@atlasent/sdk 2.10.0 → 2.13.0

package/dist/index.d.ts

@@ -1,179 +1,7 @@
-import { D as DecisionCanonical, R as RateLimitState, c as AtlaSentClientOptions, E as EvaluateRequest, d as EvaluateResponse, B as BatchEvalItem, e as BatchEvalResponse, S as SubscribeDecisionsOptions, f as DecisionStreamEvent, g as EvaluatePreflightResponse, V as VerifyPermitRequest, h as VerifyPermitResponse, i as DeployGateRequest, j as DeployGateResponse, k as RevokePermitRequest, l as RevokePermitResponse, m as RevokePermitByIdInput, n as RevokePermitByIdResponse, o as VerifyPermitByIdResponse, G as GetPermitResponse, p as PermitValidResponse, L as ListPermitsRequest, q as ListPermitsResponse, r as ApiKeySelfResponse, s as AuditEventsQuery, t as AuditEventsResult, u as AuditExportRequest, v as AuditExportResult, w as StreamOptions, x as StreamEvent, b as ProtectRequest, P as Permit, a as AtlaSentError, A as AtlaSentDeniedError, y as DecisionReceipt, z as DecisionReceiptAlgorithm, C as protect, F as deployGate, H as configure } from './protect-C0t0fP1y.js';
-export { I as AtlaSentDecision, J as AtlaSentDeniedErrorInit, K as AtlaSentErrorCode, M as AtlaSentErrorInit, N as AtlaSentEscalateError, O as AtlaSentEscalateErrorInit, Q as AuditDecision, T as AuditEvent, U as AuditEventsPage, W as AuditExport, X as AuditExportSignatureStatus, Y as BvsSnapshot, Z as ConfigureOptions, _ as ConsentClassProjection, $ as ConstraintTrace, a0 as ConstraintTracePolicy, a1 as ConstraintTraceStage, a2 as DEFAULT_RETRY_POLICY, a3 as DEPLOYMENT_PRODUCTION_ACTION, a4 as DEPLOY_GATE_CODES, a5 as Decision, a6 as DeployGateContext, a7 as DeployGateDenyCode, a8 as DeployGateEvidence, a9 as DeployOverrideClaim, aa as DeployPermitClaim, ab as EvaluateBatchResultItem, ac as EvaluateResponsePermit, ad as EvaluateRiskEnvelope, ae as EvaluateRiskEnvelopeFactor, af as PRODUCTION_DEPLOY_ACTION, ag as PermitOutcome, ah as PermitRecord, ai as PermitRevoked, aj as PermitStatus, ak as PermitWithEvidence, al as ProtectWithEvidenceOptions, am as RetryPolicy, an as StreamDecisionEvent, ao as StreamParseError, ap as StreamProgressEvent, aq as StreamTimeoutError, ar as computeBackoffMs, as as hasAttemptsLeft, at as isRetryable, au as mergePolicy, av as normalizePermitOutcome, aw as protectWithEvidence } from './protect-C0t0fP1y.js';
+import { D as DecisionCanonical, R as RateLimitState, c as AtlaSentClientOptions, E as EvaluateRequest, d as EvaluateResponse, B as BatchEvalItem, e as BatchEvalResponse, S as SubscribeDecisionsOptions, f as DecisionStreamEvent, g as EvaluatePreflightResponse, V as VerifyPermitRequest, h as VerifyPermitResponse, i as DeployGateRequest, j as DeployGateResponse, k as RevokePermitRequest, l as RevokePermitResponse, m as RevokePermitByIdInput, n as RevokePermitByIdResponse, o as VerifyPermitByIdResponse, G as GetPermitResponse, p as PermitValidResponse, L as ListPermitsRequest, q as ListPermitsResponse, r as ApiKeySelfResponse, s as AuditEventsQuery, t as AuditEventsResult, u as AuditExportRequest, v as AuditExportResult, w as StreamOptions, x as StreamEvent, y as LicenseStatus, z as LicenseVerifyResult, b as ProtectRequest, P as Permit, O as OverrideV1, A as AtlaSentDeniedError, a as AtlaSentError, C as DecisionReceipt, F as ComplianceEvidenceRun, H as DecisionReceiptAlgorithm, I as protect, J as deployGate, K as configure } from './protect-Bk9q12ia.js';
+export { M as ActionEvidenceBundle, N as AtlaSentDecision, Q as AtlaSentDeniedErrorInit, T as AtlaSentErrorCode, U as AtlaSentErrorInit, W as AtlaSentEscalateError, X as AtlaSentEscalateErrorInit, Y as AuditDecision, Z as AuditEvent, _ as AuditEventsPage, $ as AuditExport, a0 as AuditExportSignatureStatus, a1 as BundleVerificationError, a2 as BvsSnapshot, a3 as CompletionProof, a4 as ComplianceControlCoverage, a5 as ComplianceEvidenceSummary, a6 as ComplianceFramework, a7 as ComplianceRunStatus, a8 as ConfigureOptions, a9 as ConsentClassProjection, aa as ConstraintTrace, ab as ConstraintTracePolicy, ac as ConstraintTraceStage, ad as CreateOverrideRequest, ae as DEFAULT_RETRY_POLICY, af as DEPLOYMENT_PRODUCTION_ACTION, ag as DEPLOY_GATE_CODES, ah as Decision, ai as DecisionReceiptPayload, aj as DeployGateContext, ak as DeployGateDenyCode, al as DeployGateEvidence, am as DeployOverrideClaim, an as DeployPermitClaim, ao as EvaluateBatchResultItem, ap as EvaluateResponsePermit, aq as EvaluateRiskEnvelope, ar as EvaluateRiskEnvelopeFactor, as as EvidenceControl, at as EvidenceControlStatus, au as ListEvidenceRunsResponse, av as OverrideEvent, aw as OverrideEventType, ax as OverrideEventsResponse, ay as OverrideListResponse, az as OverrideStatus, aA as PRODUCTION_DEPLOY_ACTION, aB as PermitOutcome, aC as PermitRecord, aD as PermitRevoked, aE as PermitStatus, aF as PermitWithEvidence, aG as ProtectWithEvidenceOptions, aH as RetryPolicy, aI as SOC2ControlId, aJ as StreamDecisionEvent, aK as StreamParseError, aL as StreamProgressEvent, aM as StreamTimeoutError, aN as TriggerEvidenceRunRequest, aO as TriggerEvidenceRunResponse, aP as WhyPolicyEvaluation, aQ as WhyStage, aR as WhyTrace, aS as buildDecisionReceiptPayload, aT as buildWhyTrace, aU as computeBackoffMs, aV as computeBundleHash, aW as computeContextHash, aX as evidenceRunPasses, aY as hasAttemptsLeft, aZ as isRetryable, a_ as mergePolicy, a$ as nonPassingControls, b0 as normalizePermitOutcome, b1 as protectWithEvidence, b2 as signDecisionReceiptHmac, b3 as soc2ControlCoverageForDecision, b4 as verifyDecisionReceiptHmac } from './protect-Bk9q12ia.js';
 import { webcrypto } from 'node:crypto';
 
-/**
- * Override types — wire shapes for `/v1/overrides`.
- *
- * Overrides allow an authorized actor to bypass a deny decision for a
- * specific evaluation. They must be approved before they take effect
- * and can be revoked at any time.
- *
- * Mirrors `api/src/schemas/overrides.ts` in atlasent-control-plane.
- */
-/**
- * Lifecycle status of an override request.
- *
- * - `pending`  — created, waiting for approval
- * - `approved` — approved and active; the evaluation's deny is lifted
- * - `revoked`  — manually revoked
- * - `expired`  — TTL elapsed before revocation
- */
-type OverrideStatus = "pending" | "approved" | "revoked" | "expired";
-/**
- * The event types that can appear on an override's event log.
- */
-type OverrideEventType = "created" | "approved" | "revoked";
-/**
- * Canonical Override domain object returned by the API.
- *
- * All timestamps are ISO-8601 UTC strings. Nullable fields are `null`
- * rather than omitted so wire shapes are stable.
- */
-interface OverrideV1 {
-    id: string;
-    orgId: string;
-    /** The evaluation ID this override applies to. */
-    evaluationId: string;
-    /** Human-readable justification provided at creation time. */
-    reason: string;
-    status: OverrideStatus;
-    /** Actor who requested the override. */
-    requestedBy: string;
-    /** Actor who approved the override, or `null` if not yet approved. */
-    approvedBy: string | null;
-    /** Actor who revoked the override, or `null` if not revoked. */
-    revokedBy: string | null;
-    /** ISO-8601 creation timestamp. */
-    createdAt: string;
-    /** ISO-8601 approval timestamp, or `null`. */
-    approvedAt: string | null;
-    /** ISO-8601 revocation timestamp, or `null`. */
-    revokedAt: string | null;
-    /** ISO-8601 expiry timestamp, or `null` if no TTL was set. */
-    expiresAt: string | null;
-    /** Arbitrary key/value metadata attached at creation. `null` when none. */
-    metadata: Record<string, unknown> | null;
-}
-/**
- * Paginated list of overrides.
- */
-interface OverrideListResponse {
-    items: OverrideV1[];
-    /** Opaque cursor for the next page. `null` when there are no more results. */
-    nextCursor: string | null;
-}
-/**
- * Input for `POST /v1/overrides` — request a new override.
- */
-interface CreateOverrideRequest {
-    /** Human-readable justification. Required; max 2000 characters. */
-    reason: string;
-    /** The evaluation ID to override. */
-    evaluationId: string;
-    /** Lifetime in seconds. Defaults to 3600. Max 604800 (7 days). */
-    ttlSeconds?: number;
-    /** Arbitrary metadata to attach to the override record. */
-    metadata?: Record<string, unknown>;
-}
-/**
- * Audit event appended to an override's event log on every state mutation.
- */
-interface OverrideEvent {
-    id: string;
-    overrideId: string;
-    orgId: string;
-    /** Actor who caused this event. */
-    actorId: string;
-    type: OverrideEventType;
-    /** ISO-8601 timestamp. */
-    at: string;
-    /** Event-specific payload. `null` when none. */
-    payload: Record<string, unknown> | null;
-}
-/**
- * Response for `GET /v1/overrides/:id/events`.
- */
-interface OverrideEventsResponse {
-    items: OverrideEvent[];
-}
-
-/**
- * Compliance evidence types — wire shapes for `v1-compliance-evidence`.
- *
- * Supports on-demand SOC 2 Type II control evidence collection. The
- * same run shape is used for ISO 27001, GDPR, and HIPAA; control IDs
- * differ per framework.
- */
-type ComplianceFramework = "soc2" | "iso27001" | "gdpr" | "hipaa";
-type EvidenceControlStatus = "pass" | "gap" | "finding";
-type ComplianceRunStatus = "pending" | "running" | "completed" | "failed";
-/**
- * A single evaluated control within an evidence run.
- * `evidence` is a free-form object whose keys are framework-specific
- * metric names (e.g. `mfa_enforced_policies`, `audit_events_last_30d`).
- */
-interface EvidenceControl {
-    control_id: string;
-    title: string;
-    status: EvidenceControlStatus;
-    evidence: Record<string, unknown>;
-}
-interface ComplianceEvidenceSummary {
-    total: number;
-    pass: number;
-    gap: number;
-    finding: number;
-}
-interface ComplianceEvidenceRun {
-    id: string;
-    org_id: string;
-    framework: ComplianceFramework;
-    period_start: string;
-    period_end: string;
-    status: ComplianceRunStatus;
-    controls: EvidenceControl[];
-    summary: ComplianceEvidenceSummary | null;
-    applied_by: string | null;
-    created_at: string;
-}
-interface TriggerEvidenceRunRequest {
-    framework: ComplianceFramework;
-    /** ISO 8601 date string; defaults to 30 days ago on the server. */
-    period_start?: string;
-    /** ISO 8601 date string; defaults to now on the server. */
-    period_end?: string;
-}
-interface TriggerEvidenceRunResponse {
-    run: ComplianceEvidenceRun;
-}
-interface ListEvidenceRunsResponse {
-    runs: ComplianceEvidenceRun[];
-}
-/**
- * SOC 2 control IDs evaluated by `v1-compliance-evidence`.
- *
- * | ID     | Area |
- * |--------|------|
- * | CC6.1  | MFA enforcement |
- * | CC6.3  | Periodic access reviews |
- * | CC7.2  | Audit trail completeness |
- * | CC8.1  | Change management / HITL |
- * | CC3.2  | Policy violations |
- */
-type SOC2ControlId = "CC6.1" | "CC6.3" | "CC7.2" | "CC8.1" | "CC3.2";
-/**
- * Returns `true` when every control in the run has `pass` or `gap`
- * status (no `finding`). A `gap` means a control is partially met;
- * a `finding` is a blocking deficiency that requires remediation.
- */
-declare function evidenceRunPasses(run: ComplianceEvidenceRun): boolean;
-/**
- * Returns controls that do not have `pass` status, sorted so
- * `finding` controls appear before `gap` controls.
- */
-declare function nonPassingControls(run: ComplianceEvidenceRun): EvidenceControl[];
-
 /**
  * Wire types for `POST /v1-decisions-replay/:id/replay`.
  *
@@ -278,6 +106,154 @@ interface ReplayResponse {
     /** Rate-limit state from response headers. */
     rateLimit: RateLimitState | null;
 }
+/**
+ * Result of offline evidence bundle verification via {@link verifyEvidenceBundle}.
+ *
+ * Named distinctly from {@link BundleVerificationResult} in `auditBundle.ts`
+ * which carries chain-integrity and signature fields for audit export bundles.
+ * This result covers the lighter-weight structural + hash-integrity check used
+ * by the Phase 3 replay client.
+ */
+interface EvidenceBundleVerifyResult {
+    /** `true` when all checks passed. */
+    valid: boolean;
+    /** The `bundle_id` from the top-level bundle object, if present. */
+    bundleId: string | undefined;
+    /** The first `permit_id` found in the permits array (convenience). */
+    permitId: string | undefined;
+    /** Human-readable failure description; `undefined` when `valid` is `true`. */
+    reason: string | undefined;
+}
+/**
+ * Offline shape of an evidence bundle as returned by
+ * `GET /v1/evidence-bundles/:id` and downloaded for replay verification.
+ */
+interface OfflineEvidenceBundleData {
+    bundle_id?: string;
+    org_id?: string;
+    status?: string;
+    permits?: Array<{
+        permit_id?: string;
+        evaluation_id?: string;
+    }>;
+    hash_chain?: {
+        root_hash?: string;
+        entry_count?: number;
+    };
+    [key: string]: unknown;
+}
+/**
+ * Verify an evidence bundle offline without a backend round-trip.
+ *
+ * Checks:
+ * 1. Bundle has required fields (`bundle_id`, `org_id`, `status`).
+ * 2. `status` is `"ready"`.
+ * 3. Root hash integrity if `hash_chain` is present (SHA-256 via Node crypto).
+ *
+ * Does **not** require `AtlaSentClient` or network access.
+ *
+ * @example
+ * ```ts
+ * import { verifyEvidenceBundle } from "@atlasent/sdk";
+ *
+ * const result = verifyEvidenceBundle(bundleJson);
+ * if (result.valid) {
+ *   console.log("verified, first permit:", result.permitId);
+ * } else {
+ *   console.error("verification failed:", result.reason);
+ * }
+ * ```
+ */
+declare function verifyEvidenceBundle(bundle: OfflineEvidenceBundleData): EvidenceBundleVerifyResult;
+/**
+ * Compute a deterministic SHA-256 root hash over the permits list.
+ * Uses `JSON.stringify` with sorted keys via a replacer for canonical form.
+ *
+ * @internal
+ */
+declare function _computeEvidenceRootHash(permits: OfflineEvidenceBundleData["permits"]): string;
+
+/**
+ * Hybrid trust-root bootstrap and snapshot management.
+ *
+ * At module load, seeds from the vendor snapshot in vendor/trust-root/.
+ * Optionally refreshes from https://keys.atlasent.io/.well-known/ on
+ * a configurable interval (default 4h, floor 5 min per ADR-005 D2).
+ * Refresh failure is silent — falls back to the in-memory snapshot.
+ *
+ * Snapshot expiry (valid_until) is fail-closed per ADR-005 D3:
+ * checkExpiry() emits a one-time console.warn at half-life, and again
+ * on expiry. verifyAuditBundle throws BundleVerificationError when
+ * expired (unless allowExpiredSnapshot=true is passed).
+ */
+interface TrustRootKey {
+    kid: string;
+    role: "R1_release" | "R2_permit" | "R3_audit" | "R4_pack";
+    kty: string;
+    crv?: string;
+    alg: string;
+    x?: string;
+    valid_from?: string | null;
+    valid_until?: string | null;
+    replaced_by?: string | null;
+    revoked?: boolean;
+    tenant?: string | null;
+}
+interface TrustRootRevocationEntry {
+    kid: string;
+    role?: string;
+    revoked_at: string;
+    reason?: string;
+}
+interface TrustRootSnapshot {
+    /** ISO-8601 expiry of this snapshot; fail-closed when exceeded */
+    valid_until: string;
+    issued_at: string;
+    keys: TrustRootKey[];
+    revoked_keys: TrustRootRevocationEntry[];
+    revoked_identities: Array<{
+        identity: string;
+        revoked_at: string;
+        reason?: string;
+    }>;
+}
+interface TrustRootManagerOptions {
+    /** Override the refresh URL (default: https://keys.atlasent.io/.well-known/) */
+    refreshBaseUrl?: string;
+    /** Refresh interval in ms. Default: 4h. Floor: 5 min. */
+    refreshIntervalMs?: number;
+    /** Disable automatic background refresh. */
+    disableRefresh?: boolean;
+    /** Custom fetch implementation (for tests). */
+    fetch?: typeof fetch;
+}
+declare class TrustRootManager {
+    private _snapshot;
+    private _refreshTimer;
+    private readonly _opts;
+    constructor(initialSnapshot: TrustRootSnapshot, opts?: TrustRootManagerOptions);
+    getSnapshot(): TrustRootSnapshot;
+    /**
+     * Check whether the snapshot is expired, emit one-time warnings at
+     * half-life and expiry.  Returns "ok" | "half_life" | "expired".
+     *
+     * Emits console.warn once per process at half-life (ADR-005 D3).
+     * Emits console.warn once per process on expiry.
+     */
+    checkExpiry(): "ok" | "half_life" | "expired";
+    /** Look up a key entry by kid. Returns undefined if not found. */
+    lookupKey(kid: string): TrustRootKey | undefined;
+    /** Returns true if the kid appears in revoked_keys. */
+    isRevoked(kid: string): boolean;
+    /** Replace the snapshot (e.g. after a successful refresh). */
+    replaceSnapshot(next: TrustRootSnapshot): void;
+    stopRefresh(): void;
+    private _scheduleRefresh;
+    private _doRefresh;
+}
+declare function getGlobalTrustRootManager(opts?: TrustRootManagerOptions): TrustRootManager;
+/** Replace the global manager (primarily for tests). */
+declare function __setGlobalTrustRootManagerForTests(mgr: TrustRootManager | null): void;
 
 /**
  * Dual-shape input bridge for the v2.0.0 wire format change.
@@ -310,6 +286,31 @@ interface V2EvaluateRequest {
     context?: Record<string, unknown>;
     /** Populate `risk_envelope.factors` in the response (Phase C). */
     explain?: boolean;
+    /** Deployment environment where the action executes (e.g. `"production"`). */
+    environment?: string;
+    /** Structured resource descriptor. Prefer over `resource_id` for new callers. */
+    resource?: {
+        type: string;
+        id?: string;
+        attributes?: Record<string, unknown>;
+    };
+    /** Snapshot of the resource before the proposed action. Enables state-transition-aware policy evaluation. */
+    current_state?: {
+        description: string;
+        attributes?: Record<string, unknown>;
+    };
+    /** Desired resource state after the action. */
+    proposed_state?: {
+        description: string;
+        attributes?: Record<string, unknown>;
+    };
+    /** Execution surface binding (CI/CD adapter, DB driver, etc.). */
+    execution_binding?: {
+        kind: string;
+        adapter_version?: string;
+        resource_id?: string;
+        enforcement_point?: string;
+    };
 }
 /**
  * Normalise an evaluate request from either the legacy v1.x shape
@@ -1544,96 +1545,801 @@ declare function isImpersonationGrantUsable(grant: CrossOrgImpersonationGrant, n
 declare function clampTokenDuration(grant: CrossOrgImpersonationGrant, requestedSeconds: number): number;
 
 /**
- * AtlaSent HTTP client.
+ * SCIM 2.0 provisioning client — user and group lifecycle management.
  *
- * Two public methods, both backed by native `fetch`:
- *   - {@link AtlaSentClient.evaluate}     → POST {baseUrl}/v1-evaluate
- *   - {@link AtlaSentClient.verifyPermit} → POST {baseUrl}/v1-verify-permit
+ * Wire surface: /scim/v2/* endpoints in atlasent-api (RFC 7643/7644).
  *
- * Fail-closed: a clean policy DENY is returned (not thrown), but
- * network, timeout, bad response, 4xx/5xx, and rate-limit conditions
- * all throw {@link AtlaSentError}.
+ * Usage:
+ *
+ * ```ts
+ * import { AtlaSentClient } from "@atlasent/sdk";
+ *
+ * const client = new AtlaSentClient({ apiKey: "..." });
+ *
+ * const page = await client.scim.users.list({ orgId: "org_abc" });
+ * for (const user of page.Resources) {
+ *   console.log(user.userName);
+ * }
+ *
+ * const newUser = await client.scim.users.create("org_abc", {
+ *   userName: "alice@example.com",
+ *   displayName: "Alice Example",
+ *   active: true,
+ *   emails: [{ value: "alice@example.com", primary: true }],
+ * });
+ * ```
  */
-
-declare class AtlaSentClient {
-    private readonly apiKey;
-    private readonly baseUrl;
-    private readonly timeoutMs;
-    private readonly fetchImpl;
-    private readonly userAgent;
-    private readonly retryPolicy;
-    constructor(options: AtlaSentClientOptions);
+declare const SCIM_USER_SCHEMA: "urn:ietf:params:scim:schemas:core:2.0:User";
+declare const SCIM_GROUP_SCHEMA: "urn:ietf:params:scim:schemas:core:2.0:Group";
+declare const SCIM_PATCH_OP_SCHEMA: "urn:ietf:params:scim:api:messages:2.0:PatchOp";
+/** SCIM email value. */
+interface ScimEmail {
+    value: string;
+    type?: string;
+    primary?: boolean;
+}
+/** SCIM name component. */
+interface ScimName {
+    formatted?: string;
+    givenName?: string;
+    familyName?: string;
+}
+/** Group reference embedded on a user. */
+interface ScimGroupRef {
+    value: string;
+    display?: string;
+}
+/** SCIM metadata block. */
+interface ScimMeta {
+    resourceType?: string;
+    created?: string;
+    lastModified?: string;
+    location?: string;
+    version?: string;
+}
+/** SCIM 2.0 User resource. */
+interface ScimUser {
+    schemas?: string[];
+    id?: string;
+    userName: string;
+    displayName?: string;
+    active?: boolean;
+    emails?: ScimEmail[];
+    name?: ScimName;
+    groups?: ScimGroupRef[];
+    meta?: ScimMeta;
+    [k: string]: unknown;
+}
+/** Create payload for a new SCIM user. `schemas` is injected automatically. */
+type ScimUserCreate = Omit<ScimUser, "id" | "meta">;
+/** Update payload for an existing SCIM user. */
+type ScimUserUpdate = ScimUser;
+/** RFC 7644 PatchOp operation. */
+interface ScimPatchOp {
+    op: "add" | "remove" | "replace";
+    path?: string;
+    value?: unknown;
+}
+/** SCIM 2.0 ListResponse envelope (generic). */
+interface ScimListResponse<T = unknown> {
+    schemas: string[];
+    totalResults: number;
+    startIndex: number;
+    itemsPerPage: number;
+    Resources: T[];
+}
+/** Query parameters for SCIM list operations. */
+interface ScimListParams {
+    /** Organisation ID (required). */
+    orgId: string;
+    /** SCIM filter expression, e.g. `userName eq "alice@example.com"`. */
+    filter?: string;
+    /** 1-based pagination offset. Defaults to 1 on the server. */
+    startIndex?: number;
+    /** Maximum results per page. Defaults to 100 on the server. */
+    count?: number;
+}
+/** Sub-client for /scim/v2/{orgId}/Users operations. */
+interface ScimUsersSubClient {
     /**
-     * Ask the policy engine whether an agent action is permitted.
-     *
-     * Accepts either the current v2.0 shape (`action_type` / `actor_id`)
-     * or the legacy v1.x shape (`action` / `agent`). Legacy callers
-     * receive a deprecation warning via `console.warn`; the shim is
-     * handled by {@link normalizeEvaluateRequest} and will be removed
-     * in v3.0.0.
+     * `GET /scim/v2/{orgId}/Users` — list provisioned users.
      *
-     * A "deny" is **not** thrown — it is returned in
-     * `response.decision`. Network errors, invalid API key, rate
-     * limits, timeouts, and malformed responses throw
-     * {@link AtlaSentError}.
+     * ```ts
+     * const page = await client.scim.users.list({ orgId: "org_abc" });
+     * ```
      */
-    evaluate(input: EvaluateRequest | LegacyEvaluateRequest): Promise<EvaluateResponse>;
+    list(params: ScimListParams): Promise<ScimListResponse<ScimUser>>;
     /**
-     * Batch evaluate — send up to 100 decisions in a single round-trip.
-     *
-     * Wraps `POST /v1-evaluate-batch`. The server evaluates each item
-     * against the active policy bundle and returns results in the same
-     * order as the input. One rate-limit token is consumed for the
-     * whole batch, and one audit-chain entry lists every included
-     * decision id.
-     *
-     * A per-item policy `deny` is **not** thrown — it appears as
-     * `item.decision === "deny"` in the returned items. A whole-batch
-     * network error, 4xx, or 5xx throws {@link AtlaSentError}.
+     * `POST /scim/v2/{orgId}/Users` — provision a new user.
      *
-     * Requires the `v2_batch` tenant feature flag to be enabled on the
-     * org (returns 404 when off). Requires scope `evaluate:write`.
+     * ```ts
+     * const user = await client.scim.users.create("org_abc", {
+     *   userName: "alice@example.com",
+     *   active: true,
+     *   emails: [{ value: "alice@example.com", primary: true }],
+     * });
+     * ```
+     */
+    create(orgId: string, user: ScimUserCreate): Promise<ScimUser>;
+    /**
+     * `PUT /scim/v2/{orgId}/Users/{id}` — full replacement.
      *
-     * @param requests - 1–100 evaluate items.
-     * @param batchId  - Optional caller-supplied UUID for idempotency.
-     *   A retried call with the same `batchId` and identical items
-     *   returns the cached response within 24 h (`replayed: true`).
+     * ```ts
+     * const updated = await client.scim.users.update("org_abc", "usr_123", user);
+     * ```
      */
-    evaluateBatch(requests: BatchEvalItem[], batchId?: string): Promise<BatchEvalResponse>;
+    update(orgId: string, id: string, user: ScimUserUpdate): Promise<ScimUser>;
     /**
-     * Subscribe to a live stream of decisions for this org.
+     * `DELETE /scim/v2/{orgId}/Users/{id}` — deprovision a user.
      *
-     * Wraps `GET /v1-decisions-stream`. The server emits one SSE frame
-     * per audit event and sends a heartbeat every 15 s. The session
-     * auto-closes after `maxSeconds` (default 30 min); reconnect with
-     * the last received `event.id` to resume without replaying history.
+     * ```ts
+     * await client.scim.users.delete("org_abc", "usr_123");
+     * ```
+     */
+    delete(orgId: string, id: string): Promise<void>;
+}
+/** Sub-client for /scim/v2/{orgId}/Groups operations. */
+interface ScimGroupsSubClient {
+    /** `GET /scim/v2/{orgId}/Groups` — list groups. */
+    list(params: ScimListParams): Promise<ScimListResponse<Record<string, unknown>>>;
+    /** `POST /scim/v2/{orgId}/Groups` — create a group. */
+    create(orgId: string, group: Record<string, unknown>): Promise<Record<string, unknown>>;
+    /** `DELETE /scim/v2/{orgId}/Groups/{id}` — delete a group. */
+    delete(orgId: string, id: string): Promise<void>;
+}
+/** Top-level SCIM sub-client exposed as `client.scim`. */
+interface ScimSubClient {
+    users: ScimUsersSubClient;
+    groups: ScimGroupsSubClient;
+}
+type PostFn = <T>(path: string, body: unknown, query?: URLSearchParams) => Promise<{
+    body: T;
+}>;
+type GetFn = <T>(path: string, query?: URLSearchParams) => Promise<{
+    body: T;
+}>;
+type PutFn = <T>(path: string, body: unknown) => Promise<{
+    body: T;
+}>;
+type DeleteFn = (path: string) => Promise<void>;
+/**
+ * Factory that returns the SCIM sub-client bound to a host client.
+ * Called internally by AtlaSentClient; not part of the public constructor API.
+ */
+declare function makeScimClient(postFn: PostFn, getFn: GetFn, putFn: PutFn, deleteFn: DeleteFn): ScimSubClient;
+
+/**
+ * Evidence Bundle helpers — create, retrieve, and download compliance
+ * evidence bundles for incident investigations and audit export.
+ *
+ * Wire surface: POST/GET /v1/evidence-bundles
+ *
+ * Usage:
+ *
+ * ```ts
+ * import { AtlaSentClient } from "@atlasent/sdk";
+ *
+ * const client = new AtlaSentClient({ apiKey: "..." });
+ *
+ * // Create
+ * const bundle = await client.evidenceBundles.create({
+ *   incidentId: "inc_abc123",
+ *   includeOverrides: true,
+ * });
+ *
+ * // Get
+ * const bundle2 = await client.evidenceBundles.get(bundle.bundleId);
+ *
+ * // Download as JSON or PDF
+ * const pdf = await client.evidenceBundles.download(bundle.bundleId, "pdf");
+ * ```
+ */
+/** Status of an evidence bundle. */
+type EvidenceBundleStatus = "pending" | "building" | "ready" | "failed" | "expired";
+/** An evidence bundle record returned by the API. */
+interface EvidenceBundle {
+    /** Server-assigned bundle identifier. */
+    bundleId: string;
+    /** Organisation the bundle belongs to. */
+    orgId: string;
+    /** Incident or investigation ID this bundle was created for. */
+    incidentId: string;
+    /** Current bundle status. */
+    status: EvidenceBundleStatus;
+    /** Permit IDs included in the bundle (empty = all permits for the incident). */
+    includedPermits: string[];
+    /** Whether override events are included. */
+    includeOverrides: boolean;
+    /** Format used when the bundle was created. */
+    format: "json" | "pdf";
+    /** ISO 8601 creation time. */
+    createdAt: string;
+    /** ISO 8601 expiration time. */
+    expiresAt: string;
+    /** Pre-signed download URL (populated when status is `ready`). */
+    downloadUrl?: string;
+    /** Free-form metadata supplied at creation. */
+    metadata?: Record<string, unknown>;
+}
+/** Input to {@link EvidenceBundlesMixin.create}. */
+interface EvidenceBundleCreateParams {
+    /** Incident or investigation ID for this bundle. */
+    incidentId: string;
+    /**
+     * Optional list of specific permit IDs to include.
+     * When omitted, all permits associated with the incident are included.
+     */
+    includedPermits?: string[];
+    /**
+     * When `true`, override events are embedded in the bundle.
+     * Defaults to `false`.
+     */
+    includeOverrides?: boolean;
+}
+/** Query parameters for {@link EvidenceBundleSubClient.list}. */
+interface EvidenceBundleListParams {
+    /** Filter bundles to a specific execution ID. */
+    executionId?: string;
+    /** Maximum number of bundles to return. */
+    limit?: number;
+    /** Opaque cursor from a previous list response for pagination. */
+    cursor?: string;
+}
+/** Paginated response from {@link EvidenceBundleSubClient.list}. */
+interface EvidenceBundleListPage {
+    /** Evidence bundles for this page. */
+    bundles: EvidenceBundle[];
+    /** Pass as `cursor` to `list()` to fetch the next page. `null` means no more pages. */
+    nextCursor: string | null;
+}
+/**
+ * Sub-client for evidence bundle operations.
+ * Accessed as `client.evidenceBundles` on {@link AtlaSentClient}.
+ */
+interface EvidenceBundleSubClient {
+    /**
+     * List evidence bundles for the org, with optional filters and pagination.
      *
      * ```ts
-     * const controller = new AbortController();
-     * for await (const event of client.subscribeDecisions({ signal: controller.signal })) {
-     *   if (event.type === "heartbeat") continue;
-     *   console.log(event.type, event.decision, event.actorId);
-     *   if (event.type === "session_end") break; // reconnect
+     * const page = await client.evidenceBundles.list({ limit: 20 });
+     * for (const bundle of page.bundles) { ... }
+     * if (page.nextCursor) {
+     *   const next = await client.evidenceBundles.list({ cursor: page.nextCursor });
      * }
      * ```
+     */
+    list(params?: EvidenceBundleListParams): Promise<EvidenceBundleListPage>;
+    /**
+     * Create a new evidence bundle.
      *
-     * Requires scope `audit:read`. Requires the `v2_decisions_stream`
-     * tenant feature flag (returns 404 when off).
+     * ```ts
+     * const bundle = await client.evidenceBundles.create({
+     *   incidentId: "inc_abc123",
+     *   includeOverrides: true,
+     * });
+     * ```
      */
-    subscribeDecisions(opts?: SubscribeDecisionsOptions): AsyncGenerator<DecisionStreamEvent>;
+    create(params: EvidenceBundleCreateParams): Promise<EvidenceBundle>;
     /**
-     * Pre-flight evaluation that always returns the constraint trace.
+     * Retrieve an evidence bundle by ID.
      *
-     * Wraps `POST /v1-evaluate?include=constraint_trace`. Use this from
-     * a workflow's submission step to surface trivial defects (missing
-     * fields, wrong roles, mis-set context) BEFORE pushing the request
-     * onto an approval queue — only requests that would actually pass
-     * make it through to a human reviewer.
+     * ```ts
+     * const bundle = await client.evidenceBundles.get("bnd_xyz");
+     * ```
+     */
+    get(bundleId: string): Promise<EvidenceBundle>;
+    /**
+     * Download the evidence bundle contents.
      *
-     * Returns an {@link EvaluatePreflightResponse} carrying the regular
-     * {@link EvaluateResponse} plus the {@link ConstraintTrace}. Unlike
-     * {@link evaluate}, this method does NOT mark a non-allow as a
-     * thrown condition — the whole point is to inspect both the outcome
+     * @param bundleId - The bundle to download.
+     * @param format   - `"json"` (default) or `"pdf"`.
+     * @returns Raw bytes of the downloaded file.
+     *
+     * ```ts
+     * const pdf = await client.evidenceBundles.download("bnd_xyz", "pdf");
+     * await fs.writeFile("bundle.pdf", pdf);
+     * ```
+     */
+    download(bundleId: string, format?: "json" | "pdf"): Promise<Buffer>;
+}
+/**
+ * Factory that returns the evidence-bundles sub-client bound to a host
+ * client. Called internally by AtlaSentClient; not part of the public
+ * constructor API.
+ */
+declare function makeEvidenceBundleClient(postFn: <T>(path: string, body: unknown) => Promise<{
+    body: T;
+}>, getFn: <T>(path: string, query?: URLSearchParams) => Promise<{
+    body: T;
+}>, getRawFn: (path: string) => Promise<ArrayBuffer>): EvidenceBundleSubClient;
+
+/**
+ * Auth helpers — token management and multi-IdP token refresh.
+ *
+ * Wire surface: /v1/auth/* endpoints in atlasent-api.
+ *
+ * Usage:
+ *
+ * ```ts
+ * import { AtlaSentClient } from "@atlasent/sdk";
+ *
+ * const client = new AtlaSentClient({ apiKey: "..." });
+ *
+ * // Refresh using the default IdP
+ * const tokens = await client.auth.refresh(currentRefreshToken);
+ *
+ * // Refresh using a specific IdP (multi-IdP orgs)
+ * const tokens = await client.auth.refreshWithIdp("idp_okta_prod", currentRefreshToken);
+ *
+ * // List IdP connections
+ * const connections = await client.auth.listIdpConnections();
+ * ```
+ */
+/** A token response from the auth endpoints. */
+interface TokenResponse {
+    accessToken: string;
+    refreshToken: string;
+    tokenType: string;
+    expiresIn: number;
+    scope?: string;
+    /** IdP that issued the token (populated on multi-IdP responses). */
+    idpId?: string;
+}
+/** An IdP connection record. */
+interface IdpConnection {
+    id: string;
+    name: string;
+    provider: string;
+    enabled: boolean;
+    isDefault: boolean;
+    domains?: string[];
+    createdAt: string;
+}
+/** Sub-client for token management and multi-IdP auth. */
+interface AuthSubClient {
+    /**
+     * Refresh an access token using the default IdP connection.
+     *
+     * ```ts
+     * const tokens = await client.auth.refresh(currentRefreshToken);
+     * ```
+     */
+    refresh(refreshToken: string): Promise<TokenResponse>;
+    /**
+     * Refresh an access token against a specific IdP connection.
+     *
+     * Use this in multi-IdP organisations where the caller needs to
+     * specify which SSO connection to use for the token exchange.
+     *
+     * `idpId` corresponds to the connection ID returned by
+     * `listIdpConnections()` (e.g. `"idp_okta_prod"`, `"idp_entra"`).
+     *
+     * ```ts
+     * const tokens = await client.auth.refreshWithIdp(
+     *   "idp_okta_prod",
+     *   currentRefreshToken,
+     * );
+     * ```
+     */
+    refreshWithIdp(idpId: string, refreshToken: string): Promise<TokenResponse>;
+    /**
+     * List IdP connections available for this organisation.
+     *
+     * ```ts
+     * const connections = await client.auth.listIdpConnections();
+     * const primary = connections.find(c => c.isDefault);
+     * ```
+     */
+    listIdpConnections(): Promise<IdpConnection[]>;
+}
+/**
+ * Factory that returns the auth sub-client bound to a host client.
+ * Called internally by AtlaSentClient; not part of the public constructor API.
+ */
+declare function makeAuthClient(postFn: <T>(path: string, body: unknown) => Promise<{
+    body: T;
+}>, getFn: <T>(path: string) => Promise<{
+    body: T;
+}>): AuthSubClient;
+
+/**
+ * SSO administration — connections, JIT rules, events, enforcement state
+ * machine, and the `client.sso` sub-client.
+ *
+ * Usage:
+ *
+ * ```ts
+ * import { AtlaSentClient } from "@atlasent/sdk";
+ *
+ * const client = new AtlaSentClient({ apiKey: "..." });
+ *
+ * const { connections } = await client.sso.listConnections();
+ * const status = await client.sso.getStatus();
+ * await client.sso.enforce("enable");
+ * ```
+ */
+/** An SSO connection record (SAML 2.0 or OIDC). */
+interface SsoConnection {
+    id: string;
+    organizationId: string;
+    name: string;
+    protocol: "saml" | "oidc";
+    idpEntityId: string;
+    metadataUrl: string | null;
+    metadataXml: string | null;
+    emailDomain: string | null;
+    enforceForDomain: boolean;
+    isActive: boolean;
+    supabaseProviderId: string | null;
+    createdBy: string;
+    createdAt: string;
+    updatedAt: string;
+}
+/** Wire (snake_case) shape for SSO connection responses. */
+interface SsoConnectionWire {
+    id: string;
+    organization_id: string;
+    name: string;
+    protocol: "saml" | "oidc";
+    idp_entity_id: string;
+    metadata_url: string | null;
+    metadata_xml: string | null;
+    email_domain: string | null;
+    enforce_for_domain: boolean;
+    is_active: boolean;
+    supabase_provider_id: string | null;
+    created_by: string;
+    created_at: string;
+    updated_at: string;
+}
+declare function wireToSsoConnection(w: SsoConnectionWire): SsoConnection;
+type SsoRole = "owner" | "admin" | "approver" | "member" | "viewer";
+/** A JIT provisioning rule that maps an IdP claim to an org role. */
+interface SsoJitRule {
+    id: string;
+    connectionId: string;
+    organizationId: string;
+    claimAttribute: string;
+    claimValue: string;
+    grantedRole: SsoRole;
+    precedence: number;
+    isActive: boolean;
+    createdAt: string;
+    updatedAt: string;
+}
+/** Wire (snake_case) shape for JIT rule responses. */
+interface SsoJitRuleWire {
+    id: string;
+    connection_id: string;
+    organization_id: string;
+    claim_attribute: string;
+    claim_value: string;
+    granted_role: SsoRole;
+    precedence: number;
+    is_active: boolean;
+    created_at: string;
+    updated_at: string;
+}
+declare function wireToSsoJitRule(w: SsoJitRuleWire): SsoJitRule;
+/**
+ * An SSO lifecycle event — login, session, config change, break-glass, or
+ * JIT provisioning.
+ */
+interface SsoEvent {
+    id: string;
+    organizationId: string;
+    connectionId: string | null;
+    eventType: string;
+    actorEmail: string | null;
+    payload: Record<string, unknown>;
+    occurredAt: string;
+}
+/** Wire (snake_case) shape for SSO event responses. */
+interface SsoEventWire {
+    id: string;
+    organization_id: string;
+    connection_id: string | null;
+    event_type: string;
+    actor_email: string | null;
+    payload: Record<string, unknown>;
+    occurred_at: string;
+}
+declare function wireToSsoEvent(w: SsoEventWire): SsoEvent;
+/** Action to pass to `POST /v1/sso/enforce`. */
+type SsoEnforceAction = "enable" | "enforce";
+/**
+ * Four-boolean readiness checklist returned by `GET /v1/sso/status`.
+ * All four must be `true` before enforcement is safe to activate.
+ */
+interface SsoReadiness {
+    /** At least one SSO connection row exists for the org. */
+    connectionConfigured: boolean;
+    /** At least one connection has been activated (registered with the IdP). */
+    connectionTested: boolean;
+    /** Break-glass access has been configured (non-default settings). */
+    breakGlassSet: boolean;
+    /** No unreviewed active service API keys exist. */
+    serviceApiKeysReviewed: boolean;
+}
+/** Wire (snake_case) shape for the readiness response. */
+interface SsoReadinessWire {
+    connection_configured: boolean;
+    connection_tested: boolean;
+    break_glass_set: boolean;
+    service_api_keys_reviewed: boolean;
+}
+declare function wireToSsoReadiness(w: SsoReadinessWire): SsoReadiness;
+/** Input for creating a JIT provisioning rule. */
+interface SsoJitRuleInput {
+    connectionId: string;
+    claimAttribute: string;
+    claimValue: string;
+    grantedRole: SsoRole;
+    precedence?: number;
+}
+/** Patchable fields for an existing JIT rule. */
+interface SsoJitRulePatch {
+    claimAttribute?: string;
+    claimValue?: string;
+    grantedRole?: SsoRole;
+    precedence?: number;
+    isActive?: boolean;
+}
+/** Input for creating or updating an SSO connection. */
+interface SsoConnectionInput {
+    name: string;
+    protocol: "saml" | "oidc";
+    idpEntityId: string;
+    metadataUrl?: string | null;
+    metadataXml?: string | null;
+    emailDomain?: string | null;
+    enforceForDomain?: boolean;
+}
+/** Result of `POST /v1/sso/enforce`. */
+interface SsoEnforceResult {
+    ok: boolean;
+    action: SsoEnforceAction;
+    enforceSso: boolean;
+    enforceSsoAt: string | null;
+}
+/**
+ * Sub-client for SSO administration.
+ * Accessed as `client.sso` on {@link AtlaSentClient}.
+ */
+interface SsoSubClient {
+    /** List all SSO connections for the org. */
+    listConnections(): Promise<{
+        connections: SsoConnection[];
+    }>;
+    /** Get a single SSO connection by ID. */
+    getConnection(id: string): Promise<SsoConnection>;
+    /** Create a new SSO connection. */
+    createConnection(input: SsoConnectionInput): Promise<SsoConnection>;
+    /** Update an existing SSO connection. */
+    updateConnection(id: string, input: Partial<SsoConnectionInput>): Promise<SsoConnection>;
+    /** Delete an SSO connection. */
+    deleteConnection(id: string): Promise<void>;
+    /** Activate (register) a connection with the IdP. */
+    activateConnection(id: string): Promise<{
+        ok: boolean;
+        supabaseProviderId: string | null;
+    }>;
+    /**
+     * Advance the SSO enforcement state machine.
+     * `"enable"` → SSO enabled, not yet enforced.
+     * `"enforce"` → SSO mandatory for all members (requires readiness checklist to pass).
+     */
+    enforce(action: SsoEnforceAction): Promise<SsoEnforceResult>;
+    /** Get the four-boolean enforcement readiness checklist. */
+    getStatus(): Promise<SsoReadiness>;
+    /** List JIT provisioning rules, optionally filtered to a single connection. */
+    listJitRules(connectionId?: string): Promise<{
+        rules: SsoJitRule[];
+    }>;
+    /** Create a new JIT provisioning rule. */
+    createJitRule(input: SsoJitRuleInput): Promise<SsoJitRule>;
+    /** Update fields on an existing JIT rule. */
+    patchJitRule(id: string, patch: SsoJitRulePatch): Promise<SsoJitRule>;
+    /** Delete a JIT provisioning rule. */
+    deleteJitRule(id: string): Promise<void>;
+}
+/**
+ * Factory that returns the SSO sub-client bound to a host client's transport
+ * helpers. Called internally by AtlaSentClient; not part of the public API.
+ */
+declare function makeSsoClient(getFn: <T>(path: string, query?: URLSearchParams) => Promise<{
+    body: T;
+}>, postFn: <T>(path: string, body: unknown) => Promise<{
+    body: T;
+}>, patchFn: <T>(path: string, body: unknown) => Promise<{
+    body: T;
+}>, deleteFn: (path: string) => Promise<void>): SsoSubClient;
+
+/**
+ * Access Governance Log sub-client — paginated identity lifecycle events.
+ *
+ * Wire surface: GET /v1/access-governance-log
+ *
+ * Usage:
+ *
+ * ```ts
+ * import { AtlaSentClient } from "@atlasent/sdk";
+ *
+ * const client = new AtlaSentClient({ apiKey: "..." });
+ *
+ * const page = await client.accessGovernanceLog.list({ limit: 50 });
+ * for (const event of page.events) {
+ *   console.log(event.eventType, event.actorEmail);
+ * }
+ * if (page.nextCursor) {
+ *   const next = await client.accessGovernanceLog.list({ cursor: page.nextCursor });
+ * }
+ * ```
+ */
+/** A single identity lifecycle event from the access governance log. */
+interface AccessGovernanceEvent {
+    id: string;
+    eventType: string;
+    orgId: string;
+    actorId: string | null;
+    actorEmail: string | null;
+    ipAddress: string | null;
+    metadata: Record<string, unknown>;
+    createdAt: string;
+}
+/** A page of access governance events with cursor for the next page. */
+interface AccessGovernanceLogPage {
+    events: AccessGovernanceEvent[];
+    /** Pass as `cursor` to `list()` to fetch the next page. `null` means no more pages. */
+    nextCursor: string | null;
+    totalCount: number;
+}
+/** Query parameters for `accessGovernanceLog.list()`. */
+interface AccessGovernanceLogQuery {
+    /** Max events to return. Default 50, max 200. */
+    limit?: number;
+    /** Cursor from a previous page's `nextCursor`. */
+    cursor?: string;
+    /** Filter by event type (e.g. `"sso.login"`, `"jit.provisioned"`). */
+    eventType?: string;
+    /** Filter by actor email or UUID. */
+    actorId?: string;
+    /** Lower bound on event timestamp (ISO 8601). */
+    from?: string;
+    /** Upper bound on event timestamp (ISO 8601). */
+    to?: string;
+}
+/**
+ * Sub-client for the access governance log.
+ * Accessed as `client.accessGovernanceLog` on {@link AtlaSentClient}.
+ */
+interface AccessGovernanceLogSubClient {
+    /**
+     * Fetch a page of identity lifecycle events for the authenticated org.
+     *
+     * ```ts
+     * const { events, nextCursor } = await client.accessGovernanceLog.list({
+     *   eventType: "sso.login",
+     *   limit: 100,
+     * });
+     * ```
+     */
+    list(query?: AccessGovernanceLogQuery): Promise<AccessGovernanceLogPage>;
+}
+/**
+ * Factory that returns the access-governance-log sub-client bound to a host
+ * client's transport helpers. Called internally by AtlaSentClient.
+ */
+declare function makeAccessGovernanceLogClient(getFn: <T>(path: string, query?: URLSearchParams) => Promise<{
+    body: T;
+}>): AccessGovernanceLogSubClient;
+
+/**
+ * AtlaSent HTTP client.
+ *
+ * Two public methods, both backed by native `fetch`:
+ *   - {@link AtlaSentClient.evaluate}     → POST {baseUrl}/v1-evaluate
+ *   - {@link AtlaSentClient.verifyPermit} → POST {baseUrl}/v1-verify-permit
+ *
+ * Fail-closed: a clean policy DENY is returned (not thrown), but
+ * network, timeout, bad response, 4xx/5xx, and rate-limit conditions
+ * all throw {@link AtlaSentError}.
+ */
+
+declare class AtlaSentClient {
+    private readonly apiKey;
+    private readonly baseUrl;
+    private readonly timeoutMs;
+    private readonly fetchImpl;
+    private readonly userAgent;
+    private readonly retryPolicy;
+    /** SCIM 2.0 provisioning sub-client. Access as `client.scim`. */
+    readonly scim: ScimSubClient;
+    /** Evidence bundle sub-client. Access as `client.evidenceBundles`. */
+    readonly evidenceBundles: EvidenceBundleSubClient;
+    /** Auth / token management sub-client. Access as `client.auth`. */
+    readonly auth: AuthSubClient;
+    /** SSO administration sub-client. Access as `client.sso`. */
+    readonly sso: SsoSubClient;
+    /** Access governance log sub-client. Access as `client.accessGovernanceLog`. */
+    readonly accessGovernanceLog: AccessGovernanceLogSubClient;
+    /** Trust-root snapshot manager for this client instance. */
+    readonly trustRoot: TrustRootManager;
+    constructor(options: AtlaSentClientOptions);
+    /** Return the current trust-root snapshot (pinned or last successful refresh). */
+    getTrustSnapshot(): TrustRootSnapshot;
+    /**
+     * Ask the policy engine whether an agent action is permitted.
+     *
+     * Accepts either the current v2.0 shape (`action_type` / `actor_id`)
+     * or the legacy v1.x shape (`action` / `agent`). Legacy callers
+     * receive a deprecation warning via `console.warn`; the shim is
+     * handled by {@link normalizeEvaluateRequest} and will be removed
+     * in v3.0.0.
+     *
+     * A "deny" is **not** thrown — it is returned in
+     * `response.decision`. Network errors, invalid API key, rate
+     * limits, timeouts, and malformed responses throw
+     * {@link AtlaSentError}.
+     */
+    evaluate(input: EvaluateRequest | LegacyEvaluateRequest): Promise<EvaluateResponse>;
+    /**
+     * Batch evaluate — send up to 100 decisions in a single round-trip.
+     *
+    * Wraps `POST /v1/evaluate/batch` (with fallback to
+    * `POST /v1-evaluate-batch` on older runtimes). The server evaluates each item
+     * against the active policy bundle and returns results in the same
+     * order as the input. One rate-limit token is consumed for the
+     * whole batch, and one audit-chain entry lists every included
+     * decision id.
+     *
+     * A per-item policy `deny` is **not** thrown — it appears as
+     * `item.decision === "deny"` in the returned items. A whole-batch
+     * network error, 4xx, or 5xx throws {@link AtlaSentError}.
+     *
+     * Requires the `v2_batch` tenant feature flag to be enabled on the
+     * org (returns 404 when off). Requires scope `evaluate:write`.
+     *
+     * @param requests - 1–100 evaluate items.
+     * @param batchId  - Optional caller-supplied UUID for idempotency.
+     *   A retried call with the same `batchId` and identical items
+     *   returns the cached response within 24 h (`replayed: true`).
+     */
+    evaluateBatch(requests: BatchEvalItem[], batchId?: string): Promise<BatchEvalResponse>;
+    /**
+     * Subscribe to a live stream of decisions for this org.
+     *
+     * Wraps `GET /v1-decisions-stream`. The server emits one SSE frame
+     * per audit event and sends a heartbeat every 15 s. The session
+     * auto-closes after `maxSeconds` (default 30 min); reconnect with
+     * the last received `event.id` to resume without replaying history.
+     *
+     * ```ts
+     * const controller = new AbortController();
+     * for await (const event of client.subscribeDecisions({ signal: controller.signal })) {
+     *   if (event.type === "heartbeat") continue;
+     *   console.log(event.type, event.decision, event.actorId);
+     *   if (event.type === "session_end") break; // reconnect
+     * }
+     * ```
+     *
+     * Requires scope `audit:read`. Requires the `v2_decisions_stream`
+     * tenant feature flag (returns 404 when off).
+     */
+    subscribeDecisions(opts?: SubscribeDecisionsOptions): AsyncGenerator<DecisionStreamEvent>;
+    /**
+     * Pre-flight evaluation that always returns the constraint trace.
+     *
+     * Wraps `POST /v1-evaluate?include=constraint_trace`. Use this from
+     * a workflow's submission step to surface trivial defects (missing
+     * fields, wrong roles, mis-set context) BEFORE pushing the request
+     * onto an approval queue — only requests that would actually pass
+     * make it through to a human reviewer.
+     *
+     * Returns an {@link EvaluatePreflightResponse} carrying the regular
+     * {@link EvaluateResponse} plus the {@link ConstraintTrace}. Unlike
+     * {@link evaluate}, this method does NOT mark a non-allow as a
+     * thrown condition — the whole point is to inspect both the outcome
      * AND the per-policy trace, so the caller branches on
      * `result.evaluation.decision` and reads `result.constraintTrace`
      * to render the failing stages.
@@ -1879,7 +2585,8 @@ declare class AtlaSentClient {
      */
     replay(input: ReplayRequest): Promise<ReplayResponse>;
     /**
-     * Open a streaming evaluation session against `POST /v1-evaluate-stream`.
+    * Open a streaming evaluation session against `POST /v1/evaluate/stream`
+    * (with fallback to `POST /v1-evaluate-stream` on older runtimes).
      *
      * Yields {@link StreamDecisionEvent} and {@link StreamProgressEvent} objects
      * as the server emits them. The iterator ends cleanly when the server sends
@@ -1908,7 +2615,41 @@ declare class AtlaSentClient {
      * ```
      */
     protectStream(input: EvaluateRequest, opts?: StreamOptions): AsyncIterable<StreamEvent>;
+    /**
+     * Retrieve the license status of this self-hosted or air-gapped deployment.
+     *
+     * Calls `GET /v1/license`. Returns the current validity state, expiry,
+     * enabled feature flags, and optional capacity limits for the installed
+     * license key.
+     *
+     * Callers should check `result.status === "active"` before proceeding.
+     * A `"grace"` status means the license has lapsed but a grace window
+     * (`grace_until`) is still open — the deployment continues to function
+     * but the license should be renewed immediately.
+     *
+     * Throws {@link AtlaSentError} on transport / auth failures.
+     */
+    getLicense(): Promise<LicenseStatus & {
+        rateLimit: RateLimitState | null;
+    }>;
+    /**
+     * Validate a signed license blob against this deployment's installed
+     * public key.
+     *
+     * Calls `POST /v1/license/verify`. Use this when onboarding a new license
+     * key or rotating an expiring one — submit the blob received from AtlaSent
+     * and check `result.valid` before applying the new license.
+     *
+     * A `valid: false` response is **not** thrown — inspect the returned
+     * object. Only transport / server errors throw {@link AtlaSentError}.
+     *
+     * @param blob — The signed license blob string provided by AtlaSent.
+     */
+    verifyLicense(blob: string): Promise<LicenseVerifyResult & {
+        rateLimit: RateLimitState | null;
+    }>;
     private post;
+    private postWithPathFallback;
     private get;
     private request;
     /**
@@ -2173,6 +2914,13 @@ declare class AtlaSentClient {
      * surfaces as `clear`.
      */
     listGovernanceEvaluations(query: ListGovernanceEvaluationsQuery): Promise<GovernanceAgentEvaluation[]>;
+    private _post;
+    private _get;
+    private _put;
+    private _patch;
+    private _delete;
+    private _getRaw;
+    private _requestRaw;
 }
 
 /** Node's webcrypto CryptoKey — kept local so the module doesn't depend on DOM types. */
@@ -2220,6 +2968,14 @@ interface VerifyBundleOptions {
     publicKeysPem?: readonly string[];
     /** Already-imported keys, paired with registry ids (rotation hint). */
     keys?: readonly VerifyKey[];
+    /** Trust-root snapshot for revocation + expiry checks. */
+    trustRoot?: TrustRootSnapshot;
+    /**
+     * Opt out of fail-closed snapshot expiry check (ADR-005 D3).
+     * Intended for air-gap / offline use cases.
+     * Emits a one-time warning per process start.
+     */
+    allowExpiredSnapshot?: boolean;
 }
 /**
  * Reproduces `_shared/rules.ts::canonicalJSON` byte-for-byte:
@@ -2236,7 +2992,10 @@ declare function canonicalJSON(value: unknown): string;
  * the literal below is byte-identical with what the backend signs.
  */
 declare function signedBytesFor(bundle: AuditBundle): Uint8Array<ArrayBuffer>;
-declare function verifyAuditBundle(bundle: AuditBundle, keys: readonly VerifyKey[]): Promise<BundleVerificationResult>;
+declare function verifyAuditBundle(bundle: AuditBundle, keys: readonly VerifyKey[], trustRootOpts?: {
+    trustRoot?: TrustRootSnapshot;
+    allowExpiredSnapshot?: boolean;
+}): Promise<BundleVerificationResult>;
 /**
  * Load a bundle from disk (or a parsed object) and verify it.
  *
@@ -2245,6 +3004,11 @@ declare function verifyAuditBundle(bundle: AuditBundle, keys: readonly VerifyKey
  * but `signatureValid` will be false with an explanatory `reason` —
  * callers that want a complete offline check MUST supply the trust
  * set.
+ *
+ * When `trustRoot` is not supplied, the global trust-root manager's
+ * current snapshot is used automatically (B2.3 bootstrap wire-in).
+ * Pass `allowExpiredSnapshot: true` to disable fail-closed expiry
+ * for air-gap environments.
  */
 declare function verifyBundle(pathOrBundle: string | AuditBundle, options?: VerifyBundleOptions): Promise<BundleVerificationResult>;
 
@@ -2275,6 +3039,40 @@ declare function verifyBundle(pathOrBundle: string | AuditBundle, options?: Veri
  * Unlike calling the executor directly, dangerous code cannot bypass
  * this gate: if `requirePermit` throws, the executor never runs.
  */
+/**
+ * Catalog of built-in protected action types, mirroring `CanonicalProtectedActionType`
+ * in the OpenAPI spec. Use these constants as `action_type` values in
+ * {@link requirePermit} calls instead of bare strings.
+ *
+ * ```ts
+ * await requirePermit(
+ *   { action_type: CanonicalProtectedActionType.DATABASE_TABLE_DELETE, ... },
+ *   () => db.raw("DELETE FROM users"),
+ * );
+ * ```
+ */
+declare const CanonicalProtectedActionType: {
+    readonly PRODUCTION_DEPLOY: "production.deploy";
+    readonly HR_EMPLOYEE_OFFBOARD: "hr.employee.offboard";
+    readonly HR_ACCESS_REVOKE: "hr.access.revoke";
+    readonly HR_ROLE_ESCALATE: "hr.role.escalate";
+    readonly ML_MODEL_PROMOTE: "ml.model.promote";
+    readonly ML_MODEL_RETIRE: "ml.model.retire";
+    readonly ML_MODEL_FINE_TUNE: "ml.model.fine_tune";
+    readonly CUSTOMER_DATA_DELETE: "customer.data.delete";
+    readonly CONTRACT_EXECUTE: "contract.execute";
+    readonly CONTRACT_AMEND: "contract.amend";
+    readonly PRICING_RULE_PUBLISH: "pricing.rule.publish";
+    readonly PRICING_DISCOUNT_APPROVE: "pricing.discount.approve";
+    readonly SECURITY_INCIDENT_ESCALATE: "security.incident.escalate";
+    readonly SECURITY_ACCESS_QUARANTINE: "security.access.quarantine";
+    readonly ACCESS_CERT_REVOKE: "access.cert.revoke";
+    readonly PERIOD_CLOSE_CERTIFY: "period.close.certify";
+    readonly DATABASE_MIGRATION_APPLY: "database.migration.apply";
+    readonly DATABASE_SCHEMA_DROP: "database.schema.drop";
+    readonly DATABASE_TABLE_DELETE: "database.table.delete";
+};
+type CanonicalProtectedActionType = (typeof CanonicalProtectedActionType)[keyof typeof CanonicalProtectedActionType];
 /**
  * Describes a potentially dangerous action to be authorized before
  * the executor runs. Passed as the first argument to {@link requirePermit}.
@@ -2397,6 +3195,691 @@ declare function classifyCommand(command: string): string | null;
  */
 declare function withPermit<T>(request: ProtectRequest, fn: (permit: Permit) => Promise<T> | T): Promise<T>;
 
+/**
+ * Approval/Override Runtime — fail-closed bridge between policy `hold`/`escalate`
+ * outcomes and human approval.
+ *
+ * `protectOrEscalate()` — like `protect()` but handles hold/escalate by:
+ *   1. Creating an HITL escalation via POST /v1/hitl
+ *   2. Polling until approved, rejected, or timed out
+ *   3. Returning an `ApprovalPermit` on approval; throwing on rejection/timeout
+ *
+ * `createEscalation()` — create an HITL escalation request (lower-level)
+ * `waitForEscalationApproval()` — poll until the escalation resolves
+ * `requestOverride()` — request a post-hoc override for a denied evaluation
+ * `configureApprovalRuntime()` — set API key / base URL once
+ */
+
+interface ApprovalRuntimeConfig {
+    apiKey?: string;
+    baseUrl?: string;
+    /** Per-request HTTP timeout in ms. Default 30_000. */
+    timeoutMs?: number;
+}
+/**
+ * Configure the Approval Runtime singleton. Optional — if `ATLASENT_API_KEY` is
+ * set in the environment, the runtime works without configuration. Calling this
+ * again merges into the existing config.
+ */
+declare function configureApprovalRuntime(config: ApprovalRuntimeConfig): void;
+/** Opaque handle returned when an escalation is created. */
+interface EscalationHandle {
+    readonly escalationId: string;
+    readonly createdAt: string;
+    readonly timeoutAt: string | null;
+    readonly assignedToRole: string | null;
+}
+/** Terminal resolution status of an escalation. */
+type ApprovalStatus = "approved" | "rejected" | "timed_out";
+/** Full outcome returned when an escalation resolves. */
+interface EscalationOutcome {
+    readonly status: ApprovalStatus;
+    readonly escalation: HitlEscalation;
+    readonly resolvedBy: string | null;
+    readonly resolutionNote: string | null;
+    readonly resolvedAt: string | null;
+}
+/**
+ * Thrown by `protectOrEscalate` / `waitForEscalationApproval` when the
+ * human reviewer rejects the escalation.
+ */
+declare class EscalationDeniedError extends Error {
+    readonly name: "EscalationDeniedError";
+    readonly escalationId: string;
+    readonly outcome: EscalationOutcome;
+    constructor(outcome: EscalationOutcome);
+}
+/**
+ * Thrown by `protectOrEscalate` / `waitForEscalationApproval` when the
+ * client-side wait window expires before the escalation resolves.
+ */
+declare class EscalationTimeoutError extends Error {
+    readonly name: "EscalationTimeoutError";
+    readonly escalationId: string;
+    readonly outcome: EscalationOutcome;
+    constructor(outcome: EscalationOutcome);
+}
+/**
+ * Options for creating an HITL escalation. Extends `HitlCreateRequest` with
+ * API-key and base-URL overrides for per-call credential injection.
+ */
+interface CreateEscalationOptions extends Partial<HitlCreateRequest> {
+    apiKey?: string;
+    baseUrl?: string;
+}
+/**
+ * Create an HITL escalation via POST /v1/hitl.
+ *
+ * The escalation is placed in `pending` status; a reviewer must approve or
+ * reject it before the original action can proceed. Use
+ * `waitForEscalationApproval()` to poll until the escalation resolves.
+ */
+declare function createEscalation(opts: CreateEscalationOptions): Promise<EscalationHandle>;
+interface WaitForApprovalOptions {
+    escalationId: string;
+    /** Max milliseconds to wait for a human to respond. Default 600_000 (10 min). */
+    waitMs?: number;
+    /** How often to poll the API. Default 5000ms. Minimum 1000ms. */
+    pollIntervalMs?: number;
+    apiKey?: string;
+    baseUrl?: string;
+}
+/**
+ * Poll GET /v1/escalations/:id until the escalation reaches a terminal status
+ * (`approved`, `auto_approved`, `rejected`, or `timed_out`).
+ *
+ * Returns the resolved outcome regardless of approval/rejection — the caller
+ * decides whether to throw. Use `protectOrEscalate()` for the opinionated flow.
+ */
+declare function waitForEscalationApproval(opts: WaitForApprovalOptions): Promise<EscalationOutcome>;
+/**
+ * A verified Permit granted via human approval of an HITL escalation.
+ * Extends {@link Permit} with escalation provenance fields.
+ *
+ * `approvalBasis: "direct_policy"` — action was allowed directly by policy;
+ * no escalation was created.
+ *
+ * `approvalBasis: "human_approval"` — the policy returned `hold`/`escalate`;
+ * a human reviewer approved the escalation.
+ *
+ * Guards and enforcement adapters should treat both as equivalent authorization
+ * proof; auditors can distinguish them via `escalationId`.
+ */
+interface ApprovalPermit extends Permit {
+    /**
+     * The HITL escalation ID that authorized this action. Empty string when
+     * the action was directly allowed by policy (no escalation needed).
+     */
+    readonly escalationId: string;
+    /** Identity of the reviewer who approved, or `null` for `auto_approved`. */
+    readonly resolvedBy: string | null;
+    readonly resolutionNote: string | null;
+    readonly resolvedAt: string;
+    readonly approvalBasis: "direct_policy" | "human_approval";
+}
+interface ProtectOrEscalateOptions {
+    /** Agent ID recorded on the escalation. Defaults to `request.agent`. */
+    agentId?: string;
+    /** Human-readable reason surfaced in the reviewer's queue. */
+    escalationReason?: string;
+    /** The proposed action payload shown to reviewers. Defaults to `request.context`. */
+    proposedAction?: Record<string, unknown>;
+    riskScore?: number;
+    assignedToRole?: string;
+    quorumRequired?: HitlQuorumTier;
+    fallbackDecision?: HitlFallbackDecision;
+    /** ISO-8601 — when the escalation should auto-resolve per server policy. */
+    timeoutAt?: string;
+    metadata?: Record<string, unknown>;
+    /** Max ms to wait for a human decision. Default 600_000 (10 min). */
+    waitMs?: number;
+    /** How often to poll. Default 5000ms. */
+    pollIntervalMs?: number;
+    apiKey?: string;
+    baseUrl?: string;
+    /** Called with the EscalationHandle immediately after it is created. */
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+}
+/**
+ * Authorize an action end-to-end, automatically escalating to human review
+ * when the policy returns `hold` or `escalate`.
+ *
+ * **Directly allowed** → returns `ApprovalPermit` with
+ *   `approvalBasis: "direct_policy"` (same semantics as `protect()`).
+ *
+ * **Hold / escalate** → creates an HITL escalation, polls for a human
+ *   decision, and returns `ApprovalPermit` with
+ *   `approvalBasis: "human_approval"` on approval.
+ *
+ * **Throws**:
+ * - {@link EscalationDeniedError} — reviewer rejected the escalation
+ * - {@link EscalationTimeoutError} — wait window elapsed without a decision
+ * - {@link AtlaSentDeniedError} — hard deny (not hold/escalate); fail-closed
+ * - {@link AtlaSentError} — transport / auth / server failure; fail-closed
+ */
+declare function protectOrEscalate(request: ProtectRequest, opts?: ProtectOrEscalateOptions): Promise<ApprovalPermit>;
+interface RequestOverrideOptions {
+    /** Human-readable justification. Required; max 2000 characters. */
+    reason: string;
+    /** The evaluation ID that was denied and should be overridden. */
+    evaluationId: string;
+    /** How long this override is valid, in seconds. Max 604800 (7 days). */
+    ttlSeconds?: number;
+    /** Arbitrary metadata to attach (e.g. liability attribution context). */
+    metadata?: Record<string, unknown>;
+    apiKey?: string;
+    baseUrl?: string;
+}
+/**
+ * Request a post-hoc override for a denied evaluation via POST /v1/overrides.
+ *
+ * The override starts in `pending` status and takes effect only after an
+ * authorized actor approves it. Subsequent evaluations for the same action
+ * will return `allow` while the override is `approved` and within its TTL.
+ *
+ * Attach `metadata.requested_by` for liability attribution.
+ */
+declare function requestOverride(opts: RequestOverrideOptions): Promise<OverrideV1>;
+
+type DeployEnvironment = "production" | "staging" | "development" | string;
+interface DeployGateOptions {
+    service: string;
+    resourceType?: string;
+    sha?: string;
+    workflow?: string;
+    actorId?: string;
+    actorLabel?: string;
+    environment?: DeployEnvironment;
+    description?: string;
+    requireApproval?: boolean;
+    assignedToRole?: string;
+    waitMs?: number;
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+    apiKey?: string;
+    baseUrl?: string;
+    /** Slack Incoming Webhook URL. When set, an informational message is posted
+     *  when the gate returns deny or escalate. Best-effort; never throws. */
+    notifySlackWebhook?: string;
+}
+declare function protectDeploy(opts: DeployGateOptions): Promise<ApprovalPermit | Permit>;
+
+type CloseActionType = "period.close" | "period.reopen" | "reconciliation.lock" | "reconciliation.certify";
+interface CloseGovernanceOptions {
+    action: CloseActionType;
+    periodLabel: string;
+    closedBy: string;
+    entityId: string;
+    entityName?: string;
+    dataClassification?: "internal" | "confidential" | "restricted";
+    assignedToRole?: string;
+    requireDualApproval?: boolean;
+    waitMs?: number;
+    description?: string;
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+    apiKey?: string;
+    baseUrl?: string;
+}
+interface ReconciliationCertifyOptions {
+    accountId: string;
+    period: string;
+    certifiedBy: string;
+    balanceDifference: number;
+    dualApprovalRequired: boolean;
+    secondApprover?: string;
+    supportingEvidenceUri?: string;
+    assignedToRole?: string;
+    waitMs?: number;
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+    apiKey?: string;
+    baseUrl?: string;
+}
+declare function protectReconciliationCertify(opts: ReconciliationCertifyOptions): Promise<ApprovalPermit>;
+declare function protectCloseAction(opts: CloseGovernanceOptions): Promise<ApprovalPermit>;
+
+declare const VENDOR_PAYMENT_ACTION: "vendor.payment.release";
+interface PaymentReleaseOptions {
+    amount: number;
+    currency: string;
+    vendorId: string;
+    vendorName?: string;
+    authorizedBy: string;
+    reference?: string;
+    description?: string;
+    autoEscalateAbove?: number;
+    requireDualApprovalAbove?: number;
+    assignedToRole?: string;
+    waitMs?: number;
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+    apiKey?: string;
+    baseUrl?: string;
+}
+declare function protectPaymentRelease(opts: PaymentReleaseOptions): Promise<ApprovalPermit | Permit>;
+
+declare const CUSTOMER_DATA_EXPORT_ACTION: "customer.data.export";
+interface DataExportOptions {
+    dataset: string;
+    destination: string;
+    containsPii: boolean;
+    rowCount: number;
+    dataClassification: "public" | "internal" | "confidential" | "restricted";
+    purpose: string;
+    dpaReference?: string;
+    encryption?: string;
+    authorizedBy: string;
+    rowCap?: number;
+    assignedToRole?: string;
+    waitMs?: number;
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+    apiKey?: string;
+    baseUrl?: string;
+}
+declare function protectDataExport(opts: DataExportOptions): Promise<ApprovalPermit | Permit>;
+
+type ShadowMode = "observe" | "warn" | "enforce";
+interface ShadowOutcome {
+    readonly decision: "permit" | "deny" | "hold" | "escalate";
+    readonly permit: Permit | null;
+    readonly error: AtlaSentDeniedError | null;
+    readonly would_have_blocked: boolean;
+    readonly latencyMs: number;
+    readonly evaluationId: string | null;
+    readonly request: ProtectRequest;
+    readonly mode: ShadowMode;
+}
+interface ShadowConfig {
+    mode?: ShadowMode;
+    onOutcome?: (outcome: ShadowOutcome) => void | Promise<void>;
+    reportToApi?: boolean;
+    apiKey?: string;
+    baseUrl?: string;
+}
+declare function configureShadow(config: ShadowConfig): void;
+interface ShadowOptions extends ShadowConfig {
+}
+declare function protectShadow(request: ProtectRequest, opts?: ShadowOptions): Promise<ShadowOutcome>;
+interface ShadowEventPayload {
+    action: string;
+    agentId: string | null;
+    decision: ShadowOutcome["decision"];
+    would_have_blocked: boolean;
+    latencyMs: number;
+    evaluationId: string | null;
+    mode: ShadowMode;
+    deniedReason?: string;
+    timestamp: string;
+}
+declare function reportShadowEvent(outcome: ShadowOutcome, opts?: Pick<ShadowConfig, "apiKey" | "baseUrl">): Promise<void>;
+
+type AgentToolMode = "observe" | "enforce" | "escalate";
+interface AgentToolOptions {
+    toolName: string;
+    toolArgs: Record<string, unknown>;
+    agentId: string;
+    sessionId?: string;
+    riskLevel?: "critical" | "high" | "medium" | "low";
+    mode?: AgentToolMode;
+    assignedToRole?: string;
+    waitMs?: number;
+    description?: string;
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+    apiKey?: string;
+    baseUrl?: string;
+}
+declare function classifyToolRisk(toolName: string): "critical" | "high" | "medium" | "low";
+declare function protectToolCall(opts: AgentToolOptions): Promise<ApprovalPermit | Permit | ShadowOutcome>;
+
+type GxpActionType = "manufacturing.batch_record.release" | "clinical.tmf.record.modify" | "clinical.data.access" | "clinical.source_data.read" | "clinical.signature.apply" | "clinical.deviation.report" | "clinical.consent.update" | "quality.capa.initiate" | "quality.capa.assign" | "quality.capa.progress" | "quality.capa.effectiveness_check" | "quality.capa.close" | "quality.deviation.detect" | "quality.deviation.classify" | "quality.deviation.escalate" | "quality.deviation.investigate" | "quality.deviation.close" | "quality.change_control.initiate" | "quality.change_control.classify" | "quality.change_control.approve" | "quality.change_control.implement" | "quality.change_control.close";
+interface BatchRecordReleaseOptions {
+    batchId: string;
+    productCode: string;
+    lotNumber: string;
+    certifiedBy: string;
+    qaSignoffBy: string;
+    batchRecordComplete: boolean;
+    deviationCount: number;
+    regulatoryRegion: string;
+    action: "manufacturing.batch_record.release";
+    assignedToRole?: string;
+    waitMs?: number;
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+    apiKey?: string;
+    baseUrl?: string;
+}
+interface ClinicalDataAccessOptions {
+    subjectId: string;
+    dataCategory: string;
+    accessedBy: string;
+    purpose: string;
+    aiAgent: boolean;
+    consentVerified: boolean;
+    trialId: string;
+    action: "clinical.data.access";
+    assignedToRole?: string;
+    waitMs?: number;
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+    apiKey?: string;
+    baseUrl?: string;
+}
+interface CAPAOptions {
+    capaId: string;
+    action: GxpActionType & `quality.capa.${string}`;
+    initiatedBy?: string;
+    closedBy?: string;
+    secondClosedBy?: string;
+    severity?: "minor" | "major" | "critical";
+    assignedToRole?: string;
+    waitMs?: number;
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+    apiKey?: string;
+    baseUrl?: string;
+    [key: string]: unknown;
+}
+type GxpActionOptions = BatchRecordReleaseOptions | ClinicalDataAccessOptions | CAPAOptions | {
+    action: GxpActionType;
+    assignedToRole?: string;
+    waitMs?: number;
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+    apiKey?: string;
+    baseUrl?: string;
+    [key: string]: unknown;
+};
+declare function protectGxpAction(opts: GxpActionOptions): Promise<ApprovalPermit>;
+declare function protectBatchRecordRelease(opts: Omit<BatchRecordReleaseOptions, "action">): Promise<ApprovalPermit>;
+
+type PaymentOperationActionType = "payment.approval.approve" | "payment.approval.deny" | "payment.execute.approved" | "payment.execute.held" | "payment.execute.denied" | "payment.execute.policy_error" | "qb.transaction.approve";
+interface PaymentOperationOptions {
+    paymentId: string;
+    action: PaymentOperationActionType;
+    amount?: number;
+    currency?: string;
+    approvedBy?: string;
+    deniedBy?: string;
+    executedBy?: string;
+    heldBy?: string;
+    holdReason?: string;
+    policyRule?: string;
+    errorCode?: string;
+    bankReference?: string;
+    invoiceId?: string;
+    vendorId?: string;
+    accountCode?: string;
+    transactionId?: string;
+    assignedToRole?: string;
+    waitMs?: number;
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+    apiKey?: string;
+    baseUrl?: string;
+}
+declare function protectPaymentOperation(opts: PaymentOperationOptions): Promise<ApprovalPermit | Permit>;
+
+type DeploymentActionType = "deployment.production.execute" | "deployment.staging.execute" | "deployment.rollback.execute";
+/**
+ * V1 backward-compatibility constant. The original `production.deploy`
+ * action string from deployGate.ts is still supported by the server.
+ * Use `DeploymentActionType` values for new V2 integrations.
+ */
+declare const DEPLOY_V1_ACTION: "production.deploy";
+interface DeploymentV2Options {
+    action: DeploymentActionType;
+    deploymentId: string;
+    buildSha: string;
+    environment: "production" | "staging";
+    approvedBy?: string;
+    rollbackPlan?: string;
+    changeTicket?: string;
+    incidentId?: string;
+    rollbackTarget?: string;
+    authorizedBy?: string;
+    assignedToRole?: string;
+    waitMs?: number;
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+    apiKey?: string;
+    baseUrl?: string;
+}
+declare function protectDeploymentV2(opts: DeploymentV2Options): Promise<ApprovalPermit>;
+
+type BehaviorEventCategory = "general" | "health.mental" | "health.adherence" | "financial" | "minor";
+declare const BEHAVIOR_SENSITIVE_CATEGORIES: BehaviorEventCategory[];
+interface BehaviorEventOptions {
+    action: "behavior.event.share";
+    subjectId: string;
+    eventCategory: BehaviorEventCategory;
+    destination: string;
+    purpose: string;
+    consentVerified: boolean;
+    dataMinimized: boolean;
+    subjectIsMinor?: boolean;
+    assignedToRole?: string;
+    waitMs?: number;
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+    apiKey?: string;
+    baseUrl?: string;
+}
+declare function protectBehaviorEvent(opts: BehaviorEventOptions): Promise<ApprovalPermit>;
+
+type InfraActionType = "aws.ec2.stop_instance" | "aws.ec2.terminate_instance" | "github.repos.delete" | "database.table.drop" | "database.volume.delete" | "db.table.delete" | "infra.volume.delete";
+interface InfraActionOptions {
+    action: InfraActionType;
+    resourceId: string;
+    authorizedBy: string;
+    reason: string;
+    changeTicket?: string;
+    incidentId?: string;
+    backupVerified?: boolean;
+    region?: string;
+    assignedToRole?: string;
+    waitMs?: number;
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+    apiKey?: string;
+    baseUrl?: string;
+}
+declare function protectInfraAction(opts: InfraActionOptions): Promise<ApprovalPermit | Permit>;
+
+type HrActionType = "hr.employee.offboard" | "hr.access.revoke" | "hr.role.escalate";
+interface HrActionOptions {
+    action: HrActionType;
+    employeeId: string;
+    authorizedBy: string;
+    effectiveDate?: string;
+    offboardingReason?: string;
+    requestedRole?: string;
+    businessJustification?: string;
+    assignedToRole?: string;
+    waitMs?: number;
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+    apiKey?: string;
+    baseUrl?: string;
+}
+declare function protectHrAction(opts: HrActionOptions): Promise<ApprovalPermit | Permit>;
+declare function protectHrOffboard(opts: Omit<HrActionOptions, "action"> & {
+    effectiveDate: string;
+    offboardingReason: string;
+}): Promise<ApprovalPermit | Permit>;
+declare function protectHrRoleEscalate(opts: Omit<HrActionOptions, "action"> & {
+    requestedRole: string;
+    businessJustification: string;
+}): Promise<ApprovalPermit | Permit>;
+
+type ModelGovernanceActionType = "ml.model.promote" | "ml.model.retire" | "ml.model.fine_tune";
+interface ModelGovernanceOptions {
+    action: ModelGovernanceActionType;
+    modelId: string;
+    authorizedBy: string;
+    reason: string;
+    safetyReviewId?: string;
+    serviceImpactAssessed?: boolean;
+    alignmentVerified?: boolean;
+    targetEnvironment?: string;
+    assignedToRole?: string;
+    waitMs?: number;
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+    apiKey?: string;
+    baseUrl?: string;
+}
+declare function protectModelGovernance(opts: ModelGovernanceOptions): Promise<ApprovalPermit>;
+declare function protectModelPromotion(opts: Omit<ModelGovernanceOptions, "action">): Promise<ApprovalPermit>;
+
+type DataDeleteActionType = "customer.data.delete";
+type GdprLegalBasis = "erasure_request" | "retention_expired" | "consent_withdrawn" | "controller_instruction";
+interface DataDeleteOptions {
+    action: DataDeleteActionType;
+    dataSubjectId: string;
+    verifiedBy: string;
+    gdprBasis: GdprLegalBasis;
+    dpaReference?: string;
+    dataCategories?: string[];
+    retentionEndDate?: string;
+    assignedToRole?: string;
+    waitMs?: number;
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+    apiKey?: string;
+    baseUrl?: string;
+}
+declare function protectCustomerDataDelete(opts: DataDeleteOptions): Promise<ApprovalPermit>;
+
+type ContractActionType = "contract.execute" | "contract.amend";
+interface ContractActionOptions {
+    action: ContractActionType;
+    contractId: string;
+    authorizedBy: string;
+    counterparty: string;
+    legalReviewId?: string;
+    estimatedValue?: number;
+    currency?: string;
+    effectiveDate?: string;
+    amendmentDescription?: string;
+    assignedToRole?: string;
+    waitMs?: number;
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+    apiKey?: string;
+    baseUrl?: string;
+}
+declare function protectContractAction(opts: ContractActionOptions): Promise<ApprovalPermit>;
+declare function protectContractExecution(opts: Omit<ContractActionOptions, "action">): Promise<ApprovalPermit>;
+
+type PricingActionType = "pricing.rule.publish" | "pricing.discount.approve";
+interface PricingActionOptions {
+    action: PricingActionType;
+    ruleId: string;
+    authorizedBy: string;
+    priceChangePct?: number;
+    affectedSkus?: string[];
+    effectiveDate?: string;
+    discountPercent?: number;
+    customerId?: string;
+    discountReason?: string;
+    assignedToRole?: string;
+    waitMs?: number;
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+    apiKey?: string;
+    baseUrl?: string;
+}
+declare function protectPricingAction(opts: PricingActionOptions): Promise<ApprovalPermit | Permit>;
+declare function protectPricingRule(opts: Omit<PricingActionOptions, "action">): Promise<ApprovalPermit | Permit>;
+
+type SecurityActionType = "security.incident.escalate" | "security.access.quarantine";
+interface SecurityActionOptions {
+    action: SecurityActionType;
+    authorizedBy: string;
+    incidentId?: string;
+    severity?: "low" | "medium" | "high" | "critical";
+    targetId?: string;
+    quarantineReason?: string;
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+    apiKey?: string;
+    baseUrl?: string;
+}
+declare function protectSecurityAction(opts: SecurityActionOptions): Promise<ApprovalPermit>;
+declare function protectSecurityIncidentEscalate(opts: Omit<SecurityActionOptions, "action"> & {
+    incidentId: string;
+    severity: "low" | "medium" | "high" | "critical";
+}): Promise<ApprovalPermit>;
+declare function protectSecurityAccessQuarantine(opts: Omit<SecurityActionOptions, "action"> & {
+    targetId: string;
+    quarantineReason: string;
+}): Promise<ApprovalPermit>;
+
+type AccessCertActionType = "access.cert.revoke";
+interface AccessCertOptions {
+    action: AccessCertActionType;
+    certId: string;
+    revocationReason: string;
+    authorizedBy?: string;
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+    apiKey?: string;
+    baseUrl?: string;
+}
+declare function protectAccessCertAction(opts: AccessCertOptions): Promise<ApprovalPermit>;
+declare function protectAccessCertRevoke(opts: Omit<AccessCertOptions, "action">): Promise<ApprovalPermit>;
+
+type FinancialCloseActionType = "period.close.certify";
+interface FinancialCloseOptions {
+    action: FinancialCloseActionType;
+    periodId: string;
+    certifiedBy: string;
+    financialController: string;
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+    apiKey?: string;
+    baseUrl?: string;
+}
+declare function protectFinancialCloseAction(opts: FinancialCloseOptions): Promise<ApprovalPermit>;
+declare function protectPeriodCloseCertify(opts: Omit<FinancialCloseOptions, "action">): Promise<ApprovalPermit>;
+
+type DatabaseMigrationActionType = "database.migration.apply";
+type DatabaseDestructiveActionType = "database.schema.drop" | "database.table.delete";
+type DatabaseActionType = DatabaseMigrationActionType | DatabaseDestructiveActionType;
+interface PermitEvidence {
+    action: DatabaseActionType;
+    databaseId: string;
+    authorizedBy: string;
+    permitToken: string;
+    timestamp: string;
+    context: Record<string, unknown>;
+}
+interface DenialEvidence {
+    action: DatabaseActionType;
+    databaseId: string;
+    authorizedBy: string;
+    denialReason: string;
+    evaluationId?: string;
+    timestamp: string;
+    context: Record<string, unknown>;
+}
+interface DatabaseActionOptions {
+    action: DatabaseActionType;
+    databaseId: string;
+    authorizedBy: string;
+    environment: "production" | "staging" | "development";
+    migrationId?: string;
+    migrationChecksum?: string;
+    rollbackPlan?: string;
+    schemaName?: string;
+    tableName?: string;
+    backupVerified?: boolean;
+    recoveryPointId?: string;
+    onPermitEvidence?: (evidence: PermitEvidence) => void | Promise<void>;
+    onDenialEvidence?: (evidence: DenialEvidence) => void | Promise<void>;
+    waitMs?: number;
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+    apiKey?: string;
+    baseUrl?: string;
+}
+declare function protectDatabaseAction(opts: DatabaseActionOptions): Promise<ApprovalPermit | Permit>;
+declare function protectDatabaseMigration(opts: Omit<DatabaseActionOptions, "action"> & {
+    migrationId: string;
+    migrationChecksum: string;
+}): Promise<ApprovalPermit | Permit>;
+declare function protectDatabaseSchemaDrop(opts: Omit<DatabaseActionOptions, "action"> & {
+    schemaName: string;
+    backupVerified: true;
+    recoveryPointId: string;
+}): Promise<ApprovalPermit | Permit>;
+declare function protectDatabaseTableDelete(opts: Omit<DatabaseActionOptions, "action"> & {
+    tableName: string;
+    backupVerified: true;
+    recoveryPointId: string;
+}): Promise<ApprovalPermit | Permit>;
+
 /**
  * Sandbox simulation diff — wire shape for `GET /v1/agent-sandbox/:id/diff`.
  *
@@ -2710,6 +4193,118 @@ interface QuorumProof {
     approval_ids: string[];
 }
 
+/**
+ * Context Envelope types — structured input set for execution-time
+ * authorization decisions.
+ *
+ * These types mirror the `context_envelopes` + `context_signals` +
+ * `context_namespace_registry` DB schema introduced in migration
+ * `20260522070000_context_envelope_v1.sql`.
+ *
+ * A V1 envelope has a fixed top-level keyset (the canonical namespace
+ * catalog). The recorder validates incoming envelopes against this catalog
+ * and rejects unknown top-level keys in strict mode (V2+).
+ */
+/** Canonical V1 envelope top-level namespace keys. */
+declare const CONTEXT_NAMESPACES: readonly ["intent", "actor", "resource", "environment", "history", "evidence_refs", "signals", "compatibility_overrides"];
+type ContextNamespaceKey = (typeof CONTEXT_NAMESPACES)[number];
+/** One row from `context_namespace_registry`. */
+interface ContextNamespaceEntry {
+    namespace: ContextNamespaceKey;
+    purpose: string;
+    owner: string;
+    /** `true` for the `signals` namespace — derived / inferred inputs. */
+    is_signal: boolean;
+    introduced_in_version: string;
+}
+/** One signal attached to a context envelope. */
+interface ContextSignal {
+    /** Dotted path under the `signals` namespace (e.g. `"signals.actor_anomaly"`). */
+    namespace: string;
+    /** Named source that produced this signal. */
+    source: string;
+    /** Confidence in [0.0, 1.0]. `null` when not reported. */
+    confidence: number | null;
+    /** Arbitrary signal payload. */
+    payload: Record<string, unknown>;
+    /** ISO-8601 timestamp when the signal was produced. */
+    produced_at: string;
+    /** Seconds until the signal is considered stale. `null` = no expiry. */
+    ttl_seconds: number | null;
+}
+/**
+ * A canonical V1 context envelope — the deterministic input set that
+ * powers execution-time authorization decisions.
+ *
+ * Envelopes are append-only and hash-committed: `envelope_hash` is
+ * SHA-256 of the canonical JSON form. The permit issued by the evaluator
+ * commits to this hash so the audit chain, the permit, and a verifier all
+ * agree on what was evaluated.
+ *
+ * ```ts
+ * import type { ContextEnvelope } from "@atlasent/sdk";
+ *
+ * const envelope: ContextEnvelope = {
+ *   request_id: "req_abc123",
+ *   org_id: "org_xyz",
+ *   envelope_version: "atlasent.v1",
+ *   protected_action: "production.deploy",
+ *   envelope: {
+ *     intent: { action: "deploy", summary: "Release v1.2.0" },
+ *     actor: { id: "agent:deploy-bot", roles: ["deploy"] },
+ *     environment: { name: "production", freeze_window: false },
+ *   },
+ *   envelope_hash: "a3f...",
+ *   evidence_refs: [],
+ *   recorded_by: "v1-evaluate",
+ *   received_at: "2026-06-02T00:00:00Z",
+ *   signals: [],
+ * };
+ * ```
+ */
+interface ContextEnvelope {
+    /** Caller-supplied idempotency / correlation key. */
+    request_id: string;
+    org_id: string;
+    envelope_version: "atlasent.v1";
+    /** The namespaced action type this envelope covers. */
+    protected_action: string;
+    /**
+     * The full validated envelope payload. Top-level keys must be in
+     * {@link CONTEXT_NAMESPACES}. Unknown keys are warn-only in V1.
+     */
+    envelope: Partial<Record<ContextNamespaceKey, unknown>>;
+    /**
+     * SHA-256 hex of `canonical-JSON(envelope)`. Three points of truth
+     * (permit, audit chain, verifier) reduce to this single hash.
+     */
+    envelope_hash: string;
+    /** UUIDs of governance evidence rows referenced by this envelope. */
+    evidence_refs: string[];
+    /** Which handler wrote this row (e.g. `"v1-evaluate"`). */
+    recorded_by: string;
+    /** ISO-8601 timestamp. */
+    received_at: string;
+    /** Signals attached to this envelope. */
+    signals: ContextSignal[];
+}
+/**
+ * Minimal input shape for recording a context envelope via
+ * `context_record_envelope()`. The hash is computed by the caller
+ * before submitting.
+ */
+interface RecordContextEnvelopeInput {
+    request_id: string;
+    org_id: string;
+    envelope_version: "atlasent.v1";
+    protected_action: string;
+    envelope: Partial<Record<ContextNamespaceKey, unknown>>;
+    envelope_hash: string;
+    evidence_refs?: string[];
+    recorded_by?: string;
+    signals?: Omit<ContextSignal, never>[];
+}
+
 /**
  * Shared V1 API wire types used across multiple SDK modules.
  *
@@ -2841,6 +4436,130 @@ interface ProofResponse {
     issuedAt: string;
 }
 
+/**
+ * Trust-root Phase 2 — hybrid snapshot bootstrap + revocation enforcement.
+ *
+ * Provides a lightweight TrustSnapshot type (numeric epoch timestamps,
+ * JWK-array keys, flat revoked_kids list) alongside three helpers that
+ * the verify() path and application code can call directly.
+ *
+ * Design decisions (ADR-005):
+ *
+ * - D3 (fail-closed expiry): isTrustSnapshotExpired() defaults to a 24-hour
+ *   TTL and returns true when the snapshot is older than that or when
+ *   expires_at has already passed. Callers in verify() must treat an expired
+ *   snapshot as a denial.
+ *
+ * - D4 (R2/R3 split): revoked_kids is a flat allowlist consulted for ANY
+ *   KID regardless of role. Role enforcement belongs in auditBundle.ts;
+ *   this module only answers "is this KID revoked?"
+ *
+ * - Bootstrap: bootstrapTrust() fetches the .well-known endpoint and merges
+ *   the response with an optional pinned snapshot.  The pinned snapshot is
+ *   returned as-is if the fetch fails (silent fallback).
+ *
+ * - Refresh: background scheduling is handled by TrustRootManager in
+ *   trustRoot.ts.  bootstrapTrust() is intentionally a one-shot function
+ *   for callers that need an explicit initial snapshot without wiring up
+ *   the full manager.
+ */
+/**
+ * Minimal JWK key entry as returned by the .well-known endpoint.
+ *
+ * Deliberately loose — additional vendor-defined fields (kid, use,
+ * alg, crv, x, …) are preserved but not enumerated here so the type
+ * survives forward additions to the key document.
+ */
+interface JWK {
+    /** Key identifier — used for revocation checks. */
+    kid: string;
+    /** Key type, e.g. "OKP", "EC", "RSA". */
+    kty: string;
+    [key: string]: unknown;
+}
+/**
+ * Trust snapshot in the Phase 2 wire format.
+ *
+ * Uses numeric epoch-millisecond timestamps so callers can compare
+ * directly with Date.now() without parsing ISO-8601 strings.
+ */
+interface TrustSnapshot {
+    /** Active verification keys from the trust root. */
+    keys: JWK[];
+    /** KIDs that have been revoked; any permit signed by these must be rejected. */
+    revoked_kids: string[];
+    /**
+     * Unix epoch (ms) when this snapshot was fetched from the server.
+     * Used as the reference point for TTL expiry checks.
+     */
+    fetched_at: number;
+    /**
+     * Unix epoch (ms) at which this snapshot expires regardless of TTL.
+     * bootstrapTrust() derives this from the `valid_until` field in the
+     * server response when available, otherwise from fetched_at + TTL.
+     */
+    expires_at: number;
+}
+/** Default snapshot TTL: 24 hours in milliseconds. */
+declare const DEFAULT_TRUST_TTL_MS: number;
+/**
+ * Fetch a fresh TrustSnapshot from the AtlaSent trust-root documents.
+ *
+ * Fetches three documents from `${baseUrl}/.well-known/` in parallel:
+ *   - `atlasent-verifier-keys.json`  — active verification keys
+ *   - `atlasent-revocations.json`    — revoked KIDs
+ *   - `atlasent-trust-root.json`     — validity window (valid_until, issued_at)
+ *
+ * Uses a 10-second timeout across all three fetches.  On any failure
+ * (network error, non-2xx, malformed response) the function returns the
+ * `pinnedSnapshot` if provided, or re-throws the underlying error when no
+ * fallback is available.
+ *
+ * The `expires_at` field is derived from the trust-root document's
+ * `valid_until` field when present; otherwise it is set to
+ * `fetched_at + ttlMs`.
+ *
+ * @param baseUrl        Root URL of the AtlaSent keys host (no trailing slash).
+ * @param pinnedSnapshot Optional pre-loaded snapshot to use as fallback.
+ * @param ttlMs          TTL for the snapshot in ms (default: 24 hours).
+ * @param fetchImpl      Custom fetch implementation (for tests/environments
+ *                       without a global fetch).
+ */
+declare function bootstrapTrust(baseUrl: string, pinnedSnapshot?: TrustSnapshot, ttlMs?: number, fetchImpl?: typeof fetch): Promise<TrustSnapshot>;
+/**
+ * Returns true when the snapshot should be treated as expired.
+ *
+ * A snapshot is expired when EITHER:
+ *   1. `expires_at` is in the past, OR
+ *   2. `fetched_at + ttlMs` is in the past (age-based eviction).
+ *
+ * The stricter of the two checks wins so a snapshot that was fetched
+ * recently but carries an already-expired `expires_at` is still rejected.
+ *
+ * ADR-005 D3: callers in the verify() path MUST treat an expired
+ * snapshot as a denial (`failClosedOnExpiry` is honoured by the client
+ * integration — see verify.ts).
+ *
+ * @param snapshot  The snapshot to check.
+ * @param ttlMs     Maximum age in ms from `fetched_at` (default: 24 hours).
+ * @param nowMs     Override for `Date.now()` (for testing).
+ */
+declare function isTrustSnapshotExpired(snapshot: TrustSnapshot, ttlMs?: number, nowMs?: number): boolean;
+/**
+ * Returns true when the given KID appears in the snapshot's revocation list.
+ *
+ * Used by the verify() path before accepting a permit's signature:
+ * ```ts
+ * if (isKidRevoked(snapshot, permit.kid)) {
+ *   return { valid: false, reason: 'SIGNING_KEY_REVOKED' };
+ * }
+ * ```
+ *
+ * @param snapshot  Trust snapshot to consult.
+ * @param kid       Key identifier from the permit or audit bundle header.
+ */
+declare function isKidRevoked(snapshot: TrustSnapshot, kid: string): boolean;
+
 /**
  * Financial Action Model — canonical types for financial execution authority.
  *
@@ -4340,223 +6059,187 @@ declare function evaluateMany(transport: V2Transport, req: EvaluateManyRequest):
  */
 interface AuthorizeStreamHandlers {
     onDecision?: (frame: StreamDecisionFrame) => void;
-    onError?: (frame: StreamErrorFrame) => void;
-}
-/**
- * `POST /v1/evaluate/stream` — V2-D4.
- *
- * Streams `event: decision` frames in input order. Per-item RPC
- * failures arrive as `event: error` frames and do not tear down the
- * stream (V2-D7 async semantics). Resolves with the terminal
- * `event: complete` payload.
- *
- * @throws {FeatureNotEnabledError} When the tenant `v2_streaming` flag is off.
- * @throws {AtlaSentError} For transport failures, including the stream
- *   closing without a `complete` frame.
- */
-declare function authorizeStream(transport: V2Transport, req: EvaluateManyRequest, handlers?: AuthorizeStreamHandlers): Promise<StreamComplete>;
-/**
- * `POST /v1/graphql` — V2-D2 + V2-D8.
- *
- * Bearer-only auth (no query-param). Wave A schema is read-only
- * (`recentEvaluations(limit)` + `activeBundle`). Server enforces the
- * V2-D8 OR-gate (`audit:read` OR `policy:read`) at request layer and
- * a per-resolver AND-gate at field resolution time.
- *
- * Resolver-level errors surface on `response.errors` — the SDK does
- * not throw on them so callers can inspect partial data.
- *
- * @throws {FeatureNotEnabledError} When the tenant `v2_graphql` flag is off.
- * @throws {AtlaSentError} For transport / HTTP failures.
- * @throws {TypeError} When `query` is empty or the body exceeds the 1MB cap.
- */
-declare function graphql<T = unknown>(transport: V2Transport, req: GraphQLRequest): Promise<GraphQLResponse<T>>;
-
-/**
- * Approval/Override Runtime — fail-closed bridge between policy `hold`/`escalate`
- * outcomes and human approval.
- *
- * `protectOrEscalate()` — like `protect()` but handles hold/escalate by:
- *   1. Creating an HITL escalation via POST /v1/hitl
- *   2. Polling until approved, rejected, or timed out
- *   3. Returning an `ApprovalPermit` on approval; throwing on rejection/timeout
- *
- * `createEscalation()` — create an HITL escalation request (lower-level)
- * `waitForEscalationApproval()` — poll until the escalation resolves
- * `requestOverride()` — request a post-hoc override for a denied evaluation
- * `configureApprovalRuntime()` — set API key / base URL once
- */
-
-interface ApprovalRuntimeConfig {
-    apiKey?: string;
-    baseUrl?: string;
-    /** Per-request HTTP timeout in ms. Default 30_000. */
-    timeoutMs?: number;
-}
-/**
- * Configure the Approval Runtime singleton. Optional — if `ATLASENT_API_KEY` is
- * set in the environment, the runtime works without configuration. Calling this
- * again merges into the existing config.
- */
-declare function configureApprovalRuntime(config: ApprovalRuntimeConfig): void;
-/** Opaque handle returned when an escalation is created. */
-interface EscalationHandle {
-    readonly escalationId: string;
-    readonly createdAt: string;
-    readonly timeoutAt: string | null;
-    readonly assignedToRole: string | null;
-}
-/** Terminal resolution status of an escalation. */
-type ApprovalStatus = "approved" | "rejected" | "timed_out";
-/** Full outcome returned when an escalation resolves. */
-interface EscalationOutcome {
-    readonly status: ApprovalStatus;
-    readonly escalation: HitlEscalation;
-    readonly resolvedBy: string | null;
-    readonly resolutionNote: string | null;
-    readonly resolvedAt: string | null;
-}
-/**
- * Thrown by `protectOrEscalate` / `waitForEscalationApproval` when the
- * human reviewer rejects the escalation.
- */
-declare class EscalationDeniedError extends Error {
-    readonly name: "EscalationDeniedError";
-    readonly escalationId: string;
-    readonly outcome: EscalationOutcome;
-    constructor(outcome: EscalationOutcome);
-}
-/**
- * Thrown by `protectOrEscalate` / `waitForEscalationApproval` when the
- * client-side wait window expires before the escalation resolves.
- */
-declare class EscalationTimeoutError extends Error {
-    readonly name: "EscalationTimeoutError";
-    readonly escalationId: string;
-    readonly outcome: EscalationOutcome;
-    constructor(outcome: EscalationOutcome);
-}
-/**
- * Options for creating an HITL escalation. Extends `HitlCreateRequest` with
- * API-key and base-URL overrides for per-call credential injection.
- */
-interface CreateEscalationOptions extends Partial<HitlCreateRequest> {
-    apiKey?: string;
-    baseUrl?: string;
-}
-/**
- * Create an HITL escalation via POST /v1/hitl.
- *
- * The escalation is placed in `pending` status; a reviewer must approve or
- * reject it before the original action can proceed. Use
- * `waitForEscalationApproval()` to poll until the escalation resolves.
- */
-declare function createEscalation(opts: CreateEscalationOptions): Promise<EscalationHandle>;
-interface WaitForApprovalOptions {
-    escalationId: string;
-    /** Max milliseconds to wait for a human to respond. Default 600_000 (10 min). */
-    waitMs?: number;
-    /** How often to poll the API. Default 5000ms. Minimum 1000ms. */
-    pollIntervalMs?: number;
-    apiKey?: string;
-    baseUrl?: string;
-}
-/**
- * Poll GET /v1/escalations/:id until the escalation reaches a terminal status
- * (`approved`, `auto_approved`, `rejected`, or `timed_out`).
- *
- * Returns the resolved outcome regardless of approval/rejection — the caller
- * decides whether to throw. Use `protectOrEscalate()` for the opinionated flow.
- */
-declare function waitForEscalationApproval(opts: WaitForApprovalOptions): Promise<EscalationOutcome>;
-/**
- * A verified Permit granted via human approval of an HITL escalation.
- * Extends {@link Permit} with escalation provenance fields.
- *
- * `approvalBasis: "direct_policy"` — action was allowed directly by policy;
- * no escalation was created.
- *
- * `approvalBasis: "human_approval"` — the policy returned `hold`/`escalate`;
- * a human reviewer approved the escalation.
- *
- * Guards and enforcement adapters should treat both as equivalent authorization
- * proof; auditors can distinguish them via `escalationId`.
- */
-interface ApprovalPermit extends Permit {
-    /**
-     * The HITL escalation ID that authorized this action. Empty string when
-     * the action was directly allowed by policy (no escalation needed).
-     */
-    readonly escalationId: string;
-    /** Identity of the reviewer who approved, or `null` for `auto_approved`. */
-    readonly resolvedBy: string | null;
-    readonly resolutionNote: string | null;
-    readonly resolvedAt: string;
-    readonly approvalBasis: "direct_policy" | "human_approval";
-}
-interface ProtectOrEscalateOptions {
-    /** Agent ID recorded on the escalation. Defaults to `request.agent`. */
-    agentId?: string;
-    /** Human-readable reason surfaced in the reviewer's queue. */
-    escalationReason?: string;
-    /** The proposed action payload shown to reviewers. Defaults to `request.context`. */
-    proposedAction?: Record<string, unknown>;
-    riskScore?: number;
-    assignedToRole?: string;
-    quorumRequired?: HitlQuorumTier;
-    fallbackDecision?: HitlFallbackDecision;
-    /** ISO-8601 — when the escalation should auto-resolve per server policy. */
-    timeoutAt?: string;
-    metadata?: Record<string, unknown>;
-    /** Max ms to wait for a human decision. Default 600_000 (10 min). */
-    waitMs?: number;
-    /** How often to poll. Default 5000ms. */
-    pollIntervalMs?: number;
-    apiKey?: string;
-    baseUrl?: string;
-    /** Called with the EscalationHandle immediately after it is created. */
-    onEscalationCreated?: (handle: EscalationHandle) => void;
+    onError?: (frame: StreamErrorFrame) => void;
 }
 /**
- * Authorize an action end-to-end, automatically escalating to human review
- * when the policy returns `hold` or `escalate`.
+ * `POST /v1/evaluate/stream` — V2-D4.
  *
- * **Directly allowed** → returns `ApprovalPermit` with
- *   `approvalBasis: "direct_policy"` (same semantics as `protect()`).
+ * Streams `event: decision` frames in input order. Per-item RPC
+ * failures arrive as `event: error` frames and do not tear down the
+ * stream (V2-D7 async semantics). Resolves with the terminal
+ * `event: complete` payload.
  *
- * **Hold / escalate** → creates an HITL escalation, polls for a human
- *   decision, and returns `ApprovalPermit` with
- *   `approvalBasis: "human_approval"` on approval.
+ * @throws {FeatureNotEnabledError} When the tenant `v2_streaming` flag is off.
+ * @throws {AtlaSentError} For transport failures, including the stream
+ *   closing without a `complete` frame.
+ */
+declare function authorizeStream(transport: V2Transport, req: EvaluateManyRequest, handlers?: AuthorizeStreamHandlers): Promise<StreamComplete>;
+/**
+ * `POST /v1/graphql` — V2-D2 + V2-D8.
  *
- * **Throws**:
- * - {@link EscalationDeniedError} — reviewer rejected the escalation
- * - {@link EscalationTimeoutError} — wait window elapsed without a decision
- * - {@link AtlaSentDeniedError} — hard deny (not hold/escalate); fail-closed
- * - {@link AtlaSentError} — transport / auth / server failure; fail-closed
+ * Bearer-only auth (no query-param). Wave A schema is read-only
+ * (`recentEvaluations(limit)` + `activeBundle`). Server enforces the
+ * V2-D8 OR-gate (`audit:read` OR `policy:read`) at request layer and
+ * a per-resolver AND-gate at field resolution time.
+ *
+ * Resolver-level errors surface on `response.errors` — the SDK does
+ * not throw on them so callers can inspect partial data.
+ *
+ * @throws {FeatureNotEnabledError} When the tenant `v2_graphql` flag is off.
+ * @throws {AtlaSentError} For transport / HTTP failures.
+ * @throws {TypeError} When `query` is empty or the body exceeds the 1MB cap.
  */
-declare function protectOrEscalate(request: ProtectRequest, opts?: ProtectOrEscalateOptions): Promise<ApprovalPermit>;
-interface RequestOverrideOptions {
-    /** Human-readable justification. Required; max 2000 characters. */
-    reason: string;
-    /** The evaluation ID that was denied and should be overridden. */
-    evaluationId: string;
-    /** How long this override is valid, in seconds. Max 604800 (7 days). */
-    ttlSeconds?: number;
-    /** Arbitrary metadata to attach (e.g. liability attribution context). */
-    metadata?: Record<string, unknown>;
-    apiKey?: string;
-    baseUrl?: string;
-}
+declare function graphql<T = unknown>(transport: V2Transport, req: GraphQLRequest): Promise<GraphQLResponse<T>>;
+
 /**
- * Request a post-hoc override for a denied evaluation via POST /v1/overrides.
+ * Runtime v2 client — authorized-state-change lifecycle.
  *
- * The override starts in `pending` status and takes effect only after an
- * authorized actor approves it. Subsequent evaluations for the same action
- * will return `allow` while the override is `approved` and within its TTL.
+ * Thin client over `/v2/orgs/:org_id/…` endpoints landed in
+ * `atlasent-api` PR #1031. Accepts the same {@link V2Transport}
+ * interface used by the existing v2 batch/stream/graphql module so
+ * callers can reuse the same auth headers and fetch implementation.
  *
- * Attach `metadata.requested_by` for liability attribution.
+ * @example
+ * ```ts
+ * import { RuntimeV2Client } from "@atlasent/sdk/runtime_v2";
+ *
+ * const rt = new RuntimeV2Client({
+ *   baseUrl: "https://api.atlasent.io",
+ *   apiKey: process.env.ATLASENT_API_KEY!,
+ * });
+ * const decision = await rt.authorize("org_acme", { transition: { … } });
+ * ```
  */
-declare function requestOverride(opts: RequestOverrideOptions): Promise<OverrideV1>;
+
+interface VerificationFailure {
+    code: string;
+    message: string;
+    field?: string;
+}
+interface VerificationResult {
+    passed: boolean;
+    verified_at: string;
+    failures: VerificationFailure[];
+    warnings: Array<Record<string, unknown>>;
+}
+interface ExecutionReceipt {
+    receipt_id: string;
+    permit_id: string;
+    org_id: string;
+    issued_at: string;
+    post_state_fingerprint: string;
+    evidence_id: string;
+}
+interface PostExecutionResult {
+    verified: boolean;
+    evidence_completeness: "COMPLETE" | "PARTIAL" | "FAILED";
+    failures: VerificationFailure[];
+    receipt?: ExecutionReceipt;
+}
+interface AuthorizationDecision {
+    status: "PERMITTED" | "PENDING_APPROVAL" | "DENIED" | "ERROR";
+    permit?: Record<string, unknown>;
+    required_approvers?: string[];
+    reasons?: string[];
+    policy_ids?: string[];
+    code?: string;
+    message?: string;
+}
+interface AuthorityRecord {
+    authority_id: string;
+    org_id: string;
+    name: string;
+    action_classes: string[];
+    public_key: string;
+    key_id: string;
+    status: string;
+    created_at: string;
+    [key: string]: unknown;
+}
+interface RuntimeAuditEntry {
+    entry_id: string;
+    org_id: string;
+    sequence: number;
+    receipt_id: string;
+    prior_hash: string;
+    entry_hash: string;
+    appended_at: string;
+}
+interface AuditChainPage {
+    entries: RuntimeAuditEntry[];
+    total: number;
+    page: number;
+    page_size: number;
+}
+interface ChainIntegrityReport {
+    valid: boolean;
+    checked_entries: number;
+    first_sequence: number;
+    last_sequence: number;
+    gaps: number[];
+    invalid_hashes: number[];
+    verified_at: string;
+}
+interface ComplianceExport {
+    export_id: string;
+    org_id: string;
+    from: string;
+    to: string;
+    entry_count: number;
+    format: string;
+    content_ref: string;
+    content_hash: string;
+    generated_at: string;
+    signed_by: string;
+}
+interface AuditChainFilters {
+    action_class?: string;
+    principal_did?: string;
+    resource_locator?: string;
+}
+/** Runtime v2 client — four-plane authorized-state-change lifecycle. */
+declare class RuntimeV2Client {
+    private readonly transport;
+    constructor(transport: V2Transport);
+    /** `POST /v2/orgs/:orgId/transitions` */
+    authorize(orgId: string, request: Record<string, unknown>): Promise<AuthorizationDecision>;
+    /** `GET /v2/orgs/:orgId/permits/:permitId` */
+    getPermit(orgId: string, permitId: string): Promise<Record<string, unknown> | null>;
+    /** `POST /v2/orgs/:orgId/permits/:permitId/consume` */
+    consume(orgId: string, permitId: string, observedSourceFingerprint: string): Promise<VerificationResult>;
+    /** `POST /v2/orgs/:orgId/permits/:permitId/approve` */
+    approve(orgId: string, permitId: string, approverDid: string, signature: string, comment?: string): Promise<{
+        approved: boolean;
+        status: string;
+    }>;
+    /** `POST /v2/orgs/:orgId/permits/:permitId/complete` */
+    complete(orgId: string, permitId: string, evidenceId: string, observedPostFingerprint: string): Promise<PostExecutionResult>;
+    /** `DELETE /v2/orgs/:orgId/permits/:permitId` */
+    revokePermit(orgId: string, permitId: string, revokedBy: string, reason: string, propagatesToChildren?: boolean): Promise<void>;
+    /** `GET /v2/orgs/:orgId/authorities` */
+    listAuthorities(orgId: string, includeInactive?: boolean): Promise<AuthorityRecord[]>;
+    /** `POST /v2/orgs/:orgId/authorities` */
+    createAuthority(orgId: string, record: Record<string, unknown>): Promise<AuthorityRecord>;
+    /** `GET /v2/orgs/:orgId/authorities/:authorityId` */
+    getAuthority(orgId: string, authorityId: string): Promise<AuthorityRecord | null>;
+    /** `POST /v2/orgs/:orgId/authorities/:authorityId/rotate` */
+    rotateAuthority(orgId: string, authorityId: string, newPublicKey: string, newKeyId: string): Promise<AuthorityRecord>;
+    /** `POST /v2/orgs/:orgId/authorities/:authorityId/revoke` */
+    revokeAuthority(orgId: string, authorityId: string, reason: string): Promise<void>;
+    /** `POST /v2/orgs/:orgId/evidence` */
+    submitEvidence(orgId: string, pkg: Record<string, unknown>): Promise<void>;
+    /** `GET /v2/orgs/:orgId/evidence/:evidenceId` */
+    getEvidence(orgId: string, evidenceId: string): Promise<Record<string, unknown> | null>;
+    /** `GET /v2/orgs/:orgId/audit-chain` */
+    queryAuditChain(orgId: string, from: string, to: string, options?: AuditChainFilters & {
+        page?: number;
+        page_size?: number;
+    }): Promise<AuditChainPage>;
+    /** `GET /v2/orgs/:orgId/audit-chain/integrity` */
+    verifyChainIntegrity(orgId: string, fromSequence: number, toSequence: number): Promise<ChainIntegrityReport>;
+    /** `POST /v2/orgs/:orgId/compliance-export` */
+    exportCompliance(orgId: string, from: string, to: string, format?: "JSON" | "CSV" | "CISA_SBOM"): Promise<ComplianceExport>;
+}
 
 /**
  * Context Layer — typed, validated, redaction-aware context for AtlaSent
@@ -4591,6 +6274,8 @@ declare function requestOverride(opts: RequestOverrideOptions): Promise<Override
  *   actor: { id: "user:alice", type: "human", roles: ["deploy_engineer"] },
  *   environment: { name: "production", region: "us-east-1" },
  *   resource: { type: "service", id: "api-gateway", sensitivity: "restricted" },
+ *   org_id: "org_acme",
+ *   environment_id: "env_prod_us_east",
  * });
  *
  * const permit = await atlasent.protect({
@@ -4628,6 +6313,12 @@ interface ActorContext {
     ip?: string;
     /** Session or OAuth token ID for replay-detection rules. */
     session_id?: string;
+    /**
+     * Organization this actor belongs to. Populated from
+     * `BuildActionContextInput.org_id` when the actor has no explicit org_id.
+     * Used by cross-tenant policy checks and usage metering.
+     */
+    org_id?: string;
 }
 /**
  * The resource the action targets.
@@ -4654,11 +6345,11 @@ interface ResourceContext {
  * Deployment environment and infrastructure context.
  *
  * `name` is the field protect() reads to set the `environment` field
- * on the verify-permit request. Omitting it logs a console warning
- * and defaults to `"production"`.
+ * on the verify-permit request. Set it explicitly in runtime contexts
+ * so verification is bound to the executing environment.
  */
 interface EnvironmentContext {
-    /** Deployment tier. Defaults to `"production"` in protect() when absent. */
+    /** Deployment tier (for example, `"production"` or `"staging"`). */
     name?: "production" | "staging" | "development" | "test" | string;
     /** Cloud or datacenter region (e.g. `"us-east-1"`, `"eu-west-1"`). */
     region?: string;
@@ -4724,6 +6415,19 @@ interface ActionContext {
     environment?: EnvironmentContext;
     action_meta?: ActionMetaContext;
     history?: HistoricalContext;
+    /**
+     * Organization ID — scopes the evaluation to this org's policies and
+     * usage meters. Propagated from `BuildActionContextInput.org_id` and
+     * also set on `actor.org_id` when the actor has no explicit org.
+     */
+    org_id?: string;
+    /**
+     * ID of the registered `org_environments` row.
+     * Future billing dimension: usage will be metered per environment tier.
+     * Optional and additive — existing call sites that pass `environment.name`
+     * continue to work without providing this field.
+     */
+    environment_id?: string;
     /** Alias for `environment.name`. Merged into `environment` by buildActionContext. */
     environment_name?: string;
     /** Alias for `resource.type`. Merged into `resource` by buildActionContext. */
@@ -4739,6 +6443,19 @@ interface BuildActionContextInput {
     environment?: EnvironmentContext | string;
     action_meta?: ActionMetaContext;
     history?: HistoricalContext;
+    /**
+     * Organization ID — scopes the evaluation to this org's policies and
+     * usage meters. Propagated to `actor.org_id` when the actor has no
+     * explicit org_id, and also set as a top-level `org_id` on the context
+     * so policy rules can reference it at `context.org_id`.
+     */
+    org_id?: string;
+    /**
+     * ID of the registered `org_environments` row (future billing dimension).
+     * Passed through to the flat context as `environment_id`. Optional —
+     * callers that pass only `environment.name` continue to work unchanged.
+     */
+    environment_id?: string;
     /** Arbitrary additional fields to pass through to the policy engine. */
     extra?: Record<string, unknown>;
 }
@@ -4749,6 +6466,8 @@ interface BuildActionContextInput {
  * - Populates flat shorthands (`resource_type`, `resource_id`,
  *   `environment_name`) from the nested sub-schemas so both the nested and
  *   flat forms are present in the output.
+ * - Propagates `org_id` to `actor.org_id` when the actor has no explicit org.
+ * - Propagates `environment_id` as a top-level context field for billing.
  * - Never throws — validation is a separate step via `validateActionContext()`.
  *
  * ```ts
@@ -4756,6 +6475,8 @@ interface BuildActionContextInput {
  *   actor: { id: "agent:deploy-bot", type: "agent" },
  *   environment: "production",
  *   resource: { type: "service", id: "checkout-api" },
+ *   org_id: "org_acme",
+ *   environment_id: "env_prod_us_east",
  * });
  * ```
  */
@@ -4871,7 +6592,8 @@ declare function redactContext(ctx: ActionContext, rules?: readonly RedactionRul
  *
  * The output merges:
  * 1. All top-level scalar fields from `ActionContext` (including flat
- *    shorthands like `environment_name`).
+ *    shorthands like `environment_name`, and billing dimensions like
+ *    `org_id` and `environment_id`).
  * 2. Nested sub-schemas (`actor`, `resource`, `environment`, etc.) preserved
  *    as nested objects so policy rules written against either the nested or
  *    flat form work correctly.
@@ -4890,41 +6612,6 @@ declare function redactContext(ctx: ActionContext, rules?: readonly RedactionRul
  */
 declare function flattenActionContext(ctx: ActionContext): Record<string, unknown>;
 
-type ShadowMode = "observe" | "warn" | "enforce";
-interface ShadowOutcome {
-    readonly decision: "permit" | "deny" | "hold" | "escalate";
-    readonly permit: Permit | null;
-    readonly error: AtlaSentDeniedError | null;
-    readonly would_have_blocked: boolean;
-    readonly latencyMs: number;
-    readonly evaluationId: string | null;
-    readonly request: ProtectRequest;
-    readonly mode: ShadowMode;
-}
-interface ShadowConfig {
-    mode?: ShadowMode;
-    onOutcome?: (outcome: ShadowOutcome) => void | Promise<void>;
-    reportToApi?: boolean;
-    apiKey?: string;
-    baseUrl?: string;
-}
-declare function configureShadow(config: ShadowConfig): void;
-interface ShadowOptions extends ShadowConfig {
-}
-declare function protectShadow(request: ProtectRequest, opts?: ShadowOptions): Promise<ShadowOutcome>;
-interface ShadowEventPayload {
-    action: string;
-    agentId: string | null;
-    decision: ShadowOutcome["decision"];
-    would_have_blocked: boolean;
-    latencyMs: number;
-    evaluationId: string | null;
-    mode: ShadowMode;
-    deniedReason?: string;
-    timestamp: string;
-}
-declare function reportShadowEvent(outcome: ShadowOutcome, opts?: Pick<ShadowConfig, "apiKey" | "baseUrl">): Promise<void>;
-
 type EnforcementMode = "observe" | "warn" | "enforce";
 interface HealthReport {
     readonly healthy: boolean;
@@ -4982,79 +6669,6 @@ interface GetEnforcementStatusOptions extends ControlSurfaceConfig {
 declare function getEnforcementStatus(opts: GetEnforcementStatusOptions): Promise<EnforcementStatus>;
 declare function getOrgSummary(opts?: ControlSurfaceConfig): Promise<OrgSummary>;
 
-type DeployEnvironment = "production" | "staging" | "development" | string;
-interface DeployGateOptions {
-    service: string;
-    resourceType?: string;
-    sha?: string;
-    workflow?: string;
-    actorId?: string;
-    actorLabel?: string;
-    environment?: DeployEnvironment;
-    description?: string;
-    requireApproval?: boolean;
-    assignedToRole?: string;
-    waitMs?: number;
-    onEscalationCreated?: (handle: EscalationHandle) => void;
-    apiKey?: string;
-    baseUrl?: string;
-}
-declare function protectDeploy(opts: DeployGateOptions): Promise<ApprovalPermit | Permit>;
-
-type CloseActionType = "period.close" | "period.reopen" | "data.export" | "reconciliation.lock";
-interface CloseGovernanceOptions {
-    action: CloseActionType;
-    periodLabel: string;
-    closedBy: string;
-    entityId: string;
-    entityName?: string;
-    dataClassification?: "internal" | "confidential" | "restricted";
-    assignedToRole?: string;
-    requireDualApproval?: boolean;
-    waitMs?: number;
-    description?: string;
-    onEscalationCreated?: (handle: EscalationHandle) => void;
-    apiKey?: string;
-    baseUrl?: string;
-}
-declare function protectCloseAction(opts: CloseGovernanceOptions): Promise<ApprovalPermit>;
-
-interface PaymentReleaseOptions {
-    amount: number;
-    currency: string;
-    vendorId: string;
-    vendorName?: string;
-    authorizedBy: string;
-    reference?: string;
-    description?: string;
-    autoEscalateAbove?: number;
-    requireDualApprovalAbove?: number;
-    assignedToRole?: string;
-    waitMs?: number;
-    onEscalationCreated?: (handle: EscalationHandle) => void;
-    apiKey?: string;
-    baseUrl?: string;
-}
-declare function protectPaymentRelease(opts: PaymentReleaseOptions): Promise<ApprovalPermit | Permit>;
-
-type AgentToolMode = "observe" | "enforce" | "escalate";
-interface AgentToolOptions {
-    toolName: string;
-    toolArgs: Record<string, unknown>;
-    agentId: string;
-    sessionId?: string;
-    riskLevel?: "critical" | "high" | "medium" | "low";
-    mode?: AgentToolMode;
-    assignedToRole?: string;
-    waitMs?: number;
-    description?: string;
-    onEscalationCreated?: (handle: EscalationHandle) => void;
-    apiKey?: string;
-    baseUrl?: string;
-}
-declare function classifyToolRisk(toolName: string): "critical" | "high" | "medium" | "low";
-declare function protectToolCall(opts: AgentToolOptions): Promise<ApprovalPermit | Permit | ShadowOutcome>;
-
 /**
  * Claims → Evidence Lineage
  *
@@ -5504,6 +7118,181 @@ declare class BCCAEClient {
     private request;
 }
 
+/**
+ * Delta VQP — TypeScript client for the VQP re-derivation audit endpoints.
+ *
+ * VQPClient wraps two service-role-only edge functions:
+ *   generate → POST /functions/v1/v1-generate-vqp  (creates snapshot + prompt_hash)
+ *   verify   → POST /functions/v1/v1-verify-vqp    (re-derives prompt, hashes, audits)
+ *
+ * These endpoints require a Supabase service_role key — not a user API key.
+ * This client is for server-side admin tooling only.
+ *
+ * Spec: atlasent-api/supabase/functions/v1-generate-vqp, v1-verify-vqp
+ * Phase 3 — Deterministic re-derivation audit.
+ */
+type VqpVerdict = "qualified" | "conditionally_qualified" | "not_qualified";
+interface VQPGenerateInput {
+    bundle_id: string;
+    org_id: string;
+    /** Additional context embedded in the VQP prompt for this snapshot. */
+    vqp_context?: Record<string, unknown>;
+}
+interface VQPGenerateResponse {
+    snapshot_id: string;
+    bundle_id: string;
+    bundle_version: string;
+    overall_verdict: VqpVerdict;
+    quality_score: number;
+    /** SHA-256 hex of the deterministic VQP prompt used to produce this snapshot. */
+    prompt_hash: string;
+    generation_model: string;
+    generated_at: string;
+}
+interface VQPVerifyInput {
+    snapshot_id: string;
+    /**
+     * Re-call the AI model with the re-derived prompt to detect score drift.
+     * When false (default), only prompt hash integrity is checked.
+     */
+    rerun?: boolean;
+}
+interface VQPVerifyResponse {
+    snapshot_id: string;
+    /** True when the re-derived prompt hash matches the stored snapshot.prompt_hash. */
+    hash_match: boolean;
+    original_prompt_hash: string;
+    rerun_prompt_hash: string;
+    /** Score from the re-run AI call. Null when rerun was not requested. */
+    rerun_score: number | null;
+    /** Verdict from the re-run AI call. Null when rerun was not requested. */
+    rerun_verdict: VqpVerdict | null;
+    /** rerun_score - original quality_score. Null when rerun was not requested. */
+    score_delta: number | null;
+    /** True when rerun_verdict differs from the stored overall_verdict. */
+    verdict_changed: boolean;
+    /** UUID of the written vqp_audit_log row. */
+    audit_log_id: string;
+}
+interface VQPClientOptions {
+    /** Supabase service_role key. These endpoints are not accessible with user API keys. */
+    serviceRoleKey: string;
+    /** Supabase project URL, e.g. https://<ref>.supabase.co */
+    supabaseUrl: string;
+    /** Request timeout in ms. Defaults to 30000 (AI re-run calls can be slow). */
+    timeoutMs?: number;
+    /** Inject a custom fetch implementation (testing / edge runtimes). */
+    fetch?: typeof globalThis.fetch;
+}
+/**
+ * Thin HTTP client for the Delta VQP Phase 3 service-role endpoints.
+ *
+ * Each method maps 1:1 to an edge function:
+ *   - {@link VQPClient.generate} → v1-generate-vqp
+ *   - {@link VQPClient.verify}   → v1-verify-vqp
+ *
+ * **Server-side only.** These endpoints require `SUPABASE_SERVICE_ROLE_KEY`.
+ * Never expose a service_role key in browser or agent code.
+ *
+ * Network errors and 5xx responses throw {@link AtlaSentError}.
+ */
+declare class VQPClient {
+    private readonly serviceRoleKey;
+    private readonly baseUrl;
+    private readonly timeoutMs;
+    private readonly fetchImpl;
+    constructor(options: VQPClientOptions);
+    generate(input: VQPGenerateInput): Promise<VQPGenerateResponse>;
+    verify(input: VQPVerifyInput): Promise<VQPVerifyResponse>;
+    private post;
+    private request;
+}
+
+type DependencyRequirement = "permit" | "allow_decision";
+type DependencyStatus = "satisfied" | "missing" | "expired" | "invalid";
+interface ActionDependency {
+    id: string;
+    organization_id: string;
+    parent_action_class_id: string;
+    child_action_class_id: string;
+    requires: DependencyRequirement;
+    temporal_window_seconds: number | null;
+    created_at: string;
+}
+interface CreateActionDependencyRequest {
+    parent_action_class_id: string;
+    child_action_class_id: string;
+    requires?: DependencyRequirement;
+    temporal_window_seconds?: number;
+}
+interface ActionDependencyResponse {
+    action_dependency: ActionDependency;
+    rateLimit: RateLimitState | null;
+}
+interface ListActionDependenciesResponse {
+    action_dependencies: ActionDependency[];
+    total: number;
+    limit: number;
+    offset: number;
+    rateLimit: RateLimitState | null;
+}
+interface DependencyLink {
+    dependency_id: string;
+    parent_evaluation_id?: string;
+    parent_permit_token_hash?: string;
+    status: DependencyStatus;
+}
+
+type EngineVersionStatus = "active" | "retired" | "archival";
+interface EngineVersionRecord {
+    engine_version: string;
+    status: EngineVersionStatus;
+    bundle_compatibility_range: string | null;
+    supersedes_version: string | null;
+    released_at: string;
+    retired_at: string | null;
+    archival_until: string | null;
+    notes: string | null;
+    created_at: string;
+    updated_at: string;
+}
+interface RegisterEngineVersionRequest {
+    engine_version: string;
+    status?: EngineVersionStatus;
+    bundle_compatibility_range?: string;
+    supersedes_version?: string;
+    notes?: string;
+    released_at?: string;
+}
+interface EngineVersionResponse {
+    engine_version: EngineVersionRecord;
+    rateLimit: RateLimitState | null;
+}
+interface ListEngineVersionsResponse {
+    engine_versions: EngineVersionRecord[];
+    rateLimit: RateLimitState | null;
+}
+
+type SnapshotSourceKind = "system_state" | "external_system" | "caller_provided";
+interface StateSnapshotInput {
+    source: string;
+    source_kind: SnapshotSourceKind;
+    complete: boolean;
+    payload: Record<string, unknown>;
+}
+interface StateSnapshotRef {
+    snapshot_id: string;
+    canonical_hash?: string;
+}
+interface StateSnapshot extends StateSnapshotRef {
+    organization_id: string;
+    source: string;
+    source_kind: SnapshotSourceKind;
+    complete: boolean;
+    tamper_detected: boolean;
+    created_at: string;
+}
+
 /**
  * @atlasent/sdk — execution-time authorization for AI agents.
  *
@@ -5578,6 +7367,27 @@ declare const atlasent: {
     readonly AtlaSentClient: typeof AtlaSentClient;
     readonly AtlaSentError: typeof AtlaSentError;
     readonly AtlaSentDeniedError: typeof AtlaSentDeniedError;
+    readonly paymentGate: typeof protectPaymentRelease;
+    readonly dataExportGate: typeof protectDataExport;
+    readonly reconciliationGate: typeof protectReconciliationCertify;
+    readonly agentGuard: typeof protectToolCall;
+    readonly gxpGate: typeof protectGxpAction;
+    readonly batchRecordGate: typeof protectBatchRecordRelease;
+    readonly paymentOpsGate: typeof protectPaymentOperation;
+    readonly deployV2Gate: typeof protectDeploymentV2;
+    readonly behaviorEventGate: typeof protectBehaviorEvent;
+    readonly infraGate: typeof protectInfraAction;
+    readonly hrGate: typeof protectHrOffboard;
+    readonly modelGovernanceGate: typeof protectModelPromotion;
+    readonly dataDeleteGate: typeof protectCustomerDataDelete;
+    readonly contractGate: typeof protectContractExecution;
+    readonly pricingGate: typeof protectPricingRule;
+    readonly securityGate: typeof protectSecurityIncidentEscalate;
+    readonly accessCertGate: typeof protectAccessCertRevoke;
+    readonly financialCloseGate: typeof protectPeriodCloseCertify;
+    readonly databaseMigrationGate: typeof protectDatabaseMigration;
+    readonly databaseSchemaDropGate: typeof protectDatabaseSchemaDrop;
+    readonly databaseTableDeleteGate: typeof protectDatabaseTableDelete;
 };
 
-export { type ActionBundleInput, type ActionBundleReceipt, type ActionContext, type ActionFreeze, type ActionMetaContext, type ActionTypeOverrideStat, type ActorContext, type ActorOverrideStat, type AgentAuthorityDomain, type AgentEvaluationStatus, type AgentEvidenceRef, type AgentFindingSeverity, type AgentInvokerKind, type AgentSubjectKind, type AgentToolMode, type AgentToolOptions, type AmountThreshold, type AnomalyActionType, type AnomalyResponseEvent, type AnomalyResponseRule, type AnomalyType, ApiKeySelfResponse, type ApplyPolicySyncResponse, type ApprovalArtifactSlot, type ApprovalArtifactV1, type ApprovalConcentrationAnalysis, type ApprovalIssuer, type ApprovalPermit, type ApprovalProvenance, type ApprovalQuorumV1, type ApprovalReference, type ApprovalReviewer, type ApprovalRuntimeConfig, type ApprovalStatus, type ApproveBudgetExceptionRequest, type ApproverBreakdown, AtlaSentClient, AtlaSentClientOptions, AtlaSentDeniedError, AtlaSentError, type AuditBundle, AuditEventsQuery, AuditEventsResult, AuditExportRequest, AuditExportResult, type AuthenticateConnectorInput, type AuthenticateConnectorResponse, type AuthorizeStreamHandlers, type AutonomousBoundsDenyCode, type AutonomousExecutionBounds, type AutonomousExecutionCheckResult, type AutonomousExecutionRecord, BCCAEClient, BatchEvalItem, BatchEvalResponse, type BccaeActorType, type BccaeClientOptions, type BccaeDeploymentEnv, type BccaeEvaluateInput, type BccaeEvaluateResponse, type BccaeEvidenceResponse, type BccaeExecuteInput, type BccaeExecuteResponse, type BccaeRequestSource, type BccaeResourceClassification, type BccaeRevocationTargetType, type BccaeRevokeInput, type BccaeRevokeResponse, type BccaeSecurityPosture, type BccaeTrustLevel, type BudgetConstraintCheckResult, type BudgetDenyCode, type BudgetExceptionRequest, type BudgetExceptionStatus, type BudgetLimit, type BudgetPolicy, type BudgetScope, type BudgetSpendingState, type BudgetViolation, type BudgetaryDriftAnalysis, type BuildActionContextInput, type BuildClaimEvidenceLinkOpts, type BuildFromActionBundleOpts, type BundleVerificationResult, type ClaimEvidenceLink, type CloseActionType, type CloseGovernanceOptions, type ComplianceEvidenceRun, type ComplianceEvidenceSummary, type ComplianceFramework, type ComplianceRunStatus, type ComputeOrgRiskOptions, type ComputeOrgRiskResponse, type ConcentrationAlert, type ConnectedSystemRow, type ConnectorAuditLogEntry, type ConnectorCredentialRow, type ConnectorCredentialType, type ConnectorEnforcementEventInput, type ConnectorEnforcementPolicy, type ConnectorEnforcementResult, type ConnectorRow, type ConnectorStatus, type ConnectorSyncState, type ConnectorType, type ContextValidationError, type ContextValidationResult, type ContextValidationWarning, type ControlSurfaceConfig, type CreateAnomalyResponseRuleRequest, type CreateBudgetExceptionRequest, type CreateEscalationOptions, type CreateGraphEdgeInput, type CreateGraphNodeInput, type CreateImpersonationGrantRequest, type CreateOverrideRequest, type CreateRegulatoryEscalationRequest, type CreateWebhookSubscriptionRequest, type CrossOrgImpersonationGrant, type CrossOrgPermissionCheckListParams, type CrossOrgPermissionCheckRequest, type CrossOrgPermissionCheckResult, type CrossOrgTrustHop, type CurrencyCode, DEFAULT_INCENTIVE_CONFIG, DEFAULT_REDACTION_RULES, DEFAULT_RISK_TIER_THRESHOLDS, DecisionCanonical, DecisionStreamEvent, type DelegationPropagationSummary, type DeltaSlot, type DeltaStatus, type DeployEnvironment, type DeployEvidenceInput, type DeployEvidenceSlot, type DeployGateOptions, DeployGateRequest, DeployGateResponse, type DisputeOrigin, type DisputeRecord, type DisputeReversalSummary, type DisputeStatus, type DriftChangeType, type DriftDetail, type DriftSeverity, type EconomicEvidenceBundle, type EmergencyFreeze, type EmergencyOverrideActionRow, type EnforcementAction, type EnforcementMode, type EnforcementQuorumConfig, type EnforcementStatus, type EnforcementWebhookEvent, type EngineVersionKind, type EnvelopeDriftDetail, type EnvelopeVerification, type EnvironmentContext, EscalationDeniedError, type EscalationHandle, type EscalationOutcome, EscalationTimeoutError, type EvaluateBatchItem, type EvaluateBatchResponse, type EvaluateManyRequest, EvaluatePreflightResponse, EvaluateRequest, EvaluateResponse, type EvidenceBundleSignableContent, type EvidenceBundleVerificationResult, type EvidenceControl, type EvidenceControlStatus, type EvidencePurpose, type EvidenceSlotStatus, type ExecutionAnomaly, type ExecutionApproverRow, type ExecutionCeiling, FeatureNotEnabledError, type FeatureNotEnabledErrorInit, type FinancialActionClass, type FinancialActionType, type FinancialExecutionRecord, type FinancialExecutionStatus, type FinancialGovernanceSummary, type FinancialQuorumDenyCode, type FinancialQuorumInput, type FinancialQuorumPolicy, type FinancialQuorumResult, type FinancialRiskScore, type FinancialRiskTier, type FinancialRoleRequirement, type GetEnforcementStatusOptions, type GetLatestOrgRiskResponse, GetPermitResponse, type GovernanceAgent, type GovernanceAgentEvaluation, type GovernanceAgentFinding, type GovernanceBehaviorPattern, GovernanceEnforcementError, type GovernanceEnforcementErrorInit, type GovernanceEvent, type GovernanceGate, type GovernanceGraphQueryParams, type GovernanceGraphQueryResponse, type GovernanceGraphQueryType, type GovernanceGraphResultRow, type GovernanceSignalAction, type GovernanceWebhookEvent, type GraphEdge, type GraphEdgeType, type GraphNode, type GraphNodeType, type GraphQLRequest, type GraphQLResponse, type HealthReport, type HistoricalContext, type HitlAiUnavailableFallback, type HitlApprovalRecord, type HitlApproveRequest, type HitlApproverPoolEntry, type HitlApproverType, type HitlChainHop, type HitlChainSummary, type HitlCreateRequest, type HitlDetailResponse, type HitlEscalation, type HitlFallbackDecision, type HitlHeterogeneousQuorumExtension, type HitlHeterogeneousQuorumTally, type HitlListResponse, type HitlQuorumProgress, type HitlQuorumTier, type HitlRejectRequest, type HitlRespondRequest, type HitlStatus, type IdentityAssertionBinding, type IdentityAssertionV1, type IdentityIssuer, type IdentityIssuerKey, type IdentitySubject, type IdentityTrustedIssuersConfig, type ImpersonationToken, type ImpersonationValidationResult, type IncentiveAlignmentConfig, type IncentiveSignal, type IncentiveSignalType, type IncidentChainActorEntry, type IncidentChainEvidenceRow, type IncidentChainExecutionRow, type IncidentTimelineResponse, type InstallConnectorInput, type InstallConnectorResponse, type IntegrationEvidenceSlot, type LegacyEvaluateRequest, type LegacyEvaluateResponse, type LiabilityAttributionInput, type LiabilityAttributionRecord, type LiabilityChainValidation, type LiabilityClassification, type LiabilityEdge, type LiabilityNode, type LiabilityParty, type LiabilityPartyRole, type LiabilityVisualization, type ListConnectorsResponse, type ListEnforcementPoliciesResponse, type ListEvidenceRunsResponse, type ListGovernanceAgentsResponse, type ListGovernanceEvaluationsQuery, type ListGovernanceEvaluationsResponse, type ListGovernanceFindingsQuery, type ListGovernanceFindingsResponse, type ListGraphEdgesResponse, type ListGraphNodesResponse, type ListHitlEscalationsRequest, type ListHitlEscalationsResponse, type ListOrgRiskHistoryResponse, ListPermitsRequest, ListPermitsResponse, type ListPolicySyncRunsResponse, type ListWebhookDeliveriesResponse, type ListWebhookSubscriptionsResponse, type MisalignmentAlert, NOT_APPLICABLE, type NotApplicable, type OrgRiskLevel, type OrgRiskScore, type OrgSummary, type OverrideAnalytics, type OverrideEvent, type OverrideEventType, type OverrideEventsResponse, type OverrideListResponse, type OverrideStatus, type OverrideV1, type PaymentReleaseOptions, Permit, type PermitV1, PermitValidResponse, type PolicyBundleEntry, type PolicyRef, type PolicySyncDiff, type PolicySyncRun, type PolicySyncStatus, type PrincipalKind, type ProductionDeployerRow, type ProofEvaluationSummary, type ProofPayload, type ProofResponse, type ProtectOrEscalateOptions, ProtectRequest, type ProtectedAction, type ProtectedActionEntry, type QuorumBypassConnectorRow, type QuorumIndependence, type QuorumPolicy, type QuorumProof, type QuorumRoleRequirement, RateLimitState, type RecordSignalActionRequest, type RecordSignalOutcomeRequest, type RedactionMode, type RedactionRule, type RegulatoryAuthorityLevel, type RegulatoryEscalation, type RegulatoryEscalationStatus, type ReplayDecisionResponse, type ReplayDecisionValue, type ReplayRequest, type ReplayResponse, type ReplayVarianceKind, type ReportProtectedActionOptions, type RequestOverrideOptions, type ResourceContext, type ReversalStage, type ReversalWorkflow, type RevokeConnectorResponse, RevokePermitByIdInput, RevokePermitByIdResponse, RevokePermitRequest, RevokePermitResponse, type RiskFactor, type RiskTierThreshold, type RiskTimelinePoint, type RotateCredentialsResponse, type RuntimeEvidenceSlot, type SOC2ControlId, type SandboxDiff, type SandboxDiffEmpty, type SandboxDiffPerTable, type SandboxDiffResponse, type SandboxRunMode, type SandboxRunStatus, type SandboxRunWrite, type SandboxWriteOp, type ShadowConfig, type ShadowEventPayload, type ShadowMode, type ShadowOptions, type ShadowOutcome, type SignalActionSummary, type SignalActionType, type SignedApprovalArtifact, type SpendingConstraint, type StreamComplete, type StreamDecisionFrame, type StreamErrorFrame, StreamEvent, StreamOptions, type SubmitPolicySyncRequest, type SubmitPolicySyncResponse, SubscribeDecisionsOptions, type SyncConnectorResponse, type TriggerAnomalyResponseRequest, type TriggerEvidenceRunRequest, type TriggerEvidenceRunResponse, type UpsertEnforcementPolicyInput, type UpsertEnforcementPolicyResponse, type UserApprovalRow, type V2EvaluateRequest, type V2EvaluateResponse, type V2Feature, type V2Transport, V2_BATCH_PATH, V2_GRAPHQL_MAX_DEPTH, V2_GRAPHQL_PATH, V2_MAX_BATCH_ITEMS, V2_MAX_BODY_BYTES, V2_STREAM_PATH, type ValidateContextOptions, type VerificationChecklist, type VerifyBundleOptions, type VerifyClaimEvidenceLinkOpts, type VerifyClaimEvidenceLinkResult, type VerifyKey, VerifyPermitByIdResponse, VerifyPermitRequest, VerifyPermitResponse, type WaitForApprovalOptions, type WebhookDelivery, type WebhookDeliveryStatus, type WebhookPayload, type WebhookSubscription, WebhookVerificationError, type WeightDistribution, assertWebhook, authorizeStream, budgetUtilizationSeverity, buildActionContext, buildClaimEvidenceLink, buildClaimEvidenceLinkFromActionBundle, buildLiabilityChain, buildLiabilityVisualization, buildRiskTimeline, buildSignableContent, canonicalJSON, canonicalizeForEvidence, checkAutonomousBounds, checkBudgetConstraints, checkIntegrationHealth, clampTokenDuration, classifyCommand, classifyRiskTier, classifyToolRisk, computeApprovalRiskScore, computeEscalatedApprovalCount, computeExposureScore, computeGovernanceHealthScore, computeHHI, computeLiabilityWeights, computeOverallRiskScore, computeOverrideScore, computeRemediationUrgency, computeSignalEngagementRate, configure, configureApprovalRuntime, configureControlSurface, configureShadow, createEscalation, atlasent as default, delegationPropagationHadEffect, deployGate, detectAutonomousAnomaly, detectMisalignedIncentives, detectSelfApproval, enforceAutonomousBounds, enforceBudgetConstraint, enforceEconomicGovernance, enforceFinancialQuorum, evaluateFinancialQuorum, evaluateMany, evidenceRunPasses, findPrimaryLiabilityParties, flattenActionContext, formatPolicySyncDiff, generateBccaeNonce, getEnforcementStatus, getOrgSummary, graphql, hhiToConcentrationScore, highestAgentFindingSeverity, highestSeverityAction, hitlRequiredApproverCount, isBudgetExceptionActive, isBudgetExceptionTerminal, isEscalationSlaBreached, isFreezeActive, isImpersonationGrantUsable, isPolicySyncTerminal, isRegulatoryEscalationTerminal, isSandboxDiffPopulated, isSubstantiveSignalResponse, matchAnomalyRules, nonPassingControls, normalizeEvaluateRequest, normalizeEvaluateResponse, protect, protectCloseAction, protectDeploy, protectOrEscalate, protectPaymentRelease, protectShadow, protectToolCall, redactContext, reportProtectedAction, reportShadowEvent, requestOverride, requirePermit, scoreToRiskTier, serializeSignableContent, signedBytesFor, summarizeCrossOrgPermission, transitionDispute, transitionReversal, validateActionContext, validateLiabilityChain, verifyAuditBundle, verifyBundle, verifyClaimEvidenceLink, verifyEvidenceBundleStructure, verifyWebhook, verifyWebhookSignature, waitForEscalationApproval, withPermit, withinAutonomousCeiling };
+export { type AccessCertActionType, type AccessCertOptions, type AccessGovernanceEvent, type AccessGovernanceLogPage, type AccessGovernanceLogQuery, type AccessGovernanceLogSubClient, type ActionBundleInput, type ActionBundleReceipt, type ActionContext, type ActionDependency, type ActionDependencyResponse, type ActionFreeze, type ActionMetaContext, type ActionTypeOverrideStat, type ActorContext, type ActorOverrideStat, type AgentAuthorityDomain, type AgentEvaluationStatus, type AgentEvidenceRef, type AgentFindingSeverity, type AgentInvokerKind, type AgentSubjectKind, type AgentToolMode, type AgentToolOptions, type AmountThreshold, type AnomalyActionType, type AnomalyResponseEvent, type AnomalyResponseRule, type AnomalyType, ApiKeySelfResponse, type ApplyPolicySyncResponse, type ApprovalArtifactSlot, type ApprovalArtifactV1, type ApprovalConcentrationAnalysis, type ApprovalIssuer, type ApprovalPermit, type ApprovalProvenance, type ApprovalQuorumV1, type ApprovalReference, type ApprovalReviewer, type ApprovalRuntimeConfig, type ApprovalStatus, type ApproveBudgetExceptionRequest, type ApproverBreakdown, AtlaSentClient, AtlaSentClientOptions, AtlaSentDeniedError, AtlaSentError, type AuditBundle, type AuditChainFilters, type AuditChainPage, AuditEventsQuery, AuditEventsResult, AuditExportRequest, AuditExportResult, type AuthSubClient, type AuthenticateConnectorInput, type AuthenticateConnectorResponse, type AuthorityRecord, type AuthorizationDecision, type AuthorizeStreamHandlers, type AutonomousBoundsDenyCode, type AutonomousExecutionBounds, type AutonomousExecutionCheckResult, type AutonomousExecutionRecord, BCCAEClient, BEHAVIOR_SENSITIVE_CATEGORIES, BatchEvalItem, BatchEvalResponse, type BatchRecordReleaseOptions, type BccaeActorType, type BccaeClientOptions, type BccaeDeploymentEnv, type BccaeEvaluateInput, type BccaeEvaluateResponse, type BccaeEvidenceResponse, type BccaeExecuteInput, type BccaeExecuteResponse, type BccaeRequestSource, type BccaeResourceClassification, type BccaeRevocationTargetType, type BccaeRevokeInput, type BccaeRevokeResponse, type BccaeSecurityPosture, type BccaeTrustLevel, type BehaviorEventCategory, type BehaviorEventOptions, type BudgetConstraintCheckResult, type BudgetDenyCode, type BudgetExceptionRequest, type BudgetExceptionStatus, type BudgetLimit, type BudgetPolicy, type BudgetScope, type BudgetSpendingState, type BudgetViolation, type BudgetaryDriftAnalysis, type BuildActionContextInput, type BuildClaimEvidenceLinkOpts, type BuildFromActionBundleOpts, type BundleVerificationResult, type CAPAOptions, CONTEXT_NAMESPACES, CUSTOMER_DATA_EXPORT_ACTION, CanonicalProtectedActionType, type ChainIntegrityReport, type ClaimEvidenceLink, type ClinicalDataAccessOptions, type CloseActionType, type CloseGovernanceOptions, ComplianceEvidenceRun, type ComplianceExport, type ComputeOrgRiskOptions, type ComputeOrgRiskResponse, type ConcentrationAlert, type ConnectedSystemRow, type ConnectorAuditLogEntry, type ConnectorCredentialRow, type ConnectorCredentialType, type ConnectorEnforcementEventInput, type ConnectorEnforcementPolicy, type ConnectorEnforcementResult, type ConnectorRow, type ConnectorStatus, type ConnectorSyncState, type ConnectorType, type ContextEnvelope, type ContextNamespaceEntry, type ContextNamespaceKey, type ContextSignal, type ContextValidationError, type ContextValidationResult, type ContextValidationWarning, type ContractActionOptions, type ContractActionType, type ControlSurfaceConfig, type CreateActionDependencyRequest, type CreateAnomalyResponseRuleRequest, type CreateBudgetExceptionRequest, type CreateEscalationOptions, type CreateGraphEdgeInput, type CreateGraphNodeInput, type CreateImpersonationGrantRequest, type CreateRegulatoryEscalationRequest, type CreateWebhookSubscriptionRequest, type CrossOrgImpersonationGrant, type CrossOrgPermissionCheckListParams, type CrossOrgPermissionCheckRequest, type CrossOrgPermissionCheckResult, type CrossOrgTrustHop, type CurrencyCode, DEFAULT_INCENTIVE_CONFIG, DEFAULT_REDACTION_RULES, DEFAULT_RISK_TIER_THRESHOLDS, DEFAULT_TRUST_TTL_MS, DEPLOY_V1_ACTION, type DataDeleteActionType, type DataDeleteOptions, type DataExportOptions, type DatabaseActionOptions, type DatabaseActionType, type DatabaseDestructiveActionType, type DatabaseMigrationActionType, DecisionCanonical, DecisionReceipt, DecisionReceiptAlgorithm, DecisionStreamEvent, type DelegationPropagationSummary, type DeltaSlot, type DeltaStatus, type DenialEvidence, type DependencyLink, type DependencyRequirement, type DependencyStatus, type DeployEnvironment, type DeployEvidenceInput, type DeployEvidenceSlot, type DeployGateOptions, DeployGateRequest, DeployGateResponse, type DeploymentActionType, type DeploymentV2Options, type DisputeOrigin, type DisputeRecord, type DisputeReversalSummary, type DisputeStatus, type DriftChangeType, type DriftDetail, type DriftSeverity, type EconomicEvidenceBundle, type EmergencyFreeze, type EmergencyOverrideActionRow, type EnforcementAction, type EnforcementMode, type EnforcementQuorumConfig, type EnforcementStatus, type EnforcementWebhookEvent, type EngineVersionKind, type EngineVersionRecord, type EngineVersionResponse, type EngineVersionStatus, type EnvelopeDriftDetail, type EnvelopeVerification, type EnvironmentContext, EscalationDeniedError, type EscalationHandle, type EscalationOutcome, EscalationTimeoutError, type EvaluateBatchItem, type EvaluateBatchResponse, type EvaluateManyRequest, EvaluatePreflightResponse, EvaluateRequest, EvaluateResponse, type EvidenceBundle, type EvidenceBundleCreateParams, type EvidenceBundleListPage, type EvidenceBundleListParams, type EvidenceBundleSignableContent, type EvidenceBundleStatus, type EvidenceBundleSubClient, type EvidenceBundleVerificationResult, type EvidenceBundleVerifyResult, type EvidencePurpose, type EvidenceSlotStatus, type ExecutionAnomaly, type ExecutionApproverRow, type ExecutionCeiling, type ExecutionReceipt, FeatureNotEnabledError, type FeatureNotEnabledErrorInit, type FinancialActionClass, type FinancialActionType, type FinancialCloseActionType, type FinancialCloseOptions, type FinancialExecutionRecord, type FinancialExecutionStatus, type FinancialGovernanceSummary, type FinancialQuorumDenyCode, type FinancialQuorumInput, type FinancialQuorumPolicy, type FinancialQuorumResult, type FinancialRiskScore, type FinancialRiskTier, type FinancialRoleRequirement, type GdprLegalBasis, type GetEnforcementStatusOptions, type GetLatestOrgRiskResponse, GetPermitResponse, type GovernanceAgent, type GovernanceAgentEvaluation, type GovernanceAgentFinding, type GovernanceBehaviorPattern, GovernanceEnforcementError, type GovernanceEnforcementErrorInit, type GovernanceEvent, type GovernanceGate, type GovernanceGraphQueryParams, type GovernanceGraphQueryResponse, type GovernanceGraphQueryType, type GovernanceGraphResultRow, type GovernanceSignalAction, type GovernanceWebhookEvent, type GraphEdge, type GraphEdgeType, type GraphNode, type GraphNodeType, type GraphQLRequest, type GraphQLResponse, type GxpActionOptions, type GxpActionType, type HealthReport, type HistoricalContext, type HitlAiUnavailableFallback, type HitlApprovalRecord, type HitlApproveRequest, type HitlApproverPoolEntry, type HitlApproverType, type HitlChainHop, type HitlChainSummary, type HitlCreateRequest, type HitlDetailResponse, type HitlEscalation, type HitlFallbackDecision, type HitlHeterogeneousQuorumExtension, type HitlHeterogeneousQuorumTally, type HitlListResponse, type HitlQuorumProgress, type HitlQuorumTier, type HitlRejectRequest, type HitlRespondRequest, type HitlStatus, type HrActionOptions, type HrActionType, type IdentityAssertionBinding, type IdentityAssertionV1, type IdentityIssuer, type IdentityIssuerKey, type IdentitySubject, type IdentityTrustedIssuersConfig, type IdpConnection, type ImpersonationToken, type ImpersonationValidationResult, type IncentiveAlignmentConfig, type IncentiveSignal, type IncentiveSignalType, type IncidentChainActorEntry, type IncidentChainEvidenceRow, type IncidentChainExecutionRow, type IncidentTimelineResponse, type InfraActionOptions, type InfraActionType, type InstallConnectorInput, type InstallConnectorResponse, type IntegrationEvidenceSlot, type JWK, type LegacyEvaluateRequest, type LegacyEvaluateResponse, type LiabilityAttributionInput, type LiabilityAttributionRecord, type LiabilityChainValidation, type LiabilityClassification, type LiabilityEdge, type LiabilityNode, type LiabilityParty, type LiabilityPartyRole, type LiabilityVisualization, LicenseStatus, LicenseVerifyResult, type ListActionDependenciesResponse, type ListConnectorsResponse, type ListEnforcementPoliciesResponse, type ListEngineVersionsResponse, type ListGovernanceAgentsResponse, type ListGovernanceEvaluationsQuery, type ListGovernanceEvaluationsResponse, type ListGovernanceFindingsQuery, type ListGovernanceFindingsResponse, type ListGraphEdgesResponse, type ListGraphNodesResponse, type ListHitlEscalationsRequest, type ListHitlEscalationsResponse, type ListOrgRiskHistoryResponse, ListPermitsRequest, ListPermitsResponse, type ListPolicySyncRunsResponse, type ListWebhookDeliveriesResponse, type ListWebhookSubscriptionsResponse, type MisalignmentAlert, type ModelGovernanceActionType, type ModelGovernanceOptions, NOT_APPLICABLE, type NotApplicable, type OfflineEvidenceBundleData, type OrgRiskLevel, type OrgRiskScore, type OrgSummary, type OverrideAnalytics, OverrideV1, type PaymentOperationActionType, type PaymentOperationOptions, type PaymentReleaseOptions, Permit, type PermitEvidence, type PermitV1, PermitValidResponse, type PolicyBundleEntry, type PolicyRef, type PolicySyncDiff, type PolicySyncRun, type PolicySyncStatus, type PostExecutionResult, type PricingActionOptions, type PricingActionType, type PrincipalKind, type ProductionDeployerRow, type ProofEvaluationSummary, type ProofPayload, type ProofResponse, type ProtectOrEscalateOptions, ProtectRequest, type ProtectedAction, type ProtectedActionEntry, type QuorumBypassConnectorRow, type QuorumIndependence, type QuorumPolicy, type QuorumProof, type QuorumRoleRequirement, RateLimitState, type ReconciliationCertifyOptions, type RecordContextEnvelopeInput, type RecordSignalActionRequest, type RecordSignalOutcomeRequest, type RedactionMode, type RedactionRule, type RegisterEngineVersionRequest, type RegulatoryAuthorityLevel, type RegulatoryEscalation, type RegulatoryEscalationStatus, type ReplayDecisionResponse, type ReplayDecisionValue, type ReplayRequest, type ReplayResponse, type ReplayVarianceKind, type ReportProtectedActionOptions, type RequestOverrideOptions, type ResourceContext, type ReversalStage, type ReversalWorkflow, type RevokeConnectorResponse, RevokePermitByIdInput, RevokePermitByIdResponse, RevokePermitRequest, RevokePermitResponse, type RiskFactor, type RiskTierThreshold, type RiskTimelinePoint, type RotateCredentialsResponse, type RuntimeAuditEntry, type RuntimeEvidenceSlot, RuntimeV2Client, SCIM_GROUP_SCHEMA, SCIM_PATCH_OP_SCHEMA, SCIM_USER_SCHEMA, type SandboxDiff, type SandboxDiffEmpty, type SandboxDiffPerTable, type SandboxDiffResponse, type SandboxRunMode, type SandboxRunStatus, type SandboxRunWrite, type SandboxWriteOp, type ScimEmail, type ScimGroupRef, type ScimGroupsSubClient, type ScimListParams, type ScimListResponse, type ScimMeta, type ScimName, type ScimPatchOp, type ScimSubClient, type ScimUser, type ScimUserCreate, type ScimUserUpdate, type ScimUsersSubClient, type SecurityActionOptions, type SecurityActionType, type ShadowConfig, type ShadowEventPayload, type ShadowMode, type ShadowOptions, type ShadowOutcome, type SignalActionSummary, type SignalActionType, type SignedApprovalArtifact, type SnapshotSourceKind, type SpendingConstraint, type SsoConnection, type SsoConnectionInput, type SsoConnectionWire, type SsoEnforceAction, type SsoEnforceResult, type SsoEvent, type SsoEventWire, type SsoJitRule, type SsoJitRuleInput, type SsoJitRulePatch, type SsoJitRuleWire, type SsoReadiness, type SsoReadinessWire, type SsoRole, type SsoSubClient, type StateSnapshot, type StateSnapshotInput, type StateSnapshotRef, type StreamComplete, type StreamDecisionFrame, type StreamErrorFrame, StreamEvent, StreamOptions, type SubmitPolicySyncRequest, type SubmitPolicySyncResponse, SubscribeDecisionsOptions, type SyncConnectorResponse, type TokenResponse, type TriggerAnomalyResponseRequest, type TrustRootKey, TrustRootManager, type TrustRootManagerOptions, type TrustRootRevocationEntry, type TrustRootSnapshot, type TrustSnapshot, type UpsertEnforcementPolicyInput, type UpsertEnforcementPolicyResponse, type UserApprovalRow, type V2EvaluateRequest, type V2EvaluateResponse, type V2Feature, type V2Transport, V2_BATCH_PATH, V2_GRAPHQL_MAX_DEPTH, V2_GRAPHQL_PATH, V2_MAX_BATCH_ITEMS, V2_MAX_BODY_BYTES, V2_STREAM_PATH, VENDOR_PAYMENT_ACTION, VQPClient, type VQPClientOptions, type VQPGenerateInput, type VQPGenerateResponse, type VQPVerifyInput, type VQPVerifyResponse, type ValidateContextOptions, type VerificationChecklist, type VerificationFailure, type VerificationResult, type VerifyBundleOptions, type VerifyClaimEvidenceLinkOpts, type VerifyClaimEvidenceLinkResult, type VerifyKey, VerifyPermitByIdResponse, VerifyPermitRequest, VerifyPermitResponse, type VqpVerdict, type WaitForApprovalOptions, type WebhookDelivery, type WebhookDeliveryStatus, type WebhookPayload, type WebhookSubscription, WebhookVerificationError, type WeightDistribution, __setGlobalTrustRootManagerForTests, _computeEvidenceRootHash, assertWebhook, authorizeStream, bootstrapTrust, budgetUtilizationSeverity, buildActionContext, buildClaimEvidenceLink, buildClaimEvidenceLinkFromActionBundle, buildLiabilityChain, buildLiabilityVisualization, buildRiskTimeline, buildSignableContent, canonicalJSON, canonicalizeForEvidence, checkAutonomousBounds, checkBudgetConstraints, checkIntegrationHealth, clampTokenDuration, classifyCommand, classifyRiskTier, classifyToolRisk, computeApprovalRiskScore, computeEscalatedApprovalCount, computeExposureScore, computeGovernanceHealthScore, computeHHI, computeLiabilityWeights, computeOverallRiskScore, computeOverrideScore, computeRemediationUrgency, computeSignalEngagementRate, configure, configureApprovalRuntime, configureControlSurface, configureShadow, createEscalation, atlasent as default, delegationPropagationHadEffect, deployGate, detectAutonomousAnomaly, detectMisalignedIncentives, detectSelfApproval, enforceAutonomousBounds, enforceBudgetConstraint, enforceEconomicGovernance, enforceFinancialQuorum, evaluateFinancialQuorum, evaluateMany, findPrimaryLiabilityParties, flattenActionContext, formatPolicySyncDiff, generateBccaeNonce, getEnforcementStatus, getGlobalTrustRootManager, getOrgSummary, graphql, hhiToConcentrationScore, highestAgentFindingSeverity, highestSeverityAction, hitlRequiredApproverCount, isBudgetExceptionActive, isBudgetExceptionTerminal, isEscalationSlaBreached, isFreezeActive, isImpersonationGrantUsable, isKidRevoked, isPolicySyncTerminal, isRegulatoryEscalationTerminal, isSandboxDiffPopulated, isSubstantiveSignalResponse, isTrustSnapshotExpired, makeAccessGovernanceLogClient, makeAuthClient, makeEvidenceBundleClient, makeScimClient, makeSsoClient, matchAnomalyRules, normalizeEvaluateRequest, normalizeEvaluateResponse, protect, protectAccessCertAction, protectAccessCertRevoke, protectBatchRecordRelease, protectBehaviorEvent, protectCloseAction, protectContractAction, protectContractExecution, protectCustomerDataDelete, protectDataExport, protectDatabaseAction, protectDatabaseMigration, protectDatabaseSchemaDrop, protectDatabaseTableDelete, protectDeploy, protectDeploymentV2, protectFinancialCloseAction, protectGxpAction, protectHrAction, protectHrOffboard, protectHrRoleEscalate, protectInfraAction, protectModelGovernance, protectModelPromotion, protectOrEscalate, protectPaymentOperation, protectPaymentRelease, protectPeriodCloseCertify, protectPricingAction, protectPricingRule, protectReconciliationCertify, protectSecurityAccessQuarantine, protectSecurityAction, protectSecurityIncidentEscalate, protectShadow, protectToolCall, redactContext, reportProtectedAction, reportShadowEvent, requestOverride, requirePermit, scoreToRiskTier, serializeSignableContent, signedBytesFor, summarizeCrossOrgPermission, transitionDispute, transitionReversal, validateActionContext, validateLiabilityChain, verifyAuditBundle, verifyBundle, verifyClaimEvidenceLink, verifyEvidenceBundle, verifyEvidenceBundleStructure, verifyWebhook, verifyWebhookSignature, waitForEscalationApproval, wireToSsoConnection, wireToSsoEvent, wireToSsoJitRule, wireToSsoReadiness, withPermit, withinAutonomousCeiling };