agentmesh-reputation-gate 0.2.0

Reputation-gated authority resolver for AgentMesh. Composes trust scoring with delegation chains via monotonic narrowing.

agentmesh-reputation-gate

Reputation-gated authority resolver for AgentMesh. Implements the AuthorityResolver protocol from microsoft/agent-governance-toolkit#275.

Composes AgentMesh's TrustManager scoring (0-1000) with delegation chains via component-wise monotonic narrowing: effective authority is the intersection of delegated capabilities and trust-tier permissions.

Design proposal: PR #274 (merged into main)

How it works

Agent requests action
  -> delegation.verify()           # existing AgentMesh
  -> trust_manager.get_score()     # existing AgentMesh
  -> resolve_effective_authority()  # THIS PACKAGE
     capability scope = delegation ∩ tier_allowed
     spend limit = min(delegation, tier_cap)
  -> allow / allow_narrowed / deny / audit

Install

pip install agentmesh-reputation-gate

Quick start

from agentmesh_reputation_gate import (
    AuthorityResolver, DelegationInfo, TrustInfo, ActionRequest
)

resolver = AuthorityResolver()

decision = resolver.resolve(
    delegation=DelegationInfo(
        delegation_id="d1",
        delegator_id="alice",
        agent_id="bot-1",
        capabilities=["read:data", "write:reports", "financial:low"],
        spend_limit=500.0,
    ),
    trust=TrustInfo(agent_id="bot-1", score=450),  # Standard tier
    action=ActionRequest(agent_id="bot-1", action="read:data"),
)

print(decision.decision)          # Decision.ALLOW
print(decision.effective_scope)   # ('read:data', 'write:reports')  -- financial:low excluded
print(decision.effective_spend_limit)  # 100.0  -- tier caps at $100
print(decision.trust_tier)        # "standard"

AgentMesh protocol integration

For use with PolicyEngine.set_authority_resolver():

from agentmesh_reputation_gate import AuthorityResolver, AuthorityRequest

resolver = AuthorityResolver()

# Single-arg form matching AgentMesh protocol
request = AuthorityRequest(delegation=d, trust=t, action=a)
decision = resolver.resolve(request)

Both calling conventions produce identical results.

6 Invariants

Every resolution enforces these properties:

1. No widening -- effective authority never exceeds delegated authority
2. Trust monotonicity -- lower trust never increases effective authority
3. Revocation precedence -- revoked delegations always deny
4. Enforcement freshness -- uses current trust score, not cached
5. Deterministic resolution -- same inputs produce same output
6. Lineage bound -- child trust <= parent trust at delegation time

Decision types

Decision	Meaning
allow	Action permitted as requested
allow_narrowed	Action permitted but parameters were capped
deny	Action blocked by trust-tier or delegation limits
audit	Action permitted but logged for review

Default tier map

Tier	Score	Capabilities	Spend cap
Untrusted	0-199	read:own	$0
Limited	200-399	read:*, write:own	$10
Standard	400-599	read:*, write:shared, execute:bounded	$100
Trusted	600-799	Above + financial:low, admin:observability	$1,000
Privileged	800-1000	Above + admin:policy, admin:identity, financial:high	Delegation limit

Custom tiers: pass your own list[TierDefinition] to AuthorityResolver(tiers=...).

Capability matching

• read:data -- exact match only
• read:* -- single-level wildcard (covers read:data, not read:data:sensitive)
• read:** -- recursive wildcard (covers any depth)
• admin:* does NOT imply read:* (no implicit inheritance)
• Intersection always produces the narrower bound

Tests

PYTHONPATH=src python3 -m pytest tests/ -v

62 tests covering all 6 invariants, capability matching, tier resolution, wildcard intersection, agent identity checks, lineage bound enforcement, adversarial inputs, and AgentMesh protocol compatibility.

References

• Reputation-Gated Authority ADR (merged PR #274)
• AuthorityResolver interface (issue #275)
• Agent Passport System -- source implementation
• Monotonic Narrowing paper

License

MIT