@coproduct_inc/verify 0.5.0 → 0.6.0

package/CHANGELOG.md

@@ -2,6 +2,26 @@
 
 All notable changes to `@coproduct_inc/verify`.
 
+## 0.6.0
+
+- **The `Workflow` flow check now CONSUMES the one proven IFC model** —
+  `nucleus-ifc`'s `FlowDeclaration → IfcVerdict` decision, compiled into the
+  package's wasm and exposed as `ifcDecide` (`./ifc-decide`). The DAG walk
+  accumulates each node's declared inputs (`secret`, `web_content`, …) and asks
+  the proven `decide()` whether they may reach a sink — the same decision
+  nucleus's production gate runs, recomputed locally. No TS mirror in the
+  decision path.
+- New `FlowPolicy` axes `adversarialSources` + `actionSinks` enable **indirect
+  prompt-injection** detection: web content (Adversarial integrity, NoAuthority)
+  reaching an action sink is refused across the DAG; a declassifier breaks the
+  path. Existing confidentiality policies are unchanged.
+- **IFC lattice helpers** (`./ifc`) — a TS reflection of the same Denning lattice
+  for direct in-process use, kept **parity-checked against `ifcDecide`** (and the
+  Lean-proven laws via `ifcLatticeLaws()`).
+- Build: `nucleus-wasm` now depends on `nucleus-ifc` (lattice-only, no `ring`) and
+  exports `ifc_decide`; the `build:wasm` script preserves the wasm dir's
+  `commonjs` marker so the CJS bindings load inside this ESM package.
+
 ## 0.5.0
 
 - **`Workflow` — the DAG cage** (`./workflow`, re-exported from root). Compose a

package/README.md

@@ -74,6 +74,13 @@ verifyWorkflowReceipt(receipt, { sources: ["read_secret"], sinks: ["publish"] })
 It rides on whatever orchestrator you already use (LangGraph, Temporal, CrewAI…)
 — you cage the tools, not the framework. Run it: `node examples/workflow-leak.mjs`.
 
+The flow check is grounded in the **Denning IFC lattice** (`./ifc`, a faithful
+port of `nucleus-ifc` whose lattice laws are Lean-proven). Beyond confidentiality
+(`sources`/`sinks`), the `adversarialSources` + `actionSinks` axes catch
+**indirect prompt injection** — web content (Adversarial integrity, no authority
+to instruct) reaching an action sink is refused across the DAG, and a
+declassifier breaks the path.
+
 ---
 
 ## In-bounds attestation — the drop-in

package/dist/ifc-decide.d.ts

@@ -0,0 +1,20 @@
+/** The declared-input kinds the IFC model recognises (nucleus-ifc DeclaredInput). */
+export type DeclaredInputToken = "user_prompt" | "web_content" | "tool_response" | "file_read" | "env_var" | "secret" | "database_row" | "memory_read" | "http_response";
+/** A recomputable IFC verdict (the serialized `nucleus_ifc::decision::IfcVerdict`). */
+export interface IfcVerdict {
+    allow: boolean;
+    reason: string;
+    declared_inputs: string[];
+}
+/**
+ * Recompute the proven IFC decision for an action: given the declared inputs
+ * reaching a sink and the sink's nature, is the flow safe? `requiresAuthority` =
+ * the action needs directive authority (so adversarial / no-authority inputs are
+ * refused — the prompt-injection guard); `sinkPublic` = the sink is publicly
+ * visible (so secret inputs are refused). Returns the same `IfcVerdict` nucleus's
+ * production gate returns — you trust the proven model, not this package.
+ */
+export declare function ifcDecide(inputs: DeclaredInputToken[], opts?: {
+    requiresAuthority?: boolean;
+    sinkPublic?: boolean;
+}): IfcVerdict;

package/dist/ifc-decide.js

@@ -0,0 +1,18 @@
+// The ONE proven IFC decision, consumed from the real model — not a TS mirror.
+// `ifc_decide` is compiled from `nucleus-ifc` (the Denning lattice + the
+// FlowDeclaration→IfcVerdict decision the production gate runs; its lattice laws
+// are Lean-proven in portcullis-core) into the package's wasm. The DAG-cage flow
+// check (`./workflow`) delegates its verdict here, so the recomputable decision
+// is the same one nucleus runs — closing the port→source gap.
+import * as wasm from "../wasm/nodejs/nucleus_wasm.js";
+/**
+ * Recompute the proven IFC decision for an action: given the declared inputs
+ * reaching a sink and the sink's nature, is the flow safe? `requiresAuthority` =
+ * the action needs directive authority (so adversarial / no-authority inputs are
+ * refused — the prompt-injection guard); `sinkPublic` = the sink is publicly
+ * visible (so secret inputs are refused). Returns the same `IfcVerdict` nucleus's
+ * production gate returns — you trust the proven model, not this package.
+ */
+export function ifcDecide(inputs, opts = {}) {
+    return wasm.ifc_decide(JSON.stringify(inputs), !!opts.requiresAuthority, !!opts.sinkPublic);
+}

package/dist/ifc.d.ts

@@ -0,0 +1,52 @@
+export declare enum ConfLevel {
+    Public = 0,
+    Internal = 1,
+    Secret = 2
+}
+export declare enum IntegLevel {
+    Adversarial = 0,
+    Untrusted = 1,
+    Trusted = 2
+}
+export declare enum AuthorityLevel {
+    NoAuthority = 0,
+    Informational = 1,
+    Suggestive = 2,
+    Directive = 3
+}
+export interface IFCLabel {
+    conf: ConfLevel;
+    integ: IntegLevel;
+    authority: AuthorityLevel;
+}
+/** Least-restrictive label (public, trusted, directive) — the join identity. */
+export declare const BOTTOM: IFCLabel;
+/** Lattice join (⊔): how labels combine as data flows together. Confidentiality
+ *  rises (max), integrity and authority fall to the least-trusted input (min) —
+ *  taint cannot be laundered by mixing in trusted data. */
+export declare function join(a: IFCLabel, b: IFCLabel): IFCLabel;
+/**
+ * Can data labelled `a` flow to a sink that admits up to `sink` (a ⊑ sink)?
+ * The sink encodes: the MAX confidentiality it may receive, and the MIN
+ * integrity/authority it requires. A flow is allowed iff confidentiality is not
+ * too high, integrity is at least required, and authority is at least required.
+ */
+export declare function flowsTo(a: IFCLabel, sink: IFCLabel): boolean;
+/** Web/scraped content: public, ADVERSARIAL integrity, NO authority to instruct. */
+export declare const WEB_CONTENT: IFCLabel;
+/** A read secret (API key, PII): SECRET confidentiality. */
+export declare const SECRET_READ: IFCLabel;
+/** A user prompt: trusted + directive (it MAY steer the agent). */
+export declare const USER_PROMPT: IFCLabel;
+/** A PUBLIC external sink (egress): admits only Public conf; demands no trust. */
+export declare const PUBLIC_EGRESS: IFCLabel;
+/** An ACTION sink that fires only on trusted, directive-authority data — the
+ *  prompt-injection guard: adversarial / no-authority data can't drive it. */
+export declare const TRUSTED_ACTION: IFCLabel;
+/**
+ * Check the lattice laws this port relies on (the ones Lean-proven in nucleus):
+ * idempotent / commutative / associative join, taint-absorption on each axis,
+ * and the bounds. Returns the first violation, or null when all hold — so a test
+ * can assert parity with the proven model instead of trusting the port.
+ */
+export declare function ifcLatticeLaws(): string | null;

package/dist/ifc.js

@@ -0,0 +1,106 @@
+// A TypeScript REFLECTION of the Denning information-flow lattice from
+// `nucleus-ifc` / `portcullis-core` (the production IFC model). The workflow flow
+// check itself consumes the REAL compiled decision (`./ifc-decide` → wasm); these
+// helpers are for direct in-process lattice work, kept parity-checked against
+// that real model (see test/ifc.test.mjs) and against the Lean-proven laws via
+// `ifcLatticeLaws()` (portcullis-core/lean/IFCSemilatticeProofs.lean). So this is
+// a checked reflection, not a second source of truth.
+//
+// Three axes, each with its lattice direction:
+//   confidentiality — COVARIANT  (join = max; Secret dominates: don't leak it out)
+//   integrity       — CONTRAVARIANT (join = min; Adversarial dominates: Biba)
+//   authority       — CONTRAVARIANT (join = min; NoAuthority dominates: untrusted
+//                     data can be READ but never acquires authority to INSTRUCT —
+//                     the formal block on indirect prompt injection)
+export var ConfLevel;
+(function (ConfLevel) {
+    ConfLevel[ConfLevel["Public"] = 0] = "Public";
+    ConfLevel[ConfLevel["Internal"] = 1] = "Internal";
+    ConfLevel[ConfLevel["Secret"] = 2] = "Secret";
+})(ConfLevel || (ConfLevel = {}));
+export var IntegLevel;
+(function (IntegLevel) {
+    IntegLevel[IntegLevel["Adversarial"] = 0] = "Adversarial";
+    IntegLevel[IntegLevel["Untrusted"] = 1] = "Untrusted";
+    IntegLevel[IntegLevel["Trusted"] = 2] = "Trusted";
+})(IntegLevel || (IntegLevel = {}));
+export var AuthorityLevel;
+(function (AuthorityLevel) {
+    AuthorityLevel[AuthorityLevel["NoAuthority"] = 0] = "NoAuthority";
+    AuthorityLevel[AuthorityLevel["Informational"] = 1] = "Informational";
+    AuthorityLevel[AuthorityLevel["Suggestive"] = 2] = "Suggestive";
+    AuthorityLevel[AuthorityLevel["Directive"] = 3] = "Directive";
+})(AuthorityLevel || (AuthorityLevel = {}));
+/** Least-restrictive label (public, trusted, directive) — the join identity. */
+export const BOTTOM = {
+    conf: ConfLevel.Public,
+    integ: IntegLevel.Trusted,
+    authority: AuthorityLevel.Directive,
+};
+/** Lattice join (⊔): how labels combine as data flows together. Confidentiality
+ *  rises (max), integrity and authority fall to the least-trusted input (min) —
+ *  taint cannot be laundered by mixing in trusted data. */
+export function join(a, b) {
+    return {
+        conf: Math.max(a.conf, b.conf),
+        integ: Math.min(a.integ, b.integ),
+        authority: Math.min(a.authority, b.authority),
+    };
+}
+/**
+ * Can data labelled `a` flow to a sink that admits up to `sink` (a ⊑ sink)?
+ * The sink encodes: the MAX confidentiality it may receive, and the MIN
+ * integrity/authority it requires. A flow is allowed iff confidentiality is not
+ * too high, integrity is at least required, and authority is at least required.
+ */
+export function flowsTo(a, sink) {
+    return a.conf <= sink.conf && a.integ >= sink.integ && a.authority >= sink.authority;
+}
+// ── node-kind presets (mirror nucleus-ifc's NodeKind labelling) ──────────────
+/** Web/scraped content: public, ADVERSARIAL integrity, NO authority to instruct. */
+export const WEB_CONTENT = { conf: ConfLevel.Public, integ: IntegLevel.Adversarial, authority: AuthorityLevel.NoAuthority };
+/** A read secret (API key, PII): SECRET confidentiality. */
+export const SECRET_READ = { conf: ConfLevel.Secret, integ: IntegLevel.Trusted, authority: AuthorityLevel.NoAuthority };
+/** A user prompt: trusted + directive (it MAY steer the agent). */
+export const USER_PROMPT = { conf: ConfLevel.Internal, integ: IntegLevel.Trusted, authority: AuthorityLevel.Directive };
+/** A PUBLIC external sink (egress): admits only Public conf; demands no trust. */
+export const PUBLIC_EGRESS = { conf: ConfLevel.Public, integ: IntegLevel.Adversarial, authority: AuthorityLevel.NoAuthority };
+/** An ACTION sink that fires only on trusted, directive-authority data — the
+ *  prompt-injection guard: adversarial / no-authority data can't drive it. */
+export const TRUSTED_ACTION = { conf: ConfLevel.Secret, integ: IntegLevel.Untrusted, authority: AuthorityLevel.Directive };
+/**
+ * Check the lattice laws this port relies on (the ones Lean-proven in nucleus):
+ * idempotent / commutative / associative join, taint-absorption on each axis,
+ * and the bounds. Returns the first violation, or null when all hold — so a test
+ * can assert parity with the proven model instead of trusting the port.
+ */
+export function ifcLatticeLaws() {
+    const labels = [];
+    for (const c of [ConfLevel.Public, ConfLevel.Internal, ConfLevel.Secret])
+        for (const i of [IntegLevel.Adversarial, IntegLevel.Untrusted, IntegLevel.Trusted])
+            for (const au of [AuthorityLevel.NoAuthority, AuthorityLevel.Informational, AuthorityLevel.Suggestive, AuthorityLevel.Directive])
+                labels.push({ conf: c, integ: i, authority: au });
+    const eq = (x, y) => x.conf === y.conf && x.integ === y.integ && x.authority === y.authority;
+    for (const a of labels) {
+        if (!eq(join(a, a), a))
+            return "join not idempotent";
+        if (!eq(join(a, BOTTOM), a))
+            return "BOTTOM is not the identity";
+        // taint-absorption: mixing in the most-tainted value on each axis dominates
+        if (join(a, WEB_CONTENT).integ !== IntegLevel.Adversarial)
+            return "adversarial integrity does not absorb";
+        if (join(a, SECRET_READ).conf !== ConfLevel.Secret)
+            return "secret confidentiality does not absorb";
+        if (join(a, WEB_CONTENT).authority !== AuthorityLevel.NoAuthority)
+            return "no-authority does not absorb";
+        for (const b of labels) {
+            if (!eq(join(a, b), join(b, a)))
+                return "join not commutative";
+            for (const c of labels) {
+                if (!eq(join(join(a, b), c), join(a, join(b, c))))
+                    return "join not associative";
+            }
+        }
+    }
+    return null;
+}

package/dist/index.d.ts

@@ -96,6 +96,8 @@ export declare function verifySignature(receiptJson: string, jwksJson: string):
 export * from "./attestation.js";
 export * from "./toolproxy.js";
 export * from "./cage.js";
+export * from "./ifc-decide.js";
+export * from "./ifc.js";
 export * from "./workflow.js";
 export * from "./license.js";
 export * from "./claim.js";

package/dist/index.js

@@ -73,6 +73,11 @@ export * from "./toolproxy.js";
 // The 5-minute drop-in: a runtime `Cage` wraps an agent's tool calls (enforce +
 // record) and emits a signed receipt the lines above verify. See `./cage`.
 export * from "./cage.js";
+// The ONE proven IFC decision, consumed from nucleus-ifc via wasm (`ifcDecide`).
+export * from "./ifc-decide.js";
+// The Denning lattice helpers (a faithful TS reflection of the same model, kept
+// parity-checked against `ifcDecide`) for direct in-process use.
+export * from "./ifc.js";
 // The DAG cage: compose a multi-agent run into one verifiable `WorkflowReceipt`,
 // including the cross-node information flow ("locally fine, globally leaks").
 export * from "./workflow.js";

package/dist/workflow.d.ts

@@ -27,14 +27,25 @@ export interface WorkflowReceipt {
     signature: string;
     signedAt?: string;
 }
-/** An information-flow policy checked across the whole DAG. */
+/**
+ * An information-flow policy checked across the whole DAG, grounded in the
+ * Denning lattice (`./ifc`, a faithful port of nucleus-ifc — Lean-proven laws).
+ * `sources`/`sinks` are the confidentiality axis (don't leak a secret to a
+ * public sink); the optional axes cover integrity / indirect prompt injection.
+ */
 export interface FlowPolicy {
-    /** Tools that introduce taint (e.g. reading a secret). */
+    /** Tools that read SECRET data (raise confidentiality). */
     sources: string[];
-    /** Tools that must never be reached while tainted (e.g. an external write). */
+    /** Public-egress tools a secret must never reach. */
     sinks: string[];
-    /** Nodes that sanitize — they clear incoming taint (a sanitizer in the chain). */
+    /** Nodes that sanitize — they clear incoming taint (a declassifier). */
     declassifiers?: string[];
+    /** Tools that introduce ADVERSARIAL integrity (e.g. web fetch) — the indirect
+     *  prompt-injection taint. */
+    adversarialSources?: string[];
+    /** Action tools that must only fire on trusted, directive-authority data —
+     *  adversarial / no-authority data reaching them is a leak. */
+    actionSinks?: string[];
 }
 export interface FlowLeak {
     node: string;

package/dist/workflow.js

@@ -21,6 +21,7 @@ import { createHash, createPublicKey, sign as edSign, verify as edVerify } from
 import { Cage } from "./cage.js";
 import { canonicalize, exportPublicKey } from "./attestation.js";
 import { traceEventsFromRecords } from "./toolproxy.js";
+import { ifcDecide } from "./ifc-decide.js";
 const WF_KIND = "nucleus.workflow-receipt.v1";
 function sha256Hex(s) {
     return createHash("sha256").update(s).digest("hex");
@@ -60,26 +61,47 @@ function topoOrder(nodes) {
         throw new Error("workflow graph has a cycle");
     return order;
 }
-/** Recompute information-flow taint across the DAG → the leaks (independent). */
+/**
+ * Recompute the information flow across the DAG, delegating each sink's VERDICT
+ * to the proven model (`ifcDecide`, compiled from nucleus-ifc). The DAG walk
+ * accumulates the declared-input KINDS reaching each node (a `source` tool
+ * declares a `secret` input, an `adversarialSource` declares `web_content`); a
+ * declassifier clears them; at a sink we ask the proven `decide()` whether that
+ * input set may reach that sink. So the topology is ours, the IFC decision is
+ * the one nucleus runs — not a TS mirror.
+ */
 function recomputeFlow(nodes, flow) {
     const sources = new Set(flow.sources);
+    const adversarial = new Set(flow.adversarialSources ?? []);
     const sinks = new Set(flow.sinks);
+    const actionSinks = new Set(flow.actionSinks ?? []);
     const declass = new Set(flow.declassifiers ?? []);
     const byId = new Map(nodes.map((n) => [n.id, n]));
-    const tainted = new Map();
+    const inputsAt = new Map();
     const leaks = [];
     for (const id of topoOrder(nodes)) {
         const n = byId.get(id);
         const tools = new Set(n.events.map((e) => e.tool));
-        const readsSource = [...tools].some((t) => sources.has(t));
-        const parentTainted = n.after.some((p) => tainted.get(p));
-        const isTainted = declass.has(id) ? false : readsSource || parentTainted;
-        tainted.set(id, isTainted);
-        if (isTainted) {
-            for (const t of tools) {
-                if (sinks.has(t))
-                    leaks.push({ node: id, sink: t, taintedVia: readsSource ? "reads-source" : "upstream" });
-            }
+        const acc = new Set();
+        for (const p of n.after)
+            for (const t of inputsAt.get(p))
+                acc.add(t); // inherit upstream inputs
+        const readsSecret = [...tools].some((t) => sources.has(t));
+        const readsWeb = [...tools].some((t) => adversarial.has(t));
+        if (readsSecret)
+            acc.add("secret");
+        if (readsWeb)
+            acc.add("web_content");
+        if (declass.has(id))
+            acc.clear(); // a declassifier sanitizes incoming + own inputs
+        inputsAt.set(id, acc);
+        const declared = [...acc];
+        const via = (readsSecret || readsWeb) && !declass.has(id) ? "reads-source" : "upstream";
+        for (const t of tools) {
+            if (sinks.has(t) && !ifcDecide(declared, { sinkPublic: true }).allow)
+                leaks.push({ node: id, sink: t, taintedVia: via });
+            if (actionSinks.has(t) && !ifcDecide(declared, { requiresAuthority: true }).allow)
+                leaks.push({ node: id, sink: t, taintedVia: via });
         }
     }
     return leaks;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coproduct_inc/verify",
-  "version": "0.5.0",
+  "version": "0.6.0",
   "description": "Offline, zero-trust verification of agent capability-boundary in-bounds attestation receipts: emit and verify an Ed25519-signed, hash-chained receipt that an agent run stayed within a declared boundary, keyed on a cryptographic principal (not a mutable display name) \u2014 the evidence layer above probabilistic guardrails. Also verifies Nucleus auction receipts by re-running the clearing locally. Zero runtime deps for the attestation core (node:crypto).",
   "license": "MIT",
   "type": "module",
@@ -21,6 +21,10 @@
       "types": "./dist/workflow.d.ts",
       "import": "./dist/workflow.js"
     },
+    "./ifc": {
+      "types": "./dist/ifc.d.ts",
+      "import": "./dist/ifc.js"
+    },
     "./attestation": {
       "types": "./dist/attestation.d.ts",
       "import": "./dist/attestation.js"
@@ -57,7 +61,7 @@
     "CHANGELOG.md"
   ],
   "scripts": {
-    "build:wasm": "wasm-pack build ../../crates/nucleus-wasm --target nodejs --out-dir ../../packages/nucleus-verify/wasm/nodejs && rm -f wasm/nodejs/.gitignore wasm/nodejs/package.json",
+    "build:wasm": "wasm-pack build ../../crates/nucleus-wasm --target nodejs --out-dir ../../packages/nucleus-verify/wasm/nodejs && rm -f wasm/nodejs/.gitignore && printf '%s' '{\"type\":\"commonjs\"}' > wasm/nodejs/package.json",
     "build": "tsc -p tsconfig.json",
     "typecheck": "tsc -p tsconfig.json --noEmit",
     "test": "node --test",

package/wasm/nodejs/nucleus_wasm.d.ts

@@ -51,6 +51,21 @@ export function compute_dependency_graph(chain_jsonl: string): any;
  */
 export function compute_savings_summary(plan_json: string, cost_map_json: string): any;
 
+/**
+ * **The ONE proven IFC decision, surfaced to JS.** Recomputes the
+ * `FlowDeclaration → IfcVerdict` decision over the Denning lattice from
+ * `nucleus-ifc` (whose lattice laws are Lean-proven in `portcullis-core`) — the
+ * SAME `decide()` the production gate runs. `@coproduct_inc/verify`'s DAG-cage
+ * flow check delegates here instead of a TS mirror, so there is one model.
+ *
+ * `input_tokens_json` is a JSON array of declared-input tokens — one of:
+ * `user_prompt`, `web_content`, `tool_response`, `file_read`, `env_var`,
+ * `secret`, `database_row`, `memory_read`, `http_response`. `requires_authority`
+ * = the action needs directive authority; `sink_public` = the sink is publicly
+ * visible. Returns the recomputable `IfcVerdict` (allow/deny + reason).
+ */
+export function ifc_decide(input_tokens_json: string, requires_authority: boolean, sink_public: boolean): any;
+
 /**
  * Install a browser-friendly panic hook. The hook routes any wasm-side
  * `panic!` into `console.error`, which means failed assertions in the

package/wasm/nodejs/nucleus_wasm.js

@@ -89,6 +89,34 @@ function compute_savings_summary(plan_json, cost_map_json) {
 }
 exports.compute_savings_summary = compute_savings_summary;
 
+/**
+ * **The ONE proven IFC decision, surfaced to JS.** Recomputes the
+ * `FlowDeclaration → IfcVerdict` decision over the Denning lattice from
+ * `nucleus-ifc` (whose lattice laws are Lean-proven in `portcullis-core`) — the
+ * SAME `decide()` the production gate runs. `@coproduct_inc/verify`'s DAG-cage
+ * flow check delegates here instead of a TS mirror, so there is one model.
+ *
+ * `input_tokens_json` is a JSON array of declared-input tokens — one of:
+ * `user_prompt`, `web_content`, `tool_response`, `file_read`, `env_var`,
+ * `secret`, `database_row`, `memory_read`, `http_response`. `requires_authority`
+ * = the action needs directive authority; `sink_public` = the sink is publicly
+ * visible. Returns the recomputable `IfcVerdict` (allow/deny + reason).
+ * @param {string} input_tokens_json
+ * @param {boolean} requires_authority
+ * @param {boolean} sink_public
+ * @returns {any}
+ */
+function ifc_decide(input_tokens_json, requires_authority, sink_public) {
+    const ptr0 = passStringToWasm0(input_tokens_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ret = wasm.ifc_decide(ptr0, len0, requires_authority, sink_public);
+    if (ret[2]) {
+        throw takeFromExternrefTable0(ret[1]);
+    }
+    return takeFromExternrefTable0(ret[0]);
+}
+exports.ifc_decide = ifc_decide;
+
 /**
  * Install a browser-friendly panic hook. The hook routes any wasm-side
  * `panic!` into `console.error`, which means failed assertions in the

package/wasm/nodejs/nucleus_wasm_bg.wasm.d.ts

@@ -4,6 +4,7 @@ export const memory: WebAssembly.Memory;
 export const analyze_correction_event: (a: number, b: number, c: number, d: number) => [number, number, number];
 export const compute_dependency_graph: (a: number, b: number) => [number, number, number];
 export const compute_savings_summary: (a: number, b: number, c: number, d: number) => [number, number, number];
+export const ifc_decide: (a: number, b: number, c: number, d: number) => [number, number, number];
 export const parse_claude_code_session: (a: number, b: number) => [number, number, number];
 export const parse_lineage_chain: (a: number, b: number) => [number, number, number];
 export const verify_auction_receipt: (a: number, b: number, c: number, d: number) => [number, number, number];

package/wasm/nodejs/package.json

@@ -1,9 +1 @@
-{
-  "name": "nucleus-wasm-nodejs-core",
-  "version": "0.1.0",
-  "private": true,
-  "type": "commonjs",
-  "main": "nucleus_wasm.js",
-  "types": "nucleus_wasm.d.ts",
-  "comment": "wasm-pack `nodejs` target (CommonJS). This nested package.json pins `type: commonjs` so the CJS `require`/`module.exports`/`__dirname` glue keeps working when imported from the ESM `@nucleus/verify` parent. Regenerated by `pnpm build:wasm`; do not hand-edit the sibling .js/.wasm."
-}
+{"type":"commonjs"}