@atlasent/sdk 1.5.0 → 2.5.0

package/dist/index.d.ts

@@ -1,599 +1,4035 @@
+import { R as RateLimitState, c as AtlaSentClientOptions, E as EvaluateRequest, d as EvaluateResponse, e as EvaluatePreflightResponse, V as VerifyPermitRequest, f as VerifyPermitResponse, D as DeployGateRequest, g as DeployGateResponse, h as RevokePermitRequest, i as RevokePermitResponse, j as RevokePermitByIdInput, k as RevokePermitByIdResponse, l as VerifyPermitByIdResponse, G as GetPermitResponse, m as PermitValidResponse, L as ListPermitsRequest, n as ListPermitsResponse, o as ApiKeySelfResponse, p as AuditEventsQuery, q as AuditEventsResult, r as AuditExportRequest, s as AuditExportResult, S as StreamOptions, t as StreamEvent, b as ProtectRequest, P as Permit, a as AtlaSentError, u as protect, v as deployGate, w as configure, A as AtlaSentDeniedError } from './protect-DiRVfVLq.js';
+export { x as AtlaSentDecision, y as AtlaSentDeniedErrorInit, z as AtlaSentErrorCode, B as AtlaSentErrorInit, C as AtlaSentEscalateError, F as AtlaSentEscalateErrorInit, H as AuditDecision, I as AuditEvent, J as AuditEventsPage, K as AuditExport, M as AuditExportSignatureStatus, N as ConfigureOptions, O as ConstraintTrace, Q as ConstraintTracePolicy, T as ConstraintTraceStage, U as DEFAULT_RETRY_POLICY, W as DEPLOYMENT_PRODUCTION_ACTION, X as DEPLOY_GATE_CODES, Y as Decision, Z as DecisionCanonical, _ as DeployGateContext, $ as DeployGateDenyCode, a0 as DeployGateEvidence, a1 as DeployOverrideClaim, a2 as DeployPermitClaim, a3 as EvaluateResponsePermit, a4 as PRODUCTION_DEPLOY_ACTION, a5 as PermitOutcome, a6 as PermitRecord, a7 as PermitRevoked, a8 as PermitStatus, a9 as RetryPolicy, aa as StreamDecisionEvent, ab as StreamParseError, ac as StreamProgressEvent, ad as StreamTimeoutError, ae as computeBackoffMs, af as hasAttemptsLeft, ag as isRetryable, ah as mergePolicy, ai as normalizePermitOutcome } from './protect-DiRVfVLq.js';
 import { webcrypto } from 'node:crypto';
-import { p as protect, c as configure, a as AtlaSentError, A as AtlaSentDeniedError } from './protect-BKxcoR_2.js';
-export { d as AtlaSentDecision, e as AtlaSentDeniedErrorInit, f as AtlaSentErrorCode, g as AtlaSentErrorInit, C as ConfigureOptions, P as Permit, b as ProtectRequest } from './protect-BKxcoR_2.js';
 
 /**
- * Shared audit wire types — the `/v1/audit/*` HTTP surface.
+ * Dual-shape input bridge for the v2.0.0 wire format change.
  *
- * Source of truth: `atlasent-api/supabase/functions/v1-audit/index.ts`
- * (the edge function that serves `GET /v1/audit/events`,
- * `POST /v1/audit/exports`, and `POST /v1/audit/verify`). The docstring
- * at the top of that file describes these shapes. Keep this module in
- * lockstep with it; `test/audit-types.test.ts` contains type-level
- * assertions against the field set to make drift obvious.
+ * The v2.0.0 wire format renamed the evaluate request fields:
+ *   OLD: { action, agent, context, api_key }
+ *   NEW: { action_type, actor_id, context }
  *
- * Fields are snake_case because that is what the server emits on the
- * wire — unlike the evaluate / verify-permit types in `./types.ts`,
- * which use camelCase on the SDK side and translate at the client
- * boundary, the audit surface is intentionally wire-identical so that
- * signed export bundles round-trip byte-for-byte through verifiers.
+ * And the response fields:
+ *   OLD: { permitted, decision_id }
+ *   NEW: { decision, permit_token }
+ *
+ * TypeScript callers on the old v1.x request shape receive a
+ * deprecation warning and are transparently upgraded to the new
+ * shape. The response compat bridge normalises the legacy
+ * `permitted` boolean to `decision === "allow"`.
+ *
+ * Both shims will be removed in v3.0.0.
+ */
+/** Legacy v1.x evaluate request shape. */
+interface LegacyEvaluateRequest {
+    action?: string;
+    agent?: string;
+    context?: Record<string, unknown>;
+}
+/** v2.0 evaluate request shape (canonical wire format). */
+interface V2EvaluateRequest {
+    action_type: string;
+    actor_id: string;
+    context?: Record<string, unknown>;
+}
+/**
+ * Normalise an evaluate request from either the legacy v1.x shape
+ * (`action` / `agent`) or the current v2.0 shape (`action_type` /
+ * `actor_id`) into the canonical v2.0 wire format.
+ *
+ * When the legacy shape is detected a `console.warn` deprecation
+ * notice is emitted once per call-site process lifetime. The shim
+ * will be removed in v3.0.0.
+ */
+declare function normalizeEvaluateRequest(input: LegacyEvaluateRequest | V2EvaluateRequest): V2EvaluateRequest;
+/**
+ * Legacy v1.x evaluate response shape returned by older server
+ * deployments.
  */
-/** Policy decision enum used on `audit_events.decision`. */
-type AuditDecision = 'allow' | 'deny' | 'hold' | 'escalate';
+interface LegacyEvaluateResponse {
+    permitted?: boolean;
+    decision_id?: string;
+    reason?: string;
+    audit_hash?: string;
+    timestamp?: string;
+}
+/** v2.0 evaluate response shape (canonical wire format). */
+interface V2EvaluateResponse {
+    decision: 'allow' | 'deny' | 'hold' | 'escalate';
+    permit_token?: string;
+    request_id?: string;
+    expires_at?: string;
+    denial?: {
+        reason?: string;
+        code?: string;
+    };
+}
 /**
- * Signing status reported on an export bundle. "signed" is the normal
- * path; "unsigned" means the deployment has no active signing key;
- * "signing_failed" means a key is configured but signing errored and
- * the export was returned anyway (the signature is an empty string).
+ * Normalise an evaluate response from either the legacy v1.x shape
+ * (`permitted` / `decision_id`) or the current v2.0 shape
+ * (`decision` / `permit_token`) into the canonical v2.0 wire format.
+ *
+ * Used internally by the client to tolerate older atlasent-api
+ * deployments without surfacing the impedance mismatch to callers.
  */
-type AuditExportSignatureStatus = 'signed' | 'unsigned' | 'signing_failed';
+declare function normalizeEvaluateResponse(wire: LegacyEvaluateResponse | V2EvaluateResponse): V2EvaluateResponse;
+
 /**
- * One persisted row from `audit_events`, as returned by
- * `GET /v1/audit/events` and embedded inside `AuditExport.events`.
+ * Human-in-the-loop (HITL) types — wire shape for `/v1/hitl/*`.
  *
- * `decision` is nullable because not every event is an evaluation —
- * CRUD-style audit writes (e.g. `policy.updated`) omit it. All other
- * nullable fields follow the same "field doesn't apply to this event
- * type" convention rather than "unknown value".
+ * Mirrors `supabase/functions/_shared/hitl-policy.ts` and the
+ * `hitl_escalations` row shape after migration 20260507060000.
+ * Treat as wire-types only: do not embed business logic that the
+ * server-side resolver owns (quorum math, status transitions).
  */
-interface AuditEvent {
-    /** Event UUID. Stable; surfaces as `tampered_event_ids` on verify failure. */
+type HitlQuorumTier = "single_approver" | "simple_majority" | "two_thirds" | "unanimous";
+type HitlStatus = "pending" | "escalated" | "approved" | "rejected" | "auto_approved" | "timed_out";
+type HitlFallbackDecision = "reject" | "approve";
+interface HitlQuorumProgress {
+    required: number;
+    approved: number;
+    rejected: number;
+    remaining: number;
+    satisfied: boolean;
+    rejected_terminal: boolean;
+}
+interface HitlEscalation {
     id: string;
-    /** Organization this event belongs to. */
     org_id: string;
-    /** Per-org monotonic sequence. Used as the pagination cursor's payload. */
-    sequence: number;
-    /** Event type tag (e.g. "evaluate.allow", "policy.updated"). */
-    type: string;
-    /** Policy decision when the event is an evaluation; `null` otherwise. */
-    decision: AuditDecision | null;
-    /** Actor id (user / API key / agent) when applicable. */
+    agent_id: string;
+    sandbox_run_id: string | null;
+    status: HitlStatus;
+    escalation_reason: string;
+    proposed_action: Record<string, unknown> | null;
+    risk_score: number | null;
+    assigned_to_user_id: string | null;
+    assigned_to_role: string | null;
+    resolved_by: string | null;
+    resolution_note: string | null;
+    auto_approved_reason: string | null;
+    resolved_at: string | null;
+    timeout_at: string | null;
+    created_at: string;
+    quorum_required: HitlQuorumTier;
+    min_approvers: number;
+    approver_pool_size: number;
+    escalation_depth: number;
+    max_escalation_depth: number;
+    fallback_decision: HitlFallbackDecision;
+    governance_advisory_id: string | null;
+    expired_reason: "sla_expired" | "escalation_chain_exhausted" | "manual_expire" | null;
+    /**
+     * Arbitrary key/value metadata attached at creation time.
+     * `null` when none was provided.
+     */
+    metadata: Record<string, unknown> | null;
+    quorum_progress?: HitlQuorumProgress;
+    approver_pool?: HitlApproverPoolEntry[];
+    quorum_threshold?: number | null;
+    ai_unavailable_fallback?: HitlAiUnavailableFallback;
+    fallback_human_role?: string | null;
+    pool_unavailable_at?: string | null;
+    /** Populated when the server attaches a heterogeneous-quorum tally. */
+    heterogeneous_tally?: HitlHeterogeneousQuorumTally;
+}
+interface HitlApprovalRecord {
+    id: string;
+    user_id: string | null;
+    actor_label: string | null;
+    decision: "approve" | "reject";
+    note: string | null;
+    quorum_at_vote: HitlQuorumTier;
+    created_at: string;
+    /** Which kind of approver cast this vote (default `"human"`). */
+    approver_type?: HitlApproverType;
+}
+interface HitlChainHop {
+    id: string;
+    depth: number;
+    from_user_id: string | null;
+    from_role: string | null;
+    to_user_id: string | null;
+    to_role: string | null;
+    escalated_by: string | null;
+    reason: string | null;
+    created_at: string;
+}
+interface ListHitlEscalationsRequest {
+    status?: HitlStatus;
+    agentId?: string;
+    assignedToUserId?: string;
+    limit?: number;
+    cursor?: string;
+}
+interface ListHitlEscalationsResponse {
+    escalations: HitlEscalation[];
+    total: number;
+    next_cursor?: string;
+}
+/**
+ * Wire shape for `POST /v1/hitl` — open a new escalation.
+ *
+ * The agent-side bridge between a `hold` outcome from `protect()`
+ * and the approval queue. Only `agent_id` and `escalation_reason`
+ * are required; the rest map to defaults configured on the
+ * server-side policy. Pass `approver_pool` to use the heterogeneous
+ * N-of-M extension instead of the homogeneous quorum tier.
+ */
+interface HitlCreateRequest {
+    agent_id: string;
+    escalation_reason: string;
+    sandbox_run_id?: string;
+    proposed_action?: Record<string, unknown>;
+    risk_score?: number;
+    assigned_to_user_id?: string;
+    assigned_to_role?: string;
+    quorum_required?: HitlQuorumTier;
+    min_approvers?: number;
+    approver_pool_size?: number;
+    max_escalation_depth?: number;
+    fallback_decision?: HitlFallbackDecision;
+    timeout_at?: string;
+    governance_advisory_id?: string;
+    approver_pool?: HitlApproverPoolEntry[];
+    quorum_threshold?: number;
+    ai_unavailable_fallback?: HitlAiUnavailableFallback;
+    fallback_human_role?: string;
+    /** Arbitrary key/value metadata to attach to the escalation record. */
+    metadata?: Record<string, unknown>;
+}
+interface HitlApproveRequest {
+    note?: string;
+}
+interface HitlRejectRequest {
+    note?: string;
+}
+interface HitlEscalateRequest {
+    to_role?: string;
+    to_user_id?: string;
+    reason?: string;
+}
+/**
+ * Wire shape for `POST /v1/escalations/:id/respond` — cast a vote on an
+ * existing escalation. Mirrors the `RespondBody` schema in
+ * atlasent-control-plane `api/src/routes/hitl.ts`.
+ */
+interface HitlRespondRequest {
+    /** The approver's decision. */
+    decision: "approve" | "reject";
+    /** Optional human-readable note attached to the approval record. */
+    note?: string;
+}
+/**
+ * Translate a quorum tier and approver-pool size to the minimum
+ * number of `approve` votes required to resolve the escalation.
+ *
+ * Mirrors the canonical `requiredApproverCount()` in
+ * atlasent-api `_shared/hitl-policy.ts` and the SQL
+ * `public.hitl_required_approver_count()` helper. Provided here so
+ * SDK consumers can render a "you are the Nth of M approvers" hint
+ * without a server round-trip; the authoritative count still comes
+ * from the server's `quorum_progress` payload.
+ */
+declare function hitlRequiredApproverCount(quorum: HitlQuorumTier, poolSize: number): number;
+type HitlApproverType = "human" | "ai_supervisor" | "automated_compliance" | "hardware_signer" | "service_account";
+type HitlAiUnavailableFallback = "escalate_to_human" | "reduce_pool" | "fail_closed";
+interface HitlApproverPoolEntry {
+    type: HitlApproverType;
+    principal_id: string;
+    role?: string;
+    weight?: number;
+    required?: boolean;
+    /** Marker for slots inserted by the AI-unavailable fallback. */
+    origin?: string;
+}
+interface HitlHeterogeneousQuorumExtension {
+    approver_pool: HitlApproverPoolEntry[];
+    quorum_threshold: number | null;
+    ai_unavailable_fallback: HitlAiUnavailableFallback;
+    fallback_human_role: string | null;
+    pool_unavailable_at: string | null;
+}
+interface HitlHeterogeneousQuorumTally {
+    pool_size: number;
+    effective_pool_size: number;
+    required_threshold: number;
+    approve_count: number;
+    reject_count: number;
+    unavailable_count: number;
+    /** Per-approver-type breakdown: `{ ai_supervisor: { approve: 1, reject: 0 } }` */
+    by_type: Record<HitlApproverType, {
+        approve: number;
+        reject: number;
+    }>;
+    meets_threshold: boolean;
+    any_required_reject: boolean;
+    any_required_missing: boolean;
+}
+/**
+ * Detail response returned by `GET /v1/escalations/:id`.
+ *
+ * Mirrors `HitlDetailResponse` in atlasent-control-plane
+ * `api/src/schemas/hitl.ts`.
+ */
+interface HitlDetailResponse {
+    escalation: HitlEscalation;
+    approval_records: HitlApprovalRecord[];
+}
+/**
+ * Paginated list response returned by `GET /v1/escalations`.
+ *
+ * Mirrors `HitlListResponse` in atlasent-control-plane
+ * `api/src/schemas/hitl.ts`.
+ */
+interface HitlListResponse {
+    escalations: HitlEscalation[];
+    total: number;
+    next_cursor: string | null;
+}
+
+/**
+ * Governance graph types: named query results, graph node/edge shapes.
+ *
+ * Mirrors the `query_governance_graph()` SQL function dispatched by
+ * `GET /v1/governance/graph/query?type=<query_type>`.
+ */
+
+/**
+ * Named traversal queries dispatched by `query_governance_graph()`.
+ *
+ * | Type | Returns |
+ * |---|---|
+ * | `production_deployers` | Actors with `executed_in → environment=production` edges |
+ * | `execution_approvers` | Actors as targets of `approved_by` edges |
+ * | `quorum_bypass_connectors` | Connector nodes with outbound `violates` edges |
+ * | `emergency_override_actions` | Execution nodes with `metadata.used_override = true` |
+ * | `connected_systems` | Connector/service/external-system nodes with `connected_to`/`synced_from` edges |
+ * | `user_approvals` | `approved_by` edges where target `external_id = params.actor_id` (requires `actor_id` param) |
+ */
+type GovernanceGraphQueryType = "production_deployers" | "execution_approvers" | "quorum_bypass_connectors" | "emergency_override_actions" | "connected_systems" | "user_approvals";
+/**
+ * Node type values from the `graph_node_type` DB enum.
+ * Additional values may be introduced server-side; treat as open.
+ */
+type GraphNodeType = "execution" | "permit" | "incident" | "connector" | "service" | "external_system" | "actor" | "policy" | "environment" | (string & Record<never, never>);
+/**
+ * Edge type values from the `graph_edge_type` DB enum.
+ * Additional values may be introduced server-side; treat as open.
+ */
+type GraphEdgeType = "governed_by" | "incident_involves" | "synced_from" | "approved_by" | "executed_in" | "violates" | "connected_to" | (string & Record<never, never>);
+/** Full graph node row returned by `GET /v1/governance/graph`. */
+interface GraphNode {
+    id: string;
+    org_id: string;
+    node_type: GraphNodeType;
+    external_id: string | null;
+    metadata: Record<string, unknown>;
+    created_at: string;
+    updated_at: string;
+}
+/** Full graph edge row returned by `GET /v1/governance/graph/edges`. */
+interface GraphEdge {
+    id: string;
+    org_id: string;
+    edge_type: GraphEdgeType;
+    source_node_id: string;
+    target_node_id: string;
+    metadata: Record<string, unknown>;
+    created_at: string;
+}
+/** Row returned by `query_type = "production_deployers"`. */
+interface ProductionDeployerRow {
+    node_id: string;
+    actor_id: string | null;
+    exec_count: number;
+    last_seen: string | null;
+}
+/** Row returned by `query_type = "execution_approvers"`. */
+interface ExecutionApproverRow {
+    node_id: string;
+    actor_id: string | null;
+    approval_count: number;
+}
+/** Row returned by `query_type = "quorum_bypass_connectors"`. */
+interface QuorumBypassConnectorRow {
+    node_id: string;
+    connector_id: string | null;
+    violation_count: number;
+}
+/** Row returned by `query_type = "emergency_override_actions"`. */
+interface EmergencyOverrideActionRow {
+    node_id: string;
+    execution_id: string | null;
+    actor_id: string | null;
+    timestamp: string | null;
+}
+/** Row returned by `query_type = "connected_systems"`. */
+interface ConnectedSystemRow {
+    node_id: string;
+    system_id: string | null;
+    node_type: GraphNodeType;
+    edge_type: GraphEdgeType;
+}
+/** Row returned by `query_type = "user_approvals"`. */
+interface UserApprovalRow {
+    edge_id: string;
+    source_node_id: string;
+    created_at: string;
+}
+/**
+ * Conditional type mapping each {@link GovernanceGraphQueryType} to its
+ * per-row result shape. Use as `GovernanceGraphResultRow<"production_deployers">`.
+ */
+type GovernanceGraphResultRow<T extends GovernanceGraphQueryType = GovernanceGraphQueryType> = T extends "production_deployers" ? ProductionDeployerRow : T extends "execution_approvers" ? ExecutionApproverRow : T extends "quorum_bypass_connectors" ? QuorumBypassConnectorRow : T extends "emergency_override_actions" ? EmergencyOverrideActionRow : T extends "connected_systems" ? ConnectedSystemRow : T extends "user_approvals" ? UserApprovalRow : Record<string, unknown>;
+/**
+ * Optional parameters for `queryGovernanceGraph()`.
+ *
+ * `actor_id` is required when `query_type = "user_approvals"`.
+ */
+interface GovernanceGraphQueryParams {
+    actor_id?: string;
+}
+/** Response from {@link AtlaSentClient.queryGovernanceGraph}. */
+interface GovernanceGraphQueryResponse<T extends GovernanceGraphQueryType = GovernanceGraphQueryType> {
+    query_type: T;
+    results: GovernanceGraphResultRow<T>[];
+    org_id: string;
+    rateLimit: RateLimitState | null;
+}
+/** Response from `listGraphNodes()`. */
+interface ListGraphNodesResponse {
+    nodes: GraphNode[];
+    total: number;
+    nextCursor?: string;
+    rateLimit: RateLimitState | null;
+}
+/** Response from `listGraphEdges()`. */
+interface ListGraphEdgesResponse {
+    edges: GraphEdge[];
+    total: number;
+    nextCursor?: string;
+    rateLimit: RateLimitState | null;
+}
+/** Input for `createGraphNode()`. */
+interface CreateGraphNodeInput {
+    node_type: GraphNodeType;
+    external_id?: string;
+    metadata?: Record<string, unknown>;
+}
+/** Input for `createGraphEdge()`. */
+interface CreateGraphEdgeInput {
+    edge_type: GraphEdgeType;
+    source_node_id: string;
+    target_node_id: string;
+    metadata?: Record<string, unknown>;
+}
+
+/**
+ * Incident reconstruction types: shapes returned by
+ * `reconstruct_incident_chains_v2()` via
+ * `GET /v1/governance/timeline/incident/{incidentId}`.
+ */
+
+/**
+ * Single execution row returned by `reconstruct_incident_chains_v2()`.
+ *
+ * All §13.1 additive columns are nullable — rows inserted before the
+ * migration have `null` for any field added after their insert.
+ */
+interface IncidentChainExecutionRow {
+    execution_id: string;
     actor_id: string | null;
-    /** Optional resource tag — e.g. "policy". */
-    resource_type: string | null;
-    /** Optional resource id — paired with `resource_type`. */
+    action_id: string | null;
+    /** Broad action category (e.g. `"write"`, `"admin"`). */
+    action_class: string | null;
+    outcome: string | null;
+    started_at: string | null;
+    completed_at: string | null;
+    /** UUID of the delegation chain this execution belongs to. */
+    delegation_chain_id: string | null;
+    /** UUID of the original execution this is a replay of. */
+    replay_of_execution_id: string | null;
+    /** UUID of the incident this execution is linked to (§13.1 column). */
+    incident_id: string | null;
+    /** UUID of the policy version pinned at evaluate() time. */
+    policy_version_id: string | null;
+    /** UUID of the bundle version pinned at evaluate() time. */
+    bundle_version_id: string | null;
+    decision_id: string | null;
+    subject_id: string | null;
     resource_id: string | null;
-    /** Canonical JSON of the event payload. Hashed into `hash`. */
-    payload: Record<string, unknown> | null;
-    /** SHA-256(prev_hash || canonicalJSON(payload)), hex. */
-    hash: string;
-    /** Previous event's `hash` (genesis is `"0".repeat(64)`). */
-    previous_hash: string;
-    /** When the underlying action occurred (ISO 8601). */
+    /** Structured deny/abort code (e.g. `"policy_deny"`, `"quorum_failed"`). */
+    outcome_reason: string | null;
+    parent_execution_id: string | null;
+}
+/** Per-actor summary within the reconstructed incident chain. */
+interface IncidentChainActorEntry {
+    actor_id: string;
+    execution_ids: string[];
+    execution_count: number;
+}
+/** Evidence row bound to the incident chain (shape is open/forward-compat). */
+type IncidentChainEvidenceRow = Record<string, unknown>;
+/**
+ * Full response from `GET /v1/governance/timeline/incident/{incidentId}`.
+ *
+ * Backed by `reconstruct_incident_chains_v2()` which fixes the
+ * `executor_id → actor_id` bug that caused silent empty timelines
+ * in the v1 function.
+ */
+interface IncidentTimelineResponse {
+    incident_id: string;
+    /** All execution rows in the incident, newest first. */
+    execution_rows: IncidentChainExecutionRow[];
+    /** Per-actor rollup: which executions each actor was responsible for. */
+    actor_timeline: IncidentChainActorEntry[];
+    /** Evidence rows bound to this incident's chain. */
+    evidence: IncidentChainEvidenceRow[];
+    rateLimit: RateLimitState | null;
+}
+
+/**
+ * Connector management types: connector lifecycle, credential security,
+ * enforcement policies, audit log, and sync state.
+ *
+ * Mirrors the `v1-connectors`, `v1-connector-enforcement` edge functions
+ * and associated DB tables (connector_credentials, connector_enforcement_policies,
+ * connector_audit_log, connector_sync_state).
+ */
+
+/** Supported external connector types. */
+type ConnectorType = "github" | "stripe" | "slack" | "salesforce" | "jira" | "okta" | "aws" | "gcp" | "azure" | "ci_cd" | "custom" | (string & Record<never, never>);
+/** Connector lifecycle status. */
+type ConnectorStatus = "pending_install" | "active" | "syncing" | "error" | "revoked";
+/** Full connector row returned by `GET /v1/governance/connectors`. */
+interface ConnectorRow {
+    id: string;
+    org_id: string;
+    connector_type: ConnectorType;
+    name: string;
+    environment: string;
+    status: ConnectorStatus;
+    scopes: string[];
+    config: Record<string, unknown>;
+    last_synced_at: string | null;
+    created_at: string;
+    updated_at: string;
+}
+/** Credential type stored in connector_credentials. */
+type ConnectorCredentialType = "oauth_token" | "api_key" | "webhook_secret" | "service_account" | "mtls_cert";
+/**
+ * Credential metadata row.
+ * `encrypted_value` is never returned in API responses — only metadata is exposed.
+ */
+interface ConnectorCredentialRow {
+    id: string;
+    org_id: string;
+    connector_id: string;
+    credential_type: ConnectorCredentialType;
+    scope: string[];
+    expires_at: string | null;
+    rotated_at: string | null;
+    rotated_by: string | null;
+    revoked_at: string | null;
+    revoked_by: string | null;
+    revoke_reason: string | null;
+    version: number;
+    created_at: string;
+    updated_at: string;
+}
+/** Action a connector enforcement policy can require. */
+type EnforcementAction = "require_permit" | "require_quorum" | "require_approval" | "block" | "audit_only";
+/** Quorum configuration embedded in enforcement policies. */
+interface EnforcementQuorumConfig {
+    min_approvers: number;
+    required_roles?: string[];
+    timeout_minutes?: number;
+}
+/** Single connector enforcement policy row. */
+interface ConnectorEnforcementPolicy {
+    id: string;
+    org_id: string;
+    connector_type: ConnectorType;
+    /** Event type that triggers policy evaluation (e.g. `"push"`, `"deploy"`, `"merge"`). */
+    trigger_event: string;
+    /** Declarative condition evaluated against the event payload. */
+    condition: Record<string, unknown>;
+    required_action: EnforcementAction;
+    quorum_config: EnforcementQuorumConfig | null;
+    /** Environments this policy applies to (e.g. `["production"]`). Empty = all. */
+    environment_scope: string[];
+    enabled: boolean;
+    /** Higher priority policies are evaluated first. */
+    priority: number;
+    created_at: string;
+    updated_at: string;
+}
+/**
+ * Single append-only connector audit log entry from `connector_audit_log`.
+ * Entries are never updated or deleted — only inserted.
+ */
+interface ConnectorAuditLogEntry {
+    id: string;
+    org_id: string;
+    connector_id: string;
+    actor_id: string | null;
+    operation: string;
+    /** `"success"` | `"failure"` | `"blocked"` */
+    outcome: string;
+    detail: Record<string, unknown>;
+    ip_address: string | null;
     occurred_at: string;
-    /** When the row was persisted (ISO 8601). */
+}
+/** Sync state snapshot for a connector (one row per connector_id). */
+interface ConnectorSyncState {
+    id: string;
+    org_id: string;
+    connector_id: string;
+    last_sync_at: string | null;
+    /** `"success"` | `"failure"` | `"running"` | `"skipped"` */
+    last_sync_status: string | null;
+    last_sync_error: string | null;
+    /** Opaque cursor passed to the next incremental sync. */
+    sync_cursor: Record<string, unknown> | null;
+    next_sync_at: string | null;
     created_at: string;
+    updated_at: string;
+}
+/** Input event for connector enforcement evaluation via `v1-connector-enforcement`. */
+interface ConnectorEnforcementEventInput {
+    connector_id: string;
+    event_type: string;
+    actor_id?: string;
+    environment?: string;
+    payload?: Record<string, unknown>;
+}
+/** Result of a connector enforcement evaluation. */
+interface ConnectorEnforcementResult {
+    /** Enforcement decision — fail-closed: defaults to `"block"` on evaluation error. */
+    decision: "permit" | "block" | "require_quorum" | "require_approval" | "audit_only";
+    policy_id: string | null;
+    reason: string;
+    audit_log_id: string | null;
+    rateLimit: RateLimitState | null;
+}
+/** Input for `installConnector()`. */
+interface InstallConnectorInput {
+    connector_type: ConnectorType;
+    name: string;
+    environment: string;
+    scopes?: string[];
+    config?: Record<string, unknown>;
+}
+/** Input for `authenticateConnector()`. The `encrypted_value` must be pre-encrypted by the caller. */
+interface AuthenticateConnectorInput {
+    credential_type: ConnectorCredentialType;
+    /** Pre-encrypted credential value. Never transmit plaintext. */
+    encrypted_value: string;
+    scope?: string[];
+    expires_at?: string;
+}
+/** Input for `upsertEnforcementPolicy()`. */
+interface UpsertEnforcementPolicyInput {
+    connector_type: ConnectorType;
+    trigger_event: string;
+    condition?: Record<string, unknown>;
+    required_action: EnforcementAction;
+    quorum_config?: EnforcementQuorumConfig;
+    environment_scope?: string[];
+    enabled?: boolean;
+    priority?: number;
+}
+/** Response from `listConnectors()`. */
+interface ListConnectorsResponse {
+    connectors: ConnectorRow[];
+    total: number;
+    nextCursor?: string;
+    rateLimit: RateLimitState | null;
+}
+/** Response from `installConnector()`. */
+interface InstallConnectorResponse {
+    connector: ConnectorRow;
+    rateLimit: RateLimitState | null;
+}
+/** Response from `authenticateConnector()`. */
+interface AuthenticateConnectorResponse {
+    credential_id: string;
+    version: number;
+    rateLimit: RateLimitState | null;
+}
+/** Response from `syncConnector()`. */
+interface SyncConnectorResponse {
+    connector_id: string;
+    status: ConnectorStatus;
+    sync_started_at: string;
+    rateLimit: RateLimitState | null;
+}
+/** Response from `revokeConnector()`. */
+interface RevokeConnectorResponse {
+    connector_id: string;
+    revoked_at: string;
+    rateLimit: RateLimitState | null;
 }
+/** Response from `rotateConnectorCredentials()`. */
+interface RotateCredentialsResponse {
+    connector_id: string;
+    new_version: number;
+    rotated_at: string;
+    rateLimit: RateLimitState | null;
+}
+/** Response from `listEnforcementPolicies()`. */
+interface ListEnforcementPoliciesResponse {
+    policies: ConnectorEnforcementPolicy[];
+    total: number;
+    rateLimit: RateLimitState | null;
+}
+/** Response from `upsertEnforcementPolicy()`. */
+interface UpsertEnforcementPolicyResponse {
+    policy: ConnectorEnforcementPolicy;
+    rateLimit: RateLimitState | null;
+}
+
 /**
- * Response shape for `GET /v1/audit/events`.
+ * Organizational risk graph types: 5-dimension risk scoring and
+ * recompute trigger shapes.
  *
- * `total` is the filter's full count (not just this page) so callers
- * can show "page 1 of N" without an extra HEAD request.
+ * Mirrors `v1-risk-graph` (compute_org_risk / get_latest_org_risk ops)
+ * and the `organizational_risk_scores` DB table.
+ */
+
+/**
+ * Bucketed risk level derived from `overall_score`.
+ *
+ * | Level | Score range |
+ * |---|---|
+ * | `"low"` | 0–30 |
+ * | `"medium"` | 31–60 |
+ * | `"high"` | 61–85 |
+ * | `"critical"` | 86–100 |
+ */
+type OrgRiskLevel = "low" | "medium" | "high" | "critical";
+/**
+ * Full organizational risk score from `organizational_risk_scores`.
  *
- * `next_cursor` is an opaque base64url string. Pass it back verbatim
- * as `?cursor=...` to fetch the next page. Absent when this is the
- * last page.
+ * All sub-scores are 0–100 (higher = more risk). `overall_score` is a
+ * weighted composite of the five dimensions; weights are internal and
+ * may change between releases without a breaking-change notice.
+ */
+interface OrgRiskScore {
+    id: string;
+    org_id: string;
+    /** Composite risk score 0–100. */
+    overall_score: number;
+    risk_level: OrgRiskLevel;
+    /** Actor-level risk: recent overrides, blocked actions by specific actors. */
+    actor_risk_score: number;
+    /** Connector-level risk: revoked/errored connectors, failed sync cycles. */
+    connector_risk_score: number;
+    /** Gap between what enforcement policies require and what connectors actually enforce. */
+    enforcement_gap_score: number;
+    /** Normalized frequency of incidents within the scoring window. */
+    incident_frequency_score: number;
+    /** Rate of permits that were overridden relative to total permits issued. */
+    override_rate_score: number;
+    /** Actor IDs flagged as high-risk within the window. */
+    risky_actors: string[];
+    /** Connector IDs flagged as high-risk within the window. */
+    risky_systems: string[];
+    /** Execution IDs with repeated overrides in the window. */
+    repeated_overrides: string[];
+    /** Days of activity included in this score computation. */
+    window_days: number;
+    computed_at: string;
+    created_at: string;
+}
+/** Options for triggering an org risk recompute. */
+interface ComputeOrgRiskOptions {
+    /** Activity window in days (server default: 30). */
+    window_days?: number;
+}
+/** Response from `computeOrgRisk()`. */
+interface ComputeOrgRiskResponse {
+    score: OrgRiskScore;
+    rateLimit: RateLimitState | null;
+}
+/**
+ * Response from `getLatestOrgRisk()`.
+ * `score` is `null` if no risk computation has been run yet for the org.
  */
-interface AuditEventsPage {
-    events: AuditEvent[];
+interface GetLatestOrgRiskResponse {
+    score: OrgRiskScore | null;
+    rateLimit: RateLimitState | null;
+}
+/** Response from `listOrgRiskHistory()`. */
+interface ListOrgRiskHistoryResponse {
+    scores: OrgRiskScore[];
     total: number;
-    next_cursor?: string;
+    nextCursor?: string;
+    rateLimit: RateLimitState | null;
 }
+
 /**
- * Query parameters accepted by `GET /v1/audit/events`. Serialize as
- * URL search params — `types` is a comma-joined list on the wire
- * (e.g. `types=evaluate.allow,policy.updated`).
+ * Cross-Org Permission Negotiation.
  *
- * All fields are optional; the server defaults `limit` to 50 and caps
- * it at 500.
+ * Evaluates whether an identity in one organization is permitted to
+ * perform an action on resources owned by another organization.
+ * Resolves trust paths, conditions, and cross-org trust levels.
+ *
+ * Wire-stable as `cross_org_permission.v1`.
  */
-interface AuditEventsQuery {
-    /** Comma-joined list of event types to filter on. */
-    types?: string;
-    /** Filter to a single actor. */
-    actor_id?: string;
-    /** Inclusive lower bound on `occurred_at` (ISO 8601). */
-    from?: string;
-    /** Inclusive upper bound on `occurred_at` (ISO 8601). */
-    to?: string;
-    /** Page size. Default 50, min 1, max 500. */
+/** A single hop in the cross-org trust path. */
+interface CrossOrgTrustHop {
+    org_id: string;
+    trust_type: string;
+    trust_level: string;
+}
+/** Request payload for a cross-org permission check. */
+interface CrossOrgPermissionCheckRequest {
+    source_org_id: string;
+    target_org_id: string;
+    identity_id?: string;
+    action: string;
+    resource_type?: string;
+    resource_id?: string;
+}
+/** Result of a cross-org permission evaluation. */
+interface CrossOrgPermissionCheckResult {
+    check_id: string;
+    allowed: boolean;
+    reason: string;
+    trust_path: Array<CrossOrgTrustHop>;
+    conditions: string[];
+    checked_at: string;
+}
+/** Parameters for listing previous cross-org permission checks. */
+interface CrossOrgPermissionCheckListParams {
+    source_org_id?: string;
+    target_org_id?: string;
+    allowed?: boolean;
     limit?: number;
-    /** Opaque cursor returned as `next_cursor` by the prior page. */
-    cursor?: string;
 }
 /**
- * Response shape for `POST /v1/audit/exports` — a signed bundle of
- * audit events suitable for offline verification.
+ * Summarize whether a cross-org check result is unconditionally allowed,
+ * conditionally allowed, or denied.
+ */
+declare function summarizeCrossOrgPermission(result: CrossOrgPermissionCheckResult): "allowed" | "conditional" | "denied";
+
+/**
+ * Anomaly Response Automation.
  *
- * `signature` is detached Ed25519 over `signedBytesFor(bundle)` (see
- * `./auditBundle.ts`). An empty string means the server attempted to
- * sign but failed; check `signature_status` to distinguish.
+ * Rules-driven automated responses to governance anomalies detected
+ * during agent execution. Supports freezing agents, creating incidents,
+ * notifying administrators, requiring human-in-the-loop review,
+ * rolling back executions, and escalating to regulators.
  *
- * `tampered_event_ids` surfaces rows whose recomputed hash doesn't
- * match the stored hash — even when `chain_integrity_ok` is false,
- * the signature still covers whatever the server emitted, so callers
- * that trust the signature must still inspect this list.
+ * Wire-stable as `anomaly_response.v1`.
  */
-interface AuditExport {
-    /** Server-assigned UUID for this export. */
-    export_id: string;
-    /** Organization the bundle belongs to. */
+/** The automated action type to take when an anomaly rule triggers. */
+type AnomalyActionType = "freeze_agent" | "create_incident" | "notify_admin" | "require_hitl" | "rollback_execution" | "escalate_to_regulator";
+/** A rule that triggers an automated response when an anomaly threshold is crossed. */
+interface AnomalyResponseRule {
+    id: string;
     org_id: string;
-    /** Events in canonical (ascending sequence) order. */
-    events: AuditEvent[];
-    /** Last event's `hash`, or `"0".repeat(64)` if `events` is empty. */
-    chain_head_hash: string;
-    /** `true` iff adjacency + re-hash succeeded for every event. */
-    chain_integrity_ok: boolean;
-    /** `AuditEvent.id`s whose recomputed hash != stored hash. */
-    tampered_event_ids: string[];
-    /** Detached Ed25519 signature (base64url). Empty string on sign failure. */
-    signature: string;
-    /** Outcome of the signing attempt. */
-    signature_status: AuditExportSignatureStatus;
-    /** Registry id of the key that signed — absent when unsigned. */
-    signing_key_id?: string;
-    /** When the bundle was signed (ISO 8601). */
-    signed_at: string;
+    name: string;
+    description?: string;
+    anomaly_score_threshold: number;
+    action_type: AnomalyActionType;
+    action_config: Record<string, unknown>;
+    is_active: boolean;
+    created_at: string;
+    updated_at: string;
+}
+/** A record of an anomaly response that was triggered. */
+interface AnomalyResponseEvent {
+    id: string;
+    rule_id: string;
+    execution_id: string;
+    org_id: string;
+    anomaly_score: number;
+    action_type: AnomalyActionType;
+    action_result: Record<string, unknown>;
+    triggered_at: string;
+}
+/** Request body for creating a new anomaly response rule. */
+interface CreateAnomalyResponseRuleRequest {
+    name: string;
+    description?: string;
+    anomaly_score_threshold: number;
+    action_type: AnomalyActionType;
+    action_config?: Record<string, unknown>;
+}
+/** Request body for manually triggering an anomaly response check. */
+interface TriggerAnomalyResponseRequest {
+    execution_id: string;
+    anomaly_score: number;
+    context?: Record<string, unknown>;
+}
+/**
+ * Determine which rules from a set would trigger for a given anomaly score.
+ * Returns only active rules whose threshold is met or exceeded.
+ */
+declare function matchAnomalyRules(rules: readonly AnomalyResponseRule[], anomalyScore: number): AnomalyResponseRule[];
+/**
+ * Determine the most severe action type from a set of triggered rules.
+ * Severity order (highest first):
+ *   escalate_to_regulator > rollback_execution > freeze_agent >
+ *   require_hitl > create_incident > notify_admin
+ */
+declare function highestSeverityAction(rules: readonly AnomalyResponseRule[]): AnomalyActionType | null;
+
+/**
+ * Budget Exception Workflows.
+ *
+ * Structured request-and-approval process for temporary exceptions
+ * to budget policy limits. Supports creation, review, approval,
+ * rejection, and cancellation lifecycles with full audit trails.
+ *
+ * Wire-stable as `budget_exceptions.v1`.
+ */
+/** Lifecycle status of a budget exception request. */
+type BudgetExceptionStatus = "pending" | "under_review" | "approved" | "rejected" | "expired" | "cancelled";
+/** A formal request for a temporary exception to a budget policy limit. */
+interface BudgetExceptionRequest {
+    id: string;
+    org_id: string;
+    budget_policy_id?: string;
+    requested_by: string;
+    amount_requested: number;
+    currency: string;
+    reason: string;
+    justification?: string;
+    business_impact?: string;
+    status: BudgetExceptionStatus;
+    reviewed_by?: string;
+    reviewed_at?: string;
+    review_notes?: string;
+    effective_from?: string;
+    effective_until?: string;
+    approved_amount?: number;
+    conditions: string[];
+    created_at: string;
+    updated_at: string;
+}
+/** Request body for creating a new budget exception request. */
+interface CreateBudgetExceptionRequest {
+    budget_policy_id?: string;
+    amount_requested: number;
+    currency?: string;
+    reason: string;
+    justification?: string;
+    business_impact?: string;
+    effective_from?: string;
+    effective_until?: string;
+}
+/** Request body for approving a budget exception. */
+interface ApproveBudgetExceptionRequest {
+    review_notes?: string;
+    approved_amount: number;
+    conditions?: string[];
+    effective_from?: string;
+    effective_until?: string;
+}
+/**
+ * Returns true when an approved exception is currently in effect.
+ * An exception is in effect when:
+ *   - status is "approved"
+ *   - current time is within [effective_from, effective_until]
+ */
+declare function isBudgetExceptionActive(exception: BudgetExceptionRequest, now?: Date): boolean;
+/**
+ * Returns true when a budget exception request is in a terminal state
+ * (no further transitions are possible).
+ */
+declare function isBudgetExceptionTerminal(status: BudgetExceptionStatus): boolean;
+
+/**
+ * Regulatory Escalation Chain.
+ *
+ * Hierarchical escalation infrastructure for routing governance issues
+ * through defined authority levels. Supports multi-jurisdiction
+ * regulatory chains with SLA tracking and resolution workflows.
+ *
+ * Wire-stable as `regulatory_escalation.v1`.
+ */
+/**
+ * A defined level in the regulatory authority hierarchy.
+ * Levels are ordered numerically — lower numbers = lower authority.
+ */
+interface RegulatoryAuthorityLevel {
+    id: string;
+    org_id: string;
+    name: string;
+    level: number;
+    description?: string;
+    parent_level_id?: string;
+    jurisdiction?: string;
+    escalation_sla_hours: number;
+    created_at: string;
+}
+/** Lifecycle status of a regulatory escalation. */
+type RegulatoryEscalationStatus = "pending" | "acknowledged" | "under_review" | "resolved" | "overridden";
+/** A formal escalation between two regulatory authority levels. */
+interface RegulatoryEscalation {
+    id: string;
+    org_id: string;
+    from_level_id: string;
+    to_level_id: string;
+    subject_type: string;
+    subject_id: string;
+    reason: string;
+    details: Record<string, unknown>;
+    status: RegulatoryEscalationStatus;
+    escalated_by: string;
+    acknowledged_by?: string;
+    acknowledged_at?: string;
+    resolved_by?: string;
+    resolved_at?: string;
+    resolution?: string;
+    resolution_details?: Record<string, unknown>;
+    created_at: string;
+    updated_at: string;
+}
+/** Request body for creating a new regulatory escalation. */
+interface CreateRegulatoryEscalationRequest {
+    from_level_id: string;
+    to_level_id: string;
+    subject_type: string;
+    subject_id: string;
+    reason: string;
+    details?: Record<string, unknown>;
+}
+/**
+ * Returns true when a regulatory escalation is in a terminal state.
+ */
+declare function isRegulatoryEscalationTerminal(status: RegulatoryEscalationStatus): boolean;
+/**
+ * Determine whether an escalation has breached its SLA.
+ * Compares the SLA hours on the target authority level against the
+ * elapsed time since creation.
+ */
+declare function isEscalationSlaBreached(escalation: RegulatoryEscalation, targetLevel: RegulatoryAuthorityLevel, now?: Date): boolean;
+
+/**
+ * Incentive Signal Feedback Loop.
+ *
+ * Captures how governance actors respond to incentive alignment signals
+ * and tracks outcomes. Feeds back into signal calibration and governance
+ * health scoring over time.
+ *
+ * Wire-stable as `incentive_signal_feedback.v1`.
+ */
+/** The type of action taken in response to a governance signal. */
+type SignalActionType = "accepted" | "dismissed" | "escalated" | "delegated" | "policy_updated" | "training_initiated" | "process_changed" | "monitoring_increased" | "auto_remediated";
+/** A record of an action taken in response to a governance signal. */
+interface GovernanceSignalAction {
+    id: string;
+    signal_id: string;
+    org_id: string;
+    action_type: SignalActionType;
+    action_description?: string;
+    taken_by?: string;
+    taken_at: string;
+    outcome_score?: number;
+    outcome_description?: string;
+    outcome_recorded_at?: string;
+    metadata: Record<string, unknown>;
+}
+/** Request body for recording a new signal action. */
+interface RecordSignalActionRequest {
+    action_type: SignalActionType;
+    action_description?: string;
+    metadata?: Record<string, unknown>;
+}
+/** Request body for recording an outcome on a previous signal action. */
+interface RecordSignalOutcomeRequest {
+    outcome_score: number;
+    outcome_description?: string;
+}
+/** Aggregate summary of signal actions for an organization. */
+interface SignalActionSummary {
+    total_signals: number;
+    acted_on: number;
+    dismissed: number;
+    average_outcome_score: number;
+    by_action_type: Record<SignalActionType, {
+        count: number;
+        avg_outcome: number;
+    }>;
+}
+/**
+ * Compute a simple engagement rate from a signal action summary.
+ * Returns the fraction of signals that received a non-dismissed response.
+ */
+declare function computeSignalEngagementRate(summary: SignalActionSummary): number;
+/**
+ * Determine whether a signal action represents a substantive governance
+ * response (i.e. more than a dismissal or auto-remediation).
+ */
+declare function isSubstantiveSignalResponse(actionType: SignalActionType): boolean;
+
+/**
+ * Cross-Org Impersonation.
+ *
+ * Allows a service account in one organization to impersonate a role in
+ * another organization under explicit, audited grants. Supports bounded
+ * token issuance, grant revocation, and token validation.
+ *
+ * Wire-stable as `cross_org_impersonation.v1`.
+ */
+/** An explicit grant allowing one org's service account to impersonate a role in another org. */
+interface CrossOrgImpersonationGrant {
+    id: string;
+    grantor_org_id: string;
+    grantee_org_id: string;
+    grantee_service_account_id: string;
+    impersonated_role: string;
+    allowed_actions: string[];
+    allowed_resource_types: string[];
+    max_token_duration_seconds: number;
+    is_active: boolean;
+    created_by: string;
+    created_at: string;
+    expires_at?: string;
+    revoked_at?: string;
+}
+/** Request body for creating a new impersonation grant. */
+interface CreateImpersonationGrantRequest {
+    grantee_org_id: string;
+    grantee_service_account_id: string;
+    impersonated_role: string;
+    allowed_actions: string[];
+    allowed_resource_types: string[];
+    max_token_duration_seconds?: number;
+    expires_at?: string;
+}
+/** A short-lived impersonation token issued under a grant. */
+interface ImpersonationToken {
+    token: string;
+    expires_at: string;
+    grant_id: string;
+}
+/** Result of validating an impersonation token. */
+interface ImpersonationValidationResult {
+    valid: boolean;
+    grant?: CrossOrgImpersonationGrant;
+    impersonated_role?: string;
+    allowed_actions?: string[];
+    allowed_resource_types?: string[];
+    error?: string;
+}
+/**
+ * Returns true when an impersonation grant is currently usable:
+ * - is_active is true
+ * - not yet expired
+ * - not revoked
+ */
+declare function isImpersonationGrantUsable(grant: CrossOrgImpersonationGrant, now?: Date): boolean;
+/**
+ * Clamp a requested token duration to the grant's maximum.
+ * Returns the minimum of the requested duration and the grant ceiling.
+ */
+declare function clampTokenDuration(grant: CrossOrgImpersonationGrant, requestedSeconds: number): number;
+
+/**
+ * AtlaSent HTTP client.
+ *
+ * Two public methods, both backed by native `fetch`:
+ *   - {@link AtlaSentClient.evaluate}     → POST {baseUrl}/v1-evaluate
+ *   - {@link AtlaSentClient.verifyPermit} → POST {baseUrl}/v1-verify-permit
+ *
+ * Fail-closed: a clean policy DENY is returned (not thrown), but
+ * network, timeout, bad response, 4xx/5xx, and rate-limit conditions
+ * all throw {@link AtlaSentError}.
+ */
+
+declare class AtlaSentClient {
+    private readonly apiKey;
+    private readonly baseUrl;
+    private readonly timeoutMs;
+    private readonly fetchImpl;
+    private readonly userAgent;
+    private readonly retryPolicy;
+    constructor(options: AtlaSentClientOptions);
+    /**
+     * Ask the policy engine whether an agent action is permitted.
+     *
+     * Accepts either the current v2.0 shape (`action_type` / `actor_id`)
+     * or the legacy v1.x shape (`action` / `agent`). Legacy callers
+     * receive a deprecation warning via `console.warn`; the shim is
+     * handled by {@link normalizeEvaluateRequest} and will be removed
+     * in v3.0.0.
+     *
+     * A "deny" is **not** thrown — it is returned in
+     * `response.decision`. Network errors, invalid API key, rate
+     * limits, timeouts, and malformed responses throw
+     * {@link AtlaSentError}.
+     */
+    evaluate(input: EvaluateRequest | LegacyEvaluateRequest): Promise<EvaluateResponse>;
+    /**
+     * Pre-flight evaluation that always returns the constraint trace.
+     *
+     * Wraps `POST /v1-evaluate?include=constraint_trace`. Use this from
+     * a workflow's submission step to surface trivial defects (missing
+     * fields, wrong roles, mis-set context) BEFORE pushing the request
+     * onto an approval queue — only requests that would actually pass
+     * make it through to a human reviewer.
+     *
+     * Returns an {@link EvaluatePreflightResponse} carrying the regular
+     * {@link EvaluateResponse} plus the {@link ConstraintTrace}. Unlike
+     * {@link evaluate}, this method does NOT mark a non-allow as a
+     * thrown condition — the whole point is to inspect both the outcome
+     * AND the per-policy trace, so the caller branches on
+     * `result.evaluation.decision` and reads `result.constraintTrace`
+     * to render the failing stages.
+     *
+     * The constraint-trace shape mirrors `ConstraintTraceResponse` in
+     * atlasent-api (`packages/types/src/index.ts`). On older
+     * atlasent-api deployments that omit the trace, `constraintTrace`
+     * is `null` rather than throwing — forward-compatible degradation.
+     *
+     * Performance: one extra round-trip on submission. Latency is
+     * comparable to {@link evaluate}; the response body is fuller
+     * (includes the per-stage trace) so the wire payload is larger.
+     * If the caller does not need the trace, prefer {@link evaluate}.
+     */
+    evaluatePreflight(input: EvaluateRequest): Promise<EvaluatePreflightResponse>;
+    /**
+     * Verify that a previously issued permit is still valid.
+     *
+     * @deprecated Use {@link verifyPermitById} — the canonical REST
+     * surface (`POST /v1/permits/{id}/verify`) returns the unified
+     * verification envelope plus the full {@link PermitRecord}, instead
+     * of the legacy `{verified, outcome, permitHash}` shape this method
+     * emits. Will be removed in `@atlasent/sdk@3`.
+     *
+     * A `verified: false` response is **not** thrown — inspect the
+     * returned object. Only transport / server errors throw.
+     */
+    verifyPermit(input: VerifyPermitRequest): Promise<VerifyPermitResponse>;
+    /**
+     * Run the canonical Deploy Gate V1 flow:
+     * evaluate `production.deploy`, verify the issued permit server-side,
+     * and return allow/block plus audit/evidence metadata.
+     *
+     * This helper never treats a signed/offline permit artifact as sufficient
+     * authorization. Execution is allowed only when `POST /v1-evaluate` returns
+     * `decision: "allow"` with a permit AND `POST /v1-verify-permit` returns
+     * `verified: true` / `valid: true`.
+     */
+    deployGate(input?: DeployGateRequest): Promise<DeployGateResponse>;
+    /**
+     * Revoke a previously-issued permit so it can no longer pass
+     * {@link verifyPermit}.
+     *
+     * @deprecated Use {@link revokePermitById} — the canonical REST
+     * surface (`POST /v1/permits/{id}/revoke`) returns the full updated
+     * {@link PermitRecord} with `revoked_at`/`revoked_by`/`revoke_reason`
+     * populated, instead of the legacy `{revoked, permitId}` envelope
+     * this method emits. Will be removed in `@atlasent/sdk@3`.
+     *
+     * Use this when an agent's action is cancelled, superseded, or
+     * determined to be unauthorized after the fact. The revocation is
+     * recorded in the audit log with the optional `reason`.
+     *
+     * Throws {@link AtlaSentError} on transport / auth failures.
+     */
+    revokePermit(input: RevokePermitRequest): Promise<RevokePermitResponse>;
+    /**
+     * Revoke a permit through the canonical REST surface
+     * (`POST /v1/permits/{permitId}/revoke`).
+     *
+     * Returns the full updated {@link PermitRecord} with `status === 'revoked'`
+     * and `revoked_at` / `revoked_by` / `revoke_reason` populated. After
+     * revocation, subsequent verify calls return `410 PERMIT_REVOKED`.
+     *
+     * Idempotent on `409 permit_revoked` for already-revoked permits;
+     * server returns the existing revoked row in that case.
+     *
+     * Throws {@link AtlaSentError} on `404` (permit not in calling org),
+     * `409` (already in a terminal state), `410` (expired before revoke),
+     * or `429` (rate limited).
+     */
+    revokePermitById(permitId: string, input?: RevokePermitByIdInput): Promise<RevokePermitByIdResponse>;
+    /**
+     * Verify a permit through the canonical REST surface
+     * (`POST /v1/permits/{permitId}/verify`).
+     *
+     * Returns the unified verification envelope (`valid`,
+     * `verification_type: 'permit'`, `reason`, `verified_at`, `evidence`)
+     * plus the full {@link PermitRecord} fields preserved at the top
+     * level. The `valid` field is the contract — pin to it.
+     *
+     * A `valid: false` is **not** thrown when the server returns 200 with
+     * a denial reason (matches the verify-shape unification on the wire);
+     * it is thrown on 4xx (`404` not found, `410` expired/consumed).
+     */
+    verifyPermitById(permitId: string): Promise<VerifyPermitByIdResponse>;
+    /**
+     * Get a single permit's full lifecycle state.
+     *
+     * Calls `GET /v1/permits/{permitId}` (the canonical REST surface).
+     * Returns `status`, all timestamps, `revoked_at` / `revoked_by` /
+     * `revoke_reason` (when applicable), and the bound `payload_hash`
+     * / `decision_id`.
+     *
+     * Operator-facing introspection — answers "what state is this permit
+     * in, and why?" without reading audit logs.
+     *
+     * Throws {@link AtlaSentError} on `404` (permit not in calling org)
+     * or `410` (expired before retrieval).
+     */
+    getPermit(permitId: string): Promise<GetPermitResponse>;
+    /**
+     * Poll whether a permit is currently valid.
+     *
+     * Calls `GET /v1/permits/{permitId}/valid` — a lightweight read
+     * returning only the status snapshot optimised for guard heartbeat
+     * polling. Guards with `permitRevalidationIntervalMs` set race this
+     * against `tool.execute()` and throw {@link PermitRevoked} when
+     * `status === "revoked"` arrives.
+     *
+     * Throws {@link AtlaSentError} on transport / auth failures.
+     */
+    checkPermitValid(permitId: string): Promise<PermitValidResponse>;
+    /**
+     * List permits issued to the calling org, most-recently-issued first.
+     *
+     * Calls `GET /v1/permits` (the canonical REST surface). Cursor-paged.
+     * Filters narrow on server side; pagination uses the `created_at`
+     * timestamp opaquely (`nextCursor`).
+     *
+     * Designed for incident review, debugging, and compliance
+     * reconstruction.
+     */
+    listPermits(input?: ListPermitsRequest): Promise<ListPermitsResponse>;
+    /**
+     * Self-introspection: ask the server to describe the API key this
+     * client was constructed with. Returns the key's ID, organization,
+     * environment, scopes, IP allowlist, per-minute rate limit, the
+     * client IP the server observed, and the expiry (if any).
+     *
+     * Never includes the raw key or its hash. Safe to surface in operator
+     * dashboards. Useful for `IP_NOT_ALLOWED` debugging (the server tells
+     * you exactly which IP it saw) and for proactive expiry warnings.
+     *
+     * Throws {@link AtlaSentError} on transport / auth failures — same
+     * taxonomy as {@link AtlaSentClient.evaluate}.
+     */
+    keySelf(): Promise<ApiKeySelfResponse>;
+    /**
+     * List persisted audit events for the authenticated organization
+     * (`GET /v1-audit/events`). Returned rows are wire-identical with
+     * the server: snake_case field names, including `previous_hash` and
+     * the `hash` chain, so the response can be fed straight into the
+     * offline verifier when paired with a signed export.
+     *
+     * `query.types` is a comma-joined list (e.g.
+     * `"evaluate.allow,policy.updated"`). `cursor` is the opaque
+     * `next_cursor` from the prior page. All fields are optional; the
+     * server defaults `limit` to 50 (capped at 500).
+     *
+     * Throws {@link AtlaSentError} on transport / auth failures — same
+     * taxonomy as {@link AtlaSentClient.evaluate}.
+     */
+    listAuditEvents(query?: AuditEventsQuery): Promise<AuditEventsResult>;
+    /**
+     * Request a signed audit export bundle
+     * (`POST /v1-audit/exports`). The returned object is wire-identical
+     * with the server — `signature`, `chain_head_hash`, `events`, and
+     * friends survive untouched so the bundle can be persisted to disk
+     * and handed to the offline verifier (`verifyBundle` /
+     * `verifyAuditBundle`) without any reshaping.
+     *
+     * Pass `filter.types`, `filter.from`, `filter.to`, or `filter.actor_id`
+     * to narrow the export; omit for a full-org bundle. `rateLimit` is
+     * attached alongside the wire fields for observability.
+     *
+     * Throws {@link AtlaSentError} on transport / auth failures — same
+     * taxonomy as {@link AtlaSentClient.evaluate}.
+     */
+    createAuditExport(filter?: AuditExportRequest): Promise<AuditExportResult>;
+    /**
+     * Open a streaming evaluation session against `POST /v1-evaluate-stream`.
+     *
+     * Yields {@link StreamDecisionEvent} and {@link StreamProgressEvent} objects
+     * as the server emits them. The iterator ends cleanly when the server sends
+     * `event: done`; it throws {@link AtlaSentError} on transport errors or when
+     * the server sends `event: error`.
+     *
+     * The final {@link StreamDecisionEvent} (isFinal: true) carries a `permitId`
+     * suitable for passing to {@link verifyPermit} after the stream closes.
+     *
+     * Hardening:
+     * - Throws {@link StreamTimeoutError} when no event arrives within
+     *   `opts.timeoutMs` (default 30 s). Pass `0` to disable.
+     * - Retries up to `opts.maxRetries` times (default 3) with 1 s / 2 s / 4 s
+     *   delays on network drop (before a terminal event). Sends `Last-Event-ID`
+     *   on reconnect when the server has emitted event IDs.
+     * - Throws {@link StreamParseError} on partial / malformed JSON rather than
+     *   crashing with a raw `SyntaxError`.
+     * - Closes cleanly on `event: done` or a decision event with `done: true`.
+     *
+     * ```ts
+     * for await (const event of client.protectStream({ agent, action })) {
+     *   if (event.type === "decision" && event.isFinal) {
+     *     await client.verifyPermit({ permitId: event.permitId });
+     *   }
+     * }
+     * ```
+     */
+    protectStream(input: EvaluateRequest, opts?: StreamOptions): AsyncIterable<StreamEvent>;
+    private post;
+    private get;
+    private request;
+    /**
+     * Open a new HITL escalation. Bridges a `hold` outcome from
+     * `protect()` to the approval queue: an agent that receives a
+     * `hold` decision calls this to enroll the proposed action for
+     * human review. The returned escalation can then be polled with
+     * `getHitlEscalation()` or driven to terminal by
+     * `approveHitlEscalation()` / `rejectHitlEscalation()`.
+     *
+     * Quorum, pool size, fallback decision and routing inherit from
+     * the server-side policy when omitted from `input`.
+     *
+     * Calls `POST /v1/hitl`.
+     */
+    createHitlEscalation(input: HitlCreateRequest): Promise<{
+        escalation: HitlEscalation;
+        rateLimit: RateLimitState | null;
+    }>;
+    /**
+     * List HITL escalations for the calling org. Defaults to
+     * `status=pending`; pass `status` to query other queues
+     * (`escalated`, `approved`, `rejected`, `auto_approved`,
+     * `timed_out`).
+     *
+     * Calls `GET /v1/hitl`.
+     */
+    listHitlEscalations(input?: ListHitlEscalationsRequest): Promise<{
+        data: ListHitlEscalationsResponse;
+        rateLimit: RateLimitState | null;
+    }>;
+    /**
+     * Get a HITL escalation. The server payload includes a live
+     * `quorum_progress` snapshot when the escalation is still open.
+     *
+     * Calls `GET /v1/hitl/:id`.
+     */
+    getHitlEscalation(escalationId: string): Promise<{
+        escalation: HitlEscalation;
+        rateLimit: RateLimitState | null;
+    }>;
+    /**
+     * List per-approver vote rows for an escalation.
+     * Calls `GET /v1/hitl/:id/approvals`.
+     */
+    listHitlApprovals(escalationId: string): Promise<{
+        approvals: HitlApprovalRecord[];
+        rateLimit: RateLimitState | null;
+    }>;
+    /**
+     * List the escalation chain hops for an escalation. Each `/escalate`
+     * call appends one row.
+     * Calls `GET /v1/hitl/:id/chain`.
+     */
+    getHitlChain(escalationId: string): Promise<{
+        chain: HitlChainHop[];
+        rateLimit: RateLimitState | null;
+    }>;
+    /**
+     * Record an approve vote. Resolves the escalation only once the
+     * server-side quorum count is satisfied; before that the response
+     * carries a refreshed escalation row with the latest
+     * `quorum_progress`.
+     *
+     * Calls `POST /v1/hitl/:id/approve`. The server returns 409
+     * `duplicate_vote` if the same principal has already voted, and
+     * 409 `already_rejected` if a concurrent reject crossed the line.
+     */
+    approveHitlEscalation(escalationId: string, input?: HitlApproveRequest): Promise<{
+        escalation: HitlEscalation;
+        rateLimit: RateLimitState | null;
+    }>;
+    /**
+     * Record a reject vote. Reject is short-circuit terminal — a single
+     * reject closes the escalation regardless of how many approves have
+     * accumulated.
+     *
+     * Calls `POST /v1/hitl/:id/reject`.
+     */
+    rejectHitlEscalation(escalationId: string, input?: HitlRejectRequest): Promise<{
+        escalation: HitlEscalation;
+        rateLimit: RateLimitState | null;
+    }>;
+    /**
+     * Re-route an open escalation to a higher tier. Bounded by the
+     * escalation's `max_escalation_depth` — the server returns 409
+     * `chain_exhausted` and applies the configured fallback decision
+     * once the ceiling is hit.
+     *
+     * Calls `POST /v1/hitl/:id/escalate`.
+     */
+    escalateHitlEscalation(escalationId: string, input: HitlEscalateRequest): Promise<{
+        escalation: HitlEscalation;
+        rateLimit: RateLimitState | null;
+    }>;
+    /**
+     * Manually apply the escalation's `fallback_decision`. Useful for
+     * admin recovery of a hung escalation when the cron sweeper hasn't
+     * run yet, or to short-circuit a stuck flow during incident
+     * response.
+     *
+     * Calls `POST /v1/hitl/:id/timeout`.
+     */
+    timeoutHitlEscalation(escalationId: string): Promise<{
+        escalation: HitlEscalation;
+        rateLimit: RateLimitState | null;
+    }>;
+    /**
+     * Run a named governance graph traversal query.
+     *
+     * Dispatches to `GET /v1/governance/graph/query?type=<queryType>`.
+     * Each query type returns a different row shape — the return type
+     * narrows automatically based on the literal `queryType` argument.
+     *
+     * `"user_approvals"` requires `params.actor_id` — the server returns
+     * a 400 if it is absent.
+     */
+    queryGovernanceGraph<T extends GovernanceGraphQueryType>(queryType: T, params?: GovernanceGraphQueryParams): Promise<GovernanceGraphQueryResponse<T>>;
+    /**
+     * Reconstruct the multi-system execution timeline for a specific incident.
+     *
+     * Calls `GET /v1/governance/timeline/incident/{incidentId}`. Backed
+     * server-side by `reconstruct_incident_chains_v2()`, which fixes the
+     * `executor_id → actor_id` bug that silently produced empty timelines
+     * in the original function.
+     *
+     * Returns full execution rows including the §13.1 columns
+     * (`delegation_chain_id`, `replay_of_execution_id`, `incident_id`,
+     * `policy_version_id`, `bundle_version_id`) alongside the actor
+     * timeline and evidence rows.
+     */
+    getIncidentTimeline(incidentId: string): Promise<IncidentTimelineResponse>;
+    /**
+     * List connectors registered for the calling org.
+     * Calls `GET /v1/governance/connectors`.
+     */
+    listConnectors(options?: {
+        cursor?: string;
+        limit?: number;
+    }): Promise<ListConnectorsResponse>;
+    /**
+     * Register and install a new connector for the calling org.
+     * Calls `POST /v1/governance/connectors`.
+     */
+    installConnector(input: InstallConnectorInput): Promise<InstallConnectorResponse>;
+    /**
+     * Store encrypted credentials for a connector.
+     * Calls `POST /v1/governance/connectors/{id}/authenticate`.
+     */
+    authenticateConnector(connectorId: string, input: AuthenticateConnectorInput): Promise<AuthenticateConnectorResponse>;
+    /**
+     * Trigger an incremental sync for a connector.
+     * Calls `POST /v1/governance/connectors/{id}/sync`.
+     */
+    syncConnector(connectorId: string): Promise<SyncConnectorResponse>;
+    /**
+     * Revoke a connector and all its associated credentials.
+     * Calls `POST /v1/governance/connectors/{id}/revoke`.
+     */
+    revokeConnector(connectorId: string, reason?: string): Promise<RevokeConnectorResponse>;
+    /**
+     * Rotate the credentials for a connector.
+     * Calls `POST /v1/governance/connectors/{id}/rotate-credentials`.
+     */
+    rotateConnectorCredentials(connectorId: string): Promise<RotateCredentialsResponse>;
+    /**
+     * List enforcement policies for the calling org, optionally filtered by connector type.
+     * Calls `GET /v1/governance/enforcement-policies`.
+     */
+    listEnforcementPolicies(connectorType?: ConnectorType): Promise<ListEnforcementPoliciesResponse>;
+    /**
+     * Create or update a connector enforcement policy.
+     * Calls `POST /v1/governance/enforcement-policies`.
+     */
+    upsertEnforcementPolicy(input: UpsertEnforcementPolicyInput): Promise<UpsertEnforcementPolicyResponse>;
+    /**
+     * Trigger a fresh org-level risk score computation.
+     * Calls `POST /v1/governance/risk/compute`.
+     */
+    computeOrgRisk(options?: ComputeOrgRiskOptions): Promise<ComputeOrgRiskResponse>;
+    /**
+     * Retrieve the most recently computed risk score for the calling org.
+     * Calls `GET /v1/governance/risk/latest`.
+     */
+    getLatestOrgRisk(): Promise<GetLatestOrgRiskResponse>;
+    /**
+     * Page through historical org risk scores, most-recent first.
+     * Calls `GET /v1/governance/risk/history`.
+     */
+    listOrgRiskHistory(options?: {
+        cursor?: string;
+        limit?: number;
+    }): Promise<ListOrgRiskHistoryResponse>;
+    checkCrossOrgPermission(req: CrossOrgPermissionCheckRequest): Promise<CrossOrgPermissionCheckResult>;
+    listCrossOrgPermissionChecks(params?: CrossOrgPermissionCheckListParams): Promise<CrossOrgPermissionCheckResult[]>;
+    listAnomalyResponseRules(): Promise<AnomalyResponseRule[]>;
+    createAnomalyResponseRule(req: CreateAnomalyResponseRuleRequest): Promise<AnomalyResponseRule>;
+    updateAnomalyResponseRule(id: string, updates: Partial<CreateAnomalyResponseRuleRequest>): Promise<AnomalyResponseRule>;
+    deleteAnomalyResponseRule(id: string): Promise<void>;
+    triggerAnomalyResponse(req: TriggerAnomalyResponseRequest): Promise<AnomalyResponseEvent[]>;
+    listAnomalyResponseEvents(params?: {
+        limit?: number;
+        execution_id?: string;
+    }): Promise<AnomalyResponseEvent[]>;
+    listBudgetExceptions(params?: {
+        status?: BudgetExceptionStatus;
+        budget_policy_id?: string;
+        limit?: number;
+        offset?: number;
+    }): Promise<BudgetExceptionRequest[]>;
+    getBudgetException(id: string): Promise<BudgetExceptionRequest>;
+    createBudgetException(req: CreateBudgetExceptionRequest): Promise<BudgetExceptionRequest>;
+    approveBudgetException(id: string, req: ApproveBudgetExceptionRequest): Promise<BudgetExceptionRequest>;
+    rejectBudgetException(id: string, review_notes?: string): Promise<BudgetExceptionRequest>;
+    cancelBudgetException(id: string): Promise<BudgetExceptionRequest>;
+    listRegulatoryAuthorityLevels(): Promise<RegulatoryAuthorityLevel[]>;
+    createRegulatoryAuthorityLevel(req: Omit<RegulatoryAuthorityLevel, "id" | "org_id" | "created_at">): Promise<RegulatoryAuthorityLevel>;
+    listRegulatoryEscalations(params?: {
+        status?: RegulatoryEscalationStatus;
+        subject_type?: string;
+        subject_id?: string;
+    }): Promise<RegulatoryEscalation[]>;
+    createRegulatoryEscalation(req: CreateRegulatoryEscalationRequest): Promise<RegulatoryEscalation>;
+    acknowledgeRegulatoryEscalation(id: string): Promise<RegulatoryEscalation>;
+    resolveRegulatoryEscalation(id: string, resolution: string, resolution_details?: Record<string, unknown>): Promise<RegulatoryEscalation>;
+    overrideRegulatoryEscalation(id: string, reason: string): Promise<RegulatoryEscalation>;
+    listSignalActions(signal_id: string): Promise<GovernanceSignalAction[]>;
+    recordSignalAction(signal_id: string, req: RecordSignalActionRequest): Promise<GovernanceSignalAction>;
+    recordSignalOutcome(signal_id: string, action_id: string, req: RecordSignalOutcomeRequest): Promise<GovernanceSignalAction>;
+    getSignalActionSummary(): Promise<SignalActionSummary>;
+    listImpersonationGrants(): Promise<CrossOrgImpersonationGrant[]>;
+    createImpersonationGrant(req: CreateImpersonationGrantRequest): Promise<CrossOrgImpersonationGrant>;
+    revokeImpersonationGrant(id: string): Promise<void>;
+    issueImpersonationToken(grant_id: string, requested_duration_seconds?: number): Promise<ImpersonationToken>;
+    validateImpersonationToken(token: string): Promise<ImpersonationValidationResult>;
+}
+
+/** Node's webcrypto CryptoKey — kept local so the module doesn't depend on DOM types. */
+type WebCryptoKey = webcrypto.CryptoKey;
+/** Public key candidate the verifier will try, tagged with its registry id. */
+interface VerifyKey {
+    keyId: string;
+    publicKey: WebCryptoKey;
+}
+interface BundleVerificationResult {
+    /**
+     * AND of three checks: adjacency (each event's `previous_hash`
+     * equals the prior event's `hash`), per-event hash recomputation
+     * from the canonical payload, and `chain_head_hash` matching the
+     * last event's stored hash.
+     */
+    chainIntegrityOk: boolean;
+    /** Ed25519 signature verified against one of the supplied public keys. */
+    signatureValid: boolean;
+    /** `chain_head_hash` equals the last event's stored `hash`. */
+    headHashMatches: boolean;
+    /** Event ids whose recomputed hash != stored hash. */
+    tamperedEventIds: string[];
+    /** Which registry key id matched, when `signatureValid` is true. */
+    matchedKeyId?: string | undefined;
+    /** Non-fatal explanation when a flag is false. */
+    reason?: string | undefined;
+    /** Convenience: `chainIntegrityOk && signatureValid`. */
+    verified: boolean;
+}
+/** Parsed bundle shape the verifier consumes. Fields beyond these are ignored. */
+interface AuditBundle {
+    export_id?: unknown;
+    org_id?: unknown;
+    chain_head_hash?: unknown;
+    event_count?: unknown;
+    signed_at?: unknown;
+    events?: unknown;
+    signature?: unknown;
+    signing_key_id?: unknown;
+    [k: string]: unknown;
+}
+interface VerifyBundleOptions {
+    /** SPKI-PEM strings (one per key in the active trust set). */
+    publicKeysPem?: readonly string[];
+    /** Already-imported keys, paired with registry ids (rotation hint). */
+    keys?: readonly VerifyKey[];
+}
+/**
+ * Reproduces `_shared/rules.ts::canonicalJSON` byte-for-byte:
+ *   - object keys sorted at every depth
+ *   - no whitespace
+ *   - `null`, `undefined`, `NaN`, `±Infinity` all render as `"null"`
+ *   - strings use standard `JSON.stringify` escapes
+ */
+declare function canonicalJSON(value: unknown): string;
+/**
+ * Recreate the exact bytes `handleExport` signed. Key order is
+ * load-bearing — must match the object literal in
+ * `v1-audit/index.ts::handleExport`. V8 preserves insertion order, so
+ * the literal below is byte-identical with what the backend signs.
+ */
+declare function signedBytesFor(bundle: AuditBundle): Uint8Array<ArrayBuffer>;
+declare function verifyAuditBundle(bundle: AuditBundle, keys: readonly VerifyKey[]): Promise<BundleVerificationResult>;
+/**
+ * Load a bundle from disk (or a parsed object) and verify it.
+ *
+ * `publicKeysPem` is the active SPKI-PEM set from
+ * `GET /v1-signing-keys`. When omitted, the chain check still runs
+ * but `signatureValid` will be false with an explanatory `reason` —
+ * callers that want a complete offline check MUST supply the trust
+ * set.
+ */
+declare function verifyBundle(pathOrBundle: string | AuditBundle, options?: VerifyBundleOptions): Promise<BundleVerificationResult>;
+
+/**
+ * `requirePermit` — higher-order execution gate for dangerous operations.
+ *
+ * Wraps any dangerous operation so it can only run after AtlaSent
+ * authorizes it end-to-end (evaluate + verifyPermit). If authorization
+ * is denied or the transport fails, the executor is never called.
+ *
+ * ```ts
+ * import atlasent from "@atlasent/sdk";
+ *
+ * await atlasent.requirePermit(
+ *   {
+ *     action_type: "database.table.drop",
+ *     actor_id: "agent:code-agent",
+ *     resource_id: "prod-db.users",
+ *     environment: "production",
+ *     context: { reversibility: "irreversible", blast_radius: "customer_data" },
+ *   },
+ *   async () => {
+ *     await db.raw("DROP TABLE users");
+ *   },
+ * );
+ * ```
+ *
+ * Unlike calling the executor directly, dangerous code cannot bypass
+ * this gate: if `requirePermit` throws, the executor never runs.
+ */
+/**
+ * Describes a potentially dangerous action to be authorized before
+ * the executor runs. Passed as the first argument to {@link requirePermit}.
+ */
+type ProtectedAction = {
+    /** Namespaced action type — e.g. "database.table.drop". */
+    action_type: string;
+    /** Agent or user requesting the action — e.g. "agent:deploy-bot". */
+    actor_id: string;
+    /** Resource being acted upon — e.g. "prod-db.users". */
+    resource_id: string;
+    /** Target deployment environment. Controls policy strictness. */
+    environment: "development" | "staging" | "production";
+    /** Arbitrary risk context forwarded to the policy engine. */
+    context: Record<string, unknown>;
+};
+/**
+ * Authorize a dangerous operation before running it.
+ *
+ * Calls `protect` (evaluate + verifyPermit) with the {@link ProtectedAction}
+ * descriptor. If authorization succeeds, calls `execute` and returns its
+ * result. On any failure — policy deny, invalid permit, transport error —
+ * `execute` is never called and the error propagates to the caller.
+ *
+ * This is the pattern primitive: dangerous code should be callable
+ * **only** through this wrapper. In code review, any operation in the list
+ * below is illegal unless it appears inside `requirePermit(...)`:
+ *
+ *   - `db.raw(...)` / `DROP TABLE` / `DELETE FROM` / `TRUNCATE TABLE`
+ *   - `exec(...)` / `rm -rf` / `kubectl delete` / `terraform destroy`
+ *   - `stripe.transfers.create(...)` / `github.deployments.create(...)`
+ *   - `railway.volumes.delete(...)` / `supabase.from(...).delete()`
+ */
+declare function requirePermit<T>(action: ProtectedAction, execute: () => Promise<T>): Promise<T>;
+/**
+ * Classify a shell or database command as destructive.
+ *
+ * Returns the namespaced action type (e.g. `"destructive.command"`) when the
+ * command matches a known dangerous pattern, or `null` when it appears safe.
+ * Use the return value as `action_type` in a {@link requirePermit} call before
+ * executing the command:
+ *
+ * ```ts
+ * async function runCommand(command: string, actorId: string) {
+ *   const actionType = classifyCommand(command);
+ *   if (actionType) {
+ *     return requirePermit(
+ *       { action_type: actionType, actor_id: actorId, resource_id: command,
+ *         environment: "production", context: { command } },
+ *       () => exec(command),
+ *     );
+ *   }
+ *   return exec(command);
+ * }
+ * ```
+ */
+declare function classifyCommand(command: string): string | null;
+
+/**
+ * `atlasent.withPermit(...)` — the lexically-scoped form of
+ * {@link protect}. TypeScript mirror of the Python SDK's
+ * ``atlasent.with_permit(...)``.
+ *
+ * Same execution-boundary contract as {@link protect}: evaluate +
+ * verifyPermit run end-to-end before the executor is invoked, and the
+ * executor cannot run unless a verified {@link Permit} was returned.
+ * The difference is purely lexical — `withPermit` binds the execution
+ * to the permit's lifetime via a callback, so the call site reads as
+ * "execute this body under a permit" rather than "fetch a permit and
+ * run code under it manually."
+ *
+ * ```ts
+ * import atlasent from "@atlasent/sdk";
+ *
+ * const ok = await atlasent.withPermit(
+ *   {
+ *     agent: "deploy-bot",
+ *     action: "production.deploy",
+ *     context: { commit, approver },
+ *   },
+ *   async (permit) => {
+ *     const result = await runDeploy(commit);
+ *     return { ok: true, permitId: permit.permitId, result };
+ *   },
+ * );
+ * ```
+ *
+ * Pick the form that fits the call site:
+ *
+ * - {@link protect} when the caller wants the verified permit as a
+ *   value (e.g. to pass it across a process boundary, persist it
+ *   alongside their own record, or interleave it with non-trivial
+ *   control flow).
+ * - {@link withPermit} when the action body is a single lexical scope
+ *   and "no permit, no execution" is the only thing the call site
+ *   needs to express.
+ *
+ * Both surfaces use the same underlying primitive and produce the
+ * same audit-chain entry.
+ */
+
+/**
+ * Authorize a request end-to-end and invoke `fn` only on a verified
+ * permit.
+ *
+ * @param request Same shape as {@link ProtectRequest}.
+ * @param fn Invoked with the verified {@link Permit}. Its return
+ *   value (awaited if it is a promise) is propagated to the caller.
+ *
+ * @returns Whatever `fn` returns.
+ *
+ * @throws {AtlaSentDeniedError} Policy denied, hold/escalate, or
+ *   permit failed verification. `fn` is never invoked.
+ * @throws {AtlaSentError} Transport, timeout, auth, rate-limit, or
+ *   server error. `fn` is never invoked.
+ *
+ * Errors thrown inside `fn` propagate untouched — the permit is
+ * already consumed by the verify step in v1, so there is no
+ * compensating revoke.
+ */
+declare function withPermit<T>(request: ProtectRequest, fn: (permit: Permit) => Promise<T> | T): Promise<T>;
+
+/**
+ * Sandbox simulation diff — wire shape for `GET /v1/agent-sandbox/:id/diff`.
+ *
+ * Mirrors the `export_sandbox_diff()` SQL function added in migration
+ * 20260509120000. Lets a caller render a sandbox-vs-live preview
+ * before promoting a simulation to a real execution. Once a sandbox
+ * run reaches a terminal status it is auto-torn-down; a follow-up
+ * call returns the {@link SandboxDiffEmpty} shape so the UI can
+ * surface "this run has been finalised" without a 404.
+ */
+type SandboxRunMode = "dry_run" | "simulation" | "constrained_execution" | "production_execution";
+type SandboxRunStatus = "pending" | "running" | "completed" | "failed" | "cancelled" | "timed_out";
+type SandboxWriteOp = "insert" | "update" | "delete";
+interface SandboxRunWrite {
+    sequence: number;
+    live_table: string;
+    live_pk: string | null;
+    op: SandboxWriteOp;
+    payload_before: Record<string, unknown> | null;
+    payload_after: Record<string, unknown> | null;
+    metadata: Record<string, unknown>;
+    created_at: string;
+}
+interface SandboxDiffPerTable {
+    total: number;
+    insert: number;
+    update: number;
+    delete: number;
+}
+/** Returned when staging rows are still present for the run. */
+interface SandboxDiff {
+    simulation_run_id: string;
+    org_id: string;
+    final_status: SandboxRunStatus;
+    mode: SandboxRunMode;
+    total_writes: number;
+    /** Keyed by live table name. */
+    summary: Record<string, SandboxDiffPerTable>;
+    writes: SandboxRunWrite[];
+}
+/**
+ * Returned when the run has been torn down — staging rows are gone
+ * and the audit-log `agent_sandbox.teardown` event is the only
+ * post-mortem record.
+ */
+interface SandboxDiffEmpty {
+    simulation_run_id: string;
+    status: SandboxRunStatus;
+    mode: SandboxRunMode;
+    torn_down: boolean;
+    total_writes: 0;
+    summary: Record<string, never>;
+    writes: [];
+}
+type SandboxDiffResponse = SandboxDiff | SandboxDiffEmpty;
+/**
+ * `true` when the response carries staging rows (i.e. the run has not
+ * been torn down yet). Narrow before reading `summary` / `writes`.
+ */
+declare function isSandboxDiffPopulated(r: SandboxDiffResponse): r is SandboxDiff;
+
+/**
+ * Delegation revocation propagation — wire shape for the
+ * `propagate_delegation_revocation()` summary returned by
+ * `/v1/authority-delegations/:id/revoke` (and emitted as the
+ * `authority_delegation.propagated` audit event).
+ *
+ * Mirrors migration 20260509120001. The propagator is invoked
+ * automatically on `status -> revoked` via DB trigger; consumers
+ * see the summary either as the audit-event payload (asynchronous)
+ * or attached to the revoke response (synchronous).
+ */
+interface DelegationPropagationSummary {
+    delegation_id: string;
+    /** `[delegator_user_id, delegate_user_id]` — uuids as strings. */
+    principals: [string, string];
+    /** Phase-B role-justified delegations carry the role; user-justified
+     *  delegations omit it. */
+    delegator_role?: string | null;
+    hitl_reassigned: number;
+    financial_invalidated: number;
+    policies_flagged: number;
+    revoked_reason?: string | null;
+}
+/**
+ * Convenience predicate: `true` when the revocation produced any
+ * downstream effect. Useful for "are we sure?" UI guards before
+ * surfacing the summary toast.
+ */
+declare function delegationPropagationHadEffect(s: DelegationPropagationSummary): boolean;
+
+/**
+ * Public types for the AtlaSent **Identity Assertion** — a signed
+ * attestation from an identity provider (OIDC / SSO) that the
+ * reviewer named in an approval_artifact.v1 is a real human with a
+ * specific role.
+ *
+ * Wire-stable as `identity_assertion.v1`. The contract lives in
+ * `contract/schemas/identity-assertion.schema.json`. Verification is
+ * server-side inside `/v1-evaluate`; the SDK exposes the types so
+ * callers can construct or inspect the `identity_assertion` block on
+ * an approval artifact.
+ *
+ * Why this matters: without identity attestation the artifact's
+ * `reviewer.principal_kind: "human"` is a self-claim from the
+ * approval issuer alone. With it, the IdP independently vouches for
+ * the human — a separate trust root, defence in depth.
+ */
+
+/** Identity-attested subject of the assertion. The verifier requires
+ *  `principal_kind === "human"`; the other variants exist so the
+ *  schema can structurally describe denied/declined assertions. */
+interface IdentitySubject {
+    principal_id: string;
+    principal_kind: PrincipalKind;
+}
+/** Cryptographic binding tying the assertion to a specific approval. */
+interface IdentityAssertionBinding {
+    /** Must equal artifact.approval_id. */
+    approval_id: string;
+    /** Must equal the canonical action hash. */
+    action_hash: string;
+    /** Must equal the request's tenant_id. */
+    tenant_id: string;
+    /** Must equal the request's environment. Empty string allowed when
+     *  the verifier was not given one (explicit equality, no implicit
+     *  broadening). */
+    environment: string;
+}
+/** Identity issuer (the IdP). Always OIDC-shaped. */
+interface IdentityIssuer {
+    type: "oidc";
+    issuer_id: string;
+    /** Key id for rotation; looked up in IDENTITY_TRUSTED_ISSUERS. */
+    kid: string;
+}
+/** A complete signed identity assertion. */
+interface IdentityAssertionV1 {
+    version: "identity_assertion.v1";
+    subject: IdentitySubject;
+    /** Required role attested by the IdP (e.g. "qa_reviewer"). */
+    role: string;
+    binding: IdentityAssertionBinding;
+    issuer: IdentityIssuer;
+    issued_at: string;
+    expires_at: string;
+    /** Optional anti-replay nonce. The approval-artifact nonce is the
+     *  primary defence; deployments wanting assertion-level replay
+     *  protection ledger this separately. */
+    nonce?: string;
+    signature: string;
+}
+/** Per-issuer entry in IDENTITY_TRUSTED_ISSUERS. Server-side config
+ *  only — never on the wire. The SDK exposes the type so operators
+ *  can lint config in CI. */
+interface IdentityIssuerKey {
+    alg: "HS256" | "Ed25519";
+    key: string;
+    /** Per-issuer scope: roles this kid may attest. Empty/missing = unscoped. */
+    allowed_roles?: string[];
+    /** Per-issuer scope: environments this kid may attest in. Empty/missing = unscoped. */
+    allowed_environments?: string[];
+}
+/** JSON shape of IDENTITY_TRUSTED_ISSUERS. Keyed by issuer_id then by
+ *  kid. Independent trust root from APPROVAL_TRUSTED_ISSUERS. */
+type IdentityTrustedIssuersConfig = Record<string, Record<string, IdentityIssuerKey>>;
+
+/**
+ * Public types for the AtlaSent **Approval Artifact** — a signed
+ * attestation that a *human* reviewer approved a specific action.
+ *
+ * Wire-stable as `approval_artifact.v1`. The contract lives in
+ * `contract/schemas/approval-artifact.schema.json`. Verification is
+ * server-side inside `/v1-evaluate`; the SDK exposes the types so
+ * callers can construct the `approval` field on an evaluate request.
+ *
+ * Why this matters: the calling agent cannot self-declare authority
+ * by passing reviewer flags in `context`. The artifact is bound to
+ * the exact action via `action_hash`, signed by a trusted issuer,
+ * and replay-protected via `nonce`.
+ */
+/** What kind of principal performed the approval. */
+type PrincipalKind = "human" | "agent" | "service_account";
+/** Identity of the reviewer recorded inside the artifact. */
+interface ApprovalReviewer {
+    principal_id: string;
+    principal_kind: PrincipalKind;
+    email?: string;
+    groups?: string[];
+    roles?: string[];
+}
+/** Trusted issuer identification — used to look up the verification key. */
+interface ApprovalIssuer {
+    type: "oidc" | "approval_service";
+    issuer_id: string;
+    kid: string;
+}
+
+/**
+ * The full signed approval artifact. Producers (approval services)
+ * compute `action_hash` over the canonical action payload and sign
+ * the artifact with the `signature` field stripped; the SDK does not
+ * sign or verify, it only carries the artifact to the server.
+ *
+ * `identity_assertion` is REQUIRED on the wire whenever
+ * `/v1-evaluate` calls the verifier with `requireIdentityAssertion:
+ * true` — i.e. when human approval is required. Without it, the
+ * server returns deny:`missing identity assertion`. The SDK type
+ * keeps the field optional to support shadow / preflight flows that
+ * inspect an artifact without verifying.
+ */
+interface ApprovalArtifactV1 {
+    version: "approval_artifact.v1";
+    approval_id: string;
+    tenant_id: string;
+    action_type: string;
+    resource_id: string;
+    action_hash: string;
+    reviewer: ApprovalReviewer;
+    issuer: ApprovalIssuer;
+    issued_at: string;
+    expires_at: string;
+    nonce: string;
+    signature: string;
+    identity_assertion?: IdentityAssertionV1;
+}
+/**
+ * Optional `approval` field on an evaluate request. Either embed the
+ * full artifact, or pass an `approval_id` and let the server resolve
+ * it from a side channel (preferred when the artifact is large).
+ */
+interface ApprovalReference {
+    approval_id?: string;
+    artifact?: ApprovalArtifactV1;
+}
+
+/**
+ * Public types for the AtlaSent **Approval Quorum** — the additive
+ * layer that lets multiple individually-trustworthy approvals be
+ * combined into a single quorum package.
+ *
+ * Wire-stable as `approval_quorum.v1`. The contract lives in
+ * `contract/schemas/approval-quorum.schema.json`. Verification is
+ * server-side inside `/v1-evaluate`; the SDK exposes the types so
+ * callers can construct a quorum payload before submitting.
+ *
+ * Important invariant (locked): quorum does NOT relax artifact
+ * verification. Every approval inside a quorum package must first
+ * pass the locked single-approval verifier (artifact signature +
+ * identity assertion + every binding) BEFORE quorum-level policy is
+ * evaluated. If any single approval fails, the whole package is
+ * denied with that approval's exact reason — no fallthrough.
+ */
+
+/** Independence constraints on a quorum policy. Duplicate
+ *  `reviewer.principal_id` is ALWAYS rejected regardless of these
+ *  flags; these strengthen the requirement further. */
+interface QuorumIndependence {
+    /** When true, requires distinct *approval-issuer* identities so
+     *  two tokens minted by the same QA system don't count separately
+     *  even if signed for different reviewers. */
+    distinct_approval_issuers?: boolean;
+    /** When true, requires distinct *identity-issuer* identities so
+     *  collusion between IdPs vouching for the same effective
+     *  reviewer pool is harder. */
+    distinct_identity_issuers?: boolean;
+}
+/** A single role × count requirement in a quorum policy. */
+interface QuorumRoleRequirement {
+    role: string;
+    /** Minimum number of approvals carrying this role. */
+    min: number;
+}
+/** Quorum policy describing what counts as passing. */
+interface QuorumPolicy {
+    /** Minimum total approvals (regardless of role). */
+    required_count: number;
+    /** OPTIONAL role-mix requirements; each is checked independently. */
+    required_role_mix?: QuorumRoleRequirement[];
+    /** Independence constraints. Duplicate principal_id is always
+     *  rejected; these flags additionally require distinct issuers. */
+    independence?: QuorumIndependence;
+    /** OPTIONAL package-level staleness window in seconds. Layered on
+     *  top of each artifact's own `expires_at` — both must be in the
+     *  future. */
+    max_age_seconds?: number;
+}
+/** A signed quorum package carrying multiple approvals. */
+interface ApprovalQuorumV1 {
+    version: "approval_quorum.v1";
+    tenant_id: string;
+    /** Canonical action hash. Must match every approval's action_hash
+     *  and the verifier's expected_action_hash. */
+    action_hash: string;
+    environment: string;
+    issued_at: string;
+    policy: QuorumPolicy;
+    /** The approvals being counted. Each is a full ApprovalArtifactV1
+     *  carrying its own identity_assertion. */
+    approvals: ApprovalArtifactV1[];
+}
+/** Cryptographic proof material returned on a passing quorum.
+ *  Persisted on the audit row so external auditors can reconstruct
+ *  WHO approved together without per-approval row joins. */
+interface QuorumProof {
+    /** sha256(canonical({ version, tenant_id, action_hash, environment,
+     *  issued_at, policy, sorted approval_hashes })). */
+    quorum_hash: string;
+    /** approval_id of every counted approval, in the order they were
+     *  submitted. */
+    approval_ids: string[];
+}
+
+/**
+ * Shared V1 API wire types used across multiple SDK modules.
+ *
+ * These reflect the canonical domain objects returned by the
+ * atlasent-control-plane V1 API. Import from here to avoid circular
+ * dependencies between proof.ts, overrides.ts, and types.ts.
+ */
+/**
+ * Canonical Permit domain object as returned by the V1 API.
+ *
+ * All timestamps are ISO-8601 UTC strings.
+ *
+ * This is the richer V1 shape returned by `GET /v1/permits/:id` and
+ * embedded in proof bundles. It differs from the legacy `PermitRecord`
+ * in `types.ts` which uses snake_case and legacy fields from the
+ * Supabase function surface.
+ */
+interface PermitV1 {
+    id: string;
+    orgId: string;
+    /** Who the permit was issued for (actor or agent ID). */
+    subject: string;
+    /** What the permit grants (action/resource scope). */
+    scope: string;
+    status: "active" | "revoked" | "expired";
+    /** The evaluation that produced this permit, or `null` for admin issuance. */
+    evaluationId: string | null;
+    /** Actor who issued the permit (system or admin). */
+    issuedBy: string;
+    /** Actor who revoked the permit, or `null`. */
+    revokedBy: string | null;
+    /** ISO-8601 issuance timestamp. */
+    issuedAt: string;
+    /** ISO-8601 revocation timestamp, or `null`. */
+    revokedAt: string | null;
+    /** ISO-8601 expiry timestamp, or `null` if the permit does not expire. */
+    expiresAt: string | null;
+    /** Arbitrary key/value metadata. `null` when none. */
+    metadata: Record<string, unknown> | null;
+}
+/**
+ * Canonical governance event as stored in the event log.
+ *
+ * `type` is a dotted domain-prefixed string, e.g. `override.created`,
+ * `permit.revoked`, `evaluation.decided`.
+ *
+ * `actorId` is `null` for system-emitted events (expiry sweeps, etc.).
+ */
+interface GovernanceEvent {
+    id: string;
+    type: string;
+    actorId: string | null;
+    orgId: string;
+    /** ISO-8601 timestamp. */
+    at: string;
+    /** Event-type-specific payload. Optional — shape varies by `type`. */
+    payload?: Record<string, unknown>;
+}
+
+/**
+ * Override types — wire shapes for `/v1/overrides`.
+ *
+ * Overrides allow an authorized actor to bypass a deny decision for a
+ * specific evaluation. They must be approved before they take effect
+ * and can be revoked at any time.
+ *
+ * Mirrors `api/src/schemas/overrides.ts` in atlasent-control-plane.
+ */
+/**
+ * Lifecycle status of an override request.
+ *
+ * - `pending`  — created, waiting for approval
+ * - `approved` — approved and active; the evaluation's deny is lifted
+ * - `revoked`  — manually revoked
+ * - `expired`  — TTL elapsed before revocation
+ */
+type OverrideStatus = "pending" | "approved" | "revoked" | "expired";
+/**
+ * The event types that can appear on an override's event log.
+ */
+type OverrideEventType = "created" | "approved" | "revoked";
+/**
+ * Canonical Override domain object returned by the API.
+ *
+ * All timestamps are ISO-8601 UTC strings. Nullable fields are `null`
+ * rather than omitted so wire shapes are stable.
+ */
+interface OverrideV1 {
+    id: string;
+    orgId: string;
+    /** The evaluation ID this override applies to. */
+    evaluationId: string;
+    /** Human-readable justification provided at creation time. */
+    reason: string;
+    status: OverrideStatus;
+    /** Actor who requested the override. */
+    requestedBy: string;
+    /** Actor who approved the override, or `null` if not yet approved. */
+    approvedBy: string | null;
+    /** Actor who revoked the override, or `null` if not revoked. */
+    revokedBy: string | null;
+    /** ISO-8601 creation timestamp. */
+    createdAt: string;
+    /** ISO-8601 approval timestamp, or `null`. */
+    approvedAt: string | null;
+    /** ISO-8601 revocation timestamp, or `null`. */
+    revokedAt: string | null;
+    /** ISO-8601 expiry timestamp, or `null` if no TTL was set. */
+    expiresAt: string | null;
+    /** Arbitrary key/value metadata attached at creation. `null` when none. */
+    metadata: Record<string, unknown> | null;
+}
+/**
+ * Paginated list of overrides.
+ */
+interface OverrideListResponse {
+    items: OverrideV1[];
+    /** Opaque cursor for the next page. `null` when there are no more results. */
+    nextCursor: string | null;
+}
+/**
+ * Input for `POST /v1/overrides` — request a new override.
+ */
+interface CreateOverrideRequest {
+    /** Human-readable justification. Required; max 2000 characters. */
+    reason: string;
+    /** The evaluation ID to override. */
+    evaluationId: string;
+    /** Lifetime in seconds. Defaults to 3600. Max 604800 (7 days). */
+    ttlSeconds?: number;
+    /** Arbitrary metadata to attach to the override record. */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Audit event appended to an override's event log on every state mutation.
+ */
+interface OverrideEvent {
+    id: string;
+    overrideId: string;
+    orgId: string;
+    /** Actor who caused this event. */
+    actorId: string;
+    type: OverrideEventType;
+    /** ISO-8601 timestamp. */
+    at: string;
+    /** Event-specific payload. `null` when none. */
+    payload: Record<string, unknown> | null;
+}
+/**
+ * Response for `GET /v1/overrides/:id/events`.
+ */
+interface OverrideEventsResponse {
+    items: OverrideEvent[];
+}
+
+/**
+ * Proof bundle types — wire shape for `GET /v1/proof/:evaluationId`.
+ *
+ * The proof endpoint reconstructs an evaluation from the governance event
+ * log and returns it along with the associated permits, overrides, and events
+ * as a signed bundle. Consumers use this for tamper-evident audit trails.
+ *
+ * Mirrors `api/src/schemas/proof.ts` in atlasent-control-plane.
+ */
+
+/**
+ * Reconstructed summary of the evaluation that produced the proof.
+ *
+ * Drawn from the `evaluation.decided` governance event. Timestamps
+ * are ISO-8601 UTC strings.
+ */
+interface ProofEvaluationSummary {
+    evaluationId: string;
+    /** Policy decision: `"allow"` or `"deny"`. */
+    decision: "allow" | "deny";
+    /** Human-readable reasons emitted by the policy engine. */
+    reasons: string[];
+    /** The action that was evaluated. `null` when not stored on the event. */
+    action: string | null;
+    /** Resource type. `null` when not stored on the event. */
+    resourceType: string | null;
+    /** Resource identifier. `null` when not stored on the event. */
+    resourceId: string | null;
+    /** ISO-8601 timestamp of when the decision was made. */
+    decidedAt: string;
+    /** Actor who triggered the evaluation. `null` for system-initiated evaluations. */
+    decidedBy: string | null;
+}
+/**
+ * The proof payload — the data that is signed.
+ *
+ * Contains the reconstructed evaluation summary, the permits and overrides
+ * that were active at decision time, and the full governance event trail.
+ */
+interface ProofPayload {
+    evaluation: ProofEvaluationSummary;
+    permits: PermitV1[];
+    overrides: OverrideV1[];
+    events: GovernanceEvent[];
+}
+/**
+ * Full proof bundle returned by `GET /v1/proof/:evaluationId`.
+ *
+ * **Signature semantics:**
+ *
+ * When `PROOF_SIGNING_SECRET` is configured on the server:
+ * - `algorithm === "hmac-sha256"`
+ * - `signature` is the hex-encoded HMAC-SHA256 over
+ *   `evaluationId + "\n" + issuedAt + "\n" + JSON.stringify(payload)`
+ *
+ * When `PROOF_SIGNING_SECRET` is absent:
+ * - `algorithm === "none"`, `signature === null`
+ *
+ * Consumers MUST reject proofs where `algorithm === "none"` in any
+ * context where tamper-evidence is required.
+ */
+interface ProofResponse {
+    evaluationId: string;
+    /** Signing algorithm used. `"none"` means unsigned. */
+    algorithm: "none" | "hmac-sha256";
+    /** Hex-encoded HMAC-SHA256 signature, or `null` when unsigned. */
+    signature: string | null;
+    payload: ProofPayload;
+    /** ISO-8601 timestamp of when the proof was issued. */
+    issuedAt: string;
+}
+
+/**
+ * Financial Action Model — canonical types for financial execution authority.
+ *
+ * Defines the core vocabulary for all financial actions governed by
+ * AtlaSent's economic governance layer. Every consequential financial
+ * operation must be classified here before execution authorization.
+ *
+ * Wire-stable as `financial_action.v1`.
+ */
+/** ISO 4217 currency code. */
+type CurrencyCode = "USD" | "EUR" | "GBP" | "JPY" | "CAD" | "AUD" | "CHF" | "CNY" | "SEK" | "NZD" | string;
+/**
+ * Risk tier for a financial action.
+ *
+ * - low:      < $1,000 — single-approver sufficient
+ * - medium:   $1,000–$50,000 — dual-control typically required
+ * - high:     $50,000–$1,000,000 — CFO-level required
+ * - critical: > $1,000,000 or irreversible — board-level or emergency protocol
+ */
+type FinancialRiskTier = "low" | "medium" | "high" | "critical";
+/** How accountability is distributed across parties for a financial action. */
+type LiabilityClassification = "individual" | "shared" | "delegated" | "supervisory" | "emergency_override";
+/** Canonical set of financial action types. */
+type FinancialActionType = "refund" | "payment_release" | "invoice_approval" | "payroll_execution" | "procurement_approval" | "wire_transfer" | "trading_execution" | "budget_override" | "spending_authorization" | "vendor_payment" | "subscription_cancellation" | "credit_issuance" | "fee_waiver" | "chargeback" | "contract_commitment" | string;
+/**
+ * Canonical definition of a financial action class.
+ *
+ * Stored in `financial_action_classes`. Drives quorum policy,
+ * liability classification, and risk tier assignment.
+ */
+interface FinancialActionClass {
+    /** Stable identifier (e.g. "wire_transfer.domestic"). */
+    readonly action_class_id: string;
+    readonly name: string;
+    readonly action_type: FinancialActionType;
+    readonly risk_tier: FinancialRiskTier;
+    /** Minimum number of approvals before execution is permitted. */
+    readonly required_approvals: number;
+    readonly liability_classification: LiabilityClassification;
+    /** Whether this action is reversible post-execution. */
+    readonly reversible: boolean;
+    /** Maximum allowed execution value for autonomous agents (null = no ceiling). */
+    readonly autonomous_ceiling: number | null;
+    readonly ceiling_currency: CurrencyCode | null;
+    readonly created_at: string;
+    readonly description?: string;
+}
+/** Status of a financial execution record. */
+type FinancialExecutionStatus = "pending_approval" | "approved" | "executing" | "completed" | "failed" | "reversed" | "disputed" | "frozen";
+/**
+ * Immutable record of a financial action execution.
+ *
+ * Written at authorization time. Stored in `financial_execution_records`.
+ */
+interface FinancialExecutionRecord {
+    readonly execution_id: string;
+    readonly action_class_id: string;
+    readonly org_id: string;
+    readonly action_value: number;
+    readonly currency: CurrencyCode;
+    readonly risk_tier: FinancialRiskTier;
+    readonly liability_classification: LiabilityClassification;
+    readonly initiator_id: string;
+    readonly executor_id: string;
+    /** Ordered list of approver IDs. */
+    readonly approver_ids: readonly string[];
+    /** AtlaSent permit IDs — one per approval stage. */
+    readonly permit_ids: readonly string[];
+    readonly override_applied: boolean;
+    readonly override_id: string | null;
+    readonly status: FinancialExecutionStatus;
+    readonly authorized_at: string;
+    readonly executed_at: string | null;
+    /** Hash-chained audit trail entry. */
+    readonly audit_hash: string;
+    readonly context: Record<string, unknown>;
+}
+/** Threshold configuration for risk-tier escalation. */
+interface RiskTierThreshold {
+    readonly tier: FinancialRiskTier;
+    /** Inclusive lower bound in the reference currency. */
+    readonly lower_bound: number;
+    /** Exclusive upper bound; null means unbounded. */
+    readonly upper_bound: number | null;
+    readonly reference_currency: CurrencyCode;
+}
+/** Default risk tier thresholds (USD-denominated). */
+declare const DEFAULT_RISK_TIER_THRESHOLDS: readonly RiskTierThreshold[];
+/**
+ * Classify a financial action's risk tier based on its value.
+ */
+declare function classifyRiskTier(value: number, thresholds?: readonly RiskTierThreshold[]): FinancialRiskTier;
+/**
+ * Return true when the action value is within the autonomous execution ceiling.
+ * A null ceiling means no ceiling is configured (always within bounds).
+ */
+declare function withinAutonomousCeiling(actionValue: number, ceiling: number | null): boolean;
+
+/**
+ * Liability Attribution Engine.
+ *
+ * Tracks and computes liability across the full chain of parties involved
+ * in a financial action: who authorized, delegated, executed, overrode,
+ * and approved exceptions.
+ *
+ * Supports shared, delegated, supervisory, and emergency-override liability
+ * regimes. Every attribution record is immutable once written.
+ *
+ * Wire-stable as `liability_attribution.v1`.
+ */
+
+/** The role a party played in a financial action. */
+type LiabilityPartyRole = "authorizer" | "delegator" | "delegate" | "executor" | "approver" | "override_actor" | "supervisor" | "exception_approver";
+/** A single party in the liability chain. */
+interface LiabilityParty {
+    readonly party_id: string;
+    readonly party_label: string;
+    readonly party_type: "human" | "agent" | "system";
+    readonly role: LiabilityPartyRole;
+    /** Fractional liability weight (0–1); all parties in chain sum to 1. */
+    readonly liability_weight: number;
+    readonly acted_at: string;
+    readonly permit_id: string | null;
+}
+/**
+ * Immutable liability attribution record for a financial execution.
+ *
+ * Stored in `liability_attribution_records`. One record per execution.
+ */
+interface LiabilityAttributionRecord {
+    readonly attribution_id: string;
+    readonly execution_id: string;
+    readonly org_id: string;
+    readonly classification: LiabilityClassification;
+    readonly risk_tier: FinancialRiskTier;
+    /** Ordered liability chain. First party = primary. */
+    readonly liability_chain: readonly LiabilityParty[];
+    readonly delegation_present: boolean;
+    readonly supervisory_present: boolean;
+    readonly emergency_override: boolean;
+    readonly override_justification: string | null;
+    readonly created_at: string;
+    /** SHA-256 hash of the canonical chain for integrity verification. */
+    readonly chain_hash: string;
+}
+/** Input required to build a liability attribution record. */
+interface LiabilityAttributionInput {
+    readonly execution_id: string;
+    readonly org_id: string;
+    readonly classification: LiabilityClassification;
+    readonly risk_tier: FinancialRiskTier;
+    readonly authorizer: Omit<LiabilityParty, "role" | "liability_weight">;
+    readonly executor: Omit<LiabilityParty, "role" | "liability_weight">;
+    readonly approvers: readonly Omit<LiabilityParty, "role" | "liability_weight">[];
+    readonly delegations?: readonly {
+        readonly delegator_id: string;
+        readonly delegate_id: string;
+        readonly delegator_label: string;
+        readonly delegate_label: string;
+        readonly delegator_type: "human" | "agent" | "system";
+        readonly delegate_type: "human" | "agent" | "system";
+        readonly permit_id: string | null;
+        readonly acted_at: string;
+    }[];
+    readonly supervisors?: readonly Omit<LiabilityParty, "role" | "liability_weight">[];
+    readonly override?: {
+        readonly actor_id: string;
+        readonly actor_label: string;
+        readonly actor_type: "human" | "agent" | "system";
+        readonly justification: string;
+        readonly permit_id: string | null;
+        readonly acted_at: string;
+    };
+}
+/** Weight distribution strategy. */
+type WeightDistribution = "equal" | "role_weighted";
+/**
+ * Compute liability weights for all parties in a chain.
+ * Normalizes weights to sum to 1.0.
+ */
+declare function computeLiabilityWeights(parties: readonly {
+    role: LiabilityPartyRole;
+}[], distribution?: WeightDistribution): number[];
+/**
+ * Build a liability chain from attribution input.
+ * Assigns roles and computes normalized weights for each party.
+ */
+declare function buildLiabilityChain(input: LiabilityAttributionInput, distribution?: WeightDistribution): LiabilityParty[];
+/**
+ * Find all parties bearing primary liability (weight >= threshold).
+ * Used in dispute workflows and regulatory reporting.
+ */
+declare function findPrimaryLiabilityParties(chain: readonly LiabilityParty[], threshold?: number): LiabilityParty[];
+/** Result of validating a liability chain. */
+interface LiabilityChainValidation {
+    readonly valid: boolean;
+    readonly errors: readonly string[];
+}
+/**
+ * Validate structural correctness of a liability chain:
+ * - At least one party present
+ * - Weights sum to ~1.0
+ * - No duplicate party_id+role pairs
+ * - override_actor present when hasEmergencyOverride is true
+ */
+declare function validateLiabilityChain(chain: readonly LiabilityParty[], hasEmergencyOverride: boolean): LiabilityChainValidation;
+
+/**
+ * Economic Risk Engine.
+ *
+ * Computes financial exposure, approval concentration risk, override
+ * frequency risk, budgetary drift, and execution anomaly risk for an
+ * organization's financial governance posture.
+ *
+ * All computation is pure (no I/O). Inputs are derived from the
+ * financial_execution_records and liability_attribution_records tables.
+ *
+ * Wire-stable as `economic_risk.v1`.
+ */
+
+/** Aggregate financial risk score for an organization or scope. */
+interface FinancialRiskScore {
+    readonly scope_id: string;
+    /** Overall risk score (0–100; higher = riskier). */
+    readonly overall_score: number;
+    readonly exposure_score: number;
+    readonly concentration_score: number;
+    readonly override_score: number;
+    readonly drift_score: number;
+    readonly anomaly_score: number;
+    readonly implied_tier: FinancialRiskTier;
+    readonly computed_at: string;
+    readonly factors: readonly RiskFactor[];
+}
+/** A single contributing risk factor. */
+interface RiskFactor {
+    readonly name: string;
+    readonly score: number;
+    readonly weight: number;
+    readonly description: string;
+    readonly evidence?: readonly string[];
+}
+/** Alert raised when approval authority is too concentrated. */
+interface ConcentrationAlert {
+    readonly approver_id: string;
+    /** Percentage of total approvals (0–100). */
+    readonly approval_share_pct: number;
+    readonly total_value_approved: number;
+    readonly approval_count: number;
+    readonly severity: "warn" | "critical";
+    readonly window_start: string;
+    readonly window_end: string;
+}
+/** Per-approver breakdown within a concentration analysis. */
+interface ApproverBreakdown {
+    readonly approver_id: string;
+    readonly approval_count: number;
+    readonly total_value: number;
+    /** Share as a percentage (0–100). */
+    readonly share_pct: number;
+}
+/** Result of approval concentration analysis. */
+interface ApprovalConcentrationAnalysis {
+    readonly scope_id: string;
+    readonly analysis_window_days: number;
+    readonly total_approvals: number;
+    readonly total_value: number;
+    readonly approver_breakdown: readonly ApproverBreakdown[];
+    readonly alerts: readonly ConcentrationAlert[];
+    /** Herfindahl-Hirschman Index (0–10000). */
+    readonly concentration_hhi: number;
+    readonly computed_at: string;
+}
+/** Budgetary drift analysis for a scope/period. */
+interface BudgetaryDriftAnalysis {
+    readonly scope_id: string;
+    readonly department_id: string | null;
+    readonly period_start: string;
+    readonly period_end: string;
+    readonly budgeted_amount: number;
+    readonly actual_amount: number;
+    readonly variance_amount: number;
+    readonly variance_pct: number;
+    readonly drift_detected: boolean;
+    readonly drift_severity: "none" | "minor" | "moderate" | "severe";
+    readonly override_contribution_pct: number;
+    readonly unauthorized_escalation_detected: boolean;
+}
+/** A single execution anomaly signal. */
+interface ExecutionAnomaly {
+    readonly anomaly_id: string;
+    readonly execution_id: string;
+    readonly anomaly_type: AnomalyType;
+    readonly description: string;
+    readonly severity: "low" | "medium" | "high";
+    readonly detected_at: string;
+    readonly evidence: Record<string, unknown>;
+}
+/** Known anomaly types detected by the risk engine. */
+type AnomalyType = "unusual_amount" | "unusual_frequency" | "off_hours_execution" | "rapid_sequential" | "self_approval" | "jurisdiction_mismatch" | "dormant_approver" | "velocity_spike" | string;
+/**
+ * Compute the overall financial risk score from sub-scores.
+ * Returns a value in [0, 100].
+ */
+declare function computeOverallRiskScore(subScores: {
+    exposure: number;
+    concentration: number;
+    override: number;
+    drift: number;
+    anomaly: number;
+}): number;
+/**
+ * Infer a risk tier from an overall score.
+ * 0–25: low | 26–55: medium | 56–80: high | 81–100: critical
+ */
+declare function scoreToRiskTier(score: number): FinancialRiskTier;
+/**
+ * Compute the Herfindahl-Hirschman Index from a list of shares (0–100 each).
+ * HHI > 2500 indicates high concentration.
+ */
+declare function computeHHI(shares: readonly number[]): number;
+/** Map HHI (0–10000) to a concentration score (0–100). */
+declare function hhiToConcentrationScore(hhi: number): number;
+/**
+ * Compute an exposure score (0–100) from execution records.
+ * Total active-state value as a fraction of a reference ceiling.
+ */
+declare function computeExposureScore(records: readonly Pick<FinancialExecutionRecord, "action_value" | "status" | "risk_tier">[], exposureCeilingUSD?: number): number;
+/**
+ * Compute an override frequency score (0–100).
+ * More than 10% override rate → score = 100.
+ */
+declare function computeOverrideScore(totalExecutions: number, overriddenExecutions: number): number;
+/**
+ * Detect self-approval: initiator and approver are the same party.
+ */
+declare function detectSelfApproval(initiatorId: string, approverIds: readonly string[]): boolean;
+/** Compute an approval risk score from concentration analysis. */
+declare function computeApprovalRiskScore(analysis: ApprovalConcentrationAnalysis): number;
+
+/**
+ * Financial Quorum — extends the AtlaSent approval quorum model with
+ * monetary thresholds, dynamic escalation, and emergency freeze support.
+ *
+ * Builds on the base QuorumPolicy in approvalQuorum.ts. Every financial
+ * quorum check MUST first satisfy base quorum requirements before
+ * financial-layer policy is evaluated.
+ *
+ * Wire-stable as `financial_quorum.v1`.
+ */
+
+/** A financial role requirement with optional monetary and tier filters. */
+interface FinancialRoleRequirement {
+    readonly role: string;
+    readonly min: number;
+    /** Only apply this requirement when action value >= this amount. */
+    readonly applies_above?: number;
+    /** Only apply when the action's risk_tier is in this set. */
+    readonly applies_to_tiers?: readonly FinancialRiskTier[];
+}
+/** Amount-based threshold that triggers additional quorum requirements. */
+interface AmountThreshold {
+    readonly value: number;
+    readonly currency: CurrencyCode;
+    readonly additional_approvals: number;
+    readonly additional_roles: readonly FinancialRoleRequirement[];
+    readonly senior_review_required: boolean;
+}
+/**
+ * Financial quorum policy.
+ *
+ * Extends the base QuorumPolicy with amount thresholds, financial role
+ * requirements, regulator approval thresholds, and emergency freeze.
+ */
+interface FinancialQuorumPolicy extends QuorumPolicy {
+    readonly financial_role_requirements: readonly FinancialRoleRequirement[];
+    readonly amount_thresholds: readonly AmountThreshold[];
+    readonly reference_currency: CurrencyCode;
+    readonly emergency_freeze_active: boolean;
+    /** Regulator approval required above this value (null = not required). */
+    readonly regulator_approval_threshold: number | null;
+    /** Customer + vendor dual-release required above this value. */
+    readonly dual_release_threshold: number | null;
+}
+/** Emergency freeze record — applied org-wide or per scope. */
+interface EmergencyFreeze {
+    readonly freeze_id: string;
+    readonly scope_id: string;
+    readonly scope_type: "org" | "department" | "action_class";
+    readonly triggered_by: string;
+    readonly reason: string;
+    readonly triggered_at: string;
+    readonly expires_at: string | null;
+    readonly lifted: boolean;
+    readonly lifted_at: string | null;
+    readonly lifted_by: string | null;
+}
+/** Result of evaluating a financial quorum. */
+interface FinancialQuorumResult {
+    readonly passed: boolean;
+    readonly base_quorum_passed: boolean;
+    readonly amount_threshold_satisfied: boolean;
+    readonly financial_roles_satisfied: boolean;
+    readonly regulator_approval_missing: boolean;
+    readonly blocked_by_freeze: boolean;
+    readonly base_quorum_proof: QuorumProof | null;
+    readonly denial_reason: string | null;
+    readonly unmet_requirements: readonly string[];
+}
+/** Input to financial quorum evaluation. */
+interface FinancialQuorumInput {
+    readonly policy: FinancialQuorumPolicy;
+    readonly action_value: number;
+    readonly risk_tier: FinancialRiskTier;
+    /** Roles present in the approval set (role → count). */
+    readonly present_roles: Record<string, number>;
+    readonly approval_count: number;
+    readonly regulator_approval_present: boolean;
+    readonly base_quorum_proof: QuorumProof | null;
+    readonly active_freezes: readonly EmergencyFreeze[];
+}
+/**
+ * Evaluate a financial quorum policy.
+ *
+ * Checks in order: emergency freeze → base count → amount thresholds
+ * → financial roles → regulator approval.
+ */
+declare function evaluateFinancialQuorum(input: FinancialQuorumInput): FinancialQuorumResult;
+/**
+ * Determine the escalated minimum approval count for a given action value.
+ * Returns base count plus the largest additional_approvals from matching thresholds.
+ */
+declare function computeEscalatedApprovalCount(baseCount: number, actionValue: number, thresholds: readonly AmountThreshold[]): number;
+
+/**
+ * Budgetary Governance — policy and constraint infrastructure for
+ * organizational financial limits.
+ *
+ * Prevents budget overruns, unauthorized escalations, and hidden approvals
+ * by enforcing declared spending constraints before financial actions
+ * are authorized.
+ *
+ * Wire-stable as `budget_governance.v1`.
+ */
+
+/** Scope a budget limit applies to. */
+type BudgetScope = "org" | "department" | "team" | "environment" | "action_class" | "project" | "time_bounded";
+/** A declared budget limit for a scope. */
+interface BudgetLimit {
+    readonly limit_id: string;
+    readonly org_id: string;
+    readonly scope_type: BudgetScope;
+    readonly scope_id: string;
+    readonly limit_amount: number;
+    readonly currency: CurrencyCode;
+    /** Hard limits block execution; soft limits warn only. */
+    readonly enforcement: "hard" | "soft";
+    readonly period_start: string | null;
+    readonly period_end: string | null;
+    readonly active: boolean;
+    readonly created_by: string;
+    readonly created_at: string;
+}
+/** Current spending state against a budget limit. */
+interface BudgetSpendingState {
+    readonly limit_id: string;
+    readonly spent_amount: number;
+    readonly remaining_amount: number;
+    readonly exceeded: boolean;
+    /** Utilization percentage (0–100+). */
+    readonly utilization_pct: number;
+    readonly updated_at: string;
+}
+/** A spending constraint on a financial action class or type. */
+interface SpendingConstraint {
+    readonly constraint_id: string;
+    readonly org_id: string;
+    /** "*" matches all action types. */
+    readonly action_type: FinancialActionType | "*";
+    readonly max_single_transaction: number;
+    readonly max_daily_aggregate: number | null;
+    readonly max_monthly_aggregate: number | null;
+    readonly currency: CurrencyCode;
+    readonly applies_to_tier_gte: FinancialRiskTier | null;
+    readonly allow_anonymous_agents: boolean;
+    readonly active: boolean;
+}
+/** A specific budget violation. */
+interface BudgetViolation {
+    readonly violation_type: "limit_exceeded" | "single_transaction_exceeds" | "daily_aggregate_exceeds" | "monthly_aggregate_exceeds" | "anonymous_agent_blocked" | "period_expired";
+    readonly limit_id?: string;
+    readonly constraint_id?: string;
+    readonly description: string;
+    readonly overage_amount?: number;
+}
+/** Result of checking an action against budget constraints. */
+interface BudgetConstraintCheckResult {
+    readonly permitted: boolean;
+    readonly hard_blocks: readonly BudgetViolation[];
+    readonly soft_warnings: readonly BudgetViolation[];
+    readonly limits_checked: readonly string[];
+    readonly constraints_checked: readonly string[];
+}
+/** A complete budget policy document for an organization. */
+interface BudgetPolicy {
+    readonly policy_id: string;
+    readonly org_id: string;
+    readonly name: string;
+    readonly limits: readonly BudgetLimit[];
+    readonly constraints: readonly SpendingConstraint[];
+    readonly override_requires_exception: boolean;
+    readonly allow_approved_escalation: boolean;
+    readonly version: string;
+    readonly effective_from: string;
+    readonly expires_at: string | null;
+}
+/**
+ * Check an action value against applicable budget limits and constraints.
+ *
+ * Hard limits block execution; soft limits surface as warnings.
+ */
+declare function checkBudgetConstraints(params: {
+    actionValue: number;
+    currency: CurrencyCode;
+    actionType: FinancialActionType;
+    riskTier: FinancialRiskTier;
+    isAnonymousAgent: boolean;
+    currentDailySpend: number;
+    currentMonthlySpend: number;
+    applicableLimits: readonly (BudgetLimit & {
+        spending: BudgetSpendingState;
+    })[];
+    applicableConstraints: readonly SpendingConstraint[];
+    now?: Date;
+}): BudgetConstraintCheckResult;
+/**
+ * Determine budget utilization severity for dashboard display.
+ */
+declare function budgetUtilizationSeverity(utilizationPct: number): "normal" | "warn" | "critical";
+
+/**
+ * Autonomous Financial Execution — governance for AI-driven financial actions.
+ *
+ * Defines bounded authority, execution ceilings, and runtime verification
+ * requirements for autonomous agents performing financial operations:
+ * refunds, procurement, cloud-cost optimization, vendor payments, etc.
+ *
+ * Wire-stable as `autonomous_financial.v1`.
+ */
+
+/** Authority bounds for an autonomous financial agent. */
+interface AutonomousExecutionBounds {
+    readonly bounds_id: string;
+    readonly org_id: string;
+    readonly agent_id: string;
+    readonly agent_name: string;
+    /** Action types this agent is permitted to execute autonomously. */
+    readonly permitted_action_types: readonly FinancialActionType[];
+    readonly ceilings: readonly ExecutionCeiling[];
+    readonly daily_aggregate_ceiling: number;
+    readonly aggregate_currency: CurrencyCode;
+    /** Maximum risk tier the agent may autonomously execute. */
+    readonly max_risk_tier: FinancialRiskTier;
+    readonly require_runtime_verification: boolean;
+    readonly anomaly_detection_enabled: boolean;
+    readonly created_at: string;
+    readonly expires_at: string | null;
+    readonly active: boolean;
+}
+/** Per-action-type execution ceiling. */
+interface ExecutionCeiling {
+    readonly action_type: FinancialActionType;
+    readonly per_execution_max: number;
+    readonly currency: CurrencyCode;
+    readonly max_daily_count: number | null;
+    readonly require_permit: boolean;
+}
+/** Record of an autonomous execution attempt. */
+interface AutonomousExecutionRecord {
+    readonly record_id: string;
+    readonly agent_id: string;
+    readonly org_id: string;
+    readonly action_type: FinancialActionType;
+    readonly action_value: number;
+    readonly currency: CurrencyCode;
+    readonly permitted: boolean;
+    readonly denial_reason: string | null;
+    readonly permit_id: string | null;
+    readonly anomaly_detected: boolean;
+    readonly anomaly_description: string | null;
+    readonly attempted_at: string;
+    readonly executed_at: string | null;
+}
+/** Result of checking whether an autonomous execution is within bounds. */
+interface AutonomousExecutionCheckResult {
+    readonly permitted: boolean;
+    readonly action_type_permitted: boolean;
+    readonly within_execution_ceiling: boolean;
+    readonly within_daily_aggregate: boolean;
+    readonly within_risk_tier: boolean;
+    readonly bounds_active: boolean;
+    readonly bounds_not_expired: boolean;
+    readonly applicable_ceiling: ExecutionCeiling | null;
+    readonly denial_reason: string | null;
+    readonly violations: readonly string[];
+}
+/**
+ * Check whether an autonomous execution is within declared bounds.
+ */
+declare function checkAutonomousBounds(params: {
+    bounds: AutonomousExecutionBounds;
+    actionType: FinancialActionType;
+    actionValue: number;
+    currency: CurrencyCode;
+    riskTier: FinancialRiskTier;
+    currentDailyAggregate: number;
+    currentDailyCount: Partial<Record<string, number>>;
+    now?: Date;
+}): AutonomousExecutionCheckResult;
+/**
+ * Detect a potential anomaly in autonomous execution.
+ * Returns a description when an anomaly is detected, or null.
+ */
+declare function detectAutonomousAnomaly(params: {
+    actionValue: number;
+    historicalMeanValue: number;
+    historicalStdDev: number;
+    recentExecutionCount: number;
+    burstThreshold: number;
+    isOffHours: boolean;
+}): {
+    anomalyDetected: boolean;
+    description: string | null;
+};
+
+/**
+ * Incentive Alignment Engine.
+ *
+ * Detects governance anti-patterns that indicate misaligned incentives:
+ * excessive overrides, rushed approvals, emergency bypass repetition,
+ * authority concentration, and governance fatigue.
+ *
+ * These signals are leading indicators of systemic governance failure.
+ * They do not block execution but feed into risk scoring and dashboards.
+ *
+ * Wire-stable as `incentive_alignment.v1`.
+ */
+/** Categories of governance incentive signals. */
+type IncentiveSignalType = "excessive_overrides" | "rushed_approval" | "emergency_bypass_repeat" | "authority_concentration" | "rubber_stamping" | "approval_collusion" | "escalation_avoidance" | "governance_fatigue" | "delegation_chain_depth" | "approval_velocity_spike";
+/** A detected incentive alignment signal. */
+interface IncentiveSignal {
+    readonly signal_id: string;
+    readonly signal_type: IncentiveSignalType;
+    readonly party_id: string;
+    readonly party_label: string;
+    /** Severity (0–100). */
+    readonly severity: number;
+    readonly description: string;
+    readonly evidence: readonly string[];
+    readonly detected_at: string;
+    readonly reviewed: boolean;
+    readonly reviewed_by: string | null;
+}
+/** Behavior pattern analysis for a governance actor. */
+interface GovernanceBehaviorPattern {
+    readonly party_id: string;
+    readonly party_label: string;
+    readonly observation_window_days: number;
+    readonly total_approvals: number;
+    readonly total_overrides: number;
+    readonly total_emergency_bypasses: number;
+    readonly mean_approval_latency_seconds: number;
+    readonly min_approval_latency_seconds: number;
+    readonly approval_concentration_score: number;
+    readonly delegation_depth_max: number;
+    readonly signals: readonly IncentiveSignal[];
+    /** 0–100; higher = healthier governance posture. */
+    readonly governance_health_score: number;
+}
+/** Misalignment alert for operator review. */
+interface MisalignmentAlert {
+    readonly alert_id: string;
+    readonly org_id: string;
+    readonly severity: "warn" | "critical";
+    readonly alert_type: IncentiveSignalType;
+    readonly affected_party_ids: readonly string[];
+    readonly description: string;
+    readonly recommendation: string;
+    readonly signals: readonly IncentiveSignal[];
+    readonly created_at: string;
+    readonly resolved: boolean;
+    readonly resolved_at: string | null;
+}
+/** Thresholds for incentive alignment detection. */
+interface IncentiveAlignmentConfig {
+    readonly max_override_rate: number;
+    readonly min_approval_latency_seconds: number;
+    readonly max_emergency_bypasses_30d: number;
+    readonly max_concentration_share: number;
+    readonly max_delegation_depth: number;
+}
+declare const DEFAULT_INCENTIVE_CONFIG: IncentiveAlignmentConfig;
+/**
+ * Analyze a governance actor's behavior to detect misaligned incentives.
+ * Returns signals sorted by severity (highest first).
+ */
+declare function detectMisalignedIncentives(params: {
+    partyId: string;
+    partyLabel: string;
+    windowDays: number;
+    totalActions: number;
+    overrideCount: number;
+    emergencyBypassCount: number;
+    approvalLatencies: readonly number[];
+    approvalShare: number;
+    delegationDepthMax: number;
+    config?: IncentiveAlignmentConfig;
+    now?: Date;
+}): IncentiveSignal[];
+/**
+ * Compute a governance health score (0–100).
+ * 100 = perfect governance; 0 = extreme misalignment.
+ */
+declare function computeGovernanceHealthScore(signals: readonly IncentiveSignal[]): number;
+
+/**
+ * Economic Evidence Bundles.
+ *
+ * Generates signed evidence proving approval provenance, execution
+ * authorization, runtime conformity, liability chain, and policy compliance
+ * for regulatory review, insurance, financial audit, and legal discovery.
+ *
+ * Follows the same signing pattern as auditBundle.ts, scoped to financial
+ * governance evidence.
+ *
+ * Wire-stable as `economic_evidence.v1`.
+ */
+
+/** Purpose for which an economic evidence bundle is generated. */
+type EvidencePurpose = "regulator_review" | "insurance_review" | "financial_audit" | "legal_discovery" | "internal_review" | "dispute_resolution";
+/** Approval provenance record within the evidence bundle. */
+interface ApprovalProvenance {
+    readonly approver_id: string;
+    readonly approver_label: string;
+    readonly permit_id: string;
+    readonly approved_at: string;
+    readonly audit_hash: string;
+    readonly role: string;
+}
+/** Complete economic evidence bundle. */
+interface EconomicEvidenceBundle {
+    readonly version: "economic_evidence.v1";
+    readonly bundle_id: string;
+    readonly org_id: string;
+    readonly purpose: EvidencePurpose;
+    readonly execution_record: FinancialExecutionRecord;
+    readonly liability_attribution: LiabilityAttributionRecord;
+    readonly quorum_result: FinancialQuorumResult;
+    readonly budget_check: BudgetConstraintCheckResult;
+    readonly approval_provenance: readonly ApprovalProvenance[];
+    readonly runtime_conformity: boolean;
+    readonly runtime_conformity_notes: readonly string[];
+    readonly policy_compliant: boolean;
+    readonly policy_violations: readonly string[];
+    readonly generated_at: string;
+    readonly requested_by: string;
+    /** SHA-256 hex of the canonical signable content. */
+    readonly content_hash: string;
+    /** Base64url Ed25519 signature of the canonical content. */
+    readonly signature: string | null;
+    readonly signing_key_id: string | null;
+}
+/** Canonical content shape that gets hashed and signed. */
+interface EvidenceBundleSignableContent {
+    readonly bundle_id: string;
+    readonly org_id: string;
+    readonly purpose: EvidencePurpose;
+    readonly execution_id: string;
+    readonly attribution_id: string;
+    readonly liability_chain_hash: string;
+    readonly approval_count: number;
+    readonly permit_ids: readonly string[];
+    readonly policy_compliant: boolean;
+    readonly generated_at: string;
+}
+/** Verification result for an economic evidence bundle. */
+interface EvidenceBundleVerificationResult {
+    readonly valid: boolean;
+    readonly content_hash_valid: boolean;
+    readonly signature_valid: boolean;
+    readonly liability_chain_hash_matches: boolean;
+    readonly permit_ids_match: boolean;
+    readonly reason: string | null;
+}
+/**
+ * Canonicalize a value to a stable string representation.
+ *
+ * Exported (rather than file-private) to enable cross-language
+ * byte-equivalence verification against the Python implementation in
+ * ``atlasent-sdk/python/atlasent/governance/_canonical.py``. The shared
+ * fixture lives at ``compat/governance/fixtures/parity.json``.
+ */
+declare function canonicalizeForEvidence(value: unknown): string;
+/**
+ * Build the signable content object for a bundle.
+ * Key order is load-bearing — must remain stable across versions.
+ */
+declare function buildSignableContent(bundle: Omit<EconomicEvidenceBundle, "content_hash" | "signature" | "signing_key_id">): EvidenceBundleSignableContent;
+/**
+ * Serialize signable content to canonical UTF-8 bytes.
+ * Uses the same sort-keyed canonicalization as auditBundle.
+ */
+declare function serializeSignableContent(content: EvidenceBundleSignableContent): Uint8Array;
+/**
+ * Verify an economic evidence bundle's structural integrity.
+ * Does NOT verify the Ed25519 signature (requires crypto keys).
+ */
+declare function verifyEvidenceBundleStructure(bundle: EconomicEvidenceBundle): EvidenceBundleVerificationResult;
+
+/**
+ * Dispute + Reversal Workflows.
+ *
+ * Manages disputed financial actions, rollback workflows, frozen actions,
+ * and temporary suspensions. Tracks dispute origin, remediation timeline,
+ * and reversal authority.
+ *
+ * Wire-stable as `dispute_reversal.v1`.
+ */
+
+/** Who or what originated a dispute. */
+type DisputeOrigin = "counterparty" | "regulator" | "internal_audit" | "fraud_detection" | "approver_retract" | "policy_violation" | "agent_error";
+/** Current state of a dispute. */
+type DisputeStatus = "open" | "under_review" | "escalated" | "resolved_in_favor" | "resolved_against" | "reversed" | "withdrawn";
+/** A dispute record for a financial action. */
+interface DisputeRecord {
+    readonly dispute_id: string;
+    readonly execution_id: string;
+    readonly org_id: string;
+    readonly origin: DisputeOrigin;
+    readonly filed_by: string;
+    readonly description: string;
+    readonly status: DisputeStatus;
+    readonly execution_frozen: boolean;
+    readonly opened_at: string;
+    readonly resolution_deadline: string | null;
+    readonly resolved_at: string | null;
+    readonly resolved_by: string | null;
+    readonly resolution_notes: string | null;
+    readonly reversal_initiated: boolean;
+    readonly reversal_id: string | null;
+}
+/** Reversal workflow stage. */
+type ReversalStage = "initiated" | "authorization_pending" | "authorized" | "executing" | "completed" | "failed" | "cancelled";
+/** A reversal workflow for a financial execution. */
+interface ReversalWorkflow {
+    readonly reversal_id: string;
+    readonly execution_id: string;
+    readonly dispute_id: string | null;
+    readonly org_id: string;
+    readonly initiated_by: string;
+    readonly reason: string;
+    readonly stage: ReversalStage;
+    readonly authorized_by: string | null;
+    readonly authorization_permit_id: string | null;
+    readonly initiated_at: string;
+    readonly authorized_at: string | null;
+    readonly completed_at: string | null;
+    readonly reversal_value: number;
+    readonly partial: boolean;
+}
+/** Action freeze record. */
+interface ActionFreeze {
+    readonly freeze_id: string;
+    readonly execution_id: string;
+    readonly org_id: string;
+    readonly triggered_by: string;
+    readonly reason: string;
+    readonly triggered_at: string;
+    readonly expires_at: string | null;
+    readonly lifted: boolean;
+    readonly lifted_at: string | null;
+    readonly lifted_by: string | null;
+    readonly frozen_status: FinancialExecutionStatus;
+}
+/** Validate and apply a dispute status transition. */
+declare function transitionDispute(current: DisputeStatus, next: DisputeStatus): {
+    success: boolean;
+    new_status: DisputeStatus | null;
+    error: string | null;
+};
+/** Validate and apply a reversal workflow stage transition. */
+declare function transitionReversal(current: ReversalStage, next: ReversalStage): {
+    success: boolean;
+    error: string | null;
+};
+/**
+ * Return true when a freeze is currently active (not lifted and not expired).
+ */
+declare function isFreezeActive(freeze: ActionFreeze, now?: Date): boolean;
+/**
+ * Compute remediation urgency based on dispute deadline.
+ * Returns 'overdue' when past deadline, 'urgent' within 24h, else 'normal'.
+ */
+declare function computeRemediationUrgency(_openedAt: string, deadline: string | null, now?: Date): "normal" | "urgent" | "overdue";
+
+/**
+ * Financial Control Dashboard — types for governance visualization.
+ *
+ * Covers approval concentration analysis, override analytics, budget drift,
+ * economic risk timelines, and liability visualization.
+ *
+ * These are pure data types; rendering is left to UI consumers.
+ *
+ * Wire-stable as `financial_dashboard.v1`.
+ */
+
+/** Top-level financial governance summary for a dashboard view. */
+interface FinancialGovernanceSummary {
+    readonly org_id: string;
+    readonly generated_at: string;
+    readonly window_days: number;
+    readonly current_risk_score: FinancialRiskScore;
+    readonly total_actions: number;
+    readonly total_value: number;
+    readonly override_count: number;
+    readonly emergency_bypass_count: number;
+    readonly active_dispute_count: number;
+    readonly pending_reversal_count: number;
+    readonly active_freeze_count: number;
+    readonly budget_warning_count: number;
+    readonly budget_critical_count: number;
+    readonly concentration_analysis: ApprovalConcentrationAnalysis;
+    readonly budget_drift: readonly BudgetaryDriftAnalysis[];
+    readonly misalignment_alerts: readonly MisalignmentAlert[];
+    readonly risk_timeline: readonly RiskTimelinePoint[];
+}
+/** A single point on the economic risk timeline. */
+interface RiskTimelinePoint {
+    readonly date: string;
+    readonly risk_score: number;
+    readonly risk_tier: FinancialRiskTier;
+    readonly action_count: number;
+    readonly total_value: number;
+    readonly override_count: number;
+    readonly anomaly_count: number;
+}
+/** Override analytics for operator review. */
+interface OverrideAnalytics {
+    readonly org_id: string;
+    readonly window_days: number;
+    readonly total_overrides: number;
+    readonly override_rate: number;
+    readonly overrides_by_actor: readonly ActorOverrideStat[];
+    readonly overrides_by_action_type: readonly ActionTypeOverrideStat[];
+    readonly override_value_total: number;
+    readonly repeat_override_actors: readonly string[];
+    readonly emergency_override_count: number;
+    readonly computed_at: string;
+}
+interface ActorOverrideStat {
+    readonly actor_id: string;
+    readonly actor_label: string;
+    readonly override_count: number;
+    readonly override_value_total: number;
+    readonly last_override_at: string;
+}
+interface ActionTypeOverrideStat {
+    readonly action_type: string;
+    readonly override_count: number;
+    readonly total_value: number;
+}
+/** Liability visualization data for graph/chart rendering. */
+interface LiabilityVisualization {
+    readonly execution_id: string;
+    readonly org_id: string;
+    readonly nodes: readonly LiabilityNode[];
+    readonly edges: readonly LiabilityEdge[];
+    readonly total_weight: number;
+}
+interface LiabilityNode {
+    readonly id: string;
+    readonly label: string;
+    readonly party_type: "human" | "agent" | "system";
+    readonly role: string;
+    readonly liability_weight: number;
+    readonly acted_at: string;
+}
+interface LiabilityEdge {
+    readonly from_id: string;
+    readonly to_id: string;
+    readonly relationship: "authorized" | "delegated_to" | "approved_for" | "supervised" | "overrode";
+    readonly weight: number;
+}
+/** Active disputes and reversals dashboard summary. */
+interface DisputeReversalSummary {
+    readonly org_id: string;
+    readonly active_disputes: readonly DisputeRecord[];
+    readonly pending_reversals: readonly ReversalWorkflow[];
+    readonly resolved_last_30d: number;
+    readonly average_resolution_days: number;
+    readonly overdue_disputes: readonly DisputeRecord[];
+    readonly total_disputed_value: number;
+    readonly total_reversed_value: number;
+    readonly generated_at: string;
+}
+/**
+ * Build a liability visualization graph from a liability chain.
+ */
+declare function buildLiabilityVisualization(executionId: string, orgId: string, chain: readonly LiabilityParty[]): LiabilityVisualization;
+/**
+ * Build a risk timeline from daily snapshot data.
+ */
+declare function buildRiskTimeline(snapshots: readonly {
+    date: string;
+    riskScore: number;
+    actionCount: number;
+    totalValue: number;
+    overrideCount: number;
+    anomalyCount: number;
+}[]): RiskTimelinePoint[];
+
+/**
+ * Enforcement-layer helpers for the canonical economic governance primitives.
+ *
+ * The canonical EGAS modules (`financialQuorum`, `liabilityAttribution`,
+ * `economicEvidence`, `budgetaryGovernance`, `autonomousFinancial`) are
+ * **advisory**: they produce structured decision objects but never block
+ * execution. This module converts "not permitted" advisory results into
+ * thrown {@link GovernanceEnforcementError} so callers cannot silently
+ * proceed when a governance gate refuses an action.
+ *
+ * Three gates, layered in this order at consumer call sites:
+ *
+ * ```ts
+ *   enforceFinancialQuorum(quorumResult);
+ *   enforceBudgetConstraint(budgetResult);
+ *   enforceAutonomousBounds(autonomousResult);
+ * ```
+ *
+ * Each helper is a no-op when its result is permitted; otherwise it throws
+ * with a stable {@link GovernanceEnforcementError.denyCode} matching a row
+ * in `docs/APPROVAL_DENY_REASONS.md`. The deny-code taxonomy is locked
+ * cross-language by the parity fixture at
+ * `compat/governance/fixtures/parity.json`.
+ */
+
+/** Which enforcement gate fired. */
+type GovernanceGate = "financial_quorum" | "budget" | "autonomous_bounds";
+/** Stable deny codes for the financial-quorum gate. */
+type FinancialQuorumDenyCode = "blocked_by_emergency_freeze" | "base_count_unmet" | "amount_threshold_unmet" | "financial_role_unmet" | "regulator_approval_missing";
+/** Stable deny codes for the budget gate. */
+type BudgetDenyCode = "limit_exceeded" | "single_transaction_exceeds" | "daily_aggregate_exceeds" | "monthly_aggregate_exceeds" | "anonymous_agent_blocked" | "period_expired";
+/** Stable deny codes for the autonomous-bounds gate. */
+type AutonomousBoundsDenyCode = "inactive" | "expired" | "action_type_not_permitted" | "execution_ceiling_exceeded" | "daily_aggregate_exceeded" | "risk_tier_exceeded";
+/** Initialization options for {@link GovernanceEnforcementError}. */
+interface GovernanceEnforcementErrorInit {
+    gate: GovernanceGate;
+    denyCode: string;
+    reason: string;
+    details: unknown;
+    requestId?: string;
+}
+/**
+ * Thrown when an EGAS advisory result fails an enforcement gate.
+ *
+ * Extends {@link AtlaSentError} so `instanceof AtlaSentError` catches
+ * these too. Use `instanceof GovernanceEnforcementError` to distinguish
+ * a governance refusal from a transport / config error.
+ */
+declare class GovernanceEnforcementError extends AtlaSentError {
+    name: string;
+    /** Which gate fired (`financial_quorum` / `budget` / `autonomous_bounds`). */
+    readonly gate: GovernanceGate;
+    /** Stable taxonomy code; maps to a row in `docs/APPROVAL_DENY_REASONS.md`. */
+    readonly denyCode: string;
+    /** Human-readable explanation. Do NOT branch on this string — branch on `denyCode`. */
+    readonly reason: string;
+    /** The structured advisory result that produced the denial. */
+    readonly details: unknown;
+    constructor(init: GovernanceEnforcementErrorInit);
+    /** Combined `<gate>/<denyCode>` string used in audit records. */
+    get fullyQualifiedCode(): string;
+}
+/**
+ * Throw {@link GovernanceEnforcementError} when a quorum result fails.
+ * Returns silently when `result.passed` is true.
+ */
+declare function enforceFinancialQuorum(result: FinancialQuorumResult): void;
+/**
+ * Throw {@link GovernanceEnforcementError} on a budget hard block.
+ *
+ * Returns silently when `result.permitted` is true (no hard blocks; soft
+ * warnings do not cause enforcement to fire).
+ */
+declare function enforceBudgetConstraint(result: BudgetConstraintCheckResult): void;
+/**
+ * Throw {@link GovernanceEnforcementError} when autonomous bounds fail.
+ * Returns silently when `result.permitted` is true.
+ */
+declare function enforceAutonomousBounds(result: AutonomousExecutionCheckResult): void;
+/**
+ * Convenience: layer all three gates in canonical order.
+ *
+ * Order: quorum (who approved) → budget (does it fit policy spend) →
+ * autonomous_bounds (is the agent allowed to do this autonomously). The
+ * first failing gate throws; subsequent gates are not evaluated.
+ *
+ * Pass `undefined` for gates that don't apply (e.g. omit `autonomous` for
+ * human-initiated actions).
+ */
+declare function enforceEconomicGovernance(params: {
+    quorum?: FinancialQuorumResult;
+    budget?: BudgetConstraintCheckResult;
+    autonomous?: AutonomousExecutionCheckResult;
+}): void;
+
+/**
+ * Governance and enforcement webhook types — wire shapes for
+ * `v1-governance-webhooks` and `v1-enforcement-webhooks`.
+ *
+ * Covers subscription management, signed delivery callbacks, and
+ * delivery receipt records. Use `verifyWebhookSignature` in your
+ * receiver to authenticate payloads.
+ */
+type GovernanceWebhookEvent = "enforcement.blocked" | "policy.violation" | "access_review.completed" | "mfa.enrollment_required" | "contract.activated" | "replay.drift_detected";
+type EnforcementWebhookEvent = "enforcement.blocked" | "enforcement.pending_approval" | "enforcement.approved" | "enforcement.expired";
+type WebhookDeliveryStatus = "pending" | "delivered" | "failed";
+interface WebhookSubscription {
+    id: string;
+    org_id: string;
+    url: string;
+    events: string[];
+    enabled: boolean;
+    description: string | null;
+    created_at: string;
+}
+interface WebhookDelivery {
+    id: string;
+    subscription_id: string;
+    event_type: string;
+    payload: Record<string, unknown>;
+    status: WebhookDeliveryStatus;
+    response_status: number | null;
+    response_body: string | null;
+    attempted_at: string;
+}
+interface CreateWebhookSubscriptionRequest {
+    url: string;
+    events: string[];
+    enabled?: boolean;
+    description?: string;
+}
+interface ListWebhookSubscriptionsResponse {
+    subscriptions: WebhookSubscription[];
+    /** For governance webhooks, the server returns supported event names. */
+    valid_events?: string[];
+}
+interface ListWebhookDeliveriesResponse {
+    deliveries: WebhookDelivery[];
+}
+/**
+ * Signed webhook payload delivered to subscriber endpoints.
+ *
+ * AtlaSent sets two headers on every delivery:
+ * - `X-AtlaSent-Signature: sha256=<hex>` — HMAC-SHA256 of the raw body
+ * - `X-AtlaSent-Event: <event_type>`
+ *
+ * Verify with `verifyWebhookSignature` before processing.
+ */
+interface WebhookPayload<T = Record<string, unknown>> {
+    id: string;
+    org_id: string;
+    event_type: string;
+    source_id: string | null;
+    data: T;
+    created_at: string;
+}
+/**
+ * Verify a webhook delivery signature using the subscription secret.
+ *
+ * Performs a constant-time HMAC-SHA256 comparison so timing attacks
+ * cannot reveal secret length. Requires `globalThis.crypto.subtle`
+ * (Node 20+, all modern browsers, Deno, Cloudflare Workers).
+ *
+ * @param payload   Raw UTF-8 request body string.
+ * @param signature Value of the `X-AtlaSent-Signature` header.
+ * @param secret    Webhook subscription secret from the AtlaSent console.
+ * @returns `true` when the signature is valid.
+ *
+ * @example
+ * ```ts
+ * import { verifyWebhookSignature } from "@atlasent/sdk";
+ *
+ * app.post("/webhook", async (req, res) => {
+ *   const ok = await verifyWebhookSignature(
+ *     req.rawBody,
+ *     req.headers["x-atlasent-signature"],
+ *     process.env.WEBHOOK_SECRET!,
+ *   );
+ *   if (!ok) return res.status(401).send("invalid signature");
+ *   // process req.body …
+ * });
+ * ```
+ */
+declare function verifyWebhookSignature(payload: string, signature: string, secret: string): Promise<boolean>;
+
+/**
+ * Compliance evidence types — wire shapes for `v1-compliance-evidence`.
+ *
+ * Supports on-demand SOC 2 Type II control evidence collection. The
+ * same run shape is used for ISO 27001, GDPR, and HIPAA; control IDs
+ * differ per framework.
+ */
+type ComplianceFramework = "soc2" | "iso27001" | "gdpr" | "hipaa";
+type EvidenceControlStatus = "pass" | "gap" | "finding";
+type ComplianceRunStatus = "pending" | "running" | "completed" | "failed";
+/**
+ * A single evaluated control within an evidence run.
+ * `evidence` is a free-form object whose keys are framework-specific
+ * metric names (e.g. `mfa_enforced_policies`, `audit_events_last_30d`).
+ */
+interface EvidenceControl {
+    control_id: string;
+    title: string;
+    status: EvidenceControlStatus;
+    evidence: Record<string, unknown>;
+}
+interface ComplianceEvidenceSummary {
+    total: number;
+    pass: number;
+    gap: number;
+    finding: number;
+}
+interface ComplianceEvidenceRun {
+    id: string;
+    org_id: string;
+    framework: ComplianceFramework;
+    period_start: string;
+    period_end: string;
+    status: ComplianceRunStatus;
+    controls: EvidenceControl[];
+    summary: ComplianceEvidenceSummary | null;
+    applied_by: string | null;
+    created_at: string;
+}
+interface TriggerEvidenceRunRequest {
+    framework: ComplianceFramework;
+    /** ISO 8601 date string; defaults to 30 days ago on the server. */
+    period_start?: string;
+    /** ISO 8601 date string; defaults to now on the server. */
+    period_end?: string;
+}
+interface TriggerEvidenceRunResponse {
+    run: ComplianceEvidenceRun;
+}
+interface ListEvidenceRunsResponse {
+    runs: ComplianceEvidenceRun[];
 }
-
 /**
- * Public types for the AtlaSent TypeScript SDK.
+ * SOC 2 control IDs evaluated by `v1-compliance-evidence`.
  *
- * These shapes are deliberately minimal and 1:1 with the AtlaSent
- * authorization API. Request / response fields are camelCase on the
- * SDK side; the client handles snake_case translation on the wire.
+ * | ID     | Area |
+ * |--------|------|
+ * | CC6.1  | MFA enforcement |
+ * | CC6.3  | Periodic access reviews |
+ * | CC7.2  | Audit trail completeness |
+ * | CC8.1  | Change management / HITL |
+ * | CC3.2  | Policy violations |
+ */
+type SOC2ControlId = "CC6.1" | "CC6.3" | "CC7.2" | "CC8.1" | "CC3.2";
+/**
+ * Returns `true` when every control in the run has `pass` or `gap`
+ * status (no `finding`). A `gap` means a control is partially met;
+ * a `finding` is a blocking deficiency that requires remediation.
+ */
+declare function evidenceRunPasses(run: ComplianceEvidenceRun): boolean;
+/**
+ * Returns controls that do not have `pass` status, sorted so
+ * `finding` controls appear before `gap` controls.
  */
+declare function nonPassingControls(run: ComplianceEvidenceRun): EvidenceControl[];
 
-/** The two possible policy decisions. */
-type Decision = "ALLOW" | "DENY";
 /**
- * Rate-limit state parsed from the server's `X-RateLimit-*` headers.
+ * Policy-as-code GitOps sync types — wire shapes for `v1-policy-sync`.
+ *
+ * Supports a dry-run diff preview / apply workflow for pushing policy
+ * bundles from CI/CD pipelines or the AtlaSent console.
  *
- * Present on every authenticated response (success and 429) when the
- * server emits the headers. `null` when the server doesn't — older
- * deployments, or internal endpoints that skip per-key rate limiting.
+ * Typical flow:
+ * 1. POST `{ policies, dry_run: true }` → receive `run` with `diff`
+ * 2. Review diff, then POST `/{run.id}/apply` to execute
  *
- * Clients should check `remaining` and sleep until `resetAt` to
- * preemptively back off before hitting a 429.
+ * Or POST `{ policies, dry_run: false }` for an immediate apply.
  */
-interface RateLimitState {
-    /** Value of `X-RateLimit-Limit` — the per-minute budget. */
-    limit: number;
-    /** Value of `X-RateLimit-Remaining` — unused budget in the current window. */
-    remaining: number;
-    /**
-     * Parsed `X-RateLimit-Reset` — the UTC instant when the current
-     * window's counter zeroes. Accepts either a unix-seconds integer or
-     * an ISO 8601 string on the wire.
-     */
-    resetAt: Date;
+type PolicySyncStatus = "pending" | "validating" | "applying" | "completed" | "failed" | "rejected";
+interface PolicyRef {
+    name: string;
+    /** SHA-256 hex of the policy body. */
+    body_hash?: string;
 }
-/** Input to {@link AtlaSentClient.evaluate}. */
-interface EvaluateRequest {
-    /** Identifier of the calling agent (e.g. "clinical-data-agent"). */
-    agent: string;
-    /** The action being authorized (e.g. "modify_patient_record"). */
-    action: string;
-    /** Arbitrary policy context (user, environment, resource IDs). */
-    context?: Record<string, unknown>;
+interface PolicySyncDiff {
+    added: PolicyRef[];
+    updated: PolicyRef[];
+    removed: PolicyRef[];
 }
-/** Result of {@link AtlaSentClient.evaluate}. */
-interface EvaluateResponse {
-    /** "ALLOW" or "DENY". A "DENY" is not thrown — branch on this field. */
-    decision: Decision;
-    /** Opaque permit identifier, passed to {@link AtlaSentClient.verifyPermit}. */
-    permitId: string;
-    /** Human-readable explanation from the policy engine. */
-    reason: string;
-    /** Hash-chained audit-trail entry (21 CFR Part 11 / GxP-ready). */
-    auditHash: string;
-    /** ISO 8601 timestamp of the decision. */
-    timestamp: string;
-    /**
-     * Per-key rate-limit state for this request's response, parsed from
-     * `X-RateLimit-*` headers. `null` when the server didn't emit them.
-     */
-    rateLimit: RateLimitState | null;
+interface PolicySyncRun {
+    id: string;
+    org_id: string;
+    /** Identifies the caller: `"console"`, `"github-actions"`, etc. */
+    source: string;
+    commit_sha: string | null;
+    ref: string | null;
+    bundle_hash: string | null;
+    status: PolicySyncStatus;
+    policies_added: number;
+    policies_updated: number;
+    policies_removed: number;
+    /** Populated on dry-run; null after apply. */
+    diff: PolicySyncDiff | null;
+    applied_by: string | null;
+    created_at: string;
 }
-/** Input to {@link AtlaSentClient.verifyPermit}. */
-interface VerifyPermitRequest {
-    /** The permit ID returned by a prior evaluate() call. */
-    permitId: string;
-    /** Optional: re-state the action for cross-check with the server. */
-    action?: string;
-    /** Optional: re-state the agent for cross-check with the server. */
-    agent?: string;
-    /** Optional: re-state the context for cross-check with the server. */
-    context?: Record<string, unknown>;
+interface PolicyBundleEntry {
+    name: string;
+    /** Policy body — OPA Rego, JSON schema, or custom DSL depending on config. */
+    body: string;
+    description?: string;
+    tags?: string[];
 }
-/** Result of {@link AtlaSentClient.verifyPermit}. */
-interface VerifyPermitResponse {
-    /** `true` when the permit is valid and un-revoked. */
-    verified: boolean;
-    /** Verification outcome string from the server. */
-    outcome: string;
-    /** Verification hash bound to the permit. */
-    permitHash: string;
-    /** ISO 8601 timestamp of the verification. */
-    timestamp: string;
+interface SubmitPolicySyncRequest {
+    policies: PolicyBundleEntry[];
+    /** Identifies the caller (e.g. `"github-actions"`, `"console"`). */
+    source?: string;
+    commit_sha?: string;
+    ref?: string;
     /**
-     * Per-key rate-limit state for this request's response, parsed from
-     * `X-RateLimit-*` headers. `null` when the server didn't emit them.
+     * When `true` (default), computes the diff without applying changes.
+     * The returned run will have `status: "pending"` and a populated `diff`.
+     * POST to `/{run.id}/apply` to execute.
      */
-    rateLimit: RateLimitState | null;
+    dry_run?: boolean;
 }
-/**
- * Result of {@link AtlaSentClient.keySelf} — self-introspection of the API
- * key the client was constructed with. Returned by `GET /v1/api-key-self`.
- *
- * Never includes the raw key or its hash — introspection is intentionally
- * read-only and safe to surface in operator dashboards. Useful for:
- *   - "which key am I?" debugging
- *   - IP_NOT_ALLOWED failures — `clientIp` is the IP the server observed
- *   - proactive expiry warnings — `expiresAt` is the server-stored expiry
- *     (`null` means the key does not auto-expire)
- *   - verifying scopes before attempting a scope-gated action
- */
-interface ApiKeySelfResponse {
-    /** Server-side UUID of the api_keys row for this key. */
-    keyId: string;
-    /** Organization the key belongs to. */
-    organizationId: string;
-    /** "live" or "test" (or any future environment label the server introduces). */
-    environment: string;
-    /** Granted scopes — e.g. ["evaluate", "audit.read"]. */
-    scopes: string[];
-    /**
-     * Per-key IP allowlist as CIDR strings (e.g. ["10.0.0.0/8"]). `null`
-     * when the key is unrestricted.
-     */
-    allowedCidrs: string[] | null;
-    /** Server-enforced per-minute rate limit for this key. */
-    rateLimitPerMinute: number;
-    /** Client IP as the server observed it (first hop of X-Forwarded-For). */
-    clientIp: string | null;
-    /** Server-stored expiry; `null` means the key does not auto-expire. */
-    expiresAt: string | null;
-    /**
-     * Per-key rate-limit state for this request's response, parsed from
-     * `X-RateLimit-*` headers. `null` when the server didn't emit them.
-     */
-    rateLimit: RateLimitState | null;
+interface SubmitPolicySyncResponse {
+    run: PolicySyncRun;
 }
-/**
- * Result of {@link AtlaSentClient.listAuditEvents}. Extends the raw
- * wire page with a camelCase `rateLimit` alongside the snake_case
- * wire fields — the wire shape (`events`, `total`, `next_cursor`) is
- * untouched so callers that pass it to the offline verifier get
- * byte-identical behaviour.
- */
-interface AuditEventsResult extends AuditEventsPage {
-    /**
-     * Per-key rate-limit state for this request's response, parsed from
-     * `X-RateLimit-*` headers. `null` when the server didn't emit them.
-     */
-    rateLimit: RateLimitState | null;
+interface ListPolicySyncRunsResponse {
+    runs: PolicySyncRun[];
+}
+interface ApplyPolicySyncResponse {
+    run: PolicySyncRun;
 }
 /**
- * Filter accepted by {@link AtlaSentClient.createAuditExport}. Fields
- * are snake_case to match the server's `POST /v1-audit/exports`
- * request body; an empty object requests a full-org bundle.
+ * Returns a human-readable one-line diff summary suitable for CI logs.
+ *
+ * @example
+ * formatPolicySyncDiff(run) // "+3 added, ~1 updated, -2 removed"
+ * formatPolicySyncDiff(run) // "no changes"
  */
-interface AuditExportRequest {
-    /** Comma-joined list of event types to include (e.g. `"evaluate.allow,policy.updated"`). */
-    types?: string;
-    /** Filter to a single actor. */
-    actor_id?: string;
-    /** Inclusive lower bound on `occurred_at` (ISO 8601). */
-    from?: string;
-    /** Inclusive upper bound on `occurred_at` (ISO 8601). */
-    to?: string;
-}
+declare function formatPolicySyncDiff(run: Pick<PolicySyncRun, "policies_added" | "policies_updated" | "policies_removed">): string;
 /**
- * Result of {@link AtlaSentClient.createAuditExport}. Extends the
- * signed bundle shape with a camelCase `rateLimit`. The signed
- * envelope fields (`export_id`, `org_id`, `chain_head_hash`,
- * `event_count`, `signed_at`, `events`, `signature`) are preserved
- * byte-for-byte so the object can be handed straight to
- * `verifyAuditBundle(bundle, keys)`.
+ * Returns `true` when a sync run is in a terminal state
+ * (completed, failed, or rejected) and no further transitions are expected.
  */
-interface AuditExportResult extends AuditExport {
-    /**
-     * Per-key rate-limit state for this request's response, parsed from
-     * `X-RateLimit-*` headers. `null` when the server didn't emit them.
-     */
-    rateLimit: RateLimitState | null;
-}
-/** Constructor options for {@link AtlaSentClient}. */
-interface AtlaSentClientOptions {
-    /** Required. Your AtlaSent API key. */
-    apiKey: string;
-    /** API base URL. Defaults to "https://api.atlasent.io". */
-    baseUrl?: string;
-    /** Per-request timeout in milliseconds. Defaults to 10_000. */
-    timeoutMs?: number;
-    /**
-     * Inject a fetch implementation (primarily for testing).
-     * Defaults to `globalThis.fetch`.
-     */
-    fetch?: typeof fetch;
-}
+declare function isPolicySyncTerminal(run: PolicySyncRun): boolean;
 
 /**
- * AtlaSent HTTP client.
+ * Webhook signature verification for AtlaSent.
  *
- * Two public methods, both backed by native `fetch`:
- *   - {@link AtlaSentClient.evaluate}     → POST {baseUrl}/v1-evaluate
- *   - {@link AtlaSentClient.verifyPermit} → POST {baseUrl}/v1-verify-permit
+ * AtlaSent signs webhook payloads with HMAC-SHA256 using your webhook secret.
+ * The signature is sent in the `X-AtlaSent-Signature` header as `sha256=<hex>`.
  *
- * Fail-closed: a clean policy DENY is returned (not thrown), but
- * network, timeout, bad response, 4xx/5xx, and rate-limit conditions
- * all throw {@link AtlaSentError}.
+ * Usage:
+ * ```ts
+ * import { verifyWebhook, assertWebhook, WebhookVerificationError } from "@atlasent/sdk";
+ *
+ * // Returns true/false — good for middleware that needs to continue on failure
+ * const valid = verifyWebhook(rawBody, req.headers["x-atlasent-signature"], secret);
+ *
+ * // Throws WebhookVerificationError on failure — good for middleware that throws
+ * assertWebhook(rawBody, req.headers["x-atlasent-signature"], secret);
+ * ```
  */
-
-declare class AtlaSentClient {
-    private readonly apiKey;
-    private readonly baseUrl;
-    private readonly timeoutMs;
-    private readonly fetchImpl;
-    constructor(options: AtlaSentClientOptions);
-    /**
-     * Ask the policy engine whether an agent action is permitted.
-     *
-     * A "DENY" is **not** thrown — it is returned in
-     * `response.decision`. Network errors, invalid API key, rate
-     * limits, timeouts, and malformed responses throw
-     * {@link AtlaSentError}.
-     */
-    evaluate(input: EvaluateRequest): Promise<EvaluateResponse>;
-    /**
-     * Verify that a previously issued permit is still valid.
-     *
-     * A `verified: false` response is **not** thrown — inspect the
-     * returned object. Only transport / server errors throw.
-     */
-    verifyPermit(input: VerifyPermitRequest): Promise<VerifyPermitResponse>;
-    /**
-     * Self-introspection: ask the server to describe the API key this
-     * client was constructed with. Returns the key's ID, organization,
-     * environment, scopes, IP allowlist, per-minute rate limit, the
-     * client IP the server observed, and the expiry (if any).
-     *
-     * Never includes the raw key or its hash. Safe to surface in operator
-     * dashboards. Useful for `IP_NOT_ALLOWED` debugging (the server tells
-     * you exactly which IP it saw) and for proactive expiry warnings.
-     *
-     * Throws {@link AtlaSentError} on transport / auth failures — same
-     * taxonomy as {@link AtlaSentClient.evaluate}.
-     */
-    keySelf(): Promise<ApiKeySelfResponse>;
-    /**
-     * List persisted audit events for the authenticated organization
-     * (`GET /v1-audit/events`). Returned rows are wire-identical with
-     * the server: snake_case field names, including `previous_hash` and
-     * the `hash` chain, so the response can be fed straight into the
-     * offline verifier when paired with a signed export.
-     *
-     * `query.types` is a comma-joined list (e.g.
-     * `"evaluate.allow,policy.updated"`). `cursor` is the opaque
-     * `next_cursor` from the prior page. All fields are optional; the
-     * server defaults `limit` to 50 (capped at 500).
-     *
-     * Throws {@link AtlaSentError} on transport / auth failures — same
-     * taxonomy as {@link AtlaSentClient.evaluate}.
-     */
-    listAuditEvents(query?: AuditEventsQuery): Promise<AuditEventsResult>;
-    /**
-     * Request a signed audit export bundle
-     * (`POST /v1-audit/exports`). The returned object is wire-identical
-     * with the server — `signature`, `chain_head_hash`, `events`, and
-     * friends survive untouched so the bundle can be persisted to disk
-     * and handed to the offline verifier (`verifyBundle` /
-     * `verifyAuditBundle`) without any reshaping.
-     *
-     * Pass `filter.types`, `filter.from`, `filter.to`, or `filter.actor_id`
-     * to narrow the export; omit for a full-org bundle. `rateLimit` is
-     * attached alongside the wire fields for observability.
-     *
-     * Throws {@link AtlaSentError} on transport / auth failures — same
-     * taxonomy as {@link AtlaSentClient.evaluate}.
-     */
-    createAuditExport(filter?: AuditExportRequest): Promise<AuditExportResult>;
-    private post;
-    private get;
-    private request;
-}
-
-/** Node's webcrypto CryptoKey — kept local so the module doesn't depend on DOM types. */
-type WebCryptoKey = webcrypto.CryptoKey;
-/** Public key candidate the verifier will try, tagged with its registry id. */
-interface VerifyKey {
-    keyId: string;
-    publicKey: WebCryptoKey;
-}
-interface BundleVerificationResult {
-    /**
-     * AND of three checks: adjacency (each event's `previous_hash`
-     * equals the prior event's `hash`), per-event hash recomputation
-     * from the canonical payload, and `chain_head_hash` matching the
-     * last event's stored hash.
-     */
-    chainIntegrityOk: boolean;
-    /** Ed25519 signature verified against one of the supplied public keys. */
-    signatureValid: boolean;
-    /** `chain_head_hash` equals the last event's stored `hash`. */
-    headHashMatches: boolean;
-    /** Event ids whose recomputed hash != stored hash. */
-    tamperedEventIds: string[];
-    /** Which registry key id matched, when `signatureValid` is true. */
-    matchedKeyId?: string | undefined;
-    /** Non-fatal explanation when a flag is false. */
-    reason?: string | undefined;
-    /** Convenience: `chainIntegrityOk && signatureValid`. */
-    verified: boolean;
-}
-/** Parsed bundle shape the verifier consumes. Fields beyond these are ignored. */
-interface AuditBundle {
-    export_id?: unknown;
-    org_id?: unknown;
-    chain_head_hash?: unknown;
-    event_count?: unknown;
-    signed_at?: unknown;
-    events?: unknown;
-    signature?: unknown;
-    signing_key_id?: unknown;
-    [k: string]: unknown;
-}
-interface VerifyBundleOptions {
-    /** SPKI-PEM strings (one per key in the active trust set). */
-    publicKeysPem?: readonly string[];
-    /** Already-imported keys, paired with registry ids (rotation hint). */
-    keys?: readonly VerifyKey[];
-}
 /**
- * Reproduces `_shared/rules.ts::canonicalJSON` byte-for-byte:
- *   - object keys sorted at every depth
- *   - no whitespace
- *   - `null`, `undefined`, `NaN`, `±Infinity` all render as `"null"`
- *   - strings use standard `JSON.stringify` escapes
+ * Thrown by {@link assertWebhook} when the signature is missing,
+ * malformed, or does not match the payload.
  */
-declare function canonicalJSON(value: unknown): string;
+declare class WebhookVerificationError extends Error {
+    name: string;
+    constructor(message: string);
+}
 /**
- * Recreate the exact bytes `handleExport` signed. Key order is
- * load-bearing — must match the object literal in
- * `v1-audit/index.ts::handleExport`. V8 preserves insertion order, so
- * the literal below is byte-identical with what the backend signs.
+ * Verifies an AtlaSent webhook payload signature.
+ *
+ * AtlaSent signs webhook payloads with HMAC-SHA256 using your webhook secret.
+ * The signature is sent in the `X-AtlaSent-Signature` header as `"sha256=<hex>"`.
+ *
+ * @param payload   - Raw request body as a string (do **not** parse before verifying)
+ * @param signature - Value of the `X-AtlaSent-Signature` header
+ * @param secret    - Your webhook signing secret
+ * @returns `true` if the signature is valid, `false` otherwise
+ *
+ * @remarks
+ * Returns `false` (does not throw) for malformed or missing signatures.
+ * Use {@link assertWebhook} if you prefer exception-based control flow.
  */
-declare function signedBytesFor(bundle: AuditBundle): Uint8Array<ArrayBuffer>;
-declare function verifyAuditBundle(bundle: AuditBundle, keys: readonly VerifyKey[]): Promise<BundleVerificationResult>;
+declare function verifyWebhook(payload: string, signature: string, secret: string): Promise<boolean>;
 /**
- * Load a bundle from disk (or a parsed object) and verify it.
+ * Same as {@link verifyWebhook} but throws {@link WebhookVerificationError}
+ * on failure instead of returning `false`. Useful in middleware where
+ * throwing is cleaner than inspecting a boolean return value.
  *
- * `publicKeysPem` is the active SPKI-PEM set from
- * `GET /v1-signing-keys`. When omitted, the chain check still runs
- * but `signatureValid` will be false with an explanatory `reason` —
- * callers that want a complete offline check MUST supply the trust
- * set.
+ * @param payload   - Raw request body as a string (do **not** parse before verifying)
+ * @param signature - Value of the `X-AtlaSent-Signature` header
+ * @param secret    - Your webhook signing secret
+ * @throws {@link WebhookVerificationError} if the signature is invalid or malformed
  */
-declare function verifyBundle(pathOrBundle: string | AuditBundle, options?: VerifyBundleOptions): Promise<BundleVerificationResult>;
+declare function assertWebhook(payload: string, signature: string, secret: string): Promise<void>;
 
 /**
- * Retry-policy helpers for the AtlaSent TypeScript SDK.
+ * V2 Wave-A endpoints (V2-D3, V2-D4, V2-D8) — additive on top of v1.
  *
- * This module is **pure**: no I/O, no network, no globals beyond
- * `Math.random`. The intent is that {@link AtlaSentClient} (and any
- * caller wrapping `protect()` / `evaluate()`) can ask
- * {@link isRetryable} whether to retry a given {@link AtlaSentError},
- * then ask {@link computeBackoffMs} how long to sleep before the next
- * attempt.
+ * Three additional methods on top of the v1 {@link AtlaSentClient}
+ * surface that target the new wire endpoints landed in `atlasent-api`
+ * PRs #742 (batch), #745 (stream), and #746 (graphql).
  *
- * Wire-up into the client itself is intentionally deferred — see
- * ROADMAP item #7 (Post-GA). Sentry breadcrumb emission is also
- * deferred; both will land together once a transport-level retry
- * loop is wired into `client.ts`.
+ * The v1 substrate is frozen (post-GA 2026-05-17) — this module is
+ * purely additive. Existing 1.x methods (`protect`, `requirePermit`,
+ * `evaluate`, …) are untouched.
  *
- * Retry classification (matches the server's documented contract):
- *   - `network` / `timeout`        → retry (transient transport)
- *   - `server_error` (HTTP 5xx)    → retry
- *   - `rate_limited` (HTTP 429)    → retry, honour `retryAfterMs`
- *   - `bad_response`               → retry (likely truncated body)
- *   - `invalid_api_key`/`forbidden`/`bad_request` → never retry
+ * ## Closed-by-default discipline
+ *
+ * Each tenant gates the new endpoints behind `v2_batch`,
+ * `v2_streaming`, and `v2_graphql` flags. When the flag is off the
+ * API returns HTTP 404, surfaced here as {@link FeatureNotEnabledError}
+ * so callers can deterministically fall back (typically to a per-item
+ * `/v1-evaluate` loop). The SDK never silently falls back — that would
+ * change billing and audit semantics.
+ */
+
+declare const V2_BATCH_PATH = "/v1/evaluate/batch";
+declare const V2_STREAM_PATH = "/v1/evaluate/stream";
+declare const V2_GRAPHQL_PATH = "/v1/graphql";
+/** Maximum items per batch (mirrors the server-side cap, V2-D3). */
+declare const V2_MAX_BATCH_ITEMS = 100;
+/** Maximum request body size (mirrors the server-side 1MB cap). */
+declare const V2_MAX_BODY_BYTES = 1000000;
+/** GraphQL document depth cap (V2-D2). */
+declare const V2_GRAPHQL_MAX_DEPTH = 8;
+/**
+ * Identifier of the tenant flag gating a V2 endpoint.
+ */
+type V2Feature = "batch" | "streaming" | "graphql";
+/**
+ * Initialization options for {@link FeatureNotEnabledError}.
+ */
+interface FeatureNotEnabledErrorInit {
+    feature: V2Feature;
+    endpoint: string;
+    requestId?: string;
+}
+/**
+ * Thrown when a V2 endpoint returns 404 because the tenant feature
+ * flag is off.
  *
- * Backoff: capped exponential with full jitter.
- *   delay = min(maxDelayMs, baseDelayMs * 2^attempt) * random[0, 1)
+ * The three V2 endpoints (`/v1/evaluate/batch`, `/v1/evaluate/stream`,
+ * `/v1/graphql`) are close-by-default per tenant. When the
+ * corresponding flag is unset, the API returns HTTP 404; the SDK
+ * surfaces that as this distinct error so the caller can
+ * deterministically fall back to the v1 per-item loop.
  *
- * "Full jitter" is the AWS-recommended scheme — see
- * https://aws.amazon.com/blogs/architecture/exponential-backoff-and-jitter/.
- * It avoids thundering-herd retries from many SDK instances that hit
- * a 429 in the same window.
+ * Subclass of {@link AtlaSentError} so `instanceof AtlaSentError`
+ * catches it alongside the SDK's other typed errors.
  */
-/** Defaults for {@link RetryPolicy}. Conservative — three retries, ~7s ceiling. */
-declare const DEFAULT_RETRY_POLICY: Required<RetryPolicy>;
+declare class FeatureNotEnabledError extends AtlaSentError {
+    name: string;
+    /** Which tenant flag is gating the endpoint. */
+    readonly feature: V2Feature;
+    /** The wire path the SDK attempted (for diagnostics). */
+    readonly endpoint: string;
+    constructor(init: FeatureNotEnabledErrorInit);
+}
 /**
- * Caller-tunable retry policy. All fields optional; missing fields
- * fall back to {@link DEFAULT_RETRY_POLICY}.
+ * One element of an {@link EvaluateBatchResponse.items} list.
+ *
+ * Preserves input order — `items[i]` corresponds to `request.items[i]`.
+ * On a per-item RPC failure the server returns `decision: undefined`
+ * and populates `errorCode` / `errorMessage` instead.
  */
-interface RetryPolicy {
-    /**
-     * Total attempts including the first try. `1` disables retries
-     * entirely. Must be `>= 1`; values below are clamped to `1`.
-     */
-    maxAttempts?: number;
-    /**
-     * Initial backoff for `attempt = 0`. Doubles per attempt up to
-     * `maxDelayMs`. Must be `>= 0`.
-     */
-    baseDelayMs?: number;
-    /**
-     * Hard ceiling on the per-attempt sleep, applied **before** jitter.
-     * The actual sleep is uniformly distributed in `[0, ceiling]`.
-     */
-    maxDelayMs?: number;
+interface EvaluateBatchItem {
+    index: number;
+    decision?: string;
+    decisionId?: string;
+    permitToken?: string;
+    reason?: string;
+    errorCode?: string;
+    errorMessage?: string;
+}
+/** Response shape for `POST /v1/evaluate/batch`. */
+interface EvaluateBatchResponse {
+    batchId: string;
+    items: ReadonlyArray<EvaluateBatchItem>;
+    partial: boolean;
+}
+/** Request payload for {@link evaluateMany} and {@link authorizeStream}. */
+interface EvaluateManyRequest {
+    items: ReadonlyArray<Record<string, unknown>>;
+    batchId?: string;
+}
+/** `event: decision` frame surfaced via the `onDecision` callback. */
+interface StreamDecisionFrame {
+    index: number;
+    decision: string;
+    decisionId?: string;
+    permitToken?: string;
+    reason?: string;
+}
+/** `event: error` frame surfaced via the `onError` callback. */
+interface StreamErrorFrame {
+    index: number;
+    errorCode: string;
+    message: string;
+}
+/** Terminal `event: complete` payload returned by {@link authorizeStream}. */
+interface StreamComplete {
+    batchId: string;
+    count: number;
+    partial: boolean;
+}
+/** GraphQL request body. */
+interface GraphQLRequest {
+    query: string;
+    variables?: Record<string, unknown>;
+    operationName?: string;
+}
+/**
+ * GraphQL response. Resolver errors land on `errors`; the SDK does
+ * not throw on them — the caller branches.
+ */
+interface GraphQLResponse<T = unknown> {
+    data: T | null;
+    errors?: ReadonlyArray<Record<string, unknown>>;
 }
 /**
- * Decide whether `err` is worth a retry. Anything that isn't an
- * {@link AtlaSentError} is treated as non-retryable — the SDK's
- * transport layer always wraps fetch failures in `AtlaSentError`,
- * so a non-AtlaSent throwable is by definition a programmer bug
- * (a bad input, an assertion in user code) and should propagate.
+ * The minimal subset of an {@link AtlaSentClient}-like object this
+ * module needs: a `fetch`-compatible HTTP function and a base URL.
+ *
+ * Passed explicitly so the v2 module never reaches into v1 internals
+ * (and so callers can plug in a custom fetch for testing / edge
+ * runtimes / Node fetch wrappers).
  */
-declare function isRetryable(err: unknown): boolean;
+interface V2Transport {
+    /** Base URL (no trailing slash), e.g. `https://api.atlasent.io`. */
+    baseUrl: string;
+    /** Bearer API key (without the `Bearer ` prefix). */
+    apiKey: string;
+    /** A `fetch`-like function. Defaults to global `fetch` if omitted. */
+    fetch?: typeof fetch;
+}
 /**
- * Compute how long to sleep before retry attempt `attempt`
- * (zero-indexed: `attempt = 0` is the first retry, i.e. the second
- * total request). Uses capped exponential backoff with full jitter.
+ * `POST /v1/evaluate/batch` — V2-D3.
  *
- * When `err` carries a `retryAfterMs` (server-provided `Retry-After`
- * header), the result is `max(retryAfterMs, jitteredDelay)` — the
- * server's hint is treated as a floor so we never retry sooner than
- * the server asked.
+ * One round-trip for up to {@link V2_MAX_BATCH_ITEMS} evaluate items.
+ * Items are returned in input order — `response.items[i].index === i`.
  *
- * @param attempt    Zero-indexed retry attempt (0, 1, 2, ...).
- * @param policy     Optional override of {@link DEFAULT_RETRY_POLICY}.
- * @param err        Optional error whose `retryAfterMs` is honoured.
- * @param random     Injectable RNG, defaults to `Math.random`. Must
- *                   return values in `[0, 1)` to preserve the
- *                   distribution.
+ * @throws {FeatureNotEnabledError} When the tenant `v2_batch` flag is off (404).
+ * @throws {AtlaSentError} For any other transport / HTTP failure.
+ * @throws {TypeError} When `items` is empty, exceeds the cap, or
+ *   `batchId` is not a valid UUID.
  */
-declare function computeBackoffMs(attempt: number, policy?: RetryPolicy, err?: unknown, random?: () => number): number;
+declare function evaluateMany(transport: V2Transport, req: EvaluateManyRequest): Promise<EvaluateBatchResponse>;
 /**
- * Returns `true` when `attempt` (zero-indexed) is below the policy's
- * `maxAttempts - 1` ceiling — i.e. when there is still budget for at
- * least one more try after this one. Convenience wrapper so retry
- * loops read top-to-bottom:
+ * Callbacks consumed by {@link authorizeStream}.
+ */
+interface AuthorizeStreamHandlers {
+    onDecision?: (frame: StreamDecisionFrame) => void;
+    onError?: (frame: StreamErrorFrame) => void;
+}
+/**
+ * `POST /v1/evaluate/stream` — V2-D4.
  *
- * ```ts
- * for (let attempt = 0; ; attempt++) {
- *   try { return await op(); }
- *   catch (err) {
- *     if (!isRetryable(err) || !hasAttemptsLeft(attempt, policy)) throw err;
- *     await sleep(computeBackoffMs(attempt, policy, err));
- *   }
- * }
- * ```
+ * Streams `event: decision` frames in input order. Per-item RPC
+ * failures arrive as `event: error` frames and do not tear down the
+ * stream (V2-D7 async semantics). Resolves with the terminal
+ * `event: complete` payload.
+ *
+ * @throws {FeatureNotEnabledError} When the tenant `v2_streaming` flag is off.
+ * @throws {AtlaSentError} For transport failures, including the stream
+ *   closing without a `complete` frame.
  */
-declare function hasAttemptsLeft(attempt: number, policy?: RetryPolicy): boolean;
+declare function authorizeStream(transport: V2Transport, req: EvaluateManyRequest, handlers?: AuthorizeStreamHandlers): Promise<StreamComplete>;
 /**
- * Merge a partial policy with {@link DEFAULT_RETRY_POLICY} and clamp
- * each field into a sensible range. Exported for tests and for
- * callers that want to log the resolved policy.
+ * `POST /v1/graphql` — V2-D2 + V2-D8.
+ *
+ * Bearer-only auth (no query-param). Wave A schema is read-only
+ * (`recentEvaluations(limit)` + `activeBundle`). Server enforces the
+ * V2-D8 OR-gate (`audit:read` OR `policy:read`) at request layer and
+ * a per-resolver AND-gate at field resolution time.
+ *
+ * Resolver-level errors surface on `response.errors` — the SDK does
+ * not throw on them so callers can inspect partial data.
+ *
+ * @throws {FeatureNotEnabledError} When the tenant `v2_graphql` flag is off.
+ * @throws {AtlaSentError} For transport / HTTP failures.
+ * @throws {TypeError} When `query` is empty or the body exceeds the 1MB cap.
  */
-declare function mergePolicy(policy: RetryPolicy): Required<RetryPolicy>;
+declare function graphql<T = unknown>(transport: V2Transport, req: GraphQLRequest): Promise<GraphQLResponse<T>>;
 
 /**
  * @atlasent/sdk — execution-time authorization for AI agents.
  *
- * Primary API is the default export:
+ * The canonical execution-boundary surface is two forms of the same
+ * contract. Both mint and verify a Permit end-to-end; both fail closed.
+ * Pick the form that fits the call site.
+ *
+ * `protect` — the primitive. Returns the verified {@link Permit} so
+ * the caller can pass it across a boundary, persist it alongside
+ * their own record, or interleave it with non-trivial control flow:
  *
  * ```ts
  * import atlasent from "@atlasent/sdk";
  *
  * const permit = await atlasent.protect({
  *   agent: "deploy-bot",
- *   action: "deploy_to_production",
+ *   action: "production.deploy",
  *   context: { commit, approver },
  * });
+ * // permit is verified end-to-end. Execute the action.
+ * ```
+ *
+ * `withPermit` — the lexically-scoped form. Binds the action body to
+ * the permit's lifetime via a callback so the call site reads as
+ * "execute this body under a permit":
+ *
+ * ```ts
+ * const result = await atlasent.withPermit(
+ *   { agent: "deploy-bot", action: "production.deploy",
+ *     context: { commit, approver } },
+ *   async (permit) => runDeploy(commit, { permitId: permit.permitId }),
+ * );
+ * ```
+ *
+ * `requirePermit` — descriptor form for dangerous operations carrying
+ * `resource_id` + `environment`. The executor only runs when AtlaSent
+ * authorizes it end-to-end:
+ *
+ * ```ts
+ * await atlasent.requirePermit(
+ *   { action_type: "database.table.drop", actor_id: "agent:code-agent",
+ *     resource_id: "prod-db.users", environment: "production",
+ *     context: { reversibility: "irreversible" } },
+ *   async () => { await db.raw("DROP TABLE users"); },
+ * );
  * ```
  *
  * Named exports remain available for the lower-level
@@ -605,16 +4041,24 @@ declare function mergePolicy(policy: RetryPolicy): Required<RetryPolicy>;
  *
  * ```ts
  * import atlasent from "@atlasent/sdk";
- * await atlasent.protect({ ... });
+ * const permit = await atlasent.protect({ ... });        // primitive
+ * await atlasent.withPermit({ ... }, async (permit) => …); // scoped form
+ * await atlasent.requirePermit({ ... }, executor);         // descriptor form
  * ```
  */
 declare const atlasent: {
     readonly protect: typeof protect;
+    readonly withPermit: typeof withPermit;
+    readonly deployGate: typeof deployGate;
     readonly configure: typeof configure;
+    readonly requirePermit: typeof requirePermit;
+    readonly classifyCommand: typeof classifyCommand;
     readonly verifyBundle: typeof verifyBundle;
+    readonly PRODUCTION_DEPLOY_ACTION: "production.deploy";
+    readonly DEPLOYMENT_PRODUCTION_ACTION: "deployment.production";
     readonly AtlaSentClient: typeof AtlaSentClient;
     readonly AtlaSentError: typeof AtlaSentError;
     readonly AtlaSentDeniedError: typeof AtlaSentDeniedError;
 };
 
-export { type ApiKeySelfResponse, AtlaSentClient, type AtlaSentClientOptions, AtlaSentDeniedError, AtlaSentError, type AuditBundle, type AuditDecision, type AuditEvent, type AuditEventsPage, type AuditEventsQuery, type AuditEventsResult, type AuditExport, type AuditExportRequest, type AuditExportResult, type AuditExportSignatureStatus, type BundleVerificationResult, DEFAULT_RETRY_POLICY, type Decision, type EvaluateRequest, type EvaluateResponse, type RateLimitState, type RetryPolicy, type VerifyBundleOptions, type VerifyKey, type VerifyPermitRequest, type VerifyPermitResponse, canonicalJSON, computeBackoffMs, configure, atlasent as default, hasAttemptsLeft, isRetryable, mergePolicy, protect, signedBytesFor, verifyAuditBundle, verifyBundle };
+export { type ActionFreeze, type ActionTypeOverrideStat, type ActorOverrideStat, type AmountThreshold, type AnomalyActionType, type AnomalyResponseEvent, type AnomalyResponseRule, type AnomalyType, ApiKeySelfResponse, type ApplyPolicySyncResponse, type ApprovalArtifactV1, type ApprovalConcentrationAnalysis, type ApprovalIssuer, type ApprovalProvenance, type ApprovalQuorumV1, type ApprovalReference, type ApprovalReviewer, type ApproveBudgetExceptionRequest, type ApproverBreakdown, AtlaSentClient, AtlaSentClientOptions, AtlaSentDeniedError, AtlaSentError, type AuditBundle, AuditEventsQuery, AuditEventsResult, AuditExportRequest, AuditExportResult, type AuthenticateConnectorInput, type AuthenticateConnectorResponse, type AuthorizeStreamHandlers, type AutonomousBoundsDenyCode, type AutonomousExecutionBounds, type AutonomousExecutionCheckResult, type AutonomousExecutionRecord, type BudgetConstraintCheckResult, type BudgetDenyCode, type BudgetExceptionRequest, type BudgetExceptionStatus, type BudgetLimit, type BudgetPolicy, type BudgetScope, type BudgetSpendingState, type BudgetViolation, type BudgetaryDriftAnalysis, type BundleVerificationResult, type ComplianceEvidenceRun, type ComplianceEvidenceSummary, type ComplianceFramework, type ComplianceRunStatus, type ComputeOrgRiskOptions, type ComputeOrgRiskResponse, type ConcentrationAlert, type ConnectedSystemRow, type ConnectorAuditLogEntry, type ConnectorCredentialRow, type ConnectorCredentialType, type ConnectorEnforcementEventInput, type ConnectorEnforcementPolicy, type ConnectorEnforcementResult, type ConnectorRow, type ConnectorStatus, type ConnectorSyncState, type ConnectorType, type CreateAnomalyResponseRuleRequest, type CreateBudgetExceptionRequest, type CreateGraphEdgeInput, type CreateGraphNodeInput, type CreateImpersonationGrantRequest, type CreateOverrideRequest, type CreateRegulatoryEscalationRequest, type CreateWebhookSubscriptionRequest, type CrossOrgImpersonationGrant, type CrossOrgPermissionCheckListParams, type CrossOrgPermissionCheckRequest, type CrossOrgPermissionCheckResult, type CrossOrgTrustHop, type CurrencyCode, DEFAULT_INCENTIVE_CONFIG, DEFAULT_RISK_TIER_THRESHOLDS, type DelegationPropagationSummary, DeployGateRequest, DeployGateResponse, type DisputeOrigin, type DisputeRecord, type DisputeReversalSummary, type DisputeStatus, type EconomicEvidenceBundle, type EmergencyFreeze, type EmergencyOverrideActionRow, type EnforcementAction, type EnforcementQuorumConfig, type EnforcementWebhookEvent, type EvaluateBatchItem, type EvaluateBatchResponse, type EvaluateManyRequest, EvaluatePreflightResponse, EvaluateRequest, EvaluateResponse, type EvidenceBundleSignableContent, type EvidenceBundleVerificationResult, type EvidenceControl, type EvidenceControlStatus, type EvidencePurpose, type ExecutionAnomaly, type ExecutionApproverRow, type ExecutionCeiling, FeatureNotEnabledError, type FeatureNotEnabledErrorInit, type FinancialActionClass, type FinancialActionType, type FinancialExecutionRecord, type FinancialExecutionStatus, type FinancialGovernanceSummary, type FinancialQuorumDenyCode, type FinancialQuorumInput, type FinancialQuorumPolicy, type FinancialQuorumResult, type FinancialRiskScore, type FinancialRiskTier, type FinancialRoleRequirement, type GetLatestOrgRiskResponse, GetPermitResponse, type GovernanceBehaviorPattern, GovernanceEnforcementError, type GovernanceEnforcementErrorInit, type GovernanceEvent, type GovernanceGate, type GovernanceGraphQueryParams, type GovernanceGraphQueryResponse, type GovernanceGraphQueryType, type GovernanceGraphResultRow, type GovernanceSignalAction, type GovernanceWebhookEvent, type GraphEdge, type GraphEdgeType, type GraphNode, type GraphNodeType, type GraphQLRequest, type GraphQLResponse, type HitlAiUnavailableFallback, type HitlApprovalRecord, type HitlApproveRequest, type HitlApproverPoolEntry, type HitlApproverType, type HitlChainHop, type HitlCreateRequest, type HitlDetailResponse, type HitlEscalateRequest, type HitlEscalation, type HitlFallbackDecision, type HitlHeterogeneousQuorumExtension, type HitlHeterogeneousQuorumTally, type HitlListResponse, type HitlQuorumProgress, type HitlQuorumTier, type HitlRejectRequest, type HitlRespondRequest, type HitlStatus, type IdentityAssertionBinding, type IdentityAssertionV1, type IdentityIssuer, type IdentityIssuerKey, type IdentitySubject, type IdentityTrustedIssuersConfig, type ImpersonationToken, type ImpersonationValidationResult, type IncentiveAlignmentConfig, type IncentiveSignal, type IncentiveSignalType, type IncidentChainActorEntry, type IncidentChainEvidenceRow, type IncidentChainExecutionRow, type IncidentTimelineResponse, type InstallConnectorInput, type InstallConnectorResponse, type LegacyEvaluateRequest, type LegacyEvaluateResponse, type LiabilityAttributionInput, type LiabilityAttributionRecord, type LiabilityChainValidation, type LiabilityClassification, type LiabilityEdge, type LiabilityNode, type LiabilityParty, type LiabilityPartyRole, type LiabilityVisualization, type ListConnectorsResponse, type ListEnforcementPoliciesResponse, type ListEvidenceRunsResponse, type ListGraphEdgesResponse, type ListGraphNodesResponse, type ListHitlEscalationsRequest, type ListHitlEscalationsResponse, type ListOrgRiskHistoryResponse, ListPermitsRequest, ListPermitsResponse, type ListPolicySyncRunsResponse, type ListWebhookDeliveriesResponse, type ListWebhookSubscriptionsResponse, type MisalignmentAlert, type OrgRiskLevel, type OrgRiskScore, type OverrideAnalytics, type OverrideEvent, type OverrideEventType, type OverrideEventsResponse, type OverrideListResponse, type OverrideStatus, type OverrideV1, Permit, type PermitV1, PermitValidResponse, type PolicyBundleEntry, type PolicyRef, type PolicySyncDiff, type PolicySyncRun, type PolicySyncStatus, type PrincipalKind, type ProductionDeployerRow, type ProofEvaluationSummary, type ProofPayload, type ProofResponse, ProtectRequest, type ProtectedAction, type QuorumBypassConnectorRow, type QuorumIndependence, type QuorumPolicy, type QuorumProof, type QuorumRoleRequirement, RateLimitState, type RecordSignalActionRequest, type RecordSignalOutcomeRequest, type RegulatoryAuthorityLevel, type RegulatoryEscalation, type RegulatoryEscalationStatus, type ReversalStage, type ReversalWorkflow, type RevokeConnectorResponse, RevokePermitByIdInput, RevokePermitByIdResponse, RevokePermitRequest, RevokePermitResponse, type RiskFactor, type RiskTierThreshold, type RiskTimelinePoint, type RotateCredentialsResponse, type SOC2ControlId, type SandboxDiff, type SandboxDiffEmpty, type SandboxDiffPerTable, type SandboxDiffResponse, type SandboxRunMode, type SandboxRunStatus, type SandboxRunWrite, type SandboxWriteOp, type SignalActionSummary, type SignalActionType, type SpendingConstraint, type StreamComplete, type StreamDecisionFrame, type StreamErrorFrame, StreamEvent, StreamOptions, type SubmitPolicySyncRequest, type SubmitPolicySyncResponse, type SyncConnectorResponse, type TriggerAnomalyResponseRequest, type TriggerEvidenceRunRequest, type TriggerEvidenceRunResponse, type UpsertEnforcementPolicyInput, type UpsertEnforcementPolicyResponse, type UserApprovalRow, type V2EvaluateRequest, type V2EvaluateResponse, type V2Feature, type V2Transport, V2_BATCH_PATH, V2_GRAPHQL_MAX_DEPTH, V2_GRAPHQL_PATH, V2_MAX_BATCH_ITEMS, V2_MAX_BODY_BYTES, V2_STREAM_PATH, type VerifyBundleOptions, type VerifyKey, VerifyPermitByIdResponse, VerifyPermitRequest, VerifyPermitResponse, type WebhookDelivery, type WebhookDeliveryStatus, type WebhookPayload, type WebhookSubscription, WebhookVerificationError, type WeightDistribution, assertWebhook, authorizeStream, budgetUtilizationSeverity, buildLiabilityChain, buildLiabilityVisualization, buildRiskTimeline, buildSignableContent, canonicalJSON, canonicalizeForEvidence, checkAutonomousBounds, checkBudgetConstraints, clampTokenDuration, classifyCommand, classifyRiskTier, computeApprovalRiskScore, computeEscalatedApprovalCount, computeExposureScore, computeGovernanceHealthScore, computeHHI, computeLiabilityWeights, computeOverallRiskScore, computeOverrideScore, computeRemediationUrgency, computeSignalEngagementRate, configure, atlasent as default, delegationPropagationHadEffect, deployGate, detectAutonomousAnomaly, detectMisalignedIncentives, detectSelfApproval, enforceAutonomousBounds, enforceBudgetConstraint, enforceEconomicGovernance, enforceFinancialQuorum, evaluateFinancialQuorum, evaluateMany, evidenceRunPasses, findPrimaryLiabilityParties, formatPolicySyncDiff, graphql, hhiToConcentrationScore, highestSeverityAction, hitlRequiredApproverCount, isBudgetExceptionActive, isBudgetExceptionTerminal, isEscalationSlaBreached, isFreezeActive, isImpersonationGrantUsable, isPolicySyncTerminal, isRegulatoryEscalationTerminal, isSandboxDiffPopulated, isSubstantiveSignalResponse, matchAnomalyRules, nonPassingControls, normalizeEvaluateRequest, normalizeEvaluateResponse, protect, requirePermit, scoreToRiskTier, serializeSignableContent, signedBytesFor, summarizeCrossOrgPermission, transitionDispute, transitionReversal, validateLiabilityChain, verifyAuditBundle, verifyBundle, verifyEvidenceBundleStructure, verifyWebhook, verifyWebhookSignature, withPermit, withinAutonomousCeiling };