@coproduct_inc/verify 0.3.0 → 0.6.0

package/dist/claim.js

@@ -0,0 +1,186 @@
+/**
+ * `claim.ts` — a **recompute-verified claim** façade.
+ *
+ * One uniform call — `verifyClaim(claim) → ClaimVerdict` — over the package's
+ * existing recompute engines, so any surface (a comment-box widget, a CI
+ * check, an MCP tool) can render a single ✓/✗ plus a human-readable recompute
+ * trace next to a claim, without knowing which engine adjudicated it.
+ *
+ * ## The honest boundary
+ *
+ * This verifies **only** claims that reduce to a *deterministic recomputation
+ * over committed evidence* — never arbitrary prose. A claim is adjudicable iff
+ * its value is the output of a pure function the caller can re-run from the
+ * cited inputs:
+ *
+ *   - `clearing`  — re-run an auction's clearing from its SIGNED bid set and
+ *                   check the receipt's price/winner (WASM kernel; the exact
+ *                   `verify` / `recomputeClearing` path).
+ *   - `in_bounds` — re-run an agent run's capability verdict from its tool
+ *                   trace + declared boundary (pure-node attestation engine).
+ *   - `signature` — authenticity only: Ed25519 + BLAKE3 root hash, no
+ *                   value recompute.
+ *
+ * Anything NOT reducible to a recompute (e.g. "10k users downloaded this")
+ * returns `verified: false` with an explicit `unsupported`/`reason` — it is
+ * never silently passed. `eval_score` and `dataset_aggregate` are the planned
+ * next kinds (see docs/RECOMPUTE-VERIFIED-CLAIMS.md); until wired they report
+ * unsupported rather than faking a check.
+ *
+ * ## Proof-carrying numbers
+ *
+ * When a claim carries an `asserted` value (the number a human wrote in prose,
+ * e.g. "cleared at 400000 µ$"), it is cross-checked against the recomputed
+ * value. A receipt that is authentic but whose prose number was altered fails
+ * (`verified: false`, `asserted.matched: false`) — the receipt can't lie, and
+ * neither can the sentence quoting it.
+ */
+import { verify, recomputeClearing } from "./index.js";
+import { verifyReceipt } from "./attestation.js";
+function receiptJson(ev) {
+    return typeof ev.receipt === "string" ? ev.receipt : JSON.stringify(ev.receipt);
+}
+/**
+ * Adjudicate a claim by recomputation. Never throws — a malformed receipt,
+ * an unknown kind, or an engine error surface as `verified: false` with a
+ * `reason`, so the widget can always render a definite ✓/✗.
+ */
+export async function verifyClaim(claim) {
+    const base = { kind: claim.kind, statement: claim.statement };
+    try {
+        switch (claim.kind) {
+            case "clearing":
+                return await verifyClearingClaim(claim, base);
+            case "in_bounds":
+                return verifyInBoundsClaim(claim, base);
+            case "signature":
+                return await verifySignatureClaim(claim, base);
+            default:
+                return {
+                    ...base,
+                    verified: false,
+                    recomputed: null,
+                    asserted: null,
+                    trace: [{ check: "kind-supported", ok: false, detail: `unsupported kind: ${claim.kind}` }],
+                    reason: `unsupported claim kind: ${claim.kind} (not recomputable)`,
+                };
+        }
+    }
+    catch (e) {
+        return {
+            ...base,
+            verified: false,
+            recomputed: null,
+            asserted: null,
+            trace: [{ check: "engine", ok: false, detail: String(e) }],
+            reason: `recompute engine error: ${e instanceof Error ? e.message : String(e)}`,
+        };
+    }
+}
+async function verifyClearingClaim(claim, base) {
+    const json = receiptJson(claim.evidence);
+    const trace = [];
+    let recomputedPrice;
+    let coreOk;
+    let reason;
+    if (claim.evidence.jwks) {
+        // Full path: signature + root hash + price recompute.
+        const r = await verify(json, claim.evidence.jwks);
+        trace.push({ check: "signature", ok: r.signature_ok });
+        trace.push({ check: "root-hash", ok: r.root_hash_ok });
+        trace.push({ check: "price-recomputed", ok: r.price_recomputed_ok });
+        recomputedPrice = r.recomputed_price_micro_usd;
+        coreOk = r.ok;
+        reason = r.reason;
+    }
+    else {
+        // Recompute-only path (no pinned JWKS supplied).
+        const r = await recomputeClearing(json);
+        trace.push({ check: "price-recomputed", ok: r.matches_receipt });
+        trace.push({ check: "winner-recomputed", ok: r.winner_matches });
+        recomputedPrice = r.recomputed_price_micro_usd;
+        coreOk = r.matches_receipt;
+        reason = r.reason;
+    }
+    const asserted = crossCheck(claim.asserted, recomputedPrice, trace, "asserted-price");
+    return {
+        ...base,
+        verified: coreOk && (asserted?.matched ?? true),
+        recomputed: { label: "clearing_price_micro_usd", value: recomputedPrice },
+        asserted,
+        trace,
+        reason: !coreOk ? (reason ?? "clearing did not recompute") : assertedReason(asserted),
+    };
+}
+function verifyInBoundsClaim(claim, base) {
+    const receipt = typeof claim.evidence.receipt === "string"
+        ? JSON.parse(claim.evidence.receipt)
+        : claim.evidence.receipt;
+    const r = verifyReceipt(receipt, {
+        expectPrincipal: claim.evidence.expectPrincipal,
+        expectPublicKey: claim.evidence.expectPublicKey,
+    });
+    const trace = [
+        { check: "signature", ok: r.signatureOk },
+        { check: "root-hash", ok: r.rootHashOk },
+        { check: "verdict-consistent", ok: r.verdictConsistentOk },
+        { check: "in-bounds", ok: r.inBounds },
+    ];
+    if (claim.evidence.expectPrincipal !== undefined) {
+        trace.push({ check: "principal-pinned", ok: r.principalOk ?? false });
+    }
+    const asserted = crossCheck(claim.asserted, r.inBounds, trace, "asserted-in-bounds");
+    return {
+        ...base,
+        verified: r.ok && (asserted?.matched ?? true),
+        recomputed: { label: "in_bounds", value: r.inBounds },
+        asserted,
+        trace,
+        reason: !r.ok ? (r.reason ?? "attestation did not verify") : assertedReason(asserted),
+    };
+}
+async function verifySignatureClaim(claim, base) {
+    if (!claim.evidence.jwks) {
+        return {
+            ...base,
+            verified: false,
+            recomputed: null,
+            asserted: null,
+            trace: [{ check: "jwks-present", ok: false }],
+            reason: "signature claim requires evidence.jwks",
+        };
+    }
+    // Reuse the full verifier but gate on authenticity only (signature + root
+    // hash), not price correctness — the `signature` kind asserts provenance.
+    const r = await verify(receiptJson(claim.evidence), claim.evidence.jwks);
+    const ok = r.signature_ok && r.root_hash_ok;
+    return {
+        ...base,
+        verified: ok,
+        recomputed: { label: "authentic", value: ok },
+        asserted: null,
+        trace: [
+            { check: "signature", ok: r.signature_ok },
+            { check: "root-hash", ok: r.root_hash_ok },
+        ],
+        reason: ok ? null : (r.reason ?? "signature or root hash failed"),
+    };
+}
+/** Cross-check a prose-asserted value against the recomputed value. */
+function crossCheck(asserted, recomputed, trace, check) {
+    if (asserted === undefined)
+        return null;
+    const matched = asserted.value === recomputed;
+    trace.push({
+        check,
+        ok: matched,
+        detail: matched ? undefined : `asserted ${String(asserted.value)} ≠ recomputed ${String(recomputed)}`,
+    });
+    return { value: asserted.value, matched };
+}
+function assertedReason(asserted) {
+    if (asserted && !asserted.matched) {
+        return `asserted value (${String(asserted.value)}) does not match the recompute`;
+    }
+    return null;
+}

package/dist/ifc-decide.d.ts

@@ -0,0 +1,20 @@
+/** The declared-input kinds the IFC model recognises (nucleus-ifc DeclaredInput). */
+export type DeclaredInputToken = "user_prompt" | "web_content" | "tool_response" | "file_read" | "env_var" | "secret" | "database_row" | "memory_read" | "http_response";
+/** A recomputable IFC verdict (the serialized `nucleus_ifc::decision::IfcVerdict`). */
+export interface IfcVerdict {
+    allow: boolean;
+    reason: string;
+    declared_inputs: string[];
+}
+/**
+ * Recompute the proven IFC decision for an action: given the declared inputs
+ * reaching a sink and the sink's nature, is the flow safe? `requiresAuthority` =
+ * the action needs directive authority (so adversarial / no-authority inputs are
+ * refused — the prompt-injection guard); `sinkPublic` = the sink is publicly
+ * visible (so secret inputs are refused). Returns the same `IfcVerdict` nucleus's
+ * production gate returns — you trust the proven model, not this package.
+ */
+export declare function ifcDecide(inputs: DeclaredInputToken[], opts?: {
+    requiresAuthority?: boolean;
+    sinkPublic?: boolean;
+}): IfcVerdict;

package/dist/ifc-decide.js

@@ -0,0 +1,18 @@
+// The ONE proven IFC decision, consumed from the real model — not a TS mirror.
+// `ifc_decide` is compiled from `nucleus-ifc` (the Denning lattice + the
+// FlowDeclaration→IfcVerdict decision the production gate runs; its lattice laws
+// are Lean-proven in portcullis-core) into the package's wasm. The DAG-cage flow
+// check (`./workflow`) delegates its verdict here, so the recomputable decision
+// is the same one nucleus runs — closing the port→source gap.
+import * as wasm from "../wasm/nodejs/nucleus_wasm.js";
+/**
+ * Recompute the proven IFC decision for an action: given the declared inputs
+ * reaching a sink and the sink's nature, is the flow safe? `requiresAuthority` =
+ * the action needs directive authority (so adversarial / no-authority inputs are
+ * refused — the prompt-injection guard); `sinkPublic` = the sink is publicly
+ * visible (so secret inputs are refused). Returns the same `IfcVerdict` nucleus's
+ * production gate returns — you trust the proven model, not this package.
+ */
+export function ifcDecide(inputs, opts = {}) {
+    return wasm.ifc_decide(JSON.stringify(inputs), !!opts.requiresAuthority, !!opts.sinkPublic);
+}

package/dist/ifc.d.ts

@@ -0,0 +1,52 @@
+export declare enum ConfLevel {
+    Public = 0,
+    Internal = 1,
+    Secret = 2
+}
+export declare enum IntegLevel {
+    Adversarial = 0,
+    Untrusted = 1,
+    Trusted = 2
+}
+export declare enum AuthorityLevel {
+    NoAuthority = 0,
+    Informational = 1,
+    Suggestive = 2,
+    Directive = 3
+}
+export interface IFCLabel {
+    conf: ConfLevel;
+    integ: IntegLevel;
+    authority: AuthorityLevel;
+}
+/** Least-restrictive label (public, trusted, directive) — the join identity. */
+export declare const BOTTOM: IFCLabel;
+/** Lattice join (⊔): how labels combine as data flows together. Confidentiality
+ *  rises (max), integrity and authority fall to the least-trusted input (min) —
+ *  taint cannot be laundered by mixing in trusted data. */
+export declare function join(a: IFCLabel, b: IFCLabel): IFCLabel;
+/**
+ * Can data labelled `a` flow to a sink that admits up to `sink` (a ⊑ sink)?
+ * The sink encodes: the MAX confidentiality it may receive, and the MIN
+ * integrity/authority it requires. A flow is allowed iff confidentiality is not
+ * too high, integrity is at least required, and authority is at least required.
+ */
+export declare function flowsTo(a: IFCLabel, sink: IFCLabel): boolean;
+/** Web/scraped content: public, ADVERSARIAL integrity, NO authority to instruct. */
+export declare const WEB_CONTENT: IFCLabel;
+/** A read secret (API key, PII): SECRET confidentiality. */
+export declare const SECRET_READ: IFCLabel;
+/** A user prompt: trusted + directive (it MAY steer the agent). */
+export declare const USER_PROMPT: IFCLabel;
+/** A PUBLIC external sink (egress): admits only Public conf; demands no trust. */
+export declare const PUBLIC_EGRESS: IFCLabel;
+/** An ACTION sink that fires only on trusted, directive-authority data — the
+ *  prompt-injection guard: adversarial / no-authority data can't drive it. */
+export declare const TRUSTED_ACTION: IFCLabel;
+/**
+ * Check the lattice laws this port relies on (the ones Lean-proven in nucleus):
+ * idempotent / commutative / associative join, taint-absorption on each axis,
+ * and the bounds. Returns the first violation, or null when all hold — so a test
+ * can assert parity with the proven model instead of trusting the port.
+ */
+export declare function ifcLatticeLaws(): string | null;

package/dist/ifc.js

@@ -0,0 +1,106 @@
+// A TypeScript REFLECTION of the Denning information-flow lattice from
+// `nucleus-ifc` / `portcullis-core` (the production IFC model). The workflow flow
+// check itself consumes the REAL compiled decision (`./ifc-decide` → wasm); these
+// helpers are for direct in-process lattice work, kept parity-checked against
+// that real model (see test/ifc.test.mjs) and against the Lean-proven laws via
+// `ifcLatticeLaws()` (portcullis-core/lean/IFCSemilatticeProofs.lean). So this is
+// a checked reflection, not a second source of truth.
+//
+// Three axes, each with its lattice direction:
+//   confidentiality — COVARIANT  (join = max; Secret dominates: don't leak it out)
+//   integrity       — CONTRAVARIANT (join = min; Adversarial dominates: Biba)
+//   authority       — CONTRAVARIANT (join = min; NoAuthority dominates: untrusted
+//                     data can be READ but never acquires authority to INSTRUCT —
+//                     the formal block on indirect prompt injection)
+export var ConfLevel;
+(function (ConfLevel) {
+    ConfLevel[ConfLevel["Public"] = 0] = "Public";
+    ConfLevel[ConfLevel["Internal"] = 1] = "Internal";
+    ConfLevel[ConfLevel["Secret"] = 2] = "Secret";
+})(ConfLevel || (ConfLevel = {}));
+export var IntegLevel;
+(function (IntegLevel) {
+    IntegLevel[IntegLevel["Adversarial"] = 0] = "Adversarial";
+    IntegLevel[IntegLevel["Untrusted"] = 1] = "Untrusted";
+    IntegLevel[IntegLevel["Trusted"] = 2] = "Trusted";
+})(IntegLevel || (IntegLevel = {}));
+export var AuthorityLevel;
+(function (AuthorityLevel) {
+    AuthorityLevel[AuthorityLevel["NoAuthority"] = 0] = "NoAuthority";
+    AuthorityLevel[AuthorityLevel["Informational"] = 1] = "Informational";
+    AuthorityLevel[AuthorityLevel["Suggestive"] = 2] = "Suggestive";
+    AuthorityLevel[AuthorityLevel["Directive"] = 3] = "Directive";
+})(AuthorityLevel || (AuthorityLevel = {}));
+/** Least-restrictive label (public, trusted, directive) — the join identity. */
+export const BOTTOM = {
+    conf: ConfLevel.Public,
+    integ: IntegLevel.Trusted,
+    authority: AuthorityLevel.Directive,
+};
+/** Lattice join (⊔): how labels combine as data flows together. Confidentiality
+ *  rises (max), integrity and authority fall to the least-trusted input (min) —
+ *  taint cannot be laundered by mixing in trusted data. */
+export function join(a, b) {
+    return {
+        conf: Math.max(a.conf, b.conf),
+        integ: Math.min(a.integ, b.integ),
+        authority: Math.min(a.authority, b.authority),
+    };
+}
+/**
+ * Can data labelled `a` flow to a sink that admits up to `sink` (a ⊑ sink)?
+ * The sink encodes: the MAX confidentiality it may receive, and the MIN
+ * integrity/authority it requires. A flow is allowed iff confidentiality is not
+ * too high, integrity is at least required, and authority is at least required.
+ */
+export function flowsTo(a, sink) {
+    return a.conf <= sink.conf && a.integ >= sink.integ && a.authority >= sink.authority;
+}
+// ── node-kind presets (mirror nucleus-ifc's NodeKind labelling) ──────────────
+/** Web/scraped content: public, ADVERSARIAL integrity, NO authority to instruct. */
+export const WEB_CONTENT = { conf: ConfLevel.Public, integ: IntegLevel.Adversarial, authority: AuthorityLevel.NoAuthority };
+/** A read secret (API key, PII): SECRET confidentiality. */
+export const SECRET_READ = { conf: ConfLevel.Secret, integ: IntegLevel.Trusted, authority: AuthorityLevel.NoAuthority };
+/** A user prompt: trusted + directive (it MAY steer the agent). */
+export const USER_PROMPT = { conf: ConfLevel.Internal, integ: IntegLevel.Trusted, authority: AuthorityLevel.Directive };
+/** A PUBLIC external sink (egress): admits only Public conf; demands no trust. */
+export const PUBLIC_EGRESS = { conf: ConfLevel.Public, integ: IntegLevel.Adversarial, authority: AuthorityLevel.NoAuthority };
+/** An ACTION sink that fires only on trusted, directive-authority data — the
+ *  prompt-injection guard: adversarial / no-authority data can't drive it. */
+export const TRUSTED_ACTION = { conf: ConfLevel.Secret, integ: IntegLevel.Untrusted, authority: AuthorityLevel.Directive };
+/**
+ * Check the lattice laws this port relies on (the ones Lean-proven in nucleus):
+ * idempotent / commutative / associative join, taint-absorption on each axis,
+ * and the bounds. Returns the first violation, or null when all hold — so a test
+ * can assert parity with the proven model instead of trusting the port.
+ */
+export function ifcLatticeLaws() {
+    const labels = [];
+    for (const c of [ConfLevel.Public, ConfLevel.Internal, ConfLevel.Secret])
+        for (const i of [IntegLevel.Adversarial, IntegLevel.Untrusted, IntegLevel.Trusted])
+            for (const au of [AuthorityLevel.NoAuthority, AuthorityLevel.Informational, AuthorityLevel.Suggestive, AuthorityLevel.Directive])
+                labels.push({ conf: c, integ: i, authority: au });
+    const eq = (x, y) => x.conf === y.conf && x.integ === y.integ && x.authority === y.authority;
+    for (const a of labels) {
+        if (!eq(join(a, a), a))
+            return "join not idempotent";
+        if (!eq(join(a, BOTTOM), a))
+            return "BOTTOM is not the identity";
+        // taint-absorption: mixing in the most-tainted value on each axis dominates
+        if (join(a, WEB_CONTENT).integ !== IntegLevel.Adversarial)
+            return "adversarial integrity does not absorb";
+        if (join(a, SECRET_READ).conf !== ConfLevel.Secret)
+            return "secret confidentiality does not absorb";
+        if (join(a, WEB_CONTENT).authority !== AuthorityLevel.NoAuthority)
+            return "no-authority does not absorb";
+        for (const b of labels) {
+            if (!eq(join(a, b), join(b, a)))
+                return "join not commutative";
+            for (const c of labels) {
+                if (!eq(join(join(a, b), c), join(a, join(b, c))))
+                    return "join not associative";
+            }
+        }
+    }
+    return null;
+}

package/dist/index.d.ts

@@ -95,4 +95,9 @@ export declare function recomputeClearing(receiptJson: string): Promise<Recomput
 export declare function verifySignature(receiptJson: string, jwksJson: string): Promise<unknown>;
 export * from "./attestation.js";
 export * from "./toolproxy.js";
+export * from "./cage.js";
+export * from "./ifc-decide.js";
+export * from "./ifc.js";
+export * from "./workflow.js";
 export * from "./license.js";
+export * from "./claim.js";

package/dist/index.js

@@ -70,6 +70,21 @@ export * from "./attestation.js";
 // Producer-side instrumentation: turn a nucleus-tool-proxy trace into a signed
 // in-bounds receipt. See `./toolproxy` and the `nucleus-attest` CLI.
 export * from "./toolproxy.js";
+// The 5-minute drop-in: a runtime `Cage` wraps an agent's tool calls (enforce +
+// record) and emits a signed receipt the lines above verify. See `./cage`.
+export * from "./cage.js";
+// The ONE proven IFC decision, consumed from nucleus-ifc via wasm (`ifcDecide`).
+export * from "./ifc-decide.js";
+// The Denning lattice helpers (a faithful TS reflection of the same model, kept
+// parity-checked against `ifcDecide`) for direct in-process use.
+export * from "./ifc.js";
+// The DAG cage: compose a multi-agent run into one verifiable `WorkflowReceipt`,
+// including the cross-node information flow ("locally fine, globally leaks").
+export * from "./workflow.js";
 // Offline Ed25519 license keys: entitlement with no user DB / no callback.
 // See `./license` and the `nucleus-license` CLI.
 export * from "./license.js";
+// Recompute-verified CLAIM façade: one `verifyClaim(claim) → ClaimVerdict`
+// over all of the above engines, for embeddable ✓/✗ + recompute-trace
+// widgets. See `./claim` and docs/RECOMPUTE-VERIFIED-CLAIMS.md.
+export * from "./claim.js";

package/dist/workflow.d.ts

@@ -0,0 +1,96 @@
+import { type KeyObject } from "node:crypto";
+import { Cage } from "./cage.js";
+import { type TraceEvent } from "./attestation.js";
+declare const WF_KIND = "nucleus.workflow-receipt.v1";
+export interface WorkflowNodeSpec {
+    /** Unique node id within the workflow. */
+    id: string;
+    /** This node's capability boundary (the tools it may call). */
+    boundary: string[];
+    /** Parent node ids — the DAG edges (data flows parent → this node). */
+    after?: string[];
+}
+export interface WorkflowReceiptNode {
+    id: string;
+    after: string[];
+    boundary: string[];
+    events: TraceEvent[];
+    /** Independently recomputed by the verifier; the emitter's claim is not trusted. */
+    inBounds: boolean;
+}
+export interface WorkflowReceipt {
+    kind: typeof WF_KIND;
+    principal: string;
+    nodes: WorkflowReceiptNode[];
+    rootHash: string;
+    publicKey: string;
+    signature: string;
+    signedAt?: string;
+}
+/**
+ * An information-flow policy checked across the whole DAG, grounded in the
+ * Denning lattice (`./ifc`, a faithful port of nucleus-ifc — Lean-proven laws).
+ * `sources`/`sinks` are the confidentiality axis (don't leak a secret to a
+ * public sink); the optional axes cover integrity / indirect prompt injection.
+ */
+export interface FlowPolicy {
+    /** Tools that read SECRET data (raise confidentiality). */
+    sources: string[];
+    /** Public-egress tools a secret must never reach. */
+    sinks: string[];
+    /** Nodes that sanitize — they clear incoming taint (a declassifier). */
+    declassifiers?: string[];
+    /** Tools that introduce ADVERSARIAL integrity (e.g. web fetch) — the indirect
+     *  prompt-injection taint. */
+    adversarialSources?: string[];
+    /** Action tools that must only fire on trusted, directive-authority data —
+     *  adversarial / no-authority data reaching them is a leak. */
+    actionSinks?: string[];
+}
+export interface FlowLeak {
+    node: string;
+    sink: string;
+    taintedVia: "reads-source" | "upstream";
+}
+export interface WorkflowVerifyReport {
+    /** `signatureOk && dagOk && nodesOk && flowOk`. */
+    ok: boolean;
+    /** Ed25519 signature verifies AND the recomputed rootHash matches. */
+    signatureOk: boolean;
+    /** Edges reference real nodes and the graph is acyclic. */
+    dagOk: boolean;
+    /** Every node's recorded calls were within its declared boundary. */
+    nodesOk: boolean;
+    /** No source→sink information flow across the DAG (per the flow policy). */
+    flowOk: boolean;
+    /** The source→sink leaks found (empty when `flowOk`). */
+    leaks: FlowLeak[];
+    /** Nodes whose recompute found an out-of-boundary call. */
+    outOfBoundsNodes: string[];
+    reason: string | null;
+}
+/**
+ * A DAG cage. Register nodes (each gets a {@link Cage}), run your agents through
+ * the caged tools, then {@link Workflow.attest} a single signed receipt over the
+ * whole graph — verifiable offline, including the cross-node information flow.
+ */
+export declare class Workflow {
+    private readonly principal;
+    private readonly nodes;
+    constructor(principal: string);
+    /** Register a node and return its cage. The cage's tool calls are recorded
+     *  under this node; `after` declares the edges into it. */
+    node(spec: WorkflowNodeSpec): Cage;
+    private receiptNodes;
+    /** Sign one workflow receipt over the whole DAG. */
+    attest(privateKey: KeyObject, opts?: {
+        signedAt?: string;
+    }): WorkflowReceipt;
+}
+/**
+ * Verify a workflow receipt fully and offline: the signature + the per-node
+ * in-bounds recompute + the DAG (acyclic, real edges) + the cross-node
+ * information flow. Never throws — failures surface as `ok:false` + `reason`.
+ */
+export declare function verifyWorkflowReceipt(wr: WorkflowReceipt, flow?: FlowPolicy): WorkflowVerifyReport;
+export {};