@cinchor/sdk 0.1.0

package/dist/index.js

@@ -0,0 +1,755 @@
+// src/capability-registry.ts
+import {
+  OmneClient,
+  OmneContract,
+  AbiEncode,
+  encodeContractCall
+} from "@omne/sdk";
+
+// src/address.ts
+import { bech32m } from "@scure/base";
+import { ArgType } from "@omne/sdk";
+var ADDRESS_HRP = "om";
+var WITNESS_VERSION = 2;
+function decodeAddress(address) {
+  const { prefix, words } = bech32m.decode(address);
+  if (prefix !== ADDRESS_HRP) {
+    throw new Error(`Invalid address HRP: expected "${ADDRESS_HRP}", got "${prefix}"`);
+  }
+  if (words[0] !== WITNESS_VERSION) {
+    throw new Error(`Invalid witness version: expected ${WITNESS_VERSION}, got ${words[0]}`);
+  }
+  return new Uint8Array(bech32m.fromWords(Array.from(words.slice(1))));
+}
+function encodeAddress(payload) {
+  if (payload.length !== 32) {
+    throw new Error(`Address payload must be 32 bytes, got ${payload.length}`);
+  }
+  const dataWords = bech32m.toWords(payload);
+  const words = new Uint8Array(dataWords.length + 1);
+  words[0] = WITNESS_VERSION;
+  words.set(dataWords, 1);
+  return bech32m.encode(ADDRESS_HRP, words);
+}
+function addressArg(address) {
+  return { type: ArgType.Address, data: decodeAddress(address) };
+}
+async function sha256(bytes) {
+  const ab = new ArrayBuffer(bytes.byteLength);
+  new Uint8Array(ab).set(bytes);
+  return new Uint8Array(await crypto.subtle.digest("SHA-256", ab));
+}
+function u64be(value) {
+  const b = new Uint8Array(8);
+  new DataView(b.buffer).setBigUint64(0, BigInt(value), false);
+  return b;
+}
+function concat(...parts) {
+  const total = parts.reduce((n, p) => n + p.length, 0);
+  const out = new Uint8Array(total);
+  let off = 0;
+  for (const p of parts) {
+    out.set(p, off);
+    off += p.length;
+  }
+  return out;
+}
+async function deriveCapabilityId(principal, agent, nonce, createdAt) {
+  const preimage = concat(
+    decodeAddress(principal),
+    decodeAddress(agent),
+    u64be(nonce),
+    u64be(createdAt)
+  );
+  return encodeAddress(await sha256(preimage));
+}
+async function counterpartyKey(capabilityId, counterparty) {
+  const preimage = concat(decodeAddress(capabilityId), decodeAddress(counterparty));
+  return encodeAddress(await sha256(preimage));
+}
+
+// src/config.ts
+function exportPrefixFor(contract) {
+  return contract.exportPrefix ?? `axiom_contract::${contract.name}::`;
+}
+var DEFAULT_GAS_LIMIT = 2e5;
+var DEFAULT_GAS_PRICE = "5000";
+var BURN_SENTINEL = "om1zmm0dahk7mm0dahk7mm0dahk7mm0dahk7mm0dahk7mm0dahk7mm0qdtuxap";
+var IGNIS_LOCAL = {
+  name: "ignis",
+  chainId: 3,
+  rpcUrl: "http://127.0.0.1:26657"
+};
+
+// src/types.ts
+var CapabilityStatus = /* @__PURE__ */ ((CapabilityStatus3) => {
+  CapabilityStatus3[CapabilityStatus3["NotFound"] = 0] = "NotFound";
+  CapabilityStatus3[CapabilityStatus3["Active"] = 1] = "Active";
+  CapabilityStatus3[CapabilityStatus3["Revoked"] = 2] = "Revoked";
+  return CapabilityStatus3;
+})(CapabilityStatus || {});
+var CAPABILITY_STATUS_LABELS = [
+  "not_found",
+  "active",
+  "revoked"
+];
+var EnforcementCode = /* @__PURE__ */ ((EnforcementCode2) => {
+  EnforcementCode2[EnforcementCode2["NotFound"] = 0] = "NotFound";
+  EnforcementCode2[EnforcementCode2["Allowed"] = 1] = "Allowed";
+  EnforcementCode2[EnforcementCode2["Revoked"] = 2] = "Revoked";
+  EnforcementCode2[EnforcementCode2["Expired"] = 3] = "Expired";
+  EnforcementCode2[EnforcementCode2["OverBudget"] = 4] = "OverBudget";
+  EnforcementCode2[EnforcementCode2["OutOfAllowlist"] = 5] = "OutOfAllowlist";
+  return EnforcementCode2;
+})(EnforcementCode || {});
+var ENFORCEMENT_LABELS = {
+  [0 /* NotFound */]: "not_found",
+  [1 /* Allowed */]: "allowed",
+  [2 /* Revoked */]: "revoked",
+  [3 /* Expired */]: "expired",
+  [4 /* OverBudget */]: "over_budget",
+  [5 /* OutOfAllowlist */]: "out_of_allowlist"
+};
+var Verdict = /* @__PURE__ */ ((Verdict2) => {
+  Verdict2[Verdict2["InPolicy"] = 1] = "InPolicy";
+  Verdict2[Verdict2["OutOfPolicy"] = 2] = "OutOfPolicy";
+  return Verdict2;
+})(Verdict || {});
+
+// src/capability-registry.ts
+function toBigInt(v) {
+  return BigInt(v ?? 0);
+}
+function toNumber(v) {
+  return Number(v ?? 0);
+}
+var CapabilityRegistry = class _CapabilityRegistry {
+  contract;
+  rpcUrl;
+  chainId;
+  contractAddress;
+  exportPrefix;
+  defaultGasLimit;
+  defaultGasPrice;
+  /** Per-signer next-nonce cache (see {@link sendSigned} for node nonce semantics). */
+  nonces = /* @__PURE__ */ new Map();
+  constructor(contract, config) {
+    this.contract = contract;
+    this.rpcUrl = config.network.rpcUrl;
+    this.chainId = config.network.chainId;
+    this.contractAddress = config.contract.address;
+    this.exportPrefix = exportPrefixFor(config.contract);
+    this.defaultGasLimit = config.defaultGasLimit ?? DEFAULT_GAS_LIMIT;
+    this.defaultGasPrice = config.defaultGasPrice ?? DEFAULT_GAS_PRICE;
+  }
+  static async connect(config) {
+    const client = new OmneClient(config.network.rpcUrl);
+    await client.connect();
+    const contract = new OmneContract(client, config.contract.address);
+    return new _CapabilityRegistry(contract, config);
+  }
+  fn(name) {
+    return this.exportPrefix + name;
+  }
+  /** A single, non-retrying JSON-RPC POST. */
+  async rpc(method, params) {
+    const resp = await fetch(this.rpcUrl, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ jsonrpc: "2.0", method, params, id: 1 })
+    });
+    if (!resp.ok) {
+      throw new Error(`${method} HTTP ${resp.status}: ${await resp.text()}`);
+    }
+    const json = await resp.json();
+    if (json.error) throw new Error(`${method} rejected: ${json.error.message ?? "unknown"}`);
+    return json.result;
+  }
+  // ── Write path ──────────────────────────────────────────────────
+  /**
+   * Build, SIGN, and submit a state-changing contract call. The Omne node
+   * mandates a valid ML-DSA-44 signature on every transaction; we encode the
+   * call data, build the transaction, sign it with the role's signer (chainId
+   * 3 = Ignis), and submit via a single raw JSON-RPC POST. The submitter
+   * ("from") must equal the signer's om1z address — the node re-derives the PQC
+   * address from the public key and checks it matches.
+   */
+  async sendSigned(signer, method, args, gasLimit = this.defaultGasLimit) {
+    const data = encodeContractCall(this.fn(method), args);
+    let nonce = this.nonces.get(signer.address);
+    if (nonce === void 0) nonce = await this.fetchNonce(signer.address);
+    for (let attempt = 0; attempt < 2; attempt++) {
+      const wire = this.buildSignedWire(signer, data, nonce, gasLimit);
+      const res = await this.submitOnce(wire);
+      if (res.status === "ok" || res.status === "duplicate") {
+        this.nonces.set(signer.address, nonce + 1);
+        return this.pollReceipt(res.txHash);
+      }
+      const fresh = await this.fetchNonce(signer.address);
+      if (attempt === 0 && fresh > nonce) {
+        nonce = fresh;
+        this.nonces.set(signer.address, fresh);
+        continue;
+      }
+      throw new Error(
+        `transaction rejected nonce ${nonce} as too low; node reports ${fresh} (cannot recover)`
+      );
+    }
+    throw new Error("sendSigned: exhausted submit attempts");
+  }
+  /** Fetch the signer's next nonce from the node (0 on this devnet). */
+  async fetchNonce(address) {
+    try {
+      const n = await this.rpc("omne_getNonce", [address]);
+      return Number(n ?? 0);
+    } catch {
+      const acct = await this.rpc("omne_getAccount", [address]);
+      return Number(acct?.nonce ?? 0);
+    }
+  }
+  /**
+   * Build a signed wire payload for a contract call at a given nonce, validating
+   * the ML-DSA-44 signature/pubkey/chainId lengths locally before submit so a
+   * malformed signed object fails fast here, not at the node.
+   */
+  buildSignedWire(signer, data, nonce, gasLimit) {
+    const tx = {
+      from: signer.address,
+      to: this.contractAddress,
+      value: "0",
+      gasLimit,
+      gasPrice: this.defaultGasPrice,
+      nonce,
+      data,
+      chainId: this.chainId
+    };
+    const signed = signer.signTransaction(tx, { chainId: this.chainId });
+    if (typeof signed.signature !== "string" || !/^[0-9a-f]{4840}$/i.test(signed.signature)) {
+      throw new Error(
+        `signTransaction produced an invalid ML-DSA-44 signature (expected 4840 hex chars, got ${signed.signature?.length ?? 0})`
+      );
+    }
+    if (typeof signed.publicKey !== "string" || !/^[0-9a-f]{2624}$/i.test(signed.publicKey)) {
+      throw new Error(
+        `signTransaction produced an invalid ML-DSA-44 public key (expected 2624 hex chars, got ${signed.publicKey?.length ?? 0})`
+      );
+    }
+    if (!Number.isInteger(signed.chainId) || signed.chainId < 0) {
+      throw new Error(`signed tx carries an invalid chainId: ${signed.chainId}`);
+    }
+    return {
+      from: signed.from,
+      to: signed.to,
+      value: signed.value,
+      gasLimit: signed.gasLimit,
+      gasPrice: signed.gasPrice,
+      nonce: signed.nonce,
+      chainId: signed.chainId,
+      data: signed.data ?? "",
+      signature: { signature: signed.signature, publicKey: signed.publicKey }
+    };
+  }
+  /** Submit a signed wire payload with one non-retrying POST. */
+  async submitOnce(wire) {
+    const resp = await fetch(this.rpcUrl, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ jsonrpc: "2.0", method: "omne_sendTransaction", params: [wire], id: 1 })
+    });
+    if (!resp.ok) {
+      throw new Error(`omne_sendTransaction HTTP ${resp.status}: ${await resp.text()}`);
+    }
+    const json = await resp.json();
+    if (json.error) {
+      const msg = String(json.error.message ?? json.error);
+      if (/already\s*known|already\s*exists|duplicate/i.test(msg)) {
+        return { status: "duplicate", txHash: null };
+      }
+      if (/nonce\s*too\s*low|invalid\s*nonce/i.test(msg)) {
+        return { status: "stale_nonce", txHash: null };
+      }
+      throw new Error(`omne_sendTransaction rejected: ${msg}`);
+    }
+    const r = json.result;
+    return { status: "ok", txHash: typeof r === "string" ? r : r?.transactionHash ?? null };
+  }
+  /**
+   * Poll for a transaction receipt, tolerating the node's "receipt not found"
+   * RPC error while the tx is still in the mempool. 60s default: a 4-node BFT
+   * mesh confirms contract calls in ~20-30s.
+   */
+  async pollReceipt(txHash, timeoutMs = 6e4, intervalMs = 1e3) {
+    if (!txHash) return { transactionHash: null, status: "submitted", blockNumber: null };
+    const start = Date.now();
+    let lastTransportError = null;
+    while (Date.now() - start < timeoutMs) {
+      try {
+        const r = await this.rpc("omne_getTransactionReceipt", [txHash]);
+        if (r) return r;
+      } catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        if (/receipt.*not\s*found|not\s*found|-32000|-32602/i.test(msg)) {
+        } else {
+          lastTransportError = msg;
+        }
+      }
+      await new Promise((res) => setTimeout(res, intervalMs));
+    }
+    return {
+      transactionHash: txHash,
+      status: "pending",
+      blockNumber: null,
+      note: lastTransportError ? `receipt not available within ${timeoutMs}ms; last transport error: ${lastTransportError}` : `receipt not available within ${timeoutMs}ms`
+    };
+  }
+  // ── Reads ───────────────────────────────────────────────────────
+  async queryNumber(method, id) {
+    const r = await this.contract.query(this.fn(method), [addressArg(id)]);
+    return toNumber(r.returnValue);
+  }
+  async queryBigInt(method, id) {
+    const r = await this.contract.query(this.fn(method), [addressArg(id)]);
+    return toBigInt(r.returnValue);
+  }
+  async queryAddress(method, id) {
+    const r = await this.contract.query(this.fn(method), [addressArg(id)]);
+    return parseAddressReturn(r.returnValue);
+  }
+  getStatus(capabilityId) {
+    return this.queryNumber("get_status", capabilityId);
+  }
+  getMaxSpend(capabilityId) {
+    return this.queryBigInt("get_max_spend", capabilityId);
+  }
+  getValidUntil(capabilityId) {
+    return this.queryBigInt("get_valid_until", capabilityId);
+  }
+  getTotalSpent(capabilityId) {
+    return this.queryBigInt("get_total_spent", capabilityId);
+  }
+  getActionCount(capabilityId) {
+    return this.queryBigInt("get_action_count", capabilityId);
+  }
+  getCreatedAt(capabilityId) {
+    return this.queryBigInt("get_created_at", capabilityId);
+  }
+  getRevokedAt(capabilityId) {
+    return this.queryBigInt("get_revoked_at", capabilityId);
+  }
+  getPolicyVersion(capabilityId) {
+    return this.queryBigInt("get_policy_version", capabilityId);
+  }
+  getAttestationCount(capabilityId) {
+    return this.queryBigInt("get_attestation_count", capabilityId);
+  }
+  async getAllowlistEnabled(capabilityId) {
+    return await this.queryNumber("get_allowlist_enabled", capabilityId) === 1;
+  }
+  async isCounterpartyAllowed(capabilityId, counterparty) {
+    const key = await counterpartyKey(capabilityId, counterparty);
+    const r = await this.contract.query(this.fn("is_counterparty_allowed"), [addressArg(key)]);
+    return toNumber(r.returnValue) === 1;
+  }
+  /** Read a decision attestation's on-chain record (the tamper-evidence anchor). */
+  async getAttestation(attestationId) {
+    const [exists, ch, pv, v, t] = await Promise.all([
+      this.contract.query(this.fn("get_attestation_exists"), [addressArg(attestationId)]),
+      this.contract.query(this.fn("get_attestation_context_hash"), [addressArg(attestationId)]),
+      this.contract.query(this.fn("get_attestation_policy_version"), [addressArg(attestationId)]),
+      this.contract.query(this.fn("get_attestation_verdict"), [addressArg(attestationId)]),
+      this.contract.query(this.fn("get_attestation_time"), [addressArg(attestationId)])
+    ]);
+    return {
+      exists: toNumber(exists.returnValue) === 1,
+      contextHash: parseAddressReturn(ch.returnValue),
+      policyVersion: toBigInt(pv.returnValue),
+      verdict: toNumber(v.returnValue),
+      time: toBigInt(t.returnValue)
+    };
+  }
+  /** Fetch the complete state of a capability in one call. */
+  async getCapabilityState(capabilityId) {
+    const [
+      status,
+      principal,
+      agent,
+      maxSpend,
+      validUntil,
+      totalSpent,
+      actionCount,
+      createdAt,
+      revokedAt
+    ] = await Promise.all([
+      this.getStatus(capabilityId),
+      this.queryAddress("get_principal", capabilityId).catch(() => ""),
+      this.queryAddress("get_agent", capabilityId).catch(() => ""),
+      this.getMaxSpend(capabilityId),
+      this.getValidUntil(capabilityId),
+      this.getTotalSpent(capabilityId),
+      this.getActionCount(capabilityId),
+      this.getCreatedAt(capabilityId),
+      this.getRevokedAt(capabilityId)
+    ]);
+    return {
+      capabilityId,
+      status,
+      statusLabel: CAPABILITY_STATUS_LABELS[status] ?? "not_found",
+      principal,
+      agent,
+      maxSpend,
+      validUntil,
+      totalSpent,
+      actionCount,
+      createdAt,
+      revokedAt
+    };
+  }
+  // ── Writes (signed; require a funded signer) ─────────────────────
+  /** Principal mints a scoped capability to an agent. Signed by the principal. */
+  mintPermission(opts) {
+    return this.sendSigned(
+      opts.signer,
+      "mint_permission",
+      [
+        addressArg(opts.capabilityId),
+        addressArg(opts.principal),
+        addressArg(opts.agent),
+        AbiEncode.i64(opts.maxSpend),
+        AbiEncode.i64(opts.validUntil),
+        AbiEncode.i64(opts.allowlistEnabled ? 1n : 0n),
+        AbiEncode.i64(opts.currentTime)
+      ],
+      opts.gasLimit
+    );
+  }
+  /** Principal authorizes a counterparty for a capability's allowlist. */
+  async addAllowedCounterparty(opts) {
+    const key = await counterpartyKey(opts.capabilityId, opts.counterparty);
+    return this.sendSigned(
+      opts.signer,
+      "add_allowed_counterparty",
+      [addressArg(opts.capabilityId), addressArg(key), AbiEncode.i64(opts.currentTime)],
+      opts.gasLimit
+    );
+  }
+  /** Principal updates a capability's policy (limits) and bumps its on-chain version. */
+  updatePolicy(opts) {
+    return this.sendSigned(
+      opts.signer,
+      "update_policy",
+      [
+        addressArg(opts.capabilityId),
+        AbiEncode.i64(opts.newMaxSpend),
+        AbiEncode.i64(opts.newValidUntil),
+        AbiEncode.i64(opts.currentTime)
+      ],
+      opts.gasLimit
+    );
+  }
+  /**
+   * Agent records a capability-bound action — the substrate Policy Enforcement
+   * Point. Signed by the agent. `counterparty` is ignored when the capability's
+   * allowlist is disabled; when enabled, the substrate refuses (code 5) unless
+   * the counterparty has been allowlisted.
+   */
+  async recordAction(opts) {
+    const cp = opts.counterparty ?? BURN_SENTINEL;
+    const key = await counterpartyKey(opts.capabilityId, cp);
+    return this.sendSigned(
+      opts.signer,
+      "record_action",
+      [
+        addressArg(opts.capabilityId),
+        AbiEncode.i64(opts.amountSpent),
+        addressArg(key),
+        AbiEncode.i64(opts.currentTime)
+      ],
+      opts.gasLimit
+    );
+  }
+  /** Principal revokes a capability. Terminal. Signed by the principal. */
+  revokePermission(opts) {
+    return this.sendSigned(
+      opts.signer,
+      "revoke_permission",
+      [addressArg(opts.capabilityId), AbiEncode.i64(opts.currentTime)],
+      opts.gasLimit
+    );
+  }
+  /**
+   * Agent records a decision attestation (provable-after). Commits the
+   * decision's context_hash + verdict, bound to the capability's current policy
+   * version. Signed by the agent.
+   */
+  recordAttestation(opts) {
+    return this.sendSigned(
+      opts.signer,
+      "record_attestation",
+      [
+        addressArg(opts.attestationId),
+        addressArg(opts.capabilityId),
+        addressArg(opts.contextHash),
+        AbiEncode.i64(BigInt(opts.verdict)),
+        AbiEncode.i64(opts.currentTime)
+      ],
+      opts.gasLimit
+    );
+  }
+};
+function parseAddressReturn(returnValue) {
+  if (typeof returnValue === "string" && /^(0x)?[0-9a-fA-F]+$/.test(returnValue)) {
+    let hex = returnValue.replace(/^0x/, "");
+    if (hex.length > 64) return returnValue;
+    hex = hex.padStart(64, "0");
+    const bytes = new Uint8Array(32);
+    for (let i = 0; i < 32; i++) {
+      bytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+    }
+    try {
+      return encodeAddress(bytes);
+    } catch {
+      return returnValue;
+    }
+  }
+  if (returnValue === "0" || returnValue === null) return "";
+  return String(returnValue);
+}
+
+// src/attestation.ts
+function canonicalJson(value) {
+  const norm = (v) => {
+    if (Array.isArray(v)) return v.map(norm);
+    if (v && typeof v === "object") {
+      return Object.keys(v).sort().reduce((acc, k) => {
+        acc[k] = norm(v[k]);
+        return acc;
+      }, {});
+    }
+    return v;
+  };
+  return JSON.stringify(norm(value));
+}
+async function hashDecisionContext(context) {
+  const bytes = new TextEncoder().encode(canonicalJson(context));
+  return encodeAddress(await sha256(bytes));
+}
+async function deriveAttestationId(capabilityId, contextHash, seq) {
+  const preimage = concat(
+    decodeAddress(capabilityId),
+    decodeAddress(contextHash),
+    u64be(seq)
+  );
+  return encodeAddress(await sha256(preimage));
+}
+async function verifyDecisionContext(context, onChainContextHash) {
+  const recomputed = await hashDecisionContext(context);
+  return { ok: recomputed === onChainContextHash, recomputed };
+}
+
+// src/client.ts
+function nowSecs() {
+  return BigInt(Math.floor(Date.now() / 1e3));
+}
+async function settle(read, done, timeoutMs = 12e3, intervalMs = 750) {
+  const start = Date.now();
+  let last = await read();
+  while (!done(last) && Date.now() - start < timeoutMs) {
+    await new Promise((r) => setTimeout(r, intervalMs));
+    last = await read();
+  }
+  return last;
+}
+var CinchorClient = class _CinchorClient {
+  registry;
+  constructor(registry) {
+    this.registry = registry;
+  }
+  /** Connect to a network + deployed accountability contract. */
+  static async connect(config) {
+    return new _CinchorClient(await CapabilityRegistry.connect(config));
+  }
+  // ── Capability lifecycle ─────────────────────────────────────────
+  /**
+   * Mint a cryptographically-scoped capability to an agent: capability, spend
+   * ceiling, validity window, revocable at will. Returns the derived capability
+   * id and the commit receipt.
+   */
+  async mintCapability(opts) {
+    const currentTime = opts.currentTime ?? nowSecs();
+    const validUntil = opts.validUntil ?? (opts.ttlSeconds !== void 0 ? currentTime + BigInt(opts.ttlSeconds) : (() => {
+      throw new Error("mintCapability requires either validUntil or ttlSeconds");
+    })());
+    const nonce = opts.nonce ?? Math.floor(Math.random() * 2 ** 48);
+    const capabilityId = await deriveCapabilityId(
+      opts.principal.address,
+      opts.agent,
+      nonce,
+      Number(currentTime)
+    );
+    const receipt = await this.registry.mintPermission({
+      signer: opts.principal,
+      capabilityId,
+      principal: opts.principal.address,
+      agent: opts.agent,
+      maxSpend: opts.maxSpend,
+      validUntil,
+      allowlistEnabled: opts.allowlist,
+      currentTime,
+      gasLimit: opts.gasLimit
+    });
+    await settle(
+      () => this.getCapability(capabilityId),
+      (c) => c.status === 1 /* Active */
+    );
+    return { capabilityId, receipt };
+  }
+  /** Revoke a capability. Terminal. Signed by the principal. */
+  async revoke(opts) {
+    const receipt = await this.registry.revokePermission({
+      signer: opts.principal,
+      capabilityId: opts.capability,
+      currentTime: opts.currentTime ?? nowSecs(),
+      gasLimit: opts.gasLimit
+    });
+    await settle(
+      () => this.getCapability(opts.capability),
+      (c) => c.status === 2 /* Revoked */
+    );
+    return receipt;
+  }
+  /** Update a capability's policy (limits) and bump its on-chain version. */
+  updatePolicy(opts) {
+    return this.registry.updatePolicy({
+      signer: opts.principal,
+      capabilityId: opts.capability,
+      newMaxSpend: opts.maxSpend,
+      newValidUntil: opts.validUntil,
+      currentTime: opts.currentTime ?? nowSecs(),
+      gasLimit: opts.gasLimit
+    });
+  }
+  /** Authorize a counterparty for a capability's allowlist. */
+  allowCounterparty(opts) {
+    return this.registry.addAllowedCounterparty({
+      signer: opts.principal,
+      capabilityId: opts.capability,
+      counterparty: opts.counterparty,
+      currentTime: opts.currentTime ?? nowSecs(),
+      gasLimit: opts.gasLimit
+    });
+  }
+  // ── The two verbs ────────────────────────────────────────────────
+  /**
+   * Authorize-or-refuse a consequential action. The substrate enforces the
+   * capability's invariants atomically: an out-of-scope action commits no state
+   * change. The verdict is read back from committed state (a record_action
+   * receipt does not carry the contract's return code).
+   *
+   * Verdict classification assumes serial, single-signer use of the capability
+   * (one in-flight action at a time) — the documented integration pattern.
+   */
+  async enforce(opts) {
+    const currentTime = opts.currentTime ?? nowSecs();
+    const before = await this.registry.getCapabilityState(opts.capability);
+    const receipt = await this.registry.recordAction({
+      signer: opts.agent,
+      capabilityId: opts.capability,
+      amountSpent: opts.amount,
+      counterparty: opts.counterparty,
+      currentTime,
+      gasLimit: opts.gasLimit
+    });
+    const after = await settle(
+      () => this.registry.getCapabilityState(opts.capability),
+      (a) => a.actionCount > before.actionCount,
+      8e3
+    );
+    const code = await this.classify(before, after, opts.amount, currentTime, opts);
+    return { allowed: code === 1 /* Allowed */, code, reason: ENFORCEMENT_LABELS[code], receipt };
+  }
+  async classify(before, after, amount, t, opts) {
+    if (after.actionCount > before.actionCount && after.totalSpent === before.totalSpent + amount) {
+      return 1 /* Allowed */;
+    }
+    if (before.status === 0 /* NotFound */) return 0 /* NotFound */;
+    if (before.status === 2 /* Revoked */) return 2 /* Revoked */;
+    if (t > before.validUntil) return 3 /* Expired */;
+    if (before.totalSpent + amount > before.maxSpend) return 4 /* OverBudget */;
+    if (await this.registry.getAllowlistEnabled(opts.capability)) {
+      const cp = opts.counterparty ?? BURN_SENTINEL;
+      if (!await this.registry.isCounterpartyAllowed(opts.capability, cp)) {
+        return 5 /* OutOfAllowlist */;
+      }
+    }
+    return 0 /* NotFound */;
+  }
+  /**
+   * Commit a tamper-evident attestation of a decision. The full context is
+   * hashed canonically; the hash + verdict are committed on-chain, bound to the
+   * capability's current policy version. An auditor later re-hashes the
+   * off-chain artifact and confirms it matches (see {@link verifyAttestation}).
+   */
+  async attest(opts) {
+    const currentTime = opts.currentTime ?? nowSecs();
+    const verdict = opts.verdict ?? 1 /* InPolicy */;
+    const seq = opts.seq ?? 0;
+    const contextHash = await hashDecisionContext(opts.context);
+    const attestationId = await deriveAttestationId(opts.capability, contextHash, seq);
+    const receipt = await this.registry.recordAttestation({
+      signer: opts.agent,
+      attestationId,
+      capabilityId: opts.capability,
+      contextHash,
+      verdict,
+      currentTime,
+      gasLimit: opts.gasLimit
+    });
+    await settle(() => this.registry.getAttestation(attestationId), (a) => a.exists);
+    return { attestationId, contextHash, verdict, receipt };
+  }
+  // ── Audit (reads; no signer required) ────────────────────────────
+  /** Read the full on-chain state of a capability. */
+  getCapability(capabilityId) {
+    return this.registry.getCapabilityState(capabilityId);
+  }
+  /** Read a decision attestation's on-chain record. */
+  getAttestation(attestationId) {
+    return this.registry.getAttestation(attestationId);
+  }
+  /**
+   * Tamper check: re-hash a decision context and confirm it matches the
+   * attestation's on-chain commitment. Returns whether it matches, the
+   * recomputed hash, and the on-chain record.
+   */
+  async verifyAttestation(context, attestationId) {
+    const onChain = await this.registry.getAttestation(attestationId);
+    const { ok, recomputed } = await verifyDecisionContext(context, onChain.contextHash);
+    return { ok: ok && onChain.exists, recomputed, onChain };
+  }
+};
+export {
+  BURN_SENTINEL,
+  CAPABILITY_STATUS_LABELS,
+  CapabilityRegistry,
+  CapabilityStatus,
+  CinchorClient,
+  DEFAULT_GAS_LIMIT,
+  DEFAULT_GAS_PRICE,
+  ENFORCEMENT_LABELS,
+  EnforcementCode,
+  IGNIS_LOCAL,
+  Verdict,
+  addressArg,
+  canonicalJson,
+  counterpartyKey,
+  decodeAddress,
+  deriveAttestationId,
+  deriveCapabilityId,
+  encodeAddress,
+  exportPrefixFor,
+  hashDecisionContext,
+  nowSecs,
+  parseAddressReturn,
+  verifyDecisionContext
+};
+//# sourceMappingURL=index.js.map