@hesohq/node 0.5.1-dev.127 → 0.5.1-dev.131

package/index.d.ts

@@ -1,7 +1,17 @@
-/* tslint:disable */
+/* auto-generated by NAPI-RS */
 /* eslint-disable */
+/** A loaded operator key, exposing just the public-key surface. */
+export declare class OperatorKey {
+  /** Return the base64 standard-alphabet public key. */
+  publicKeyB64(): string
+}
 
-/* auto-generated by NAPI-RS */
+/**
+ * Return the RFC-8785 (JCS) canonical bytes of an ActionContent JSON string,
+ * with `action_hash` stripped. Single source of canonical bytes — never
+ * reimplement JCS in TS.
+ */
+export declare function actionCanonicalBytesJs(contentJson: string): Buffer
 
 /** The verdict returned by all single-receipt verify functions. */
 export interface ActionVerdict {
@@ -10,6 +20,7 @@ export interface ActionVerdict {
   /** The re-derived trust level: "L0" or "L1" (only meaningful when verdict == "Valid"). */
   trustLevel: string
 }
+
 /** Extended verdict that also includes the trusted-time status. */
 export interface ActionVerdictWithTime {
   verdict: string
@@ -17,18 +28,10 @@ export interface ActionVerdictWithTime {
   /** "NoTrustedTime" or "AnchoredRfc3161:<gen_time>". */
   timeStatus: string
 }
-/** Outcome of a chain verification. */
-export interface ChainResult {
-  ok: boolean
-  /** Number of receipts verified (only set when ok == true). */
-  length?: number
-  /** Error kind string (only set when ok == false). */
-  error?: string
-  /** The seq at which the error occurred (only set when ok == false). */
-  seq?: number
-  /** Human-readable detail (only set when ok == false). */
-  detail?: string
-}
+
+/** Pre-anchor BLAKE3 hash (excludes `time_anchor` from the canonical bytes). */
+export declare function anchoredContentHashJs(contentJson: string): string
+
 /** Decoded claims from a verified approval token. */
 export interface ApprovalTokenClaims {
   /** The 32-byte random nonce as a Buffer. */
@@ -42,35 +45,203 @@ export interface ApprovalTokenClaims {
   /** Base64-encoded Ed25519 public key of the approver. */
   approverPublicKey: string
 }
-/** The verified, decoded result of a delegation envelope. */
-export interface VerifiedDelegation {
-  /** The authorized key `K` (raw 32-byte Ed25519 public key) as a Buffer. */
-  authorizedKey: Buffer
-  /** The subject string the operator stamped onto the delegation. */
-  sub: string
-  /** The scope the delegated authority was bound to. */
-  scope: string
-  /** The envelope's expiry as Unix seconds (BigInt). */
-  expiryUnixSecs: bigint
-  /** The envelope's not_before as Unix seconds (BigInt). */
-  notBeforeUnixSecs: bigint
+
+/**
+ * Assemble a complete L1 ActionReceipt from a suspended L0 body and an approver's
+ * detached co-signature, operator-signing locally with the project's key.
+ *
+ * MANDATORY-1 is enforced in-core: the loaded operator key MUST equal the
+ * suspended body's `agent_identity`, else `assemble_l1_from_parts` fails closed
+ * with `OperatorKeyMismatch`. After assembly the receipt is verified locally and
+ * returned ONLY if it opens `Valid(L1)`; any other verdict is surfaced as an
+ * error rather than handing back a receipt the offline verifier would reject.
+ *
+ * Returns the serialized ActionReceipt JSON bytes WITH the kernel-signed
+ * commitment block spliced in as a top-level `commitment` sibling (the same shape
+ * the engine `process` path emits, and the shape the SDK finalize consumer lifts
+ * via `receipt.get("commitment")`). The commitment is signed over the FINAL L1
+ * body by the SAME operator key — the SDK never holds the key (CORE-WIRE design
+ * §0.2). `chainHead` is the prior chain head this commitment links to (the SDK
+ * reads it off its local chain); absent/empty defaults to genesis. Only available
+ * with `process` (loads a key from the filesystem; never wasm-reachable).
+ */
+export declare function assembleL1FromParts(suspendedContentJson: string, approverRecordJson: string, approverPubkeyB64: string, coSigB64: string, projectRoot: string, keyPassphrase?: string | undefined | null, relayedAnchorJson?: string | undefined | null, chainHead?: string | undefined | null): Buffer
+
+/**
+ * Assemble a complete multi-approver k-of-n QUORUM ActionReceipt from a suspended
+ * L0 body, the gate's `threshold` + `roster`, and the per-approver detached
+ * co-signatures — operator-signing locally with the project's key. The result
+ * derives and embeds `L1` WITH a `multi_approval` block (a quorum is not a higher
+ * level than single-approver L1).
+ *
+ * MANDATORY-1 is enforced in-core: the loaded operator key MUST equal the
+ * suspended body's `agent_identity`, else assembly fails closed with
+ * `OperatorKeyMismatch` (surfaced as the discriminable `[OperatorKeyMismatch]`
+ * prefix the SDK's key-rotation catch keys on). After assembly the receipt is
+ * verified locally and returned ONLY if it opens `Valid(L1)` with a quorum block;
+ * any other verdict is surfaced as an error rather than handing back a receipt the
+ * offline verifier would reject.
+ *
+ * `parts_json` is a JSON array of `{ record, approverPubkeyB64, coSigB64 }`
+ * objects. `roster_json` is a JSON array of base64 approver public keys.
+ *
+ * Returns the serialized ActionReceipt JSON bytes WITH the kernel-signed commitment
+ * block spliced in as a top-level `commitment` sibling (the same shape the engine
+ * `process` path emits, and the shape the SDK finalize consumer lifts via
+ * `receipt.get("commitment")`). The commitment is signed over the FINAL quorum L1
+ * body by the SAME operator key — the SDK never holds the key (§0.2). `chainHead`
+ * is the prior chain head this commitment links to; absent/empty defaults to
+ * genesis. Only available with `process` (loads a key from the filesystem; never
+ * wasm-reachable).
+ */
+export declare function assembleQuorumFromParts(suspendedContentJson: string, threshold: number, rosterJson: string, partsJson: string, projectRoot: string, keyPassphrase?: string | undefined | null, chainHead?: string | undefined | null): Buffer
+
+/**
+ * Stamp the cross-receipt chain block (`session_id`, `seq`, `prev_receipt_hash`)
+ * into an `ActionContent` BEFORE it is signed, then recompute its `action_hash`
+ * so the returned content is ready to sign — the producer-side helper that closes
+ * the JS verifiable-chain gap (CORE-WIRE design §A.4).
+ *
+ * `contentJson`     — the unstamped `ActionContent` JSON
+ * `sessionId`       — the chain/session this action is bound to
+ * `prevContentJson` — the predecessor receipt's `ActionContent` JSON, or `null`
+ *                     for genesis. The link hash + next `seq` are COMPUTED from
+ *                     it via the kernel's `link_hash` rule (matching `derive.py`).
+ *
+ * CRYPTO-SAFETY: stamping the chain block changes `action_canonical_bytes` →
+ * `action_hash` → the operator signature. This is a SUCCESS-PATH byte change. It
+ * is invoked ONLY for chained sessions; a standalone receipt (no call here) stays
+ * byte-identical to the existing standalone goldens.
+ */
+export declare function bindIntoChainJs(contentJson: string, sessionId: string, prevContentJson?: string | undefined | null): Buffer
+
+/**
+ * BLAKE3 (64-hex) of arbitrary bytes — the result-hash primitive the Node SDK
+ * binds a tool result under, keeping "zero crypto in TS" (Node's crypto has no
+ * BLAKE3). Always available (no OsRng); the JS-side `recordResult` calls this.
+ */
+export declare function blake3Hex(data: Buffer | Uint8Array | string): string
+
+/**
+ * Compute a domain-separated BLAKE3 chain-link digest from two 64-hex hashes.
+ * Maps to the display helper used by the web's crypto.ts.
+ */
+export declare function chainHashHex(prevHex: string, actionHex: string): string
+
+/** Outcome of a chain verification. */
+export interface ChainResult {
+  ok: boolean
+  /** Number of receipts verified (only set when ok == true). */
+  length?: number
+  /** Error kind string (only set when ok == false). */
+  error?: string
+  /** The seq at which the error occurred (only set when ok == false). */
+  seq?: number
+  /** Human-readable detail (only set when ok == false). */
+  detail?: string
 }
-/** Result of a commit-and-reveal redaction. */
-export interface RedactCommitResult {
-  /** The modified fields map as JSON. */
-  fields: string
-  /** The RedactionRecord as JSON. */
-  redactionRecord: string
-  /** The redaction sidecar (salts + reveals) as JSON. */
-  sidecar: string
+
+/**
+ * Classify observed facts against the taxonomy and return the derived ERT.
+ *
+ * `signal_hints_json`: JSON-encoded `SignalHints` (Buffer, Uint8Array, or string)
+ * — the same wire shape as the `signal` field in `ProcessInput`. The target host
+ * is read out-of-band from a custom top-level `host` JSON key (SignalHints itself
+ * has no host field), exactly as the PyO3 `classify` twin does.
+ * `taxonomy_src`: pass `null` for the embedded taxonomy (the pinned
+ * `9f3bbaaf…` anchor), or TOML bytes to classify against a custom taxonomy.
+ *
+ * PURE READ-ONLY: this is an advisory probe — it signs/mints nothing and touches
+ * no canonical/signed bytes. It mirrors the fixed PyO3 `classify` byte-for-byte:
+ * the recorded enum hints (`effect`/`origin`/`observed_via`) are lowered via the
+ * SAME `Effect::parse`/`Origin::parse`/`ObservedVia::parse` the engine uses, so an
+ * unrecognized value parses to `None` (never an invented/relaxed lane). Only
+ * available with the `process` feature (it links `heso-engine`).
+ */
+export declare function classify(signalHintsJson: Buffer | Uint8Array | string, taxonomySrc?: Buffer | undefined | null): ClassifyErt
+
+/**
+ * The derived ERT a `classify` probe returns — the structural classification of
+ * observed facts against the taxonomy. Read-only and advisory: it signs/mints
+ * nothing and touches NO canonical/signed bytes (the same role as the PyO3
+ * `classify`). The string fields are the `snake_case` wire spellings.
+ */
+export interface ClassifyErt {
+  /** The matched taxonomy resource class id (e.g. `payment_endpoint`). */
+  resourceClass: string
+  /** The resource effect (`read_only`/`mutating`/`destructive`/…). */
+  effect: string
+  /** The egress lane (`none`/`internal`/`external`/…). */
+  egress: string
+  /** The observability lane. */
+  observability: string
+  /** The coarse verb wire spelling (`delete`/`payment`/`account_change`/…). */
+  coarseVerb: string
 }
+
 /**
- * Verify a single ActionReceipt from its raw JSON bytes (Buffer, Uint8Array, or string).
- * Never panics — structural failures become `Malformed:…`.
+ * PURE. Return the RFC-8785 (JCS) canonical bytes of a commitment envelope JSON
+ * string — the exact bytes the detached operator signature is computed over
+ * (after the `COMMITMENT_SIGNING_DOMAIN` prefix). Delegates to the single kernel
+ * JCS impl; never re-canonicalizes. Throws `[MALFORMED]` if the JSON does not
+ * parse as a `CommitmentEnvelope` and `[CANON]` if it cannot be canonicalized.
  */
-export declare function verify(receiptBytes: Buffer | Uint8Array | string): ActionVerdict
-/** Verify a receipt AND report its trusted-time status separately. */
-export declare function verifyWithTime(receiptBytesInput: Buffer | Uint8Array | string): ActionVerdictWithTime
+export declare function commitmentEnvelopeCanonicalBytes(envelopeJson: string): Buffer
+
+/**
+ * The **commitment fingerprint** of an Ed25519 public key: `blake3(raw_pubkey)`,
+ * the full 32-byte digest, lowercase 64-hex, NO prefix. This is the value the
+ * producer puts in the wire `signer_fpr` and the cloud joins `approver_keys` on.
+ * It is DISTINCT from [`signer_fingerprint`] (the `heso:`-prefixed Grade-0
+ * fingerprint). Throws `[MALFORMED]` if `pubkeyB64` is not base64 of 32 bytes.
+ */
+export declare function commitmentFingerprint(pubkeyB64: string): string
+
+/**
+ * The kind-tagged verdict of [`verify_commitment`]. `verdict` is one of
+ * `"Valid"`, `"InvalidSignature"`, `"FingerprintMismatch"`, `"WrongAlgorithm"`,
+ * `"Malformed"`; the cloud appends ONLY on `"Valid"`. `signer_fpr` carries the
+ * recomputed `blake3(pubkey)` fingerprint (only meaningful on `"Valid"`).
+ */
+export interface CommitmentVerdict {
+  verdict: string
+  signerFpr: string
+}
+
+/** BLAKE3 (64-hex) of the canonical bytes — the value that goes into `action_hash`. */
+export declare function contentHash(contentJson: string): string
+
+/**
+ * Generate a fresh random OperatorKey using OS entropy (native-only).
+ * Do NOT call from any wasm-reachable path.
+ */
+export declare function generateKey(): OperatorKey
+
+/**
+ * True when a coarse verb wire spelling trips the credential floor's
+ * "destructive" lane — the LOCKED set `{delete, payment, account_change}`. The
+ * single source of this mapping for JS callers, mirroring the PyO3 helper so the
+ * two bindings agree. Pure read-only.
+ */
+export declare function isDestructive(coarseVerb: string): boolean
+
+/**
+ * Construct an OperatorKey from a 32-byte seed (OsRng-free, deterministic).
+ * The preferred/documented entry point.
+ */
+export declare function keyFromSeed(seed: Buffer): OperatorKey
+
+/**
+ * Promote a suspended L0 `ActionContent` to its L1 body (embed the approver
+ * record, recompute `action_hash`) and return that body's RFC-8785 (JCS)
+ * canonical bytes — the exact bytes the operator and approver sign.
+ *
+ * Key-free (`build_l1_content` is pure), so this is always compiled. It lets
+ * the SDK reproduce the L1 signing payload off-process and assert byte-parity
+ * with the native mint without ever touching a key.
+ */
+export declare function l1ContentCanonicalBytesJs(suspendedContentJson: string, approverRecordJson: string): Buffer
+
 /**
  * The base verdict + the rendered signed metrics + the offline-recomputed cost.
  *
@@ -120,56 +291,118 @@ export interface MetricsVerdict {
   /** Whether the passed-in card is the one the receipt named. */
   cardIdMatches: boolean
 }
+
 /**
- * Verify a single `ActionReceipt` AND render its signed metrics + recompute cost
- * from the passed-in public rate card — the node mirror of the WASM
- * `verifyActionReceiptWithRates`.
+ * Process an action through the compliance pipeline (in-process, no subprocess).
  *
- * Runs the EXISTING offline verify for the base outcome + trust level (so that
- * path is unchanged), then renders the signed metrics and recomputes the cost via
- * the SHARED `heso_action::metrics_view` glue. Never throws on a malformed receipt
- * or card — those degrade to `has_metrics: false` / `priced: false` exactly as the
- * WASM export does. The cost render is purely informational and NEVER masks a
- * verify failure: a tampered metric flips the `action_hash`, so `verdict` is a
- * non-`Valid` tag while the (meaningless) recompute still reflects whatever bytes
- * are present — the caller branches on `verdict`, never the dollar figure.
+ * `process_input_json`: JSON-encoded `ProcessInput` (Buffer, Uint8Array, or string).
+ * `project_root`: path to the project root holding `heso.toml` and `heso-local-data/`
+ * (operator key, audit log, approval queue) — the same layout the PyO3 wheel reads.
  *
- * `receipt_bytes`   — the raw `ActionReceipt` JSON bytes (Buffer/Uint8Array/string).
- * `rate_card_json`  — the public rate-card JSON the cost is recomputed from.
+ * Returns JSON-encoded `ProcessOutput` bytes, tagged on `status`
+ * (`allowed`/`blocked`/`suspended`). Only available with the `process` feature.
+ *
+ * Named `process_action` (JS `processAction`) — NOT `process` — because a napi
+ * export named `process` shadows Node's global `process` in the generated loader.
  */
-export declare function verifyWithRates(receiptBytes: Buffer | Uint8Array | string, rateCardJson: string): MetricsVerdict
+export declare function processAction(processInputJson: Buffer | Uint8Array | string, projectRoot: string): Buffer
+
 /**
- * Verify a receipt AND re-derive its ERT classification from the embedded taxonomy
- * (heso-engine's ClassifyReDeriver). Only available when `process` is enabled.
+ * Append an approver/ledger-signed decision link to a session's chain. Mirrors the
+ * PyO3 `process_append_decision` body 1:1.
+ *
+ * `kind`: one of `"approved"` / `"denied"` / `"escalated"` / `"expired"`. **Fails
+ * closed** without a `decision.key` unless `INSECURE_DECISION_KEY_ENV` is set
+ * (see `load_decision_signer`) — the approver key is cloud-custodied in prod.
  */
-export declare function verifyRederiving(receiptBytesInput: Buffer | Uint8Array | string): ActionVerdict
+export declare function processAppendDecision(projectRoot: string, sessionId: string, kind: string, reason?: string | undefined | null, decidedAt?: string | undefined | null): void
+
 /**
- * Return the RFC-8785 (JCS) canonical bytes of an ActionContent JSON string,
- * with `action_hash` stripped. Single source of canonical bytes — never
- * reimplement JCS in TS.
+ * Read the current lifecycle state of a session chain (the head link's kind).
+ * Mirrors the PyO3 `process_read_chain_head` body 1:1.
+ *
+ * Returns the head kind as a lowercase string (`"suspended"` / `"approved"` /
+ * `"denied"` / `"expired"` / `"completed"` / `"escalated"`), or `None` if no chain
+ * exists yet.
  */
-export declare function actionCanonicalBytesJs(contentJson: string): Buffer
+export declare function processReadChainHead(projectRoot: string, sessionId: string): string | null
+
 /**
- * Promote a suspended L0 `ActionContent` to its L1 body (embed the approver
- * record, recompute `action_hash`) and return that body's RFC-8785 (JCS)
- * canonical bytes — the exact bytes the operator and approver sign.
+ * Resume a suspended session: re-read the chain, apply the decision, fire-or-replay.
+ * Mirrors the PyO3 `process_resume` body 1:1. On `Fire` it mints + appends the
+ * `completed` link under `ACTION_SIGNING_DOMAIN` and advances the cursor.
  *
- * Key-free (`build_l1_content` is pure), so this is always compiled. It lets
- * the SDK reproduce the L1 signing payload off-process and assert byte-parity
- * with the native mint without ever touching a key.
+ * Returns JSON bytes `{"decision": str, "committed": bool, "kind"?: str,
+ * "reason"?: str}` where `decision` is one of
+ * `fire`/`replay`/`pending`/`terminal`/`uncertain`/`refused`.
  */
-export declare function l1ContentCanonicalBytesJs(suspendedContentJson: string, approverRecordJson: string): Buffer
-/** BLAKE3 (64-hex) of the canonical bytes — the value that goes into `action_hash`. */
-export declare function contentHash(contentJson: string): string
-/** Pre-anchor BLAKE3 hash (excludes `time_anchor` from the canonical bytes). */
-export declare function anchoredContentHashJs(contentJson: string): string
+export declare function processResume(processInputJson: Buffer | Uint8Array | string, projectRoot: string, sessionId: string, presentedToken: string, contextBlob: Buffer): Buffer
+
+/**
+ * Suspend a gated action: mint the signed `suspended` chain link and return the
+ * raw resume token (returned ONCE) plus the action spec hash. Mirrors the PyO3
+ * `process_suspend` body 1:1 — the ProcessInput MUST carry `reclassify=false` so
+ * the descriptor is signed verbatim and stays byte-stable across the lifecycle.
+ *
+ * Returns JSON bytes:
+ * `{"session_id": str, "resume_token": str, "action_spec": str, "chain_path": str}`.
+ */
+export declare function processSuspend(processInputJson: Buffer | Uint8Array | string, projectRoot: string, sessionId: string, sla: string, expiresAt: string, onTimeout: string, contextScheme: string, contextBlob: Buffer, toolVersionHash?: string | undefined | null): Buffer
+
+/**
+ * Commit-and-reveal redaction.
+ * `salts` is an array of 32-byte Buffers (one per field, in order).
+ */
+export declare function redactCommitJs(fieldsJson: string, fieldPaths: Array<string>, salts: Array<Buffer>): RedactCommitResult
+
+/** Result of a commit-and-reveal redaction. */
+export interface RedactCommitResult {
+  /** The modified fields map as JSON. */
+  fields: string
+  /** The RedactionRecord as JSON. */
+  redactionRecord: string
+  /** The redaction sidecar (salts + reveals) as JSON. */
+  sidecar: string
+}
+
+/** Destructively redact fields and return the modified fields JSON. */
+export declare function redactDestructiveJs(fieldsJson: string, fieldPaths: Array<string>): string
+
 /** Return a short display form of a 64-hex BLAKE3 hash: `{prefix}:{first8}`. */
 export declare function shortHash(hex: string, prefix?: string | undefined | null): string
+
 /**
- * Compute a domain-separated BLAKE3 chain-link digest from two 64-hex hashes.
- * Maps to the display helper used by the web's crypto.ts.
+ * The `heso:`-prefixed Grade-0 **signer fingerprint** of an Ed25519 public key
+ * (`heso_verify::signer_fingerprint`). This is the identity-tier fingerprint —
+ * NOT the commitment fingerprint (see [`commitment_fingerprint`]). Exposed here
+ * because it is otherwise unexposed in every binding and other surfaces need it.
+ * Returns `null` when `pubkeyB64` is not a valid 32-byte Ed25519 key.
  */
-export declare function chainHashHex(prevHex: string, actionHex: string): string
+export declare function signerFingerprint(pubkeyB64: string): string | null
+
+/** Return the hex hash of the embedded taxonomy (golden: 9f3bbaaf…). */
+export declare function taxonomyHash(): string
+
+/** The verified, decoded result of a delegation envelope. */
+export interface VerifiedDelegation {
+  /** The authorized key `K` (raw 32-byte Ed25519 public key) as a Buffer. */
+  authorizedKey: Buffer
+  /** The subject string the operator stamped onto the delegation. */
+  sub: string
+  /** The scope the delegated authority was bound to. */
+  scope: string
+  /** The envelope's expiry as Unix seconds (BigInt). */
+  expiryUnixSecs: bigint
+  /** The envelope's not_before as Unix seconds (BigInt). */
+  notBeforeUnixSecs: bigint
+}
+
+/**
+ * Verify a single ActionReceipt from its raw JSON bytes (Buffer, Uint8Array, or string).
+ * Never panics — structural failures become `Malformed:…`.
+ */
+export declare function verify(receiptBytes: Buffer | Uint8Array | string): ActionVerdict
+
 /**
  * Verify an approval token. Throws a napi Error with a `[CODE]` prefix on failure.
  *
@@ -178,30 +411,19 @@ export declare function chainHashHex(prevHex: string, actionHex: string): string
  * rejected `[OutOfDecision]`.
  */
 export declare function verifyApprovalToken(token: Buffer, actionCanonical: Buffer, nowUnixSecs: bigint, seenNonces: Array<Buffer>, requiredScope: string, requiredDecision: string, registeredKeysB64: Array<string>): ApprovalTokenClaims
+
 /**
- * Verify a delegation envelope and its human co-sign. Throws a napi Error with a
- * `[CODE]` prefix on failure (mirrors `verifyApprovalToken`).
- *
- * `wire`                — raw delegation envelope bytes (Buffer)
- * `registered_operator_key` — the org-registered operator public key (raw 32-byte Buffer)
- * `action_hash`         — the raw 32-byte BLAKE3 action digest being authorized (Buffer)
- * `approval_token`      — the human co-sign bearer token presented by K (Buffer)
- * `required_scope`      — the required scope string
- * `required_decision`   — the verdict the co-sign must carry ("approved"/"rejected"),
- *                         NON-DEFAULTED (same SEC-02 binding as the approver path)
- * `now_unix_secs`       — current time as BigInt Unix seconds
+ * Verify a BLAKE3 audit chain from its raw JSONL bytes (Buffer or string).
+ * Returns true if every link hashes correctly, false on any break.
  */
-export declare function verifyDelegation(wire: Buffer, registeredOperatorKey: Buffer, actionHash: Buffer, approvalToken: Buffer, requiredScope: string, requiredDecision: string, nowUnixSecs: bigint): VerifiedDelegation
+export declare function verifyAuditChain(bytes: Buffer | string): boolean
+
 /**
- * The kind-tagged verdict of [`verify_commitment`]. `verdict` is one of
- * `"Valid"`, `"InvalidSignature"`, `"FingerprintMismatch"`, `"WrongAlgorithm"`,
- * `"Malformed"`; the cloud appends ONLY on `"Valid"`. `signer_fpr` carries the
- * recomputed `blake3(pubkey)` fingerprint (only meaningful on `"Valid"`).
+ * Verify an ordered array of ActionReceipts as a tamper-evident chain.
+ * Input: array of Buffers (one per receipt) OR a JSON string of an array.
  */
-export interface CommitmentVerdict {
-  verdict: string
-  signerFpr: string
-}
+export declare function verifyChain(receiptsBytes: Array<Buffer> | string): ChainResult
+
 /**
  * REJECT-MORE-ONLY. Verify a detached commitment-envelope signature received by
  * the cloud: parse the envelope JSON bytes, re-canonicalize VIA THE KERNEL,
@@ -218,61 +440,25 @@ export interface CommitmentVerdict {
  * `claimedSignerFpr`  — the wire `signer_fpr` (`blake3(pubkey)` 64-hex)
  */
 export declare function verifyCommitment(envelopeBytes: Buffer, operatorPubkeyB64: string, detachedSigB64: string, claimedSignerFpr: string): CommitmentVerdict
+
+/** RFC-6962 consistency proof verification. */
+export declare function verifyConsistencyJs(oldSize: number, oldRootHex: string, newSize: number, newRootHex: string, proofHashes: Array<string>): boolean
+
 /**
- * PURE. Return the RFC-8785 (JCS) canonical bytes of a commitment envelope JSON
- * string — the exact bytes the detached operator signature is computed over
- * (after the `COMMITMENT_SIGNING_DOMAIN` prefix). Delegates to the single kernel
- * JCS impl; never re-canonicalizes. Throws `[MALFORMED]` if the JSON does not
- * parse as a `CommitmentEnvelope` and `[CANON]` if it cannot be canonicalized.
- */
-export declare function commitmentEnvelopeCanonicalBytes(envelopeJson: string): Buffer
-/**
- * The **commitment fingerprint** of an Ed25519 public key: `blake3(raw_pubkey)`,
- * the full 32-byte digest, lowercase 64-hex, NO prefix. This is the value the
- * producer puts in the wire `signer_fpr` and the cloud joins `approver_keys` on.
- * It is DISTINCT from [`signer_fingerprint`] (the `heso:`-prefixed Grade-0
- * fingerprint). Throws `[MALFORMED]` if `pubkeyB64` is not base64 of 32 bytes.
- */
-export declare function commitmentFingerprint(pubkeyB64: string): string
-/**
- * The `heso:`-prefixed Grade-0 **signer fingerprint** of an Ed25519 public key
- * (`heso_verify::signer_fingerprint`). This is the identity-tier fingerprint —
- * NOT the commitment fingerprint (see [`commitment_fingerprint`]). Exposed here
- * because it is otherwise unexposed in every binding and other surfaces need it.
- * Returns `null` when `pubkeyB64` is not a valid 32-byte Ed25519 key.
- */
-export declare function signerFingerprint(pubkeyB64: string): string | null
-/**
- * Stamp the cross-receipt chain block (`session_id`, `seq`, `prev_receipt_hash`)
- * into an `ActionContent` BEFORE it is signed, then recompute its `action_hash`
- * so the returned content is ready to sign — the producer-side helper that closes
- * the JS verifiable-chain gap (CORE-WIRE design §A.4).
- *
- * `contentJson`     — the unstamped `ActionContent` JSON
- * `sessionId`       — the chain/session this action is bound to
- * `prevContentJson` — the predecessor receipt's `ActionContent` JSON, or `null`
- *                     for genesis. The link hash + next `seq` are COMPUTED from
- *                     it via the kernel's `link_hash` rule (matching `derive.py`).
+ * Verify a delegation envelope and its human co-sign. Throws a napi Error with a
+ * `[CODE]` prefix on failure (mirrors `verifyApprovalToken`).
  *
- * CRYPTO-SAFETY: stamping the chain block changes `action_canonical_bytes` →
- * `action_hash` → the operator signature. This is a SUCCESS-PATH byte change. It
- * is invoked ONLY for chained sessions; a standalone receipt (no call here) stays
- * byte-identical to the existing standalone goldens.
- */
-export declare function bindIntoChainJs(contentJson: string, sessionId: string, prevContentJson?: string | undefined | null): Buffer
-/**
- * Verify an ordered array of ActionReceipts as a tamper-evident chain.
- * Input: array of Buffers (one per receipt) OR a JSON string of an array.
- */
-export declare function verifyChain(receiptsBytes: Array<Buffer> | string): ChainResult
-/** Verify a session chain (lifecycle role + transition checks). */
-export declare function verifySessionChainJs(receiptsBytes: Array<Buffer> | string): ChainResult
-/**
- * Verify a session chain with key-rotation as-of-position enforcement.
- * `producer_key` is the base64 genesis producer key (TOFU pin).
- * `decision_key` is the optional base64 genesis decision key.
+ * `wire`                — raw delegation envelope bytes (Buffer)
+ * `registered_operator_key` — the org-registered operator public key (raw 32-byte Buffer)
+ * `action_hash`         — the raw 32-byte BLAKE3 action digest being authorized (Buffer)
+ * `approval_token`      — the human co-sign bearer token presented by K (Buffer)
+ * `required_scope`      — the required scope string
+ * `required_decision`   — the verdict the co-sign must carry ("approved"/"rejected"),
+ *                         NON-DEFAULTED (same SEC-02 binding as the approver path)
+ * `now_unix_secs`       — current time as BigInt Unix seconds
  */
-export declare function verifySessionChainWithRotationJs(receiptsBytes: Array<Buffer> | string, producerKey: string, decisionKey?: string | undefined | null): ChainResult
+export declare function verifyDelegation(wire: Buffer, registeredOperatorKey: Buffer, actionHash: Buffer, approvalToken: Buffer, requiredScope: string, requiredDecision: string, nowUnixSecs: bigint): VerifiedDelegation
+
 /**
  * RFC-6962 inclusion proof verification (SHA-256 Merkle tree).
  * `leaf_value_hex` is the 64-hex `action_hash`; raw bytes are the leaf value.
@@ -280,65 +466,13 @@ export declare function verifySessionChainWithRotationJs(receiptsBytes: Array<Bu
  * `root_hex` is the 64-hex SHA-256 tree root.
  */
 export declare function verifyInclusionJs(leafValueHex: string, index: number, size: number, rootHex: string, proofHashes: Array<string>): boolean
-/** RFC-6962 consistency proof verification. */
-export declare function verifyConsistencyJs(oldSize: number, oldRootHex: string, newSize: number, newRootHex: string, proofHashes: Array<string>): boolean
-/**
- * Verify a BLAKE3 audit chain from its raw JSONL bytes (Buffer or string).
- * Returns true if every link hashes correctly, false on any break.
- */
-export declare function verifyAuditChain(bytes: Buffer | string): boolean
-/** Return the hex hash of the embedded taxonomy (golden: 9f3bbaaf…). */
-export declare function taxonomyHash(): string
-/**
- * The derived ERT a `classify` probe returns — the structural classification of
- * observed facts against the taxonomy. Read-only and advisory: it signs/mints
- * nothing and touches NO canonical/signed bytes (the same role as the PyO3
- * `classify`). The string fields are the `snake_case` wire spellings.
- */
-export interface ClassifyErt {
-  /** The matched taxonomy resource class id (e.g. `payment_endpoint`). */
-  resourceClass: string
-  /** The resource effect (`read_only`/`mutating`/`destructive`/…). */
-  effect: string
-  /** The egress lane (`none`/`internal`/`external`/…). */
-  egress: string
-  /** The observability lane. */
-  observability: string
-  /** The coarse verb wire spelling (`delete`/`payment`/`account_change`/…). */
-  coarseVerb: string
-}
-/**
- * Classify observed facts against the taxonomy and return the derived ERT.
- *
- * `signal_hints_json`: JSON-encoded `SignalHints` (Buffer, Uint8Array, or string)
- * — the same wire shape as the `signal` field in `ProcessInput`. The target host
- * is read out-of-band from a custom top-level `host` JSON key (SignalHints itself
- * has no host field), exactly as the PyO3 `classify` twin does.
- * `taxonomy_src`: pass `null` for the embedded taxonomy (the pinned
- * `9f3bbaaf…` anchor), or TOML bytes to classify against a custom taxonomy.
- *
- * PURE READ-ONLY: this is an advisory probe — it signs/mints nothing and touches
- * no canonical/signed bytes. It mirrors the fixed PyO3 `classify` byte-for-byte:
- * the recorded enum hints (`effect`/`origin`/`observed_via`) are lowered via the
- * SAME `Effect::parse`/`Origin::parse`/`ObservedVia::parse` the engine uses, so an
- * unrecognized value parses to `None` (never an invented/relaxed lane). Only
- * available with the `process` feature (it links `heso-engine`).
- */
-export declare function classify(signalHintsJson: Buffer | Uint8Array | string, taxonomySrc?: Buffer | undefined | null): ClassifyErt
-/**
- * True when a coarse verb wire spelling trips the credential floor's
- * "destructive" lane — the LOCKED set `{delete, payment, account_change}`. The
- * single source of this mapping for JS callers, mirroring the PyO3 helper so the
- * two bindings agree. Pure read-only.
- */
-export declare function isDestructive(coarseVerb: string): boolean
-/** Destructively redact fields and return the modified fields JSON. */
-export declare function redactDestructiveJs(fieldsJson: string, fieldPaths: Array<string>): string
+
 /**
- * Commit-and-reveal redaction.
- * `salts` is an array of 32-byte Buffers (one per field, in order).
+ * Verify a receipt AND re-derive its ERT classification from the embedded taxonomy
+ * (heso-engine's ClassifyReDeriver). Only available when `process` is enabled.
  */
-export declare function redactCommitJs(fieldsJson: string, fieldPaths: Array<string>, salts: Array<Buffer>): RedactCommitResult
+export declare function verifyRederiving(receiptBytesInput: Buffer | Uint8Array | string): ActionVerdict
+
 /**
  * Verify a single commit-and-reveal field reveal against its signed redaction
  * marker: recompute `BLAKE3(salt ++ field_path ++ value)` and check it equals
@@ -350,124 +484,35 @@ export declare function redactCommitJs(fieldsJson: string, fieldPaths: Array<str
  *                 `content.redaction.markers`.
  */
 export declare function verifyRevealJs(revealJson: string, markerJson: string): boolean
+
+/** Verify a session chain (lifecycle role + transition checks). */
+export declare function verifySessionChainJs(receiptsBytes: Array<Buffer> | string): ChainResult
+
 /**
- * Construct an OperatorKey from a 32-byte seed (OsRng-free, deterministic).
- * The preferred/documented entry point.
- */
-export declare function keyFromSeed(seed: Buffer): OperatorKey
-/**
- * Generate a fresh random OperatorKey using OS entropy (native-only).
- * Do NOT call from any wasm-reachable path.
- */
-export declare function generateKey(): OperatorKey
-/**
- * BLAKE3 (64-hex) of arbitrary bytes — the result-hash primitive the Node SDK
- * binds a tool result under, keeping "zero crypto in TS" (Node's crypto has no
- * BLAKE3). Always available (no OsRng); the JS-side `recordResult` calls this.
- */
-export declare function blake3Hex(data: Buffer | Uint8Array | string): string
-/**
- * Process an action through the compliance pipeline (in-process, no subprocess).
- *
- * `process_input_json`: JSON-encoded `ProcessInput` (Buffer, Uint8Array, or string).
- * `project_root`: path to the project root holding `heso.toml` and `heso-local-data/`
- * (operator key, audit log, approval queue) — the same layout the PyO3 wheel reads.
- *
- * Returns JSON-encoded `ProcessOutput` bytes, tagged on `status`
- * (`allowed`/`blocked`/`suspended`). Only available with the `process` feature.
- *
- * Named `process_action` (JS `processAction`) — NOT `process` — because a napi
- * export named `process` shadows Node's global `process` in the generated loader.
- */
-export declare function processAction(processInputJson: Buffer | Uint8Array | string, projectRoot: string): Buffer
-/**
- * Assemble a complete L1 ActionReceipt from a suspended L0 body and an approver's
- * detached co-signature, operator-signing locally with the project's key.
- *
- * MANDATORY-1 is enforced in-core: the loaded operator key MUST equal the
- * suspended body's `agent_identity`, else `assemble_l1_from_parts` fails closed
- * with `OperatorKeyMismatch`. After assembly the receipt is verified locally and
- * returned ONLY if it opens `Valid(L1)`; any other verdict is surfaced as an
- * error rather than handing back a receipt the offline verifier would reject.
- *
- * Returns the serialized ActionReceipt JSON bytes WITH the kernel-signed
- * commitment block spliced in as a top-level `commitment` sibling (the same shape
- * the engine `process` path emits, and the shape the SDK finalize consumer lifts
- * via `receipt.get("commitment")`). The commitment is signed over the FINAL L1
- * body by the SAME operator key — the SDK never holds the key (CORE-WIRE design
- * §0.2). `chainHead` is the prior chain head this commitment links to (the SDK
- * reads it off its local chain); absent/empty defaults to genesis. Only available
- * with `process` (loads a key from the filesystem; never wasm-reachable).
- */
-export declare function assembleL1FromParts(suspendedContentJson: string, approverRecordJson: string, approverPubkeyB64: string, coSigB64: string, projectRoot: string, keyPassphrase?: string | undefined | null, relayedAnchorJson?: string | undefined | null, chainHead?: string | undefined | null): Buffer
-/**
- * Assemble a complete multi-approver k-of-n QUORUM ActionReceipt from a suspended
- * L0 body, the gate's `threshold` + `roster`, and the per-approver detached
- * co-signatures — operator-signing locally with the project's key. The result
- * derives and embeds `L1` WITH a `multi_approval` block (a quorum is not a higher
- * level than single-approver L1).
- *
- * MANDATORY-1 is enforced in-core: the loaded operator key MUST equal the
- * suspended body's `agent_identity`, else assembly fails closed with
- * `OperatorKeyMismatch` (surfaced as the discriminable `[OperatorKeyMismatch]`
- * prefix the SDK's key-rotation catch keys on). After assembly the receipt is
- * verified locally and returned ONLY if it opens `Valid(L1)` with a quorum block;
- * any other verdict is surfaced as an error rather than handing back a receipt the
- * offline verifier would reject.
- *
- * `parts_json` is a JSON array of `{ record, approverPubkeyB64, coSigB64 }`
- * objects. `roster_json` is a JSON array of base64 approver public keys.
- *
- * Returns the serialized ActionReceipt JSON bytes WITH the kernel-signed commitment
- * block spliced in as a top-level `commitment` sibling (the same shape the engine
- * `process` path emits, and the shape the SDK finalize consumer lifts via
- * `receipt.get("commitment")`). The commitment is signed over the FINAL quorum L1
- * body by the SAME operator key — the SDK never holds the key (§0.2). `chainHead`
- * is the prior chain head this commitment links to; absent/empty defaults to
- * genesis. Only available with `process` (loads a key from the filesystem; never
- * wasm-reachable).
- */
-export declare function assembleQuorumFromParts(suspendedContentJson: string, threshold: number, rosterJson: string, partsJson: string, projectRoot: string, keyPassphrase?: string | undefined | null, chainHead?: string | undefined | null): Buffer
-/**
- * Suspend a gated action: mint the signed `suspended` chain link and return the
- * raw resume token (returned ONCE) plus the action spec hash. Mirrors the PyO3
- * `process_suspend` body 1:1 — the ProcessInput MUST carry `reclassify=false` so
- * the descriptor is signed verbatim and stays byte-stable across the lifecycle.
- *
- * Returns JSON bytes:
- * `{"session_id": str, "resume_token": str, "action_spec": str, "chain_path": str}`.
- */
-export declare function processSuspend(processInputJson: Buffer | Uint8Array | string, projectRoot: string, sessionId: string, sla: string, expiresAt: string, onTimeout: string, contextScheme: string, contextBlob: Buffer, toolVersionHash?: string | undefined | null): Buffer
-/**
- * Resume a suspended session: re-read the chain, apply the decision, fire-or-replay.
- * Mirrors the PyO3 `process_resume` body 1:1. On `Fire` it mints + appends the
- * `completed` link under `ACTION_SIGNING_DOMAIN` and advances the cursor.
- *
- * Returns JSON bytes `{"decision": str, "committed": bool, "kind"?: str,
- * "reason"?: str}` where `decision` is one of
- * `fire`/`replay`/`pending`/`terminal`/`uncertain`/`refused`.
+ * Verify a session chain with key-rotation as-of-position enforcement.
+ * `producer_key` is the base64 genesis producer key (TOFU pin).
+ * `decision_key` is the optional base64 genesis decision key.
  */
-export declare function processResume(processInputJson: Buffer | Uint8Array | string, projectRoot: string, sessionId: string, presentedToken: string, contextBlob: Buffer): Buffer
+export declare function verifySessionChainWithRotationJs(receiptsBytes: Array<Buffer> | string, producerKey: string, decisionKey?: string | undefined | null): ChainResult
+
 /**
- * Append an approver/ledger-signed decision link to a session's chain. Mirrors the
- * PyO3 `process_append_decision` body 1:1.
+ * Verify a single `ActionReceipt` AND render its signed metrics + recompute cost
+ * from the passed-in public rate card — the node mirror of the WASM
+ * `verifyActionReceiptWithRates`.
  *
- * `kind`: one of `"approved"` / `"denied"` / `"escalated"` / `"expired"`. **Fails
- * closed** without a `decision.key` unless [`INSECURE_DECISION_KEY_ENV`] is set
- * (see `load_decision_signer`) — the approver key is cloud-custodied in prod.
- */
-export declare function processAppendDecision(projectRoot: string, sessionId: string, kind: string, reason?: string | undefined | null, decidedAt?: string | undefined | null): void
-/**
- * Read the current lifecycle state of a session chain (the head link's kind).
- * Mirrors the PyO3 `process_read_chain_head` body 1:1.
+ * Runs the EXISTING offline verify for the base outcome + trust level (so that
+ * path is unchanged), then renders the signed metrics and recomputes the cost via
+ * the SHARED `heso_action::metrics_view` glue. Never throws on a malformed receipt
+ * or card — those degrade to `has_metrics: false` / `priced: false` exactly as the
+ * WASM export does. The cost render is purely informational and NEVER masks a
+ * verify failure: a tampered metric flips the `action_hash`, so `verdict` is a
+ * non-`Valid` tag while the (meaningless) recompute still reflects whatever bytes
+ * are present — the caller branches on `verdict`, never the dollar figure.
  *
- * Returns the head kind as a lowercase string (`"suspended"` / `"approved"` /
- * `"denied"` / `"expired"` / `"completed"` / `"escalated"`), or `None` if no chain
- * exists yet.
+ * `receipt_bytes`   — the raw `ActionReceipt` JSON bytes (Buffer/Uint8Array/string).
+ * `rate_card_json`  — the public rate-card JSON the cost is recomputed from.
  */
-export declare function processReadChainHead(projectRoot: string, sessionId: string): string | null
-/** A loaded operator key, exposing just the public-key surface. */
-export declare class OperatorKey {
-  /** Return the base64 standard-alphabet public key. */
-  publicKeyB64(): string
-}
+export declare function verifyWithRates(receiptBytes: Buffer | Uint8Array | string, rateCardJson: string): MetricsVerdict
+
+/** Verify a receipt AND report its trusted-time status separately. */
+export declare function verifyWithTime(receiptBytesInput: Buffer | Uint8Array | string): ActionVerdictWithTime