@coproduct_inc/verify 0.3.0 → 0.5.0

package/CHANGELOG.md

@@ -2,6 +2,27 @@
 
 All notable changes to `@coproduct_inc/verify`.
 
+## 0.5.0
+
+- **`Workflow` — the DAG cage** (`./workflow`, re-exported from root). Compose a
+  multi-agent run into ONE signed `WorkflowReceipt`: register nodes (each a
+  `Cage`) with `after` edges, then `wf.attest(privateKey)`. `verifyWorkflowReceipt`
+  checks it offline — signature + per-node in-bounds recompute + the DAG (acyclic,
+  real edges) + a **cross-node information-flow policy** (`{ sources, sinks,
+  declassifiers }`). The keystone: every node can be locally in-bounds yet the
+  workflow refuses a run where a secret laundered source→…→sink across the DAG —
+  the failure that only exists at multi-agent scale, caught at the orchestration
+  layer. See `examples/workflow-leak.mjs`.
+
+## 0.4.0
+
+- **`Cage` — the 5-minute producer drop-in** (`./cage`, re-exported from root).
+  A runtime cage wraps an agent's tool calls (`cage.tool(name, fn, { guard,
+  subject })`): out-of-boundary calls are blocked, every call is recorded, and
+  `cage.attest(privateKey)` emits a signed in-bounds receipt the existing
+  `verifyReceipt` / CLI checks offline. Closes the loop — producers cage,
+  consumers verify, nobody trusts the seller. See `examples/cage-quickstart.mjs`.
+
 ## 0.3.0
 
 ### Added

package/README.md

@@ -12,6 +12,70 @@ Offline, **zero-trust** verification for Nucleus. Two receipt families share one
 
 ---
 
+## Cage your agent — the 5-minute drop-in
+
+You ship an agent that takes actions for a customer. They won't take your word
+that it stayed in bounds. **Cage its tool calls; hand them a receipt they verify
+themselves.** Useful to you alone today (a tighter agent + an artifact your
+customer can check); more valuable as a network of recomputable receipts forms.
+
+```ts
+import { Cage, generateKeypair, verifyReceipt } from "@coproduct_inc/verify";
+
+const cage = new Cage({
+  principal: "spiffe://acme/support-agent",          // a stable id, not a name
+  allowedTools: ["search", "read_ticket", "refund"], // its capability boundary
+});
+
+// Wrap each tool. Out-of-boundary calls are blocked; a guard adds a runtime
+// check (never refund over $50). Works for sync and async tools.
+const search = cage.tool("search", realSearch);
+const refund = cage.tool("refund", realRefund, { guard: (cents) => cents <= 5000 });
+const wire   = cage.tool("wire_transfer", realWire);  // NOT granted
+
+await search("refund policy");        // recorded: allow
+try { await wire("0xbad"); } catch {} // BLOCKED + recorded — your customer sees the attempt
+
+// Emit a signed receipt and hand it over:
+const { privateKey } = generateKeypair();
+const receipt = cage.attest(privateKey);
+
+// THEY verify it — offline, no trust in you (or: npx @coproduct_inc/verify receipt.json):
+const report = verifyReceipt(receipt);  // report.ok === clean run, in bounds, signature valid
+```
+
+Run it end to end: `node examples/cage-quickstart.mjs`. The receipt attests the
+**tool boundary** (every call was to a permitted tool); for argument-level
+*proofs* ("amount < cap over all inputs") see the bytecode prover.
+
+### Multi-agent? Compose the DAG — and catch what node-checks can't
+
+A single agent you can eyeball; a DAG of agents you can't. The dangerous failure
+only exists at DAG scale: **every node is locally in-bounds, yet a secret
+launders from a source, through an innocent middle, to a public sink.** Per-node
+review all passes; only the whole-workflow check catches it.
+
+```ts
+import { Workflow, verifyWorkflowReceipt, generateKeypair } from "@coproduct_inc/verify";
+
+const wf = new Workflow("spiffe://acme/intake-pipeline");
+const reader = wf.node({ id: "reader",    boundary: ["read_secret", "emit"] });
+const enrich = wf.node({ id: "enricher",  boundary: ["transform", "emit"], after: ["reader"] });
+const pub    = wf.node({ id: "publisher", boundary: ["publish"],          after: ["enricher"] });
+// …run your agents through reader/enrich/pub's caged tools…
+
+const receipt = wf.attest(generateKeypair().privateKey);
+
+verifyWorkflowReceipt(receipt, { sources: ["read_secret"], sinks: ["publish"] });
+// → nodesOk: true (every node in-bounds) … but ok: false, flowOk: false:
+//   "information-flow leak: publisher→publish" — the secret reached the sink across the DAG.
+```
+
+It rides on whatever orchestrator you already use (LangGraph, Temporal, CrewAI…)
+— you cage the tools, not the framework. Run it: `node examples/workflow-leak.mjs`.
+
+---
+
 ## In-bounds attestation — the drop-in
 
 ```ts

package/dist/attestation.browser.d.ts

@@ -0,0 +1 @@
+export { verifyReceipt, verifyReceiptJson, recomputeVerdict, canonicalize, rootHash, makeBoundary, permissionFingerprint, } from "./attestation.js";

package/dist/attestation.browser.js

@@ -0,0 +1,3 @@
+// Browser-only entry: the SAME in-bounds attestation verifier, with node:crypto
+// aliased to a @noble shim at bundle time. Verify-only (no signReceipt).
+export { verifyReceipt, verifyReceiptJson, recomputeVerdict, canonicalize, rootHash, makeBoundary, permissionFingerprint, } from "./attestation.js";

package/dist/cage.d.ts

@@ -0,0 +1,54 @@
+import type { KeyObject } from "node:crypto";
+import type { Receipt } from "./attestation.js";
+import { type ToolProxyExport } from "./toolproxy.js";
+/** Thrown when a caged tool call violates policy (and is blocked). */
+export declare class CageDenied extends Error {
+    readonly tool: string;
+    constructor(tool: string, message: string);
+}
+export interface CageOptions {
+    /** Cryptographic principal the receipt is keyed on — a stable id (SPIFFE id,
+     *  key fingerprint, anything), NOT a mutable display name. */
+    principal: string;
+    /** The tools this agent is permitted to call — its capability boundary. A call
+     *  to anything else is denied and recorded. */
+    allowedTools: string[];
+}
+export interface ToolOptions<A extends unknown[]> {
+    /** A per-call predicate to deny an in-boundary tool on specific arguments
+     *  (e.g. only allow `pay` below a cap). Returning false → blocked at runtime +
+     *  recorded as a deny. NOTE: the receipt attests the TOOL boundary (tool ∈
+     *  allowedTools); a guard is finer RUNTIME hardening — a guard-denied call to
+     *  an allowed tool is still "in bounds" in the receipt (the tool was permitted).
+     *  Argument-level *proof* (e.g. "amount < cap over all inputs") is the
+     *  bytecode prover's job, not this receipt's. */
+    guard?: (...args: A) => boolean;
+    /** Bind the call to its target (a URL, path, counterparty…) — recorded as a
+     *  digest in the receipt, so the receipt is specific to what was acted on. */
+    subject?: (...args: A) => string;
+}
+/**
+ * A runtime cage for an agent's tool calls. Wrap each tool with {@link Cage.tool};
+ * every call is policy-checked and recorded, and a denied call is BLOCKED. At the
+ * end {@link Cage.attest} signs an in-bounds receipt verifiable offline by this
+ * same package.
+ */
+export declare class Cage {
+    private readonly opts;
+    private readonly records;
+    constructor(opts: CageOptions);
+    /** Wrap a tool function so each call is caged + recorded. Works for sync and
+     *  async tools (a denied call throws `CageDenied` before the tool runs). */
+    tool<A extends unknown[], R>(name: string, fn: (...args: A) => R, options?: ToolOptions<A>): (...args: A) => R;
+    /** Record a call you invoke yourself (when wrapping the fn isn't convenient). */
+    record(name: string, allowed: boolean, subject?: string): void;
+    /** How many calls have been caged so far. */
+    get callCount(): number;
+    /** The raw verdict log — the tool-proxy export the verifier consumes. */
+    toExport(): ToolProxyExport;
+    /** Sign an in-bounds attestation receipt. Verify it anywhere with
+     *  `verifyReceipt` / the `@coproduct_inc/verify` CLI — no trust in you required. */
+    attest(privateKey: KeyObject, opts?: {
+        signedAt?: string;
+    }): Receipt;
+}

package/dist/cage.js

@@ -0,0 +1,66 @@
+import { attestToolProxyRun } from "./toolproxy.js";
+/** Thrown when a caged tool call violates policy (and is blocked). */
+export class CageDenied extends Error {
+    tool;
+    constructor(tool, message) {
+        super(message);
+        this.tool = tool;
+        this.name = "CageDenied";
+    }
+}
+/**
+ * A runtime cage for an agent's tool calls. Wrap each tool with {@link Cage.tool};
+ * every call is policy-checked and recorded, and a denied call is BLOCKED. At the
+ * end {@link Cage.attest} signs an in-bounds receipt verifiable offline by this
+ * same package.
+ */
+export class Cage {
+    opts;
+    records = [];
+    constructor(opts) {
+        this.opts = opts;
+    }
+    /** Wrap a tool function so each call is caged + recorded. Works for sync and
+     *  async tools (a denied call throws `CageDenied` before the tool runs). */
+    tool(name, fn, options) {
+        return (...args) => {
+            const inBoundary = this.opts.allowedTools.includes(name);
+            const guardOk = !options?.guard || options.guard(...args);
+            const ok = inBoundary && guardOk;
+            const rec = { operation: name, verdict: ok ? "allow" : "deny", actor: this.opts.principal };
+            const subject = options?.subject?.(...args);
+            if (subject)
+                rec.subject = subject;
+            this.records.push(rec);
+            if (!ok) {
+                throw new CageDenied(name, inBoundary
+                    ? `tool "${name}" denied by its guard on these arguments`
+                    : `tool "${name}" is outside the agent's capability boundary {${this.opts.allowedTools.join(", ")}}`);
+            }
+            return fn(...args);
+        };
+    }
+    /** Record a call you invoke yourself (when wrapping the fn isn't convenient). */
+    record(name, allowed, subject) {
+        const rec = { operation: name, verdict: allowed ? "allow" : "deny", actor: this.opts.principal };
+        if (subject)
+            rec.subject = subject;
+        this.records.push(rec);
+    }
+    /** How many calls have been caged so far. */
+    get callCount() {
+        return this.records.length;
+    }
+    /** The raw verdict log — the tool-proxy export the verifier consumes. */
+    toExport() {
+        return {
+            boundary: { principal: this.opts.principal, allowedTools: this.opts.allowedTools },
+            records: [...this.records],
+        };
+    }
+    /** Sign an in-bounds attestation receipt. Verify it anywhere with
+     *  `verifyReceipt` / the `@coproduct_inc/verify` CLI — no trust in you required. */
+    attest(privateKey, opts) {
+        return attestToolProxyRun(this.toExport(), privateKey, opts).receipt;
+    }
+}

package/dist/claim-cli.d.ts

@@ -0,0 +1,23 @@
+#!/usr/bin/env node
+/**
+ * `nucleus-verify-claim` — the **proof gate**. Adjudicate one or more
+ * recompute-verified claims and use the exit code as a CI/merge gate.
+ *
+ *   0  → every claim verified (or no claim files found, unless --require)
+ *   1  → at least one claim failed verification
+ *   2  → usage / I/O error
+ *
+ * Usage:
+ *   nucleus-verify-claim <claim.json...> [--summary <file>] [--json]
+ *                        [--require] [--quiet]
+ *
+ * Each `<claim.json>` holds a `Claim` (or an array of them). Evidence may be
+ * inlined (`evidence.receipt`) or referenced by path (`evidence.receiptPath`,
+ * resolved relative to the claim file) so a repo commits a small claim that
+ * points at a checked-in receipt.
+ *
+ * Designed as a drop-in GitHub Action step: writes a Markdown table to
+ * `--summary` (point it at `$GITHUB_STEP_SUMMARY`) and a one-line-per-claim
+ * log, then fails the job if any claim did not recompute.
+ */
+export {};

package/dist/claim-cli.js

@@ -0,0 +1,185 @@
+#!/usr/bin/env node
+/**
+ * `nucleus-verify-claim` — the **proof gate**. Adjudicate one or more
+ * recompute-verified claims and use the exit code as a CI/merge gate.
+ *
+ *   0  → every claim verified (or no claim files found, unless --require)
+ *   1  → at least one claim failed verification
+ *   2  → usage / I/O error
+ *
+ * Usage:
+ *   nucleus-verify-claim <claim.json...> [--summary <file>] [--json]
+ *                        [--require] [--quiet]
+ *
+ * Each `<claim.json>` holds a `Claim` (or an array of them). Evidence may be
+ * inlined (`evidence.receipt`) or referenced by path (`evidence.receiptPath`,
+ * resolved relative to the claim file) so a repo commits a small claim that
+ * points at a checked-in receipt.
+ *
+ * Designed as a drop-in GitHub Action step: writes a Markdown table to
+ * `--summary` (point it at `$GITHUB_STEP_SUMMARY`) and a one-line-per-claim
+ * log, then fails the job if any claim did not recompute.
+ */
+import { readFileSync, writeFileSync, appendFileSync } from "node:fs";
+import { dirname, resolve } from "node:path";
+import { verifyClaim } from "./claim.js";
+const HELP = `nucleus-verify-claim — recompute-verified proof gate
+
+USAGE:
+  nucleus-verify-claim <claim.json...> [options]
+
+OPTIONS:
+  --summary <file>   append a Markdown result table to <file>
+                     (use "$GITHUB_STEP_SUMMARY" inside a GitHub Action)
+  --json             print the full verdicts as JSON to stdout
+  --require          fail (exit 1) if NO claim files were supplied/matched
+  --quiet            suppress per-claim log lines (exit code + summary only)
+  -h, --help         show this help
+
+EXIT CODES:
+  0  all claims verified        1  a claim failed / none found with --require        2  usage / I/O error`;
+function parseArgs(argv) {
+    const args = { paths: [], json: false, require: false, quiet: false, help: false };
+    for (let i = 0; i < argv.length; i++) {
+        const a = argv[i];
+        switch (a) {
+            case "-h":
+            case "--help":
+                args.help = true;
+                break;
+            case "--json":
+                args.json = true;
+                break;
+            case "--require":
+                args.require = true;
+                break;
+            case "--quiet":
+                args.quiet = true;
+                break;
+            case "--summary":
+                args.summary = argv[++i];
+                break;
+            default:
+                if (a.startsWith("--"))
+                    throw new Error(`unknown option ${a}`);
+                args.paths.push(a);
+        }
+    }
+    return args;
+}
+/** Load the claims from one file, resolving any `receiptPath` against it. */
+function loadClaims(path) {
+    const raw = JSON.parse(readFileSync(path, "utf8"));
+    const entries = Array.isArray(raw) ? raw : [raw];
+    return entries.map((entry) => {
+        const ev = entry.evidence ?? {};
+        if (ev.receiptPath && ev.receipt === undefined) {
+            const receiptText = readFileSync(resolve(dirname(path), ev.receiptPath), "utf8");
+            // Keep object receipts as objects (in_bounds) and string receipts as
+            // strings (clearing wire form) — try to parse, fall back to raw text.
+            let receipt;
+            try {
+                receipt = JSON.parse(receiptText);
+            }
+            catch {
+                receipt = receiptText;
+            }
+            return { ...entry, evidence: { ...ev, receipt } };
+        }
+        return entry;
+    });
+}
+function statusCell(v) {
+    return v.verified ? "✓ verified" : `✗ ${v.reason ?? "failed"}`;
+}
+function writeSummary(file, verdicts) {
+    const failed = verdicts.filter((v) => !v.verified).length;
+    const lines = [
+        "## Proof gate — recompute-verified claims",
+        "",
+        "| claim | kind | verdict |",
+        "| --- | --- | --- |",
+        ...verdicts.map((v) => `| ${escapePipes(v.statement)} | \`${v.kind}\` | ${escapePipes(statusCell(v))} |`),
+        "",
+        failed === 0
+            ? `**✓ all ${verdicts.length} claim${verdicts.length === 1 ? "" : "s"} recompute-verified.**`
+            : `**✗ ${failed} of ${verdicts.length} claim${verdicts.length === 1 ? "" : "s"} failed.**`,
+        "",
+    ];
+    // `$GITHUB_STEP_SUMMARY` is appended to across steps; honor that.
+    const body = lines.join("\n");
+    try {
+        appendFileSync(file, body + "\n");
+    }
+    catch {
+        writeFileSync(file, body + "\n");
+    }
+}
+function escapePipes(s) {
+    return s.replace(/\|/g, "\\|");
+}
+async function main() {
+    let args;
+    try {
+        args = parseArgs(process.argv.slice(2));
+    }
+    catch (e) {
+        process.stderr.write(`error: ${e.message}\n\n${HELP}\n`);
+        return 2;
+    }
+    if (args.help) {
+        process.stdout.write(HELP + "\n");
+        return 0;
+    }
+    if (args.paths.length === 0) {
+        if (args.require) {
+            process.stderr.write("error: no claim files supplied (--require)\n");
+            return 1;
+        }
+        process.stdout.write("proof gate: no claims to verify.\n");
+        return 0;
+    }
+    let claims;
+    try {
+        claims = args.paths.flatMap(loadClaims);
+    }
+    catch (e) {
+        process.stderr.write(`error: cannot read claims: ${e.message}\n`);
+        return 2;
+    }
+    const verdicts = [];
+    for (const claim of claims) {
+        verdicts.push(await verifyClaim(claim));
+    }
+    if (args.json) {
+        process.stdout.write(JSON.stringify(verdicts, null, 2) + "\n");
+    }
+    else if (!args.quiet) {
+        for (const v of verdicts) {
+            const mark = v.verified ? "✓" : "✗";
+            const stream = v.verified ? process.stdout : process.stderr;
+            stream.write(`${mark} [${v.kind}] ${v.statement} — ${statusCell(v)}\n`);
+            if (!v.verified) {
+                for (const step of v.trace.filter((s) => !s.ok)) {
+                    stream.write(`    ↳ ${step.check}${step.detail ? `: ${step.detail}` : ""}\n`);
+                }
+            }
+        }
+    }
+    if (args.summary) {
+        try {
+            writeSummary(args.summary, verdicts);
+        }
+        catch (e) {
+            process.stderr.write(`warning: could not write summary: ${e.message}\n`);
+        }
+    }
+    const failed = verdicts.filter((v) => !v.verified).length;
+    if (!args.quiet) {
+        process.stdout.write(failed === 0
+            ? `proof gate: ✓ ${verdicts.length} verified.\n`
+            : `proof gate: ✗ ${failed} of ${verdicts.length} failed.\n`);
+    }
+    return failed === 0 ? 0 : 1;
+}
+main().then((code) => process.exit(code));

package/dist/claim.d.ts

@@ -0,0 +1,98 @@
+/**
+ * `claim.ts` — a **recompute-verified claim** façade.
+ *
+ * One uniform call — `verifyClaim(claim) → ClaimVerdict` — over the package's
+ * existing recompute engines, so any surface (a comment-box widget, a CI
+ * check, an MCP tool) can render a single ✓/✗ plus a human-readable recompute
+ * trace next to a claim, without knowing which engine adjudicated it.
+ *
+ * ## The honest boundary
+ *
+ * This verifies **only** claims that reduce to a *deterministic recomputation
+ * over committed evidence* — never arbitrary prose. A claim is adjudicable iff
+ * its value is the output of a pure function the caller can re-run from the
+ * cited inputs:
+ *
+ *   - `clearing`  — re-run an auction's clearing from its SIGNED bid set and
+ *                   check the receipt's price/winner (WASM kernel; the exact
+ *                   `verify` / `recomputeClearing` path).
+ *   - `in_bounds` — re-run an agent run's capability verdict from its tool
+ *                   trace + declared boundary (pure-node attestation engine).
+ *   - `signature` — authenticity only: Ed25519 + BLAKE3 root hash, no
+ *                   value recompute.
+ *
+ * Anything NOT reducible to a recompute (e.g. "10k users downloaded this")
+ * returns `verified: false` with an explicit `unsupported`/`reason` — it is
+ * never silently passed. `eval_score` and `dataset_aggregate` are the planned
+ * next kinds (see docs/RECOMPUTE-VERIFIED-CLAIMS.md); until wired they report
+ * unsupported rather than faking a check.
+ *
+ * ## Proof-carrying numbers
+ *
+ * When a claim carries an `asserted` value (the number a human wrote in prose,
+ * e.g. "cleared at 400000 µ$"), it is cross-checked against the recomputed
+ * value. A receipt that is authentic but whose prose number was altered fails
+ * (`verified: false`, `asserted.matched: false`) — the receipt can't lie, and
+ * neither can the sentence quoting it.
+ */
+/** The closed set of recomputable claim kinds. */
+export type ClaimKind = "clearing" | "in_bounds" | "signature";
+/** Evidence a claim is recomputed against. Shape depends on `kind`. */
+export interface ClaimEvidence {
+    /**
+     * For `clearing` / `signature`: the auction receipt as a JSON **string**
+     * (the hub's wire form). For `in_bounds`: the attestation receipt **object**
+     * (as produced by `signReceipt` / returned from a tool-proxy run).
+     */
+    receipt: string | Record<string, unknown>;
+    /** Pinned issuer JWKS JSON string. Required for `signature`; for `clearing`
+     *  it upgrades the check from recompute-only to recompute + signature. */
+    jwks?: string;
+    /** `in_bounds`: pin the expected cryptographic principal / public key. */
+    expectPrincipal?: string;
+    expectPublicKey?: string;
+}
+/** An author-asserted value to cross-check against the recompute. */
+export interface ClaimAssertion {
+    /** `clearing`: integer micro-USD price. `in_bounds`: boolean. */
+    value: number | boolean | string;
+}
+export interface Claim {
+    /** Human-readable statement rendered next to the ✓/✗. */
+    statement: string;
+    kind: ClaimKind;
+    evidence: ClaimEvidence;
+    /** Optional prose value to cross-check (proof-carrying numbers). */
+    asserted?: ClaimAssertion;
+}
+export interface ClaimTraceStep {
+    check: string;
+    ok: boolean;
+    detail?: string;
+}
+export interface ClaimVerdict {
+    /** The single boolean to gate the ✓/✗ on. */
+    verified: boolean;
+    kind: ClaimKind;
+    statement: string;
+    /** What the recompute produced (kind-specific), or null on a hard error. */
+    recomputed: {
+        label: string;
+        value: unknown;
+    } | null;
+    /** The author's asserted value + whether it matched the recompute. */
+    asserted: {
+        value: unknown;
+        matched: boolean;
+    } | null;
+    /** Ordered, human-readable trace of the checks that ran. */
+    trace: ClaimTraceStep[];
+    /** First failing reason, or null when verified. */
+    reason: string | null;
+}
+/**
+ * Adjudicate a claim by recomputation. Never throws — a malformed receipt,
+ * an unknown kind, or an engine error surface as `verified: false` with a
+ * `reason`, so the widget can always render a definite ✓/✗.
+ */
+export declare function verifyClaim(claim: Claim): Promise<ClaimVerdict>;

package/dist/claim.js

@@ -0,0 +1,186 @@
+/**
+ * `claim.ts` — a **recompute-verified claim** façade.
+ *
+ * One uniform call — `verifyClaim(claim) → ClaimVerdict` — over the package's
+ * existing recompute engines, so any surface (a comment-box widget, a CI
+ * check, an MCP tool) can render a single ✓/✗ plus a human-readable recompute
+ * trace next to a claim, without knowing which engine adjudicated it.
+ *
+ * ## The honest boundary
+ *
+ * This verifies **only** claims that reduce to a *deterministic recomputation
+ * over committed evidence* — never arbitrary prose. A claim is adjudicable iff
+ * its value is the output of a pure function the caller can re-run from the
+ * cited inputs:
+ *
+ *   - `clearing`  — re-run an auction's clearing from its SIGNED bid set and
+ *                   check the receipt's price/winner (WASM kernel; the exact
+ *                   `verify` / `recomputeClearing` path).
+ *   - `in_bounds` — re-run an agent run's capability verdict from its tool
+ *                   trace + declared boundary (pure-node attestation engine).
+ *   - `signature` — authenticity only: Ed25519 + BLAKE3 root hash, no
+ *                   value recompute.
+ *
+ * Anything NOT reducible to a recompute (e.g. "10k users downloaded this")
+ * returns `verified: false` with an explicit `unsupported`/`reason` — it is
+ * never silently passed. `eval_score` and `dataset_aggregate` are the planned
+ * next kinds (see docs/RECOMPUTE-VERIFIED-CLAIMS.md); until wired they report
+ * unsupported rather than faking a check.
+ *
+ * ## Proof-carrying numbers
+ *
+ * When a claim carries an `asserted` value (the number a human wrote in prose,
+ * e.g. "cleared at 400000 µ$"), it is cross-checked against the recomputed
+ * value. A receipt that is authentic but whose prose number was altered fails
+ * (`verified: false`, `asserted.matched: false`) — the receipt can't lie, and
+ * neither can the sentence quoting it.
+ */
+import { verify, recomputeClearing } from "./index.js";
+import { verifyReceipt } from "./attestation.js";
+function receiptJson(ev) {
+    return typeof ev.receipt === "string" ? ev.receipt : JSON.stringify(ev.receipt);
+}
+/**
+ * Adjudicate a claim by recomputation. Never throws — a malformed receipt,
+ * an unknown kind, or an engine error surface as `verified: false` with a
+ * `reason`, so the widget can always render a definite ✓/✗.
+ */
+export async function verifyClaim(claim) {
+    const base = { kind: claim.kind, statement: claim.statement };
+    try {
+        switch (claim.kind) {
+            case "clearing":
+                return await verifyClearingClaim(claim, base);
+            case "in_bounds":
+                return verifyInBoundsClaim(claim, base);
+            case "signature":
+                return await verifySignatureClaim(claim, base);
+            default:
+                return {
+                    ...base,
+                    verified: false,
+                    recomputed: null,
+                    asserted: null,
+                    trace: [{ check: "kind-supported", ok: false, detail: `unsupported kind: ${claim.kind}` }],
+                    reason: `unsupported claim kind: ${claim.kind} (not recomputable)`,
+                };
+        }
+    }
+    catch (e) {
+        return {
+            ...base,
+            verified: false,
+            recomputed: null,
+            asserted: null,
+            trace: [{ check: "engine", ok: false, detail: String(e) }],
+            reason: `recompute engine error: ${e instanceof Error ? e.message : String(e)}`,
+        };
+    }
+}
+async function verifyClearingClaim(claim, base) {
+    const json = receiptJson(claim.evidence);
+    const trace = [];
+    let recomputedPrice;
+    let coreOk;
+    let reason;
+    if (claim.evidence.jwks) {
+        // Full path: signature + root hash + price recompute.
+        const r = await verify(json, claim.evidence.jwks);
+        trace.push({ check: "signature", ok: r.signature_ok });
+        trace.push({ check: "root-hash", ok: r.root_hash_ok });
+        trace.push({ check: "price-recomputed", ok: r.price_recomputed_ok });
+        recomputedPrice = r.recomputed_price_micro_usd;
+        coreOk = r.ok;
+        reason = r.reason;
+    }
+    else {
+        // Recompute-only path (no pinned JWKS supplied).
+        const r = await recomputeClearing(json);
+        trace.push({ check: "price-recomputed", ok: r.matches_receipt });
+        trace.push({ check: "winner-recomputed", ok: r.winner_matches });
+        recomputedPrice = r.recomputed_price_micro_usd;
+        coreOk = r.matches_receipt;
+        reason = r.reason;
+    }
+    const asserted = crossCheck(claim.asserted, recomputedPrice, trace, "asserted-price");
+    return {
+        ...base,
+        verified: coreOk && (asserted?.matched ?? true),
+        recomputed: { label: "clearing_price_micro_usd", value: recomputedPrice },
+        asserted,
+        trace,
+        reason: !coreOk ? (reason ?? "clearing did not recompute") : assertedReason(asserted),
+    };
+}
+function verifyInBoundsClaim(claim, base) {
+    const receipt = typeof claim.evidence.receipt === "string"
+        ? JSON.parse(claim.evidence.receipt)
+        : claim.evidence.receipt;
+    const r = verifyReceipt(receipt, {
+        expectPrincipal: claim.evidence.expectPrincipal,
+        expectPublicKey: claim.evidence.expectPublicKey,
+    });
+    const trace = [
+        { check: "signature", ok: r.signatureOk },
+        { check: "root-hash", ok: r.rootHashOk },
+        { check: "verdict-consistent", ok: r.verdictConsistentOk },
+        { check: "in-bounds", ok: r.inBounds },
+    ];
+    if (claim.evidence.expectPrincipal !== undefined) {
+        trace.push({ check: "principal-pinned", ok: r.principalOk ?? false });
+    }
+    const asserted = crossCheck(claim.asserted, r.inBounds, trace, "asserted-in-bounds");
+    return {
+        ...base,
+        verified: r.ok && (asserted?.matched ?? true),
+        recomputed: { label: "in_bounds", value: r.inBounds },
+        asserted,
+        trace,
+        reason: !r.ok ? (r.reason ?? "attestation did not verify") : assertedReason(asserted),
+    };
+}
+async function verifySignatureClaim(claim, base) {
+    if (!claim.evidence.jwks) {
+        return {
+            ...base,
+            verified: false,
+            recomputed: null,
+            asserted: null,
+            trace: [{ check: "jwks-present", ok: false }],
+            reason: "signature claim requires evidence.jwks",
+        };
+    }
+    // Reuse the full verifier but gate on authenticity only (signature + root
+    // hash), not price correctness — the `signature` kind asserts provenance.
+    const r = await verify(receiptJson(claim.evidence), claim.evidence.jwks);
+    const ok = r.signature_ok && r.root_hash_ok;
+    return {
+        ...base,
+        verified: ok,
+        recomputed: { label: "authentic", value: ok },
+        asserted: null,
+        trace: [
+            { check: "signature", ok: r.signature_ok },
+            { check: "root-hash", ok: r.root_hash_ok },
+        ],
+        reason: ok ? null : (r.reason ?? "signature or root hash failed"),
+    };
+}
+/** Cross-check a prose-asserted value against the recomputed value. */
+function crossCheck(asserted, recomputed, trace, check) {
+    if (asserted === undefined)
+        return null;
+    const matched = asserted.value === recomputed;
+    trace.push({
+        check,
+        ok: matched,
+        detail: matched ? undefined : `asserted ${String(asserted.value)} ≠ recomputed ${String(recomputed)}`,
+    });
+    return { value: asserted.value, matched };
+}
+function assertedReason(asserted) {
+    if (asserted && !asserted.matched) {
+        return `asserted value (${String(asserted.value)}) does not match the recompute`;
+    }
+    return null;
+}

package/dist/index.d.ts

@@ -95,4 +95,7 @@ export declare function recomputeClearing(receiptJson: string): Promise<Recomput
 export declare function verifySignature(receiptJson: string, jwksJson: string): Promise<unknown>;
 export * from "./attestation.js";
 export * from "./toolproxy.js";
+export * from "./cage.js";
+export * from "./workflow.js";
 export * from "./license.js";
+export * from "./claim.js";

package/dist/index.js

@@ -70,6 +70,16 @@ export * from "./attestation.js";
 // Producer-side instrumentation: turn a nucleus-tool-proxy trace into a signed
 // in-bounds receipt. See `./toolproxy` and the `nucleus-attest` CLI.
 export * from "./toolproxy.js";
+// The 5-minute drop-in: a runtime `Cage` wraps an agent's tool calls (enforce +
+// record) and emits a signed receipt the lines above verify. See `./cage`.
+export * from "./cage.js";
+// The DAG cage: compose a multi-agent run into one verifiable `WorkflowReceipt`,
+// including the cross-node information flow ("locally fine, globally leaks").
+export * from "./workflow.js";
 // Offline Ed25519 license keys: entitlement with no user DB / no callback.
 // See `./license` and the `nucleus-license` CLI.
 export * from "./license.js";
+// Recompute-verified CLAIM façade: one `verifyClaim(claim) → ClaimVerdict`
+// over all of the above engines, for embeddable ✓/✗ + recompute-trace
+// widgets. See `./claim` and docs/RECOMPUTE-VERIFIED-CLAIMS.md.
+export * from "./claim.js";

package/dist/workflow.d.ts

@@ -0,0 +1,85 @@
+import { type KeyObject } from "node:crypto";
+import { Cage } from "./cage.js";
+import { type TraceEvent } from "./attestation.js";
+declare const WF_KIND = "nucleus.workflow-receipt.v1";
+export interface WorkflowNodeSpec {
+    /** Unique node id within the workflow. */
+    id: string;
+    /** This node's capability boundary (the tools it may call). */
+    boundary: string[];
+    /** Parent node ids — the DAG edges (data flows parent → this node). */
+    after?: string[];
+}
+export interface WorkflowReceiptNode {
+    id: string;
+    after: string[];
+    boundary: string[];
+    events: TraceEvent[];
+    /** Independently recomputed by the verifier; the emitter's claim is not trusted. */
+    inBounds: boolean;
+}
+export interface WorkflowReceipt {
+    kind: typeof WF_KIND;
+    principal: string;
+    nodes: WorkflowReceiptNode[];
+    rootHash: string;
+    publicKey: string;
+    signature: string;
+    signedAt?: string;
+}
+/** An information-flow policy checked across the whole DAG. */
+export interface FlowPolicy {
+    /** Tools that introduce taint (e.g. reading a secret). */
+    sources: string[];
+    /** Tools that must never be reached while tainted (e.g. an external write). */
+    sinks: string[];
+    /** Nodes that sanitize — they clear incoming taint (a sanitizer in the chain). */
+    declassifiers?: string[];
+}
+export interface FlowLeak {
+    node: string;
+    sink: string;
+    taintedVia: "reads-source" | "upstream";
+}
+export interface WorkflowVerifyReport {
+    /** `signatureOk && dagOk && nodesOk && flowOk`. */
+    ok: boolean;
+    /** Ed25519 signature verifies AND the recomputed rootHash matches. */
+    signatureOk: boolean;
+    /** Edges reference real nodes and the graph is acyclic. */
+    dagOk: boolean;
+    /** Every node's recorded calls were within its declared boundary. */
+    nodesOk: boolean;
+    /** No source→sink information flow across the DAG (per the flow policy). */
+    flowOk: boolean;
+    /** The source→sink leaks found (empty when `flowOk`). */
+    leaks: FlowLeak[];
+    /** Nodes whose recompute found an out-of-boundary call. */
+    outOfBoundsNodes: string[];
+    reason: string | null;
+}
+/**
+ * A DAG cage. Register nodes (each gets a {@link Cage}), run your agents through
+ * the caged tools, then {@link Workflow.attest} a single signed receipt over the
+ * whole graph — verifiable offline, including the cross-node information flow.
+ */
+export declare class Workflow {
+    private readonly principal;
+    private readonly nodes;
+    constructor(principal: string);
+    /** Register a node and return its cage. The cage's tool calls are recorded
+     *  under this node; `after` declares the edges into it. */
+    node(spec: WorkflowNodeSpec): Cage;
+    private receiptNodes;
+    /** Sign one workflow receipt over the whole DAG. */
+    attest(privateKey: KeyObject, opts?: {
+        signedAt?: string;
+    }): WorkflowReceipt;
+}
+/**
+ * Verify a workflow receipt fully and offline: the signature + the per-node
+ * in-bounds recompute + the DAG (acyclic, real edges) + the cross-node
+ * information flow. Never throws — failures surface as `ok:false` + `reason`.
+ */
+export declare function verifyWorkflowReceipt(wr: WorkflowReceipt, flow?: FlowPolicy): WorkflowVerifyReport;
+export {};

package/dist/workflow.js

@@ -0,0 +1,179 @@
+// The DAG cage: compose a multi-agent run into ONE verifiable workflow receipt.
+//
+// A single agent you can eyeball; a DAG of agents you can't. The dangerous
+// failure mode only exists at DAG scale: every node is locally in-bounds, yet a
+// secret laundered from a source node, through an innocent middle, to a sink.
+// Per-node checks ALL pass; only the whole-workflow check catches it. This is
+// that check, at the orchestration layer — a receipt-level analog of the
+// bytecode noninterference proof, that rides on whatever orchestrator you use.
+//
+//   const wf = new Workflow("spiffe://acme/intake-pipeline");
+//   const reader   = wf.node({ id: "reader",   boundary: ["read_secret", "emit"] });
+//   const middle   = wf.node({ id: "middle",   boundary: ["transform", "emit"], after: ["reader"] });
+//   const writer   = wf.node({ id: "writer",   boundary: ["publish"],           after: ["middle"] });
+//   …run your agents, calling these caged tools…
+//   const receipt = wf.attest(privateKey);
+//
+//   // your customer verifies the whole DAG offline, including the flow policy:
+//   verifyWorkflowReceipt(receipt, { sources: ["read_secret"], sinks: ["publish"] });
+//   // → flowOk:false if a secret could reach `publish`, even though every node was in-bounds.
+import { createHash, createPublicKey, sign as edSign, verify as edVerify } from "node:crypto";
+import { Cage } from "./cage.js";
+import { canonicalize, exportPublicKey } from "./attestation.js";
+import { traceEventsFromRecords } from "./toolproxy.js";
+const WF_KIND = "nucleus.workflow-receipt.v1";
+function sha256Hex(s) {
+    return createHash("sha256").update(s).digest("hex");
+}
+function importPublicKey(x) {
+    return createPublicKey({ key: { kty: "OKP", crv: "Ed25519", x }, format: "jwk" });
+}
+/** Topological order of the node ids; throws on a cycle. */
+function topoOrder(nodes) {
+    const ids = new Set(nodes.map((n) => n.id));
+    const indeg = new Map();
+    const children = new Map();
+    for (const n of nodes) {
+        indeg.set(n.id, 0);
+        children.set(n.id, []);
+    }
+    for (const n of nodes) {
+        for (const p of n.after) {
+            if (!ids.has(p))
+                throw new Error(`edge from unknown node "${p}"`);
+            indeg.set(n.id, (indeg.get(n.id) ?? 0) + 1);
+            children.get(p).push(n.id);
+        }
+    }
+    const queue = [...indeg].filter(([, d]) => d === 0).map(([id]) => id);
+    const order = [];
+    while (queue.length) {
+        const id = queue.shift();
+        order.push(id);
+        for (const c of children.get(id)) {
+            indeg.set(c, indeg.get(c) - 1);
+            if (indeg.get(c) === 0)
+                queue.push(c);
+        }
+    }
+    if (order.length !== nodes.length)
+        throw new Error("workflow graph has a cycle");
+    return order;
+}
+/** Recompute information-flow taint across the DAG → the leaks (independent). */
+function recomputeFlow(nodes, flow) {
+    const sources = new Set(flow.sources);
+    const sinks = new Set(flow.sinks);
+    const declass = new Set(flow.declassifiers ?? []);
+    const byId = new Map(nodes.map((n) => [n.id, n]));
+    const tainted = new Map();
+    const leaks = [];
+    for (const id of topoOrder(nodes)) {
+        const n = byId.get(id);
+        const tools = new Set(n.events.map((e) => e.tool));
+        const readsSource = [...tools].some((t) => sources.has(t));
+        const parentTainted = n.after.some((p) => tainted.get(p));
+        const isTainted = declass.has(id) ? false : readsSource || parentTainted;
+        tainted.set(id, isTainted);
+        if (isTainted) {
+            for (const t of tools) {
+                if (sinks.has(t))
+                    leaks.push({ node: id, sink: t, taintedVia: readsSource ? "reads-source" : "upstream" });
+            }
+        }
+    }
+    return leaks;
+}
+function nodesForHash(nodes) {
+    return nodes.map((n) => ({ id: n.id, after: n.after, boundary: n.boundary, events: n.events }));
+}
+/**
+ * A DAG cage. Register nodes (each gets a {@link Cage}), run your agents through
+ * the caged tools, then {@link Workflow.attest} a single signed receipt over the
+ * whole graph — verifiable offline, including the cross-node information flow.
+ */
+export class Workflow {
+    principal;
+    nodes = new Map();
+    constructor(principal) {
+        this.principal = principal;
+    }
+    /** Register a node and return its cage. The cage's tool calls are recorded
+     *  under this node; `after` declares the edges into it. */
+    node(spec) {
+        if (this.nodes.has(spec.id))
+            throw new Error(`duplicate node id "${spec.id}"`);
+        const cage = new Cage({ principal: `${this.principal}#${spec.id}`, allowedTools: spec.boundary });
+        this.nodes.set(spec.id, { id: spec.id, after: spec.after ?? [], boundary: spec.boundary, cage });
+        return cage;
+    }
+    receiptNodes() {
+        return [...this.nodes.values()].map((n) => {
+            const events = traceEventsFromRecords(n.cage.toExport().records);
+            const inBounds = events.every((e) => n.boundary.includes(e.tool));
+            return { id: n.id, after: n.after, boundary: n.boundary, events, inBounds };
+        });
+    }
+    /** Sign one workflow receipt over the whole DAG. */
+    attest(privateKey, opts = {}) {
+        const nodes = this.receiptNodes();
+        const rootHash = sha256Hex(canonicalize(nodesForHash(nodes)));
+        const pub = createPublicKey(privateKey);
+        const body = canonicalize({ kind: WF_KIND, principal: this.principal, rootHash });
+        const signature = edSign(null, Buffer.from(body, "utf8"), privateKey).toString("base64");
+        return {
+            kind: WF_KIND,
+            principal: this.principal,
+            nodes,
+            rootHash,
+            publicKey: exportPublicKey(pub),
+            signature,
+            ...(opts.signedAt ? { signedAt: opts.signedAt } : {}),
+        };
+    }
+}
+/**
+ * Verify a workflow receipt fully and offline: the signature + the per-node
+ * in-bounds recompute + the DAG (acyclic, real edges) + the cross-node
+ * information flow. Never throws — failures surface as `ok:false` + `reason`.
+ */
+export function verifyWorkflowReceipt(wr, flow) {
+    // 1. signature + rootHash (the receipt is bound to its node set).
+    const recomputedRoot = sha256Hex(canonicalize(nodesForHash(wr.nodes)));
+    const rootOk = recomputedRoot === wr.rootHash;
+    let sigOnly = false;
+    try {
+        const body = canonicalize({ kind: wr.kind, principal: wr.principal, rootHash: wr.rootHash });
+        sigOnly = edVerify(null, Buffer.from(body, "utf8"), importPublicKey(wr.publicKey), Buffer.from(wr.signature, "base64"));
+    }
+    catch {
+        sigOnly = false;
+    }
+    const signatureOk = sigOnly && rootOk;
+    // 2. per-node in-bounds, recomputed from the signed events (not trusted).
+    const outOfBoundsNodes = wr.nodes.filter((n) => !n.events.every((e) => n.boundary.includes(e.tool))).map((n) => n.id);
+    const nodesOk = outOfBoundsNodes.length === 0;
+    // 3. DAG well-formed + 4. information flow.
+    let dagOk = true;
+    let leaks = [];
+    try {
+        topoOrder(wr.nodes); // throws on cycle / unknown edge
+        if (flow)
+            leaks = recomputeFlow(wr.nodes, flow);
+    }
+    catch {
+        dagOk = false;
+    }
+    const flowOk = leaks.length === 0;
+    const ok = signatureOk && nodesOk && dagOk && flowOk;
+    let reason = null;
+    if (!signatureOk)
+        reason = rootOk ? "signature did not verify" : "rootHash does not match the node set (tampered)";
+    else if (!dagOk)
+        reason = "workflow graph is cyclic or references an unknown node";
+    else if (!nodesOk)
+        reason = `nodes out of bounds: ${outOfBoundsNodes.join(", ")}`;
+    else if (!flowOk)
+        reason = `information-flow leak: ${leaks.map((l) => `${l.node}→${l.sink}`).join(", ")}`;
+    return { ok, signatureOk, dagOk, nodesOk, flowOk, leaks, outOfBoundsNodes, reason };
+}

package/examples/cage-quickstart.mjs

@@ -0,0 +1,37 @@
+// The 5-minute drop-in, end to end. Run:  node examples/cage-quickstart.mjs
+//
+// You ship an AI agent that takes actions for a customer. They won't take your
+// word that it stayed in bounds. So: cage its tool calls, and hand them a
+// receipt they verify themselves — trust the math, not you.
+import { Cage, generateKeypair, verifyReceipt } from "../dist/index.js";
+
+// 1. Declare the agent's capability boundary (what it's allowed to touch).
+const cage = new Cage({
+  principal: "spiffe://acme/support-agent", // any stable id keyed to a key, not a name
+  allowedTools: ["search", "read_ticket", "send_reply", "refund"],
+});
+
+// 2. Wrap each tool. A guard adds a finer runtime check (never refund over $50).
+const search = cage.tool("search", async (q) => `(results for "${q}")`);
+const reply = cage.tool("send_reply", async (msg) => `sent: ${msg}`);
+const refund = cage.tool("refund", async (cents) => `refunded ${cents}c`, { guard: (c) => c <= 5000 });
+const wire = cage.tool("wire_transfer", async (acct) => `wired to ${acct}`); // NOT granted
+
+// 3. Run your agent — calling ONLY the caged tools.
+await search("refund policy");
+await reply("Here's our policy …");
+try { await refund(999999); } catch (e) { console.log("⛔ guard blocked over-cap refund:", e.message); }
+try { await wire("0xbad"); } catch (e) { console.log("⛔ blocked out-of-boundary tool:", e.message); }
+
+// 4. Emit a signed receipt and hand it to your customer.
+const { privateKey } = generateKeypair();
+const receipt = cage.attest(privateKey);
+
+// 5. THEY verify it — offline, no trust in you. (Or: npx @coproduct_inc/verify receipt.json)
+const report = verifyReceipt(receipt);
+console.log("\nreceipt verified:", report.ok ? "✓ clean run" : "✗ " + report.reason);
+console.log("  signature ok :", report.signatureOk);
+console.log("  in bounds    :", report.inBounds, "(every call was to an allowed tool)");
+console.log("  recorded calls:", receipt.events.map((e) => e.tool).join(", "));
+console.log("\nThe receipt is the wedge: useful to you alone today, more valuable as a");
+console.log("network of recomputable receipts forms. Don't trust the seller — recompute.");

package/examples/workflow-leak.mjs

@@ -0,0 +1,40 @@
+// The DAG cage, end to end — and the failure that only exists at multi-agent
+// scale. Run:  node examples/workflow-leak.mjs
+//
+// A single agent you can eyeball. A DAG of agents you can't: every node passes
+// its OWN check, yet a secret launders through the pipeline to a public write.
+// Per-node review misses it. The workflow receipt catches it.
+import { Workflow, verifyWorkflowReceipt, generateKeypair } from "../dist/index.js";
+
+// A 3-agent intake pipeline: reader → enricher → publisher.
+const wf = new Workflow("spiffe://acme/intake-pipeline");
+const reader = wf.node({ id: "reader", boundary: ["read_secret", "emit"] });
+const enrich = wf.node({ id: "enricher", boundary: ["transform", "emit"], after: ["reader"] });
+const publish = wf.node({ id: "publisher", boundary: ["publish"], after: ["enricher"] });
+
+// Run your agents through the caged tools. Each node only touches tools it's
+// allowed to — locally, everything is in policy.
+reader.tool("read_secret", () => "customer SSN")(); // allowed for the reader
+reader.tool("emit", (x) => x)();
+enrich.tool("transform", (x) => x)(); // an "innocent" pass-through middle
+enrich.tool("emit", (x) => x)();
+publish.tool("publish", (x) => x)(); // allowed for the publisher
+
+const { privateKey } = generateKeypair();
+const receipt = wf.attest(privateKey);
+
+// Your customer verifies the WHOLE DAG offline, with a flow policy:
+//   the secret source must never reach the public sink.
+const report = verifyWorkflowReceipt(receipt, { sources: ["read_secret"], sinks: ["publish"] });
+
+console.log("per-node review (what a code reviewer sees):");
+for (const n of receipt.nodes) console.log(`  ${n.id.padEnd(10)} in-bounds: ${n.inBounds}  (${n.events.map((e) => e.tool).join(", ")})`);
+console.log("\nevery node is in-bounds:", report.nodesOk);
+console.log("signature valid       :", report.signatureOk);
+console.log("\nwhole-workflow verdict:", report.ok ? "✓ ok" : "✗ " + report.reason);
+for (const l of report.leaks) console.log(`  ⛔ leak: a secret reaches "${l.sink}" at node "${l.node}" (${l.taintedVia})`);
+
+console.log("\nThe per-node checks ALL passed. Only the composition catches it.");
+console.log("Add a sanitizer? declare the middle a declassifier:");
+const fixed = verifyWorkflowReceipt(receipt, { sources: ["read_secret"], sinks: ["publish"], declassifiers: ["enricher"] });
+console.log("  with enricher sanitizing →", fixed.ok ? "✓ ok (flow broken)" : "✗ " + fixed.reason);

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@coproduct_inc/verify",
-  "version": "0.3.0",
-  "description": "Offline, zero-trust verification of agent capability-boundary in-bounds attestation receipts: emit and verify an Ed25519-signed, hash-chained receipt that an agent run stayed within a declared boundary, keyed on a cryptographic principal (not a mutable display name) — the evidence layer above probabilistic guardrails. Also verifies Nucleus auction receipts by re-running the clearing locally. Zero runtime deps for the attestation core (node:crypto).",
+  "version": "0.5.0",
+  "description": "Offline, zero-trust verification of agent capability-boundary in-bounds attestation receipts: emit and verify an Ed25519-signed, hash-chained receipt that an agent run stayed within a declared boundary, keyed on a cryptographic principal (not a mutable display name) \u2014 the evidence layer above probabilistic guardrails. Also verifies Nucleus auction receipts by re-running the clearing locally. Zero runtime deps for the attestation core (node:crypto).",
   "license": "MIT",
   "type": "module",
   "main": "./dist/index.js",
@@ -9,13 +9,18 @@
   "bin": {
     "nucleus-verify": "dist/cli.js",
     "nucleus-attest": "dist/producer-cli.js",
-    "nucleus-license": "dist/license-cli.js"
+    "nucleus-license": "dist/license-cli.js",
+    "nucleus-verify-claim": "dist/claim-cli.js"
   },
   "exports": {
     ".": {
       "types": "./dist/index.d.ts",
       "import": "./dist/index.js"
     },
+    "./workflow": {
+      "types": "./dist/workflow.d.ts",
+      "import": "./dist/workflow.js"
+    },
     "./attestation": {
       "types": "./dist/attestation.d.ts",
       "import": "./dist/attestation.js"
@@ -24,6 +29,10 @@
       "types": "./dist/toolproxy.d.ts",
       "import": "./dist/toolproxy.js"
     },
+    "./cage": {
+      "types": "./dist/cage.d.ts",
+      "import": "./dist/cage.js"
+    },
     "./license": {
       "types": "./dist/license.d.ts",
       "import": "./dist/license.js"
@@ -37,6 +46,8 @@
     "wasm/nodejs/nucleus_wasm_bg.wasm",
     "wasm/nodejs/nucleus_wasm_bg.wasm.d.ts",
     "examples/openclaw-replay.mjs",
+    "examples/cage-quickstart.mjs",
+    "examples/workflow-leak.mjs",
     "examples/converting-demo.sh",
     "examples/sample-toolproxy-trace.clean.json",
     "examples/sample-toolproxy-trace.bypass.json",
@@ -50,7 +61,8 @@
     "build": "tsc -p tsconfig.json",
     "typecheck": "tsc -p tsconfig.json --noEmit",
     "test": "node --test",
-    "demo": "node examples/openclaw-replay.mjs"
+    "demo": "node examples/openclaw-replay.mjs",
+    "build:browser": "esbuild src/attestation.browser.ts --bundle --format=esm --alias:node:crypto=./src/shim/node-crypto.mjs --banner:js=\"globalThis.Buffer||={from:(i,e)=>e==='base64'?Uint8Array.from(atob(i),c=>c.charCodeAt(0)):new TextEncoder().encode(i)};\" --outfile=dist/attestation.browser.js"
   },
   "keywords": [
     "nucleus",
@@ -73,5 +85,9 @@
   "devDependencies": {
     "@types/node": "^25.9.1",
     "typescript": "^5.7.2"
+  },
+  "dependencies": {
+    "@noble/ed25519": "3.1.0",
+    "@noble/hashes": "2.2.0"
   }
 }