Trust tiers
How a verified mandate and hosted reputation resolve to a trust tier — premium, trusted, standard, cautious — that your policy gates on.
A verified mandate resolves to a TrustTier, and your policy can
gate on it (e.g. holdForReviewBelowTier). Tiers are ordered, worst → best.
| Tier | How it's earned |
|---|---|
| premium | A valid, fully-bound mandate — e.g. a Veto mandate with a good signature, decision = approve, exp > now, authorized amount ≥ cart total, and a merchant match. |
| trusted | A valid mandate that binds at a lower assurance (reserved for AP2 / ACP once implemented). |
| standard | No qualifying mandate, but the agent is known to reputation. |
| cautious | No mandate and an unknown agent. |
Two scales
Be careful not to conflate the two ranking scales:
- TrustTier: cautious < standard < trusted < premium. Derived from the mandate.
- ReputationTier: risky < standard < trusted < elite. From the hosted lookup.
Your policy's holdForReviewBelowTier reads the trust tier; minReputationTier reads
the reputation tier.
Using tiers in policy
```ts
import { BALANCED } from '@veto-protocol/checkout';

const policy = {
  ...BALANCED(),
  minReputationTier: 'trusted',    // require at least a trusted reputation
  holdForReviewBelowTier: 'trusted' // anything below trusted → human review
};
```

Unknown or malformed tiers always rank lowest — a missing tier can never accidentally clear a floor. The gate fails safe toward the most cautious interpretation.
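The following is an added worked example, not code from `@veto-protocol/checkout`. It models the tier table above (mandate → trust tier), the two separate ordering scales, and the fail-safe rule that an unknown or missing tier ranks below every floor. The `VerifiedVetoMandate`, `CheckoutContext` and `Policy` shapes, the `gate` function, and the choice to treat a failed reputation floor as `reject` are assumptions made for illustration; the real library's types and outcomes may differ. AP2 / ACP (the `trusted` row) are not modelled since the page marks them as not yet implemented.

```typescript
// Added example: a minimal model of trust-tier resolution and gating.
// Not the library's own code; all shapes below are assumptions.

type TrustTier = 'cautious' | 'standard' | 'trusted' | 'premium';
type ReputationTier = 'risky' | 'standard' | 'trusted' | 'elite';

// Two separate scales, each ordered worst -> best. Array index = rank.
const TRUST_ORDER: readonly TrustTier[] = ['cautious', 'standard', 'trusted', 'premium'];
const REPUTATION_ORDER: readonly ReputationTier[] = ['risky', 'standard', 'trusted', 'elite'];

// Unknown, malformed or missing tiers rank -1: below every real tier, so they
// can never clear a floor. This is the fail-safe behaviour the page describes.
function rank(order: readonly string[], tier: unknown): number {
  return typeof tier === 'string' ? order.indexOf(tier) : -1;
}

// Assumed shape of a Veto mandate whose signature has already been checked.
interface VerifiedVetoMandate {
  kind: 'veto';
  signatureValid: boolean;
  decision: 'approve' | 'deny';
  exp: number;               // expiry, unix seconds (assumed unit)
  authorizedAmount: number;  // amount the mandate authorizes
  merchantId: string;        // merchant the mandate is bound to
}

// Assumed checkout-side context used for the binding checks.
interface CheckoutContext {
  now: number;
  cartTotal: number;
  merchantId: string;
  agentKnownToReputation: boolean;
}

// Resolve the tier per the page's table: a fully-bound Veto mandate is
// premium; otherwise fall back to whether reputation knows the agent.
function resolveTrustTier(mandate: VerifiedVetoMandate | null, ctx: CheckoutContext): TrustTier {
  if (mandate && mandate.kind === 'veto') {
    const fullyBound =
      mandate.signatureValid &&
      mandate.decision === 'approve' &&
      mandate.exp > ctx.now &&
      mandate.authorizedAmount >= ctx.cartTotal &&
      mandate.merchantId === ctx.merchantId;
    if (fullyBound) return 'premium';
  }
  // A mandate failing any binding check contributes nothing.
  return ctx.agentKnownToReputation ? 'standard' : 'cautious';
}

// Only the two tier-related policy knobs are modelled here.
interface Policy {
  minReputationTier?: ReputationTier;
  holdForReviewBelowTier?: TrustTier;
}

type GateOutcome = 'allow' | 'hold_for_review' | 'reject';

// Each knob reads its own scale; tiers are compared by rank, never by string.
// Treating a missed reputation floor as a hard reject is an assumption.
function gate(policy: Policy, trustTier: unknown, reputationTier: unknown): GateOutcome {
  if (policy.minReputationTier !== undefined &&
      rank(REPUTATION_ORDER, reputationTier) < rank(REPUTATION_ORDER, policy.minReputationTier)) {
    return 'reject';
  }
  if (policy.holdForReviewBelowTier !== undefined &&
      rank(TRUST_ORDER, trustTier) < rank(TRUST_ORDER, policy.holdForReviewBelowTier)) {
    return 'hold_for_review';
  }
  return 'allow';
}

// Constructed sample input, matching the page's policy snippet.
const samplePolicy: Policy = { minReputationTier: 'trusted', holdForReviewBelowTier: 'trusted' };
const sampleCtx: CheckoutContext = { now: 1000, cartTotal: 5000, merchantId: 'm_1', agentKnownToReputation: true };
const goodMandate: VerifiedVetoMandate = {
  kind: 'veto', signatureValid: true, decision: 'approve', exp: 2000, authorizedAmount: 5000, merchantId: 'm_1',
};

console.log(resolveTrustTier(goodMandate, sampleCtx));                      // premium
console.log(gate(samplePolicy, resolveTrustTier(goodMandate, sampleCtx), 'elite')); // allow
console.log(gate(samplePolicy, undefined, 'elite'));                        // hold_for_review
```

Two points worth noting in the model: `rank` keeps the two scales apart, so a `trusted` reputation is never mistaken for a `trusted` trust tier, and the `-1` sentinel means a policy floor of `cautious` is the only one a missing trust tier could ever satisfy, which is exactly the most cautious interpretation.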