@cardanowall/sdk-ts 0.2.0 → 0.4.0

package/dist/verifier/index.d.cts

@@ -1,71 +1,43 @@
-import { g as VerifyReport, E as ExitCode, h as VerifyTxInput, a as Profile, f as VerifyRecordSignature, l as VerifyUriCheck, d as VerifyItemDecryption, e as VerifyMerkleCheck, j as VerifyTxSummary, k as VerifyTxWitness } from '../types-CLXdbjqr.cjs';
-export { D as DecryptionVerdict, I as ItemHashCheck, M as MerkleVerdict, N as Network, P as PROFILE_RANK, S as SignatureFailureReason, b as SignatureVerdict, c as SignerType, V as Verdict, i as VerifyTxOutput } from '../types-CLXdbjqr.cjs';
-import { F as FetchOutbound, H as HttpCallRecord } from '../fetch-outbound-BT5-NiYN.cjs';
-export { B as BodyTooLargeError, D as DEFAULT_OUTBOUND_MAX_BYTES, a as DENY_HOSTS_DEFAULT, b as DenyHostError, c as FetchOutboundOptions, d as FetchOutboundResult, O as OutboundExhaustedError, R as RetryConfig, U as UnsupportedMethodError, g as UnsupportedProtocolError, W as WrapFetchOutboundConfig, h as defaultFetchOutbound, i as fetchOutbound, w as wrapFetchOutbound } from '../fetch-outbound-BT5-NiYN.cjs';
-import { PoeRecord, ValidationIssue } from '@cardanowall/poe-standard';
+import { g as VerifyReport, b as ExitCode, h as VerifyResolvedInput, i as VerifyTxInput, f as VerifyRecordSignature, c as Profile, k as VerifyTxSummary, l as VerifyTxWitness } from '../types-Cexm4VH9.cjs';
+export { C as ContentCheck, D as DecryptionCredential, a as DecryptionOutcome, E as EXIT_CODE_FOR_VERDICT, I as ItemReportEntry, M as MerkleReportEntry, P as PROFILE_RANK, S as SignatureFailureReason, d as SignatureVerdict, e as SignerType, V as Verdict, j as VerifyTxOutput } from '../types-Cexm4VH9.cjs';
+import { ValidationIssue, ErrorCode, Severity, PoeRecord } from '@cardanowall/poe-standard';
 export { ValidationIssue } from '@cardanowall/poe-standard';
+import { F as FetchOutbound } from '../fetch-outbound-dOK3ZxYa.cjs';
+export { B as BodyTooLargeError, D as DEFAULT_OUTBOUND_MAX_BYTES, a as DENY_HOSTS_DEFAULT, b as DenyHostError, c as FetchOutboundOptions, d as FetchOutboundResult, H as HttpCallRecord, O as OutboundExhaustedError, R as RetryConfig, U as UnsupportedMethodError, g as UnsupportedProtocolError, W as WrapFetchOutboundConfig, h as defaultFetchOutbound, i as fetchOutbound, j as isBodyTooLargeError, k as isDenyHostError, w as wrapFetchOutbound } from '../fetch-outbound-dOK3ZxYa.cjs';
 
 declare const CONFIRMATION_DEPTH_THRESHOLD_DEFAULT = 15;
 declare function verifyTx(input: VerifyTxInput): Promise<VerifyReport>;
 /**
- * `verifyResolved` — same pipeline as `verifyTx` starting from step 3
- * (structural validator). The caller has already resolved the label-309
- * metadata bytes + block-info tuple from somewhere other than a live chain
- * fetch (typically an indexer database mirror).
- *
- * Use this when you trust an upstream indexer for the (metadataCbor,
- * blockTime, blockSlot, numConfirmations) tuple and want to skip the
- * /tx_cbor + /tx_info round-trip. The caller is responsible for the
- * confidence that the supplied bytes actually came from the label-309
- * metadata field of a confirmed Cardano transaction.
+ * Sibling entry point: run the pipeline from the structural-validator step
+ * onward over caller-supplied label-309 record-body bytes plus an
+ * explorer-asserted block-info tuple — the path a server-rendered viewer uses
+ * to display on-chain data without a render-time chain fetch. The caller is
+ * responsible for the confidence that the bytes came from the label-309
+ * metadata of a real Cardano transaction.
  */
-declare function verifyResolved(input: {
-    txHash: string;
-    metadataCbor: Uint8Array;
-    txCbor?: Uint8Array;
-    numConfirmations: number;
-    blockTime?: number;
-    blockSlot?: number;
-    network?: VerifyReport['network'];
-    cardanoNetwork?: VerifyTxInput['cardanoNetwork'];
-    profile?: Profile;
-    confirmationDepthThreshold?: number;
-    fetchOutbound?: FetchOutbound;
-    denyHosts?: ReadonlyArray<string>;
-    decryption?: VerifyTxInput['decryption'];
-    verifyMerkle?: boolean;
-}): Promise<VerifyReport>;
+declare function verifyResolved(input: VerifyResolvedInput): Promise<VerifyReport>;
 declare function exitCodeForVerdict(report: VerifyReport): ExitCode;
 
-interface VerifyRecordSignaturesArgs {
-    readonly record: PoeRecord;
-    readonly input: VerifyTxInput;
-}
-declare function verifyRecordSignatures(args: VerifyRecordSignaturesArgs): Promise<VerifyRecordSignature[]>;
-
-interface TryDecryptionsArgs {
-    readonly record: PoeRecord;
-    readonly input: VerifyTxInput;
-    readonly fetchFn: FetchOutbound;
-    readonly httpCalls: HttpCallRecord[];
-    readonly uriChecksOut: VerifyUriCheck[];
-    readonly allowUriFetch: boolean;
-}
-interface TryDecryptionsResult {
-    readonly results: VerifyItemDecryption[];
+type IssuePath = ReadonlyArray<string | number>;
+declare function issueOf(code: ErrorCode, path: IssuePath, message: string, severity?: Severity): ValidationIssue;
+declare function compareIssuePaths(a: IssuePath, b: IssuePath): number;
+declare function sortIssues(issues: ReadonlyArray<ValidationIssue>): ValidationIssue[];
+declare class IssueSink {
+    private readonly issues;
+    push(issue: ValidationIssue): void;
+    add(code: ErrorCode, path: IssuePath, message: string, severity?: Severity): void;
+    addOnce(code: ErrorCode, path: IssuePath, message: string, severity?: Severity): void;
+    pushAll(issues: ReadonlyArray<ValidationIssue>): void;
+    has(code: ErrorCode): boolean;
+    sorted(): ValidationIssue[];
 }
-declare function tryDecryptions(args: TryDecryptionsArgs): Promise<TryDecryptionsResult>;
 
-interface VerifyMerkleArgs {
+interface VerifyRecordSignaturesArgs {
     readonly record: PoeRecord;
-    readonly input: VerifyTxInput;
-    readonly fetchFn: FetchOutbound;
-    readonly uriChecksOut: VerifyUriCheck[];
+    readonly cardanoNetwork: 'mainnet' | 'preprod';
+    readonly issues: IssueSink;
 }
-interface VerifyMerkleResult {
-    readonly checks: VerifyMerkleCheck[];
-}
-declare function verifyMerkleCommitments(args: VerifyMerkleArgs): Promise<VerifyMerkleResult>;
+declare function verifyRecordSignatures(args: VerifyRecordSignaturesArgs): VerifyRecordSignature[];
 
 declare const DEFAULT_PROFILE: Profile;
 declare function profileImplements(actual: Profile, required: Profile): boolean;
@@ -74,70 +46,127 @@ interface ProfileSkipsResult {
     readonly verifySignatures: boolean;
     readonly verifyDecrypt: boolean;
 }
+/**
+ * Emit the minimum conformance profile a verifier MUST implement
+ * to read this record end-to-end. The profiles form a strict superset chain
+ * `core ⊂ signed ⊂ sealed ⊂ recipient-sealed`.
+ *
+ * The function classifies based on RECORD CONTENT only:
+ *   - `'core'`   — no signatures, no sealed items.
+ *   - `'signed'` — `record.sigs[]` is present, no sealed items.
+ *   - `'sealed'` — any `record.items[i].enc` is present (with or without sigs).
+ *
+ * The function does NOT return `'recipient-sealed'`: that profile is about
+ * VERIFIER CAPABILITY (whether the verifier decrypts with a recipient X25519
+ * key), not about record content. A separate helper is required if a caller
+ * needs to test whether a particular recipient key can unwrap any slot — see
+ * `@cardanowall/crypto-core/sealed-poe` for that pathway.
+ */
+declare function detectConformanceProfile(record: PoeRecord): 'core' | 'signed' | 'sealed';
 declare function planProfileSkips(profile: Profile, record: PoeRecord): ProfileSkipsResult;
 
-interface ResolvedTx {
-    readonly txCbor: Uint8Array;
-    readonly numConfirmations: number;
-    readonly blockTime: number;
-    readonly blockSlot: number;
-    readonly provider: 'koios' | 'blockfrost';
-    readonly providerUrl: string;
-}
-declare const KOIOS_MAINNET_URL = "https://api.koios.rest/api/v1";
-declare const BLOCKFROST_MAINNET_HOST = "https://cardano-mainnet.blockfrost.io/api/v0";
-declare class NotALabel309RecordError extends Error {
-    readonly code: "METADATA_NOT_FOUND";
-    constructor(message: string);
-}
-declare function resolveCardanoTx(args: {
-    readonly input: VerifyTxInput;
-    readonly fetchFn: FetchOutbound;
-}): Promise<ResolvedTx>;
-declare function extractLabel309Metadata(txCbor: Uint8Array): Uint8Array | null;
-
 /**
  * Byte-faithful components of a Cardano transaction, located by walking the
  * tx CBOR without a decode-then-re-encode pass.
  *
- * `txBody` and `witnessSet` are EXACT on-chain byte slices: `blake2b256(txBody)`
- * equals the transaction hash, and the witness set decodes to the vkey
- * witnesses that authorised the transaction. The slices are produced by the
- * same position-aware walk that finds label 309, so they never round-trip
- * through a CBOR re-encoder.
- *
- * `label309` is the reassembled label-309 value (chunked-bytes concatenated;
- * see `reassembleLabel309Value`), `null` when auxiliary_data is null/undefined
- * or label 309 is absent. `auxMetadataLabels` is the ascending-sorted list of
- * every integer key in the auxiliary metadata map (`[]` when aux is null).
+ * Every field is an EXACT on-chain byte slice: `blake2b256(txBody)` equals the
+ * transaction id, `blake2b256(auxiliaryData)` equals the body's
+ * `auxiliary_data_hash`, and the witness set decodes to the vkey witnesses
+ * that authorised the transaction. `auxiliaryData` is `null` when the
+ * transaction carries none (CBOR null/undefined at the auxiliary-data
+ * position).
  */
 interface TxComponents {
-    readonly label309: Uint8Array | null;
     readonly txBody: Uint8Array;
     readonly witnessSet: Uint8Array;
-    readonly auxMetadataLabels: number[];
+    readonly auxiliaryData: Uint8Array | null;
 }
 /**
  * Walk the transaction CBOR once and return its byte-faithful components.
- *
- * Throws `RangeError("MALFORMED_CBOR: …")` on structural violations. The body
- * and witness-set slices are the producer's ORIGINAL bytes; `label309` carries
- * the same byte-faithful guarantee `sliceLabel309Value` documents (no
- * decode-then-re-encode, so non-canonical encodings reach the structural
- * validator unchanged).
+ * Accepts the four-element post-Alonzo shape `[body, witness_set, is_valid,
+ * auxiliary_data]` and the three-element pre-Alonzo shape
+ * `[body, witness_set, auxiliary_data]`. Throws
+ * `RangeError("MALFORMED_CBOR: …")` on structural violations.
  */
 declare function sliceTxComponents(txCbor: Uint8Array): TxComponents;
 /**
- * Extract the byte slice corresponding to the value under metadata label 309.
- * Returns `null` when auxiliary_data is null/undefined or when label 309 is
- * absent. Throws `RangeError("MALFORMED_CBOR: …")` on structural violations.
+ * The unwrapped view of one auxiliary-data value: the raw label-309 value
+ * bytes (the transport chunk array exactly as carried; `null` when the
+ * metadata carries no label-309 entry) plus the ascending-sorted list of
+ * every metadata label present.
+ */
+interface UnwrappedAuxiliaryData {
+    readonly label309: Uint8Array | null;
+    readonly metadataLabels: ReadonlyArray<number>;
+}
+/**
+ * Unwrap auxiliary-data bytes down to the label-309 value. All three
+ * Conway-era envelope forms are accepted, dispatching PURELY on the top-level
+ * CBOR type and tag:
+ *
+ *   * tag 259            → keyed map; the metadata map sits under integer key 0;
+ *   * untagged array     → the two-element `[ transaction_metadata,
+ *                          auxiliary_scripts ]` form; the metadata map is
+ *                          element 0;
+ *   * untagged map       → ALWAYS the metadata map itself.
  *
- * Returns the producer's ORIGINAL on-chain bytes — no decode-then-re-encode
- * pass. The structural validator MUST receive these bytes verbatim so
- * non-canonical encodings surface as `MALFORMED_CBOR` rather than being
- * silently laundered.
+ * Map keys are never inspected to guess the shape — a metadata map is keyed
+ * by integer labels, so any key-sniffing heuristic would silently mis-parse
+ * legitimate metadata (e.g. a metadata map whose only label is 0). Any other
+ * top-level shape, and any tag other than 259, throws
+ * `RangeError("MALFORMED_CBOR: …")`.
+ *
+ * A tag-259 map with no key 0, and a metadata map with no entry under label
+ * 309, are well-formed auxiliary data that simply carry no PoE record —
+ * `label309` is `null` and the caller emits METADATA_NOT_FOUND.
  */
-declare function sliceLabel309Value(txCbor: Uint8Array): Uint8Array | null;
+declare function unwrapAuxiliaryData(auxBytes: Uint8Array): UnwrappedAuxiliaryData;
+/**
+ * Read the transaction body's `auxiliary_data_hash` (body-map key 7) as an
+ * exact byte slice; `null` when the body carries no key 7. Throws
+ * `RangeError("MALFORMED_CBOR: …")` when the body is not a CBOR map.
+ */
+declare function auxiliaryDataHashFromTxBody(txBody: Uint8Array): Uint8Array | null;
+
+declare const KOIOS_MAINNET_URL = "https://api.koios.rest/api/v1";
+declare const BLOCKFROST_MAINNET_HOST = "https://cardano-mainnet.blockfrost.io/api/v0";
+interface ResolvedTx {
+    readonly txCbor: Uint8Array;
+    readonly components: TxComponents;
+    readonly confirmationDepth: number;
+    readonly blockTime: number;
+    readonly blockSlot: number;
+    readonly provider: 'koios' | 'blockfrost';
+    readonly providerUrl: string;
+}
+type ResolveFailureCode = 'TX_NOT_FOUND' | 'PROVIDER_UNAVAILABLE' | 'TX_INTEGRITY_MISMATCH';
+type ResolveOutcome = {
+    readonly ok: true;
+    readonly resolved: ResolvedTx;
+} | {
+    readonly ok: false;
+    readonly code: ResolveFailureCode;
+    readonly message: string;
+};
+declare function resolveCardanoTx(args: {
+    readonly txHash: string;
+    readonly cardanoGatewayChain?: ReadonlyArray<string> | undefined;
+    readonly blockfrostProjectId?: string | undefined;
+    readonly fetchFn: FetchOutbound;
+}): Promise<ResolveOutcome>;
+
+type TxBindingResult = {
+    readonly ok: true;
+} | {
+    readonly ok: false;
+    readonly check: 'tx_hash' | 'auxiliary_data_hash';
+    readonly message: string;
+};
+declare function bindTransactionBytes(args: {
+    readonly requestedTxHashHex: string;
+    readonly txBody: Uint8Array;
+    readonly auxiliaryData: Uint8Array | null;
+}): TxBindingResult;
 
 /**
  * Decode the vkey witnesses of a transaction and verify each signature against
@@ -161,16 +190,35 @@ declare function decodeTxWitnesses(witnessSetBytes: Uint8Array, txBodyBytes: Uin
  */
 declare function decodeTxSummary(txBodyBytes: Uint8Array, witnessSetBytes: Uint8Array, network: 'mainnet' | 'preprod'): VerifyTxSummary;
 
-interface FetchItemCiphertextArgs {
-    readonly uris: ReadonlyArray<ReadonlyArray<string>>;
-    readonly arweaveGateways?: ReadonlyArray<string> | undefined;
-    readonly ipfsGateways?: ReadonlyArray<string> | undefined;
-    readonly fetchFn: FetchOutbound;
-    readonly uriChecksOut: VerifyUriCheck[];
-    readonly itemIndex: number;
+interface ParsedCid {
+    readonly version: 0 | 1;
+    readonly codec: number;
+    readonly multihashCode: number;
+    readonly digest: Uint8Array;
 }
-declare function fetchItemCiphertext(args: FetchItemCiphertextArgs): Promise<Uint8Array>;
+/**
+ * Decode the authority component of an `ipfs://` URI into its CID fields.
+ * Returns `null` for anything outside the profile's multibase set or for
+ * undecodable input — callers treat that exactly like an unsupported binding.
+ */
+declare function parseCid(cid: string): ParsedCid | null;
+type CidBindingOutcome = 'verified' | 'failed' | 'unsupported';
+/**
+ * The minimum binding check: for a raw-codec CIDv1 with no path component,
+ * recompute the multihash directly over the fetched bytes and compare it to
+ * the CID's digest. Everything else — CIDv0, DAG codecs, a path component
+ * (which navigates a DAG the raw recompute cannot reproduce), an
+ * out-of-profile multihash — is `unsupported`: the bytes stay unattributed
+ * and a mismatch indicts the provider, never the record.
+ */
+declare function verifyIpfsCidBinding(args: {
+    readonly cid: string;
+    readonly path: string;
+    readonly bytes: Uint8Array;
+}): CidBindingOutcome;
+
+declare const ARWEAVE_GATEWAY_DEFAULTS: ReadonlyArray<string>;
 
 declare function verifyReportToDict(report: VerifyReport): Record<string, unknown>;
 
-export { BLOCKFROST_MAINNET_HOST, CONFIRMATION_DEPTH_THRESHOLD_DEFAULT, DEFAULT_PROFILE, ExitCode, FetchOutbound, HttpCallRecord, KOIOS_MAINNET_URL, NotALabel309RecordError, Profile, type ResolvedTx, type TxComponents, VerifyItemDecryption, VerifyMerkleCheck, VerifyRecordSignature, VerifyReport, VerifyTxInput, VerifyTxSummary, VerifyTxWitness, VerifyUriCheck, decodeTxSummary, decodeTxWitnesses, exitCodeForVerdict, extractLabel309Metadata, fetchItemCiphertext, planProfileSkips, profileImplements, resolveCardanoTx, sliceLabel309Value, sliceTxComponents, tryDecryptions, verifyMerkleCommitments, verifyRecordSignatures, verifyReportToDict, verifyResolved, verifyTx };
+export { ARWEAVE_GATEWAY_DEFAULTS, BLOCKFROST_MAINNET_HOST, CONFIRMATION_DEPTH_THRESHOLD_DEFAULT, type CidBindingOutcome, DEFAULT_PROFILE, ExitCode, FetchOutbound, type IssuePath, IssueSink, KOIOS_MAINNET_URL, type ParsedCid, Profile, type ResolveFailureCode, type ResolveOutcome, type ResolvedTx, type TxBindingResult, type TxComponents, type UnwrappedAuxiliaryData, VerifyRecordSignature, VerifyReport, VerifyResolvedInput, VerifyTxInput, VerifyTxSummary, VerifyTxWitness, auxiliaryDataHashFromTxBody, bindTransactionBytes, compareIssuePaths, decodeTxSummary, decodeTxWitnesses, detectConformanceProfile, exitCodeForVerdict, issueOf, parseCid, planProfileSkips, profileImplements, resolveCardanoTx, sliceTxComponents, sortIssues, unwrapAuxiliaryData, verifyIpfsCidBinding, verifyRecordSignatures, verifyReportToDict, verifyResolved, verifyTx };

package/dist/verifier/index.d.ts

@@ -1,71 +1,43 @@
-import { g as VerifyReport, E as ExitCode, h as VerifyTxInput, a as Profile, f as VerifyRecordSignature, l as VerifyUriCheck, d as VerifyItemDecryption, e as VerifyMerkleCheck, j as VerifyTxSummary, k as VerifyTxWitness } from '../types-B8Q3gW54.js';
-export { D as DecryptionVerdict, I as ItemHashCheck, M as MerkleVerdict, N as Network, P as PROFILE_RANK, S as SignatureFailureReason, b as SignatureVerdict, c as SignerType, V as Verdict, i as VerifyTxOutput } from '../types-B8Q3gW54.js';
-import { F as FetchOutbound, H as HttpCallRecord } from '../fetch-outbound-BT5-NiYN.js';
-export { B as BodyTooLargeError, D as DEFAULT_OUTBOUND_MAX_BYTES, a as DENY_HOSTS_DEFAULT, b as DenyHostError, c as FetchOutboundOptions, d as FetchOutboundResult, O as OutboundExhaustedError, R as RetryConfig, U as UnsupportedMethodError, g as UnsupportedProtocolError, W as WrapFetchOutboundConfig, h as defaultFetchOutbound, i as fetchOutbound, w as wrapFetchOutbound } from '../fetch-outbound-BT5-NiYN.js';
-import { PoeRecord, ValidationIssue } from '@cardanowall/poe-standard';
+import { g as VerifyReport, b as ExitCode, h as VerifyResolvedInput, i as VerifyTxInput, f as VerifyRecordSignature, c as Profile, k as VerifyTxSummary, l as VerifyTxWitness } from '../types-CgoBub9J.js';
+export { C as ContentCheck, D as DecryptionCredential, a as DecryptionOutcome, E as EXIT_CODE_FOR_VERDICT, I as ItemReportEntry, M as MerkleReportEntry, P as PROFILE_RANK, S as SignatureFailureReason, d as SignatureVerdict, e as SignerType, V as Verdict, j as VerifyTxOutput } from '../types-CgoBub9J.js';
+import { ValidationIssue, ErrorCode, Severity, PoeRecord } from '@cardanowall/poe-standard';
 export { ValidationIssue } from '@cardanowall/poe-standard';
+import { F as FetchOutbound } from '../fetch-outbound-dOK3ZxYa.js';
+export { B as BodyTooLargeError, D as DEFAULT_OUTBOUND_MAX_BYTES, a as DENY_HOSTS_DEFAULT, b as DenyHostError, c as FetchOutboundOptions, d as FetchOutboundResult, H as HttpCallRecord, O as OutboundExhaustedError, R as RetryConfig, U as UnsupportedMethodError, g as UnsupportedProtocolError, W as WrapFetchOutboundConfig, h as defaultFetchOutbound, i as fetchOutbound, j as isBodyTooLargeError, k as isDenyHostError, w as wrapFetchOutbound } from '../fetch-outbound-dOK3ZxYa.js';
 
 declare const CONFIRMATION_DEPTH_THRESHOLD_DEFAULT = 15;
 declare function verifyTx(input: VerifyTxInput): Promise<VerifyReport>;
 /**
- * `verifyResolved` — same pipeline as `verifyTx` starting from step 3
- * (structural validator). The caller has already resolved the label-309
- * metadata bytes + block-info tuple from somewhere other than a live chain
- * fetch (typically an indexer database mirror).
- *
- * Use this when you trust an upstream indexer for the (metadataCbor,
- * blockTime, blockSlot, numConfirmations) tuple and want to skip the
- * /tx_cbor + /tx_info round-trip. The caller is responsible for the
- * confidence that the supplied bytes actually came from the label-309
- * metadata field of a confirmed Cardano transaction.
+ * Sibling entry point: run the pipeline from the structural-validator step
+ * onward over caller-supplied label-309 record-body bytes plus an
+ * explorer-asserted block-info tuple — the path a server-rendered viewer uses
+ * to display on-chain data without a render-time chain fetch. The caller is
+ * responsible for the confidence that the bytes came from the label-309
+ * metadata of a real Cardano transaction.
  */
-declare function verifyResolved(input: {
-    txHash: string;
-    metadataCbor: Uint8Array;
-    txCbor?: Uint8Array;
-    numConfirmations: number;
-    blockTime?: number;
-    blockSlot?: number;
-    network?: VerifyReport['network'];
-    cardanoNetwork?: VerifyTxInput['cardanoNetwork'];
-    profile?: Profile;
-    confirmationDepthThreshold?: number;
-    fetchOutbound?: FetchOutbound;
-    denyHosts?: ReadonlyArray<string>;
-    decryption?: VerifyTxInput['decryption'];
-    verifyMerkle?: boolean;
-}): Promise<VerifyReport>;
+declare function verifyResolved(input: VerifyResolvedInput): Promise<VerifyReport>;
 declare function exitCodeForVerdict(report: VerifyReport): ExitCode;
 
-interface VerifyRecordSignaturesArgs {
-    readonly record: PoeRecord;
-    readonly input: VerifyTxInput;
-}
-declare function verifyRecordSignatures(args: VerifyRecordSignaturesArgs): Promise<VerifyRecordSignature[]>;
-
-interface TryDecryptionsArgs {
-    readonly record: PoeRecord;
-    readonly input: VerifyTxInput;
-    readonly fetchFn: FetchOutbound;
-    readonly httpCalls: HttpCallRecord[];
-    readonly uriChecksOut: VerifyUriCheck[];
-    readonly allowUriFetch: boolean;
-}
-interface TryDecryptionsResult {
-    readonly results: VerifyItemDecryption[];
+type IssuePath = ReadonlyArray<string | number>;
+declare function issueOf(code: ErrorCode, path: IssuePath, message: string, severity?: Severity): ValidationIssue;
+declare function compareIssuePaths(a: IssuePath, b: IssuePath): number;
+declare function sortIssues(issues: ReadonlyArray<ValidationIssue>): ValidationIssue[];
+declare class IssueSink {
+    private readonly issues;
+    push(issue: ValidationIssue): void;
+    add(code: ErrorCode, path: IssuePath, message: string, severity?: Severity): void;
+    addOnce(code: ErrorCode, path: IssuePath, message: string, severity?: Severity): void;
+    pushAll(issues: ReadonlyArray<ValidationIssue>): void;
+    has(code: ErrorCode): boolean;
+    sorted(): ValidationIssue[];
 }
-declare function tryDecryptions(args: TryDecryptionsArgs): Promise<TryDecryptionsResult>;
 
-interface VerifyMerkleArgs {
+interface VerifyRecordSignaturesArgs {
     readonly record: PoeRecord;
-    readonly input: VerifyTxInput;
-    readonly fetchFn: FetchOutbound;
-    readonly uriChecksOut: VerifyUriCheck[];
+    readonly cardanoNetwork: 'mainnet' | 'preprod';
+    readonly issues: IssueSink;
 }
-interface VerifyMerkleResult {
-    readonly checks: VerifyMerkleCheck[];
-}
-declare function verifyMerkleCommitments(args: VerifyMerkleArgs): Promise<VerifyMerkleResult>;
+declare function verifyRecordSignatures(args: VerifyRecordSignaturesArgs): VerifyRecordSignature[];
 
 declare const DEFAULT_PROFILE: Profile;
 declare function profileImplements(actual: Profile, required: Profile): boolean;
@@ -74,70 +46,127 @@ interface ProfileSkipsResult {
     readonly verifySignatures: boolean;
     readonly verifyDecrypt: boolean;
 }
+/**
+ * Emit the minimum conformance profile a verifier MUST implement
+ * to read this record end-to-end. The profiles form a strict superset chain
+ * `core ⊂ signed ⊂ sealed ⊂ recipient-sealed`.
+ *
+ * The function classifies based on RECORD CONTENT only:
+ *   - `'core'`   — no signatures, no sealed items.
+ *   - `'signed'` — `record.sigs[]` is present, no sealed items.
+ *   - `'sealed'` — any `record.items[i].enc` is present (with or without sigs).
+ *
+ * The function does NOT return `'recipient-sealed'`: that profile is about
+ * VERIFIER CAPABILITY (whether the verifier decrypts with a recipient X25519
+ * key), not about record content. A separate helper is required if a caller
+ * needs to test whether a particular recipient key can unwrap any slot — see
+ * `@cardanowall/crypto-core/sealed-poe` for that pathway.
+ */
+declare function detectConformanceProfile(record: PoeRecord): 'core' | 'signed' | 'sealed';
 declare function planProfileSkips(profile: Profile, record: PoeRecord): ProfileSkipsResult;
 
-interface ResolvedTx {
-    readonly txCbor: Uint8Array;
-    readonly numConfirmations: number;
-    readonly blockTime: number;
-    readonly blockSlot: number;
-    readonly provider: 'koios' | 'blockfrost';
-    readonly providerUrl: string;
-}
-declare const KOIOS_MAINNET_URL = "https://api.koios.rest/api/v1";
-declare const BLOCKFROST_MAINNET_HOST = "https://cardano-mainnet.blockfrost.io/api/v0";
-declare class NotALabel309RecordError extends Error {
-    readonly code: "METADATA_NOT_FOUND";
-    constructor(message: string);
-}
-declare function resolveCardanoTx(args: {
-    readonly input: VerifyTxInput;
-    readonly fetchFn: FetchOutbound;
-}): Promise<ResolvedTx>;
-declare function extractLabel309Metadata(txCbor: Uint8Array): Uint8Array | null;
-
 /**
  * Byte-faithful components of a Cardano transaction, located by walking the
  * tx CBOR without a decode-then-re-encode pass.
  *
- * `txBody` and `witnessSet` are EXACT on-chain byte slices: `blake2b256(txBody)`
- * equals the transaction hash, and the witness set decodes to the vkey
- * witnesses that authorised the transaction. The slices are produced by the
- * same position-aware walk that finds label 309, so they never round-trip
- * through a CBOR re-encoder.
- *
- * `label309` is the reassembled label-309 value (chunked-bytes concatenated;
- * see `reassembleLabel309Value`), `null` when auxiliary_data is null/undefined
- * or label 309 is absent. `auxMetadataLabels` is the ascending-sorted list of
- * every integer key in the auxiliary metadata map (`[]` when aux is null).
+ * Every field is an EXACT on-chain byte slice: `blake2b256(txBody)` equals the
+ * transaction id, `blake2b256(auxiliaryData)` equals the body's
+ * `auxiliary_data_hash`, and the witness set decodes to the vkey witnesses
+ * that authorised the transaction. `auxiliaryData` is `null` when the
+ * transaction carries none (CBOR null/undefined at the auxiliary-data
+ * position).
  */
 interface TxComponents {
-    readonly label309: Uint8Array | null;
     readonly txBody: Uint8Array;
     readonly witnessSet: Uint8Array;
-    readonly auxMetadataLabels: number[];
+    readonly auxiliaryData: Uint8Array | null;
 }
 /**
  * Walk the transaction CBOR once and return its byte-faithful components.
- *
- * Throws `RangeError("MALFORMED_CBOR: …")` on structural violations. The body
- * and witness-set slices are the producer's ORIGINAL bytes; `label309` carries
- * the same byte-faithful guarantee `sliceLabel309Value` documents (no
- * decode-then-re-encode, so non-canonical encodings reach the structural
- * validator unchanged).
+ * Accepts the four-element post-Alonzo shape `[body, witness_set, is_valid,
+ * auxiliary_data]` and the three-element pre-Alonzo shape
+ * `[body, witness_set, auxiliary_data]`. Throws
+ * `RangeError("MALFORMED_CBOR: …")` on structural violations.
  */
 declare function sliceTxComponents(txCbor: Uint8Array): TxComponents;
 /**
- * Extract the byte slice corresponding to the value under metadata label 309.
- * Returns `null` when auxiliary_data is null/undefined or when label 309 is
- * absent. Throws `RangeError("MALFORMED_CBOR: …")` on structural violations.
+ * The unwrapped view of one auxiliary-data value: the raw label-309 value
+ * bytes (the transport chunk array exactly as carried; `null` when the
+ * metadata carries no label-309 entry) plus the ascending-sorted list of
+ * every metadata label present.
+ */
+interface UnwrappedAuxiliaryData {
+    readonly label309: Uint8Array | null;
+    readonly metadataLabels: ReadonlyArray<number>;
+}
+/**
+ * Unwrap auxiliary-data bytes down to the label-309 value. All three
+ * Conway-era envelope forms are accepted, dispatching PURELY on the top-level
+ * CBOR type and tag:
+ *
+ *   * tag 259            → keyed map; the metadata map sits under integer key 0;
+ *   * untagged array     → the two-element `[ transaction_metadata,
+ *                          auxiliary_scripts ]` form; the metadata map is
+ *                          element 0;
+ *   * untagged map       → ALWAYS the metadata map itself.
  *
- * Returns the producer's ORIGINAL on-chain bytes — no decode-then-re-encode
- * pass. The structural validator MUST receive these bytes verbatim so
- * non-canonical encodings surface as `MALFORMED_CBOR` rather than being
- * silently laundered.
+ * Map keys are never inspected to guess the shape — a metadata map is keyed
+ * by integer labels, so any key-sniffing heuristic would silently mis-parse
+ * legitimate metadata (e.g. a metadata map whose only label is 0). Any other
+ * top-level shape, and any tag other than 259, throws
+ * `RangeError("MALFORMED_CBOR: …")`.
+ *
+ * A tag-259 map with no key 0, and a metadata map with no entry under label
+ * 309, are well-formed auxiliary data that simply carry no PoE record —
+ * `label309` is `null` and the caller emits METADATA_NOT_FOUND.
  */
-declare function sliceLabel309Value(txCbor: Uint8Array): Uint8Array | null;
+declare function unwrapAuxiliaryData(auxBytes: Uint8Array): UnwrappedAuxiliaryData;
+/**
+ * Read the transaction body's `auxiliary_data_hash` (body-map key 7) as an
+ * exact byte slice; `null` when the body carries no key 7. Throws
+ * `RangeError("MALFORMED_CBOR: …")` when the body is not a CBOR map.
+ */
+declare function auxiliaryDataHashFromTxBody(txBody: Uint8Array): Uint8Array | null;
+
+declare const KOIOS_MAINNET_URL = "https://api.koios.rest/api/v1";
+declare const BLOCKFROST_MAINNET_HOST = "https://cardano-mainnet.blockfrost.io/api/v0";
+interface ResolvedTx {
+    readonly txCbor: Uint8Array;
+    readonly components: TxComponents;
+    readonly confirmationDepth: number;
+    readonly blockTime: number;
+    readonly blockSlot: number;
+    readonly provider: 'koios' | 'blockfrost';
+    readonly providerUrl: string;
+}
+type ResolveFailureCode = 'TX_NOT_FOUND' | 'PROVIDER_UNAVAILABLE' | 'TX_INTEGRITY_MISMATCH';
+type ResolveOutcome = {
+    readonly ok: true;
+    readonly resolved: ResolvedTx;
+} | {
+    readonly ok: false;
+    readonly code: ResolveFailureCode;
+    readonly message: string;
+};
+declare function resolveCardanoTx(args: {
+    readonly txHash: string;
+    readonly cardanoGatewayChain?: ReadonlyArray<string> | undefined;
+    readonly blockfrostProjectId?: string | undefined;
+    readonly fetchFn: FetchOutbound;
+}): Promise<ResolveOutcome>;
+
+type TxBindingResult = {
+    readonly ok: true;
+} | {
+    readonly ok: false;
+    readonly check: 'tx_hash' | 'auxiliary_data_hash';
+    readonly message: string;
+};
+declare function bindTransactionBytes(args: {
+    readonly requestedTxHashHex: string;
+    readonly txBody: Uint8Array;
+    readonly auxiliaryData: Uint8Array | null;
+}): TxBindingResult;
 
 /**
  * Decode the vkey witnesses of a transaction and verify each signature against
@@ -161,16 +190,35 @@ declare function decodeTxWitnesses(witnessSetBytes: Uint8Array, txBodyBytes: Uin
  */
 declare function decodeTxSummary(txBodyBytes: Uint8Array, witnessSetBytes: Uint8Array, network: 'mainnet' | 'preprod'): VerifyTxSummary;
 
-interface FetchItemCiphertextArgs {
-    readonly uris: ReadonlyArray<ReadonlyArray<string>>;
-    readonly arweaveGateways?: ReadonlyArray<string> | undefined;
-    readonly ipfsGateways?: ReadonlyArray<string> | undefined;
-    readonly fetchFn: FetchOutbound;
-    readonly uriChecksOut: VerifyUriCheck[];
-    readonly itemIndex: number;
+interface ParsedCid {
+    readonly version: 0 | 1;
+    readonly codec: number;
+    readonly multihashCode: number;
+    readonly digest: Uint8Array;
 }
-declare function fetchItemCiphertext(args: FetchItemCiphertextArgs): Promise<Uint8Array>;
+/**
+ * Decode the authority component of an `ipfs://` URI into its CID fields.
+ * Returns `null` for anything outside the profile's multibase set or for
+ * undecodable input — callers treat that exactly like an unsupported binding.
+ */
+declare function parseCid(cid: string): ParsedCid | null;
+type CidBindingOutcome = 'verified' | 'failed' | 'unsupported';
+/**
+ * The minimum binding check: for a raw-codec CIDv1 with no path component,
+ * recompute the multihash directly over the fetched bytes and compare it to
+ * the CID's digest. Everything else — CIDv0, DAG codecs, a path component
+ * (which navigates a DAG the raw recompute cannot reproduce), an
+ * out-of-profile multihash — is `unsupported`: the bytes stay unattributed
+ * and a mismatch indicts the provider, never the record.
+ */
+declare function verifyIpfsCidBinding(args: {
+    readonly cid: string;
+    readonly path: string;
+    readonly bytes: Uint8Array;
+}): CidBindingOutcome;
+
+declare const ARWEAVE_GATEWAY_DEFAULTS: ReadonlyArray<string>;
 
 declare function verifyReportToDict(report: VerifyReport): Record<string, unknown>;
 
-export { BLOCKFROST_MAINNET_HOST, CONFIRMATION_DEPTH_THRESHOLD_DEFAULT, DEFAULT_PROFILE, ExitCode, FetchOutbound, HttpCallRecord, KOIOS_MAINNET_URL, NotALabel309RecordError, Profile, type ResolvedTx, type TxComponents, VerifyItemDecryption, VerifyMerkleCheck, VerifyRecordSignature, VerifyReport, VerifyTxInput, VerifyTxSummary, VerifyTxWitness, VerifyUriCheck, decodeTxSummary, decodeTxWitnesses, exitCodeForVerdict, extractLabel309Metadata, fetchItemCiphertext, planProfileSkips, profileImplements, resolveCardanoTx, sliceLabel309Value, sliceTxComponents, tryDecryptions, verifyMerkleCommitments, verifyRecordSignatures, verifyReportToDict, verifyResolved, verifyTx };
+export { ARWEAVE_GATEWAY_DEFAULTS, BLOCKFROST_MAINNET_HOST, CONFIRMATION_DEPTH_THRESHOLD_DEFAULT, type CidBindingOutcome, DEFAULT_PROFILE, ExitCode, FetchOutbound, type IssuePath, IssueSink, KOIOS_MAINNET_URL, type ParsedCid, Profile, type ResolveFailureCode, type ResolveOutcome, type ResolvedTx, type TxBindingResult, type TxComponents, type UnwrappedAuxiliaryData, VerifyRecordSignature, VerifyReport, VerifyResolvedInput, VerifyTxInput, VerifyTxSummary, VerifyTxWitness, auxiliaryDataHashFromTxBody, bindTransactionBytes, compareIssuePaths, decodeTxSummary, decodeTxWitnesses, detectConformanceProfile, exitCodeForVerdict, issueOf, parseCid, planProfileSkips, profileImplements, resolveCardanoTx, sliceTxComponents, sortIssues, unwrapAuxiliaryData, verifyIpfsCidBinding, verifyRecordSignatures, verifyReportToDict, verifyResolved, verifyTx };