/** * Tier 0: Invariant Enforcement * * Hard boundaries that enforce what a skill is ALLOWED to do, * regardless of what its description says or how it phrases requests. * * This is NOT pattern matching. It is permission checking. * A skill declares capabilities in its manifest. Any action outside * the manifest is immediately denied with severity=critical. * * Inspired by Tesla's AEB (Automatic Emergency Braking): * it doesn't care what the neural network thinks -- it enforces physics. * * @module agent-threat-rules/tier0-invariant */ import type { AgentEvent, ATRMatch } from './types.js'; /** Skill capability manifest -- declares what a skill is allowed to do */ export interface SkillManifest { readonly skillId: string; readonly allowedPaths?: readonly string[]; readonly allowedHosts?: readonly string[]; readonly allowedEnvVars?: readonly string[]; readonly allowedCommands?: readonly string[]; readonly maxNetworkCalls?: number; readonly allowConfigModification?: boolean; } export type InvariantViolationType = 'path_scope' | 'host_scope' | 'env_scope' | 'command_scope' | 'config_modification' | 'network_limit'; /** Result when an invariant is violated */ export interface InvariantViolation { readonly skillId: string; readonly violationType: InvariantViolationType; readonly description: string; readonly observedValue: string; readonly allowedValues: readonly string[]; } export declare class InvariantChecker { private readonly manifests; constructor(manifests: ReadonlyMap | SkillManifest[]); /** * Check an event against the skill's manifest. * Returns empty array if no violations (or no manifest for the skill). */ check(event: AgentEvent): readonly InvariantViolation[]; /** Build a synthetic ATRMatch from an invariant violation */ buildDenyMatch(violation: InvariantViolation): ATRMatch; /** Resolve skill ID from event metadata */ private resolveSkillId; } //# sourceMappingURL=tier0-invariant.d.ts.map