npm - @hesohq/verify-wasm - Versions diffs - 0.1.0-dev.2 - Mend

@hesohq/verify-wasm 0.1.0-dev.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/heso_wasm.js ADDED Viewed

@@ -0,0 +1,1125 @@
+/* @ts-self-types="./heso_wasm.d.ts" */
+/**
+ * The verdict returned by all single-receipt verify functions.
+ */
+export class ActionVerdict {
+    static __wrap(ptr) {
+        const obj = Object.create(ActionVerdict.prototype);
+        obj.__wbg_ptr = ptr;
+        ActionVerdictFinalization.register(obj, obj.__wbg_ptr, obj);
+        return obj;
+    }
+    __destroy_into_raw() {
+        const ptr = this.__wbg_ptr;
+        this.__wbg_ptr = 0;
+        ActionVerdictFinalization.unregister(this);
+        return ptr;
+    }
+    free() {
+        const ptr = this.__destroy_into_raw();
+        wasm.__wbg_actionverdict_free(ptr, 0);
+    }
+    /**
+     * The re-derived trust level: `"L0"` or `"L1"`.
+     * Only meaningful when `verdict == "Valid"`.
+     * @returns {string}
+     */
+    get trust_level() {
+        let deferred1_0;
+        let deferred1_1;
+        try {
+            const ret = wasm.__wbg_get_actionverdict_trust_level(this.__wbg_ptr);
+            deferred1_0 = ret[0];
+            deferred1_1 = ret[1];
+            return getStringFromWasm0(ret[0], ret[1]);
+        } finally {
+            wasm.__wbindgen_free(deferred1_0, deferred1_1, 1);
+        }
+    }
+    /**
+     * One of the `ActionOutcome` variant names as a string. "Valid" on success;
+     * "WrongAlgorithm:…", "HashMismatch", "InvalidSignature:…", etc. on failure.
+     * @returns {string}
+     */
+    get verdict() {
+        let deferred1_0;
+        let deferred1_1;
+        try {
+            const ret = wasm.__wbg_get_actionverdict_verdict(this.__wbg_ptr);
+            deferred1_0 = ret[0];
+            deferred1_1 = ret[1];
+            return getStringFromWasm0(ret[0], ret[1]);
+        } finally {
+            wasm.__wbindgen_free(deferred1_0, deferred1_1, 1);
+        }
+    }
+    /**
+     * The re-derived trust level: `"L0"` or `"L1"`.
+     * Only meaningful when `verdict == "Valid"`.
+     * @param {string} arg0
+     */
+    set trust_level(arg0) {
+        const ptr0 = passStringToWasm0(arg0, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        wasm.__wbg_set_actionverdict_trust_level(this.__wbg_ptr, ptr0, len0);
+    }
+    /**
+     * One of the `ActionOutcome` variant names as a string. "Valid" on success;
+     * "WrongAlgorithm:…", "HashMismatch", "InvalidSignature:…", etc. on failure.
+     * @param {string} arg0
+     */
+    set verdict(arg0) {
+        const ptr0 = passStringToWasm0(arg0, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        wasm.__wbg_set_actionverdict_verdict(this.__wbg_ptr, ptr0, len0);
+    }
+}
+if (Symbol.dispose) ActionVerdict.prototype[Symbol.dispose] = ActionVerdict.prototype.free;
+/**
+ * Decoded claims from a verified approval token.
+ */
+export class ApprovalTokenClaims {
+    static __wrap(ptr) {
+        const obj = Object.create(ApprovalTokenClaims.prototype);
+        obj.__wbg_ptr = ptr;
+        ApprovalTokenClaimsFinalization.register(obj, obj.__wbg_ptr, obj);
+        return obj;
+    }
+    __destroy_into_raw() {
+        const ptr = this.__wbg_ptr;
+        this.__wbg_ptr = 0;
+        ApprovalTokenClaimsFinalization.unregister(this);
+        return ptr;
+    }
+    free() {
+        const ptr = this.__destroy_into_raw();
+        wasm.__wbg_approvaltokenclaims_free(ptr, 0);
+    }
+    /**
+     * Base64-encoded Ed25519 public key of the approver.
+     * @returns {string}
+     */
+    get approver_public_key() {
+        let deferred1_0;
+        let deferred1_1;
+        try {
+            const ret = wasm.__wbg_get_approvaltokenclaims_approver_public_key(this.__wbg_ptr);
+            deferred1_0 = ret[0];
+            deferred1_1 = ret[1];
+            return getStringFromWasm0(ret[0], ret[1]);
+        } finally {
+            wasm.__wbindgen_free(deferred1_0, deferred1_1, 1);
+        }
+    }
+    /**
+     * Expiry as Unix seconds (`BigInt`).
+     * @returns {bigint}
+     */
+    get expiry_unix_secs() {
+        const ret = wasm.__wbg_get_approvaltokenclaims_expiry_unix_secs(this.__wbg_ptr);
+        return ret;
+    }
+    /**
+     * The 32-byte random nonce as a `Uint8Array`.
+     * @returns {Uint8Array}
+     */
+    get nonce() {
+        const ret = wasm.__wbg_get_approvaltokenclaims_nonce(this.__wbg_ptr);
+        return ret;
+    }
+    /**
+     * The scope string encoded in the token.
+     * @returns {string}
+     */
+    get scope() {
+        let deferred1_0;
+        let deferred1_1;
+        try {
+            const ret = wasm.__wbg_get_approvaltokenclaims_scope(this.__wbg_ptr);
+            deferred1_0 = ret[0];
+            deferred1_1 = ret[1];
+            return getStringFromWasm0(ret[0], ret[1]);
+        } finally {
+            wasm.__wbindgen_free(deferred1_0, deferred1_1, 1);
+        }
+    }
+    /**
+     * Base64-encoded Ed25519 public key of the approver.
+     * @param {string} arg0
+     */
+    set approver_public_key(arg0) {
+        const ptr0 = passStringToWasm0(arg0, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        wasm.__wbg_set_approvaltokenclaims_approver_public_key(this.__wbg_ptr, ptr0, len0);
+    }
+    /**
+     * Expiry as Unix seconds (`BigInt`).
+     * @param {bigint} arg0
+     */
+    set expiry_unix_secs(arg0) {
+        wasm.__wbg_set_approvaltokenclaims_expiry_unix_secs(this.__wbg_ptr, arg0);
+    }
+    /**
+     * The 32-byte random nonce as a `Uint8Array`.
+     * @param {Uint8Array} arg0
+     */
+    set nonce(arg0) {
+        wasm.__wbg_set_approvaltokenclaims_nonce(this.__wbg_ptr, arg0);
+    }
+    /**
+     * The scope string encoded in the token.
+     * @param {string} arg0
+     */
+    set scope(arg0) {
+        const ptr0 = passStringToWasm0(arg0, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        wasm.__wbg_set_approvaltokenclaims_scope(this.__wbg_ptr, ptr0, len0);
+    }
+}
+if (Symbol.dispose) ApprovalTokenClaims.prototype[Symbol.dispose] = ApprovalTokenClaims.prototype.free;
+/**
+ * The result of verifying a chain of `ActionReceipt`s.
+ */
+export class ChainResult {
+    static __wrap(ptr) {
+        const obj = Object.create(ChainResult.prototype);
+        obj.__wbg_ptr = ptr;
+        ChainResultFinalization.register(obj, obj.__wbg_ptr, obj);
+        return obj;
+    }
+    __destroy_into_raw() {
+        const ptr = this.__wbg_ptr;
+        this.__wbg_ptr = 0;
+        ChainResultFinalization.unregister(this);
+        return ptr;
+    }
+    free() {
+        const ptr = this.__destroy_into_raw();
+        wasm.__wbg_chainresult_free(ptr, 0);
+    }
+    /**
+     * Human-readable detail. Only set when `ok == false`.
+     * @returns {string | undefined}
+     */
+    get detail() {
+        const ret = wasm.__wbg_get_chainresult_detail(this.__wbg_ptr);
+        let v1;
+        if (ret[0] !== 0) {
+            v1 = getStringFromWasm0(ret[0], ret[1]).slice();
+            wasm.__wbindgen_free(ret[0], ret[1] * 1, 1);
+        }
+        return v1;
+    }
+    /**
+     * Error kind string. Only set when `ok == false`.
+     * @returns {string | undefined}
+     */
+    get error() {
+        const ret = wasm.__wbg_get_chainresult_error(this.__wbg_ptr);
+        let v1;
+        if (ret[0] !== 0) {
+            v1 = getStringFromWasm0(ret[0], ret[1]).slice();
+            wasm.__wbindgen_free(ret[0], ret[1] * 1, 1);
+        }
+        return v1;
+    }
+    /**
+     * Number of receipts verified. Only set when `ok == true`.
+     * @returns {number | undefined}
+     */
+    get length() {
+        const ret = wasm.__wbg_get_chainresult_length(this.__wbg_ptr);
+        return ret === Number.MAX_SAFE_INTEGER ? undefined : ret;
+    }
+    /**
+     * `true` when every link verified.
+     * @returns {boolean}
+     */
+    get ok() {
+        const ret = wasm.__wbg_get_chainresult_ok(this.__wbg_ptr);
+        return ret !== 0;
+    }
+    /**
+     * The `seq` at which the error occurred. Only set when `ok == false`.
+     * @returns {number | undefined}
+     */
+    get seq() {
+        const ret = wasm.__wbg_get_chainresult_seq(this.__wbg_ptr);
+        return ret === Number.MAX_SAFE_INTEGER ? undefined : ret;
+    }
+    /**
+     * Human-readable detail. Only set when `ok == false`.
+     * @param {string | null} [arg0]
+     */
+    set detail(arg0) {
+        var ptr0 = isLikeNone(arg0) ? 0 : passStringToWasm0(arg0, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        var len0 = WASM_VECTOR_LEN;
+        wasm.__wbg_set_chainresult_detail(this.__wbg_ptr, ptr0, len0);
+    }
+    /**
+     * Error kind string. Only set when `ok == false`.
+     * @param {string | null} [arg0]
+     */
+    set error(arg0) {
+        var ptr0 = isLikeNone(arg0) ? 0 : passStringToWasm0(arg0, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        var len0 = WASM_VECTOR_LEN;
+        wasm.__wbg_set_chainresult_error(this.__wbg_ptr, ptr0, len0);
+    }
+    /**
+     * Number of receipts verified. Only set when `ok == true`.
+     * @param {number | null} [arg0]
+     */
+    set length(arg0) {
+        wasm.__wbg_set_chainresult_length(this.__wbg_ptr, isLikeNone(arg0) ? Number.MAX_SAFE_INTEGER : (arg0) >>> 0);
+    }
+    /**
+     * `true` when every link verified.
+     * @param {boolean} arg0
+     */
+    set ok(arg0) {
+        wasm.__wbg_set_chainresult_ok(this.__wbg_ptr, arg0);
+    }
+    /**
+     * The `seq` at which the error occurred. Only set when `ok == false`.
+     * @param {number | null} [arg0]
+     */
+    set seq(arg0) {
+        wasm.__wbg_set_chainresult_seq(this.__wbg_ptr, isLikeNone(arg0) ? Number.MAX_SAFE_INTEGER : (arg0) >>> 0);
+    }
+}
+if (Symbol.dispose) ChainResult.prototype[Symbol.dispose] = ChainResult.prototype.free;
+/**
+ * The verified, decoded result of a delegation envelope.
+ */
+export class VerifiedDelegation {
+    static __wrap(ptr) {
+        const obj = Object.create(VerifiedDelegation.prototype);
+        obj.__wbg_ptr = ptr;
+        VerifiedDelegationFinalization.register(obj, obj.__wbg_ptr, obj);
+        return obj;
+    }
+    __destroy_into_raw() {
+        const ptr = this.__wbg_ptr;
+        this.__wbg_ptr = 0;
+        VerifiedDelegationFinalization.unregister(this);
+        return ptr;
+    }
+    free() {
+        const ptr = this.__destroy_into_raw();
+        wasm.__wbg_verifieddelegation_free(ptr, 0);
+    }
+    /**
+     * The authorized key `K` (raw 32-byte Ed25519 public key) as a `Uint8Array`.
+     * @returns {Uint8Array}
+     */
+    get authorized_key() {
+        const ret = wasm.__wbg_get_verifieddelegation_authorized_key(this.__wbg_ptr);
+        return ret;
+    }
+    /**
+     * The envelope's expiry as Unix seconds (`BigInt`).
+     * @returns {bigint}
+     */
+    get expiry_unix_secs() {
+        const ret = wasm.__wbg_get_verifieddelegation_expiry_unix_secs(this.__wbg_ptr);
+        return ret;
+    }
+    /**
+     * The envelope's not_before as Unix seconds (`BigInt`).
+     * @returns {bigint}
+     */
+    get not_before_unix_secs() {
+        const ret = wasm.__wbg_get_verifieddelegation_not_before_unix_secs(this.__wbg_ptr);
+        return ret;
+    }
+    /**
+     * The scope the delegated authority was bound to.
+     * @returns {string}
+     */
+    get scope() {
+        let deferred1_0;
+        let deferred1_1;
+        try {
+            const ret = wasm.__wbg_get_verifieddelegation_scope(this.__wbg_ptr);
+            deferred1_0 = ret[0];
+            deferred1_1 = ret[1];
+            return getStringFromWasm0(ret[0], ret[1]);
+        } finally {
+            wasm.__wbindgen_free(deferred1_0, deferred1_1, 1);
+        }
+    }
+    /**
+     * The subject string the operator stamped onto the delegation.
+     * @returns {string}
+     */
+    get sub() {
+        let deferred1_0;
+        let deferred1_1;
+        try {
+            const ret = wasm.__wbg_get_verifieddelegation_sub(this.__wbg_ptr);
+            deferred1_0 = ret[0];
+            deferred1_1 = ret[1];
+            return getStringFromWasm0(ret[0], ret[1]);
+        } finally {
+            wasm.__wbindgen_free(deferred1_0, deferred1_1, 1);
+        }
+    }
+    /**
+     * The authorized key `K` (raw 32-byte Ed25519 public key) as a `Uint8Array`.
+     * @param {Uint8Array} arg0
+     */
+    set authorized_key(arg0) {
+        wasm.__wbg_set_verifieddelegation_authorized_key(this.__wbg_ptr, arg0);
+    }
+    /**
+     * The envelope's expiry as Unix seconds (`BigInt`).
+     * @param {bigint} arg0
+     */
+    set expiry_unix_secs(arg0) {
+        wasm.__wbg_set_verifieddelegation_expiry_unix_secs(this.__wbg_ptr, arg0);
+    }
+    /**
+     * The envelope's not_before as Unix seconds (`BigInt`).
+     * @param {bigint} arg0
+     */
+    set not_before_unix_secs(arg0) {
+        wasm.__wbg_set_verifieddelegation_not_before_unix_secs(this.__wbg_ptr, arg0);
+    }
+    /**
+     * The scope the delegated authority was bound to.
+     * @param {string} arg0
+     */
+    set scope(arg0) {
+        const ptr0 = passStringToWasm0(arg0, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        wasm.__wbg_set_verifieddelegation_scope(this.__wbg_ptr, ptr0, len0);
+    }
+    /**
+     * The subject string the operator stamped onto the delegation.
+     * @param {string} arg0
+     */
+    set sub(arg0) {
+        const ptr0 = passStringToWasm0(arg0, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        wasm.__wbg_set_verifieddelegation_sub(this.__wbg_ptr, ptr0, len0);
+    }
+}
+if (Symbol.dispose) VerifiedDelegation.prototype[Symbol.dispose] = VerifiedDelegation.prototype.free;
+/**
+ * Return the RFC-8785 (JCS) canonical bytes of an `ActionContent` JSON string,
+ * with `action_hash` stripped. The shared canonicalizer — the browser MUST
+ * call this rather than any hand-rolled JCS implementation to avoid drift.
+ * @param {string} content_json
+ * @returns {Uint8Array}
+ */
+export function actionCanonicalBytes(content_json) {
+    const ptr0 = passStringToWasm0(content_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ret = wasm.actionCanonicalBytes(ptr0, len0);
+    if (ret[2]) {
+        throw takeFromExternrefTable0(ret[1]);
+    }
+    return takeFromExternrefTable0(ret[0]);
+}
+/**
+ * Pre-anchor BLAKE3 hash (excludes `time_anchor` from the canonical bytes).
+ * Replaces `@noble/hashes` blake3 usage in `crypto.ts`.
+ * @param {string} content_json
+ * @returns {string}
+ */
+export function anchoredContentHash(content_json) {
+    let deferred3_0;
+    let deferred3_1;
+    try {
+        const ptr0 = passStringToWasm0(content_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ret = wasm.anchoredContentHash(ptr0, len0);
+        var ptr2 = ret[0];
+        var len2 = ret[1];
+        if (ret[3]) {
+            ptr2 = 0; len2 = 0;
+            throw takeFromExternrefTable0(ret[2]);
+        }
+        deferred3_0 = ptr2;
+        deferred3_1 = len2;
+        return getStringFromWasm0(ptr2, len2);
+    } finally {
+        wasm.__wbindgen_free(deferred3_0, deferred3_1, 1);
+    }
+}
+/**
+ * Compute a domain-separated BLAKE3 chain-link digest from two 64-hex hashes.
+ * Replaces the `@noble`-backed chain helper in `crypto.ts`.
+ * @param {string} prev_hex
+ * @param {string} action_hex
+ * @returns {string}
+ */
+export function chainHashHex(prev_hex, action_hex) {
+    let deferred4_0;
+    let deferred4_1;
+    try {
+        const ptr0 = passStringToWasm0(prev_hex, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ptr1 = passStringToWasm0(action_hex, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len1 = WASM_VECTOR_LEN;
+        const ret = wasm.chainHashHex(ptr0, len0, ptr1, len1);
+        var ptr3 = ret[0];
+        var len3 = ret[1];
+        if (ret[3]) {
+            ptr3 = 0; len3 = 0;
+            throw takeFromExternrefTable0(ret[2]);
+        }
+        deferred4_0 = ptr3;
+        deferred4_1 = len3;
+        return getStringFromWasm0(ptr3, len3);
+    } finally {
+        wasm.__wbindgen_free(deferred4_0, deferred4_1, 1);
+    }
+}
+/**
+ * BLAKE3 (64-hex) of the canonical bytes — the value that goes into
+ * `action_hash`. Replaces `@noble/hashes` blake3 usage in `crypto.ts`.
+ * @param {string} content_json
+ * @returns {string}
+ */
+export function contentHash(content_json) {
+    let deferred3_0;
+    let deferred3_1;
+    try {
+        const ptr0 = passStringToWasm0(content_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ret = wasm.contentHash(ptr0, len0);
+        var ptr2 = ret[0];
+        var len2 = ret[1];
+        if (ret[3]) {
+            ptr2 = 0; len2 = 0;
+            throw takeFromExternrefTable0(ret[2]);
+        }
+        deferred3_0 = ptr2;
+        deferred3_1 = len2;
+        return getStringFromWasm0(ptr2, len2);
+    } finally {
+        wasm.__wbindgen_free(deferred3_0, deferred3_1, 1);
+    }
+}
+/**
+ * Parse + validate policy TOML, running the load-time dangerous-lane floor check.
+ * Throws a `[PARSE]` or `[FLOOR_BYPASS]` `JsError` on failure; returns nothing on
+ * success. The web calls this before deploy so a floor-bypassing policy is caught
+ * in the browser with the exact engine reason, not bounced by the backend.
+ * @param {string} toml_src
+ */
+export function parsePolicy(toml_src) {
+    const ptr0 = passStringToWasm0(toml_src, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ret = wasm.parsePolicy(ptr0, len0);
+    if (ret[1]) {
+        throw takeFromExternrefTable0(ret[0]);
+    }
+}
+/**
+ * Parse + validate policy TOML and return the rules as a JSON array of
+ * [`PolicyRule`] (the Rust wire shape) so the web renders a pulled policy via the
+ * REAL parser — no JS TOML library, no JS re-implementation of the parse (which
+ * today splits on the wrong marker and drops all conditions). Throws the same
+ * `[PARSE]` / `[FLOOR_BYPASS]` errors as `parsePolicy`. Empty TOML yields `[]`.
+ * @param {string} toml_src
+ * @returns {string}
+ */
+export function policyRulesFromToml(toml_src) {
+    let deferred3_0;
+    let deferred3_1;
+    try {
+        const ptr0 = passStringToWasm0(toml_src, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ret = wasm.policyRulesFromToml(ptr0, len0);
+        var ptr2 = ret[0];
+        var len2 = ret[1];
+        if (ret[3]) {
+            ptr2 = 0; len2 = 0;
+            throw takeFromExternrefTable0(ret[2]);
+        }
+        deferred3_0 = ptr2;
+        deferred3_1 = len2;
+        return getStringFromWasm0(ptr2, len2);
+    } finally {
+        wasm.__wbindgen_free(deferred3_0, deferred3_1, 1);
+    }
+}
+/**
+ * Render a single rule (JSON [`PolicyRule`]) into the canonical English sentence
+ * — the SAME `rule_display` stamped on signed receipts. Replaces the drifting JS
+ * renderer so the in-UI preview is byte-identical to the audit string.
+ * @param {string} rule_json
+ * @returns {string}
+ */
+export function ruleToSentence(rule_json) {
+    let deferred3_0;
+    let deferred3_1;
+    try {
+        const ptr0 = passStringToWasm0(rule_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ret = wasm.ruleToSentence(ptr0, len0);
+        var ptr2 = ret[0];
+        var len2 = ret[1];
+        if (ret[3]) {
+            ptr2 = 0; len2 = 0;
+            throw takeFromExternrefTable0(ret[2]);
+        }
+        deferred3_0 = ptr2;
+        deferred3_1 = len2;
+        return getStringFromWasm0(ptr2, len2);
+    } finally {
+        wasm.__wbindgen_free(deferred3_0, deferred3_1, 1);
+    }
+}
+/**
+ * Return a short display form of a 64-hex BLAKE3 hash: `{prefix}:{first8}`.
+ * Replaces the `@noble`-backed display helper in `crypto.ts`.
+ * @param {string} hex
+ * @param {string | null} [prefix]
+ * @returns {string}
+ */
+export function shortHash(hex, prefix) {
+    let deferred4_0;
+    let deferred4_1;
+    try {
+        const ptr0 = passStringToWasm0(hex, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        var ptr1 = isLikeNone(prefix) ? 0 : passStringToWasm0(prefix, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        var len1 = WASM_VECTOR_LEN;
+        const ret = wasm.shortHash(ptr0, len0, ptr1, len1);
+        var ptr3 = ret[0];
+        var len3 = ret[1];
+        if (ret[3]) {
+            ptr3 = 0; len3 = 0;
+            throw takeFromExternrefTable0(ret[2]);
+        }
+        deferred4_0 = ptr3;
+        deferred4_1 = len3;
+        return getStringFromWasm0(ptr3, len3);
+    } finally {
+        wasm.__wbindgen_free(deferred4_0, deferred4_1, 1);
+    }
+}
+/**
+ * Floor pre-check over a candidate ruleset (JSON array of [`PolicyRule`]) WITHOUT
+ * serializing to TOML — the live check the builder runs as the user edits.
+ * Throws a `[FLOOR_BYPASS]` `JsError` (carrying the offending rule id + verb) when
+ * a rule would allow-without-approval a dangerous lane; returns nothing when the
+ * policy only tightens.
+ * @param {string} rules_json
+ */
+export function validateNoFloorBypass(rules_json) {
+    const ptr0 = passStringToWasm0(rules_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ret = wasm.validateNoFloorBypass(ptr0, len0);
+    if (ret[1]) {
+        throw takeFromExternrefTable0(ret[0]);
+    }
+}
+/**
+ * Verify a single `ActionReceipt` from its raw JSON bytes (`Uint8Array`) or a
+ * JSON string.
+ *
+ * Never panics — structural failures return an `ActionVerdict` with
+ * `verdict = "Malformed:…"`. This is the browser replacement for the
+ * `verifyReceipt` function in `crypto.ts`, backed by the identical Rust
+ * JCS + BLAKE3 + Ed25519 path so Node and browser get byte-identical results.
+ * @param {Uint8Array} receipt_bytes
+ * @returns {ActionVerdict}
+ */
+export function verifyActionReceipt(receipt_bytes) {
+    const ptr0 = passArray8ToWasm0(receipt_bytes, wasm.__wbindgen_malloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ret = wasm.verifyActionReceipt(ptr0, len0);
+    return ActionVerdict.__wrap(ret);
+}
+/**
+ * Verify a serialized approval token and return its decoded claims.
+ *
+ * Pure verify (Ed25519 `verify_strict` via heso-verify), no OsRng — wasm-safe.
+ * Throws a `JsError` with a stable `[CODE]` prefix per `ApprovalTokenError`
+ * variant, matching the napi surface.
+ *
+ * `token`             — raw token bytes (Uint8Array)
+ * `action_canonical`  — the action's canonical bytes (from `actionCanonicalBytes`)
+ * `now_unix_secs`     — current time as BigInt Unix seconds
+ * `seen_nonces`       — array of already-seen 32-byte nonces (Uint8Array each)
+ * `required_scope`    — the required scope string
+ * `registered_keys_b64` — array of base64 Ed25519 public keys on the allowlist
+ * @param {Uint8Array} token
+ * @param {Uint8Array} action_canonical
+ * @param {bigint} now_unix_secs
+ * @param {Array<any>} seen_nonces
+ * @param {string} required_scope
+ * @param {Array<any>} registered_keys_b64
+ * @returns {ApprovalTokenClaims}
+ */
+export function verifyApprovalToken(token, action_canonical, now_unix_secs, seen_nonces, required_scope, registered_keys_b64) {
+    const ptr0 = passArray8ToWasm0(token, wasm.__wbindgen_malloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ptr1 = passArray8ToWasm0(action_canonical, wasm.__wbindgen_malloc);
+    const len1 = WASM_VECTOR_LEN;
+    const ptr2 = passStringToWasm0(required_scope, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len2 = WASM_VECTOR_LEN;
+    const ret = wasm.verifyApprovalToken(ptr0, len0, ptr1, len1, now_unix_secs, seen_nonces, ptr2, len2, registered_keys_b64);
+    if (ret[2]) {
+        throw takeFromExternrefTable0(ret[1]);
+    }
+    return ApprovalTokenClaims.__wrap(ret[0]);
+}
+/**
+ * Verify an ordered array of `ActionReceipt`s as a tamper-evident chain.
+ *
+ * Input: raw bytes of a JSON array of receipts (`Uint8Array` or similar).
+ * @param {Uint8Array} receipts_bytes
+ * @returns {ChainResult}
+ */
+export function verifyChain(receipts_bytes) {
+    const ptr0 = passArray8ToWasm0(receipts_bytes, wasm.__wbindgen_malloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ret = wasm.verifyChain(ptr0, len0);
+    if (ret[2]) {
+        throw takeFromExternrefTable0(ret[1]);
+    }
+    return ChainResult.__wrap(ret[0]);
+}
+/**
+ * RFC-6962 consistency proof verification.
+ *
+ * Returns `true` iff the proof proves the new tree is an append-only extension.
+ * @param {number} old_size
+ * @param {string} old_root_hex
+ * @param {number} new_size
+ * @param {string} new_root_hex
+ * @param {string} proof_hashes_json
+ * @returns {boolean}
+ */
+export function verifyConsistency(old_size, old_root_hex, new_size, new_root_hex, proof_hashes_json) {
+    const ptr0 = passStringToWasm0(old_root_hex, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ptr1 = passStringToWasm0(new_root_hex, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len1 = WASM_VECTOR_LEN;
+    const ptr2 = passStringToWasm0(proof_hashes_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len2 = WASM_VECTOR_LEN;
+    const ret = wasm.verifyConsistency(old_size, ptr0, len0, new_size, ptr1, len1, ptr2, len2);
+    if (ret[2]) {
+        throw takeFromExternrefTable0(ret[1]);
+    }
+    return ret[0] !== 0;
+}
+/**
+ * Verify a serialized delegation envelope and its human co-sign.
+ *
+ * Pure verify (Ed25519 `verify_strict` via heso-verify), no OsRng — wasm-safe.
+ * Throws a `JsError` with a stable `[CODE]` prefix per `DelegationError` variant,
+ * matching the napi surface.
+ *
+ * `wire`                    — raw delegation envelope bytes (Uint8Array)
+ * `registered_operator_key` — the org-registered operator public key (raw 32 bytes)
+ * `action_hash`             — the raw 32-byte BLAKE3 action digest being authorized
+ * `approval_token`          — the human co-sign bearer token presented by K
+ * `required_scope`          — the required scope string
+ * `now_unix_secs`           — current time as BigInt Unix seconds
+ * @param {Uint8Array} wire
+ * @param {Uint8Array} registered_operator_key
+ * @param {Uint8Array} action_hash
+ * @param {Uint8Array} approval_token
+ * @param {string} required_scope
+ * @param {bigint} now_unix_secs
+ * @returns {VerifiedDelegation}
+ */
+export function verifyDelegation(wire, registered_operator_key, action_hash, approval_token, required_scope, now_unix_secs) {
+    const ptr0 = passArray8ToWasm0(wire, wasm.__wbindgen_malloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ptr1 = passArray8ToWasm0(registered_operator_key, wasm.__wbindgen_malloc);
+    const len1 = WASM_VECTOR_LEN;
+    const ptr2 = passArray8ToWasm0(action_hash, wasm.__wbindgen_malloc);
+    const len2 = WASM_VECTOR_LEN;
+    const ptr3 = passArray8ToWasm0(approval_token, wasm.__wbindgen_malloc);
+    const len3 = WASM_VECTOR_LEN;
+    const ptr4 = passStringToWasm0(required_scope, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len4 = WASM_VECTOR_LEN;
+    const ret = wasm.verifyDelegation(ptr0, len0, ptr1, len1, ptr2, len2, ptr3, len3, ptr4, len4, now_unix_secs);
+    if (ret[2]) {
+        throw takeFromExternrefTable0(ret[1]);
+    }
+    return VerifiedDelegation.__wrap(ret[0]);
+}
+/**
+ * RFC-6962 inclusion proof verification (SHA-256 Merkle tree).
+ *
+ * `leaf_value_hex`  — the 64-hex `action_hash`; raw bytes are the leaf value.
+ * `proof_hashes`    — array of 64-hex SHA-256 sibling hashes (space-separated
+ *                     OR JSON array string).
+ * `root_hex`        — 64-hex SHA-256 tree root.
+ *
+ * Returns `true` iff the proof verifies.
+ * @param {string} leaf_value_hex
+ * @param {number} index
+ * @param {number} size
+ * @param {string} root_hex
+ * @param {string} proof_hashes_json
+ * @returns {boolean}
+ */
+export function verifyInclusion(leaf_value_hex, index, size, root_hex, proof_hashes_json) {
+    const ptr0 = passStringToWasm0(leaf_value_hex, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ptr1 = passStringToWasm0(root_hex, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len1 = WASM_VECTOR_LEN;
+    const ptr2 = passStringToWasm0(proof_hashes_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len2 = WASM_VECTOR_LEN;
+    const ret = wasm.verifyInclusion(ptr0, len0, index, size, ptr1, len1, ptr2, len2);
+    if (ret[2]) {
+        throw takeFromExternrefTable0(ret[1]);
+    }
+    return ret[0] !== 0;
+}
+/**
+ * Verify a session chain (lifecycle role + transition checks).
+ * @param {Uint8Array} receipts_bytes
+ * @returns {ChainResult}
+ */
+export function verifySessionChain(receipts_bytes) {
+    const ptr0 = passArray8ToWasm0(receipts_bytes, wasm.__wbindgen_malloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ret = wasm.verifySessionChain(ptr0, len0);
+    if (ret[2]) {
+        throw takeFromExternrefTable0(ret[1]);
+    }
+    return ChainResult.__wrap(ret[0]);
+}
+/**
+ * Verify a session chain with key-rotation as-of-position enforcement.
+ *
+ * `producer_key` — base64 genesis producer key (TOFU pin).
+ * `decision_key` — optional base64 genesis decision key.
+ * @param {Uint8Array} receipts_bytes
+ * @param {string} producer_key
+ * @param {string | null} [decision_key]
+ * @returns {ChainResult}
+ */
+export function verifySessionChainWithRotation(receipts_bytes, producer_key, decision_key) {
+    const ptr0 = passArray8ToWasm0(receipts_bytes, wasm.__wbindgen_malloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ptr1 = passStringToWasm0(producer_key, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len1 = WASM_VECTOR_LEN;
+    var ptr2 = isLikeNone(decision_key) ? 0 : passStringToWasm0(decision_key, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    var len2 = WASM_VECTOR_LEN;
+    const ret = wasm.verifySessionChainWithRotation(ptr0, len0, ptr1, len1, ptr2, len2);
+    if (ret[2]) {
+        throw takeFromExternrefTable0(ret[1]);
+    }
+    return ChainResult.__wrap(ret[0]);
+}
+function __wbg_get_imports() {
+    const import0 = {
+        __proto__: null,
+        __wbg_Error_ef53bc310eb298a0: function(arg0, arg1) {
+            const ret = Error(getStringFromWasm0(arg0, arg1));
+            return ret;
+        },
+        __wbg___wbindgen_bigint_get_as_i64_38130e98eecd467d: function(arg0, arg1) {
+            const v = arg1;
+            const ret = typeof(v) === 'bigint' ? v : undefined;
+            getDataViewMemory0().setBigInt64(arg0 + 8 * 1, isLikeNone(ret) ? BigInt(0) : ret, true);
+            getDataViewMemory0().setInt32(arg0 + 4 * 0, !isLikeNone(ret), true);
+        },
+        __wbg___wbindgen_jsval_eq_1068e624fa87f6ab: function(arg0, arg1) {
+            const ret = arg0 === arg1;
+            return ret;
+        },
+        __wbg___wbindgen_string_get_72bdf95d3ae505b1: function(arg0, arg1) {
+            const obj = arg1;
+            const ret = typeof(obj) === 'string' ? obj : undefined;
+            var ptr1 = isLikeNone(ret) ? 0 : passStringToWasm0(ret, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+            var len1 = WASM_VECTOR_LEN;
+            getDataViewMemory0().setInt32(arg0 + 4 * 1, len1, true);
+            getDataViewMemory0().setInt32(arg0 + 4 * 0, ptr1, true);
+        },
+        __wbg___wbindgen_throw_1506f2235d1bdba0: function(arg0, arg1) {
+            throw new Error(getStringFromWasm0(arg0, arg1));
+        },
+        __wbg_get_unchecked_33f6e5c9e2f2d6b2: function(arg0, arg1) {
+            const ret = arg0[arg1 >>> 0];
+            return ret;
+        },
+        __wbg_length_4a591ecaa01354d9: function(arg0) {
+            const ret = arg0.length;
+            return ret;
+        },
+        __wbg_length_66f1a4b2e9026940: function(arg0) {
+            const ret = arg0.length;
+            return ret;
+        },
+        __wbg_new_from_slice_18fa1f71286d66b8: function(arg0, arg1) {
+            const ret = new Uint8Array(getArrayU8FromWasm0(arg0, arg1));
+            return ret;
+        },
+        __wbg_new_with_length_36a4998e27b014c5: function(arg0) {
+            const ret = new Uint8Array(arg0 >>> 0);
+            return ret;
+        },
+        __wbg_prototypesetcall_3249fc62a0fafa30: function(arg0, arg1, arg2) {
+            Uint8Array.prototype.set.call(getArrayU8FromWasm0(arg0, arg1), arg2);
+        },
+        __wbg_set_29c99a8aac1c01e5: function(arg0, arg1, arg2) {
+            arg0.set(getArrayU8FromWasm0(arg1, arg2));
+        },
+        __wbindgen_cast_0000000000000001: function(arg0) {
+            // Cast intrinsic for `U64 -> Externref`.
+            const ret = BigInt.asUintN(64, arg0);
+            return ret;
+        },
+        __wbindgen_init_externref_table: function() {
+            const table = wasm.__wbindgen_externrefs;
+            const offset = table.grow(4);
+            table.set(0, undefined);
+            table.set(offset + 0, undefined);
+            table.set(offset + 1, null);
+            table.set(offset + 2, true);
+            table.set(offset + 3, false);
+        },
+    };
+    return {
+        __proto__: null,
+        "./heso_wasm_bg.js": import0,
+    };
+}
+const ActionVerdictFinalization = (typeof FinalizationRegistry === 'undefined')
+    ? { register: () => {}, unregister: () => {} }
+    : new FinalizationRegistry(ptr => wasm.__wbg_actionverdict_free(ptr, 1));
+const ApprovalTokenClaimsFinalization = (typeof FinalizationRegistry === 'undefined')
+    ? { register: () => {}, unregister: () => {} }
+    : new FinalizationRegistry(ptr => wasm.__wbg_approvaltokenclaims_free(ptr, 1));
+const ChainResultFinalization = (typeof FinalizationRegistry === 'undefined')
+    ? { register: () => {}, unregister: () => {} }
+    : new FinalizationRegistry(ptr => wasm.__wbg_chainresult_free(ptr, 1));
+const VerifiedDelegationFinalization = (typeof FinalizationRegistry === 'undefined')
+    ? { register: () => {}, unregister: () => {} }
+    : new FinalizationRegistry(ptr => wasm.__wbg_verifieddelegation_free(ptr, 1));
+function getArrayU8FromWasm0(ptr, len) {
+    ptr = ptr >>> 0;
+    return getUint8ArrayMemory0().subarray(ptr / 1, ptr / 1 + len);
+}
+let cachedDataViewMemory0 = null;
+function getDataViewMemory0() {
+    if (cachedDataViewMemory0 === null || cachedDataViewMemory0.buffer.detached === true || (cachedDataViewMemory0.buffer.detached === undefined && cachedDataViewMemory0.buffer !== wasm.memory.buffer)) {
+        cachedDataViewMemory0 = new DataView(wasm.memory.buffer);
+    }
+    return cachedDataViewMemory0;
+}
+function getStringFromWasm0(ptr, len) {
+    return decodeText(ptr >>> 0, len);
+}
+let cachedUint8ArrayMemory0 = null;
+function getUint8ArrayMemory0() {
+    if (cachedUint8ArrayMemory0 === null || cachedUint8ArrayMemory0.byteLength === 0) {
+        cachedUint8ArrayMemory0 = new Uint8Array(wasm.memory.buffer);
+    }
+    return cachedUint8ArrayMemory0;
+}
+function isLikeNone(x) {
+    return x === undefined || x === null;
+}
+function passArray8ToWasm0(arg, malloc) {
+    const ptr = malloc(arg.length * 1, 1) >>> 0;
+    getUint8ArrayMemory0().set(arg, ptr / 1);
+    WASM_VECTOR_LEN = arg.length;
+    return ptr;
+}
+function passStringToWasm0(arg, malloc, realloc) {
+    if (realloc === undefined) {
+        const buf = cachedTextEncoder.encode(arg);
+        const ptr = malloc(buf.length, 1) >>> 0;
+        getUint8ArrayMemory0().subarray(ptr, ptr + buf.length).set(buf);
+        WASM_VECTOR_LEN = buf.length;
+        return ptr;
+    }
+    let len = arg.length;
+    let ptr = malloc(len, 1) >>> 0;
+    const mem = getUint8ArrayMemory0();
+    let offset = 0;
+    for (; offset < len; offset++) {
+        const code = arg.charCodeAt(offset);
+        if (code > 0x7F) break;
+        mem[ptr + offset] = code;
+    }
+    if (offset !== len) {
+        if (offset !== 0) {
+            arg = arg.slice(offset);
+        }
+        ptr = realloc(ptr, len, len = offset + arg.length * 3, 1) >>> 0;
+        const view = getUint8ArrayMemory0().subarray(ptr + offset, ptr + len);
+        const ret = cachedTextEncoder.encodeInto(arg, view);
+        offset += ret.written;
+        ptr = realloc(ptr, len, offset, 1) >>> 0;
+    }
+    WASM_VECTOR_LEN = offset;
+    return ptr;
+}
+function takeFromExternrefTable0(idx) {
+    const value = wasm.__wbindgen_externrefs.get(idx);
+    wasm.__externref_table_dealloc(idx);
+    return value;
+}
+let cachedTextDecoder = new TextDecoder('utf-8', { ignoreBOM: true, fatal: true });
+cachedTextDecoder.decode();
+const MAX_SAFARI_DECODE_BYTES = 2146435072;
+let numBytesDecoded = 0;
+function decodeText(ptr, len) {
+    numBytesDecoded += len;
+    if (numBytesDecoded >= MAX_SAFARI_DECODE_BYTES) {
+        cachedTextDecoder = new TextDecoder('utf-8', { ignoreBOM: true, fatal: true });
+        cachedTextDecoder.decode();
+        numBytesDecoded = len;
+    }
+    return cachedTextDecoder.decode(getUint8ArrayMemory0().subarray(ptr, ptr + len));
+}
+const cachedTextEncoder = new TextEncoder();
+if (!('encodeInto' in cachedTextEncoder)) {
+    cachedTextEncoder.encodeInto = function (arg, view) {
+        const buf = cachedTextEncoder.encode(arg);
+        view.set(buf);
+        return {
+            read: arg.length,
+            written: buf.length
+        };
+    };
+}
+let WASM_VECTOR_LEN = 0;
+let wasmModule, wasmInstance, wasm;
+function __wbg_finalize_init(instance, module) {
+    wasmInstance = instance;
+    wasm = instance.exports;
+    wasmModule = module;
+    cachedDataViewMemory0 = null;
+    cachedUint8ArrayMemory0 = null;
+    wasm.__wbindgen_start();
+    return wasm;
+}
+async function __wbg_load(module, imports) {
+    if (typeof Response === 'function' && module instanceof Response) {
+        if (typeof WebAssembly.instantiateStreaming === 'function') {
+            try {
+                return await WebAssembly.instantiateStreaming(module, imports);
+            } catch (e) {
+                const validResponse = module.ok && expectedResponseType(module.type);
+                if (validResponse && module.headers.get('Content-Type') !== 'application/wasm') {
+                    console.warn("`WebAssembly.instantiateStreaming` failed because your server does not serve Wasm with `application/wasm` MIME type. Falling back to `WebAssembly.instantiate` which is slower. Original error:\n", e);
+                } else { throw e; }
+            }
+        }
+        const bytes = await module.arrayBuffer();
+        return await WebAssembly.instantiate(bytes, imports);
+    } else {
+        const instance = await WebAssembly.instantiate(module, imports);
+        if (instance instanceof WebAssembly.Instance) {
+            return { instance, module };
+        } else {
+            return instance;
+        }
+    }
+    function expectedResponseType(type) {
+        switch (type) {
+            case 'basic': case 'cors': case 'default': return true;
+        }
+        return false;
+    }
+}
+function initSync(module) {
+    if (wasm !== undefined) return wasm;
+    if (module !== undefined) {
+        if (Object.getPrototypeOf(module) === Object.prototype) {
+            ({module} = module)
+        } else {
+            console.warn('using deprecated parameters for `initSync()`; pass a single object instead')
+        }
+    }
+    const imports = __wbg_get_imports();
+    if (!(module instanceof WebAssembly.Module)) {
+        module = new WebAssembly.Module(module);
+    }
+    const instance = new WebAssembly.Instance(module, imports);
+    return __wbg_finalize_init(instance, module);
+}
+async function __wbg_init(module_or_path) {
+    if (wasm !== undefined) return wasm;
+    if (module_or_path !== undefined) {
+        if (Object.getPrototypeOf(module_or_path) === Object.prototype) {
+            ({module_or_path} = module_or_path)
+        } else {
+            console.warn('using deprecated parameters for the initialization function; pass a single object instead')
+        }
+    }
+    if (module_or_path === undefined) {
+        module_or_path = new URL('heso_wasm_bg.wasm', import.meta.url);
+    }
+    const imports = __wbg_get_imports();
+    if (typeof module_or_path === 'string' || (typeof Request === 'function' && module_or_path instanceof Request) || (typeof URL === 'function' && module_or_path instanceof URL)) {
+        module_or_path = fetch(module_or_path);
+    }
+    const { instance, module } = await __wbg_load(await module_or_path, imports);
+    return __wbg_finalize_init(instance, module);
+}
+export { initSync, __wbg_init as default };