@full-self-browsing/lattice 1.4.0 → 1.5.0

package/dist/replay-CtIhpLek.js

@@ -0,0 +1,964 @@
+import { r as toArtifactRef } from "./artifact-DOfpeXLb.js";
+import { a as decodeEnvelope, i as buildPae, n as PAYLOAD_TYPE, o as canonicalizeReceiptBody, r as base64Encode, t as createReceipt } from "./receipt-FYouoPHv.js";
+import { n as receiptCid, t as computeArtifactLineageMerkleRoot } from "./lineage-DBgoPWAZ.js";
+import { r as withPlanStatus, t as createExecutionPlan } from "./plan-DFm8Llep.js";
+import { t as fingerprintArtifactValue } from "./fingerprint-DodDbQKN.js";
+import canonicalize from "canonicalize";
+//#region src/observability/otel.ts
+const DEFAULT_SPAN_NAME = "lattice.run";
+const DEFAULT_LANGFUSE_BASE_URL = "https://cloud.langfuse.com";
+const DEFAULT_PHOENIX_BASE_URL = "http://localhost:6006";
+const OTEL_STATUS_OK = 1;
+const OTEL_STATUS_ERROR = 2;
+const SECRET_KEY_RE = /api[-_]?key|authorization|credentials?|headers?|password|secret|token/iu;
+const CONTENT_KEY_RE = /artifact|body|content|input|inputs|message|messages|output|outputs|payload|prompt|rawOutputs|task|value/iu;
+function createOtelRunEventSink(options) {
+	const spans = /* @__PURE__ */ new Map();
+	return async (event) => {
+		const span = getOrCreateRunSpan(event, options, spans);
+		const attributes = await createRunEventAttributes(event, options);
+		setSpanAttributes(span, attributes);
+		span.addEvent?.(`lattice.${event.kind}`, attributes);
+		if (event.kind === "capabilities.negotiation.fallback") {
+			span.setStatus?.({ code: OTEL_STATUS_OK });
+			span.end?.(eventTime(event));
+			spans.delete(event.runId);
+			return;
+		}
+		if (event.kind === "run.complete") {
+			span.setStatus?.({ code: OTEL_STATUS_OK });
+			span.end?.(eventTime(event));
+			spans.delete(event.runId);
+			return;
+		}
+		if (event.kind === "run.failed") {
+			const message = metadataString(event, "reason");
+			span.setStatus?.({
+				code: OTEL_STATUS_ERROR,
+				...message !== void 0 ? { message } : {}
+			});
+			if (message !== void 0) span.recordException?.(message);
+			span.end?.(eventTime(event));
+			spans.delete(event.runId);
+		}
+	};
+}
+function sanitizeRunEventAttributes(event, options = {}) {
+	const attributes = {
+		"lattice.event.kind": event.kind,
+		"lattice.run.id": event.runId
+	};
+	assignString(attributes, "lattice.plan.id", event.planId);
+	assignString(attributes, "lattice.stage.id", event.stageId);
+	assignString(attributes, "lattice.provider.id", event.providerId);
+	assignString(attributes, "lattice.model.id", event.modelId);
+	assignString(attributes, "lattice.artifact.id", event.artifactId);
+	assignString(attributes, "gen_ai.provider.name", event.providerId);
+	assignString(attributes, "gen_ai.request.model", event.modelId);
+	if (event.kind === "stream.start" || event.kind === "stream.complete" || event.kind === "stream.failed") attributes["gen_ai.request.stream"] = true;
+	const metadata = event.metadata ?? {};
+	assignString(attributes, "lattice.event.status", metadataString(event, "status"));
+	assignBoolean(attributes, "lattice.error.present", metadataString(event, "error") !== void 0 ? true : void 0);
+	assignString(attributes, "lattice.failure.reason", metadataString(event, "reason"));
+	assignString(attributes, "lattice.tripwire.invariant_id", asString(metadata.invariantId));
+	assignString(attributes, "lattice.artifact.source", asString(metadata.source));
+	assignString(attributes, "lattice.receipt.id", asString(metadata.receiptId));
+	assignBoolean(attributes, "lattice.receipt.mint_error.present", asString(metadata.mintError) !== void 0 ? true : void 0);
+	assignString(attributes, "lattice.route.selected_model", asString(metadata.selected));
+	assignNumber(attributes, "lattice.route.rejected.count", asNumber(metadata.rejected));
+	assignNumber(attributes, "lattice.route.fallback.count", asNumber(metadata.fallbacks));
+	assignBoolean(attributes, "lattice.provider.attempt.fallback", asBoolean(metadata.fallback));
+	assignNumber(attributes, "lattice.context.estimated_tokens", asNumber(metadata.estimatedTokens));
+	assignNumber(attributes, "lattice.context.included.count", asNumber(metadata.included));
+	assignNumber(attributes, "lattice.context.summarized.count", asNumber(metadata.summarized));
+	assignNumber(attributes, "lattice.context.omitted.count", asNumber(metadata.omitted));
+	assignString(attributes, "lattice.tool.name", asString(metadata.toolName));
+	assignString(attributes, "lattice.tool.call.id", asString(metadata.callId));
+	assignStringArray(attributes, "lattice.output.names", asStringArray(metadata.outputNames));
+	assignUsage(attributes, metadata);
+	assignGateway(attributes, metadata.gateway);
+	captureSafeMetadata(attributes, metadata, options);
+	return attributes;
+}
+async function createOtelReceiptAttributes(envelope) {
+	const attributes = {
+		"lattice.receipt.cid": await receiptCid(envelope),
+		"lattice.receipt.signature.count": envelope.signatures.length
+	};
+	assignString(attributes, "lattice.receipt.signature.keyid", envelope.signatures[0]?.keyid);
+	return attributes;
+}
+function createLangfuseOtlpConfig(options = {}) {
+	const authString = langfuseAuthString(options);
+	return {
+		endpoint: langfuseTraceEndpoint(options.baseUrl ?? DEFAULT_LANGFUSE_BASE_URL),
+		headers: {
+			...authString !== void 0 ? { Authorization: `Basic ${authString}` } : {},
+			"x-langfuse-ingestion-version": options.ingestionVersion ?? "4",
+			...options.headers ?? {}
+		}
+	};
+}
+function createPhoenixOtlpConfig(options = {}) {
+	return {
+		endpoint: options.endpoint ?? phoenixTraceEndpoint(options.baseUrl ?? DEFAULT_PHOENIX_BASE_URL),
+		headers: {
+			...options.apiKey !== void 0 ? { Authorization: `Bearer ${options.apiKey}` } : {},
+			...options.projectName !== void 0 ? { "x-project-name": options.projectName } : {},
+			...options.headers ?? {}
+		}
+	};
+}
+function getOrCreateRunSpan(event, options, spans) {
+	const existing = spans.get(event.runId);
+	if (existing !== void 0) return existing;
+	const span = options.tracer.startSpan(options.spanName ?? DEFAULT_SPAN_NAME, {
+		attributes: sanitizeRunEventAttributes(event, options),
+		startTime: eventTime(event)
+	});
+	spans.set(event.runId, span);
+	return span;
+}
+function setSpanAttributes(span, attributes) {
+	if (span.setAttributes !== void 0) {
+		span.setAttributes(attributes);
+		return;
+	}
+	for (const [key, value] of Object.entries(attributes)) span.setAttribute?.(key, value);
+}
+async function createRunEventAttributes(event, options) {
+	const attributes = sanitizeRunEventAttributes(event, options);
+	const envelope = findReceiptEnvelope(event.metadata);
+	if (envelope === void 0) return attributes;
+	try {
+		return {
+			...attributes,
+			...await createOtelReceiptAttributes(envelope)
+		};
+	} catch {
+		return attributes;
+	}
+}
+function eventTime(event) {
+	return new Date(event.timestamp);
+}
+function metadataString(event, key) {
+	return asString(event.metadata?.[key]);
+}
+function assignString(attributes, key, value) {
+	if (value !== void 0) attributes[key] = value;
+}
+function assignNumber(attributes, key, value) {
+	if (value !== void 0) attributes[key] = value;
+}
+function assignBoolean(attributes, key, value) {
+	if (value !== void 0) attributes[key] = value;
+}
+function assignStringArray(attributes, key, value) {
+	if (value !== void 0 && value.length > 0) attributes[key] = value;
+}
+function assignNumberArray(attributes, key, value) {
+	if (value !== void 0 && value.length > 0) attributes[key] = value;
+}
+function assignBooleanArray(attributes, key, value) {
+	if (value !== void 0 && value.length > 0) attributes[key] = value;
+}
+function asString(value) {
+	return typeof value === "string" && value.length > 0 ? value : void 0;
+}
+function asNumber(value) {
+	return typeof value === "number" && Number.isFinite(value) ? value : void 0;
+}
+function asBoolean(value) {
+	return typeof value === "boolean" ? value : void 0;
+}
+function asStringArray(value) {
+	return Array.isArray(value) && value.every((item) => typeof item === "string") ? value : void 0;
+}
+function asNumberArray(value) {
+	return Array.isArray(value) && value.every((item) => typeof item === "number" && Number.isFinite(item)) ? value : void 0;
+}
+function asBooleanArray(value) {
+	return Array.isArray(value) && value.every((item) => typeof item === "boolean") ? value : void 0;
+}
+function assignUsage(attributes, metadata) {
+	const usage = usageFrom(metadata.normalizedUsage) ?? usageFrom(metadata.usage) ?? usageFrom(metadata);
+	if (usage === void 0) return;
+	assignNumber(attributes, "gen_ai.usage.input_tokens", usage.inputTokens);
+	assignNumber(attributes, "gen_ai.usage.output_tokens", usage.outputTokens);
+	assignNumber(attributes, "llm.token_count.prompt", usage.inputTokens);
+	assignNumber(attributes, "llm.token_count.completion", usage.outputTokens);
+	assignNumber(attributes, "lattice.usage.cost_usd", usage.costUsd);
+}
+function usageFrom(value) {
+	if (!isRecord(value)) return;
+	const inputTokens = asNumber(value.promptTokens) ?? asNumber(value.inputTokens);
+	const outputTokens = asNumber(value.completionTokens) ?? asNumber(value.outputTokens);
+	const costUsd = asNumber(value.costUsd);
+	if (inputTokens === void 0 && outputTokens === void 0 && costUsd === void 0) return;
+	return {
+		...inputTokens !== void 0 ? { inputTokens } : {},
+		...outputTokens !== void 0 ? { outputTokens } : {},
+		...costUsd !== void 0 ? { costUsd } : {}
+	};
+}
+function assignGateway(attributes, value) {
+	if (!isRecord(value)) return;
+	assignBoolean(attributes, "lattice.gateway.used", asBoolean(value.used));
+	assignString(attributes, "lattice.gateway.provider.id", asString(value.providerId));
+	assignString(attributes, "lattice.gateway.selected_provider.id", asString(value.selectedProviderId));
+	assignString(attributes, "lattice.gateway.requested_model", asString(value.requestedModel));
+	assignString(attributes, "lattice.gateway.observed_model", asString(value.observedModel));
+	assignStringArray(attributes, "lattice.gateway.fallback_models", asStringArray(value.fallbackModels));
+	const requestedModel = asString(value.requestedModel);
+	const observedModel = asString(value.observedModel);
+	if (requestedModel !== void 0 && attributes["gen_ai.request.model"] === void 0) attributes["gen_ai.request.model"] = requestedModel;
+	assignString(attributes, "gen_ai.response.model", observedModel);
+}
+function captureSafeMetadata(attributes, metadata, options) {
+	if (options.contentCapture !== "metadata") return;
+	const knownKeys = new Set([
+		"callId",
+		"estimatedTokens",
+		"error",
+		"fallback",
+		"fallbacks",
+		"gateway",
+		"included",
+		"invariantId",
+		"mintError",
+		"normalizedUsage",
+		"omitted",
+		"outputNames",
+		"reason",
+		"receiptId",
+		"rejected",
+		"selected",
+		"source",
+		"status",
+		"summarized",
+		"toolName",
+		"usage"
+	]);
+	for (const [key, value] of Object.entries(metadata)) {
+		if (knownKeys.has(key) || isUnsafeMetadataKey(key)) continue;
+		const attrKey = `lattice.metadata.${safeAttributeKey(key)}`;
+		assignString(attributes, attrKey, asString(value));
+		assignNumber(attributes, attrKey, asNumber(value));
+		assignBoolean(attributes, attrKey, asBoolean(value));
+		assignStringArray(attributes, attrKey, asStringArray(value));
+		assignNumberArray(attributes, attrKey, asNumberArray(value));
+		assignBooleanArray(attributes, attrKey, asBooleanArray(value));
+	}
+}
+function isUnsafeMetadataKey(key) {
+	return SECRET_KEY_RE.test(key) || CONTENT_KEY_RE.test(key);
+}
+function safeAttributeKey(key) {
+	return key.replace(/[^a-zA-Z0-9_.-]+/gu, "_");
+}
+function findReceiptEnvelope(metadata) {
+	if (metadata === void 0) return;
+	return [
+		metadata.envelope,
+		metadata.receiptEnvelope,
+		metadata.receipt
+	].find(isReceiptEnvelope);
+}
+function isReceiptEnvelope(value) {
+	return isRecord(value) && value.payloadType === "application/vnd.lattice.receipt+json" && typeof value.payload === "string" && Array.isArray(value.signatures) && value.signatures.every((signature) => isRecord(signature) && typeof signature.keyid === "string" && typeof signature.sig === "string");
+}
+function isRecord(value) {
+	return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function langfuseAuthString(options) {
+	if (options.authString !== void 0) return options.authString;
+	if (options.publicKey === void 0 && options.secretKey === void 0) return;
+	if (options.publicKey === void 0 || options.secretKey === void 0) throw new Error("Langfuse OTLP auth requires both publicKey and secretKey.");
+	return base64Utf8(`${options.publicKey}:${options.secretKey}`);
+}
+function langfuseTraceEndpoint(baseUrl) {
+	const base = trimTrailingSlashes(baseUrl);
+	if (base.endsWith("/api/public/otel/v1/traces")) return base;
+	if (base.endsWith("/api/public/otel")) return `${base}/v1/traces`;
+	return `${base}/api/public/otel/v1/traces`;
+}
+function phoenixTraceEndpoint(baseUrl) {
+	const base = trimTrailingSlashes(baseUrl);
+	if (base.endsWith("/v1/traces")) return base;
+	return `${base}/v1/traces`;
+}
+function trimTrailingSlashes(value) {
+	return value.replace(/\/+$/u, "");
+}
+function base64Utf8(value) {
+	const bytes = new TextEncoder().encode(value);
+	let binary = "";
+	for (const byte of bytes) binary += String.fromCharCode(byte);
+	return btoa(binary);
+}
+//#endregion
+//#region src/receipts/keyset.ts
+/**
+* In-memory KeySet factory.
+*
+* Verification flow (plan 09-03):
+*   - keySet.lookup(kid) returns undefined  → VerifyError {kind: "key-not-found"}
+*   - entry.state === "revoked"             → VerifyError {kind: "key-revoked"}
+*   - entry.state === "retired"             → VerifyOk + keyState: "retired" (caller may warn)
+*   - entry.state === "active"              → VerifyOk + keyState: "active"
+*
+* Duplicate kids: last write wins (deterministic — callers control entry order).
+* Empty entries array is legal — every lookup returns undefined.
+* Returned KeySet exposes only `lookup` — no enumeration.
+*
+* See 09-CONTEXT.md "Key Management (UNRETROFITTABLE)".
+*/
+function createMemoryKeySet(entries) {
+	const byKid = /* @__PURE__ */ new Map();
+	for (const entry of entries) byKid.set(entry.kid, entry);
+	return { lookup(kid) {
+		return byKid.get(kid);
+	} };
+}
+//#endregion
+//#region src/receipts/remote-signer.ts
+/**
+* Adapt a remote signing service to Lattice's existing ReceiptSigner contract.
+*
+* The callback receives the exact DSSE PAE bytes that createReceipt signs.
+* Cloud-specific request construction, hashing choices, credentials, retries,
+* and audit logging stay outside core.
+*/
+function createRemoteReceiptSigner(options) {
+	return {
+		kid: options.kid,
+		publicKeyJwk: options.publicKeyJwk,
+		async sign(bytes) {
+			const result = await options.sign({
+				kid: options.kid,
+				publicKeyJwk: options.publicKeyJwk,
+				bytes: copyBytes(bytes),
+				payloadFormat: "dsse-pae",
+				algorithm: "Ed25519",
+				...options.provider !== void 0 ? { provider: options.provider } : {},
+				...options.keyRef !== void 0 ? { keyRef: options.keyRef } : {},
+				...options.metadata !== void 0 ? { metadata: options.metadata } : {}
+			});
+			return copyBytes(result instanceof Uint8Array ? result : result.signature);
+		}
+	};
+}
+function copyBytes(bytes) {
+	const copy = new Uint8Array(bytes.byteLength);
+	copy.set(bytes);
+	return copy;
+}
+//#endregion
+//#region src/receipts/sign.ts
+const ALG = "Ed25519";
+/**
+* Copy a Uint8Array into a fresh ArrayBuffer. WebCrypto's BufferSource type
+* (under exactOptionalPropertyTypes + strict TS) rejects `Uint8Array<ArrayBufferLike>`
+* because the underlying buffer could be a SharedArrayBuffer. Matches the
+* pattern used in storage/fingerprint.ts.
+*/
+function toArrayBuffer(bytes) {
+	const copy = new Uint8Array(bytes.byteLength);
+	copy.set(bytes);
+	return copy.buffer;
+}
+async function importEd25519PrivateKey(jwk) {
+	return crypto.subtle.importKey("jwk", jwk, ALG, true, ["sign"]);
+}
+async function importEd25519PublicKey(jwk) {
+	return crypto.subtle.importKey("jwk", jwk, ALG, true, ["verify"]);
+}
+async function generateEd25519KeyPairJwk() {
+	const pair = await crypto.subtle.generateKey(ALG, true, ["sign", "verify"]);
+	const [privateKeyJwk, publicKeyJwk] = await Promise.all([crypto.subtle.exportKey("jwk", pair.privateKey), crypto.subtle.exportKey("jwk", pair.publicKey)]);
+	return {
+		privateKeyJwk,
+		publicKeyJwk
+	};
+}
+async function verifyEd25519Signature(publicKeyJwk, message, signature) {
+	let key;
+	try {
+		key = await importEd25519PublicKey(publicKeyJwk);
+	} catch {
+		return false;
+	}
+	try {
+		return await crypto.subtle.verify(ALG, key, toArrayBuffer(signature), toArrayBuffer(message));
+	} catch {
+		return false;
+	}
+}
+function createInMemorySigner(privateKeyJwk, options) {
+	let cachedKey;
+	const ensureKey = async () => {
+		if (cachedKey === void 0) cachedKey = await importEd25519PrivateKey(privateKeyJwk);
+		return cachedKey;
+	};
+	return {
+		kid: options.kid,
+		publicKeyJwk: options.publicKeyJwk,
+		async sign(bytes) {
+			const key = await ensureKey();
+			const sig = await crypto.subtle.sign(ALG, key, toArrayBuffer(bytes));
+			return new Uint8Array(sig);
+		}
+	};
+}
+//#endregion
+//#region src/receipts/verify.ts
+function fail$1(kind, message) {
+	return {
+		ok: false,
+		error: {
+			kind,
+			message
+		}
+	};
+}
+function bytesEqual(a, b) {
+	if (a.byteLength !== b.byteLength) return false;
+	for (let i = 0; i < a.byteLength; i += 1) if (a[i] !== b[i]) return false;
+	return true;
+}
+/**
+* Receipt body shape check. We trust the JSON parse — but we re-validate
+* that the required fields exist with the right primitive types before
+* canonicalizing again. Anything off -> version-mismatch (the body is
+* structurally NOT a v1 receipt, even if it parses as JSON).
+*/
+function asReceiptBody(value) {
+	if (typeof value !== "object" || value === null) return void 0;
+	const v = value;
+	if (v.version !== void 0 && v.version !== "lattice-receipt/v1" && v.version !== "lattice-receipt/v1.1" && v.version !== "lattice-receipt/v1.2" && v.version !== "lattice-receipt/v1.3") return;
+	if (typeof v.receiptId !== "string") return void 0;
+	if (typeof v.runId !== "string") return void 0;
+	if (typeof v.issuedAt !== "string") return void 0;
+	if (typeof v.kid !== "string") return void 0;
+	if (typeof v.model !== "object" || v.model === null) return void 0;
+	if (typeof v.route !== "object" || v.route === null) return void 0;
+	if (typeof v.usage !== "object" || v.usage === null) return void 0;
+	if (typeof v.contractVerdict !== "string") return void 0;
+	if (!Array.isArray(v.inputHashes)) return void 0;
+	if (typeof v.redactionPolicyId !== "string") return void 0;
+	if (!Array.isArray(v.redactions)) return void 0;
+	return v;
+}
+/**
+* Pure receipt verifier.
+*
+* Returns a typed VerifyResult — never throws across the verification
+* boundary (PITFALLS.md security: "Verifier panics on malformed receipts
+* -> DoS via crafted input"). All parsing failures become typed errors.
+*
+* Decision tree (first match wins):
+*   1. decodeEnvelope throws OR signatures[] empty       -> envelope-malformed
+*   2. payload bytes are not valid JSON                  -> envelope-malformed
+*   3. body shape check fails OR version unknown literal -> version-mismatch
+*   4. body.version === undefined OR "lattice-receipt/v1"-> schema-version-too-low (CRYPTO-01)
+*   5. keySet.lookup(keyid) === undefined                -> key-not-found
+*   6. entry.state === "revoked"                         -> key-revoked
+*   7. re-canonicalized body != signed payloadBytes      -> canonicalization-mismatch
+*   8. Ed25519 verification of PAE fails                 -> signature-invalid
+*   9. body.kid !== entry.kid (defense in depth)         -> signature-invalid
+*  10. otherwise                                         -> ok + keyState
+*/
+async function verifyReceipt(envelope, keySet) {
+	let decoded;
+	try {
+		decoded = decodeEnvelope(envelope);
+	} catch (error) {
+		return fail$1("envelope-malformed", error instanceof Error ? error.message : String(error));
+	}
+	if (decoded.signatures.length === 0) return fail$1("envelope-malformed", "envelope has no signatures");
+	let parsed;
+	try {
+		parsed = JSON.parse(new TextDecoder().decode(decoded.payloadBytes));
+	} catch (error) {
+		return fail$1("envelope-malformed", `payload is not valid JSON: ${error instanceof Error ? error.message : String(error)}`);
+	}
+	const body = asReceiptBody(parsed);
+	if (body === void 0) return fail$1("version-mismatch", "receipt body is not a lattice-receipt/v1.1, lattice-receipt/v1.2, or lattice-receipt/v1.3 shape");
+	if (body.version === void 0 || body.version === "lattice-receipt/v1") return fail$1("schema-version-too-low", "Receipt body.version must be 'lattice-receipt/v1.1', 'lattice-receipt/v1.2', or 'lattice-receipt/v1.3' — v1 receipts are not accepted (CRYPTO-01).");
+	const firstSig = decoded.signatures[0];
+	const entry = keySet.lookup(firstSig.keyid);
+	if (entry === void 0) return fail$1("key-not-found", `keySet has no entry for kid "${firstSig.keyid}"`);
+	if (entry.state === "revoked") return fail$1("key-revoked", `key "${entry.kid}" is revoked`);
+	if (!bytesEqual(canonicalizeReceiptBody(body), decoded.payloadBytes)) return fail$1("canonicalization-mismatch", "re-canonicalized body does not match signed payload bytes");
+	const pae = buildPae(PAYLOAD_TYPE, base64Encode(decoded.payloadBytes));
+	if (!await verifyEd25519Signature(entry.publicKeyJwk, pae, firstSig.sig)) return fail$1("signature-invalid", "Ed25519 signature does not verify");
+	if (body.kid !== entry.kid) return fail$1("signature-invalid", `body.kid "${body.kid}" does not match envelope keyid "${entry.kid}"`);
+	return {
+		ok: true,
+		body,
+		keyState: entry.state
+	};
+}
+//#endregion
+//#region src/version.ts
+const latticeVersion = "1.5.0";
+//#endregion
+//#region src/audit/external-execution.ts
+async function createExternalExecutionAudit(input, signer) {
+	const runId = input.runId ?? createId("external-run");
+	const receiptId = input.receiptId ?? createId("external-receipt");
+	const issuedAt = input.issuedAt ?? (/* @__PURE__ */ new Date()).toISOString();
+	const artifacts = input.artifacts ?? [];
+	const artifactRefs = artifacts.map(toArtifactRef);
+	const outputSpecs = input.outputSpecs ?? inferOutputSpecs(input.outputs);
+	const inputHashes = await hashInputArtifacts(artifacts);
+	const outputHash = input.outputs === void 0 ? null : await hashUnknown(input.outputs);
+	const contractHash = await hashCanonical(input.contract);
+	const lineageMerkleRoot = await computeArtifactLineageMerkleRoot(artifacts);
+	const rawRequestHash = input.rawRequest === void 0 ? void 0 : await hashUnknown(input.rawRequest) ?? void 0;
+	const rawResponseHash = input.rawResponse === void 0 ? void 0 : await hashUnknown(input.rawResponse) ?? void 0;
+	const contractVerdict = input.contractVerdict ?? "success";
+	const receipt = await createReceipt({
+		runId,
+		receiptId,
+		issuedAt,
+		model: input.model,
+		route: input.route,
+		...lineageMerkleRoot !== void 0 ? { lineageMerkleRoot } : {},
+		usage: input.usage,
+		contractVerdict,
+		contractHash,
+		inputHashes,
+		outputHash
+	}, signer);
+	return {
+		receipt,
+		sidecar: {
+			version: "lattice-sidecar/v1",
+			task: input.task,
+			outputs: outputSpecs,
+			policy: input.policy,
+			contract: input.contract,
+			...input.outputs !== void 0 ? { rawOutputs: input.outputs } : {},
+			externalExecution: {
+				kind: "external-execution",
+				model: input.model,
+				route: input.route,
+				usage: input.usage,
+				...input.rawRequest !== void 0 ? { rawRequest: input.rawRequest } : {},
+				...input.rawResponse !== void 0 ? { rawResponse: input.rawResponse } : {},
+				...rawRequestHash !== void 0 ? { rawRequestHash } : {},
+				...rawResponseHash !== void 0 ? { rawResponseHash } : {},
+				inputHashes,
+				outputHash,
+				...input.metadata !== void 0 ? { metadata: input.metadata } : {}
+			}
+		},
+		replayEnvelope: createExternalReplayEnvelope({
+			runId,
+			task: input.task,
+			artifacts: artifactRefs,
+			outputSpecs,
+			outputs: input.outputs,
+			catalogVersion: input.catalogVersion ?? "external",
+			route: input.route,
+			usage: input.usage,
+			receipt,
+			contract: input.contract,
+			contractVerdict,
+			metadata: input.metadata
+		}),
+		inputHashes,
+		outputHash
+	};
+}
+function createExternalReplayEnvelope(input) {
+	const isSuccess = input.contractVerdict === "success";
+	const attempt = {
+		providerId: input.route.providerId,
+		modelId: input.route.capabilityId,
+		status: isSuccess ? "succeeded" : "failed",
+		usage: usageRecord(input.usage),
+		metadata: { externalExecution: true },
+		...!isSuccess ? { error: input.contractVerdict } : {}
+	};
+	const plan = withPlanStatus(createExecutionPlan({
+		task: input.task,
+		artifacts: input.artifacts,
+		outputs: input.outputSpecs,
+		route: {
+			catalogVersion: input.catalogVersion,
+			selected: {
+				providerId: input.route.providerId,
+				modelId: input.route.capabilityId,
+				score: 0,
+				estimates: {
+					inputTokens: input.usage.promptTokens,
+					outputTokens: input.usage.completionTokens,
+					...input.usage.costUsd !== null ? { costUsd: input.usage.costUsd } : {}
+				},
+				inputModalities: [],
+				outputModalities: [],
+				fileTransport: []
+			},
+			candidates: [],
+			rejected: [],
+			fallbackChain: [],
+			noRouteReasons: []
+		},
+		metadata: {
+			externalExecution: true,
+			runId: input.runId,
+			contractVerdict: input.contractVerdict,
+			...input.metadata !== void 0 ? { external: input.metadata } : {}
+		}
+	}), isSuccess ? "completed" : "failed", {
+		stages: isSuccess ? markAllStagesCompleted : markExternalStagesFailed(input.contractVerdict),
+		attempts: [attempt]
+	});
+	return {
+		kind: "replay-envelope",
+		version: 1,
+		runtimeVersion: latticeVersion,
+		catalogVersion: input.catalogVersion,
+		createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+		plan,
+		artifacts: input.artifacts,
+		...isSuccess && input.outputs !== void 0 ? { outputs: input.outputs } : {},
+		warnings: [],
+		errors: isSuccess ? [] : [input.contractVerdict],
+		usage: usageRecord(input.usage),
+		events: [],
+		receipt: input.receipt,
+		contract: input.contract
+	};
+}
+function markExternalStagesFailed(verdict) {
+	const failedStage = failedStageForVerdict(verdict);
+	let hasFailed = false;
+	return markAllStagesCompleted.map((stage) => {
+		if (stage.kind === failedStage) {
+			hasFailed = true;
+			return {
+				...stage,
+				status: "failed",
+				warnings: [...stage.warnings, verdict]
+			};
+		}
+		if (hasFailed) return {
+			...stage,
+			status: "skipped"
+		};
+		return stage;
+	});
+}
+function failedStageForVerdict(verdict) {
+	switch (verdict) {
+		case "validation-failed": return "validation";
+		case "tripwire-violated": return "tripwire";
+		case "no-contract-match": return "analysis";
+		case "execution-failed":
+		case "success": return "execution";
+	}
+}
+function usageRecord(usage) {
+	return {
+		inputTokens: usage.promptTokens,
+		outputTokens: usage.completionTokens,
+		totalTokens: usage.promptTokens + usage.completionTokens,
+		...usage.costUsd !== null ? { costUsd: usage.costUsd } : {}
+	};
+}
+function inferOutputSpecs(outputs) {
+	if (outputs === void 0) return {};
+	return Object.fromEntries(Object.keys(outputs).map((name) => [name, "text"]));
+}
+async function hashInputArtifacts(artifacts) {
+	const hashes = [];
+	for (const artifact of artifacts) hashes.push(artifact.fingerprint?.value ?? await hashUnknown(artifact.value) ?? "");
+	return hashes;
+}
+async function hashUnknown(value) {
+	return (await fingerprintArtifactValue(value))?.value ?? null;
+}
+async function hashCanonical(value) {
+	const canonical = canonicalize(value);
+	if (canonical === void 0) return null;
+	return hashUnknown(canonical);
+}
+function createId(prefix) {
+	if (typeof crypto !== "undefined" && typeof crypto.randomUUID === "function") return `${prefix}:${crypto.randomUUID()}`;
+	return `${prefix}:${Date.now()}:${Math.random().toString(16).slice(2)}`;
+}
+const markAllStagesCompleted = [
+	{
+		id: "stage:analysis",
+		kind: "analysis",
+		status: "completed",
+		warnings: []
+	},
+	{
+		id: "stage:transforms",
+		kind: "transforms",
+		status: "completed",
+		warnings: []
+	},
+	{
+		id: "stage:context-packing",
+		kind: "context-packing",
+		status: "completed",
+		warnings: []
+	},
+	{
+		id: "stage:provider-packaging",
+		kind: "provider-packaging",
+		status: "completed",
+		warnings: []
+	},
+	{
+		id: "stage:tool-execution",
+		kind: "tool-execution",
+		status: "completed",
+		warnings: []
+	},
+	{
+		id: "stage:execution",
+		kind: "execution",
+		status: "completed",
+		warnings: []
+	},
+	{
+		id: "stage:validation",
+		kind: "validation",
+		status: "completed",
+		warnings: []
+	},
+	{
+		id: "stage:tripwire",
+		kind: "tripwire",
+		status: "completed",
+		warnings: []
+	},
+	{
+		id: "stage:persistence",
+		kind: "persistence",
+		status: "completed",
+		warnings: []
+	}
+];
+//#endregion
+//#region src/replay/materialize.ts
+function asMaterializationError(value) {
+	return typeof value === "object" && value !== null && typeof value.kind === "string" && typeof value.message === "string";
+}
+/** Throwable shape — `instanceof Error` is not required for typed unions, so
+*  the function just throws a plain object literal that matches the
+*  `MaterializationError` shape. Callers pattern-match on `err.kind`. */
+function fail(kind, message) {
+	return {
+		kind,
+		message
+	};
+}
+/**
+* Pure async function that reconstructs a `ReplayEnvelope` from a receipt.
+*
+* Verify-FIRST ordering: `verifyReceipt` runs before `artifactLoader` is
+* touched. Tampered receipts MUST NOT cause loader side effects.
+*/
+async function materializeReplayEnvelope(receipt, options) {
+	const verifyResult = await verifyReceipt(receipt, options.keySet);
+	if (!verifyResult.ok) throw fail(verifyResult.error.kind === "envelope-malformed" ? "envelope-malformed" : "verify-failed", verifyResult.error.message);
+	const body = verifyResult.body;
+	const loadedInputs = [];
+	for (const hash of body.inputHashes) {
+		if (hash === "") continue;
+		try {
+			const input = await options.artifactLoader(hash);
+			loadedInputs.push(input);
+		} catch (error) {
+			throw fail("artifact-load-failed", error instanceof Error ? error.message : asMaterializationError(error) ? error.message : String(error));
+		}
+	}
+	const artifactRefs = loadedInputs.map(toArtifactRef);
+	const outputsMap = options.outputs !== void 0 ? Object.fromEntries(Object.keys(options.outputs).map((k) => [k, "text"])) : {};
+	const plan = createExecutionPlan({
+		task: options.task ?? "",
+		artifacts: artifactRefs,
+		outputs: outputsMap,
+		route: {
+			catalogVersion: "materialized",
+			selected: {
+				providerId: body.route.providerId,
+				modelId: body.route.capabilityId,
+				score: 0,
+				estimates: {
+					inputTokens: 0,
+					outputTokens: 0
+				},
+				inputModalities: [],
+				outputModalities: [],
+				fileTransport: []
+			},
+			candidates: [],
+			rejected: [],
+			fallbackChain: [],
+			noRouteReasons: []
+		},
+		warnings: [],
+		metadata: {
+			materialized: true,
+			receiptId: body.receiptId,
+			runId: body.runId,
+			contractVerdict: body.contractVerdict,
+			...options.policy !== void 0 ? { policy: { ...options.policy } } : {}
+		}
+	});
+	const usage = {
+		inputTokens: body.usage.promptTokens,
+		outputTokens: body.usage.completionTokens,
+		...body.usage.costUsd !== null ? { costUsd: Number(body.usage.costUsd) } : {}
+	};
+	return {
+		kind: "replay-envelope",
+		version: 1,
+		runtimeVersion: latticeVersion,
+		catalogVersion: "materialized",
+		createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+		plan,
+		artifacts: artifactRefs,
+		...options.outputs !== void 0 ? { outputs: options.outputs } : {},
+		warnings: [],
+		errors: [],
+		usage,
+		events: [],
+		receipt,
+		...options.contract !== void 0 ? { contract: options.contract } : {}
+	};
+}
+//#endregion
+//#region src/replay/replay.ts
+function createReplayEnvelope(result) {
+	if (result.plan.kind !== "execution-plan") throw new Error("Replay envelopes require an execution plan.");
+	const usage = result.plan.attempts.at(-1)?.usage;
+	return {
+		kind: "replay-envelope",
+		version: 1,
+		runtimeVersion: latticeVersion,
+		catalogVersion: result.plan.route.catalogVersion,
+		createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+		plan: redactPlan(result.plan),
+		artifacts: result.ok ? result.artifacts : result.plan.artifactRefs,
+		...result.ok ? { outputs: result.outputs } : {},
+		warnings: result.plan.warnings,
+		errors: result.ok ? [] : [result.error.message],
+		...usage !== void 0 ? { usage } : {},
+		events: result.events ?? []
+	};
+}
+async function replayOffline(envelope) {
+	const replayedUsage = envelopeUsage(envelope);
+	if (envelope.outputs === void 0) return {
+		ok: false,
+		error: {
+			kind: "execution_unavailable",
+			message: "Replay envelope does not contain successful outputs."
+		},
+		usage: replayedUsage,
+		plan: envelope.plan,
+		events: envelope.events
+	};
+	return {
+		ok: true,
+		outputs: envelope.outputs,
+		artifacts: envelope.artifacts,
+		usage: replayedUsage,
+		plan: envelope.plan,
+		events: envelope.events
+	};
+}
+function envelopeUsage(envelope) {
+	if (envelope.usage === void 0) return {
+		promptTokens: 0,
+		completionTokens: 0,
+		costUsd: null
+	};
+	return {
+		promptTokens: envelope.usage.inputTokens ?? 0,
+		completionTokens: envelope.usage.outputTokens ?? 0,
+		costUsd: envelope.usage.costUsd ?? null
+	};
+}
+async function rerunLive(ai, envelope, intent) {
+	const result = await ai.run(intent);
+	if (result.plan.kind === "execution-plan") return {
+		...result,
+		plan: {
+			...result.plan,
+			warnings: [...result.plan.warnings, `Live rerun of ${envelope.plan.id}: provider behavior, model versions, cost, and latency may differ.`]
+		}
+	};
+	return result;
+}
+function redactReplayEnvelope(envelope) {
+	return {
+		...envelope,
+		plan: redactPlan(envelope.plan),
+		artifacts: envelope.artifacts.map(redactArtifactRef),
+		events: envelope.events.map((event) => {
+			const metadata = redactRecord(event.metadata);
+			return {
+				...event,
+				...metadata !== void 0 ? { metadata } : {}
+			};
+		})
+	};
+}
+function redactPlan(plan) {
+	return {
+		...plan,
+		task: redactText(plan.task),
+		artifactRefs: plan.artifactRefs.map(redactArtifactRef),
+		...plan.providerPackaging !== void 0 ? { providerPackaging: {
+			...plan.providerPackaging,
+			artifacts: plan.providerPackaging.artifacts.map((item) => ({
+				...item,
+				warnings: item.warnings.map(redactText)
+			})),
+			warnings: plan.providerPackaging.warnings.map(redactText)
+		} } : {},
+		warnings: plan.warnings.map(redactText)
+	};
+}
+function redactArtifactRef(ref) {
+	const redactedMetadata = redactRecord(ref.metadata);
+	return {
+		...ref,
+		...redactedMetadata !== void 0 ? { metadata: redactedMetadata } : {},
+		...ref.source === "url" ? { metadata: {
+			...redactedMetadata,
+			redactedSource: "url"
+		} } : {}
+	};
+}
+function redactRecord(record) {
+	if (record === void 0) return;
+	return Object.fromEntries(Object.entries(record).map(([key, value]) => [key, shouldRedactKey(key) ? "[redacted]" : redactValue(value)]));
+}
+function redactValue(value) {
+	if (typeof value === "string") return redactText(value);
+	if (Array.isArray(value)) return value.map(redactValue);
+	if (typeof value === "object" && value !== null) return redactRecord(value);
+	return value;
+}
+function redactText(value) {
+	return value.replace(/Bearer\s+[A-Za-z0-9._-]+/gu, "Bearer [redacted]").replace(/https?:\/\/[^\s)]+/gu, "[redacted-url]").replace(/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/gu, "[redacted-email]");
+}
+function shouldRedactKey(key) {
+	return /api.?key|authorization|token|secret|password|credential|signed.?url|raw|body|transcript/iu.test(key);
+}
+//#endregion
+export { createOtelRunEventSink as _, replayOffline as a, createExternalExecutionAudit as c, createInMemorySigner as d, generateEd25519KeyPairJwk as f, createOtelReceiptAttributes as g, createLangfuseOtlpConfig as h, redactReplayEnvelope as i, latticeVersion as l, createMemoryKeySet as m, redactArtifactRef as n, rerunLive as o, createRemoteReceiptSigner as p, redactPlan as r, materializeReplayEnvelope as s, createReplayEnvelope as t, verifyReceipt as u, createPhoenixOtlpConfig as v, sanitizeRunEventAttributes as y };
+
+//# sourceMappingURL=replay-CtIhpLek.js.map