@coproduct_inc/verify 0.2.0 → 0.5.0

package/dist/workflow.js

@@ -0,0 +1,179 @@
+// The DAG cage: compose a multi-agent run into ONE verifiable workflow receipt.
+//
+// A single agent you can eyeball; a DAG of agents you can't. The dangerous
+// failure mode only exists at DAG scale: every node is locally in-bounds, yet a
+// secret laundered from a source node, through an innocent middle, to a sink.
+// Per-node checks ALL pass; only the whole-workflow check catches it. This is
+// that check, at the orchestration layer — a receipt-level analog of the
+// bytecode noninterference proof, that rides on whatever orchestrator you use.
+//
+//   const wf = new Workflow("spiffe://acme/intake-pipeline");
+//   const reader   = wf.node({ id: "reader",   boundary: ["read_secret", "emit"] });
+//   const middle   = wf.node({ id: "middle",   boundary: ["transform", "emit"], after: ["reader"] });
+//   const writer   = wf.node({ id: "writer",   boundary: ["publish"],           after: ["middle"] });
+//   …run your agents, calling these caged tools…
+//   const receipt = wf.attest(privateKey);
+//
+//   // your customer verifies the whole DAG offline, including the flow policy:
+//   verifyWorkflowReceipt(receipt, { sources: ["read_secret"], sinks: ["publish"] });
+//   // → flowOk:false if a secret could reach `publish`, even though every node was in-bounds.
+import { createHash, createPublicKey, sign as edSign, verify as edVerify } from "node:crypto";
+import { Cage } from "./cage.js";
+import { canonicalize, exportPublicKey } from "./attestation.js";
+import { traceEventsFromRecords } from "./toolproxy.js";
+const WF_KIND = "nucleus.workflow-receipt.v1";
+function sha256Hex(s) {
+    return createHash("sha256").update(s).digest("hex");
+}
+function importPublicKey(x) {
+    return createPublicKey({ key: { kty: "OKP", crv: "Ed25519", x }, format: "jwk" });
+}
+/** Topological order of the node ids; throws on a cycle. */
+function topoOrder(nodes) {
+    const ids = new Set(nodes.map((n) => n.id));
+    const indeg = new Map();
+    const children = new Map();
+    for (const n of nodes) {
+        indeg.set(n.id, 0);
+        children.set(n.id, []);
+    }
+    for (const n of nodes) {
+        for (const p of n.after) {
+            if (!ids.has(p))
+                throw new Error(`edge from unknown node "${p}"`);
+            indeg.set(n.id, (indeg.get(n.id) ?? 0) + 1);
+            children.get(p).push(n.id);
+        }
+    }
+    const queue = [...indeg].filter(([, d]) => d === 0).map(([id]) => id);
+    const order = [];
+    while (queue.length) {
+        const id = queue.shift();
+        order.push(id);
+        for (const c of children.get(id)) {
+            indeg.set(c, indeg.get(c) - 1);
+            if (indeg.get(c) === 0)
+                queue.push(c);
+        }
+    }
+    if (order.length !== nodes.length)
+        throw new Error("workflow graph has a cycle");
+    return order;
+}
+/** Recompute information-flow taint across the DAG → the leaks (independent). */
+function recomputeFlow(nodes, flow) {
+    const sources = new Set(flow.sources);
+    const sinks = new Set(flow.sinks);
+    const declass = new Set(flow.declassifiers ?? []);
+    const byId = new Map(nodes.map((n) => [n.id, n]));
+    const tainted = new Map();
+    const leaks = [];
+    for (const id of topoOrder(nodes)) {
+        const n = byId.get(id);
+        const tools = new Set(n.events.map((e) => e.tool));
+        const readsSource = [...tools].some((t) => sources.has(t));
+        const parentTainted = n.after.some((p) => tainted.get(p));
+        const isTainted = declass.has(id) ? false : readsSource || parentTainted;
+        tainted.set(id, isTainted);
+        if (isTainted) {
+            for (const t of tools) {
+                if (sinks.has(t))
+                    leaks.push({ node: id, sink: t, taintedVia: readsSource ? "reads-source" : "upstream" });
+            }
+        }
+    }
+    return leaks;
+}
+function nodesForHash(nodes) {
+    return nodes.map((n) => ({ id: n.id, after: n.after, boundary: n.boundary, events: n.events }));
+}
+/**
+ * A DAG cage. Register nodes (each gets a {@link Cage}), run your agents through
+ * the caged tools, then {@link Workflow.attest} a single signed receipt over the
+ * whole graph — verifiable offline, including the cross-node information flow.
+ */
+export class Workflow {
+    principal;
+    nodes = new Map();
+    constructor(principal) {
+        this.principal = principal;
+    }
+    /** Register a node and return its cage. The cage's tool calls are recorded
+     *  under this node; `after` declares the edges into it. */
+    node(spec) {
+        if (this.nodes.has(spec.id))
+            throw new Error(`duplicate node id "${spec.id}"`);
+        const cage = new Cage({ principal: `${this.principal}#${spec.id}`, allowedTools: spec.boundary });
+        this.nodes.set(spec.id, { id: spec.id, after: spec.after ?? [], boundary: spec.boundary, cage });
+        return cage;
+    }
+    receiptNodes() {
+        return [...this.nodes.values()].map((n) => {
+            const events = traceEventsFromRecords(n.cage.toExport().records);
+            const inBounds = events.every((e) => n.boundary.includes(e.tool));
+            return { id: n.id, after: n.after, boundary: n.boundary, events, inBounds };
+        });
+    }
+    /** Sign one workflow receipt over the whole DAG. */
+    attest(privateKey, opts = {}) {
+        const nodes = this.receiptNodes();
+        const rootHash = sha256Hex(canonicalize(nodesForHash(nodes)));
+        const pub = createPublicKey(privateKey);
+        const body = canonicalize({ kind: WF_KIND, principal: this.principal, rootHash });
+        const signature = edSign(null, Buffer.from(body, "utf8"), privateKey).toString("base64");
+        return {
+            kind: WF_KIND,
+            principal: this.principal,
+            nodes,
+            rootHash,
+            publicKey: exportPublicKey(pub),
+            signature,
+            ...(opts.signedAt ? { signedAt: opts.signedAt } : {}),
+        };
+    }
+}
+/**
+ * Verify a workflow receipt fully and offline: the signature + the per-node
+ * in-bounds recompute + the DAG (acyclic, real edges) + the cross-node
+ * information flow. Never throws — failures surface as `ok:false` + `reason`.
+ */
+export function verifyWorkflowReceipt(wr, flow) {
+    // 1. signature + rootHash (the receipt is bound to its node set).
+    const recomputedRoot = sha256Hex(canonicalize(nodesForHash(wr.nodes)));
+    const rootOk = recomputedRoot === wr.rootHash;
+    let sigOnly = false;
+    try {
+        const body = canonicalize({ kind: wr.kind, principal: wr.principal, rootHash: wr.rootHash });
+        sigOnly = edVerify(null, Buffer.from(body, "utf8"), importPublicKey(wr.publicKey), Buffer.from(wr.signature, "base64"));
+    }
+    catch {
+        sigOnly = false;
+    }
+    const signatureOk = sigOnly && rootOk;
+    // 2. per-node in-bounds, recomputed from the signed events (not trusted).
+    const outOfBoundsNodes = wr.nodes.filter((n) => !n.events.every((e) => n.boundary.includes(e.tool))).map((n) => n.id);
+    const nodesOk = outOfBoundsNodes.length === 0;
+    // 3. DAG well-formed + 4. information flow.
+    let dagOk = true;
+    let leaks = [];
+    try {
+        topoOrder(wr.nodes); // throws on cycle / unknown edge
+        if (flow)
+            leaks = recomputeFlow(wr.nodes, flow);
+    }
+    catch {
+        dagOk = false;
+    }
+    const flowOk = leaks.length === 0;
+    const ok = signatureOk && nodesOk && dagOk && flowOk;
+    let reason = null;
+    if (!signatureOk)
+        reason = rootOk ? "signature did not verify" : "rootHash does not match the node set (tampered)";
+    else if (!dagOk)
+        reason = "workflow graph is cyclic or references an unknown node";
+    else if (!nodesOk)
+        reason = `nodes out of bounds: ${outOfBoundsNodes.join(", ")}`;
+    else if (!flowOk)
+        reason = `information-flow leak: ${leaks.map((l) => `${l.node}→${l.sink}`).join(", ")}`;
+    return { ok, signatureOk, dagOk, nodesOk, flowOk, leaks, outOfBoundsNodes, reason };
+}

package/examples/cage-quickstart.mjs

@@ -0,0 +1,37 @@
+// The 5-minute drop-in, end to end. Run:  node examples/cage-quickstart.mjs
+//
+// You ship an AI agent that takes actions for a customer. They won't take your
+// word that it stayed in bounds. So: cage its tool calls, and hand them a
+// receipt they verify themselves — trust the math, not you.
+import { Cage, generateKeypair, verifyReceipt } from "../dist/index.js";
+
+// 1. Declare the agent's capability boundary (what it's allowed to touch).
+const cage = new Cage({
+  principal: "spiffe://acme/support-agent", // any stable id keyed to a key, not a name
+  allowedTools: ["search", "read_ticket", "send_reply", "refund"],
+});
+
+// 2. Wrap each tool. A guard adds a finer runtime check (never refund over $50).
+const search = cage.tool("search", async (q) => `(results for "${q}")`);
+const reply = cage.tool("send_reply", async (msg) => `sent: ${msg}`);
+const refund = cage.tool("refund", async (cents) => `refunded ${cents}c`, { guard: (c) => c <= 5000 });
+const wire = cage.tool("wire_transfer", async (acct) => `wired to ${acct}`); // NOT granted
+
+// 3. Run your agent — calling ONLY the caged tools.
+await search("refund policy");
+await reply("Here's our policy …");
+try { await refund(999999); } catch (e) { console.log("⛔ guard blocked over-cap refund:", e.message); }
+try { await wire("0xbad"); } catch (e) { console.log("⛔ blocked out-of-boundary tool:", e.message); }
+
+// 4. Emit a signed receipt and hand it to your customer.
+const { privateKey } = generateKeypair();
+const receipt = cage.attest(privateKey);
+
+// 5. THEY verify it — offline, no trust in you. (Or: npx @coproduct_inc/verify receipt.json)
+const report = verifyReceipt(receipt);
+console.log("\nreceipt verified:", report.ok ? "✓ clean run" : "✗ " + report.reason);
+console.log("  signature ok :", report.signatureOk);
+console.log("  in bounds    :", report.inBounds, "(every call was to an allowed tool)");
+console.log("  recorded calls:", receipt.events.map((e) => e.tool).join(", "));
+console.log("\nThe receipt is the wedge: useful to you alone today, more valuable as a");
+console.log("network of recomputable receipts forms. Don't trust the seller — recompute.");

package/examples/converting-demo.sh

@@ -0,0 +1,117 @@
+#!/usr/bin/env bash
+# converting-demo.sh — the 90-second "verify, don't trust" demo.
+#
+# Four beats: clean attests · OpenClaw bypass refused · FORGED verdict caught ·
+# CI gate. The money beat is #3 — an independent recompute catches a forged
+# claim that a *signed log* would wave through. That is the line between
+# "we have receipts too" and verifiable evidence.
+#
+# Runs against the PUBLISHED package by default (the real install story):
+#   bash examples/converting-demo.sh
+# Use the local build instead (no network):
+#   pnpm build && LOCAL=1 bash examples/converting-demo.sh
+# Pacing for screen-recording (pause between beats):
+#   PAUSE=1 bash examples/converting-demo.sh
+#
+# Requires: node, and (default mode) npx with network. Trace fixtures are the
+# real output of crates/nucleus-policy/examples/emit_toolproxy_trace.rs.
+
+set -u
+HERE="$(cd "$(dirname "$0")" && pwd)"
+CLEAN_TRACE="$HERE/sample-toolproxy-trace.clean.json"
+# Beat 2 uses the OpenClaw impersonation trace (principal mismatch under an
+# allowlisted display name). sample-toolproxy-trace.bypass.json (a tool-not-
+# allowed git_push) is the other refusal mode, gated by verify-gate.yml.
+BYPASS_TRACE="$HERE/sample-toolproxy-trace.openclaw.json"
+PRINCIPAL="spiffe://acme.example/agent/billing-assistant"
+TMP="$(mktemp -d)"
+trap 'rm -rf "$TMP"' EXIT
+
+if [ "${LOCAL:-0}" = "1" ]; then
+  DIST="$HERE/../dist"
+  ATTEST=(node "$DIST/producer-cli.js")
+  VERIFY=(node "$DIST/cli.js")
+  SRC="local build ($DIST)"
+else
+  PKG="@coproduct_inc/verify@${VERIFY_VERSION:-latest}"
+  ATTEST=(npx --yes -p "$PKG" nucleus-attest)
+  VERIFY=(npx --yes -p "$PKG" nucleus-verify)
+  SRC="published npm package $PKG"
+fi
+
+bold() { printf "\033[1m%s\033[0m\n" "$*"; }
+dim()  { printf "\033[2m%s\033[0m\n" "$*"; }
+ok()   { printf "\033[32m%s\033[0m\n" "$*"; }
+bad()  { printf "\033[31m%s\033[0m\n" "$*"; }
+beat() { echo; bold "── $* ──"; [ "${PAUSE:-0}" = "1" ] && read -r -p "  (enter)…" _ || true; }
+
+echo
+bold "@coproduct_inc/verify — verify, don't trust"
+dim  "source: $SRC"
+dim  "An agent run's tool-call trace + a declared capability boundary →"
+dim  "a signed, OFFLINE-verifiable in-bounds attestation. We don't trust the"
+dim  "issuer's verdict — we recompute it."
+
+# ── Beat 1: a clean run attests ──────────────────────────────────────────────
+beat "1/4  Clean run → ATTESTS (exit 0)"
+dim "nucleus-attest < clean-trace  →  nucleus-verify"
+"${ATTEST[@]}" "$CLEAN_TRACE" > "$TMP/clean.json" 2> "$TMP/clean.err"
+if "${VERIFY[@]}" "$TMP/clean.json" --expect-principal "$PRINCIPAL"; then
+  ok "  → exit 0. Auditor-grade evidence the agent stayed inside its boundary."
+else
+  bad "  unexpected: clean run did not verify"; exit 1
+fi
+
+# ── Beat 2: the OpenClaw bypass is refused ───────────────────────────────────
+beat "2/4  OpenClaw bypass (display-name match, principal mismatch) → REFUSED (exit 1)"
+dim "An injected call wears the allowlisted display name but a different SPIFFE id."
+"${ATTEST[@]}" "$BYPASS_TRACE" > "$TMP/bypass.json" 2> "$TMP/bypass.err"
+if "${VERIFY[@]}" "$TMP/bypass.json"; then
+  bad "  unexpected: bypass verified (should refuse)"; exit 1
+else
+  ok "  → exit 1. CVE-2026-25253's failure class, ruled out by construction"
+  ok "    (the boundary is keyed on the cryptographic principal, never the name)."
+fi
+
+# ── Beat 3: the money beat — a forged verdict is caught ───────────────────────
+beat "3/4  FORGE the verdict (claim inBounds:true) → CAUGHT"
+dim "A signed LOG would trust this. We recompute the verdict independently."
+node -e '
+  const fs = require("fs");
+  const r = JSON.parse(fs.readFileSync(process.argv[1], "utf8"));
+  r.verdict.inBounds = true;
+  r.verdict.events = r.verdict.events.map(e => ({...e, inBounds:true, code:"ok", detail:"in bounds"}));
+  fs.writeFileSync(process.argv[2], JSON.stringify(r));
+' "$TMP/bypass.json" "$TMP/forged.json"
+"${VERIFY[@]}" "$TMP/forged.json" --json > "$TMP/forged.report.json" 2>/dev/null || true
+SIG=$(node -e 'console.log(require(process.argv[1]).signatureOk)' "$TMP/forged.report.json")
+CONS=$(node -e 'console.log(require(process.argv[1]).verdictConsistentOk)' "$TMP/forged.report.json")
+OKV=$(node -e 'console.log(require(process.argv[1]).ok)' "$TMP/forged.report.json")
+echo "  signatureOk=$SIG  verdictConsistentOk=$CONS  ok=$OKV"
+if [ "$OKV" = "false" ] && [ "$CONS" = "false" ]; then
+  ok "  → REJECTED two independent ways: the recompute disagrees with the claim,"
+  ok "    AND the signature (taken over the honest verdict) no longer verifies."
+  ok "    THIS is verifiable evidence, not a signed log you have to trust."
+else
+  bad "  unexpected: forged receipt was not caught"; exit 1
+fi
+
+# ── Beat 4: it's a CI merge gate, not a dashboard ────────────────────────────
+beat "4/4  It's a merge gate, not a dashboard"
+dim "Drop the Action in a PR; an out-of-bounds run fails the build:"
+cat <<'YAML'
+  - uses: coproduct-private/spiffy/packages/nucleus-verify@main
+    with:
+      receipt: ./agent-run-receipt.json
+      expect-principal: spiffe://acme/agent/billing-assistant
+YAML
+ok "  clean → check passes · out-of-bounds → check fails. Exit codes are the gate."
+
+echo
+bold "Summary"
+echo "  • Works above ANY runtime/guardrail (incl. Microsoft AGT) — neutral verifier."
+echo "  • Offline, zero runtime deps (node:crypto). 30-second npx drop-in."
+echo "  • The verdict logic is backed by machine-checked theorems (IFC noninterference)."
+echo "  • Honest scope: attests the DECLARED boundary over the OBSERVED trace —"
+echo "    completeness of trace capture is the runtime's job."
+ok "DEMO OK ✓"

package/examples/sample-toolproxy-trace.bypass.json

@@ -0,0 +1,34 @@
+{
+  "boundary": {
+    "allowedTools": [
+      "read_files",
+      "glob_search",
+      "grep_search"
+    ],
+    "principal": "spiffe://acme.example/agent/billing-assistant"
+  },
+  "records": [
+    {
+      "actor": "spiffe://acme.example/agent/billing-assistant",
+      "deny_reason": "",
+      "operation": "glob_search",
+      "subject": "invoices/*.pdf",
+      "verdict": "allow"
+    },
+    {
+      "actor": "spiffe://acme.example/agent/billing-assistant",
+      "deny_reason": "",
+      "operation": "read_files",
+      "subject": "invoices/2026-06.pdf",
+      "verdict": "allow"
+    },
+    {
+      "actor": "spiffe://acme.example/agent/billing-assistant",
+      "deny_reason": "operation outside declared task allowlist",
+      "operation": "git_push",
+      "subject": "refs/heads/main",
+      "verdict": "deny"
+    }
+  ],
+  "taskHashHex": "8aa9199f47bc66272e3a40e87d8ef6daeec2e905e5a723252e615c45c4376888"
+}

package/examples/sample-toolproxy-trace.clean.json

@@ -0,0 +1,41 @@
+{
+  "boundary": {
+    "allowedTools": [
+      "read_files",
+      "glob_search",
+      "grep_search"
+    ],
+    "principal": "spiffe://acme.example/agent/billing-assistant"
+  },
+  "records": [
+    {
+      "actor": "spiffe://acme.example/agent/billing-assistant",
+      "deny_reason": "",
+      "operation": "glob_search",
+      "subject": "invoices/*.pdf",
+      "verdict": "allow"
+    },
+    {
+      "actor": "spiffe://acme.example/agent/billing-assistant",
+      "deny_reason": "",
+      "operation": "read_files",
+      "subject": "invoices/2026-06.pdf",
+      "verdict": "allow"
+    },
+    {
+      "actor": "spiffe://acme.example/agent/billing-assistant",
+      "deny_reason": "",
+      "operation": "grep_search",
+      "subject": "TOTAL",
+      "verdict": "allow"
+    },
+    {
+      "actor": "spiffe://acme.example/agent/billing-assistant",
+      "deny_reason": "",
+      "operation": "read_files",
+      "subject": "invoices/2026-05.pdf",
+      "verdict": "allow"
+    }
+  ],
+  "taskHashHex": "8aa9199f47bc66272e3a40e87d8ef6daeec2e905e5a723252e615c45c4376888"
+}

package/examples/sample-toolproxy-trace.openclaw.json

@@ -0,0 +1,24 @@
+{
+  "boundary": {
+    "principal": "spiffe://acme.example/agent/billing-assistant",
+    "allowedTools": ["read_files", "glob_search", "grep_search"]
+  },
+  "_note": "OpenClaw-class impersonation trace (CVE-2026-25253 shape): event #1 wears the allowlisted displayName 'Billing Assistant' but carries an ATTACKER SPIFFE id. Real export shape; the boundary is keyed on the cryptographic principal, so the receipt refuses to attest it.",
+  "records": [
+    {
+      "actor": "spiffe://acme.example/agent/billing-assistant",
+      "operation": "glob_search",
+      "verdict": "allow",
+      "subject": "invoices/*.pdf",
+      "deny_reason": ""
+    },
+    {
+      "actor": "spiffe://acme.example/agent/unknown-7f3a",
+      "operation": "read_files",
+      "verdict": "deny",
+      "subject": "invoices/2026-06.pdf",
+      "displayName": "Billing Assistant",
+      "deny_reason": "presented identity not bound to the declared principal"
+    }
+  ]
+}

package/examples/workflow-leak.mjs

@@ -0,0 +1,40 @@
+// The DAG cage, end to end — and the failure that only exists at multi-agent
+// scale. Run:  node examples/workflow-leak.mjs
+//
+// A single agent you can eyeball. A DAG of agents you can't: every node passes
+// its OWN check, yet a secret launders through the pipeline to a public write.
+// Per-node review misses it. The workflow receipt catches it.
+import { Workflow, verifyWorkflowReceipt, generateKeypair } from "../dist/index.js";
+
+// A 3-agent intake pipeline: reader → enricher → publisher.
+const wf = new Workflow("spiffe://acme/intake-pipeline");
+const reader = wf.node({ id: "reader", boundary: ["read_secret", "emit"] });
+const enrich = wf.node({ id: "enricher", boundary: ["transform", "emit"], after: ["reader"] });
+const publish = wf.node({ id: "publisher", boundary: ["publish"], after: ["enricher"] });
+
+// Run your agents through the caged tools. Each node only touches tools it's
+// allowed to — locally, everything is in policy.
+reader.tool("read_secret", () => "customer SSN")(); // allowed for the reader
+reader.tool("emit", (x) => x)();
+enrich.tool("transform", (x) => x)(); // an "innocent" pass-through middle
+enrich.tool("emit", (x) => x)();
+publish.tool("publish", (x) => x)(); // allowed for the publisher
+
+const { privateKey } = generateKeypair();
+const receipt = wf.attest(privateKey);
+
+// Your customer verifies the WHOLE DAG offline, with a flow policy:
+//   the secret source must never reach the public sink.
+const report = verifyWorkflowReceipt(receipt, { sources: ["read_secret"], sinks: ["publish"] });
+
+console.log("per-node review (what a code reviewer sees):");
+for (const n of receipt.nodes) console.log(`  ${n.id.padEnd(10)} in-bounds: ${n.inBounds}  (${n.events.map((e) => e.tool).join(", ")})`);
+console.log("\nevery node is in-bounds:", report.nodesOk);
+console.log("signature valid       :", report.signatureOk);
+console.log("\nwhole-workflow verdict:", report.ok ? "✓ ok" : "✗ " + report.reason);
+for (const l of report.leaks) console.log(`  ⛔ leak: a secret reaches "${l.sink}" at node "${l.node}" (${l.taintedVia})`);
+
+console.log("\nThe per-node checks ALL passed. Only the composition catches it.");
+console.log("Add a sanitizer? declare the middle a declassifier:");
+const fixed = verifyWorkflowReceipt(receipt, { sources: ["read_secret"], sinks: ["publish"], declassifiers: ["enricher"] });
+console.log("  with enricher sanitizing →", fixed.ok ? "✓ ok (flow broken)" : "✗ " + fixed.reason);

package/package.json

@@ -1,20 +1,26 @@
 {
   "name": "@coproduct_inc/verify",
-  "version": "0.2.0",
-  "description": "Offline, zero-trust verification of agent capability-boundary in-bounds attestation receipts: emit and verify an Ed25519-signed, hash-chained receipt that an agent run stayed within a declared boundary, keyed on a cryptographic principal (not a mutable display name) — the evidence layer above probabilistic guardrails. Also verifies Nucleus auction receipts by re-running the clearing locally. Zero runtime deps for the attestation core (node:crypto).",
+  "version": "0.5.0",
+  "description": "Offline, zero-trust verification of agent capability-boundary in-bounds attestation receipts: emit and verify an Ed25519-signed, hash-chained receipt that an agent run stayed within a declared boundary, keyed on a cryptographic principal (not a mutable display name) \u2014 the evidence layer above probabilistic guardrails. Also verifies Nucleus auction receipts by re-running the clearing locally. Zero runtime deps for the attestation core (node:crypto).",
   "license": "MIT",
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
   "bin": {
     "nucleus-verify": "dist/cli.js",
-    "nucleus-attest": "dist/producer-cli.js"
+    "nucleus-attest": "dist/producer-cli.js",
+    "nucleus-license": "dist/license-cli.js",
+    "nucleus-verify-claim": "dist/claim-cli.js"
   },
   "exports": {
     ".": {
       "types": "./dist/index.d.ts",
       "import": "./dist/index.js"
     },
+    "./workflow": {
+      "types": "./dist/workflow.d.ts",
+      "import": "./dist/workflow.js"
+    },
     "./attestation": {
       "types": "./dist/attestation.d.ts",
       "import": "./dist/attestation.js"
@@ -22,6 +28,14 @@
     "./toolproxy": {
       "types": "./dist/toolproxy.d.ts",
       "import": "./dist/toolproxy.js"
+    },
+    "./cage": {
+      "types": "./dist/cage.d.ts",
+      "import": "./dist/cage.js"
+    },
+    "./license": {
+      "types": "./dist/license.d.ts",
+      "import": "./dist/license.js"
     }
   },
   "files": [
@@ -32,7 +46,14 @@
     "wasm/nodejs/nucleus_wasm_bg.wasm",
     "wasm/nodejs/nucleus_wasm_bg.wasm.d.ts",
     "examples/openclaw-replay.mjs",
+    "examples/cage-quickstart.mjs",
+    "examples/workflow-leak.mjs",
+    "examples/converting-demo.sh",
+    "examples/sample-toolproxy-trace.clean.json",
+    "examples/sample-toolproxy-trace.bypass.json",
+    "examples/sample-toolproxy-trace.openclaw.json",
     "README.md",
+    "WHY-VERIFY.md",
     "CHANGELOG.md"
   ],
   "scripts": {
@@ -40,7 +61,8 @@
     "build": "tsc -p tsconfig.json",
     "typecheck": "tsc -p tsconfig.json --noEmit",
     "test": "node --test",
-    "demo": "node examples/openclaw-replay.mjs"
+    "demo": "node examples/openclaw-replay.mjs",
+    "build:browser": "esbuild src/attestation.browser.ts --bundle --format=esm --alias:node:crypto=./src/shim/node-crypto.mjs --banner:js=\"globalThis.Buffer||={from:(i,e)=>e==='base64'?Uint8Array.from(atob(i),c=>c.charCodeAt(0)):new TextEncoder().encode(i)};\" --outfile=dist/attestation.browser.js"
   },
   "keywords": [
     "nucleus",
@@ -63,5 +85,9 @@
   "devDependencies": {
     "@types/node": "^25.9.1",
     "typescript": "^5.7.2"
+  },
+  "dependencies": {
+    "@noble/ed25519": "3.1.0",
+    "@noble/hashes": "2.2.0"
   }
 }