@hesohq/verify-wasm 0.1.0 → 0.1.1-dev.19

package/heso_wasm.d.ts

@@ -31,6 +31,10 @@ export class ApprovalTokenClaims {
      * Base64-encoded Ed25519 public key of the approver.
      */
     approver_public_key: string;
+    /**
+     * The verdict the human signed into the token: `"approved"` or `"rejected"`.
+     */
+    decision: string;
     /**
      * Expiry as Unix seconds (`BigInt`).
      */
@@ -144,6 +148,43 @@ export function chainHashHex(prev_hex: string, action_hex: string): string;
  */
 export function contentHash(content_json: string): string;
 
+/**
+ * Return the EXACT bytes a hosted approver must sign to co-sign a suspended
+ * (L0) action into an L1 receipt: `APPROVAL_SIGNING_DOMAIN` (17 bytes) ++
+ * `action_canonical_bytes` of the promoted L1 body.
+ *
+ * The browser promotes the suspended L0 body to its L1 form with the same pure
+ * builder the operator process uses
+ * ([`heso_action::receipt::build_l1_content_anchored`]), then derives the
+ * approval payload ([`approval_cosign_payload`]). This compiles under
+ * heso-wasm's DEFAULT heso-action features (NO `sign`) precisely because both
+ * builders live in the always-compiled `receipt.rs`; the wasm surface never
+ * holds a key, so it only ASSEMBLES the bytes a remote signer returns a detached
+ * signature over.
+ *
+ * ANCHORED BODIES: unlike the bare [`build_l1_content`] path (which fails closed
+ * on any present anchor), this browser export ACCEPTS a suspended body that
+ * already carries a relayed `time_anchor`. The operator will later sign over
+ * that same full anchored body, so the approver must co-sign the anchored
+ * canonical too. We lift the anchor off the suspended input and thread it
+ * through `build_l1_content_anchored` as the relayed-anchor argument: the
+ * `AnchorOnAsyncL1Path` guard (which only fires on the SUSPENDED INPUT) no longer
+ * rejects, and the anchor is stamped BEFORE the final `action_hash` so the
+ * resulting body — and therefore the approver payload — is byte-identical to
+ * what the operator signs. An anchorless body promotes EXACTLY as before
+ * (`anchor = None`), so the f599f21b single-approver L1 golden never moves.
+ *
+ * `suspendedContentJson` — the suspended L0 `ActionContent` JSON (optionally
+ *                          already carrying a relayed `time_anchor`).
+ * `approverRecordJson`   — the human's `ApproverRecord` (decision, identity,
+ *                          reason, decided_at, sla_minutes) as JSON.
+ *
+ * Throws a `JsError` with a stable `[CODE]` prefix per [`BuildL1Error`]:
+ * `[AlreadyDecided]` (the body is already decided or is not a clean L0). The
+ * `[AnchorOnAsyncL1Path]` reject is RELAXED here — a present anchor is accepted.
+ */
+export function l1CosignPayload(suspended_content_json: string, approver_record_json: string): Uint8Array;
+
 /**
  * Parse + validate policy TOML, running the load-time dangerous-lane floor check.
  * Throws a `[PARSE]` or `[FLOOR_BYPASS]` `JsError` on failure; returns nothing on
@@ -161,6 +202,35 @@ export function parsePolicy(toml_src: string): void;
  */
 export function policyRulesFromToml(toml_src: string): string;
 
+/**
+ * Return the EXACT bytes ONE approver must sign to co-sign a suspended (L0)
+ * action under the multi-approver k-of-n QUORUM lane:
+ * `APPROVAL_SIGNING_DOMAIN` (17 bytes) ++ `multi_approver_canonical` of the quorum
+ * body with `approvers = [thisRecord]` ONLY. (A quorum receipt derives L1 WITH a
+ * multi_approval block — not a higher level.)
+ *
+ * Per the two-canonical (M-B) rule each approver vouches ONLY their own record,
+ * never the assembled set: the browser promotes the suspended L0 body to the
+ * quorum base ([`build_quorum_base`] — `multi_approval = {threshold, roster,
+ * approvers: []}`), folds in this single record, and derives the per-record
+ * approval payload ([`multi_approval_cosign_payload`]). Both builders live in the
+ * always-compiled `receipt.rs`, so this compiles under heso-wasm's DEFAULT
+ * heso-action features (NO `sign`); the wasm surface never holds a key, it only
+ * ASSEMBLES the bytes a remote signer returns a detached signature over. The
+ * key-holding assembler [`heso_action::sign::assemble_quorum_from_parts`] verifies
+ * each returned signature over exactly these bytes.
+ *
+ * `suspendedContentJson` — the suspended L0 `ActionContent` JSON.
+ * `threshold`            — the k-of-n approval threshold (`>= 1`).
+ * `rosterJson`           — JSON array of base64 admissible approver public keys.
+ * `approverRecordJson`   — THIS approver's `ApproverRecord` as JSON.
+ *
+ * Throws a `JsError` with a stable `[CODE]` prefix per [`BuildQuorumError`]:
+ * `[AnchorOnAsyncL1Path]`, `[AlreadyDecided]`, `[ThresholdZero]`, or
+ * `[EmptyRoster]`.
+ */
+export function quorumCosignPayload(suspended_content_json: string, threshold: number, roster_json: string, approver_record_json: string): Uint8Array;
+
 /**
  * Render a single rule (JSON [`PolicyRule`]) into the canonical English sentence
  * — the SAME `rule_display` stamped on signed receipts. Replaces the drifting JS
@@ -189,8 +259,11 @@ export function validateNoFloorBypass(rules_json: string): void;
  *
  * Never panics — structural failures return an `ActionVerdict` with
  * `verdict = "Malformed:…"`. This is the browser replacement for the
- * `verifyReceipt` function in `crypto.ts`, backed by the identical Rust
- * JCS + BLAKE3 + Ed25519 path so Node and browser get byte-identical results.
+ * `verifyReceipt` function in `crypto.ts`, backed by the SAME Rust JCS +
+ * BLAKE3 + Ed25519 core as Node for canonicalization, hashing, and signature
+ * verification. NOTE: this is NOT byte-identical to Node for EVERY receipt —
+ * the `tsa` feature is OFF here, so a TIME-ANCHORED receipt that Node verifies
+ * against its TSA stack is handled differently on the browser surface.
  */
 export function verifyActionReceipt(receipt_bytes: Uint8Array): ActionVerdict;
 
@@ -206,9 +279,11 @@ export function verifyActionReceipt(receipt_bytes: Uint8Array): ActionVerdict;
  * `now_unix_secs`     — current time as BigInt Unix seconds
  * `seen_nonces`       — array of already-seen 32-byte nonces (Uint8Array each)
  * `required_scope`    — the required scope string
+ * `required_decision` — the verdict the token must carry ("approved"/"rejected"),
+ *                       NON-DEFAULTED (the SEC-02 decision binding)
  * `registered_keys_b64` — array of base64 Ed25519 public keys on the allowlist
  */
-export function verifyApprovalToken(token: Uint8Array, action_canonical: Uint8Array, now_unix_secs: bigint, seen_nonces: Array<any>, required_scope: string, registered_keys_b64: Array<any>): ApprovalTokenClaims;
+export function verifyApprovalToken(token: Uint8Array, action_canonical: Uint8Array, now_unix_secs: bigint, seen_nonces: Array<any>, required_scope: string, required_decision: string, registered_keys_b64: Array<any>): ApprovalTokenClaims;
 
 /**
  * Verify an ordered array of `ActionReceipt`s as a tamper-evident chain.
@@ -236,9 +311,11 @@ export function verifyConsistency(old_size: number, old_root_hex: string, new_si
  * `action_hash`             — the raw 32-byte BLAKE3 action digest being authorized
  * `approval_token`          — the human co-sign bearer token presented by K
  * `required_scope`          — the required scope string
+ * `required_decision`       — the verdict the co-sign must carry ("approved"/"rejected"),
+ *                             NON-DEFAULTED (the SEC-02 decision binding)
  * `now_unix_secs`           — current time as BigInt Unix seconds
  */
-export function verifyDelegation(wire: Uint8Array, registered_operator_key: Uint8Array, action_hash: Uint8Array, approval_token: Uint8Array, required_scope: string, now_unix_secs: bigint): VerifiedDelegation;
+export function verifyDelegation(wire: Uint8Array, registered_operator_key: Uint8Array, action_hash: Uint8Array, approval_token: Uint8Array, required_scope: string, required_decision: string, now_unix_secs: bigint): VerifiedDelegation;
 
 /**
  * RFC-6962 inclusion proof verification (SHA-256 Merkle tree).
@@ -290,21 +367,29 @@ export interface InitOutput {
     readonly __wbg_set_approvaltokenclaims_nonce: (a: number, b: any) => void;
     readonly __wbg_get_approvaltokenclaims_expiry_unix_secs: (a: number) => any;
     readonly __wbg_set_approvaltokenclaims_expiry_unix_secs: (a: number, b: any) => void;
+    readonly __wbg_get_approvaltokenclaims_decision: (a: number) => [number, number];
     readonly __wbg_get_approvaltokenclaims_scope: (a: number) => [number, number];
     readonly __wbg_get_approvaltokenclaims_approver_public_key: (a: number) => [number, number];
+    readonly __wbg_set_approvaltokenclaims_approver_public_key: (a: number, b: number, c: number) => void;
     readonly __wbg_verifieddelegation_free: (a: number, b: number) => void;
+    readonly __wbg_get_verifieddelegation_authorized_key: (a: number) => any;
+    readonly __wbg_set_verifieddelegation_authorized_key: (a: number, b: any) => void;
     readonly __wbg_get_verifieddelegation_sub: (a: number) => [number, number];
     readonly __wbg_get_verifieddelegation_scope: (a: number) => [number, number];
+    readonly __wbg_get_verifieddelegation_expiry_unix_secs: (a: number) => any;
+    readonly __wbg_set_verifieddelegation_expiry_unix_secs: (a: number, b: any) => void;
     readonly __wbg_get_verifieddelegation_not_before_unix_secs: (a: number) => any;
     readonly __wbg_set_verifieddelegation_not_before_unix_secs: (a: number, b: any) => void;
     readonly verifyActionReceipt: (a: number, b: number) => number;
     readonly actionCanonicalBytes: (a: number, b: number) => [number, number, number];
+    readonly l1CosignPayload: (a: number, b: number, c: number, d: number) => [number, number, number];
+    readonly quorumCosignPayload: (a: number, b: number, c: number, d: number, e: number, f: number, g: number) => [number, number, number];
     readonly contentHash: (a: number, b: number) => [number, number, number, number];
     readonly anchoredContentHash: (a: number, b: number) => [number, number, number, number];
     readonly shortHash: (a: number, b: number, c: number, d: number) => [number, number, number, number];
     readonly chainHashHex: (a: number, b: number, c: number, d: number) => [number, number, number, number];
-    readonly verifyApprovalToken: (a: number, b: number, c: number, d: number, e: any, f: any, g: number, h: number, i: any) => [number, number, number];
-    readonly verifyDelegation: (a: number, b: number, c: number, d: number, e: number, f: number, g: number, h: number, i: number, j: number, k: any) => [number, number, number];
+    readonly verifyApprovalToken: (a: number, b: number, c: number, d: number, e: any, f: any, g: number, h: number, i: number, j: number, k: any) => [number, number, number];
+    readonly verifyDelegation: (a: number, b: number, c: number, d: number, e: number, f: number, g: number, h: number, i: number, j: number, k: number, l: number, m: any) => [number, number, number];
     readonly verifyChain: (a: number, b: number) => [number, number, number];
     readonly verifySessionChain: (a: number, b: number) => [number, number, number];
     readonly verifySessionChainWithRotation: (a: number, b: number, c: number, d: number, e: number, f: number) => [number, number, number];
@@ -314,12 +399,8 @@ export interface InitOutput {
     readonly ruleToSentence: (a: number, b: number) => [number, number, number, number];
     readonly policyRulesFromToml: (a: number, b: number) => [number, number, number, number];
     readonly validateNoFloorBypass: (a: number, b: number) => [number, number];
-    readonly __wbg_set_verifieddelegation_authorized_key: (a: number, b: any) => void;
-    readonly __wbg_set_verifieddelegation_expiry_unix_secs: (a: number, b: any) => void;
-    readonly __wbg_get_verifieddelegation_authorized_key: (a: number) => any;
-    readonly __wbg_get_verifieddelegation_expiry_unix_secs: (a: number) => any;
+    readonly __wbg_set_approvaltokenclaims_decision: (a: number, b: number, c: number) => void;
     readonly __wbg_set_approvaltokenclaims_scope: (a: number, b: number, c: number) => void;
-    readonly __wbg_set_approvaltokenclaims_approver_public_key: (a: number, b: number, c: number) => void;
     readonly __wbg_set_verifieddelegation_sub: (a: number, b: number, c: number) => void;
     readonly __wbg_set_verifieddelegation_scope: (a: number, b: number, c: number) => void;
     readonly __wbindgen_malloc: (a: number, b: number) => number;

package/heso_wasm.js

@@ -113,6 +113,22 @@ export class ApprovalTokenClaims {
             wasm.__wbindgen_free(deferred1_0, deferred1_1, 1);
         }
     }
+    /**
+     * The verdict the human signed into the token: `"approved"` or `"rejected"`.
+     * @returns {string}
+     */
+    get decision() {
+        let deferred1_0;
+        let deferred1_1;
+        try {
+            const ret = wasm.__wbg_get_approvaltokenclaims_decision(this.__wbg_ptr);
+            deferred1_0 = ret[0];
+            deferred1_1 = ret[1];
+            return getStringFromWasm0(ret[0], ret[1]);
+        } finally {
+            wasm.__wbindgen_free(deferred1_0, deferred1_1, 1);
+        }
+    }
     /**
      * Expiry as Unix seconds (`BigInt`).
      * @returns {bigint}
@@ -154,6 +170,15 @@ export class ApprovalTokenClaims {
         const len0 = WASM_VECTOR_LEN;
         wasm.__wbg_set_approvaltokenclaims_approver_public_key(this.__wbg_ptr, ptr0, len0);
     }
+    /**
+     * The verdict the human signed into the token: `"approved"` or `"rejected"`.
+     * @param {string} arg0
+     */
+    set decision(arg0) {
+        const ptr0 = passStringToWasm0(arg0, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        wasm.__wbg_set_approvaltokenclaims_decision(this.__wbg_ptr, ptr0, len0);
+    }
     /**
      * Expiry as Unix seconds (`BigInt`).
      * @param {bigint} arg0
@@ -511,6 +536,56 @@ export function contentHash(content_json) {
     }
 }
 
+/**
+ * Return the EXACT bytes a hosted approver must sign to co-sign a suspended
+ * (L0) action into an L1 receipt: `APPROVAL_SIGNING_DOMAIN` (17 bytes) ++
+ * `action_canonical_bytes` of the promoted L1 body.
+ *
+ * The browser promotes the suspended L0 body to its L1 form with the same pure
+ * builder the operator process uses
+ * ([`heso_action::receipt::build_l1_content_anchored`]), then derives the
+ * approval payload ([`approval_cosign_payload`]). This compiles under
+ * heso-wasm's DEFAULT heso-action features (NO `sign`) precisely because both
+ * builders live in the always-compiled `receipt.rs`; the wasm surface never
+ * holds a key, so it only ASSEMBLES the bytes a remote signer returns a detached
+ * signature over.
+ *
+ * ANCHORED BODIES: unlike the bare [`build_l1_content`] path (which fails closed
+ * on any present anchor), this browser export ACCEPTS a suspended body that
+ * already carries a relayed `time_anchor`. The operator will later sign over
+ * that same full anchored body, so the approver must co-sign the anchored
+ * canonical too. We lift the anchor off the suspended input and thread it
+ * through `build_l1_content_anchored` as the relayed-anchor argument: the
+ * `AnchorOnAsyncL1Path` guard (which only fires on the SUSPENDED INPUT) no longer
+ * rejects, and the anchor is stamped BEFORE the final `action_hash` so the
+ * resulting body — and therefore the approver payload — is byte-identical to
+ * what the operator signs. An anchorless body promotes EXACTLY as before
+ * (`anchor = None`), so the f599f21b single-approver L1 golden never moves.
+ *
+ * `suspendedContentJson` — the suspended L0 `ActionContent` JSON (optionally
+ *                          already carrying a relayed `time_anchor`).
+ * `approverRecordJson`   — the human's `ApproverRecord` (decision, identity,
+ *                          reason, decided_at, sla_minutes) as JSON.
+ *
+ * Throws a `JsError` with a stable `[CODE]` prefix per [`BuildL1Error`]:
+ * `[AlreadyDecided]` (the body is already decided or is not a clean L0). The
+ * `[AnchorOnAsyncL1Path]` reject is RELAXED here — a present anchor is accepted.
+ * @param {string} suspended_content_json
+ * @param {string} approver_record_json
+ * @returns {Uint8Array}
+ */
+export function l1CosignPayload(suspended_content_json, approver_record_json) {
+    const ptr0 = passStringToWasm0(suspended_content_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ptr1 = passStringToWasm0(approver_record_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len1 = WASM_VECTOR_LEN;
+    const ret = wasm.l1CosignPayload(ptr0, len0, ptr1, len1);
+    if (ret[2]) {
+        throw takeFromExternrefTable0(ret[1]);
+    }
+    return takeFromExternrefTable0(ret[0]);
+}
+
 /**
  * Parse + validate policy TOML, running the load-time dangerous-lane floor check.
  * Throws a `[PARSE]` or `[FLOOR_BYPASS]` `JsError` on failure; returns nothing on
@@ -557,6 +632,52 @@ export function policyRulesFromToml(toml_src) {
     }
 }
 
+/**
+ * Return the EXACT bytes ONE approver must sign to co-sign a suspended (L0)
+ * action under the multi-approver k-of-n QUORUM lane:
+ * `APPROVAL_SIGNING_DOMAIN` (17 bytes) ++ `multi_approver_canonical` of the quorum
+ * body with `approvers = [thisRecord]` ONLY. (A quorum receipt derives L1 WITH a
+ * multi_approval block — not a higher level.)
+ *
+ * Per the two-canonical (M-B) rule each approver vouches ONLY their own record,
+ * never the assembled set: the browser promotes the suspended L0 body to the
+ * quorum base ([`build_quorum_base`] — `multi_approval = {threshold, roster,
+ * approvers: []}`), folds in this single record, and derives the per-record
+ * approval payload ([`multi_approval_cosign_payload`]). Both builders live in the
+ * always-compiled `receipt.rs`, so this compiles under heso-wasm's DEFAULT
+ * heso-action features (NO `sign`); the wasm surface never holds a key, it only
+ * ASSEMBLES the bytes a remote signer returns a detached signature over. The
+ * key-holding assembler [`heso_action::sign::assemble_quorum_from_parts`] verifies
+ * each returned signature over exactly these bytes.
+ *
+ * `suspendedContentJson` — the suspended L0 `ActionContent` JSON.
+ * `threshold`            — the k-of-n approval threshold (`>= 1`).
+ * `rosterJson`           — JSON array of base64 admissible approver public keys.
+ * `approverRecordJson`   — THIS approver's `ApproverRecord` as JSON.
+ *
+ * Throws a `JsError` with a stable `[CODE]` prefix per [`BuildQuorumError`]:
+ * `[AnchorOnAsyncL1Path]`, `[AlreadyDecided]`, `[ThresholdZero]`, or
+ * `[EmptyRoster]`.
+ * @param {string} suspended_content_json
+ * @param {number} threshold
+ * @param {string} roster_json
+ * @param {string} approver_record_json
+ * @returns {Uint8Array}
+ */
+export function quorumCosignPayload(suspended_content_json, threshold, roster_json, approver_record_json) {
+    const ptr0 = passStringToWasm0(suspended_content_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ptr1 = passStringToWasm0(roster_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len1 = WASM_VECTOR_LEN;
+    const ptr2 = passStringToWasm0(approver_record_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len2 = WASM_VECTOR_LEN;
+    const ret = wasm.quorumCosignPayload(ptr0, len0, threshold, ptr1, len1, ptr2, len2);
+    if (ret[2]) {
+        throw takeFromExternrefTable0(ret[1]);
+    }
+    return takeFromExternrefTable0(ret[0]);
+}
+
 /**
  * Render a single rule (JSON [`PolicyRule`]) into the canonical English sentence
  * — the SAME `rule_display` stamped on signed receipts. Replaces the drifting JS
@@ -638,8 +759,11 @@ export function validateNoFloorBypass(rules_json) {
  *
  * Never panics — structural failures return an `ActionVerdict` with
  * `verdict = "Malformed:…"`. This is the browser replacement for the
- * `verifyReceipt` function in `crypto.ts`, backed by the identical Rust
- * JCS + BLAKE3 + Ed25519 path so Node and browser get byte-identical results.
+ * `verifyReceipt` function in `crypto.ts`, backed by the SAME Rust JCS +
+ * BLAKE3 + Ed25519 core as Node for canonicalization, hashing, and signature
+ * verification. NOTE: this is NOT byte-identical to Node for EVERY receipt —
+ * the `tsa` feature is OFF here, so a TIME-ANCHORED receipt that Node verifies
+ * against its TSA stack is handled differently on the browser surface.
  * @param {Uint8Array} receipt_bytes
  * @returns {ActionVerdict}
  */
@@ -662,23 +786,28 @@ export function verifyActionReceipt(receipt_bytes) {
  * `now_unix_secs`     — current time as BigInt Unix seconds
  * `seen_nonces`       — array of already-seen 32-byte nonces (Uint8Array each)
  * `required_scope`    — the required scope string
+ * `required_decision` — the verdict the token must carry ("approved"/"rejected"),
+ *                       NON-DEFAULTED (the SEC-02 decision binding)
  * `registered_keys_b64` — array of base64 Ed25519 public keys on the allowlist
  * @param {Uint8Array} token
  * @param {Uint8Array} action_canonical
  * @param {bigint} now_unix_secs
  * @param {Array<any>} seen_nonces
  * @param {string} required_scope
+ * @param {string} required_decision
  * @param {Array<any>} registered_keys_b64
  * @returns {ApprovalTokenClaims}
  */
-export function verifyApprovalToken(token, action_canonical, now_unix_secs, seen_nonces, required_scope, registered_keys_b64) {
+export function verifyApprovalToken(token, action_canonical, now_unix_secs, seen_nonces, required_scope, required_decision, registered_keys_b64) {
     const ptr0 = passArray8ToWasm0(token, wasm.__wbindgen_malloc);
     const len0 = WASM_VECTOR_LEN;
     const ptr1 = passArray8ToWasm0(action_canonical, wasm.__wbindgen_malloc);
     const len1 = WASM_VECTOR_LEN;
     const ptr2 = passStringToWasm0(required_scope, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
     const len2 = WASM_VECTOR_LEN;
-    const ret = wasm.verifyApprovalToken(ptr0, len0, ptr1, len1, now_unix_secs, seen_nonces, ptr2, len2, registered_keys_b64);
+    const ptr3 = passStringToWasm0(required_decision, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len3 = WASM_VECTOR_LEN;
+    const ret = wasm.verifyApprovalToken(ptr0, len0, ptr1, len1, now_unix_secs, seen_nonces, ptr2, len2, ptr3, len3, registered_keys_b64);
     if (ret[2]) {
         throw takeFromExternrefTable0(ret[1]);
     }
@@ -739,16 +868,19 @@ export function verifyConsistency(old_size, old_root_hex, new_size, new_root_hex
  * `action_hash`             — the raw 32-byte BLAKE3 action digest being authorized
  * `approval_token`          — the human co-sign bearer token presented by K
  * `required_scope`          — the required scope string
+ * `required_decision`       — the verdict the co-sign must carry ("approved"/"rejected"),
+ *                             NON-DEFAULTED (the SEC-02 decision binding)
  * `now_unix_secs`           — current time as BigInt Unix seconds
  * @param {Uint8Array} wire
  * @param {Uint8Array} registered_operator_key
  * @param {Uint8Array} action_hash
  * @param {Uint8Array} approval_token
  * @param {string} required_scope
+ * @param {string} required_decision
  * @param {bigint} now_unix_secs
  * @returns {VerifiedDelegation}
  */
-export function verifyDelegation(wire, registered_operator_key, action_hash, approval_token, required_scope, now_unix_secs) {
+export function verifyDelegation(wire, registered_operator_key, action_hash, approval_token, required_scope, required_decision, now_unix_secs) {
     const ptr0 = passArray8ToWasm0(wire, wasm.__wbindgen_malloc);
     const len0 = WASM_VECTOR_LEN;
     const ptr1 = passArray8ToWasm0(registered_operator_key, wasm.__wbindgen_malloc);
@@ -759,7 +891,9 @@ export function verifyDelegation(wire, registered_operator_key, action_hash, app
     const len3 = WASM_VECTOR_LEN;
     const ptr4 = passStringToWasm0(required_scope, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
     const len4 = WASM_VECTOR_LEN;
-    const ret = wasm.verifyDelegation(ptr0, len0, ptr1, len1, ptr2, len2, ptr3, len3, ptr4, len4, now_unix_secs);
+    const ptr5 = passStringToWasm0(required_decision, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len5 = WASM_VECTOR_LEN;
+    const ret = wasm.verifyDelegation(ptr0, len0, ptr1, len1, ptr2, len2, ptr3, len3, ptr4, len4, ptr5, len5, now_unix_secs);
     if (ret[2]) {
         throw takeFromExternrefTable0(ret[1]);
     }

package/heso_wasm_bg.wasm.d.ts

@@ -22,21 +22,29 @@ export const __wbg_get_approvaltokenclaims_nonce: (a: number) => any;
 export const __wbg_set_approvaltokenclaims_nonce: (a: number, b: any) => void;
 export const __wbg_get_approvaltokenclaims_expiry_unix_secs: (a: number) => any;
 export const __wbg_set_approvaltokenclaims_expiry_unix_secs: (a: number, b: any) => void;
+export const __wbg_get_approvaltokenclaims_decision: (a: number) => [number, number];
 export const __wbg_get_approvaltokenclaims_scope: (a: number) => [number, number];
 export const __wbg_get_approvaltokenclaims_approver_public_key: (a: number) => [number, number];
+export const __wbg_set_approvaltokenclaims_approver_public_key: (a: number, b: number, c: number) => void;
 export const __wbg_verifieddelegation_free: (a: number, b: number) => void;
+export const __wbg_get_verifieddelegation_authorized_key: (a: number) => any;
+export const __wbg_set_verifieddelegation_authorized_key: (a: number, b: any) => void;
 export const __wbg_get_verifieddelegation_sub: (a: number) => [number, number];
 export const __wbg_get_verifieddelegation_scope: (a: number) => [number, number];
+export const __wbg_get_verifieddelegation_expiry_unix_secs: (a: number) => any;
+export const __wbg_set_verifieddelegation_expiry_unix_secs: (a: number, b: any) => void;
 export const __wbg_get_verifieddelegation_not_before_unix_secs: (a: number) => any;
 export const __wbg_set_verifieddelegation_not_before_unix_secs: (a: number, b: any) => void;
 export const verifyActionReceipt: (a: number, b: number) => number;
 export const actionCanonicalBytes: (a: number, b: number) => [number, number, number];
+export const l1CosignPayload: (a: number, b: number, c: number, d: number) => [number, number, number];
+export const quorumCosignPayload: (a: number, b: number, c: number, d: number, e: number, f: number, g: number) => [number, number, number];
 export const contentHash: (a: number, b: number) => [number, number, number, number];
 export const anchoredContentHash: (a: number, b: number) => [number, number, number, number];
 export const shortHash: (a: number, b: number, c: number, d: number) => [number, number, number, number];
 export const chainHashHex: (a: number, b: number, c: number, d: number) => [number, number, number, number];
-export const verifyApprovalToken: (a: number, b: number, c: number, d: number, e: any, f: any, g: number, h: number, i: any) => [number, number, number];
-export const verifyDelegation: (a: number, b: number, c: number, d: number, e: number, f: number, g: number, h: number, i: number, j: number, k: any) => [number, number, number];
+export const verifyApprovalToken: (a: number, b: number, c: number, d: number, e: any, f: any, g: number, h: number, i: number, j: number, k: any) => [number, number, number];
+export const verifyDelegation: (a: number, b: number, c: number, d: number, e: number, f: number, g: number, h: number, i: number, j: number, k: number, l: number, m: any) => [number, number, number];
 export const verifyChain: (a: number, b: number) => [number, number, number];
 export const verifySessionChain: (a: number, b: number) => [number, number, number];
 export const verifySessionChainWithRotation: (a: number, b: number, c: number, d: number, e: number, f: number) => [number, number, number];
@@ -46,12 +54,8 @@ export const parsePolicy: (a: number, b: number) => [number, number];
 export const ruleToSentence: (a: number, b: number) => [number, number, number, number];
 export const policyRulesFromToml: (a: number, b: number) => [number, number, number, number];
 export const validateNoFloorBypass: (a: number, b: number) => [number, number];
-export const __wbg_set_verifieddelegation_authorized_key: (a: number, b: any) => void;
-export const __wbg_set_verifieddelegation_expiry_unix_secs: (a: number, b: any) => void;
-export const __wbg_get_verifieddelegation_authorized_key: (a: number) => any;
-export const __wbg_get_verifieddelegation_expiry_unix_secs: (a: number) => any;
+export const __wbg_set_approvaltokenclaims_decision: (a: number, b: number, c: number) => void;
 export const __wbg_set_approvaltokenclaims_scope: (a: number, b: number, c: number) => void;
-export const __wbg_set_approvaltokenclaims_approver_public_key: (a: number, b: number, c: number) => void;
 export const __wbg_set_verifieddelegation_sub: (a: number, b: number, c: number) => void;
 export const __wbg_set_verifieddelegation_scope: (a: number, b: number, c: number) => void;
 export const __wbindgen_malloc: (a: number, b: number) => number;

package/package.json

@@ -1,8 +1,11 @@
 {
   "name": "@hesohq/verify-wasm",
-  "version": "0.1.0",
+  "version": "0.1.1-dev.19",
   "description": "HESO Enterprise trust layer — browser WASM verify-only surface (ESM)",
   "type": "module",
+  "scripts": {
+    "prepublishOnly": "for sym in l1CosignPayload quorumCosignPayload; do for f in heso_wasm.js heso_wasm.d.ts heso_wasm_bg.wasm.d.ts heso_wasm_bg.wasm; do grep -aq \"$sym\" \"$f\" || { echo \"prepublishOnly: $sym missing from $f — stale artifact, run \\`just wasm\\` from heso-enterprise root\" >&2; exit 1; }; done; done; echo \"prepublishOnly: l1CosignPayload + quorumCosignPayload present in all 4 artifacts\""
+  },
   "exports": {
     ".": {
       "import": "./heso_wasm.js",