@coproduct_inc/verify 0.2.0 → 0.5.0

package/dist/claim.js

@@ -0,0 +1,186 @@
+/**
+ * `claim.ts` — a **recompute-verified claim** façade.
+ *
+ * One uniform call — `verifyClaim(claim) → ClaimVerdict` — over the package's
+ * existing recompute engines, so any surface (a comment-box widget, a CI
+ * check, an MCP tool) can render a single ✓/✗ plus a human-readable recompute
+ * trace next to a claim, without knowing which engine adjudicated it.
+ *
+ * ## The honest boundary
+ *
+ * This verifies **only** claims that reduce to a *deterministic recomputation
+ * over committed evidence* — never arbitrary prose. A claim is adjudicable iff
+ * its value is the output of a pure function the caller can re-run from the
+ * cited inputs:
+ *
+ *   - `clearing`  — re-run an auction's clearing from its SIGNED bid set and
+ *                   check the receipt's price/winner (WASM kernel; the exact
+ *                   `verify` / `recomputeClearing` path).
+ *   - `in_bounds` — re-run an agent run's capability verdict from its tool
+ *                   trace + declared boundary (pure-node attestation engine).
+ *   - `signature` — authenticity only: Ed25519 + BLAKE3 root hash, no
+ *                   value recompute.
+ *
+ * Anything NOT reducible to a recompute (e.g. "10k users downloaded this")
+ * returns `verified: false` with an explicit `unsupported`/`reason` — it is
+ * never silently passed. `eval_score` and `dataset_aggregate` are the planned
+ * next kinds (see docs/RECOMPUTE-VERIFIED-CLAIMS.md); until wired they report
+ * unsupported rather than faking a check.
+ *
+ * ## Proof-carrying numbers
+ *
+ * When a claim carries an `asserted` value (the number a human wrote in prose,
+ * e.g. "cleared at 400000 µ$"), it is cross-checked against the recomputed
+ * value. A receipt that is authentic but whose prose number was altered fails
+ * (`verified: false`, `asserted.matched: false`) — the receipt can't lie, and
+ * neither can the sentence quoting it.
+ */
+import { verify, recomputeClearing } from "./index.js";
+import { verifyReceipt } from "./attestation.js";
+function receiptJson(ev) {
+    return typeof ev.receipt === "string" ? ev.receipt : JSON.stringify(ev.receipt);
+}
+/**
+ * Adjudicate a claim by recomputation. Never throws — a malformed receipt,
+ * an unknown kind, or an engine error surface as `verified: false` with a
+ * `reason`, so the widget can always render a definite ✓/✗.
+ */
+export async function verifyClaim(claim) {
+    const base = { kind: claim.kind, statement: claim.statement };
+    try {
+        switch (claim.kind) {
+            case "clearing":
+                return await verifyClearingClaim(claim, base);
+            case "in_bounds":
+                return verifyInBoundsClaim(claim, base);
+            case "signature":
+                return await verifySignatureClaim(claim, base);
+            default:
+                return {
+                    ...base,
+                    verified: false,
+                    recomputed: null,
+                    asserted: null,
+                    trace: [{ check: "kind-supported", ok: false, detail: `unsupported kind: ${claim.kind}` }],
+                    reason: `unsupported claim kind: ${claim.kind} (not recomputable)`,
+                };
+        }
+    }
+    catch (e) {
+        return {
+            ...base,
+            verified: false,
+            recomputed: null,
+            asserted: null,
+            trace: [{ check: "engine", ok: false, detail: String(e) }],
+            reason: `recompute engine error: ${e instanceof Error ? e.message : String(e)}`,
+        };
+    }
+}
+async function verifyClearingClaim(claim, base) {
+    const json = receiptJson(claim.evidence);
+    const trace = [];
+    let recomputedPrice;
+    let coreOk;
+    let reason;
+    if (claim.evidence.jwks) {
+        // Full path: signature + root hash + price recompute.
+        const r = await verify(json, claim.evidence.jwks);
+        trace.push({ check: "signature", ok: r.signature_ok });
+        trace.push({ check: "root-hash", ok: r.root_hash_ok });
+        trace.push({ check: "price-recomputed", ok: r.price_recomputed_ok });
+        recomputedPrice = r.recomputed_price_micro_usd;
+        coreOk = r.ok;
+        reason = r.reason;
+    }
+    else {
+        // Recompute-only path (no pinned JWKS supplied).
+        const r = await recomputeClearing(json);
+        trace.push({ check: "price-recomputed", ok: r.matches_receipt });
+        trace.push({ check: "winner-recomputed", ok: r.winner_matches });
+        recomputedPrice = r.recomputed_price_micro_usd;
+        coreOk = r.matches_receipt;
+        reason = r.reason;
+    }
+    const asserted = crossCheck(claim.asserted, recomputedPrice, trace, "asserted-price");
+    return {
+        ...base,
+        verified: coreOk && (asserted?.matched ?? true),
+        recomputed: { label: "clearing_price_micro_usd", value: recomputedPrice },
+        asserted,
+        trace,
+        reason: !coreOk ? (reason ?? "clearing did not recompute") : assertedReason(asserted),
+    };
+}
+function verifyInBoundsClaim(claim, base) {
+    const receipt = typeof claim.evidence.receipt === "string"
+        ? JSON.parse(claim.evidence.receipt)
+        : claim.evidence.receipt;
+    const r = verifyReceipt(receipt, {
+        expectPrincipal: claim.evidence.expectPrincipal,
+        expectPublicKey: claim.evidence.expectPublicKey,
+    });
+    const trace = [
+        { check: "signature", ok: r.signatureOk },
+        { check: "root-hash", ok: r.rootHashOk },
+        { check: "verdict-consistent", ok: r.verdictConsistentOk },
+        { check: "in-bounds", ok: r.inBounds },
+    ];
+    if (claim.evidence.expectPrincipal !== undefined) {
+        trace.push({ check: "principal-pinned", ok: r.principalOk ?? false });
+    }
+    const asserted = crossCheck(claim.asserted, r.inBounds, trace, "asserted-in-bounds");
+    return {
+        ...base,
+        verified: r.ok && (asserted?.matched ?? true),
+        recomputed: { label: "in_bounds", value: r.inBounds },
+        asserted,
+        trace,
+        reason: !r.ok ? (r.reason ?? "attestation did not verify") : assertedReason(asserted),
+    };
+}
+async function verifySignatureClaim(claim, base) {
+    if (!claim.evidence.jwks) {
+        return {
+            ...base,
+            verified: false,
+            recomputed: null,
+            asserted: null,
+            trace: [{ check: "jwks-present", ok: false }],
+            reason: "signature claim requires evidence.jwks",
+        };
+    }
+    // Reuse the full verifier but gate on authenticity only (signature + root
+    // hash), not price correctness — the `signature` kind asserts provenance.
+    const r = await verify(receiptJson(claim.evidence), claim.evidence.jwks);
+    const ok = r.signature_ok && r.root_hash_ok;
+    return {
+        ...base,
+        verified: ok,
+        recomputed: { label: "authentic", value: ok },
+        asserted: null,
+        trace: [
+            { check: "signature", ok: r.signature_ok },
+            { check: "root-hash", ok: r.root_hash_ok },
+        ],
+        reason: ok ? null : (r.reason ?? "signature or root hash failed"),
+    };
+}
+/** Cross-check a prose-asserted value against the recomputed value. */
+function crossCheck(asserted, recomputed, trace, check) {
+    if (asserted === undefined)
+        return null;
+    const matched = asserted.value === recomputed;
+    trace.push({
+        check,
+        ok: matched,
+        detail: matched ? undefined : `asserted ${String(asserted.value)} ≠ recomputed ${String(recomputed)}`,
+    });
+    return { value: asserted.value, matched };
+}
+function assertedReason(asserted) {
+    if (asserted && !asserted.matched) {
+        return `asserted value (${String(asserted.value)}) does not match the recompute`;
+    }
+    return null;
+}

package/dist/index.d.ts

@@ -95,3 +95,7 @@ export declare function recomputeClearing(receiptJson: string): Promise<Recomput
 export declare function verifySignature(receiptJson: string, jwksJson: string): Promise<unknown>;
 export * from "./attestation.js";
 export * from "./toolproxy.js";
+export * from "./cage.js";
+export * from "./workflow.js";
+export * from "./license.js";
+export * from "./claim.js";

package/dist/index.js

@@ -70,3 +70,16 @@ export * from "./attestation.js";
 // Producer-side instrumentation: turn a nucleus-tool-proxy trace into a signed
 // in-bounds receipt. See `./toolproxy` and the `nucleus-attest` CLI.
 export * from "./toolproxy.js";
+// The 5-minute drop-in: a runtime `Cage` wraps an agent's tool calls (enforce +
+// record) and emits a signed receipt the lines above verify. See `./cage`.
+export * from "./cage.js";
+// The DAG cage: compose a multi-agent run into one verifiable `WorkflowReceipt`,
+// including the cross-node information flow ("locally fine, globally leaks").
+export * from "./workflow.js";
+// Offline Ed25519 license keys: entitlement with no user DB / no callback.
+// See `./license` and the `nucleus-license` CLI.
+export * from "./license.js";
+// Recompute-verified CLAIM façade: one `verifyClaim(claim) → ClaimVerdict`
+// over all of the above engines, for embeddable ✓/✗ + recompute-trace
+// widgets. See `./claim` and docs/RECOMPUTE-VERIFIED-CLAIMS.md.
+export * from "./claim.js";

package/dist/license-cli.d.ts

@@ -0,0 +1,18 @@
+#!/usr/bin/env node
+/**
+ * `nucleus-license` — issue + verify offline Ed25519 license keys.
+ *
+ *   nucleus-license keygen [--out-key vendor.pem] [--out-pub vendor.pub]
+ *     → generate a vendor keypair; prints the base64url public key to PIN.
+ *
+ *   nucleus-license issue --key vendor.pem --sub a@b.com --tier pro \
+ *       [--features dashboard,export] [--exp 2027-06-01] [--iat 2026-06-04]
+ *     → prints a license token (deliver this string as the MoR "license key").
+ *
+ *   nucleus-license verify <token> --pubkey <base64url> [--now 2026-06-04]
+ *     → exit 0 if valid, 1 if not.
+ *
+ * No server, no DB: the Merchant of Record holds the customer; this issues and
+ * checks a signature. Keep the vendor private key secret.
+ */
+export {};

package/dist/license-cli.js

@@ -0,0 +1,96 @@
+#!/usr/bin/env node
+/**
+ * `nucleus-license` — issue + verify offline Ed25519 license keys.
+ *
+ *   nucleus-license keygen [--out-key vendor.pem] [--out-pub vendor.pub]
+ *     → generate a vendor keypair; prints the base64url public key to PIN.
+ *
+ *   nucleus-license issue --key vendor.pem --sub a@b.com --tier pro \
+ *       [--features dashboard,export] [--exp 2027-06-01] [--iat 2026-06-04]
+ *     → prints a license token (deliver this string as the MoR "license key").
+ *
+ *   nucleus-license verify <token> --pubkey <base64url> [--now 2026-06-04]
+ *     → exit 0 if valid, 1 if not.
+ *
+ * No server, no DB: the Merchant of Record holds the customer; this issues and
+ * checks a signature. Keep the vendor private key secret.
+ */
+import { readFileSync, writeFileSync } from "node:fs";
+import { generateLicenseKeypair, exportLicensePublicKey, signLicense, verifyLicense, licensePrivateKeyFromPem, } from "./license.js";
+function opt(flag) {
+    const i = process.argv.indexOf(flag);
+    return i >= 0 ? process.argv[i + 1] : undefined;
+}
+function keygen() {
+    const { publicKey, privateKey } = generateLicenseKeypair();
+    const pub = exportLicensePublicKey(publicKey);
+    const pem = privateKey.export({ type: "pkcs8", format: "pem" });
+    const outKey = opt("--out-key");
+    const outPub = opt("--out-pub");
+    if (outKey)
+        writeFileSync(outKey, pem, { mode: 0o600 });
+    if (outPub)
+        writeFileSync(outPub, pub + "\n");
+    process.stdout.write(`vendor public key (PIN this in the verifier):\n${pub}\n`);
+    if (!outKey) {
+        process.stdout.write("\nvendor PRIVATE key (keep SECRET — store in your MoR webhook secret):\n");
+        process.stdout.write(pem);
+    }
+    else {
+        process.stderr.write(`wrote private key → ${outKey} (chmod 600)\n`);
+    }
+    return 0;
+}
+function issue() {
+    const keyPath = opt("--key");
+    const sub = opt("--sub");
+    const tier = (opt("--tier") ?? "pro");
+    if (!keyPath || !sub) {
+        process.stderr.write("error: issue needs --key <vendor.pem> and --sub <id>\n");
+        return 2;
+    }
+    const features = (opt("--features") ?? "").split(",").map((s) => s.trim()).filter(Boolean);
+    const claims = {
+        sub,
+        tier,
+        features,
+        iat: opt("--iat") ?? new Date().toISOString().slice(0, 10),
+        ...(opt("--exp") ? { exp: opt("--exp") } : {}),
+    };
+    const key = licensePrivateKeyFromPem(readFileSync(keyPath, "utf8"));
+    process.stdout.write(signLicense(claims, key) + "\n");
+    return 0;
+}
+function verify() {
+    const token = process.argv[3];
+    const pubkey = opt("--pubkey");
+    if (!token || token.startsWith("--") || !pubkey) {
+        process.stderr.write("error: verify needs <token> and --pubkey <base64url>\n");
+        return 2;
+    }
+    const r = verifyLicense(token, pubkey, opt("--now"));
+    if (r.valid) {
+        process.stdout.write(`✓ valid — ${r.license.tier} for ${r.license.sub}` + (r.license.exp ? ` (exp ${r.license.exp})` : "") + `\n`);
+        return 0;
+    }
+    process.stderr.write(`✗ invalid — ${r.reason}\n`);
+    return 1;
+}
+function main() {
+    const cmd = process.argv[2];
+    switch (cmd) {
+        case "keygen":
+            return keygen();
+        case "issue":
+            return issue();
+        case "verify":
+            return verify();
+        default:
+            process.stdout.write("nucleus-license — offline Ed25519 license keys\n\n" +
+                "  nucleus-license keygen [--out-key vendor.pem] [--out-pub vendor.pub]\n" +
+                "  nucleus-license issue  --key vendor.pem --sub a@b.com --tier pro [--features x,y] [--exp ISO]\n" +
+                "  nucleus-license verify <token> --pubkey <base64url> [--now ISO]\n");
+            return cmd ? 2 : 0;
+    }
+}
+process.exit(main());

package/dist/license.d.ts

@@ -0,0 +1,59 @@
+/**
+ * Offline Ed25519 license keys — entitlement without a user database or a
+ * callback. The vendor signs a tiny claims payload with a private key; the CLI
+ * (or a Pro feature path) verifies it against a PINNED public key. No server,
+ * no license API, no phone-home: the Merchant of Record (Polar / Lemon Squeezy)
+ * holds the customer record and delivers the signed string as the "license
+ * key"; this module is the verifier.
+ *
+ * Token format (compact, copy-pasteable):
+ *   nvlic1.<base64url(canonical-json payload)>.<base64url(ed25519 sig)>
+ * The signature is over the payload SEGMENT bytes (the base64url string), so
+ * verification never re-serializes — it checks the exact bytes that were signed.
+ *
+ * On-brand: a verification company gating its own Pro tier by a verifiable,
+ * offline-checkable signature rather than a trust-the-server license call.
+ */
+import { type KeyObject } from "node:crypto";
+export declare const LICENSE_PREFIX: "nvlic1";
+/** The claims a license asserts. Keep it small — it's pasted by hand. */
+export interface LicenseClaims {
+    /** Who the license is for (email / customer id from the MoR). */
+    sub: string;
+    /** Entitlement tier. */
+    tier: "pro" | "team" | "enterprise";
+    /** Unlocked features (free-form; checked by the Pro path). */
+    features: string[];
+    /** Issued-at (ISO date). Informational. */
+    iat: string;
+    /** Optional expiry (ISO date). Absent = perpetual. */
+    exp?: string;
+}
+export interface LicenseReport {
+    valid: boolean;
+    /** The verified claims, when valid. */
+    license: LicenseClaims | null;
+    /** First failing reason, or null when valid. */
+    reason: string | null;
+}
+/** Generate an Ed25519 vendor keypair. Keep the private key secret; ship the public. */
+export declare function generateLicenseKeypair(): {
+    publicKey: KeyObject;
+    privateKey: KeyObject;
+};
+/** Export a public key to the base64url raw form the verifier pins. */
+export declare function exportLicensePublicKey(publicKey: KeyObject): string;
+/** Sign a license token with the vendor private key. */
+export declare function signLicense(claims: LicenseClaims, privateKey: KeyObject): string;
+/** Load an Ed25519 private key from PEM (PKCS#8). */
+export declare function licensePrivateKeyFromPem(pem: string): KeyObject;
+/**
+ * Verify a license token offline against the pinned vendor public key
+ * (base64url raw Ed25519). Checks format + signature + expiry. Never throws.
+ *
+ * @param now optional ISO timestamp for expiry checks (defaults to absent =
+ *   skip expiry; pass an explicit time to enforce it deterministically).
+ */
+export declare function verifyLicense(token: string, vendorPublicKeyB64url: string, now?: string): LicenseReport;
+/** Convenience: does a verified license grant a given feature (or tier-implied)? */
+export declare function licenseGrants(report: LicenseReport, feature: string): boolean;

package/dist/license.js

@@ -0,0 +1,94 @@
+/**
+ * Offline Ed25519 license keys — entitlement without a user database or a
+ * callback. The vendor signs a tiny claims payload with a private key; the CLI
+ * (or a Pro feature path) verifies it against a PINNED public key. No server,
+ * no license API, no phone-home: the Merchant of Record (Polar / Lemon Squeezy)
+ * holds the customer record and delivers the signed string as the "license
+ * key"; this module is the verifier.
+ *
+ * Token format (compact, copy-pasteable):
+ *   nvlic1.<base64url(canonical-json payload)>.<base64url(ed25519 sig)>
+ * The signature is over the payload SEGMENT bytes (the base64url string), so
+ * verification never re-serializes — it checks the exact bytes that were signed.
+ *
+ * On-brand: a verification company gating its own Pro tier by a verifiable,
+ * offline-checkable signature rather than a trust-the-server license call.
+ */
+import { createPublicKey, createPrivateKey, sign as edSign, verify as edVerify, generateKeyPairSync } from "node:crypto";
+import { canonicalize } from "./attestation.js";
+export const LICENSE_PREFIX = "nvlic1";
+function b64url(buf) {
+    return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function fromB64url(s) {
+    return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");
+}
+function importPublicKey(b64urlX) {
+    return createPublicKey({ key: { kty: "OKP", crv: "Ed25519", x: b64urlX }, format: "jwk" });
+}
+// ---------------------------------------------------------------------------
+// Issuer side (run once per sale, or from a MoR webhook).
+// ---------------------------------------------------------------------------
+/** Generate an Ed25519 vendor keypair. Keep the private key secret; ship the public. */
+export function generateLicenseKeypair() {
+    return generateKeyPairSync("ed25519");
+}
+/** Export a public key to the base64url raw form the verifier pins. */
+export function exportLicensePublicKey(publicKey) {
+    const jwk = publicKey.export({ format: "jwk" });
+    if (!jwk.x)
+        throw new Error("not an Ed25519 public key");
+    return jwk.x;
+}
+/** Sign a license token with the vendor private key. */
+export function signLicense(claims, privateKey) {
+    const payloadB64 = b64url(Buffer.from(canonicalize(claims), "utf8"));
+    const sig = edSign(null, Buffer.from(payloadB64, "utf8"), privateKey);
+    return `${LICENSE_PREFIX}.${payloadB64}.${b64url(sig)}`;
+}
+/** Load an Ed25519 private key from PEM (PKCS#8). */
+export function licensePrivateKeyFromPem(pem) {
+    return createPrivateKey(pem);
+}
+// ---------------------------------------------------------------------------
+// Verifier side (ships in the CLI / Pro path; pins the vendor public key).
+// ---------------------------------------------------------------------------
+/**
+ * Verify a license token offline against the pinned vendor public key
+ * (base64url raw Ed25519). Checks format + signature + expiry. Never throws.
+ *
+ * @param now optional ISO timestamp for expiry checks (defaults to absent =
+ *   skip expiry; pass an explicit time to enforce it deterministically).
+ */
+export function verifyLicense(token, vendorPublicKeyB64url, now) {
+    const parts = token.trim().split(".");
+    if (parts.length !== 3 || parts[0] !== LICENSE_PREFIX) {
+        return { valid: false, license: null, reason: "malformed license token" };
+    }
+    const [, payloadB64, sigB64] = parts;
+    let sigOk = false;
+    try {
+        const pub = importPublicKey(vendorPublicKeyB64url);
+        sigOk = edVerify(null, Buffer.from(payloadB64, "utf8"), pub, fromB64url(sigB64));
+    }
+    catch {
+        sigOk = false;
+    }
+    if (!sigOk)
+        return { valid: false, license: null, reason: "signature did not verify under the pinned key" };
+    let claims;
+    try {
+        claims = JSON.parse(fromB64url(payloadB64).toString("utf8"));
+    }
+    catch (e) {
+        return { valid: false, license: null, reason: `license payload not valid JSON: ${e.message}` };
+    }
+    if (claims.exp && now && now > claims.exp) {
+        return { valid: false, license: claims, reason: `license expired on ${claims.exp}` };
+    }
+    return { valid: true, license: claims, reason: null };
+}
+/** Convenience: does a verified license grant a given feature (or tier-implied)? */
+export function licenseGrants(report, feature) {
+    return report.valid && !!report.license && report.license.features.includes(feature);
+}

package/dist/workflow.d.ts

@@ -0,0 +1,85 @@
+import { type KeyObject } from "node:crypto";
+import { Cage } from "./cage.js";
+import { type TraceEvent } from "./attestation.js";
+declare const WF_KIND = "nucleus.workflow-receipt.v1";
+export interface WorkflowNodeSpec {
+    /** Unique node id within the workflow. */
+    id: string;
+    /** This node's capability boundary (the tools it may call). */
+    boundary: string[];
+    /** Parent node ids — the DAG edges (data flows parent → this node). */
+    after?: string[];
+}
+export interface WorkflowReceiptNode {
+    id: string;
+    after: string[];
+    boundary: string[];
+    events: TraceEvent[];
+    /** Independently recomputed by the verifier; the emitter's claim is not trusted. */
+    inBounds: boolean;
+}
+export interface WorkflowReceipt {
+    kind: typeof WF_KIND;
+    principal: string;
+    nodes: WorkflowReceiptNode[];
+    rootHash: string;
+    publicKey: string;
+    signature: string;
+    signedAt?: string;
+}
+/** An information-flow policy checked across the whole DAG. */
+export interface FlowPolicy {
+    /** Tools that introduce taint (e.g. reading a secret). */
+    sources: string[];
+    /** Tools that must never be reached while tainted (e.g. an external write). */
+    sinks: string[];
+    /** Nodes that sanitize — they clear incoming taint (a sanitizer in the chain). */
+    declassifiers?: string[];
+}
+export interface FlowLeak {
+    node: string;
+    sink: string;
+    taintedVia: "reads-source" | "upstream";
+}
+export interface WorkflowVerifyReport {
+    /** `signatureOk && dagOk && nodesOk && flowOk`. */
+    ok: boolean;
+    /** Ed25519 signature verifies AND the recomputed rootHash matches. */
+    signatureOk: boolean;
+    /** Edges reference real nodes and the graph is acyclic. */
+    dagOk: boolean;
+    /** Every node's recorded calls were within its declared boundary. */
+    nodesOk: boolean;
+    /** No source→sink information flow across the DAG (per the flow policy). */
+    flowOk: boolean;
+    /** The source→sink leaks found (empty when `flowOk`). */
+    leaks: FlowLeak[];
+    /** Nodes whose recompute found an out-of-boundary call. */
+    outOfBoundsNodes: string[];
+    reason: string | null;
+}
+/**
+ * A DAG cage. Register nodes (each gets a {@link Cage}), run your agents through
+ * the caged tools, then {@link Workflow.attest} a single signed receipt over the
+ * whole graph — verifiable offline, including the cross-node information flow.
+ */
+export declare class Workflow {
+    private readonly principal;
+    private readonly nodes;
+    constructor(principal: string);
+    /** Register a node and return its cage. The cage's tool calls are recorded
+     *  under this node; `after` declares the edges into it. */
+    node(spec: WorkflowNodeSpec): Cage;
+    private receiptNodes;
+    /** Sign one workflow receipt over the whole DAG. */
+    attest(privateKey: KeyObject, opts?: {
+        signedAt?: string;
+    }): WorkflowReceipt;
+}
+/**
+ * Verify a workflow receipt fully and offline: the signature + the per-node
+ * in-bounds recompute + the DAG (acyclic, real edges) + the cross-node
+ * information flow. Never throws — failures surface as `ok:false` + `reason`.
+ */
+export declare function verifyWorkflowReceipt(wr: WorkflowReceipt, flow?: FlowPolicy): WorkflowVerifyReport;
+export {};