@axtary/ledger 0.0.1 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +202 -0
- package/README.md +82 -3
- package/dist/behavior.d.ts +81 -0
- package/dist/behavior.d.ts.map +1 -0
- package/dist/behavior.js +0 -0
- package/dist/behavior.js.map +1 -0
- package/dist/forensics.d.ts +52 -0
- package/dist/forensics.d.ts.map +1 -0
- package/dist/forensics.js +249 -0
- package/dist/forensics.js.map +1 -0
- package/dist/index.d.ts +663 -2
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +928 -29
- package/dist/index.js.map +1 -1
- package/dist/merkle.d.ts +42 -0
- package/dist/merkle.d.ts.map +1 -0
- package/dist/merkle.js +213 -0
- package/dist/merkle.js.map +1 -0
- package/package.json +6 -6
package/dist/index.d.ts
CHANGED
|
@@ -1,16 +1,31 @@
|
|
|
1
|
-
import { type LedgerRecord, type NormalizedAction, type PolicyDecision } from "@axtary/actionpass";
|
|
1
|
+
import { type ActionPassRevocation, type LocalActionPassTrustStore, type BudgetLedgerEvent, type LedgerExecutionOutcome, type DelegationLedgerEdge, type LedgerRecord, type NormalizedAction, type PolicyDecision, type SigningAlgorithm, type SigningKey, type VerificationKey, type VerificationKeyResolver, type VerificationKeySet } from "@axtary/actionpass";
|
|
2
2
|
import { z } from "zod";
|
|
3
|
+
import { merkleConsistencyProof, merkleInclusionProof, merkleLeafHash, merkleNodeHash, merkleTreeRoot, verifyMerkleConsistency, verifyMerkleInclusion } from "./merkle.js";
|
|
4
|
+
export { merkleConsistencyProof, merkleInclusionProof, merkleLeafHash, merkleNodeHash, merkleTreeRoot, verifyMerkleConsistency, verifyMerkleInclusion, };
|
|
5
|
+
export { BEHAVIOR_STORE_VERSION, BehaviorStoreSchema, InMemoryBehaviorStore, FileBehaviorStore, deriveBehaviorSignals, recordBehaviorObservation, type BehaviorStore, type BehaviorStoreData, type BehaviorSignals, type FileBehaviorStoreOptions, } from "./behavior.js";
|
|
6
|
+
export { LEDGER_FORENSICS_VERSION, analyzeForensics, reconstructIncident, type ForensicExecution, type ForensicIncident, type ForensicNode, type ForensicProperty, type ForensicReport, type ForensicTimelineEntry, } from "./forensics.js";
|
|
3
7
|
export declare const LOCAL_LEDGER_SCHEMA_VERSION = "axtary.local-ledger.v0";
|
|
8
|
+
export declare const LOCAL_LEDGER_HEAD_SCHEMA_VERSION = "axtary.local-ledger-head.v0";
|
|
4
9
|
export declare const LEDGER_EXPORT_SCHEMA_VERSION = "axtary.ledger_export.v0";
|
|
5
10
|
export declare const LEDGER_SYNC_SCHEMA_VERSION = "axtary.ledger_sync.v0";
|
|
6
11
|
export declare const LEDGER_SIEM_EVENT_SCHEMA_VERSION = "axtary.siem_event.v0";
|
|
12
|
+
export declare const LEDGER_OTEL_EXPORT_SCHEMA_VERSION = "axtary.otel_trace_export.v0";
|
|
7
13
|
export declare const LedgerAppendResultSchema: z.ZodObject<{
|
|
8
14
|
record: z.ZodObject<{
|
|
9
15
|
schemaVersion: z.ZodLiteral<"axtary.ledger.v0">;
|
|
10
16
|
id: z.ZodString;
|
|
11
17
|
occurredAt: z.ZodString;
|
|
18
|
+
auditContext: z.ZodOptional<z.ZodObject<{
|
|
19
|
+
tenant: z.ZodNullable<z.ZodString>;
|
|
20
|
+
agentId: z.ZodString;
|
|
21
|
+
humanOwner: z.ZodString;
|
|
22
|
+
taskId: z.ZodString;
|
|
23
|
+
tool: z.ZodString;
|
|
24
|
+
resource: z.ZodString;
|
|
25
|
+
}, z.core.$strip>>;
|
|
12
26
|
actionHash: z.ZodString;
|
|
13
27
|
payloadHash: z.ZodString;
|
|
28
|
+
provenanceHash: z.ZodOptional<z.ZodString>;
|
|
14
29
|
decision: z.ZodEnum<{
|
|
15
30
|
allow: "allow";
|
|
16
31
|
deny: "deny";
|
|
@@ -29,6 +44,13 @@ export declare const LedgerAppendResultSchema: z.ZodObject<{
|
|
|
29
44
|
github: "github";
|
|
30
45
|
slack: "slack";
|
|
31
46
|
linear: "linear";
|
|
47
|
+
docs: "docs";
|
|
48
|
+
drive: "drive";
|
|
49
|
+
mcp: "mcp";
|
|
50
|
+
aws: "aws";
|
|
51
|
+
gcp: "gcp";
|
|
52
|
+
jira: "jira";
|
|
53
|
+
postgres: "postgres";
|
|
32
54
|
}>;
|
|
33
55
|
tool: z.ZodString;
|
|
34
56
|
operation: z.ZodString;
|
|
@@ -37,6 +59,13 @@ export declare const LedgerAppendResultSchema: z.ZodObject<{
|
|
|
37
59
|
github: "github";
|
|
38
60
|
slack: "slack";
|
|
39
61
|
linear: "linear";
|
|
62
|
+
docs: "docs";
|
|
63
|
+
drive: "drive";
|
|
64
|
+
mcp: "mcp";
|
|
65
|
+
aws: "aws";
|
|
66
|
+
gcp: "gcp";
|
|
67
|
+
jira: "jira";
|
|
68
|
+
postgres: "postgres";
|
|
40
69
|
}>;
|
|
41
70
|
kind: z.ZodString;
|
|
42
71
|
id: z.ZodString;
|
|
@@ -54,6 +83,13 @@ export declare const LedgerAppendResultSchema: z.ZodObject<{
|
|
|
54
83
|
github: "github";
|
|
55
84
|
slack: "slack";
|
|
56
85
|
linear: "linear";
|
|
86
|
+
docs: "docs";
|
|
87
|
+
drive: "drive";
|
|
88
|
+
mcp: "mcp";
|
|
89
|
+
aws: "aws";
|
|
90
|
+
gcp: "gcp";
|
|
91
|
+
jira: "jira";
|
|
92
|
+
postgres: "postgres";
|
|
57
93
|
}>;
|
|
58
94
|
summary: z.ZodOptional<z.ZodString>;
|
|
59
95
|
files: z.ZodDefault<z.ZodArray<z.ZodObject<{
|
|
@@ -83,8 +119,57 @@ export declare const LedgerAppendResultSchema: z.ZodObject<{
|
|
|
83
119
|
}, z.core.$strip>>>;
|
|
84
120
|
}, z.core.$strip>>;
|
|
85
121
|
}, z.core.$strip>>;
|
|
122
|
+
executionOutcome: z.ZodOptional<z.ZodObject<{
|
|
123
|
+
schemaVersion: z.ZodLiteral<"axtary.ledger_execution_outcome.v0">;
|
|
124
|
+
status: z.ZodEnum<{
|
|
125
|
+
succeeded: "succeeded";
|
|
126
|
+
failed: "failed";
|
|
127
|
+
}>;
|
|
128
|
+
provider: z.ZodOptional<z.ZodEnum<{
|
|
129
|
+
github: "github";
|
|
130
|
+
slack: "slack";
|
|
131
|
+
linear: "linear";
|
|
132
|
+
docs: "docs";
|
|
133
|
+
drive: "drive";
|
|
134
|
+
mcp: "mcp";
|
|
135
|
+
aws: "aws";
|
|
136
|
+
gcp: "gcp";
|
|
137
|
+
jira: "jira";
|
|
138
|
+
postgres: "postgres";
|
|
139
|
+
}>>;
|
|
140
|
+
resultId: z.ZodOptional<z.ZodString>;
|
|
141
|
+
resultUrl: z.ZodOptional<z.ZodString>;
|
|
142
|
+
resourceId: z.ZodOptional<z.ZodString>;
|
|
143
|
+
resourceLabel: z.ZodOptional<z.ZodString>;
|
|
144
|
+
failureReason: z.ZodOptional<z.ZodString>;
|
|
145
|
+
errorClass: z.ZodOptional<z.ZodString>;
|
|
146
|
+
sideEffectProof: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodType<import("@axtary/actionpass").JsonValue, unknown, z.core.$ZodTypeInternals<import("@axtary/actionpass").JsonValue, unknown>>>>;
|
|
147
|
+
}, z.core.$strict>>;
|
|
86
148
|
traceId: z.ZodOptional<z.ZodString>;
|
|
87
149
|
actionPassId: z.ZodNullable<z.ZodString>;
|
|
150
|
+
delegation: z.ZodOptional<z.ZodObject<{
|
|
151
|
+
parentPassId: z.ZodString;
|
|
152
|
+
childPassId: z.ZodString;
|
|
153
|
+
depth: z.ZodNumber;
|
|
154
|
+
rootPassId: z.ZodString;
|
|
155
|
+
}, z.core.$strip>>;
|
|
156
|
+
budget: z.ZodOptional<z.ZodObject<{
|
|
157
|
+
reservationId: z.ZodNullable<z.ZodString>;
|
|
158
|
+
scope: z.ZodString;
|
|
159
|
+
status: z.ZodEnum<{
|
|
160
|
+
pending: "pending";
|
|
161
|
+
committed: "committed";
|
|
162
|
+
rolled_back: "rolled_back";
|
|
163
|
+
denied: "denied";
|
|
164
|
+
}>;
|
|
165
|
+
expiresAt: z.ZodNullable<z.ZodString>;
|
|
166
|
+
cost: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
167
|
+
limit: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
168
|
+
committedBefore: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
169
|
+
committedAfter: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
170
|
+
reservedAfter: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
171
|
+
}, z.core.$strip>>;
|
|
172
|
+
correlationId: z.ZodOptional<z.ZodString>;
|
|
88
173
|
previousLedgerHash: z.ZodNullable<z.ZodString>;
|
|
89
174
|
ledgerHash: z.ZodString;
|
|
90
175
|
}, z.core.$strip>;
|
|
@@ -95,8 +180,21 @@ export type AppendDecisionInput = {
|
|
|
95
180
|
action: NormalizedAction;
|
|
96
181
|
decision: PolicyDecision;
|
|
97
182
|
actionPassId?: string | null;
|
|
183
|
+
delegation?: DelegationLedgerEdge;
|
|
184
|
+
budget?: BudgetLedgerEvent;
|
|
185
|
+
occurredAt?: Date;
|
|
186
|
+
};
|
|
187
|
+
export type AppendRevocationInput = {
|
|
188
|
+
revokedRecord: LedgerRecord;
|
|
189
|
+
revokedBy?: string;
|
|
190
|
+
reason?: string;
|
|
98
191
|
occurredAt?: Date;
|
|
99
192
|
};
|
|
193
|
+
export type AppendExecutionOutcomeInput = AppendDecisionInput & {
|
|
194
|
+
executionOutcome: LedgerExecutionOutcome;
|
|
195
|
+
correlationId: string;
|
|
196
|
+
traceId?: string;
|
|
197
|
+
};
|
|
100
198
|
export type VerifyLedgerResult = {
|
|
101
199
|
valid: true;
|
|
102
200
|
records: LedgerRecord[];
|
|
@@ -138,8 +236,17 @@ export declare const LedgerExportSchema: z.ZodObject<{
|
|
|
138
236
|
schemaVersion: z.ZodLiteral<"axtary.ledger.v0">;
|
|
139
237
|
id: z.ZodString;
|
|
140
238
|
occurredAt: z.ZodString;
|
|
239
|
+
auditContext: z.ZodOptional<z.ZodObject<{
|
|
240
|
+
tenant: z.ZodNullable<z.ZodString>;
|
|
241
|
+
agentId: z.ZodString;
|
|
242
|
+
humanOwner: z.ZodString;
|
|
243
|
+
taskId: z.ZodString;
|
|
244
|
+
tool: z.ZodString;
|
|
245
|
+
resource: z.ZodString;
|
|
246
|
+
}, z.core.$strip>>;
|
|
141
247
|
actionHash: z.ZodString;
|
|
142
248
|
payloadHash: z.ZodString;
|
|
249
|
+
provenanceHash: z.ZodOptional<z.ZodString>;
|
|
143
250
|
decision: z.ZodEnum<{
|
|
144
251
|
allow: "allow";
|
|
145
252
|
deny: "deny";
|
|
@@ -158,6 +265,13 @@ export declare const LedgerExportSchema: z.ZodObject<{
|
|
|
158
265
|
github: "github";
|
|
159
266
|
slack: "slack";
|
|
160
267
|
linear: "linear";
|
|
268
|
+
docs: "docs";
|
|
269
|
+
drive: "drive";
|
|
270
|
+
mcp: "mcp";
|
|
271
|
+
aws: "aws";
|
|
272
|
+
gcp: "gcp";
|
|
273
|
+
jira: "jira";
|
|
274
|
+
postgres: "postgres";
|
|
161
275
|
}>;
|
|
162
276
|
tool: z.ZodString;
|
|
163
277
|
operation: z.ZodString;
|
|
@@ -166,6 +280,13 @@ export declare const LedgerExportSchema: z.ZodObject<{
|
|
|
166
280
|
github: "github";
|
|
167
281
|
slack: "slack";
|
|
168
282
|
linear: "linear";
|
|
283
|
+
docs: "docs";
|
|
284
|
+
drive: "drive";
|
|
285
|
+
mcp: "mcp";
|
|
286
|
+
aws: "aws";
|
|
287
|
+
gcp: "gcp";
|
|
288
|
+
jira: "jira";
|
|
289
|
+
postgres: "postgres";
|
|
169
290
|
}>;
|
|
170
291
|
kind: z.ZodString;
|
|
171
292
|
id: z.ZodString;
|
|
@@ -183,6 +304,13 @@ export declare const LedgerExportSchema: z.ZodObject<{
|
|
|
183
304
|
github: "github";
|
|
184
305
|
slack: "slack";
|
|
185
306
|
linear: "linear";
|
|
307
|
+
docs: "docs";
|
|
308
|
+
drive: "drive";
|
|
309
|
+
mcp: "mcp";
|
|
310
|
+
aws: "aws";
|
|
311
|
+
gcp: "gcp";
|
|
312
|
+
jira: "jira";
|
|
313
|
+
postgres: "postgres";
|
|
186
314
|
}>;
|
|
187
315
|
summary: z.ZodOptional<z.ZodString>;
|
|
188
316
|
files: z.ZodDefault<z.ZodArray<z.ZodObject<{
|
|
@@ -212,8 +340,57 @@ export declare const LedgerExportSchema: z.ZodObject<{
|
|
|
212
340
|
}, z.core.$strip>>>;
|
|
213
341
|
}, z.core.$strip>>;
|
|
214
342
|
}, z.core.$strip>>;
|
|
343
|
+
executionOutcome: z.ZodOptional<z.ZodObject<{
|
|
344
|
+
schemaVersion: z.ZodLiteral<"axtary.ledger_execution_outcome.v0">;
|
|
345
|
+
status: z.ZodEnum<{
|
|
346
|
+
succeeded: "succeeded";
|
|
347
|
+
failed: "failed";
|
|
348
|
+
}>;
|
|
349
|
+
provider: z.ZodOptional<z.ZodEnum<{
|
|
350
|
+
github: "github";
|
|
351
|
+
slack: "slack";
|
|
352
|
+
linear: "linear";
|
|
353
|
+
docs: "docs";
|
|
354
|
+
drive: "drive";
|
|
355
|
+
mcp: "mcp";
|
|
356
|
+
aws: "aws";
|
|
357
|
+
gcp: "gcp";
|
|
358
|
+
jira: "jira";
|
|
359
|
+
postgres: "postgres";
|
|
360
|
+
}>>;
|
|
361
|
+
resultId: z.ZodOptional<z.ZodString>;
|
|
362
|
+
resultUrl: z.ZodOptional<z.ZodString>;
|
|
363
|
+
resourceId: z.ZodOptional<z.ZodString>;
|
|
364
|
+
resourceLabel: z.ZodOptional<z.ZodString>;
|
|
365
|
+
failureReason: z.ZodOptional<z.ZodString>;
|
|
366
|
+
errorClass: z.ZodOptional<z.ZodString>;
|
|
367
|
+
sideEffectProof: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodType<import("@axtary/actionpass").JsonValue, unknown, z.core.$ZodTypeInternals<import("@axtary/actionpass").JsonValue, unknown>>>>;
|
|
368
|
+
}, z.core.$strict>>;
|
|
215
369
|
traceId: z.ZodOptional<z.ZodString>;
|
|
216
370
|
actionPassId: z.ZodNullable<z.ZodString>;
|
|
371
|
+
delegation: z.ZodOptional<z.ZodObject<{
|
|
372
|
+
parentPassId: z.ZodString;
|
|
373
|
+
childPassId: z.ZodString;
|
|
374
|
+
depth: z.ZodNumber;
|
|
375
|
+
rootPassId: z.ZodString;
|
|
376
|
+
}, z.core.$strip>>;
|
|
377
|
+
budget: z.ZodOptional<z.ZodObject<{
|
|
378
|
+
reservationId: z.ZodNullable<z.ZodString>;
|
|
379
|
+
scope: z.ZodString;
|
|
380
|
+
status: z.ZodEnum<{
|
|
381
|
+
pending: "pending";
|
|
382
|
+
committed: "committed";
|
|
383
|
+
rolled_back: "rolled_back";
|
|
384
|
+
denied: "denied";
|
|
385
|
+
}>;
|
|
386
|
+
expiresAt: z.ZodNullable<z.ZodString>;
|
|
387
|
+
cost: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
388
|
+
limit: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
389
|
+
committedBefore: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
390
|
+
committedAfter: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
391
|
+
reservedAfter: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
392
|
+
}, z.core.$strip>>;
|
|
393
|
+
correlationId: z.ZodOptional<z.ZodString>;
|
|
217
394
|
previousLedgerHash: z.ZodNullable<z.ZodString>;
|
|
218
395
|
ledgerHash: z.ZodString;
|
|
219
396
|
}, z.core.$strip>>;
|
|
@@ -269,6 +446,13 @@ export declare const LedgerSiemEventSchema: z.ZodObject<{
|
|
|
269
446
|
github: "github";
|
|
270
447
|
slack: "slack";
|
|
271
448
|
linear: "linear";
|
|
449
|
+
docs: "docs";
|
|
450
|
+
drive: "drive";
|
|
451
|
+
mcp: "mcp";
|
|
452
|
+
aws: "aws";
|
|
453
|
+
gcp: "gcp";
|
|
454
|
+
jira: "jira";
|
|
455
|
+
postgres: "postgres";
|
|
272
456
|
}>;
|
|
273
457
|
tool: z.ZodString;
|
|
274
458
|
operation: z.ZodString;
|
|
@@ -307,18 +491,495 @@ export type SyncLedgerExportInput = {
|
|
|
307
491
|
fetch?: typeof fetch;
|
|
308
492
|
timeoutMs?: number;
|
|
309
493
|
};
|
|
494
|
+
export type LedgerTelemetryExporter = {
|
|
495
|
+
exportRecord(record: LedgerRecord): Promise<void>;
|
|
496
|
+
};
|
|
497
|
+
export type OtlpHttpTraceExporterOptions = {
|
|
498
|
+
endpoint: string;
|
|
499
|
+
serviceName?: string;
|
|
500
|
+
serviceVersion?: string;
|
|
501
|
+
timeoutMs?: number;
|
|
502
|
+
headers?: Record<string, string>;
|
|
503
|
+
fetch?: typeof fetch;
|
|
504
|
+
};
|
|
505
|
+
export type ExportOtelTracesInput = OtlpHttpTraceExporterOptions & {
|
|
506
|
+
records: LedgerRecord[];
|
|
507
|
+
};
|
|
508
|
+
export type OtelTraceExportResult = {
|
|
509
|
+
schemaVersion: typeof LEDGER_OTEL_EXPORT_SCHEMA_VERSION;
|
|
510
|
+
endpoint: string;
|
|
511
|
+
exportedAt: string;
|
|
512
|
+
records: number;
|
|
513
|
+
spans: number;
|
|
514
|
+
status: number;
|
|
515
|
+
};
|
|
516
|
+
export type LocalJsonlLedgerOptions = {
|
|
517
|
+
lock?: {
|
|
518
|
+
staleMs?: number;
|
|
519
|
+
updateMs?: number;
|
|
520
|
+
retries?: number;
|
|
521
|
+
minTimeoutMs?: number;
|
|
522
|
+
maxTimeoutMs?: number;
|
|
523
|
+
};
|
|
524
|
+
telemetry?: LedgerTelemetryExporter;
|
|
525
|
+
};
|
|
310
526
|
export declare class LocalJsonlLedger {
|
|
311
527
|
readonly filePath: string;
|
|
312
|
-
|
|
528
|
+
readonly headPath: string;
|
|
529
|
+
private readonly options;
|
|
530
|
+
constructor(filePath: string, options?: LocalJsonlLedgerOptions);
|
|
313
531
|
appendDecision(input: AppendDecisionInput): Promise<LedgerAppendResult>;
|
|
532
|
+
appendExecutionOutcome(input: AppendExecutionOutcomeInput): Promise<LedgerAppendResult>;
|
|
533
|
+
appendRevocation(input: AppendRevocationInput): Promise<LedgerAppendResult>;
|
|
314
534
|
appendRecord(recordInput: LedgerRecord): Promise<LedgerAppendResult>;
|
|
315
535
|
readRecords(): Promise<LedgerRecord[]>;
|
|
316
536
|
verify(): Promise<VerifyLedgerResult>;
|
|
537
|
+
private withAppendLock;
|
|
538
|
+
private appendLocked;
|
|
539
|
+
private exportTelemetry;
|
|
540
|
+
}
|
|
541
|
+
export declare class OtlpHttpTraceExporter implements LedgerTelemetryExporter {
|
|
542
|
+
private readonly options;
|
|
543
|
+
constructor(options: OtlpHttpTraceExporterOptions);
|
|
544
|
+
exportRecord(record: LedgerRecord): Promise<void>;
|
|
317
545
|
}
|
|
318
546
|
export declare function readLedgerRecords(filePath: string): Promise<LedgerRecord[]>;
|
|
547
|
+
export type RevokeActionPassResult = {
|
|
548
|
+
revocation: ActionPassRevocation;
|
|
549
|
+
ledgerEvent: LedgerAppendResult | null;
|
|
550
|
+
revokedRecordId: string | null;
|
|
551
|
+
};
|
|
552
|
+
/**
|
|
553
|
+
* Revoke a pass through the single honest path used by both the CLI and the
|
|
554
|
+
* dashboard: first write the durable trust-store revocation (the enforcement
|
|
555
|
+
* authority the proxy/adapters/MCP check), then append a tamper-evident
|
|
556
|
+
* revocation event to the hash-chained ledger bound to the most recent record
|
|
557
|
+
* naming that pass. Enforcement is written first so a later audit-append
|
|
558
|
+
* failure still leaves the pass actually revoked. When no ledger record names
|
|
559
|
+
* the pass (e.g. it never ran locally), the revocation is still authoritative
|
|
560
|
+
* and `ledgerEvent` is null — never faked.
|
|
561
|
+
*/
|
|
562
|
+
export declare function revokeActionPassWithLedgerEvent(input: {
|
|
563
|
+
trustStore: LocalActionPassTrustStore;
|
|
564
|
+
ledger: LocalJsonlLedger;
|
|
565
|
+
passId: string;
|
|
566
|
+
revokedBy?: string;
|
|
567
|
+
reason?: string;
|
|
568
|
+
occurredAt?: Date;
|
|
569
|
+
}): Promise<RevokeActionPassResult>;
|
|
319
570
|
export declare function verifyLedgerFile(filePath: string): Promise<VerifyLedgerResult>;
|
|
320
571
|
export declare function exportLedgerRecords(input: ExportLedgerRecordsInput): Promise<LedgerExport>;
|
|
572
|
+
export declare function exportLedgerRecordsToOtlp(input: ExportOtelTracesInput): Promise<OtelTraceExportResult>;
|
|
321
573
|
export declare function syncLedgerExport(input: SyncLedgerExportInput): Promise<LedgerSyncResult>;
|
|
322
574
|
export declare function formatLedgerExport(input: FormatLedgerExportInput): string;
|
|
323
575
|
export declare function computeLedgerHash(record: Omit<LedgerRecord, "ledgerHash">): string;
|
|
576
|
+
export declare const LEDGER_ATTESTATION_VERSION = "axtary.ledger_attestation.v0";
|
|
577
|
+
export declare const LedgerAttestationClaimsSchema: z.ZodObject<{
|
|
578
|
+
lav: z.ZodLiteral<"axtary.ledger_attestation.v0">;
|
|
579
|
+
iss: z.ZodString;
|
|
580
|
+
iat: z.ZodNumber;
|
|
581
|
+
tenant: z.ZodOptional<z.ZodString>;
|
|
582
|
+
exportDigest: z.ZodString;
|
|
583
|
+
recordCount: z.ZodNumber;
|
|
584
|
+
firstLedgerHash: z.ZodNullable<z.ZodString>;
|
|
585
|
+
segmentHead: z.ZodNullable<z.ZodString>;
|
|
586
|
+
sourceLastLedgerHash: z.ZodNullable<z.ZodString>;
|
|
587
|
+
range: z.ZodObject<{
|
|
588
|
+
from: z.ZodNullable<z.ZodString>;
|
|
589
|
+
to: z.ZodNullable<z.ZodString>;
|
|
590
|
+
decisions: z.ZodNullable<z.ZodArray<z.ZodEnum<{
|
|
591
|
+
allow: "allow";
|
|
592
|
+
deny: "deny";
|
|
593
|
+
step_up: "step_up";
|
|
594
|
+
}>>>;
|
|
595
|
+
}, z.core.$strip>;
|
|
596
|
+
merkleRoot: z.ZodOptional<z.ZodString>;
|
|
597
|
+
treeSize: z.ZodOptional<z.ZodNumber>;
|
|
598
|
+
}, z.core.$strip>;
|
|
599
|
+
export type LedgerAttestationClaims = z.infer<typeof LedgerAttestationClaimsSchema>;
|
|
600
|
+
export type LedgerAttestation = {
|
|
601
|
+
schemaVersion: typeof LEDGER_ATTESTATION_VERSION;
|
|
602
|
+
token: string;
|
|
603
|
+
claims: LedgerAttestationClaims;
|
|
604
|
+
};
|
|
605
|
+
export type AttestLedgerExportInput = {
|
|
606
|
+
export: LedgerExport;
|
|
607
|
+
issuer: string;
|
|
608
|
+
signingKey: SigningKey;
|
|
609
|
+
keyId?: string;
|
|
610
|
+
algorithm?: SigningAlgorithm;
|
|
611
|
+
tenant?: string;
|
|
612
|
+
now?: Date;
|
|
613
|
+
};
|
|
614
|
+
export type VerifyLedgerAttestationInput = {
|
|
615
|
+
export: LedgerExport;
|
|
616
|
+
attestation: string | LedgerAttestation;
|
|
617
|
+
verificationKey?: VerificationKey;
|
|
618
|
+
verificationKeys?: VerificationKeySet | VerificationKeyResolver;
|
|
619
|
+
issuer?: string;
|
|
620
|
+
algorithms?: SigningAlgorithm[];
|
|
621
|
+
currentDate?: Date;
|
|
622
|
+
};
|
|
623
|
+
export type VerifyLedgerAttestationResult = {
|
|
624
|
+
valid: true;
|
|
625
|
+
claims: LedgerAttestationClaims;
|
|
626
|
+
recomputedDigest: string;
|
|
627
|
+
} | {
|
|
628
|
+
valid: false;
|
|
629
|
+
reason: string;
|
|
630
|
+
};
|
|
631
|
+
/** SHA-256 digest of the canonical (JCS) ledger export — the content binding. */
|
|
632
|
+
export declare function computeLedgerExportDigest(exportInput: LedgerExport): string;
|
|
633
|
+
/**
|
|
634
|
+
* RFC 6962 leaves for an export: one leaf per record, committing to that
|
|
635
|
+
* record's `ledgerHash`. Because a verifier recomputes each `ledgerHash` from
|
|
636
|
+
* record content (spec §9.1), binding leaves to `ledgerHash` transitively binds
|
|
637
|
+
* the full record content — a one-byte rewrite changes the leaf and the root.
|
|
638
|
+
*/
|
|
639
|
+
export declare function ledgerExportLeafHashes(exportInput: LedgerExport): Buffer[];
|
|
640
|
+
/** Merkle Tree Hash (RFC 6962) over the export's record leaves, as `sha256:hex`. */
|
|
641
|
+
export declare function computeLedgerExportMerkleRoot(exportInput: LedgerExport): string;
|
|
642
|
+
export declare function attestLedgerExport(input: AttestLedgerExportInput): Promise<LedgerAttestation>;
|
|
643
|
+
/**
|
|
644
|
+
* Standalone verifier: confirm a ledger export carries a valid issuer signature
|
|
645
|
+
* and has not been altered. Needs only the export, the attestation token, and
|
|
646
|
+
* the issuer public key — re-derivable from the spec alone.
|
|
647
|
+
*/
|
|
648
|
+
export declare function verifyLedgerAttestation(input: VerifyLedgerAttestationInput): Promise<VerifyLedgerAttestationResult>;
|
|
649
|
+
type OtlpAnyValue = {
|
|
650
|
+
stringValue: string;
|
|
651
|
+
} | {
|
|
652
|
+
boolValue: boolean;
|
|
653
|
+
} | {
|
|
654
|
+
intValue: string;
|
|
655
|
+
} | {
|
|
656
|
+
arrayValue: {
|
|
657
|
+
values: OtlpAnyValue[];
|
|
658
|
+
};
|
|
659
|
+
};
|
|
660
|
+
type OtlpAttribute = {
|
|
661
|
+
key: string;
|
|
662
|
+
value: OtlpAnyValue;
|
|
663
|
+
};
|
|
664
|
+
type BuildOtlpTraceRequestInput = {
|
|
665
|
+
records: LedgerRecord[];
|
|
666
|
+
serviceName?: string;
|
|
667
|
+
serviceVersion?: string;
|
|
668
|
+
};
|
|
669
|
+
export declare function buildOtlpTraceRequest(input: BuildOtlpTraceRequestInput): {
|
|
670
|
+
resourceSpans: {
|
|
671
|
+
resource: {
|
|
672
|
+
attributes: OtlpAttribute[];
|
|
673
|
+
};
|
|
674
|
+
scopeSpans: {
|
|
675
|
+
scope: {
|
|
676
|
+
name: string;
|
|
677
|
+
version: string;
|
|
678
|
+
};
|
|
679
|
+
spans: {
|
|
680
|
+
status?: {
|
|
681
|
+
code: string;
|
|
682
|
+
message: string;
|
|
683
|
+
} | {
|
|
684
|
+
code: string;
|
|
685
|
+
message?: undefined;
|
|
686
|
+
} | undefined;
|
|
687
|
+
traceId: string;
|
|
688
|
+
spanId: string;
|
|
689
|
+
name: string;
|
|
690
|
+
kind: string;
|
|
691
|
+
startTimeUnixNano: string;
|
|
692
|
+
endTimeUnixNano: string;
|
|
693
|
+
attributes: OtlpAttribute[];
|
|
694
|
+
}[];
|
|
695
|
+
}[];
|
|
696
|
+
}[];
|
|
697
|
+
};
|
|
698
|
+
export declare const LEDGER_ATTESTATION_BUNDLE_VERSION = "axtary.ledger_attestation_bundle.v0";
|
|
699
|
+
export declare const LedgerAttestationBundleSchema: z.ZodObject<{
|
|
700
|
+
schemaVersion: z.ZodLiteral<"axtary.ledger_attestation_bundle.v0">;
|
|
701
|
+
export: z.ZodObject<{
|
|
702
|
+
schemaVersion: z.ZodLiteral<"axtary.ledger_export.v0">;
|
|
703
|
+
exportedAt: z.ZodString;
|
|
704
|
+
source: z.ZodObject<{
|
|
705
|
+
filePath: z.ZodString;
|
|
706
|
+
totalRecords: z.ZodNumber;
|
|
707
|
+
lastLedgerHash: z.ZodNullable<z.ZodString>;
|
|
708
|
+
}, z.core.$strip>;
|
|
709
|
+
filters: z.ZodObject<{
|
|
710
|
+
from: z.ZodNullable<z.ZodString>;
|
|
711
|
+
to: z.ZodNullable<z.ZodString>;
|
|
712
|
+
decisions: z.ZodNullable<z.ZodArray<z.ZodEnum<{
|
|
713
|
+
allow: "allow";
|
|
714
|
+
deny: "deny";
|
|
715
|
+
step_up: "step_up";
|
|
716
|
+
}>>>;
|
|
717
|
+
}, z.core.$strip>;
|
|
718
|
+
records: z.ZodArray<z.ZodObject<{
|
|
719
|
+
schemaVersion: z.ZodLiteral<"axtary.ledger.v0">;
|
|
720
|
+
id: z.ZodString;
|
|
721
|
+
occurredAt: z.ZodString;
|
|
722
|
+
auditContext: z.ZodOptional<z.ZodObject<{
|
|
723
|
+
tenant: z.ZodNullable<z.ZodString>;
|
|
724
|
+
agentId: z.ZodString;
|
|
725
|
+
humanOwner: z.ZodString;
|
|
726
|
+
taskId: z.ZodString;
|
|
727
|
+
tool: z.ZodString;
|
|
728
|
+
resource: z.ZodString;
|
|
729
|
+
}, z.core.$strip>>;
|
|
730
|
+
actionHash: z.ZodString;
|
|
731
|
+
payloadHash: z.ZodString;
|
|
732
|
+
provenanceHash: z.ZodOptional<z.ZodString>;
|
|
733
|
+
decision: z.ZodEnum<{
|
|
734
|
+
allow: "allow";
|
|
735
|
+
deny: "deny";
|
|
736
|
+
step_up: "step_up";
|
|
737
|
+
}>;
|
|
738
|
+
reasons: z.ZodArray<z.ZodString>;
|
|
739
|
+
policy: z.ZodObject<{
|
|
740
|
+
nativeRule: z.ZodString;
|
|
741
|
+
version: z.ZodString;
|
|
742
|
+
cedarCompatible: z.ZodBoolean;
|
|
743
|
+
opaCompatible: z.ZodBoolean;
|
|
744
|
+
}, z.core.$strip>;
|
|
745
|
+
providerEvidence: z.ZodOptional<z.ZodObject<{
|
|
746
|
+
schemaVersion: z.ZodLiteral<"axtary.ledger_provider_evidence.v0">;
|
|
747
|
+
provider: z.ZodEnum<{
|
|
748
|
+
github: "github";
|
|
749
|
+
slack: "slack";
|
|
750
|
+
linear: "linear";
|
|
751
|
+
docs: "docs";
|
|
752
|
+
drive: "drive";
|
|
753
|
+
mcp: "mcp";
|
|
754
|
+
aws: "aws";
|
|
755
|
+
gcp: "gcp";
|
|
756
|
+
jira: "jira";
|
|
757
|
+
postgres: "postgres";
|
|
758
|
+
}>;
|
|
759
|
+
tool: z.ZodString;
|
|
760
|
+
operation: z.ZodString;
|
|
761
|
+
resource: z.ZodObject<{
|
|
762
|
+
provider: z.ZodEnum<{
|
|
763
|
+
github: "github";
|
|
764
|
+
slack: "slack";
|
|
765
|
+
linear: "linear";
|
|
766
|
+
docs: "docs";
|
|
767
|
+
drive: "drive";
|
|
768
|
+
mcp: "mcp";
|
|
769
|
+
aws: "aws";
|
|
770
|
+
gcp: "gcp";
|
|
771
|
+
jira: "jira";
|
|
772
|
+
postgres: "postgres";
|
|
773
|
+
}>;
|
|
774
|
+
kind: z.ZodString;
|
|
775
|
+
id: z.ZodString;
|
|
776
|
+
label: z.ZodOptional<z.ZodString>;
|
|
777
|
+
url: z.ZodOptional<z.ZodString>;
|
|
778
|
+
}, z.core.$strict>;
|
|
779
|
+
normalized: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodType<import("@axtary/actionpass").JsonValue, unknown, z.core.$ZodTypeInternals<import("@axtary/actionpass").JsonValue, unknown>>>>;
|
|
780
|
+
fieldChanges: z.ZodDefault<z.ZodArray<z.ZodObject<{
|
|
781
|
+
field: z.ZodString;
|
|
782
|
+
before: z.ZodOptional<z.ZodType<import("@axtary/actionpass").JsonValue, unknown, z.core.$ZodTypeInternals<import("@axtary/actionpass").JsonValue, unknown>>>;
|
|
783
|
+
after: z.ZodOptional<z.ZodType<import("@axtary/actionpass").JsonValue, unknown, z.core.$ZodTypeInternals<import("@axtary/actionpass").JsonValue, unknown>>>;
|
|
784
|
+
}, z.core.$strip>>>;
|
|
785
|
+
diff: z.ZodOptional<z.ZodObject<{
|
|
786
|
+
provider: z.ZodEnum<{
|
|
787
|
+
github: "github";
|
|
788
|
+
slack: "slack";
|
|
789
|
+
linear: "linear";
|
|
790
|
+
docs: "docs";
|
|
791
|
+
drive: "drive";
|
|
792
|
+
mcp: "mcp";
|
|
793
|
+
aws: "aws";
|
|
794
|
+
gcp: "gcp";
|
|
795
|
+
jira: "jira";
|
|
796
|
+
postgres: "postgres";
|
|
797
|
+
}>;
|
|
798
|
+
summary: z.ZodOptional<z.ZodString>;
|
|
799
|
+
files: z.ZodDefault<z.ZodArray<z.ZodObject<{
|
|
800
|
+
path: z.ZodString;
|
|
801
|
+
oldPath: z.ZodOptional<z.ZodString>;
|
|
802
|
+
status: z.ZodEnum<{
|
|
803
|
+
added: "added";
|
|
804
|
+
modified: "modified";
|
|
805
|
+
deleted: "deleted";
|
|
806
|
+
renamed: "renamed";
|
|
807
|
+
}>;
|
|
808
|
+
additions: z.ZodDefault<z.ZodNumber>;
|
|
809
|
+
deletions: z.ZodDefault<z.ZodNumber>;
|
|
810
|
+
hunks: z.ZodDefault<z.ZodArray<z.ZodObject<{
|
|
811
|
+
header: z.ZodString;
|
|
812
|
+
lines: z.ZodArray<z.ZodObject<{
|
|
813
|
+
type: z.ZodEnum<{
|
|
814
|
+
context: "context";
|
|
815
|
+
addition: "addition";
|
|
816
|
+
deletion: "deletion";
|
|
817
|
+
}>;
|
|
818
|
+
content: z.ZodString;
|
|
819
|
+
oldLine: z.ZodOptional<z.ZodNumber>;
|
|
820
|
+
newLine: z.ZodOptional<z.ZodNumber>;
|
|
821
|
+
}, z.core.$strip>>;
|
|
822
|
+
}, z.core.$strip>>>;
|
|
823
|
+
}, z.core.$strip>>>;
|
|
824
|
+
}, z.core.$strip>>;
|
|
825
|
+
}, z.core.$strip>>;
|
|
826
|
+
executionOutcome: z.ZodOptional<z.ZodObject<{
|
|
827
|
+
schemaVersion: z.ZodLiteral<"axtary.ledger_execution_outcome.v0">;
|
|
828
|
+
status: z.ZodEnum<{
|
|
829
|
+
succeeded: "succeeded";
|
|
830
|
+
failed: "failed";
|
|
831
|
+
}>;
|
|
832
|
+
provider: z.ZodOptional<z.ZodEnum<{
|
|
833
|
+
github: "github";
|
|
834
|
+
slack: "slack";
|
|
835
|
+
linear: "linear";
|
|
836
|
+
docs: "docs";
|
|
837
|
+
drive: "drive";
|
|
838
|
+
mcp: "mcp";
|
|
839
|
+
aws: "aws";
|
|
840
|
+
gcp: "gcp";
|
|
841
|
+
jira: "jira";
|
|
842
|
+
postgres: "postgres";
|
|
843
|
+
}>>;
|
|
844
|
+
resultId: z.ZodOptional<z.ZodString>;
|
|
845
|
+
resultUrl: z.ZodOptional<z.ZodString>;
|
|
846
|
+
resourceId: z.ZodOptional<z.ZodString>;
|
|
847
|
+
resourceLabel: z.ZodOptional<z.ZodString>;
|
|
848
|
+
failureReason: z.ZodOptional<z.ZodString>;
|
|
849
|
+
errorClass: z.ZodOptional<z.ZodString>;
|
|
850
|
+
sideEffectProof: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodType<import("@axtary/actionpass").JsonValue, unknown, z.core.$ZodTypeInternals<import("@axtary/actionpass").JsonValue, unknown>>>>;
|
|
851
|
+
}, z.core.$strict>>;
|
|
852
|
+
traceId: z.ZodOptional<z.ZodString>;
|
|
853
|
+
actionPassId: z.ZodNullable<z.ZodString>;
|
|
854
|
+
delegation: z.ZodOptional<z.ZodObject<{
|
|
855
|
+
parentPassId: z.ZodString;
|
|
856
|
+
childPassId: z.ZodString;
|
|
857
|
+
depth: z.ZodNumber;
|
|
858
|
+
rootPassId: z.ZodString;
|
|
859
|
+
}, z.core.$strip>>;
|
|
860
|
+
budget: z.ZodOptional<z.ZodObject<{
|
|
861
|
+
reservationId: z.ZodNullable<z.ZodString>;
|
|
862
|
+
scope: z.ZodString;
|
|
863
|
+
status: z.ZodEnum<{
|
|
864
|
+
pending: "pending";
|
|
865
|
+
committed: "committed";
|
|
866
|
+
rolled_back: "rolled_back";
|
|
867
|
+
denied: "denied";
|
|
868
|
+
}>;
|
|
869
|
+
expiresAt: z.ZodNullable<z.ZodString>;
|
|
870
|
+
cost: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
871
|
+
limit: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
872
|
+
committedBefore: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
873
|
+
committedAfter: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
874
|
+
reservedAfter: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
875
|
+
}, z.core.$strip>>;
|
|
876
|
+
correlationId: z.ZodOptional<z.ZodString>;
|
|
877
|
+
previousLedgerHash: z.ZodNullable<z.ZodString>;
|
|
878
|
+
ledgerHash: z.ZodString;
|
|
879
|
+
}, z.core.$strip>>;
|
|
880
|
+
}, z.core.$strip>;
|
|
881
|
+
attestation: z.ZodObject<{
|
|
882
|
+
token: z.ZodString;
|
|
883
|
+
claims: z.ZodObject<{
|
|
884
|
+
lav: z.ZodLiteral<"axtary.ledger_attestation.v0">;
|
|
885
|
+
iss: z.ZodString;
|
|
886
|
+
iat: z.ZodNumber;
|
|
887
|
+
tenant: z.ZodOptional<z.ZodString>;
|
|
888
|
+
exportDigest: z.ZodString;
|
|
889
|
+
recordCount: z.ZodNumber;
|
|
890
|
+
firstLedgerHash: z.ZodNullable<z.ZodString>;
|
|
891
|
+
segmentHead: z.ZodNullable<z.ZodString>;
|
|
892
|
+
sourceLastLedgerHash: z.ZodNullable<z.ZodString>;
|
|
893
|
+
range: z.ZodObject<{
|
|
894
|
+
from: z.ZodNullable<z.ZodString>;
|
|
895
|
+
to: z.ZodNullable<z.ZodString>;
|
|
896
|
+
decisions: z.ZodNullable<z.ZodArray<z.ZodEnum<{
|
|
897
|
+
allow: "allow";
|
|
898
|
+
deny: "deny";
|
|
899
|
+
step_up: "step_up";
|
|
900
|
+
}>>>;
|
|
901
|
+
}, z.core.$strip>;
|
|
902
|
+
merkleRoot: z.ZodOptional<z.ZodString>;
|
|
903
|
+
treeSize: z.ZodOptional<z.ZodNumber>;
|
|
904
|
+
}, z.core.$strip>;
|
|
905
|
+
}, z.core.$strip>;
|
|
906
|
+
publicJwk: z.ZodRecord<z.ZodString, z.ZodUnknown>;
|
|
907
|
+
keyId: z.ZodNullable<z.ZodString>;
|
|
908
|
+
}, z.core.$strip>;
|
|
909
|
+
export type LedgerAttestationBundle = z.infer<typeof LedgerAttestationBundleSchema>;
|
|
910
|
+
/** Bundle an export, its attestation, and the public key into one artifact. */
|
|
911
|
+
export declare function buildLedgerAttestationBundle(input: {
|
|
912
|
+
export: LedgerExport;
|
|
913
|
+
attestation: LedgerAttestation;
|
|
914
|
+
publicJwk: Record<string, unknown>;
|
|
915
|
+
keyId?: string | null;
|
|
916
|
+
}): LedgerAttestationBundle;
|
|
917
|
+
/** Verify a self-contained attestation bundle (export + token + embedded public key). */
|
|
918
|
+
export declare function verifyLedgerAttestationBundle(bundleInput: unknown, options?: {
|
|
919
|
+
issuer?: string;
|
|
920
|
+
algorithms?: SigningAlgorithm[];
|
|
921
|
+
currentDate?: Date;
|
|
922
|
+
}): Promise<VerifyLedgerAttestationResult>;
|
|
923
|
+
export declare const LEDGER_INCLUSION_PROOF_VERSION = "axtary.ledger_inclusion_proof.v0";
|
|
924
|
+
export declare const LedgerInclusionProofSchema: z.ZodObject<{
|
|
925
|
+
schemaVersion: z.ZodLiteral<"axtary.ledger_inclusion_proof.v0">;
|
|
926
|
+
recordId: z.ZodString;
|
|
927
|
+
ledgerHash: z.ZodString;
|
|
928
|
+
leafIndex: z.ZodNumber;
|
|
929
|
+
treeSize: z.ZodNumber;
|
|
930
|
+
merkleRoot: z.ZodString;
|
|
931
|
+
auditPath: z.ZodArray<z.ZodString>;
|
|
932
|
+
}, z.core.$strip>;
|
|
933
|
+
export type LedgerInclusionProof = z.infer<typeof LedgerInclusionProofSchema>;
|
|
934
|
+
export declare const LEDGER_CONSISTENCY_PROOF_VERSION = "axtary.ledger_consistency_proof.v0";
|
|
935
|
+
export declare const LedgerConsistencyProofSchema: z.ZodObject<{
|
|
936
|
+
schemaVersion: z.ZodLiteral<"axtary.ledger_consistency_proof.v0">;
|
|
937
|
+
firstSize: z.ZodNumber;
|
|
938
|
+
secondSize: z.ZodNumber;
|
|
939
|
+
firstRoot: z.ZodString;
|
|
940
|
+
secondRoot: z.ZodString;
|
|
941
|
+
proof: z.ZodArray<z.ZodString>;
|
|
942
|
+
}, z.core.$strip>;
|
|
943
|
+
export type LedgerConsistencyProof = z.infer<typeof LedgerConsistencyProofSchema>;
|
|
944
|
+
export type ProofVerificationResult = {
|
|
945
|
+
valid: true;
|
|
946
|
+
} | {
|
|
947
|
+
valid: false;
|
|
948
|
+
reason: string;
|
|
949
|
+
};
|
|
950
|
+
/** Build an inclusion proof for one record (by id or 0-based index). */
|
|
951
|
+
export declare function proveLedgerInclusion(input: {
|
|
952
|
+
export: LedgerExport;
|
|
953
|
+
recordId?: string;
|
|
954
|
+
index?: number;
|
|
955
|
+
}): LedgerInclusionProof;
|
|
956
|
+
/**
|
|
957
|
+
* Verify an inclusion proof against a Merkle root. Pass `expectedRoot` (e.g. a
|
|
958
|
+
* signed attestation's `merkleRoot`) to bind the proof to a signed tree head.
|
|
959
|
+
* Pass `record` to additionally recompute the leaf from record content so a
|
|
960
|
+
* proof cannot smuggle a `ledgerHash` that does not match the record.
|
|
961
|
+
*/
|
|
962
|
+
export declare function verifyLedgerInclusionProof(input: {
|
|
963
|
+
proof: unknown;
|
|
964
|
+
expectedRoot?: string;
|
|
965
|
+
record?: LedgerRecord;
|
|
966
|
+
}): ProofVerificationResult;
|
|
967
|
+
/**
|
|
968
|
+
* Build a consistency proof showing the `second` export append-only-extends the
|
|
969
|
+
* `first`. Roots are computed from each export independently; if `first` is not
|
|
970
|
+
* a genuine prefix, verification fails (the honest, fail-closed outcome).
|
|
971
|
+
*/
|
|
972
|
+
export declare function proveLedgerConsistency(input: {
|
|
973
|
+
first: LedgerExport;
|
|
974
|
+
second: LedgerExport;
|
|
975
|
+
}): LedgerConsistencyProof;
|
|
976
|
+
/**
|
|
977
|
+
* Verify a consistency proof. Pass `firstExpectedRoot`/`secondExpectedRoot`
|
|
978
|
+
* (the two signed heads' `merkleRoot`s) to bind the proof to signed tree heads.
|
|
979
|
+
*/
|
|
980
|
+
export declare function verifyLedgerConsistencyProof(input: {
|
|
981
|
+
proof: unknown;
|
|
982
|
+
firstExpectedRoot?: string;
|
|
983
|
+
secondExpectedRoot?: string;
|
|
984
|
+
}): ProofVerificationResult;
|
|
324
985
|
//# sourceMappingURL=index.d.ts.map
|