    publish: CapabilityLevel;
+}
+export type SandboxMode = "read-only" | "workspace-write" | "network-isolated" | "unrestricted";
+export type ApprovalPolicy = "interactive" | "auto" | "yolo" | "block";
+export interface PolicyLayer {
+    readonly source: "user" | "repo" | "provider" | "adapter" | "risk";
+    /** Partial lattice — omitted capabilities mean "no opinion" (inherit from other layers). */
+    readonly lattice: Partial<CapabilityLattice>;
+    readonly sandboxMode?: SandboxMode;
+    readonly approvalPolicy?: ApprovalPolicy;
+}
+export interface CombinedPolicy {
+    readonly lattice: Readonly<CapabilityLattice>;
+    readonly sandboxMode: SandboxMode;
+    readonly approvalPolicy: ApprovalPolicy;
+    /** Ordered list of sources that contributed to the combination. */
+    readonly sources: readonly PolicyLayer["source"][];
+}
+export interface EnforcementProof {
+    readonly sandboxMode: SandboxMode;
+    /** Which policy layers were active in the final combination. */
+    readonly enforcedBy: readonly string[];
+    /** Capabilities fully blocked (level === "none" or sandbox hard floor). */
+    readonly blockedCapabilities: readonly SandboxCapability[];
+    /** Capabilities that require explicit approval (level === "advisory" or interactive policy). */
+    readonly approvalRequired: readonly SandboxCapability[];
+    /** Deterministic hash of the combined policy for audit / replay. */
+    readonly policyHash: string;
+}
+export declare function rankOf(level: CapabilityLevel): number;
+export declare function defaultLattice(): CapabilityLattice;
+/**
+ * Combine multiple policy layers by taking the **most restrictive**
+ * (minimum) authority level for each capability.
+ *
+ * If no layer expresses an opinion on a capability, it defaults to "full".
+ * If any layer expresses a sandbox mode, the most restrictive mode wins.
+ * If any layer expresses an approval policy, the most restrictive wins.
+ */
+export declare function combinePoliciesByMinAuthority(layers: readonly PolicyLayer[]): CombinedPolicy;
+/**
+ * Compute the enforcement proof from a combined policy.
+ *
+ * Rules:
+ * 1. read-only sandbox blocks write, shell, network, merge, publish.
+ * 2. network-isolated sandbox blocks network.
+ * 3. Any capability with level "none" is blocked.
+ * 4. Any capability with level "advisory" requires approval.
+ * 5. interactive policy requires approval for non-read capabilities.
+ * 6. block policy blocks everything except read.
+ */
+export declare function computeEnforcementProof(combined: CombinedPolicy): EnforcementProof;
+/**
+ * Returns true when the runtime/adapter has provided a valid enforcement proof.
+ * Runtimes without enforcement proof cannot enter authority lanes.
+ */
+export declare function hasValidEnforcementProof(proof: unknown): proof is EnforcementProof;
+export declare function policyLayerFromLegacyAuthorities(source: PolicyLayer["source"], options: {
+    writeAuthority?: "none" | "advisory" | "direct" | "full";
+    shellAuthority?: "none" | "advisory" | "direct" | "full";
+    sandboxMode?: SandboxMode;
+    approvalPolicy?: ApprovalPolicy;
+}): PolicyLayer;
+export type ToolOpV2 = "read" | "write" | "shell" | "merge" | "network" | "secret";
+/**
+ * Map a capability-lattice capability to the coarse ToolOp used by the gate.
+ * This preserves backward compatibility with the existing 4-class gate while
+ * allowing the new lattice to express finer-grained restrictions.
+ */
+export declare function capabilityToToolOp(cap: SandboxCapability): ToolOpV2;