@hesohq/verify-wasm 0.4.3-dev.35 → 0.5.0-dev.71

package/heso_wasm.d.ts

@@ -94,6 +94,168 @@ export class ChainResult {
     set seq(value: number | null | undefined);
 }
 
+/**
+ * The kind-tagged verdict of [`verify_commitment_wasm`]. `verdict` is one of
+ * `"Valid"`, `"InvalidSignature"`, `"FingerprintMismatch"`, `"WrongAlgorithm"`,
+ * `"Malformed"`; a recipient accepts the commitment ONLY on `"Valid"`.
+ * `signer_fpr` carries the recomputed `blake3(pubkey)` fingerprint (only
+ * meaningful on `"Valid"`).
+ */
+export class CommitmentVerdict {
+    private constructor();
+    free(): void;
+    [Symbol.dispose](): void;
+    /**
+     * The recomputed `blake3(pubkey)` fingerprint (only set on `"Valid"`).
+     */
+    signer_fpr: string;
+    /**
+     * The verdict tag.
+     */
+    verdict: string;
+}
+
+/**
+ * The base verdict + the rendered signed metrics + the offline-recomputed cost.
+ *
+ * `verdict` / `trust_level` are exactly what [`verify_action_receipt_wasm`]
+ * returns. The metric fields are the SIGNED values (the closed `status` /
+ * `token_source` enums rendered to their wire snake_case strings). `cost_display`
+ * / `recomputed_cost_micros` are RECOMPUTED from the rate card the caller passed
+ * in — `priced == false` (and both `None`) when that card does not price the
+ * model; never a guessed figure. `card_id_matches` tells the reader whether the
+ * card handed in is the one the receipt actually named.
+ */
+export class MetricsVerdict {
+    private constructor();
+    free(): void;
+    [Symbol.dispose](): void;
+    /**
+     * Request bytes sent, when the transport exposed it.
+     */
+    get bytes_in(): number | undefined;
+    /**
+     * Request bytes sent, when the transport exposed it.
+     */
+    set bytes_in(value: number | null | undefined);
+    /**
+     * Response bytes received, when the transport exposed it.
+     */
+    get bytes_out(): number | undefined;
+    /**
+     * Response bytes received, when the transport exposed it.
+     */
+    set bytes_out(value: number | null | undefined);
+    /**
+     * Whether the passed-in card is the one the receipt named.
+     */
+    card_id_matches: boolean;
+    /**
+     * Recomputed cost as a 6-decimal display string; `None` when not priced.
+     */
+    get cost_display(): string | undefined;
+    /**
+     * Recomputed cost as a 6-decimal display string; `None` when not priced.
+     */
+    set cost_display(value: string | null | undefined);
+    /**
+     * Wall-clock duration in whole milliseconds.
+     */
+    get duration_ms(): number | undefined;
+    /**
+     * Wall-clock duration in whole milliseconds.
+     */
+    set duration_ms(value: number | null | undefined);
+    /**
+     * Whether the receipt carried a signed `metrics` block.
+     */
+    has_metrics: boolean;
+    /**
+     * The `provider/model` key derived from the signed `action.fields`.
+     */
+    get model_key(): string | undefined;
+    /**
+     * The `provider/model` key derived from the signed `action.fields`.
+     */
+    set model_key(value: string | null | undefined);
+    /**
+     * `true` iff the model is priced by the passed-in card.
+     */
+    priced: boolean;
+    /**
+     * The rate-card id AS NAMED in the signed receipt.
+     */
+    get rate_card_id(): string | undefined;
+    /**
+     * The rate-card id AS NAMED in the signed receipt.
+     */
+    set rate_card_id(value: string | null | undefined);
+    /**
+     * Recomputed cost in micro-USD (`BigInt`); `None` when not priced.
+     */
+    get recomputed_cost_micros(): bigint | undefined;
+    /**
+     * Recomputed cost in micro-USD (`BigInt`); `None` when not priced.
+     */
+    set recomputed_cost_micros(value: bigint | null | undefined);
+    /**
+     * Transport-level retries before this outcome.
+     */
+    get retries(): number | undefined;
+    /**
+     * Transport-level retries before this outcome.
+     */
+    set retries(value: number | null | undefined);
+    /**
+     * Transport status code, when one applied.
+     */
+    get status_code(): number | undefined;
+    /**
+     * Transport status code, when one applied.
+     */
+    set status_code(value: number | null | undefined);
+    /**
+     * Execution-outcome class, wire snake_case (`"ok"`, `"server_error"`, …).
+     */
+    get status(): string | undefined;
+    /**
+     * Execution-outcome class, wire snake_case (`"ok"`, `"server_error"`, …).
+     */
+    set status(value: string | null | undefined);
+    /**
+     * Token-count source, wire snake_case (`"provider_reported"`/`"estimated"`).
+     */
+    get token_source(): string | undefined;
+    /**
+     * Token-count source, wire snake_case (`"provider_reported"`/`"estimated"`).
+     */
+    set token_source(value: string | null | undefined);
+    /**
+     * Provider-reported (or estimated) input tokens.
+     */
+    get tokens_in(): number | undefined;
+    /**
+     * Provider-reported (or estimated) input tokens.
+     */
+    set tokens_in(value: number | null | undefined);
+    /**
+     * Provider-reported (or estimated) output tokens.
+     */
+    get tokens_out(): number | undefined;
+    /**
+     * Provider-reported (or estimated) output tokens.
+     */
+    set tokens_out(value: number | null | undefined);
+    /**
+     * The re-derived trust level (`"L0"`/`"L1"`); `""` unless `verdict == "Valid"`.
+     */
+    trust_level: string;
+    /**
+     * The base `ActionOutcome` verdict tag (`"Valid"`, `"HashMismatch"`, …).
+     */
+    verdict: string;
+}
+
 /**
  * The verified, decoded result of a delegation envelope.
  */
@@ -136,12 +298,71 @@ export function actionCanonicalBytes(content_json: string): Uint8Array;
  */
 export function anchoredContentHash(content_json: string): string;
 
+/**
+ * Assemble the on-the-wire approval-token frame from the detached signature the
+ * in-browser approver key produced over [`approval_token_payload_wasm`]. Pure
+ * assemble, no key. The base64 of these bytes is the bearer `token_b64`.
+ *
+ * Byte order (see [`heso_action::domain::approval_token_frame`], the ONE source —
+ * the kernel verifier parses EXACTLY this and rejects trailing bytes):
+ * `nonce(32) ++ expiry(BE8) ++ decision_tag(1) ++ scope_len(BE4) ++ scope
+ *   ++ signature(64) ++ pubkey(32)`
+ *
+ * `nonce`          — 32 raw bytes (Uint8Array); MUST equal the nonce signed over.
+ * `expiryUnixSecs` — token expiry as BigInt Unix seconds.
+ * `decision`       — `"approved"` or `"rejected"`.
+ * `scope`          — the UTF-8 scope string.
+ * `signature`      — 64 raw Ed25519 signature bytes (Uint8Array).
+ * `pubkey`         — 32 raw Ed25519 public-key bytes (Uint8Array).
+ */
+export function approvalTokenFrame(nonce: Uint8Array, expiry_unix_secs: bigint, decision: string, scope: string, signature: Uint8Array, pubkey: Uint8Array): Uint8Array;
+
+/**
+ * Return the EXACT bytes the approver's Ed25519 key must sign for an approval
+ * token (the Option-C in-browser minter signs THESE, never any hand-rolled
+ * bytes). Mirrors [`l1_cosign_payload_wasm`]: pure assemble, no OsRng, no key —
+ * the browser holds the key, this only produces the payload a detached signer
+ * covers.
+ *
+ * Byte order (see [`heso_action::domain::approval_token_signed_payload`], the ONE
+ * source — the kernel verifier recomputes the identical bytes):
+ * `APPROVAL_TOKEN_SIGNING_DOMAIN ++ nonce(32) ++ expiry(BE8) ++ decision_tag(1)
+ *   ++ scope_len(BE4) ++ scope ++ action_canonical_bytes`
+ *
+ * `contentJson`       — the `ActionContent` JSON; canonicalized through the SAME
+ *                       RFC-8785 path as [`action_canonical_bytes_wasm`] (the
+ *                       browser MUST NOT hand-roll JCS).
+ * `nonce`             — 32 raw replay-prevention bytes (Uint8Array).
+ * `expiryUnixSecs`    — token expiry as BigInt Unix seconds.
+ * `decision`          — `"approved"` or `"rejected"` (the SEC-02 decision binding).
+ * `scope`             — the UTF-8 scope string.
+ */
+export function approvalTokenPayload(content_json: string, nonce: Uint8Array, expiry_unix_secs: bigint, decision: string, scope: string): Uint8Array;
+
 /**
  * Compute a domain-separated BLAKE3 chain-link digest from two 64-hex hashes.
  * Replaces the `@noble`-backed chain helper in `crypto.ts`.
  */
 export function chainHashHex(prev_hex: string, action_hex: string): string;
 
+/**
+ * PURE. Return the RFC-8785 (JCS) canonical bytes of a commitment envelope JSON
+ * string — the exact bytes the detached operator signature is computed over
+ * (after the `COMMITMENT_SIGNING_DOMAIN` prefix). Delegates to the single kernel
+ * JCS impl; never re-canonicalizes. Throws `[MALFORMED]` if the JSON does not
+ * parse as a `CommitmentEnvelope` and `[CANON]` if it cannot be canonicalized.
+ */
+export function commitmentEnvelopeCanonicalBytes(envelope_json: string): Uint8Array;
+
+/**
+ * The **commitment fingerprint** of an Ed25519 public key: `blake3(raw_pubkey)`,
+ * the full 32-byte digest, lowercase 64-hex, NO prefix — the value the producer
+ * puts in the wire `signer_fpr`. DISTINCT from the `heso:`-prefixed Grade-0
+ * signer fingerprint. Throws `[MALFORMED]` if `pubkey_b64` is not base64 of
+ * exactly 32 bytes.
+ */
+export function commitmentFingerprint(pubkey_b64: string): string;
+
 /**
  * BLAKE3 (64-hex) of the canonical bytes — the value that goes into
  * `action_hash`. Replaces `@noble/hashes` blake3 usage in `crypto.ts`.
@@ -193,6 +414,13 @@ export function l1CosignPayload(suspended_content_json: string, approver_record_
  */
 export function parsePolicy(toml_src: string): void;
 
+/**
+ * Parse a C2SP signed-note checkpoint and return its `{origin, size, root_hex,
+ * text}` as a JSON string. Does NO signature verification — call
+ * `verifyNoteAgainstKey` for that. Throws `[NOTE]` on a malformed note.
+ */
+export function parseSignedNote(note: string): string;
+
 /**
  * Parse + validate policy TOML and return the rules as a JSON array of
  * [`PolicyRule`] (the Rust wire shape) so the web renders a pulled policy via the
@@ -244,6 +472,14 @@ export function ruleToSentence(rule_json: string): string;
  */
 export function shortHash(hex: string, prefix?: string | null): string;
 
+/**
+ * The frozen top-tree leaf VALUE committing one org's epoch snapshot:
+ * `SHA-256(TOP_LEAF_DOMAIN || org_id(16) || epoch(BE8) || org_root(32))`,
+ * 64-hex. The stage-2 commitment a two-stage inclusion proof rides. Throws
+ * `[ORG]`/`[ROOT]` on malformed inputs.
+ */
+export function topLeafValue(org_id_hyphenated: string, epoch: bigint, org_root_hex: string): string;
+
 /**
  * Floor pre-check over a candidate ruleset (JSON array of [`PolicyRule`]) WITHOUT
  * serializing to TOML — the live check the builder runs as the user edits.
@@ -267,6 +503,25 @@ export function validateNoFloorBypass(rules_json: string): void;
  */
 export function verifyActionReceipt(receipt_bytes: Uint8Array): ActionVerdict;
 
+/**
+ * Verify a single `ActionReceipt` AND render its signed metrics + recompute cost
+ * from the passed-in public rate card.
+ *
+ * Runs the EXISTING [`verify_action_receipt`] for the base outcome + trust level
+ * (so that path is byte-for-byte unchanged), then — when the receipt parses —
+ * renders the signed metrics and recomputes the cost via the pure
+ * `heso_action::metrics_view::metrics_view`. Never panics:
+ *
+ * - receipt fails to PARSE  ⇒ base verdict + `has_metrics: false` (no metrics).
+ * - rate card fails to PARSE ⇒ base verdict + rendered metrics, but `priced:
+ *   false` and `cost_display: None` (cost cannot be recomputed without a card).
+ * - everything parses        ⇒ full metrics + recomputed cost.
+ *
+ * `receipt_bytes`   — the raw `ActionReceipt` JSON bytes (`Uint8Array`).
+ * `rate_card_json`  — the public rate-card JSON the cost is recomputed from.
+ */
+export function verifyActionReceiptWithRates(receipt_bytes: Uint8Array, rate_card_json: string): MetricsVerdict;
+
 /**
  * Verify a serialized approval token and return its decoded claims.
  *
@@ -292,6 +547,20 @@ export function verifyApprovalToken(token: Uint8Array, action_canonical: Uint8Ar
  */
 export function verifyChain(receipts_bytes: Uint8Array): ChainResult;
 
+/**
+ * REJECT-MORE-ONLY. Verify a detached commitment-envelope signature in the
+ * browser — the recipient independently confirms a commitment the same way the
+ * cloud does.
+ *
+ * Parses `envelope_bytes` as a `CommitmentEnvelope`, re-canonicalizes VIA THE
+ * KERNEL, `verify_strict`-checks the detached Ed25519 signature under
+ * `COMMITMENT_SIGNING_DOMAIN`, and confirms the recomputed commitment
+ * fingerprint (`blake3(pubkey)`) equals `claimed_signer_fpr`. Produces ZERO new
+ * canonical/signed bytes. Never throws — every outcome is a kind-tagged
+ * [`CommitmentVerdict`].
+ */
+export function verifyCommitment(envelope_bytes: Uint8Array, operator_pubkey_b64: string, detached_sig_b64: string, claimed_signer_fpr: string): CommitmentVerdict;
+
 /**
  * RFC-6962 consistency proof verification.
  *
@@ -329,6 +598,31 @@ export function verifyDelegation(wire: Uint8Array, registered_operator_key: Uint
  */
 export function verifyInclusion(leaf_value_hex: string, index: number, size: number, root_hex: string, proof_hashes_json: string): boolean;
 
+/**
+ * Verify a parsed C2SP signed-note checkpoint against a PINNED Ed25519 log
+ * public key (base64, raw 32 bytes). Returns `true` iff at least one signature
+ * line is from the pinned key AND `verify_strict`s over the note text.
+ *
+ * The pinned key is supplied by the caller (trusted out of band, CT-style) — a
+ * note signed by any non-pinned key returns `false`. Throws `[NOTE]` if the
+ * note is malformed or `[KEY]` if the pubkey is not base64 of 32 bytes.
+ */
+export function verifyNoteAgainstKey(note: string, log_pubkey_b64: string): boolean;
+
+/**
+ * Verify a single commit-and-reveal field reveal against its signed redaction
+ * marker — recompute `BLAKE3(salt ++ field_path ++ value)` and check equality
+ * with `marker.commitment`. The browser/offline counterpart to the Node
+ * `verifyRevealJs`: the missing half that lets a web auditor reveal-and-prove a
+ * redacted field with only the receipt + the customer-supplied sidecar.
+ *
+ * `reveal_json` — a `FieldReveal`: `{ field_path, salt_hex, value_json }`.
+ * `marker_json` — the matching `RedactionMarker` from the signed receipt.
+ *
+ * Returns `true` iff the reveal recomputes the marker's commitment.
+ */
+export function verifyReveal(reveal_json: string, marker_json: string): boolean;
+
 /**
  * Verify a session chain (lifecycle role + transition checks).
  */
@@ -347,68 +641,118 @@ export type InitInput = RequestInfo | URL | Response | BufferSource | WebAssembl
 export interface InitOutput {
     readonly memory: WebAssembly.Memory;
     readonly __wbg_actionverdict_free: (a: number, b: number) => void;
-    readonly __wbg_get_actionverdict_verdict: (a: number) => [number, number];
+    readonly __wbg_get_actionverdict_verdict: (a: number, b: number) => void;
     readonly __wbg_set_actionverdict_verdict: (a: number, b: number, c: number) => void;
-    readonly __wbg_get_actionverdict_trust_level: (a: number) => [number, number];
+    readonly __wbg_get_actionverdict_trust_level: (a: number, b: number) => void;
     readonly __wbg_set_actionverdict_trust_level: (a: number, b: number, c: number) => void;
     readonly __wbg_chainresult_free: (a: number, b: number) => void;
     readonly __wbg_get_chainresult_ok: (a: number) => number;
     readonly __wbg_set_chainresult_ok: (a: number, b: number) => void;
     readonly __wbg_get_chainresult_length: (a: number) => number;
     readonly __wbg_set_chainresult_length: (a: number, b: number) => void;
-    readonly __wbg_get_chainresult_error: (a: number) => [number, number];
+    readonly __wbg_get_chainresult_error: (a: number, b: number) => void;
     readonly __wbg_set_chainresult_error: (a: number, b: number, c: number) => void;
     readonly __wbg_get_chainresult_seq: (a: number) => number;
     readonly __wbg_set_chainresult_seq: (a: number, b: number) => void;
-    readonly __wbg_get_chainresult_detail: (a: number) => [number, number];
+    readonly __wbg_get_chainresult_detail: (a: number, b: number) => void;
     readonly __wbg_set_chainresult_detail: (a: number, b: number, c: number) => void;
     readonly __wbg_approvaltokenclaims_free: (a: number, b: number) => void;
-    readonly __wbg_get_approvaltokenclaims_nonce: (a: number) => any;
-    readonly __wbg_set_approvaltokenclaims_nonce: (a: number, b: any) => void;
-    readonly __wbg_get_approvaltokenclaims_expiry_unix_secs: (a: number) => any;
-    readonly __wbg_set_approvaltokenclaims_expiry_unix_secs: (a: number, b: any) => void;
-    readonly __wbg_get_approvaltokenclaims_decision: (a: number) => [number, number];
-    readonly __wbg_get_approvaltokenclaims_scope: (a: number) => [number, number];
-    readonly __wbg_get_approvaltokenclaims_approver_public_key: (a: number) => [number, number];
+    readonly __wbg_get_approvaltokenclaims_nonce: (a: number) => number;
+    readonly __wbg_set_approvaltokenclaims_nonce: (a: number, b: number) => void;
+    readonly __wbg_get_approvaltokenclaims_expiry_unix_secs: (a: number) => number;
+    readonly __wbg_set_approvaltokenclaims_expiry_unix_secs: (a: number, b: number) => void;
+    readonly __wbg_get_approvaltokenclaims_approver_public_key: (a: number, b: number) => void;
     readonly __wbg_set_approvaltokenclaims_approver_public_key: (a: number, b: number, c: number) => void;
     readonly __wbg_verifieddelegation_free: (a: number, b: number) => void;
-    readonly __wbg_get_verifieddelegation_authorized_key: (a: number) => any;
-    readonly __wbg_set_verifieddelegation_authorized_key: (a: number, b: any) => void;
-    readonly __wbg_get_verifieddelegation_sub: (a: number) => [number, number];
-    readonly __wbg_get_verifieddelegation_scope: (a: number) => [number, number];
-    readonly __wbg_get_verifieddelegation_expiry_unix_secs: (a: number) => any;
-    readonly __wbg_set_verifieddelegation_expiry_unix_secs: (a: number, b: any) => void;
-    readonly __wbg_get_verifieddelegation_not_before_unix_secs: (a: number) => any;
-    readonly __wbg_set_verifieddelegation_not_before_unix_secs: (a: number, b: any) => void;
+    readonly __wbg_get_verifieddelegation_authorized_key: (a: number) => number;
+    readonly __wbg_set_verifieddelegation_authorized_key: (a: number, b: number) => void;
+    readonly __wbg_get_verifieddelegation_expiry_unix_secs: (a: number) => number;
+    readonly __wbg_set_verifieddelegation_expiry_unix_secs: (a: number, b: number) => void;
+    readonly __wbg_get_verifieddelegation_not_before_unix_secs: (a: number) => number;
+    readonly __wbg_set_verifieddelegation_not_before_unix_secs: (a: number, b: number) => void;
     readonly verifyActionReceipt: (a: number, b: number) => number;
-    readonly actionCanonicalBytes: (a: number, b: number) => [number, number, number];
-    readonly l1CosignPayload: (a: number, b: number, c: number, d: number) => [number, number, number];
-    readonly quorumCosignPayload: (a: number, b: number, c: number, d: number, e: number, f: number, g: number) => [number, number, number];
-    readonly contentHash: (a: number, b: number) => [number, number, number, number];
-    readonly anchoredContentHash: (a: number, b: number) => [number, number, number, number];
-    readonly shortHash: (a: number, b: number, c: number, d: number) => [number, number, number, number];
-    readonly chainHashHex: (a: number, b: number, c: number, d: number) => [number, number, number, number];
-    readonly verifyApprovalToken: (a: number, b: number, c: number, d: number, e: any, f: any, g: number, h: number, i: number, j: number, k: any) => [number, number, number];
-    readonly verifyDelegation: (a: number, b: number, c: number, d: number, e: number, f: number, g: number, h: number, i: number, j: number, k: number, l: number, m: any) => [number, number, number];
-    readonly verifyChain: (a: number, b: number) => [number, number, number];
-    readonly verifySessionChain: (a: number, b: number) => [number, number, number];
-    readonly verifySessionChainWithRotation: (a: number, b: number, c: number, d: number, e: number, f: number) => [number, number, number];
-    readonly verifyInclusion: (a: number, b: number, c: number, d: number, e: number, f: number, g: number, h: number) => [number, number, number];
-    readonly verifyConsistency: (a: number, b: number, c: number, d: number, e: number, f: number, g: number, h: number) => [number, number, number];
-    readonly parsePolicy: (a: number, b: number) => [number, number];
-    readonly ruleToSentence: (a: number, b: number) => [number, number, number, number];
-    readonly policyRulesFromToml: (a: number, b: number) => [number, number, number, number];
-    readonly validateNoFloorBypass: (a: number, b: number) => [number, number];
+    readonly actionCanonicalBytes: (a: number, b: number, c: number) => void;
+    readonly l1CosignPayload: (a: number, b: number, c: number, d: number, e: number) => void;
+    readonly quorumCosignPayload: (a: number, b: number, c: number, d: number, e: number, f: number, g: number, h: number) => void;
+    readonly contentHash: (a: number, b: number, c: number) => void;
+    readonly anchoredContentHash: (a: number, b: number, c: number) => void;
+    readonly shortHash: (a: number, b: number, c: number, d: number, e: number) => void;
+    readonly chainHashHex: (a: number, b: number, c: number, d: number, e: number) => void;
+    readonly verifyApprovalToken: (a: number, b: number, c: number, d: number, e: number, f: number, g: number, h: number, i: number, j: number, k: number, l: number) => void;
+    readonly approvalTokenPayload: (a: number, b: number, c: number, d: number, e: number, f: number, g: number, h: number, i: number, j: number) => void;
+    readonly approvalTokenFrame: (a: number, b: number, c: number, d: number, e: number, f: number, g: number, h: number, i: number, j: number, k: number, l: number) => void;
+    readonly verifyDelegation: (a: number, b: number, c: number, d: number, e: number, f: number, g: number, h: number, i: number, j: number, k: number, l: number, m: number, n: number) => void;
+    readonly verifyCommitment: (a: number, b: number, c: number, d: number, e: number, f: number, g: number, h: number) => number;
+    readonly commitmentEnvelopeCanonicalBytes: (a: number, b: number, c: number) => void;
+    readonly commitmentFingerprint: (a: number, b: number, c: number) => void;
+    readonly parseSignedNote: (a: number, b: number, c: number) => void;
+    readonly verifyNoteAgainstKey: (a: number, b: number, c: number, d: number, e: number) => void;
+    readonly topLeafValue: (a: number, b: number, c: number, d: bigint, e: number, f: number) => void;
+    readonly verifyChain: (a: number, b: number, c: number) => void;
+    readonly verifySessionChain: (a: number, b: number, c: number) => void;
+    readonly verifySessionChainWithRotation: (a: number, b: number, c: number, d: number, e: number, f: number, g: number) => void;
+    readonly verifyInclusion: (a: number, b: number, c: number, d: number, e: number, f: number, g: number, h: number, i: number) => void;
+    readonly verifyConsistency: (a: number, b: number, c: number, d: number, e: number, f: number, g: number, h: number, i: number) => void;
+    readonly verifyReveal: (a: number, b: number, c: number, d: number, e: number) => void;
+    readonly parsePolicy: (a: number, b: number, c: number) => void;
+    readonly ruleToSentence: (a: number, b: number, c: number) => void;
+    readonly policyRulesFromToml: (a: number, b: number, c: number) => void;
+    readonly validateNoFloorBypass: (a: number, b: number, c: number) => void;
+    readonly __wbg_metricsverdict_free: (a: number, b: number) => void;
+    readonly __wbg_get_metricsverdict_verdict: (a: number, b: number) => void;
+    readonly __wbg_set_metricsverdict_verdict: (a: number, b: number, c: number) => void;
+    readonly __wbg_get_metricsverdict_trust_level: (a: number, b: number) => void;
+    readonly __wbg_set_metricsverdict_trust_level: (a: number, b: number, c: number) => void;
+    readonly __wbg_get_metricsverdict_has_metrics: (a: number) => number;
+    readonly __wbg_set_metricsverdict_has_metrics: (a: number, b: number) => void;
+    readonly __wbg_get_metricsverdict_duration_ms: (a: number) => number;
+    readonly __wbg_set_metricsverdict_duration_ms: (a: number, b: number) => void;
+    readonly __wbg_get_metricsverdict_status: (a: number, b: number) => void;
+    readonly __wbg_set_metricsverdict_status: (a: number, b: number, c: number) => void;
+    readonly __wbg_get_metricsverdict_status_code: (a: number) => number;
+    readonly __wbg_set_metricsverdict_status_code: (a: number, b: number) => void;
+    readonly __wbg_get_metricsverdict_tokens_in: (a: number) => number;
+    readonly __wbg_set_metricsverdict_tokens_in: (a: number, b: number) => void;
+    readonly __wbg_get_metricsverdict_tokens_out: (a: number) => number;
+    readonly __wbg_set_metricsverdict_tokens_out: (a: number, b: number) => void;
+    readonly __wbg_get_metricsverdict_token_source: (a: number, b: number) => void;
+    readonly __wbg_set_metricsverdict_token_source: (a: number, b: number, c: number) => void;
+    readonly __wbg_get_metricsverdict_bytes_in: (a: number) => number;
+    readonly __wbg_set_metricsverdict_bytes_in: (a: number, b: number) => void;
+    readonly __wbg_get_metricsverdict_bytes_out: (a: number) => number;
+    readonly __wbg_set_metricsverdict_bytes_out: (a: number, b: number) => void;
+    readonly __wbg_get_metricsverdict_retries: (a: number) => number;
+    readonly __wbg_set_metricsverdict_retries: (a: number, b: number) => void;
+    readonly __wbg_get_metricsverdict_rate_card_id: (a: number, b: number) => void;
+    readonly __wbg_set_metricsverdict_rate_card_id: (a: number, b: number, c: number) => void;
+    readonly __wbg_get_metricsverdict_model_key: (a: number, b: number) => void;
+    readonly __wbg_set_metricsverdict_model_key: (a: number, b: number, c: number) => void;
+    readonly __wbg_get_metricsverdict_recomputed_cost_micros: (a: number, b: number) => void;
+    readonly __wbg_set_metricsverdict_recomputed_cost_micros: (a: number, b: number, c: bigint) => void;
+    readonly __wbg_get_metricsverdict_cost_display: (a: number, b: number) => void;
+    readonly __wbg_set_metricsverdict_cost_display: (a: number, b: number, c: number) => void;
+    readonly __wbg_get_metricsverdict_priced: (a: number) => number;
+    readonly __wbg_set_metricsverdict_priced: (a: number, b: number) => void;
+    readonly __wbg_get_metricsverdict_card_id_matches: (a: number) => number;
+    readonly __wbg_set_metricsverdict_card_id_matches: (a: number, b: number) => void;
+    readonly verifyActionReceiptWithRates: (a: number, b: number, c: number, d: number) => number;
     readonly __wbg_set_approvaltokenclaims_decision: (a: number, b: number, c: number) => void;
     readonly __wbg_set_approvaltokenclaims_scope: (a: number, b: number, c: number) => void;
     readonly __wbg_set_verifieddelegation_sub: (a: number, b: number, c: number) => void;
     readonly __wbg_set_verifieddelegation_scope: (a: number, b: number, c: number) => void;
-    readonly __wbindgen_malloc: (a: number, b: number) => number;
-    readonly __wbindgen_realloc: (a: number, b: number, c: number, d: number) => number;
-    readonly __wbindgen_externrefs: WebAssembly.Table;
-    readonly __externref_table_dealloc: (a: number) => void;
-    readonly __wbindgen_free: (a: number, b: number, c: number) => void;
-    readonly __wbindgen_start: () => void;
+    readonly __wbg_set_commitmentverdict_verdict: (a: number, b: number, c: number) => void;
+    readonly __wbg_set_commitmentverdict_signer_fpr: (a: number, b: number, c: number) => void;
+    readonly __wbg_commitmentverdict_free: (a: number, b: number) => void;
+    readonly __wbg_get_approvaltokenclaims_decision: (a: number, b: number) => void;
+    readonly __wbg_get_approvaltokenclaims_scope: (a: number, b: number) => void;
+    readonly __wbg_get_verifieddelegation_sub: (a: number, b: number) => void;
+    readonly __wbg_get_verifieddelegation_scope: (a: number, b: number) => void;
+    readonly __wbg_get_commitmentverdict_verdict: (a: number, b: number) => void;
+    readonly __wbg_get_commitmentverdict_signer_fpr: (a: number, b: number) => void;
+    readonly __wbindgen_export: (a: number, b: number) => number;
+    readonly __wbindgen_export2: (a: number, b: number, c: number, d: number) => number;
+    readonly __wbindgen_add_to_stack_pointer: (a: number) => number;
+    readonly __wbindgen_export3: (a: number, b: number, c: number) => void;
 }
 
 export type SyncInitInput = BufferSource | WebAssembly.Module;