@atlasent/sdk 2.5.0 → 2.10.0

package/dist/index.d.cts

@@ -1,7 +1,284 @@
-import { R as RateLimitState, c as AtlaSentClientOptions, E as EvaluateRequest, d as EvaluateResponse, e as EvaluatePreflightResponse, V as VerifyPermitRequest, f as VerifyPermitResponse, D as DeployGateRequest, g as DeployGateResponse, h as RevokePermitRequest, i as RevokePermitResponse, j as RevokePermitByIdInput, k as RevokePermitByIdResponse, l as VerifyPermitByIdResponse, G as GetPermitResponse, m as PermitValidResponse, L as ListPermitsRequest, n as ListPermitsResponse, o as ApiKeySelfResponse, p as AuditEventsQuery, q as AuditEventsResult, r as AuditExportRequest, s as AuditExportResult, S as StreamOptions, t as StreamEvent, b as ProtectRequest, P as Permit, a as AtlaSentError, u as protect, v as deployGate, w as configure, A as AtlaSentDeniedError } from './protect-DiRVfVLq.cjs';
-export { x as AtlaSentDecision, y as AtlaSentDeniedErrorInit, z as AtlaSentErrorCode, B as AtlaSentErrorInit, C as AtlaSentEscalateError, F as AtlaSentEscalateErrorInit, H as AuditDecision, I as AuditEvent, J as AuditEventsPage, K as AuditExport, M as AuditExportSignatureStatus, N as ConfigureOptions, O as ConstraintTrace, Q as ConstraintTracePolicy, T as ConstraintTraceStage, U as DEFAULT_RETRY_POLICY, W as DEPLOYMENT_PRODUCTION_ACTION, X as DEPLOY_GATE_CODES, Y as Decision, Z as DecisionCanonical, _ as DeployGateContext, $ as DeployGateDenyCode, a0 as DeployGateEvidence, a1 as DeployOverrideClaim, a2 as DeployPermitClaim, a3 as EvaluateResponsePermit, a4 as PRODUCTION_DEPLOY_ACTION, a5 as PermitOutcome, a6 as PermitRecord, a7 as PermitRevoked, a8 as PermitStatus, a9 as RetryPolicy, aa as StreamDecisionEvent, ab as StreamParseError, ac as StreamProgressEvent, ad as StreamTimeoutError, ae as computeBackoffMs, af as hasAttemptsLeft, ag as isRetryable, ah as mergePolicy, ai as normalizePermitOutcome } from './protect-DiRVfVLq.cjs';
+import { D as DecisionCanonical, R as RateLimitState, c as AtlaSentClientOptions, E as EvaluateRequest, d as EvaluateResponse, B as BatchEvalItem, e as BatchEvalResponse, S as SubscribeDecisionsOptions, f as DecisionStreamEvent, g as EvaluatePreflightResponse, V as VerifyPermitRequest, h as VerifyPermitResponse, i as DeployGateRequest, j as DeployGateResponse, k as RevokePermitRequest, l as RevokePermitResponse, m as RevokePermitByIdInput, n as RevokePermitByIdResponse, o as VerifyPermitByIdResponse, G as GetPermitResponse, p as PermitValidResponse, L as ListPermitsRequest, q as ListPermitsResponse, r as ApiKeySelfResponse, s as AuditEventsQuery, t as AuditEventsResult, u as AuditExportRequest, v as AuditExportResult, w as StreamOptions, x as StreamEvent, b as ProtectRequest, P as Permit, a as AtlaSentError, A as AtlaSentDeniedError, y as DecisionReceipt, z as DecisionReceiptAlgorithm, C as protect, F as deployGate, H as configure } from './protect-C0t0fP1y.cjs';
+export { I as AtlaSentDecision, J as AtlaSentDeniedErrorInit, K as AtlaSentErrorCode, M as AtlaSentErrorInit, N as AtlaSentEscalateError, O as AtlaSentEscalateErrorInit, Q as AuditDecision, T as AuditEvent, U as AuditEventsPage, W as AuditExport, X as AuditExportSignatureStatus, Y as BvsSnapshot, Z as ConfigureOptions, _ as ConsentClassProjection, $ as ConstraintTrace, a0 as ConstraintTracePolicy, a1 as ConstraintTraceStage, a2 as DEFAULT_RETRY_POLICY, a3 as DEPLOYMENT_PRODUCTION_ACTION, a4 as DEPLOY_GATE_CODES, a5 as Decision, a6 as DeployGateContext, a7 as DeployGateDenyCode, a8 as DeployGateEvidence, a9 as DeployOverrideClaim, aa as DeployPermitClaim, ab as EvaluateBatchResultItem, ac as EvaluateResponsePermit, ad as EvaluateRiskEnvelope, ae as EvaluateRiskEnvelopeFactor, af as PRODUCTION_DEPLOY_ACTION, ag as PermitOutcome, ah as PermitRecord, ai as PermitRevoked, aj as PermitStatus, ak as PermitWithEvidence, al as ProtectWithEvidenceOptions, am as RetryPolicy, an as StreamDecisionEvent, ao as StreamParseError, ap as StreamProgressEvent, aq as StreamTimeoutError, ar as computeBackoffMs, as as hasAttemptsLeft, at as isRetryable, au as mergePolicy, av as normalizePermitOutcome, aw as protectWithEvidence } from './protect-C0t0fP1y.cjs';
 import { webcrypto } from 'node:crypto';
 
+/**
+ * Override types — wire shapes for `/v1/overrides`.
+ *
+ * Overrides allow an authorized actor to bypass a deny decision for a
+ * specific evaluation. They must be approved before they take effect
+ * and can be revoked at any time.
+ *
+ * Mirrors `api/src/schemas/overrides.ts` in atlasent-control-plane.
+ */
+/**
+ * Lifecycle status of an override request.
+ *
+ * - `pending`  — created, waiting for approval
+ * - `approved` — approved and active; the evaluation's deny is lifted
+ * - `revoked`  — manually revoked
+ * - `expired`  — TTL elapsed before revocation
+ */
+type OverrideStatus = "pending" | "approved" | "revoked" | "expired";
+/**
+ * The event types that can appear on an override's event log.
+ */
+type OverrideEventType = "created" | "approved" | "revoked";
+/**
+ * Canonical Override domain object returned by the API.
+ *
+ * All timestamps are ISO-8601 UTC strings. Nullable fields are `null`
+ * rather than omitted so wire shapes are stable.
+ */
+interface OverrideV1 {
+    id: string;
+    orgId: string;
+    /** The evaluation ID this override applies to. */
+    evaluationId: string;
+    /** Human-readable justification provided at creation time. */
+    reason: string;
+    status: OverrideStatus;
+    /** Actor who requested the override. */
+    requestedBy: string;
+    /** Actor who approved the override, or `null` if not yet approved. */
+    approvedBy: string | null;
+    /** Actor who revoked the override, or `null` if not revoked. */
+    revokedBy: string | null;
+    /** ISO-8601 creation timestamp. */
+    createdAt: string;
+    /** ISO-8601 approval timestamp, or `null`. */
+    approvedAt: string | null;
+    /** ISO-8601 revocation timestamp, or `null`. */
+    revokedAt: string | null;
+    /** ISO-8601 expiry timestamp, or `null` if no TTL was set. */
+    expiresAt: string | null;
+    /** Arbitrary key/value metadata attached at creation. `null` when none. */
+    metadata: Record<string, unknown> | null;
+}
+/**
+ * Paginated list of overrides.
+ */
+interface OverrideListResponse {
+    items: OverrideV1[];
+    /** Opaque cursor for the next page. `null` when there are no more results. */
+    nextCursor: string | null;
+}
+/**
+ * Input for `POST /v1/overrides` — request a new override.
+ */
+interface CreateOverrideRequest {
+    /** Human-readable justification. Required; max 2000 characters. */
+    reason: string;
+    /** The evaluation ID to override. */
+    evaluationId: string;
+    /** Lifetime in seconds. Defaults to 3600. Max 604800 (7 days). */
+    ttlSeconds?: number;
+    /** Arbitrary metadata to attach to the override record. */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Audit event appended to an override's event log on every state mutation.
+ */
+interface OverrideEvent {
+    id: string;
+    overrideId: string;
+    orgId: string;
+    /** Actor who caused this event. */
+    actorId: string;
+    type: OverrideEventType;
+    /** ISO-8601 timestamp. */
+    at: string;
+    /** Event-specific payload. `null` when none. */
+    payload: Record<string, unknown> | null;
+}
+/**
+ * Response for `GET /v1/overrides/:id/events`.
+ */
+interface OverrideEventsResponse {
+    items: OverrideEvent[];
+}
+
+/**
+ * Compliance evidence types — wire shapes for `v1-compliance-evidence`.
+ *
+ * Supports on-demand SOC 2 Type II control evidence collection. The
+ * same run shape is used for ISO 27001, GDPR, and HIPAA; control IDs
+ * differ per framework.
+ */
+type ComplianceFramework = "soc2" | "iso27001" | "gdpr" | "hipaa";
+type EvidenceControlStatus = "pass" | "gap" | "finding";
+type ComplianceRunStatus = "pending" | "running" | "completed" | "failed";
+/**
+ * A single evaluated control within an evidence run.
+ * `evidence` is a free-form object whose keys are framework-specific
+ * metric names (e.g. `mfa_enforced_policies`, `audit_events_last_30d`).
+ */
+interface EvidenceControl {
+    control_id: string;
+    title: string;
+    status: EvidenceControlStatus;
+    evidence: Record<string, unknown>;
+}
+interface ComplianceEvidenceSummary {
+    total: number;
+    pass: number;
+    gap: number;
+    finding: number;
+}
+interface ComplianceEvidenceRun {
+    id: string;
+    org_id: string;
+    framework: ComplianceFramework;
+    period_start: string;
+    period_end: string;
+    status: ComplianceRunStatus;
+    controls: EvidenceControl[];
+    summary: ComplianceEvidenceSummary | null;
+    applied_by: string | null;
+    created_at: string;
+}
+interface TriggerEvidenceRunRequest {
+    framework: ComplianceFramework;
+    /** ISO 8601 date string; defaults to 30 days ago on the server. */
+    period_start?: string;
+    /** ISO 8601 date string; defaults to now on the server. */
+    period_end?: string;
+}
+interface TriggerEvidenceRunResponse {
+    run: ComplianceEvidenceRun;
+}
+interface ListEvidenceRunsResponse {
+    runs: ComplianceEvidenceRun[];
+}
+/**
+ * SOC 2 control IDs evaluated by `v1-compliance-evidence`.
+ *
+ * | ID     | Area |
+ * |--------|------|
+ * | CC6.1  | MFA enforcement |
+ * | CC6.3  | Periodic access reviews |
+ * | CC7.2  | Audit trail completeness |
+ * | CC8.1  | Change management / HITL |
+ * | CC3.2  | Policy violations |
+ */
+type SOC2ControlId = "CC6.1" | "CC6.3" | "CC7.2" | "CC8.1" | "CC3.2";
+/**
+ * Returns `true` when every control in the run has `pass` or `gap`
+ * status (no `finding`). A `gap` means a control is partially met;
+ * a `finding` is a blocking deficiency that requires remediation.
+ */
+declare function evidenceRunPasses(run: ComplianceEvidenceRun): boolean;
+/**
+ * Returns controls that do not have `pass` status, sorted so
+ * `finding` controls appear before `gap` controls.
+ */
+declare function nonPassingControls(run: ComplianceEvidenceRun): EvidenceControl[];
+
+/**
+ * Wire types for `POST /v1-decisions-replay/:id/replay`.
+ *
+ * Re-evaluates a recorded decision against its originally-pinned policy
+ * bundle and engine version, then reports whether the result agrees with
+ * what was recorded. Side-effect-free: no audit chain row is written and
+ * no permit is issued (see ADR-016).
+ *
+ * Mirrors `_handleReplayPost` in atlasent-api's
+ * `supabase/functions/v1-decisions-replay/handler.ts`. Variance kinds and
+ * envelope-verification states are pinned to the API contract — keep this
+ * file aligned with `_shared/decision-replay.ts` if the surface evolves.
+ *
+ * Per AtlaSent's versioning doctrine `/v1/decisions/:id/replay` is an
+ * **alpha** endpoint; shapes can change without a deprecation cycle until
+ * it graduates to stable v1 (see atlasent-api `docs/STABLE_V2_PROMOTION.md`).
+ */
+/**
+ * Replay variance — superset covering both the raw wire values used by
+ * `replayDecision()` and the SDK-canonical values used by `replay()`.
+ *
+ * Raw wire values (replayDecision): NONE, DECISION_CHANGED, ENVELOPE_DRIFT
+ * SDK-canonical values (replay):    NONE, POLICY_DRIFT, ENVELOPE_DRIFT,
+ *                                   ENGINE_DRIFT, CHAIN_TAMPER, BUNDLE_MISSING
+ */
+type ReplayVarianceKind = "NONE" | "DECISION_CHANGED" | "POLICY_DRIFT" | "ENVELOPE_DRIFT" | "ENGINE_DRIFT" | "CHAIN_TAMPER" | "BUNDLE_MISSING";
+/** Engine-version registry classification (ADR-017). `unknown` covers
+ * NULL engine_version (pre-replay-era rows) and registry-misses. */
+type EngineVersionKind = "active" | "retired" | "archival" | "unknown";
+/** Envelope hash verification outcome for the recorded request envelope.
+ * `verified` = recomputed hash matched; `drift` = mismatch; `envelope_missing`
+ * = recorded hash points at a content_envelopes row that no longer exists;
+ * `absent` = the original evaluation predates envelope_hash capture. */
+type EnvelopeVerification = "verified" | "drift" | "absent" | "envelope_missing";
+/** Mirror of `decision` enum on the original evaluation. */
+type ReplayDecisionValue = "allow" | "deny" | "hold" | "escalate";
+/** Envelope-drift diagnostic. Present only when `variance === "ENVELOPE_DRIFT"`. */
+interface EnvelopeDriftDetail {
+    recorded_hash: string;
+    recomputed_hash: string;
+}
+/**
+ * Successful POST /v1-decisions-replay/:id/replay response. The shape is
+ * additive — additional fields may appear in future API versions.
+ */
+interface ReplayDecisionResponse {
+    decision_id: string;
+    /** What the original decision was at evaluate time. */
+    original_decision: ReplayDecisionValue;
+    /** Recorded deny code from the original decision, if any. */
+    original_deny_code?: string;
+    /** Re-evaluated decision. Absent when replay short-circuits on
+     * ENVELOPE_DRIFT — in that case the original decision is the only
+     * authoritative value and no replay was run. */
+    replay_decision?: ReplayDecisionValue;
+    replay_deny_code?: string;
+    /** Engine version string recorded with the original decision, or
+     * `undefined` for pre-replay-era rows. */
+    engine_version?: string;
+    engine_version_kind: EngineVersionKind;
+    /** Always `true` on a 200 — the handler refuses replay (409) when the
+     * engine version does not accept replay. */
+    accepts_replay: boolean;
+    variance: ReplayVarianceKind;
+    envelope_verification: EnvelopeVerification;
+    envelope_drift_detail?: EnvelopeDriftDetail;
+    replayed_at: string;
+}
+/** Input to {@link AtlaSentClient.replay}. */
+interface ReplayRequest {
+    /** The evaluation/decision ID to replay. */
+    evaluationId: string;
+}
+
+/**
+ * Result of {@link AtlaSentClient.replay}.
+ *
+ * Uses SDK-canonical variance kinds (see {@link ReplayVarianceKind}).
+ * `DECISION_CHANGED` on the wire maps to `POLICY_DRIFT` here.
+ * 409 responses map to `ENGINE_DRIFT` or `BUNDLE_MISSING` and are never
+ * thrown — callers can always switch on `varianceKind`.
+ */
+interface ReplayResponse {
+    /** The decision/evaluation ID that was replayed. */
+    decisionId: string;
+    /** SDK-canonical variance outcome. */
+    varianceKind: ReplayVarianceKind;
+    /** The original recorded decision. */
+    originalDecision: DecisionCanonical;
+    /** Original deny code, if any. */
+    originalDenyCode?: string;
+    /** Re-evaluated decision. Absent when `varianceKind === "ENVELOPE_DRIFT"`. */
+    replayedDecision?: DecisionCanonical;
+    replayedDenyCode?: string;
+    engineVersion?: string;
+    engineVersionKind?: string;
+    /** Whether the evaluation was eligible for replay. `false` for 409 responses. */
+    acceptsReplay: boolean;
+    envelopeVerification?: string;
+    /** ISO-8601 timestamp of the replay. */
+    replayedAt: string;
+    /** Rate-limit state from response headers. */
+    rateLimit: RateLimitState | null;
+}
+
 /**
  * Dual-shape input bridge for the v2.0.0 wire format change.
  *
@@ -31,6 +308,8 @@ interface V2EvaluateRequest {
     action_type: string;
     actor_id: string;
     context?: Record<string, unknown>;
+    /** Populate `risk_envelope.factors` in the response (Phase C). */
+    explain?: boolean;
 }
 /**
  * Normalise an evaluate request from either the legacy v1.x shape
@@ -74,6 +353,140 @@ interface V2EvaluateResponse {
  */
 declare function normalizeEvaluateResponse(wire: LegacyEvaluateResponse | V2EvaluateResponse): V2EvaluateResponse;
 
+/**
+ * Constrained governance agents — read-side SDK surface.
+ *
+ * Three endpoints, all GET, all org-scoped server-side:
+ *
+ *   GET /v1/governance/agents                — registry of advisory agents
+ *   GET /v1/governance/findings?change_id=…  — findings against one change
+ *   GET /v1/governance/evaluations?change_id=… — agent run records
+ *
+ * **Doctrine — evaluation ≠ authorization ≠ execution.**
+ * Every type in this module is read-only signal. `can_authorize` is
+ * pinned `false` on the wire (DB-generated column on the registry,
+ * CHECK on findings). The SDK does not expose an invocation method:
+ * agent invocation is a CI concern (atlasent-action `governance-agents`
+ * mode), not an application concern. This module is for surfaces that
+ * want to render findings alongside the authority workflow.
+ *
+ * Wire schema source of truth lives in
+ *   atlasent-api/packages/types/src/governance-agents.ts
+ * which is intentionally standalone (not re-exported from @atlasent/types).
+ * The shapes mirrored below are the read-side subset.
+ *
+ * @module
+ */
+type AgentFindingSeverity = "info" | "low" | "medium" | "high" | "blocker";
+type AgentEvaluationStatus = "running" | "completed" | "failed" | "timeout";
+type AgentAuthorityDomain = "engineering" | "runtime_platform" | "security" | "compliance" | "release_management" | "operations" | "customer_impact" | "governance_office";
+type AgentInvokerKind = "human" | "service_account" | "autonomous_agent" | "system";
+type AgentSubjectKind = "pull_request" | "schema_migration" | "runtime_flag" | "deployment" | "operational_rollout" | "regulated_execution_change" | "policy_bundle";
+/**
+ * A versioned advisory agent definition. `authority_class` is fixed to
+ * `advisory` and `can_authorize` to `false` at the schema level — these
+ * cannot be relaxed without a structural change to the runtime DB.
+ */
+interface GovernanceAgent {
+    readonly slug: string;
+    readonly version: string;
+    readonly name: string;
+    readonly description: string;
+    readonly applicable_subject_kinds: readonly AgentSubjectKind[];
+    readonly authority_class: "advisory";
+    /** Structurally false. Generated column on the runtime DB. */
+    readonly can_authorize: false;
+    readonly capabilities: readonly string[];
+    readonly is_active: boolean;
+    readonly created_at: string;
+    readonly retired_at: string | null;
+}
+/** A typed evidence pointer attached to a finding. Free-form by design. */
+interface AgentEvidenceRef {
+    readonly kind: string;
+    readonly ref: string;
+    readonly note?: string;
+}
+/**
+ * One advisory finding produced by an agent run. `can_authorize` is
+ * pinned `false` by a CHECK constraint on the underlying table — no
+ * finding row in any environment can ever satisfy a gate.
+ */
+interface GovernanceAgentFinding {
+    readonly id: string;
+    readonly org_id: string;
+    readonly evaluation_id: string;
+    readonly change_id: string;
+    readonly agent_slug: string;
+    readonly agent_version: string;
+    readonly finding_type: string;
+    readonly severity: AgentFindingSeverity;
+    readonly confidence: number | null;
+    readonly summary: string;
+    readonly evidence_refs: readonly AgentEvidenceRef[];
+    readonly required_authority: AgentAuthorityDomain | null;
+    readonly recommended_action: string | null;
+    /** Structurally false. CHECK constraint on the runtime DB. */
+    readonly can_authorize: false;
+    readonly supersedes_finding_id: string | null;
+    readonly payload: Readonly<Record<string, unknown>>;
+    readonly created_at: string;
+    /**
+     * Populated by the finding→gate routing trigger (atlasent-api #842).
+     * Null when no matching gate exists at insertion time; can be
+     * back-resolved by `governance_resolve_findings_for_gate(gate_id)`.
+     */
+    readonly routed_gate_id?: string | null;
+}
+/**
+ * An append-only record of one agent run against one governed change.
+ * The same (agent_slug, agent_version, input_hash) combination may
+ * produce multiple rows across time — the runtime DB does not dedupe.
+ */
+interface GovernanceAgentEvaluation {
+    readonly id: string;
+    readonly org_id: string;
+    readonly change_id: string;
+    readonly agent_slug: string;
+    readonly agent_version: string;
+    readonly input_hash: string;
+    readonly status: AgentEvaluationStatus;
+    readonly highest_severity: AgentFindingSeverity | null;
+    readonly findings_count: number;
+    readonly summary: string | null;
+    readonly runtime_ms: number | null;
+    readonly failure_reason: string | null;
+    readonly invoked_by_kind: AgentInvokerKind;
+    readonly invoked_by: string | null;
+    readonly started_at: string;
+    readonly completed_at: string | null;
+}
+interface ListGovernanceAgentsResponse {
+    readonly agents: readonly GovernanceAgent[];
+}
+interface ListGovernanceFindingsResponse {
+    readonly findings: readonly GovernanceAgentFinding[];
+}
+interface ListGovernanceEvaluationsResponse {
+    readonly evaluations: readonly GovernanceAgentEvaluation[];
+}
+interface ListGovernanceFindingsQuery {
+    readonly change_id: string;
+    /** Optional: filter to one agent's findings. */
+    readonly agent_slug?: string;
+}
+interface ListGovernanceEvaluationsQuery {
+    readonly change_id: string;
+    /** Optional: filter to one agent's runs. */
+    readonly agent_slug?: string;
+}
+/**
+ * Return the worst severity across a set of findings, or `null` when
+ * the input is empty. Pure function, exported because every consumer
+ * needs the same rollup logic (Console finds panel, CI summary, etc.).
+ */
+declare function highestAgentFindingSeverity(findings: readonly Pick<GovernanceAgentFinding, "severity">[]): AgentFindingSeverity | null;
+
 /**
  * Human-in-the-loop (HITL) types — wire shape for `/v1/hitl/*`.
  *
@@ -1165,6 +1578,49 @@ declare class AtlaSentClient {
      * {@link AtlaSentError}.
      */
     evaluate(input: EvaluateRequest | LegacyEvaluateRequest): Promise<EvaluateResponse>;
+    /**
+     * Batch evaluate — send up to 100 decisions in a single round-trip.
+     *
+     * Wraps `POST /v1-evaluate-batch`. The server evaluates each item
+     * against the active policy bundle and returns results in the same
+     * order as the input. One rate-limit token is consumed for the
+     * whole batch, and one audit-chain entry lists every included
+     * decision id.
+     *
+     * A per-item policy `deny` is **not** thrown — it appears as
+     * `item.decision === "deny"` in the returned items. A whole-batch
+     * network error, 4xx, or 5xx throws {@link AtlaSentError}.
+     *
+     * Requires the `v2_batch` tenant feature flag to be enabled on the
+     * org (returns 404 when off). Requires scope `evaluate:write`.
+     *
+     * @param requests - 1–100 evaluate items.
+     * @param batchId  - Optional caller-supplied UUID for idempotency.
+     *   A retried call with the same `batchId` and identical items
+     *   returns the cached response within 24 h (`replayed: true`).
+     */
+    evaluateBatch(requests: BatchEvalItem[], batchId?: string): Promise<BatchEvalResponse>;
+    /**
+     * Subscribe to a live stream of decisions for this org.
+     *
+     * Wraps `GET /v1-decisions-stream`. The server emits one SSE frame
+     * per audit event and sends a heartbeat every 15 s. The session
+     * auto-closes after `maxSeconds` (default 30 min); reconnect with
+     * the last received `event.id` to resume without replaying history.
+     *
+     * ```ts
+     * const controller = new AbortController();
+     * for await (const event of client.subscribeDecisions({ signal: controller.signal })) {
+     *   if (event.type === "heartbeat") continue;
+     *   console.log(event.type, event.decision, event.actorId);
+     *   if (event.type === "session_end") break; // reconnect
+     * }
+     * ```
+     *
+     * Requires scope `audit:read`. Requires the `v2_decisions_stream`
+     * tenant feature flag (returns 404 when off).
+     */
+    subscribeDecisions(opts?: SubscribeDecisionsOptions): AsyncGenerator<DecisionStreamEvent>;
     /**
      * Pre-flight evaluation that always returns the constraint trace.
      *
@@ -1348,6 +1804,80 @@ declare class AtlaSentClient {
      * taxonomy as {@link AtlaSentClient.evaluate}.
      */
     createAuditExport(filter?: AuditExportRequest): Promise<AuditExportResult>;
+    /**
+     * Re-evaluate a recorded decision against its originally-pinned policy
+     * bundle and engine version, and report whether the result agrees with
+     * what was recorded.
+     *
+     * Wraps `POST /v1-decisions-replay/:id/replay`. **Side-effect-free** — no
+     * audit chain row is written and no permit is issued (per ADR-016).
+     * Useful for compliance review, regression testing of bundle changes,
+     * and post-incident investigation.
+     *
+     * Outcomes encoded in the response:
+     * - `variance: "NONE"` — replay agrees with the original decision.
+     * - `variance: "DECISION_CHANGED"` — same envelope, same bundle, different
+     *   decision. Almost always indicates non-determinism in a rule
+     *   (e.g. wall-clock comparison) and warrants investigation.
+     * - `variance: "ENVELOPE_DRIFT"` — the recorded request envelope no longer
+     *   hashes to the recorded value. The replay short-circuits without
+     *   running the engine; `replay_decision` is absent. Treat as evidence
+     *   of substrate tamper or a recorder bug.
+     *
+     * Server-side 409 responses (replay refused because the engine version
+     * does not accept replay, or because no bundle was pinned) surface as
+     * `AtlaSentError` with `code: "replay_not_eligible"` — callers should
+     * treat them as expected for old / un-pinned decisions, not as bugs.
+     *
+     * Requires the `evaluate:write` API key scope.
+     *
+     * @param decisionId The UUID of the recorded decision to replay.
+     *                   Matches `execution_evaluations.request_id`.
+     *
+     * @example
+     * ```ts
+     * const result = await client.replayDecision("dec_abc123");
+     * if (result.variance === "DECISION_CHANGED") {
+     *   console.warn(
+     *     `Decision ${result.decision_id} changed on replay: ` +
+     *     `${result.original_decision} → ${result.replay_decision}`,
+     *   );
+     * }
+     * ```
+     */
+    replayDecision(decisionId: string): Promise<ReplayDecisionResponse & {
+        rateLimit: RateLimitState | null;
+    }>;
+    /**
+     * ADR-015 Phase C — SDK-canonical replay runtime.
+     *
+     * Re-evaluates a recorded decision against its originally-pinned policy
+     * bundle and engine version via `POST /v1/decisions/:id/replay`.
+     * Side-effect-free server-side: no audit chain row is written and no
+     * permit is issued (ADR-016 `mode: "replay"` sentinel).
+     *
+     * Differences from {@link replayDecision} (the 2.7.0 raw-wire surface):
+     *
+     * | | `replayDecision()` | `replay()` |
+     * | --- | --- | --- |
+     * | Path | `/v1-decisions-replay/:id/replay` | `/v1/decisions/:id/replay` |
+     * | Variance | raw wire (`DECISION_CHANGED`) | SDK-canonical (`POLICY_DRIFT`) |
+     * | 409 handling | throws `AtlaSentError` | returns `ENGINE_DRIFT` / `BUNDLE_MISSING` |
+     * | Input shape | `decisionId: string` | `{ evaluationId }` |
+     *
+     * **Never throws on `409 replay_not_eligible`** — instead returns a
+     * `ReplayResponse` with `varianceKind: "ENGINE_DRIFT"` (engine retired
+     * beyond archival window) or `"BUNDLE_MISSING"` (no bundle pinned on
+     * the original evaluation). Callers can always `switch` on
+     * `result.varianceKind` without a try/catch.
+     *
+     * Fix-forward note: this method was originally landed in PR #275 but
+     * dropped from the squash merge. The TS types (`ReplayResponse`,
+     * `ReplayRequest`) and CHANGELOG made it through; the method itself
+     * did not. Restored here to match the Python {@link
+     * AtlaSentClient}.replay() that landed in atlasent-sdk@2.6.0 (Python).
+     */
+    replay(input: ReplayRequest): Promise<ReplayResponse>;
     /**
      * Open a streaming evaluation session against `POST /v1-evaluate-stream`.
      *
@@ -1614,11 +2144,40 @@ declare class AtlaSentClient {
     revokeImpersonationGrant(id: string): Promise<void>;
     issueImpersonationToken(grant_id: string, requested_duration_seconds?: number): Promise<ImpersonationToken>;
     validateImpersonationToken(token: string): Promise<ImpersonationValidationResult>;
-}
-
-/** Node's webcrypto CryptoKey — kept local so the module doesn't depend on DOM types. */
-type WebCryptoKey = webcrypto.CryptoKey;
-/** Public key candidate the verifier will try, tagged with its registry id. */
+    /**
+     * List the advisory governance-agent registry for the calling org.
+     *
+     * Calls `GET /v1/governance/agents`. The registry is reference data
+     * seeded at runtime-DB migration time; every row has
+     * `authority_class = "advisory"` and `can_authorize = false` —
+     * structural invariants enforced by the schema, not policy.
+     */
+    listGovernanceAgents(): Promise<GovernanceAgent[]>;
+    /**
+     * List advisory findings emitted against one governed change.
+     *
+     * Calls `GET /v1/governance/findings?change_id=…[&agent_slug=…]`.
+     * Returns the typed-finding rows in `created_at DESC` order, including
+     * `routed_gate_id` when the finding→gate trigger linked them. Findings
+     * with `can_authorize === false` (always) are advisory; rendering them
+     * never satisfies a gate.
+     */
+    listGovernanceFindings(query: ListGovernanceFindingsQuery): Promise<GovernanceAgentFinding[]>;
+    /**
+     * List agent run records against one governed change.
+     *
+     * Calls `GET /v1/governance/evaluations?change_id=…[&agent_slug=…]`.
+     * Returns every persisted evaluation, including `failed` / `timeout`
+     * runs and `completed` runs with zero findings — the latter is the
+     * positive signal "the agent ran and found nothing", which the UI
+     * surfaces as `clear`.
+     */
+    listGovernanceEvaluations(query: ListGovernanceEvaluationsQuery): Promise<GovernanceAgentEvaluation[]>;
+}
+
+/** Node's webcrypto CryptoKey — kept local so the module doesn't depend on DOM types. */
+type WebCryptoKey = webcrypto.CryptoKey;
+/** Public key candidate the verifier will try, tagged with its registry id. */
 interface VerifyKey {
     keyId: string;
     publicKey: WebCryptoKey;
@@ -2210,102 +2769,6 @@ interface GovernanceEvent {
     payload?: Record<string, unknown>;
 }
 
-/**
- * Override types — wire shapes for `/v1/overrides`.
- *
- * Overrides allow an authorized actor to bypass a deny decision for a
- * specific evaluation. They must be approved before they take effect
- * and can be revoked at any time.
- *
- * Mirrors `api/src/schemas/overrides.ts` in atlasent-control-plane.
- */
-/**
- * Lifecycle status of an override request.
- *
- * - `pending`  — created, waiting for approval
- * - `approved` — approved and active; the evaluation's deny is lifted
- * - `revoked`  — manually revoked
- * - `expired`  — TTL elapsed before revocation
- */
-type OverrideStatus = "pending" | "approved" | "revoked" | "expired";
-/**
- * The event types that can appear on an override's event log.
- */
-type OverrideEventType = "created" | "approved" | "revoked";
-/**
- * Canonical Override domain object returned by the API.
- *
- * All timestamps are ISO-8601 UTC strings. Nullable fields are `null`
- * rather than omitted so wire shapes are stable.
- */
-interface OverrideV1 {
-    id: string;
-    orgId: string;
-    /** The evaluation ID this override applies to. */
-    evaluationId: string;
-    /** Human-readable justification provided at creation time. */
-    reason: string;
-    status: OverrideStatus;
-    /** Actor who requested the override. */
-    requestedBy: string;
-    /** Actor who approved the override, or `null` if not yet approved. */
-    approvedBy: string | null;
-    /** Actor who revoked the override, or `null` if not revoked. */
-    revokedBy: string | null;
-    /** ISO-8601 creation timestamp. */
-    createdAt: string;
-    /** ISO-8601 approval timestamp, or `null`. */
-    approvedAt: string | null;
-    /** ISO-8601 revocation timestamp, or `null`. */
-    revokedAt: string | null;
-    /** ISO-8601 expiry timestamp, or `null` if no TTL was set. */
-    expiresAt: string | null;
-    /** Arbitrary key/value metadata attached at creation. `null` when none. */
-    metadata: Record<string, unknown> | null;
-}
-/**
- * Paginated list of overrides.
- */
-interface OverrideListResponse {
-    items: OverrideV1[];
-    /** Opaque cursor for the next page. `null` when there are no more results. */
-    nextCursor: string | null;
-}
-/**
- * Input for `POST /v1/overrides` — request a new override.
- */
-interface CreateOverrideRequest {
-    /** Human-readable justification. Required; max 2000 characters. */
-    reason: string;
-    /** The evaluation ID to override. */
-    evaluationId: string;
-    /** Lifetime in seconds. Defaults to 3600. Max 604800 (7 days). */
-    ttlSeconds?: number;
-    /** Arbitrary metadata to attach to the override record. */
-    metadata?: Record<string, unknown>;
-}
-/**
- * Audit event appended to an override's event log on every state mutation.
- */
-interface OverrideEvent {
-    id: string;
-    overrideId: string;
-    orgId: string;
-    /** Actor who caused this event. */
-    actorId: string;
-    type: OverrideEventType;
-    /** ISO-8601 timestamp. */
-    at: string;
-    /** Event-specific payload. `null` when none. */
-    payload: Record<string, unknown> | null;
-}
-/**
- * Response for `GET /v1/overrides/:id/events`.
- */
-interface OverrideEventsResponse {
-    items: OverrideEvent[];
-}
-
 /**
  * Proof bundle types — wire shape for `GET /v1/proof/:evaluationId`.
  *
@@ -3584,82 +4047,6 @@ interface WebhookPayload<T = Record<string, unknown>> {
  */
 declare function verifyWebhookSignature(payload: string, signature: string, secret: string): Promise<boolean>;
 
-/**
- * Compliance evidence types — wire shapes for `v1-compliance-evidence`.
- *
- * Supports on-demand SOC 2 Type II control evidence collection. The
- * same run shape is used for ISO 27001, GDPR, and HIPAA; control IDs
- * differ per framework.
- */
-type ComplianceFramework = "soc2" | "iso27001" | "gdpr" | "hipaa";
-type EvidenceControlStatus = "pass" | "gap" | "finding";
-type ComplianceRunStatus = "pending" | "running" | "completed" | "failed";
-/**
- * A single evaluated control within an evidence run.
- * `evidence` is a free-form object whose keys are framework-specific
- * metric names (e.g. `mfa_enforced_policies`, `audit_events_last_30d`).
- */
-interface EvidenceControl {
-    control_id: string;
-    title: string;
-    status: EvidenceControlStatus;
-    evidence: Record<string, unknown>;
-}
-interface ComplianceEvidenceSummary {
-    total: number;
-    pass: number;
-    gap: number;
-    finding: number;
-}
-interface ComplianceEvidenceRun {
-    id: string;
-    org_id: string;
-    framework: ComplianceFramework;
-    period_start: string;
-    period_end: string;
-    status: ComplianceRunStatus;
-    controls: EvidenceControl[];
-    summary: ComplianceEvidenceSummary | null;
-    applied_by: string | null;
-    created_at: string;
-}
-interface TriggerEvidenceRunRequest {
-    framework: ComplianceFramework;
-    /** ISO 8601 date string; defaults to 30 days ago on the server. */
-    period_start?: string;
-    /** ISO 8601 date string; defaults to now on the server. */
-    period_end?: string;
-}
-interface TriggerEvidenceRunResponse {
-    run: ComplianceEvidenceRun;
-}
-interface ListEvidenceRunsResponse {
-    runs: ComplianceEvidenceRun[];
-}
-/**
- * SOC 2 control IDs evaluated by `v1-compliance-evidence`.
- *
- * | ID     | Area |
- * |--------|------|
- * | CC6.1  | MFA enforcement |
- * | CC6.3  | Periodic access reviews |
- * | CC7.2  | Audit trail completeness |
- * | CC8.1  | Change management / HITL |
- * | CC3.2  | Policy violations |
- */
-type SOC2ControlId = "CC6.1" | "CC6.3" | "CC7.2" | "CC8.1" | "CC3.2";
-/**
- * Returns `true` when every control in the run has `pass` or `gap`
- * status (no `finding`). A `gap` means a control is partially met;
- * a `finding` is a blocking deficiency that requires remediation.
- */
-declare function evidenceRunPasses(run: ComplianceEvidenceRun): boolean;
-/**
- * Returns controls that do not have `pass` status, sorted so
- * `finding` controls appear before `gap` controls.
- */
-declare function nonPassingControls(run: ComplianceEvidenceRun): EvidenceControl[];
-
 /**
  * Policy-as-code GitOps sync types — wire shapes for `v1-policy-sync`.
  *
@@ -3985,6 +4372,1138 @@ declare function authorizeStream(transport: V2Transport, req: EvaluateManyReques
  */
 declare function graphql<T = unknown>(transport: V2Transport, req: GraphQLRequest): Promise<GraphQLResponse<T>>;
 
+/**
+ * Approval/Override Runtime — fail-closed bridge between policy `hold`/`escalate`
+ * outcomes and human approval.
+ *
+ * `protectOrEscalate()` — like `protect()` but handles hold/escalate by:
+ *   1. Creating an HITL escalation via POST /v1/hitl
+ *   2. Polling until approved, rejected, or timed out
+ *   3. Returning an `ApprovalPermit` on approval; throwing on rejection/timeout
+ *
+ * `createEscalation()` — create an HITL escalation request (lower-level)
+ * `waitForEscalationApproval()` — poll until the escalation resolves
+ * `requestOverride()` — request a post-hoc override for a denied evaluation
+ * `configureApprovalRuntime()` — set API key / base URL once
+ */
+
+interface ApprovalRuntimeConfig {
+    apiKey?: string;
+    baseUrl?: string;
+    /** Per-request HTTP timeout in ms. Default 30_000. */
+    timeoutMs?: number;
+}
+/**
+ * Configure the Approval Runtime singleton. Optional — if `ATLASENT_API_KEY` is
+ * set in the environment, the runtime works without configuration. Calling this
+ * again merges into the existing config.
+ */
+declare function configureApprovalRuntime(config: ApprovalRuntimeConfig): void;
+/** Opaque handle returned when an escalation is created. */
+interface EscalationHandle {
+    readonly escalationId: string;
+    readonly createdAt: string;
+    readonly timeoutAt: string | null;
+    readonly assignedToRole: string | null;
+}
+/** Terminal resolution status of an escalation. */
+type ApprovalStatus = "approved" | "rejected" | "timed_out";
+/** Full outcome returned when an escalation resolves. */
+interface EscalationOutcome {
+    readonly status: ApprovalStatus;
+    readonly escalation: HitlEscalation;
+    readonly resolvedBy: string | null;
+    readonly resolutionNote: string | null;
+    readonly resolvedAt: string | null;
+}
+/**
+ * Thrown by `protectOrEscalate` / `waitForEscalationApproval` when the
+ * human reviewer rejects the escalation.
+ */
+declare class EscalationDeniedError extends Error {
+    readonly name: "EscalationDeniedError";
+    readonly escalationId: string;
+    readonly outcome: EscalationOutcome;
+    constructor(outcome: EscalationOutcome);
+}
+/**
+ * Thrown by `protectOrEscalate` / `waitForEscalationApproval` when the
+ * client-side wait window expires before the escalation resolves.
+ */
+declare class EscalationTimeoutError extends Error {
+    readonly name: "EscalationTimeoutError";
+    readonly escalationId: string;
+    readonly outcome: EscalationOutcome;
+    constructor(outcome: EscalationOutcome);
+}
+/**
+ * Options for creating an HITL escalation. Extends `HitlCreateRequest` with
+ * API-key and base-URL overrides for per-call credential injection.
+ */
+interface CreateEscalationOptions extends Partial<HitlCreateRequest> {
+    apiKey?: string;
+    baseUrl?: string;
+}
+/**
+ * Create an HITL escalation via POST /v1/hitl.
+ *
+ * The escalation is placed in `pending` status; a reviewer must approve or
+ * reject it before the original action can proceed. Use
+ * `waitForEscalationApproval()` to poll until the escalation resolves.
+ */
+declare function createEscalation(opts: CreateEscalationOptions): Promise<EscalationHandle>;
+interface WaitForApprovalOptions {
+    escalationId: string;
+    /** Max milliseconds to wait for a human to respond. Default 600_000 (10 min). */
+    waitMs?: number;
+    /** How often to poll the API. Default 5000ms. Minimum 1000ms. */
+    pollIntervalMs?: number;
+    apiKey?: string;
+    baseUrl?: string;
+}
+/**
+ * Poll GET /v1/escalations/:id until the escalation reaches a terminal status
+ * (`approved`, `auto_approved`, `rejected`, or `timed_out`).
+ *
+ * Returns the resolved outcome regardless of approval/rejection — the caller
+ * decides whether to throw. Use `protectOrEscalate()` for the opinionated flow.
+ */
+declare function waitForEscalationApproval(opts: WaitForApprovalOptions): Promise<EscalationOutcome>;
+/**
+ * A verified Permit granted via human approval of an HITL escalation.
+ * Extends {@link Permit} with escalation provenance fields.
+ *
+ * `approvalBasis: "direct_policy"` — action was allowed directly by policy;
+ * no escalation was created.
+ *
+ * `approvalBasis: "human_approval"` — the policy returned `hold`/`escalate`;
+ * a human reviewer approved the escalation.
+ *
+ * Guards and enforcement adapters should treat both as equivalent authorization
+ * proof; auditors can distinguish them via `escalationId`.
+ */
+interface ApprovalPermit extends Permit {
+    /**
+     * The HITL escalation ID that authorized this action. Empty string when
+     * the action was directly allowed by policy (no escalation needed).
+     */
+    readonly escalationId: string;
+    /** Identity of the reviewer who approved, or `null` for `auto_approved`. */
+    readonly resolvedBy: string | null;
+    readonly resolutionNote: string | null;
+    readonly resolvedAt: string;
+    readonly approvalBasis: "direct_policy" | "human_approval";
+}
+interface ProtectOrEscalateOptions {
+    /** Agent ID recorded on the escalation. Defaults to `request.agent`. */
+    agentId?: string;
+    /** Human-readable reason surfaced in the reviewer's queue. */
+    escalationReason?: string;
+    /** The proposed action payload shown to reviewers. Defaults to `request.context`. */
+    proposedAction?: Record<string, unknown>;
+    riskScore?: number;
+    assignedToRole?: string;
+    quorumRequired?: HitlQuorumTier;
+    fallbackDecision?: HitlFallbackDecision;
+    /** ISO-8601 — when the escalation should auto-resolve per server policy. */
+    timeoutAt?: string;
+    metadata?: Record<string, unknown>;
+    /** Max ms to wait for a human decision. Default 600_000 (10 min). */
+    waitMs?: number;
+    /** How often to poll. Default 5000ms. */
+    pollIntervalMs?: number;
+    apiKey?: string;
+    baseUrl?: string;
+    /** Called with the EscalationHandle immediately after it is created. */
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+}
+/**
+ * Authorize an action end-to-end, automatically escalating to human review
+ * when the policy returns `hold` or `escalate`.
+ *
+ * **Directly allowed** → returns `ApprovalPermit` with
+ *   `approvalBasis: "direct_policy"` (same semantics as `protect()`).
+ *
+ * **Hold / escalate** → creates an HITL escalation, polls for a human
+ *   decision, and returns `ApprovalPermit` with
+ *   `approvalBasis: "human_approval"` on approval.
+ *
+ * **Throws**:
+ * - {@link EscalationDeniedError} — reviewer rejected the escalation
+ * - {@link EscalationTimeoutError} — wait window elapsed without a decision
+ * - {@link AtlaSentDeniedError} — hard deny (not hold/escalate); fail-closed
+ * - {@link AtlaSentError} — transport / auth / server failure; fail-closed
+ */
+declare function protectOrEscalate(request: ProtectRequest, opts?: ProtectOrEscalateOptions): Promise<ApprovalPermit>;
+interface RequestOverrideOptions {
+    /** Human-readable justification. Required; max 2000 characters. */
+    reason: string;
+    /** The evaluation ID that was denied and should be overridden. */
+    evaluationId: string;
+    /** How long this override is valid, in seconds. Max 604800 (7 days). */
+    ttlSeconds?: number;
+    /** Arbitrary metadata to attach (e.g. liability attribution context). */
+    metadata?: Record<string, unknown>;
+    apiKey?: string;
+    baseUrl?: string;
+}
+/**
+ * Request a post-hoc override for a denied evaluation via POST /v1/overrides.
+ *
+ * The override starts in `pending` status and takes effect only after an
+ * authorized actor approves it. Subsequent evaluations for the same action
+ * will return `allow` while the override is `approved` and within its TTL.
+ *
+ * Attach `metadata.requested_by` for liability attribution.
+ */
+declare function requestOverride(opts: RequestOverrideOptions): Promise<OverrideV1>;
+
+/**
+ * Context Layer — typed, validated, redaction-aware context for AtlaSent
+ * evaluations.
+ *
+ * The current `protect()` / `evaluate()` API accepts
+ * `context?: Record<string, unknown>` — a black box the policy engine
+ * treats as an opaque blob. This module provides:
+ *
+ * 1. **Typed sub-schemas** — `ActorContext`, `ResourceContext`,
+ *    `EnvironmentContext`, `ActionMetaContext`, `HistoricalContext`, and
+ *    `ActionContext` (the union of all five).
+ *
+ * 2. **`buildActionContext()`** — a structured constructor that normalises
+ *    flat shorthands and validates at build time.
+ *
+ * 3. **`validateActionContext()`** — non-throwing validation that returns
+ *    typed `ContextValidationError[]` and `ContextValidationWarning[]`.
+ *
+ * 4. **`redactContext()`** — strips / masks sensitive fields before
+ *    logging or storing in receipts / evidence bundles.
+ *
+ * 5. **`flattenActionContext()`** — converts a typed `ActionContext` to the
+ *    flat `Record<string, unknown>` that `protect()` / `evaluate()` accept.
+ *
+ * ### Usage
+ *
+ * ```ts
+ * import atlasent, { buildActionContext, redactContext } from "@atlasent/sdk";
+ *
+ * const ctx = buildActionContext({
+ *   actor: { id: "user:alice", type: "human", roles: ["deploy_engineer"] },
+ *   environment: { name: "production", region: "us-east-1" },
+ *   resource: { type: "service", id: "api-gateway", sensitivity: "restricted" },
+ * });
+ *
+ * const permit = await atlasent.protect({
+ *   agent: "deploy-bot",
+ *   action: "production.deploy",
+ *   context: flattenActionContext(ctx),
+ * });
+ *
+ * // Store the redacted context alongside the permit — no PII in evidence.
+ * const safe = redactContext(ctx);
+ * await db.permits.create({ permitId: permit.permitId, context: safe });
+ * ```
+ */
+/**
+ * Identity of the actor requesting the action.
+ *
+ * `id` is the only required field; all others are policy-engine hints.
+ * Omitting optional fields may cause deny on policies that gate on role
+ * membership, trust level, or session binding.
+ */
+interface ActorContext {
+    /** Stable, opaque actor identifier (e.g. `"user:alice"`, `"agent:deploy-bot"`). */
+    id: string;
+    /** Human-readable label for audit trails and reviewer UIs. */
+    label?: string;
+    /** Discriminates human vs. AI agent vs. service account. */
+    type?: "human" | "agent" | "service_account" | "system";
+    /** Roles the actor holds at evaluation time. */
+    roles?: string[];
+    /** Trust tier. Policy rules can gate on this value. */
+    trust_level?: "high" | "medium" | "low" | "untrusted" | string;
+    /** Actor email — required for human-approval escalation UIs. */
+    email?: string;
+    /** Observed client IP — used in geo-restriction and rate-limit rules. */
+    ip?: string;
+    /** Session or OAuth token ID for replay-detection rules. */
+    session_id?: string;
+}
+/**
+ * The resource the action targets.
+ *
+ * `type` is a stable string like `"database.table"`, `"repository"`,
+ * or `"payment"`. `sensitivity` drives redaction rules in evidence
+ * bundles — `"restricted"` fields are masked even in signed receipts.
+ */
+interface ResourceContext {
+    /** Stable resource type slug (e.g. `"database.table"`, `"service"`, `"payment"`). */
+    type?: string;
+    /** Opaque resource identifier (e.g. table name, repo name, payment ID). */
+    id?: string;
+    /** Human-readable name for reviewer UIs. */
+    name?: string;
+    /** Data-sensitivity classification — drives receipt redaction. */
+    sensitivity?: "public" | "internal" | "confidential" | "restricted";
+    /** Owner org or tenant of the resource. */
+    owner?: string;
+    /** Cloud or datacenter region where the resource lives. */
+    region?: string;
+}
+/**
+ * Deployment environment and infrastructure context.
+ *
+ * `name` is the field protect() reads to set the `environment` field
+ * on the verify-permit request. Omitting it logs a console warning
+ * and defaults to `"production"`.
+ */
+interface EnvironmentContext {
+    /** Deployment tier. Defaults to `"production"` in protect() when absent. */
+    name?: "production" | "staging" | "development" | "test" | string;
+    /** Cloud or datacenter region (e.g. `"us-east-1"`, `"eu-west-1"`). */
+    region?: string;
+    /** CI/CD pipeline name (e.g. `"github_actions"`, `"jenkins"`). */
+    pipeline?: string;
+    /** Git SHA, image tag, or artifact version being deployed. */
+    version?: string;
+}
+/**
+ * Action-specific metadata that shapes policy decisions.
+ *
+ * `risk_level` and `reversibility` are the two fields most commonly
+ * referenced by policy rules. Financial policies additionally gate on
+ * `estimated_amount` and `currency`.
+ */
+interface ActionMetaContext {
+    /** Caller-assessed risk level of this specific invocation. */
+    risk_level?: "critical" | "high" | "medium" | "low";
+    /** Whether the action can be undone after execution. */
+    reversibility?: "reversible" | "irreversible" | "partial";
+    /** Free-text description shown to human reviewers in the HITL UI. */
+    description?: string;
+    /** Estimated monetary amount for financial actions. */
+    estimated_amount?: number;
+    /** ISO 4217 currency code (e.g. `"USD"`, `"EUR"`). */
+    currency?: string;
+}
+/**
+ * Historical and behavioral signals about the actor.
+ *
+ * These are caller-computed signals from the caller's own systems —
+ * AtlaSent does not maintain the source-of-truth; it only evaluates
+ * policy against the values provided here.
+ */
+interface HistoricalContext {
+    /** Number of times this actor performed this action in the past 24h. */
+    recent_action_count?: number;
+    /** ISO-8601 timestamp of the actor's most recent action of this type. */
+    last_action_at?: string;
+    /** True when the actor has unresolved policy violations on record. */
+    has_violations?: boolean;
+    /** Arbitrary caller-defined risk signals from upstream systems. */
+    risk_signals?: Record<string, unknown>;
+}
+/**
+ * The canonical typed context for AtlaSent evaluations.
+ *
+ * All sub-schemas are optional at the TypeScript level; policy rules
+ * determine which fields are effectively required. Missing fields that
+ * a policy expects will typically result in a `deny` decision.
+ *
+ * Flat shorthands (`resource_type`, `resource_id`, `environment_name`)
+ * are supported for backward compatibility with existing
+ * `Record<string, unknown>` call sites. `buildActionContext()` merges
+ * them into the nested sub-schemas automatically.
+ *
+ * The `[key: string]: unknown` index signature allows arbitrary
+ * custom fields to pass through to the policy engine unchanged.
+ */
+interface ActionContext {
+    actor?: ActorContext;
+    resource?: ResourceContext;
+    environment?: EnvironmentContext;
+    action_meta?: ActionMetaContext;
+    history?: HistoricalContext;
+    /** Alias for `environment.name`. Merged into `environment` by buildActionContext. */
+    environment_name?: string;
+    /** Alias for `resource.type`. Merged into `resource` by buildActionContext. */
+    resource_type?: string;
+    /** Alias for `resource.id`. Merged into `resource` by buildActionContext. */
+    resource_id?: string;
+    [key: string]: unknown;
+}
+/** Input for `buildActionContext()`. Mirrors `ActionContext` with `actor` required. */
+interface BuildActionContextInput {
+    actor: ActorContext;
+    resource?: ResourceContext;
+    environment?: EnvironmentContext | string;
+    action_meta?: ActionMetaContext;
+    history?: HistoricalContext;
+    /** Arbitrary additional fields to pass through to the policy engine. */
+    extra?: Record<string, unknown>;
+}
+/**
+ * Construct a normalized `ActionContext`.
+ *
+ * - Accepts `environment` as a string shorthand for `{ name: environment }`.
+ * - Populates flat shorthands (`resource_type`, `resource_id`,
+ *   `environment_name`) from the nested sub-schemas so both the nested and
+ *   flat forms are present in the output.
+ * - Never throws — validation is a separate step via `validateActionContext()`.
+ *
+ * ```ts
+ * const ctx = buildActionContext({
+ *   actor: { id: "agent:deploy-bot", type: "agent" },
+ *   environment: "production",
+ *   resource: { type: "service", id: "checkout-api" },
+ * });
+ * ```
+ */
+declare function buildActionContext(input: BuildActionContextInput): ActionContext;
+/** A field-level error from `validateActionContext()`. */
+interface ContextValidationError {
+    /** Dot-delimited field path (e.g. `"actor.id"`, `"action_meta.currency"`). */
+    field: string;
+    /** Machine-readable error code. */
+    code: "required" | "invalid_type" | "invalid_value" | "cross_field" | "sensitive_field";
+    /** Human-readable explanation. */
+    message: string;
+}
+/** A non-blocking advisory from `validateActionContext()`. */
+interface ContextValidationWarning {
+    field: string;
+    code: "recommended" | "deprecated" | "performance";
+    message: string;
+}
+/** Result of `validateActionContext()`. */
+interface ContextValidationResult {
+    valid: boolean;
+    errors: ContextValidationError[];
+    warnings: ContextValidationWarning[];
+}
+/** Options for `validateActionContext()`. */
+interface ValidateContextOptions {
+    /**
+     * Extra fields to treat as required. Dot-delimited paths are supported
+     * (e.g. `["actor.roles", "resource.id"]`).
+     */
+    requiredFields?: string[];
+    /**
+     * When true, skip the built-in cross-field checks (e.g.
+     * estimated_amount → currency). Useful for partial contexts.
+     */
+    skipCrossFieldChecks?: boolean;
+}
+/**
+ * Validate an `ActionContext` without throwing.
+ *
+ * Returns a `ContextValidationResult` with `valid: false` and a list of
+ * typed `errors` / `warnings` when the context is malformed or missing
+ * fields. Does not throw — the caller decides what to do with errors.
+ *
+ * Built-in checks:
+ * - `actor.id` is required when `actor` is present
+ * - `environment.name` is recommended (warns if absent)
+ * - `action_meta.currency` is required when `action_meta.estimated_amount > 0`
+ * - ISO 4217 format check for `action_meta.currency`
+ * - `history.last_action_at` must be a valid ISO-8601 string
+ * - `resource.sensitivity` must be a known value when present
+ *
+ * ```ts
+ * const { valid, errors, warnings } = validateActionContext(ctx, {
+ *   requiredFields: ["resource.id", "actor.roles"],
+ * });
+ * if (!valid) logger.warn("Context validation failed", { errors });
+ * ```
+ */
+declare function validateActionContext(ctx: ActionContext, opts?: ValidateContextOptions): ContextValidationResult;
+/** Redaction mode applied to a matched field. */
+type RedactionMode = "remove" | "mask" | "hash";
+/**
+ * A single redaction rule. `field` is matched against every key at
+ * every nesting level in the context object.
+ *
+ * `path` narrows the match to a specific dot-delimited location
+ * (e.g. `"actor.email"` to only mask email inside the actor sub-object,
+ * not top-level email fields).
+ */
+interface RedactionRule {
+    /** Key name or regex applied to every key in the context tree. */
+    field: string | RegExp;
+    /** What to do with the matched value. */
+    mode: RedactionMode;
+    /**
+     * Optional dot-delimited path constraint. When set, the rule only
+     * applies to a key at this exact path (e.g. `"actor.session_id"`).
+     */
+    path?: string;
+}
+/**
+ * Built-in redaction rules covering OWASP Top 10 sensitive field
+ * name patterns. Matched case-insensitively against every key name
+ * at every nesting level.
+ *
+ * Callers can extend this list or pass a custom rule set to
+ * `redactContext()`.
+ */
+declare const DEFAULT_REDACTION_RULES: readonly RedactionRule[];
+/**
+ * Return a redacted copy of `ctx` with sensitive fields removed or masked.
+ *
+ * Uses `DEFAULT_REDACTION_RULES` when `rules` is omitted. Callers can
+ * extend or replace the default rules:
+ *
+ * ```ts
+ * import { DEFAULT_REDACTION_RULES, redactContext } from "@atlasent/sdk";
+ *
+ * const safe = redactContext(ctx, [
+ *   ...DEFAULT_REDACTION_RULES,
+ *   { field: /internal_id/, mode: "hash" },
+ * ]);
+ * ```
+ *
+ * Never mutates the input; returns a shallow-to-deep copy.
+ */
+declare function redactContext(ctx: ActionContext, rules?: readonly RedactionRule[]): ActionContext;
+/**
+ * Convert a typed `ActionContext` to the flat `Record<string, unknown>`
+ * that `protect()` / `evaluate()` / `verifyPermit()` accept.
+ *
+ * The output merges:
+ * 1. All top-level scalar fields from `ActionContext` (including flat
+ *    shorthands like `environment_name`).
+ * 2. Nested sub-schemas (`actor`, `resource`, `environment`, etc.) preserved
+ *    as nested objects so policy rules written against either the nested or
+ *    flat form work correctly.
+ *
+ * The nested form is always present in the output; the flat shorthands
+ * (`resource_type`, `resource_id`, `environment_name`, `environment`) are
+ * duplicated at the top level for policy rules that use the flat path.
+ *
+ * ```ts
+ * const permit = await protect({
+ *   agent: "deploy-bot",
+ *   action: "production.deploy",
+ *   context: flattenActionContext(ctx),
+ * });
+ * ```
+ */
+declare function flattenActionContext(ctx: ActionContext): Record<string, unknown>;
+
+type ShadowMode = "observe" | "warn" | "enforce";
+interface ShadowOutcome {
+    readonly decision: "permit" | "deny" | "hold" | "escalate";
+    readonly permit: Permit | null;
+    readonly error: AtlaSentDeniedError | null;
+    readonly would_have_blocked: boolean;
+    readonly latencyMs: number;
+    readonly evaluationId: string | null;
+    readonly request: ProtectRequest;
+    readonly mode: ShadowMode;
+}
+interface ShadowConfig {
+    mode?: ShadowMode;
+    onOutcome?: (outcome: ShadowOutcome) => void | Promise<void>;
+    reportToApi?: boolean;
+    apiKey?: string;
+    baseUrl?: string;
+}
+declare function configureShadow(config: ShadowConfig): void;
+interface ShadowOptions extends ShadowConfig {
+}
+declare function protectShadow(request: ProtectRequest, opts?: ShadowOptions): Promise<ShadowOutcome>;
+interface ShadowEventPayload {
+    action: string;
+    agentId: string | null;
+    decision: ShadowOutcome["decision"];
+    would_have_blocked: boolean;
+    latencyMs: number;
+    evaluationId: string | null;
+    mode: ShadowMode;
+    deniedReason?: string;
+    timestamp: string;
+}
+declare function reportShadowEvent(outcome: ShadowOutcome, opts?: Pick<ShadowConfig, "apiKey" | "baseUrl">): Promise<void>;
+
+type EnforcementMode = "observe" | "warn" | "enforce";
+interface HealthReport {
+    readonly healthy: boolean;
+    readonly apiReachable: boolean;
+    readonly authenticated: boolean;
+    readonly latencyMs: number | null;
+    readonly apiVersion: string | null;
+    readonly checkedAt: string;
+    readonly errors: string[];
+}
+interface EnforcementStatus {
+    readonly actionClass: string;
+    readonly mode: EnforcementMode;
+    readonly blockRate: number | null;
+    readonly totalEvaluations: number | null;
+    readonly lastSeenAt: string | null;
+    readonly schemaRegistered: boolean;
+}
+interface ProtectedActionEntry {
+    readonly actionClass: string;
+    readonly firstRegisteredAt: string;
+    readonly lastUpdatedAt: string;
+    readonly enforcementMode: EnforcementMode;
+    readonly schemaId: string | null;
+    readonly tags: string[];
+}
+interface OrgSummary {
+    readonly orgId: string;
+    readonly activePolicies: number;
+    readonly totalPolicies: number;
+    readonly activeOverrides: number;
+    readonly pendingEscalations: number;
+    readonly evidenceSigningEnabled: boolean;
+    readonly shadowModeActions: number;
+    readonly enforcedActions: number;
+    readonly lastEvaluationAt: string | null;
+}
+interface ControlSurfaceConfig {
+    apiKey?: string;
+    baseUrl?: string;
+    timeoutMs?: number;
+}
+declare function configureControlSurface(config: ControlSurfaceConfig): void;
+declare function checkIntegrationHealth(opts?: ControlSurfaceConfig): Promise<HealthReport>;
+interface ReportProtectedActionOptions extends ControlSurfaceConfig {
+    actionClass: string;
+    enforcementMode?: EnforcementMode;
+    schemaId?: string;
+    tags?: string[];
+}
+declare function reportProtectedAction(opts: ReportProtectedActionOptions): Promise<ProtectedActionEntry>;
+interface GetEnforcementStatusOptions extends ControlSurfaceConfig {
+    actionClass: string;
+}
+declare function getEnforcementStatus(opts: GetEnforcementStatusOptions): Promise<EnforcementStatus>;
+declare function getOrgSummary(opts?: ControlSurfaceConfig): Promise<OrgSummary>;
+
+type DeployEnvironment = "production" | "staging" | "development" | string;
+interface DeployGateOptions {
+    service: string;
+    resourceType?: string;
+    sha?: string;
+    workflow?: string;
+    actorId?: string;
+    actorLabel?: string;
+    environment?: DeployEnvironment;
+    description?: string;
+    requireApproval?: boolean;
+    assignedToRole?: string;
+    waitMs?: number;
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+    apiKey?: string;
+    baseUrl?: string;
+}
+declare function protectDeploy(opts: DeployGateOptions): Promise<ApprovalPermit | Permit>;
+
+type CloseActionType = "period.close" | "period.reopen" | "data.export" | "reconciliation.lock";
+interface CloseGovernanceOptions {
+    action: CloseActionType;
+    periodLabel: string;
+    closedBy: string;
+    entityId: string;
+    entityName?: string;
+    dataClassification?: "internal" | "confidential" | "restricted";
+    assignedToRole?: string;
+    requireDualApproval?: boolean;
+    waitMs?: number;
+    description?: string;
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+    apiKey?: string;
+    baseUrl?: string;
+}
+declare function protectCloseAction(opts: CloseGovernanceOptions): Promise<ApprovalPermit>;
+
+interface PaymentReleaseOptions {
+    amount: number;
+    currency: string;
+    vendorId: string;
+    vendorName?: string;
+    authorizedBy: string;
+    reference?: string;
+    description?: string;
+    autoEscalateAbove?: number;
+    requireDualApprovalAbove?: number;
+    assignedToRole?: string;
+    waitMs?: number;
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+    apiKey?: string;
+    baseUrl?: string;
+}
+declare function protectPaymentRelease(opts: PaymentReleaseOptions): Promise<ApprovalPermit | Permit>;
+
+type AgentToolMode = "observe" | "enforce" | "escalate";
+interface AgentToolOptions {
+    toolName: string;
+    toolArgs: Record<string, unknown>;
+    agentId: string;
+    sessionId?: string;
+    riskLevel?: "critical" | "high" | "medium" | "low";
+    mode?: AgentToolMode;
+    assignedToRole?: string;
+    waitMs?: number;
+    description?: string;
+    onEscalationCreated?: (handle: EscalationHandle) => void;
+    apiKey?: string;
+    baseUrl?: string;
+}
+declare function classifyToolRisk(toolName: string): "critical" | "high" | "medium" | "low";
+declare function protectToolCall(opts: AgentToolOptions): Promise<ApprovalPermit | Permit | ShadowOutcome>;
+
+/**
+ * Claims → Evidence Lineage
+ *
+ * Builds and verifies {@link ClaimEvidenceLink} objects — signed, wire-stable
+ * artifacts that tie a canonical claim row to its full evidence chain:
+ *
+ * 1. **`runtime_evidence`** — {@link DecisionReceipt} from `protectWithEvidence()`
+ * 2. **`deploy_evidence`** — `protectDeploy()` gate record
+ * 3. **`integration_evidence`** — `ComplianceEvidenceRun` summary
+ * 4. **`approval_artifact`** — HITL chain or ApprovalArtifact summary
+ * 5. **`delta`** — policy + schema drift since the claim was asserted
+ * 6. **`verification_checklist`** — machine-auditable `all_pass` + per-slot status
+ *
+ * Wire schema: `contract/schemas/claim-evidence-link.schema.json`
+ * Proposal: `contract/PROPOSALS/004-claims-evidence-links.md`
+ *
+ * @module
+ */
+
+interface RuntimeEvidenceSlot {
+    readonly permit_token: string;
+    readonly audit_hash: string;
+    readonly decision: "allow" | "deny" | "escalate";
+    readonly decision_id: string;
+    readonly evaluated_at: string;
+    readonly algorithm: DecisionReceiptAlgorithm;
+    readonly signature: string | null;
+    readonly permit_revoked_at: string | null;
+    readonly verified_at_claim_time: boolean;
+    readonly verified_at_link_creation: boolean;
+}
+interface DeployEvidenceSlot {
+    readonly deploy_id: string;
+    readonly environment: string;
+    readonly sha: string;
+    readonly actor_id: string;
+    readonly deployed_at: string;
+    readonly gate_permit_token: string;
+}
+interface IntegrationEvidenceSlot {
+    readonly run_id: string;
+    readonly framework: "soc2" | "iso27001" | "hipaa" | "pci_dss" | "gdpr" | "fedramp";
+    readonly period_start: string;
+    readonly period_end: string;
+    readonly status: "pending" | "running" | "completed" | "failed";
+    readonly passing_control_count: number;
+    readonly failing_control_count: number;
+    readonly run_completed_at: string;
+}
+interface ApprovalArtifactSlot {
+    readonly approval_id: string;
+    readonly approval_kind: "hitl_chain" | "approval_artifact";
+    readonly quorum_type: "single_approver" | "simple_majority" | "two_thirds" | "unanimous";
+    readonly approver_count: number;
+    readonly approver_ids: readonly string[];
+    readonly approved_at: string;
+    readonly artifact_hash: string;
+}
+type DriftChangeType = "rule_added" | "rule_removed" | "rule_modified" | "threshold_changed" | "policy_updated" | "schema_field_added" | "schema_field_removed" | "schema_field_type_changed";
+type DriftSeverity = "info" | "warning" | "critical";
+interface DriftDetail {
+    readonly change_type: DriftChangeType;
+    readonly severity: DriftSeverity;
+    readonly rule_id: string | null;
+    readonly changed_at: string | null;
+    readonly description: string;
+}
+type DeltaStatus = "pending" | "computing" | "computed" | "failed";
+interface DeltaSlot {
+    readonly status: DeltaStatus;
+    readonly computed_at: string | null;
+    readonly policy_version_at_claim: string | null;
+    readonly policy_version_current: string | null;
+    readonly policy_drift_detected: boolean | null;
+    readonly schema_version_at_claim: string;
+    readonly schema_version_current: string;
+    readonly schema_drift_detected: boolean;
+    readonly drift_details: readonly DriftDetail[];
+}
+type EvidenceSlotStatus = "present" | "not_applicable" | "missing";
+interface VerificationChecklist {
+    readonly runtime_evidence_present: boolean;
+    readonly verified_at_claim_time: boolean;
+    readonly verified_at_link_creation: boolean;
+    readonly deploy_evidence_status: EvidenceSlotStatus;
+    readonly integration_evidence_status: EvidenceSlotStatus;
+    readonly approval_artifact_status: EvidenceSlotStatus;
+    readonly delta_computed: boolean;
+    readonly policy_drift_clean: boolean | null;
+    readonly schema_drift_clean: boolean;
+    readonly all_pass: boolean;
+    readonly last_verified_at: string | null;
+    readonly computed_at: string;
+}
+interface ClaimEvidenceLink {
+    readonly version: "claim_evidence_link.v1";
+    readonly link_id: string;
+    readonly claim_id: string;
+    readonly org_id: string;
+    readonly linked_at: string;
+    readonly updated_at: string;
+    readonly revision: number;
+    readonly link_algorithm: "hmac-sha256" | "none";
+    readonly link_hash: string;
+    readonly link_signature: string | null;
+    readonly runtime_evidence: RuntimeEvidenceSlot;
+    readonly deploy_evidence: DeployEvidenceSlot | null;
+    readonly integration_evidence: IntegrationEvidenceSlot | null;
+    readonly approval_artifact: ApprovalArtifactSlot | null;
+    readonly delta: DeltaSlot;
+    readonly verification_checklist: VerificationChecklist;
+}
+/** Caller signals evidence does not apply to this claim. */
+interface NotApplicable {
+    readonly notApplicable: true;
+}
+declare const NOT_APPLICABLE: NotApplicable;
+/** Raw deploy gate inputs — caller supplies at minimum environment + service. */
+interface DeployEvidenceInput {
+    readonly deploy_id: string;
+    readonly environment: string;
+    readonly sha: string;
+    readonly actor_id: string;
+    readonly deployed_at: string;
+    readonly gate_permit_token: string;
+}
+/** Summary from a HITL chain (derived from HitlEscalation + approval records). */
+interface HitlChainSummary {
+    readonly escalation: HitlEscalation;
+    readonly approvals: readonly HitlApprovalRecord[];
+    /** SHA-256 hex of the canonical JSON of the full chain object. */
+    readonly artifact_hash: string;
+}
+/** Out-of-band approval artifact (pre-signed). */
+interface SignedApprovalArtifact {
+    readonly approval_id: string;
+    readonly approval_kind: "approval_artifact";
+    readonly quorum_type: "single_approver" | "simple_majority" | "two_thirds" | "unanimous";
+    readonly approver_ids: readonly string[];
+    readonly approved_at: string;
+    /** SHA-256 hex of the canonical encoding of the full artifact. */
+    readonly artifact_hash: string;
+}
+interface BuildClaimEvidenceLinkOpts {
+    /** The canonical claim ID this link annotates. */
+    readonly claimId: string;
+    /**
+     * The org that owns the claim. Defaults to `receipt.org_id` from
+     * `runtimeEvidence` when omitted.
+     */
+    readonly orgId?: string;
+    /** DecisionReceipt from `protectWithEvidence()`. Required. */
+    readonly runtimeEvidence: DecisionReceipt;
+    /**
+     * Deploy gate record. Pass `NOT_APPLICABLE` for non-deployment actions.
+     * Omit (or pass `undefined`) when the deploy record was expected but
+     * unavailable — the slot status will be `"missing"` and `all_pass`
+     * will be `false`.
+     */
+    readonly deployEvidence?: DeployEvidenceInput | NotApplicable;
+    /**
+     * Most recent compliance run covering the claim period. Pass
+     * `NOT_APPLICABLE` when no compliance run applies.
+     */
+    readonly integrationEvidence?: ComplianceEvidenceRun | NotApplicable;
+    /**
+     * HITL chain summary or out-of-band approval artifact. Pass
+     * `NOT_APPLICABLE` when no human approval was required.
+     */
+    readonly approvalArtifact?: HitlChainSummary | SignedApprovalArtifact | NotApplicable;
+    /**
+     * HMAC-SHA256 signing secret. When provided the link is signed and
+     * `link_algorithm` is `"hmac-sha256"`. Omit for unsigned links
+     * (`link_algorithm: "none"`).
+     */
+    readonly signingSecret?: string;
+    /**
+     * Override the schema version recorded in `delta.schema_version_at_claim`.
+     * Defaults to the SDK package version embedded at build time.
+     */
+    readonly schemaVersion?: string;
+}
+interface VerifyClaimEvidenceLinkOpts {
+    /**
+     * Signing secret used to re-verify `link_signature`. Required when
+     * `link.link_algorithm` is `"hmac-sha256"`.
+     */
+    readonly signingSecret?: string;
+    /**
+     * When true, skips re-calling `/v1-verify-permit` even if a client is
+     * provided. Useful when the permit is known to be expired and you only
+     * want to check structural integrity.
+     */
+    readonly skipPermitRecheck?: boolean;
+}
+interface VerifyClaimEvidenceLinkResult {
+    /** Updated link with refreshed checklist, incremented revision, and recomputed hash. */
+    readonly link: ClaimEvidenceLink;
+    readonly valid: boolean;
+    /** Names of verification_checklist fields that are false or "missing". */
+    readonly failedSlots: readonly string[];
+}
+/**
+ * Subset of an `ActionEvidenceBundle.receipt` produced by the AtlaSent
+ * GitHub Action (atlasent-action `evidenceBundle.ts`).
+ *
+ * Only the fields consumed by {@link buildClaimEvidenceLinkFromActionBundle}
+ * are required here; the full receipt shape lives in the action repo.
+ */
+interface ActionBundleReceipt {
+    readonly receipt_id: string;
+    readonly evaluation_id: string;
+    readonly permit_id: string | null;
+    readonly audit_hash: string | null;
+    readonly issued_at: string;
+    readonly algorithm: "hmac-sha256" | "none";
+    readonly signature: string | null;
+    readonly decision: "allow";
+}
+/**
+ * Minimal shape of an `ActionEvidenceBundle` emitted by the AtlaSent
+ * GitHub Action as its `evidence-bundle` output. Pass the parsed JSON
+ * directly; no re-shaping needed.
+ */
+interface ActionBundleInput {
+    readonly bundle_id: string;
+    readonly action: string;
+    readonly actor: string;
+    readonly environment: string;
+    readonly repository: string;
+    readonly sha: string;
+    readonly run_id: string;
+    readonly generated_at: string;
+    readonly receipt: ActionBundleReceipt;
+}
+interface BuildFromActionBundleOpts {
+    /** The canonical claim ID this link annotates. */
+    readonly claimId: string;
+    /** Owning org. Defaults to `""` for v1 (no org context on the action). */
+    readonly orgId?: string;
+    /**
+     * Set to `true` when the bundle does NOT represent a deploy action.
+     * The deploy slot will be `NOT_APPLICABLE` instead of auto-populated
+     * from `bundle.sha` / `bundle.environment`.
+     */
+    readonly deployNotApplicable?: boolean;
+    readonly signingSecret?: string;
+    readonly schemaVersion?: string;
+}
+/**
+ * Assemble a {@link ClaimEvidenceLink} from already-fetched SDK artifacts.
+ *
+ * - Generates a client-side `link_id` (`cel_` + UUID v4).
+ * - Computes schema drift from the SDK version; policy drift is set to
+ *   `delta.status: "pending"` (server-side, async).
+ * - Signs the link with HMAC-SHA256 when `signingSecret` is provided.
+ * - `verified_at_link_creation` is set to `true` when the receipt carries a
+ *   `decision === "allow"` (the permit was valid at the moment we're building
+ *   the link, since it was just produced by `protectWithEvidence()`).
+ *
+ * The returned link has `revision: 1`. Subsequent calls to
+ * {@link verifyClaimEvidenceLink} increment `revision` and recompute
+ * `link_hash` / `link_signature`.
+ */
+declare function buildClaimEvidenceLink(opts: BuildClaimEvidenceLinkOpts): ClaimEvidenceLink;
+/**
+ * Verify the structural integrity and checklist freshness of a
+ * {@link ClaimEvidenceLink}.
+ *
+ * Checks:
+ * 1. `link_hash` matches a canonical re-serialisation of the link content.
+ * 2. `link_signature` verifies under `link_algorithm` (when not `"none"`).
+ * 3. Recomputes the `verification_checklist` from the current slot state.
+ *
+ * Returns a new `ClaimEvidenceLink` with:
+ * - Updated `verified_at_link_creation` / `last_verified_at` (permit may have
+ *   expired since the link was built — reflected in the updated checklist).
+ * - Incremented `revision`.
+ * - Recomputed `link_hash` / `link_signature` over the mutated content.
+ *
+ * Does **not** mutate the input. Does **not** make network calls (permit
+ * re-verification via `/v1-verify-permit` is scoped for v2 once the server
+ * endpoint ships).
+ *
+ * @throws {@link AtlaSentError} with `code: "claim_evidence_incomplete"` when
+ *   `all_pass` is false on the refreshed checklist.
+ */
+declare function verifyClaimEvidenceLink(link: ClaimEvidenceLink, opts?: VerifyClaimEvidenceLinkOpts): VerifyClaimEvidenceLinkResult;
+/**
+ * Build a {@link ClaimEvidenceLink} directly from the `evidence-bundle`
+ * JSON emitted by the AtlaSent GitHub Action.
+ *
+ * ```ts
+ * import { buildClaimEvidenceLinkFromActionBundle } from "@atlasent/sdk";
+ *
+ * const bundle = JSON.parse(process.env.ATLASENT_EVIDENCE_BUNDLE!);
+ * const link = buildClaimEvidenceLinkFromActionBundle(bundle, {
+ *   claimId: myClaimId,
+ *   signingSecret: process.env.ATLASENT_SIGNING_SECRET,
+ * });
+ * ```
+ *
+ * The `receipt` fields map directly to the `runtime_evidence` slot. The
+ * `bundle.sha` / `bundle.environment` / `bundle.actor` are used to
+ * auto-populate the `deploy_evidence` slot — pass `deployNotApplicable: true`
+ * to suppress this for non-deploy actions.
+ */
+declare function buildClaimEvidenceLinkFromActionBundle(bundle: ActionBundleInput, opts: BuildFromActionBundleOpts): ClaimEvidenceLink;
+
+/**
+ * BCCAE V1 — TypeScript client.
+ *
+ * BCCAEClient wraps the four BCCAE Phase 3 endpoints:
+ *   evaluate  → POST /v1/bccae/evaluations   (bccae:evaluate scope)
+ *   execute   → POST /v1/bccae/execute        (bccae:execute scope)
+ *   revoke    → POST /v1/bccae/revocations    (bccae:revoke scope)
+ *   getEvidence → GET /v1/bccae/evidence/:id  (bccae:audit scope)
+ *
+ * Spec: atlasent-internal/architecture/BCCAE-architecture.md
+ * Phase 3 — Execution Assurance. Not a Deploy Gate V1 customer API.
+ */
+type BccaeActorType = "HUMAN" | "AGENT" | "SERVICE" | "EXTERNAL";
+type BccaeTrustLevel = "L0" | "L1" | "L2" | "L3";
+type BccaeResourceClassification = "PUBLIC" | "INTERNAL" | "CONFIDENTIAL" | "RESTRICTED";
+type BccaeDeploymentEnv = "PROD" | "STAGING" | "DEV" | "TEST";
+type BccaeSecurityPosture = "STANDARD" | "ELEVATED" | "LOCKED";
+type BccaeRequestSource = "AGENT" | "API" | "INTERNAL" | "SCHEDULED" | "TRIGGERED";
+type BccaeRevocationTargetType = "PERMIT" | "EVALUATION" | "ACTOR" | "RESOURCE";
+interface BccaeEvaluateInput {
+    actor_id: string;
+    actor_type: BccaeActorType;
+    actor_trust_level: BccaeTrustLevel;
+    actor_claims?: Record<string, unknown>;
+    action_id: string;
+    execution_intent: string;
+    /** 64 lowercase hex characters (32 random bytes). */
+    caller_nonce: string;
+    resource_ref: string;
+    resource_type: string;
+    resource_classification: BccaeResourceClassification;
+    organization_version?: number;
+    deployment_env: BccaeDeploymentEnv;
+    deployment_region: string;
+    security_posture: BccaeSecurityPosture;
+    external_signals?: unknown[];
+    dependencies?: unknown[];
+    policy_version_set?: unknown[];
+    request_source?: BccaeRequestSource;
+    request_chain_id?: string;
+    parent_eval_id?: string;
+}
+interface BccaeEvaluateResponse {
+    evaluation_id: string;
+    envelope_hash: string;
+    permit_token: string;
+    permit_id: string;
+    expires_at: string;
+    outcome: "PERMIT" | "PERMIT_WITH_CONDITIONS";
+}
+interface BccaeExecuteInput {
+    permit_token: string;
+    action_id: string;
+    resource_ref: string;
+}
+interface BccaeExecuteResponse {
+    authorized: boolean;
+    outcome: "EXECUTION_AUTHORIZED" | "EXECUTION_DENIED";
+    permit_id?: string;
+    evaluation_id?: string;
+    envelope_hash?: string;
+    evidence_id?: string | null;
+    /** Populated on denial — identifies which gate check failed. */
+    check?: string;
+    reason?: string;
+}
+interface BccaeRevokeInput {
+    target_type: BccaeRevocationTargetType;
+    target_id: string;
+    reason: string;
+}
+interface BccaeRevokeResponse {
+    revocation_id: string;
+    target_type: BccaeRevocationTargetType;
+    target_id: string;
+    effective_at: string;
+}
+interface BccaeEvidenceResponse {
+    evidence_id: string;
+    org_id: string;
+    event_type: string;
+    evaluation_id: string | null;
+    permit_id: string | null;
+    envelope_hash: string | null;
+    actor_id: string;
+    action_id: string | null;
+    resource_ref: string | null;
+    outcome: string;
+    detail: Record<string, unknown>;
+    previous_evidence_id: string | null;
+    previous_hash: string | null;
+    record_hash: string;
+    sequence: number;
+    recorded_at: string;
+    chain_integrity: {
+        hash_intact: boolean;
+        expected_hash?: string;
+    };
+}
+interface BccaeClientOptions {
+    /** API key with appropriate bccae:* scopes. */
+    apiKey: string;
+    /** Override base URL. Defaults to https://api.atlasent.io */
+    baseUrl?: string;
+    /** Request timeout in ms. Defaults to 10000. */
+    timeoutMs?: number;
+    /** Inject a custom fetch implementation (testing / edge runtimes). */
+    fetch?: typeof globalThis.fetch;
+}
+/** Generate a cryptographically random 64-char hex nonce (32 bytes). */
+declare function generateBccaeNonce(): string;
+/**
+ * Thin HTTP client for the BCCAE V1 Phase 3 endpoints.
+ *
+ * Each method maps 1:1 to an edge function:
+ *   - {@link BCCAEClient.evaluate}    → v1-bccae-evaluate
+ *   - {@link BCCAEClient.execute}     → v1-bccae-execute
+ *   - {@link BCCAEClient.revoke}      → v1-bccae-revoke
+ *   - {@link BCCAEClient.getEvidence} → v1-bccae-evidence
+ *
+ * Authorization denials are returned (not thrown). Network errors,
+ * invalid API keys, and 5xx responses throw {@link AtlaSentError}.
+ *
+ * Use {@link generateBccaeNonce} to produce a valid `caller_nonce`.
+ */
+declare class BCCAEClient {
+    private readonly apiKey;
+    private readonly baseUrl;
+    private readonly timeoutMs;
+    private readonly fetchImpl;
+    constructor(options: BccaeClientOptions);
+    evaluate(input: BccaeEvaluateInput): Promise<BccaeEvaluateResponse>;
+    execute(input: BccaeExecuteInput): Promise<BccaeExecuteResponse>;
+    revoke(input: BccaeRevokeInput): Promise<BccaeRevokeResponse>;
+    getEvidence(evidenceId: string): Promise<BccaeEvidenceResponse>;
+    private post;
+    private get;
+    private request;
+}
+
 /**
  * @atlasent/sdk — execution-time authorization for AI agents.
  *
@@ -4061,4 +5580,4 @@ declare const atlasent: {
     readonly AtlaSentDeniedError: typeof AtlaSentDeniedError;
 };
 
-export { type ActionFreeze, type ActionTypeOverrideStat, type ActorOverrideStat, type AmountThreshold, type AnomalyActionType, type AnomalyResponseEvent, type AnomalyResponseRule, type AnomalyType, ApiKeySelfResponse, type ApplyPolicySyncResponse, type ApprovalArtifactV1, type ApprovalConcentrationAnalysis, type ApprovalIssuer, type ApprovalProvenance, type ApprovalQuorumV1, type ApprovalReference, type ApprovalReviewer, type ApproveBudgetExceptionRequest, type ApproverBreakdown, AtlaSentClient, AtlaSentClientOptions, AtlaSentDeniedError, AtlaSentError, type AuditBundle, AuditEventsQuery, AuditEventsResult, AuditExportRequest, AuditExportResult, type AuthenticateConnectorInput, type AuthenticateConnectorResponse, type AuthorizeStreamHandlers, type AutonomousBoundsDenyCode, type AutonomousExecutionBounds, type AutonomousExecutionCheckResult, type AutonomousExecutionRecord, type BudgetConstraintCheckResult, type BudgetDenyCode, type BudgetExceptionRequest, type BudgetExceptionStatus, type BudgetLimit, type BudgetPolicy, type BudgetScope, type BudgetSpendingState, type BudgetViolation, type BudgetaryDriftAnalysis, type BundleVerificationResult, type ComplianceEvidenceRun, type ComplianceEvidenceSummary, type ComplianceFramework, type ComplianceRunStatus, type ComputeOrgRiskOptions, type ComputeOrgRiskResponse, type ConcentrationAlert, type ConnectedSystemRow, type ConnectorAuditLogEntry, type ConnectorCredentialRow, type ConnectorCredentialType, type ConnectorEnforcementEventInput, type ConnectorEnforcementPolicy, type ConnectorEnforcementResult, type ConnectorRow, type ConnectorStatus, type ConnectorSyncState, type ConnectorType, type CreateAnomalyResponseRuleRequest, type CreateBudgetExceptionRequest, type CreateGraphEdgeInput, type CreateGraphNodeInput, type CreateImpersonationGrantRequest, type CreateOverrideRequest, type CreateRegulatoryEscalationRequest, type CreateWebhookSubscriptionRequest, type CrossOrgImpersonationGrant, type CrossOrgPermissionCheckListParams, type CrossOrgPermissionCheckRequest, type CrossOrgPermissionCheckResult, type CrossOrgTrustHop, type CurrencyCode, DEFAULT_INCENTIVE_CONFIG, DEFAULT_RISK_TIER_THRESHOLDS, type DelegationPropagationSummary, DeployGateRequest, DeployGateResponse, type DisputeOrigin, type DisputeRecord, type DisputeReversalSummary, type DisputeStatus, type EconomicEvidenceBundle, type EmergencyFreeze, type EmergencyOverrideActionRow, type EnforcementAction, type EnforcementQuorumConfig, type EnforcementWebhookEvent, type EvaluateBatchItem, type EvaluateBatchResponse, type EvaluateManyRequest, EvaluatePreflightResponse, EvaluateRequest, EvaluateResponse, type EvidenceBundleSignableContent, type EvidenceBundleVerificationResult, type EvidenceControl, type EvidenceControlStatus, type EvidencePurpose, type ExecutionAnomaly, type ExecutionApproverRow, type ExecutionCeiling, FeatureNotEnabledError, type FeatureNotEnabledErrorInit, type FinancialActionClass, type FinancialActionType, type FinancialExecutionRecord, type FinancialExecutionStatus, type FinancialGovernanceSummary, type FinancialQuorumDenyCode, type FinancialQuorumInput, type FinancialQuorumPolicy, type FinancialQuorumResult, type FinancialRiskScore, type FinancialRiskTier, type FinancialRoleRequirement, type GetLatestOrgRiskResponse, GetPermitResponse, type GovernanceBehaviorPattern, GovernanceEnforcementError, type GovernanceEnforcementErrorInit, type GovernanceEvent, type GovernanceGate, type GovernanceGraphQueryParams, type GovernanceGraphQueryResponse, type GovernanceGraphQueryType, type GovernanceGraphResultRow, type GovernanceSignalAction, type GovernanceWebhookEvent, type GraphEdge, type GraphEdgeType, type GraphNode, type GraphNodeType, type GraphQLRequest, type GraphQLResponse, type HitlAiUnavailableFallback, type HitlApprovalRecord, type HitlApproveRequest, type HitlApproverPoolEntry, type HitlApproverType, type HitlChainHop, type HitlCreateRequest, type HitlDetailResponse, type HitlEscalateRequest, type HitlEscalation, type HitlFallbackDecision, type HitlHeterogeneousQuorumExtension, type HitlHeterogeneousQuorumTally, type HitlListResponse, type HitlQuorumProgress, type HitlQuorumTier, type HitlRejectRequest, type HitlRespondRequest, type HitlStatus, type IdentityAssertionBinding, type IdentityAssertionV1, type IdentityIssuer, type IdentityIssuerKey, type IdentitySubject, type IdentityTrustedIssuersConfig, type ImpersonationToken, type ImpersonationValidationResult, type IncentiveAlignmentConfig, type IncentiveSignal, type IncentiveSignalType, type IncidentChainActorEntry, type IncidentChainEvidenceRow, type IncidentChainExecutionRow, type IncidentTimelineResponse, type InstallConnectorInput, type InstallConnectorResponse, type LegacyEvaluateRequest, type LegacyEvaluateResponse, type LiabilityAttributionInput, type LiabilityAttributionRecord, type LiabilityChainValidation, type LiabilityClassification, type LiabilityEdge, type LiabilityNode, type LiabilityParty, type LiabilityPartyRole, type LiabilityVisualization, type ListConnectorsResponse, type ListEnforcementPoliciesResponse, type ListEvidenceRunsResponse, type ListGraphEdgesResponse, type ListGraphNodesResponse, type ListHitlEscalationsRequest, type ListHitlEscalationsResponse, type ListOrgRiskHistoryResponse, ListPermitsRequest, ListPermitsResponse, type ListPolicySyncRunsResponse, type ListWebhookDeliveriesResponse, type ListWebhookSubscriptionsResponse, type MisalignmentAlert, type OrgRiskLevel, type OrgRiskScore, type OverrideAnalytics, type OverrideEvent, type OverrideEventType, type OverrideEventsResponse, type OverrideListResponse, type OverrideStatus, type OverrideV1, Permit, type PermitV1, PermitValidResponse, type PolicyBundleEntry, type PolicyRef, type PolicySyncDiff, type PolicySyncRun, type PolicySyncStatus, type PrincipalKind, type ProductionDeployerRow, type ProofEvaluationSummary, type ProofPayload, type ProofResponse, ProtectRequest, type ProtectedAction, type QuorumBypassConnectorRow, type QuorumIndependence, type QuorumPolicy, type QuorumProof, type QuorumRoleRequirement, RateLimitState, type RecordSignalActionRequest, type RecordSignalOutcomeRequest, type RegulatoryAuthorityLevel, type RegulatoryEscalation, type RegulatoryEscalationStatus, type ReversalStage, type ReversalWorkflow, type RevokeConnectorResponse, RevokePermitByIdInput, RevokePermitByIdResponse, RevokePermitRequest, RevokePermitResponse, type RiskFactor, type RiskTierThreshold, type RiskTimelinePoint, type RotateCredentialsResponse, type SOC2ControlId, type SandboxDiff, type SandboxDiffEmpty, type SandboxDiffPerTable, type SandboxDiffResponse, type SandboxRunMode, type SandboxRunStatus, type SandboxRunWrite, type SandboxWriteOp, type SignalActionSummary, type SignalActionType, type SpendingConstraint, type StreamComplete, type StreamDecisionFrame, type StreamErrorFrame, StreamEvent, StreamOptions, type SubmitPolicySyncRequest, type SubmitPolicySyncResponse, type SyncConnectorResponse, type TriggerAnomalyResponseRequest, type TriggerEvidenceRunRequest, type TriggerEvidenceRunResponse, type UpsertEnforcementPolicyInput, type UpsertEnforcementPolicyResponse, type UserApprovalRow, type V2EvaluateRequest, type V2EvaluateResponse, type V2Feature, type V2Transport, V2_BATCH_PATH, V2_GRAPHQL_MAX_DEPTH, V2_GRAPHQL_PATH, V2_MAX_BATCH_ITEMS, V2_MAX_BODY_BYTES, V2_STREAM_PATH, type VerifyBundleOptions, type VerifyKey, VerifyPermitByIdResponse, VerifyPermitRequest, VerifyPermitResponse, type WebhookDelivery, type WebhookDeliveryStatus, type WebhookPayload, type WebhookSubscription, WebhookVerificationError, type WeightDistribution, assertWebhook, authorizeStream, budgetUtilizationSeverity, buildLiabilityChain, buildLiabilityVisualization, buildRiskTimeline, buildSignableContent, canonicalJSON, canonicalizeForEvidence, checkAutonomousBounds, checkBudgetConstraints, clampTokenDuration, classifyCommand, classifyRiskTier, computeApprovalRiskScore, computeEscalatedApprovalCount, computeExposureScore, computeGovernanceHealthScore, computeHHI, computeLiabilityWeights, computeOverallRiskScore, computeOverrideScore, computeRemediationUrgency, computeSignalEngagementRate, configure, atlasent as default, delegationPropagationHadEffect, deployGate, detectAutonomousAnomaly, detectMisalignedIncentives, detectSelfApproval, enforceAutonomousBounds, enforceBudgetConstraint, enforceEconomicGovernance, enforceFinancialQuorum, evaluateFinancialQuorum, evaluateMany, evidenceRunPasses, findPrimaryLiabilityParties, formatPolicySyncDiff, graphql, hhiToConcentrationScore, highestSeverityAction, hitlRequiredApproverCount, isBudgetExceptionActive, isBudgetExceptionTerminal, isEscalationSlaBreached, isFreezeActive, isImpersonationGrantUsable, isPolicySyncTerminal, isRegulatoryEscalationTerminal, isSandboxDiffPopulated, isSubstantiveSignalResponse, matchAnomalyRules, nonPassingControls, normalizeEvaluateRequest, normalizeEvaluateResponse, protect, requirePermit, scoreToRiskTier, serializeSignableContent, signedBytesFor, summarizeCrossOrgPermission, transitionDispute, transitionReversal, validateLiabilityChain, verifyAuditBundle, verifyBundle, verifyEvidenceBundleStructure, verifyWebhook, verifyWebhookSignature, withPermit, withinAutonomousCeiling };
+export { type ActionBundleInput, type ActionBundleReceipt, type ActionContext, type ActionFreeze, type ActionMetaContext, type ActionTypeOverrideStat, type ActorContext, type ActorOverrideStat, type AgentAuthorityDomain, type AgentEvaluationStatus, type AgentEvidenceRef, type AgentFindingSeverity, type AgentInvokerKind, type AgentSubjectKind, type AgentToolMode, type AgentToolOptions, type AmountThreshold, type AnomalyActionType, type AnomalyResponseEvent, type AnomalyResponseRule, type AnomalyType, ApiKeySelfResponse, type ApplyPolicySyncResponse, type ApprovalArtifactSlot, type ApprovalArtifactV1, type ApprovalConcentrationAnalysis, type ApprovalIssuer, type ApprovalPermit, type ApprovalProvenance, type ApprovalQuorumV1, type ApprovalReference, type ApprovalReviewer, type ApprovalRuntimeConfig, type ApprovalStatus, type ApproveBudgetExceptionRequest, type ApproverBreakdown, AtlaSentClient, AtlaSentClientOptions, AtlaSentDeniedError, AtlaSentError, type AuditBundle, AuditEventsQuery, AuditEventsResult, AuditExportRequest, AuditExportResult, type AuthenticateConnectorInput, type AuthenticateConnectorResponse, type AuthorizeStreamHandlers, type AutonomousBoundsDenyCode, type AutonomousExecutionBounds, type AutonomousExecutionCheckResult, type AutonomousExecutionRecord, BCCAEClient, BatchEvalItem, BatchEvalResponse, type BccaeActorType, type BccaeClientOptions, type BccaeDeploymentEnv, type BccaeEvaluateInput, type BccaeEvaluateResponse, type BccaeEvidenceResponse, type BccaeExecuteInput, type BccaeExecuteResponse, type BccaeRequestSource, type BccaeResourceClassification, type BccaeRevocationTargetType, type BccaeRevokeInput, type BccaeRevokeResponse, type BccaeSecurityPosture, type BccaeTrustLevel, type BudgetConstraintCheckResult, type BudgetDenyCode, type BudgetExceptionRequest, type BudgetExceptionStatus, type BudgetLimit, type BudgetPolicy, type BudgetScope, type BudgetSpendingState, type BudgetViolation, type BudgetaryDriftAnalysis, type BuildActionContextInput, type BuildClaimEvidenceLinkOpts, type BuildFromActionBundleOpts, type BundleVerificationResult, type ClaimEvidenceLink, type CloseActionType, type CloseGovernanceOptions, type ComplianceEvidenceRun, type ComplianceEvidenceSummary, type ComplianceFramework, type ComplianceRunStatus, type ComputeOrgRiskOptions, type ComputeOrgRiskResponse, type ConcentrationAlert, type ConnectedSystemRow, type ConnectorAuditLogEntry, type ConnectorCredentialRow, type ConnectorCredentialType, type ConnectorEnforcementEventInput, type ConnectorEnforcementPolicy, type ConnectorEnforcementResult, type ConnectorRow, type ConnectorStatus, type ConnectorSyncState, type ConnectorType, type ContextValidationError, type ContextValidationResult, type ContextValidationWarning, type ControlSurfaceConfig, type CreateAnomalyResponseRuleRequest, type CreateBudgetExceptionRequest, type CreateEscalationOptions, type CreateGraphEdgeInput, type CreateGraphNodeInput, type CreateImpersonationGrantRequest, type CreateOverrideRequest, type CreateRegulatoryEscalationRequest, type CreateWebhookSubscriptionRequest, type CrossOrgImpersonationGrant, type CrossOrgPermissionCheckListParams, type CrossOrgPermissionCheckRequest, type CrossOrgPermissionCheckResult, type CrossOrgTrustHop, type CurrencyCode, DEFAULT_INCENTIVE_CONFIG, DEFAULT_REDACTION_RULES, DEFAULT_RISK_TIER_THRESHOLDS, DecisionCanonical, DecisionStreamEvent, type DelegationPropagationSummary, type DeltaSlot, type DeltaStatus, type DeployEnvironment, type DeployEvidenceInput, type DeployEvidenceSlot, type DeployGateOptions, DeployGateRequest, DeployGateResponse, type DisputeOrigin, type DisputeRecord, type DisputeReversalSummary, type DisputeStatus, type DriftChangeType, type DriftDetail, type DriftSeverity, type EconomicEvidenceBundle, type EmergencyFreeze, type EmergencyOverrideActionRow, type EnforcementAction, type EnforcementMode, type EnforcementQuorumConfig, type EnforcementStatus, type EnforcementWebhookEvent, type EngineVersionKind, type EnvelopeDriftDetail, type EnvelopeVerification, type EnvironmentContext, EscalationDeniedError, type EscalationHandle, type EscalationOutcome, EscalationTimeoutError, type EvaluateBatchItem, type EvaluateBatchResponse, type EvaluateManyRequest, EvaluatePreflightResponse, EvaluateRequest, EvaluateResponse, type EvidenceBundleSignableContent, type EvidenceBundleVerificationResult, type EvidenceControl, type EvidenceControlStatus, type EvidencePurpose, type EvidenceSlotStatus, type ExecutionAnomaly, type ExecutionApproverRow, type ExecutionCeiling, FeatureNotEnabledError, type FeatureNotEnabledErrorInit, type FinancialActionClass, type FinancialActionType, type FinancialExecutionRecord, type FinancialExecutionStatus, type FinancialGovernanceSummary, type FinancialQuorumDenyCode, type FinancialQuorumInput, type FinancialQuorumPolicy, type FinancialQuorumResult, type FinancialRiskScore, type FinancialRiskTier, type FinancialRoleRequirement, type GetEnforcementStatusOptions, type GetLatestOrgRiskResponse, GetPermitResponse, type GovernanceAgent, type GovernanceAgentEvaluation, type GovernanceAgentFinding, type GovernanceBehaviorPattern, GovernanceEnforcementError, type GovernanceEnforcementErrorInit, type GovernanceEvent, type GovernanceGate, type GovernanceGraphQueryParams, type GovernanceGraphQueryResponse, type GovernanceGraphQueryType, type GovernanceGraphResultRow, type GovernanceSignalAction, type GovernanceWebhookEvent, type GraphEdge, type GraphEdgeType, type GraphNode, type GraphNodeType, type GraphQLRequest, type GraphQLResponse, type HealthReport, type HistoricalContext, type HitlAiUnavailableFallback, type HitlApprovalRecord, type HitlApproveRequest, type HitlApproverPoolEntry, type HitlApproverType, type HitlChainHop, type HitlChainSummary, type HitlCreateRequest, type HitlDetailResponse, type HitlEscalation, type HitlFallbackDecision, type HitlHeterogeneousQuorumExtension, type HitlHeterogeneousQuorumTally, type HitlListResponse, type HitlQuorumProgress, type HitlQuorumTier, type HitlRejectRequest, type HitlRespondRequest, type HitlStatus, type IdentityAssertionBinding, type IdentityAssertionV1, type IdentityIssuer, type IdentityIssuerKey, type IdentitySubject, type IdentityTrustedIssuersConfig, type ImpersonationToken, type ImpersonationValidationResult, type IncentiveAlignmentConfig, type IncentiveSignal, type IncentiveSignalType, type IncidentChainActorEntry, type IncidentChainEvidenceRow, type IncidentChainExecutionRow, type IncidentTimelineResponse, type InstallConnectorInput, type InstallConnectorResponse, type IntegrationEvidenceSlot, type LegacyEvaluateRequest, type LegacyEvaluateResponse, type LiabilityAttributionInput, type LiabilityAttributionRecord, type LiabilityChainValidation, type LiabilityClassification, type LiabilityEdge, type LiabilityNode, type LiabilityParty, type LiabilityPartyRole, type LiabilityVisualization, type ListConnectorsResponse, type ListEnforcementPoliciesResponse, type ListEvidenceRunsResponse, type ListGovernanceAgentsResponse, type ListGovernanceEvaluationsQuery, type ListGovernanceEvaluationsResponse, type ListGovernanceFindingsQuery, type ListGovernanceFindingsResponse, type ListGraphEdgesResponse, type ListGraphNodesResponse, type ListHitlEscalationsRequest, type ListHitlEscalationsResponse, type ListOrgRiskHistoryResponse, ListPermitsRequest, ListPermitsResponse, type ListPolicySyncRunsResponse, type ListWebhookDeliveriesResponse, type ListWebhookSubscriptionsResponse, type MisalignmentAlert, NOT_APPLICABLE, type NotApplicable, type OrgRiskLevel, type OrgRiskScore, type OrgSummary, type OverrideAnalytics, type OverrideEvent, type OverrideEventType, type OverrideEventsResponse, type OverrideListResponse, type OverrideStatus, type OverrideV1, type PaymentReleaseOptions, Permit, type PermitV1, PermitValidResponse, type PolicyBundleEntry, type PolicyRef, type PolicySyncDiff, type PolicySyncRun, type PolicySyncStatus, type PrincipalKind, type ProductionDeployerRow, type ProofEvaluationSummary, type ProofPayload, type ProofResponse, type ProtectOrEscalateOptions, ProtectRequest, type ProtectedAction, type ProtectedActionEntry, type QuorumBypassConnectorRow, type QuorumIndependence, type QuorumPolicy, type QuorumProof, type QuorumRoleRequirement, RateLimitState, type RecordSignalActionRequest, type RecordSignalOutcomeRequest, type RedactionMode, type RedactionRule, type RegulatoryAuthorityLevel, type RegulatoryEscalation, type RegulatoryEscalationStatus, type ReplayDecisionResponse, type ReplayDecisionValue, type ReplayRequest, type ReplayResponse, type ReplayVarianceKind, type ReportProtectedActionOptions, type RequestOverrideOptions, type ResourceContext, type ReversalStage, type ReversalWorkflow, type RevokeConnectorResponse, RevokePermitByIdInput, RevokePermitByIdResponse, RevokePermitRequest, RevokePermitResponse, type RiskFactor, type RiskTierThreshold, type RiskTimelinePoint, type RotateCredentialsResponse, type RuntimeEvidenceSlot, type SOC2ControlId, type SandboxDiff, type SandboxDiffEmpty, type SandboxDiffPerTable, type SandboxDiffResponse, type SandboxRunMode, type SandboxRunStatus, type SandboxRunWrite, type SandboxWriteOp, type ShadowConfig, type ShadowEventPayload, type ShadowMode, type ShadowOptions, type ShadowOutcome, type SignalActionSummary, type SignalActionType, type SignedApprovalArtifact, type SpendingConstraint, type StreamComplete, type StreamDecisionFrame, type StreamErrorFrame, StreamEvent, StreamOptions, type SubmitPolicySyncRequest, type SubmitPolicySyncResponse, SubscribeDecisionsOptions, type SyncConnectorResponse, type TriggerAnomalyResponseRequest, type TriggerEvidenceRunRequest, type TriggerEvidenceRunResponse, type UpsertEnforcementPolicyInput, type UpsertEnforcementPolicyResponse, type UserApprovalRow, type V2EvaluateRequest, type V2EvaluateResponse, type V2Feature, type V2Transport, V2_BATCH_PATH, V2_GRAPHQL_MAX_DEPTH, V2_GRAPHQL_PATH, V2_MAX_BATCH_ITEMS, V2_MAX_BODY_BYTES, V2_STREAM_PATH, type ValidateContextOptions, type VerificationChecklist, type VerifyBundleOptions, type VerifyClaimEvidenceLinkOpts, type VerifyClaimEvidenceLinkResult, type VerifyKey, VerifyPermitByIdResponse, VerifyPermitRequest, VerifyPermitResponse, type WaitForApprovalOptions, type WebhookDelivery, type WebhookDeliveryStatus, type WebhookPayload, type WebhookSubscription, WebhookVerificationError, type WeightDistribution, assertWebhook, authorizeStream, budgetUtilizationSeverity, buildActionContext, buildClaimEvidenceLink, buildClaimEvidenceLinkFromActionBundle, buildLiabilityChain, buildLiabilityVisualization, buildRiskTimeline, buildSignableContent, canonicalJSON, canonicalizeForEvidence, checkAutonomousBounds, checkBudgetConstraints, checkIntegrationHealth, clampTokenDuration, classifyCommand, classifyRiskTier, classifyToolRisk, computeApprovalRiskScore, computeEscalatedApprovalCount, computeExposureScore, computeGovernanceHealthScore, computeHHI, computeLiabilityWeights, computeOverallRiskScore, computeOverrideScore, computeRemediationUrgency, computeSignalEngagementRate, configure, configureApprovalRuntime, configureControlSurface, configureShadow, createEscalation, atlasent as default, delegationPropagationHadEffect, deployGate, detectAutonomousAnomaly, detectMisalignedIncentives, detectSelfApproval, enforceAutonomousBounds, enforceBudgetConstraint, enforceEconomicGovernance, enforceFinancialQuorum, evaluateFinancialQuorum, evaluateMany, evidenceRunPasses, findPrimaryLiabilityParties, flattenActionContext, formatPolicySyncDiff, generateBccaeNonce, getEnforcementStatus, getOrgSummary, graphql, hhiToConcentrationScore, highestAgentFindingSeverity, highestSeverityAction, hitlRequiredApproverCount, isBudgetExceptionActive, isBudgetExceptionTerminal, isEscalationSlaBreached, isFreezeActive, isImpersonationGrantUsable, isPolicySyncTerminal, isRegulatoryEscalationTerminal, isSandboxDiffPopulated, isSubstantiveSignalResponse, matchAnomalyRules, nonPassingControls, normalizeEvaluateRequest, normalizeEvaluateResponse, protect, protectCloseAction, protectDeploy, protectOrEscalate, protectPaymentRelease, protectShadow, protectToolCall, redactContext, reportProtectedAction, reportShadowEvent, requestOverride, requirePermit, scoreToRiskTier, serializeSignableContent, signedBytesFor, summarizeCrossOrgPermission, transitionDispute, transitionReversal, validateActionContext, validateLiabilityChain, verifyAuditBundle, verifyBundle, verifyClaimEvidenceLink, verifyEvidenceBundleStructure, verifyWebhook, verifyWebhookSignature, waitForEscalationApproval, withPermit, withinAutonomousCeiling };