@hesohq/verify-wasm 0.5.0-dev.71 → 0.5.0-dev.85

package/heso_wasm.d.ts

@@ -94,6 +94,76 @@ export class ChainResult {
     set seq(value: number | null | undefined);
 }
 
+/**
+ * The result of an offline CloudTrail feed-completeness check.
+ */
+export class CloudTrailFeedVerdict {
+    private constructor();
+    free(): void;
+    [Symbol.dispose](): void;
+    /**
+     * 0-based head-first index at which the chain broke / a digest was rejected;
+     * `None` for `Complete`.
+     */
+    get broken_at(): number | undefined;
+    /**
+     * 0-based head-first index at which the chain broke / a digest was rejected;
+     * `None` for `Complete`.
+     */
+    set broken_at(value: number | null | undefined);
+    /**
+     * Number of hourly digests whose signature + chain link verified.
+     */
+    digests_verified: number;
+    /**
+     * `true` ONLY when an unbroken signed chain proved completeness back to the
+     * starting (genesis) digest — the single state that earns a third-party
+     * `feed_complete` claim. A `ChainGap` (disclosed gap) reports `false`.
+     */
+    feed_complete: boolean;
+    /**
+     * The kind tag of the outcome: `"Complete"`, `"ChainGap"`, `"Empty"`,
+     * `"Malformed"`, `"NoMatchingKey"`, `"SignatureInvalid"`,
+     * `"PreviousHashMismatch"`, `"PreviousSignatureMismatch"`,
+     * `"PreviousObjectMismatch"`.
+     */
+    kind: string;
+    /**
+     * Number of signed log files the verified digests committed to across the
+     * window. For `Complete` this is the SIGNED, COMPLETE inventory the window
+     * provably covers (no log file could have been added, removed, or modified
+     * without breaking the chain). `0` for non-window outcomes.
+     */
+    signed_log_files_count: number;
+    /**
+     * The signed log-file inventory as a JSON array of
+     * `{s3_bucket, s3_object, hash_value, …}` — the proof page renders these so a
+     * third party can confirm WHICH files the window covers. `"[]"` for
+     * non-window outcomes.
+     */
+    signed_log_files_json: string;
+    /**
+     * `digestEndTime` of the head digest (window upper bound). `None` unless the
+     * outcome carries a window.
+     */
+    get window_end(): string | undefined;
+    /**
+     * `digestEndTime` of the head digest (window upper bound). `None` unless the
+     * outcome carries a window.
+     */
+    set window_end(value: string | null | undefined);
+    /**
+     * `digestEndTime` of the starting digest reached (`Complete`) or the last
+     * verified digest before the gap (`ChainGap`). `None` otherwise.
+     */
+    get window_start(): string | undefined;
+    /**
+     * `digestEndTime` of the starting digest reached (`Complete`) or the last
+     * verified digest before the gap (`ChainGap`). `None` otherwise.
+     */
+    set window_start(value: string | null | undefined);
+}
+
 /**
  * The kind-tagged verdict of [`verify_commitment_wasm`]. `verdict` is one of
  * `"Valid"`, `"InvalidSignature"`, `"FingerprintMismatch"`, `"WrongAlgorithm"`,
@@ -547,6 +617,28 @@ export function verifyApprovalToken(token: Uint8Array, action_canonical: Uint8Ar
  */
 export function verifyChain(receipts_bytes: Uint8Array): ChainResult;
 
+/**
+ * **REJECT-MORE-ONLY.** Verify an AWS CloudTrail signed digest-file chain
+ * **offline**, proving feed completeness from the frozen bundle bytes + the
+ * PINNED AWS public keys alone — no network, no AWS call, no HESO endpoint.
+ *
+ * `proof_json` is a [`heso_action::cloudtrail::CloudTrailFeedProof`] JSON: the
+ * digest chain (HEAD FIRST), the head's out-of-band `x-amz-meta-signature`, and
+ * the pinned per-Region AWS public keys (PKCS#1 DER, base64 — exactly as
+ * `ListPublicKeys` returns them; this verifier wraps them into SPKI internally,
+ * the #1 implementation trap handled once in the kernel).
+ *
+ * The AWS key is trusted **out of band** (CT pin-the-key model): a digest whose
+ * `digestPublicKeyFingerprint` matches no pinned key FAILS with
+ * `kind = "NoMatchingKey"`. The verdict separates `feed_complete` (window
+ * completeness, claimable to a third party for this STRONG rail) from a
+ * disclosed `ChainGap` — never collapsing a gap into a green badge.
+ *
+ * Throws `[CT_PARSE]` only if `proof_json` is not a valid `CloudTrailFeedProof`;
+ * every cryptographic / chain failure is a non-throwing kind tag instead.
+ */
+export function verifyCloudTrailFeed(proof_json: string): CloudTrailFeedVerdict;
+
 /**
  * REJECT-MORE-ONLY. Verify a detached commitment-envelope signature in the
  * browser — the recipient independently confirms a commitment the same way the
@@ -736,12 +828,30 @@ export interface InitOutput {
     readonly __wbg_get_metricsverdict_card_id_matches: (a: number) => number;
     readonly __wbg_set_metricsverdict_card_id_matches: (a: number, b: number) => void;
     readonly verifyActionReceiptWithRates: (a: number, b: number, c: number, d: number) => number;
+    readonly __wbg_cloudtrailfeedverdict_free: (a: number, b: number) => void;
+    readonly __wbg_get_cloudtrailfeedverdict_feed_complete: (a: number) => number;
+    readonly __wbg_set_cloudtrailfeedverdict_feed_complete: (a: number, b: number) => void;
+    readonly __wbg_get_cloudtrailfeedverdict_kind: (a: number, b: number) => void;
+    readonly __wbg_set_cloudtrailfeedverdict_kind: (a: number, b: number, c: number) => void;
+    readonly __wbg_get_cloudtrailfeedverdict_digests_verified: (a: number) => number;
+    readonly __wbg_set_cloudtrailfeedverdict_digests_verified: (a: number, b: number) => void;
+    readonly __wbg_get_cloudtrailfeedverdict_window_end: (a: number, b: number) => void;
+    readonly __wbg_set_cloudtrailfeedverdict_window_end: (a: number, b: number, c: number) => void;
+    readonly __wbg_get_cloudtrailfeedverdict_window_start: (a: number, b: number) => void;
+    readonly __wbg_set_cloudtrailfeedverdict_window_start: (a: number, b: number, c: number) => void;
+    readonly __wbg_get_cloudtrailfeedverdict_signed_log_files_count: (a: number) => number;
+    readonly __wbg_set_cloudtrailfeedverdict_signed_log_files_count: (a: number, b: number) => void;
+    readonly __wbg_get_cloudtrailfeedverdict_signed_log_files_json: (a: number, b: number) => void;
+    readonly __wbg_set_cloudtrailfeedverdict_signed_log_files_json: (a: number, b: number, c: number) => void;
+    readonly verifyCloudTrailFeed: (a: number, b: number, c: number) => void;
     readonly __wbg_set_approvaltokenclaims_decision: (a: number, b: number, c: number) => void;
     readonly __wbg_set_approvaltokenclaims_scope: (a: number, b: number, c: number) => void;
     readonly __wbg_set_verifieddelegation_sub: (a: number, b: number, c: number) => void;
     readonly __wbg_set_verifieddelegation_scope: (a: number, b: number, c: number) => void;
     readonly __wbg_set_commitmentverdict_verdict: (a: number, b: number, c: number) => void;
     readonly __wbg_set_commitmentverdict_signer_fpr: (a: number, b: number, c: number) => void;
+    readonly __wbg_set_cloudtrailfeedverdict_broken_at: (a: number, b: number) => void;
+    readonly __wbg_get_cloudtrailfeedverdict_broken_at: (a: number) => number;
     readonly __wbg_commitmentverdict_free: (a: number, b: number) => void;
     readonly __wbg_get_approvaltokenclaims_decision: (a: number, b: number) => void;
     readonly __wbg_get_approvaltokenclaims_scope: (a: number, b: number) => void;

package/heso_wasm.js

@@ -351,6 +351,233 @@ export class ChainResult {
 }
 if (Symbol.dispose) ChainResult.prototype[Symbol.dispose] = ChainResult.prototype.free;
 
+/**
+ * The result of an offline CloudTrail feed-completeness check.
+ */
+export class CloudTrailFeedVerdict {
+    static __wrap(ptr) {
+        const obj = Object.create(CloudTrailFeedVerdict.prototype);
+        obj.__wbg_ptr = ptr;
+        CloudTrailFeedVerdictFinalization.register(obj, obj.__wbg_ptr, obj);
+        return obj;
+    }
+    __destroy_into_raw() {
+        const ptr = this.__wbg_ptr;
+        this.__wbg_ptr = 0;
+        CloudTrailFeedVerdictFinalization.unregister(this);
+        return ptr;
+    }
+    free() {
+        const ptr = this.__destroy_into_raw();
+        wasm.__wbg_cloudtrailfeedverdict_free(ptr, 0);
+    }
+    /**
+     * 0-based head-first index at which the chain broke / a digest was rejected;
+     * `None` for `Complete`.
+     * @returns {number | undefined}
+     */
+    get broken_at() {
+        const ret = wasm.__wbg_get_cloudtrailfeedverdict_broken_at(this.__wbg_ptr);
+        return ret === Number.MAX_SAFE_INTEGER ? undefined : ret;
+    }
+    /**
+     * Number of hourly digests whose signature + chain link verified.
+     * @returns {number}
+     */
+    get digests_verified() {
+        const ret = wasm.__wbg_get_cloudtrailfeedverdict_digests_verified(this.__wbg_ptr);
+        return ret >>> 0;
+    }
+    /**
+     * `true` ONLY when an unbroken signed chain proved completeness back to the
+     * starting (genesis) digest — the single state that earns a third-party
+     * `feed_complete` claim. A `ChainGap` (disclosed gap) reports `false`.
+     * @returns {boolean}
+     */
+    get feed_complete() {
+        const ret = wasm.__wbg_get_cloudtrailfeedverdict_feed_complete(this.__wbg_ptr);
+        return ret !== 0;
+    }
+    /**
+     * The kind tag of the outcome: `"Complete"`, `"ChainGap"`, `"Empty"`,
+     * `"Malformed"`, `"NoMatchingKey"`, `"SignatureInvalid"`,
+     * `"PreviousHashMismatch"`, `"PreviousSignatureMismatch"`,
+     * `"PreviousObjectMismatch"`.
+     * @returns {string}
+     */
+    get kind() {
+        let deferred1_0;
+        let deferred1_1;
+        try {
+            const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
+            wasm.__wbg_get_cloudtrailfeedverdict_kind(retptr, this.__wbg_ptr);
+            var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
+            var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
+            deferred1_0 = r0;
+            deferred1_1 = r1;
+            return getStringFromWasm0(r0, r1);
+        } finally {
+            wasm.__wbindgen_add_to_stack_pointer(16);
+            wasm.__wbindgen_export3(deferred1_0, deferred1_1, 1);
+        }
+    }
+    /**
+     * Number of signed log files the verified digests committed to across the
+     * window. For `Complete` this is the SIGNED, COMPLETE inventory the window
+     * provably covers (no log file could have been added, removed, or modified
+     * without breaking the chain). `0` for non-window outcomes.
+     * @returns {number}
+     */
+    get signed_log_files_count() {
+        const ret = wasm.__wbg_get_cloudtrailfeedverdict_signed_log_files_count(this.__wbg_ptr);
+        return ret >>> 0;
+    }
+    /**
+     * The signed log-file inventory as a JSON array of
+     * `{s3_bucket, s3_object, hash_value, …}` — the proof page renders these so a
+     * third party can confirm WHICH files the window covers. `"[]"` for
+     * non-window outcomes.
+     * @returns {string}
+     */
+    get signed_log_files_json() {
+        let deferred1_0;
+        let deferred1_1;
+        try {
+            const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
+            wasm.__wbg_get_cloudtrailfeedverdict_signed_log_files_json(retptr, this.__wbg_ptr);
+            var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
+            var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
+            deferred1_0 = r0;
+            deferred1_1 = r1;
+            return getStringFromWasm0(r0, r1);
+        } finally {
+            wasm.__wbindgen_add_to_stack_pointer(16);
+            wasm.__wbindgen_export3(deferred1_0, deferred1_1, 1);
+        }
+    }
+    /**
+     * `digestEndTime` of the head digest (window upper bound). `None` unless the
+     * outcome carries a window.
+     * @returns {string | undefined}
+     */
+    get window_end() {
+        try {
+            const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
+            wasm.__wbg_get_cloudtrailfeedverdict_window_end(retptr, this.__wbg_ptr);
+            var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
+            var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
+            let v1;
+            if (r0 !== 0) {
+                v1 = getStringFromWasm0(r0, r1).slice();
+                wasm.__wbindgen_export3(r0, r1 * 1, 1);
+            }
+            return v1;
+        } finally {
+            wasm.__wbindgen_add_to_stack_pointer(16);
+        }
+    }
+    /**
+     * `digestEndTime` of the starting digest reached (`Complete`) or the last
+     * verified digest before the gap (`ChainGap`). `None` otherwise.
+     * @returns {string | undefined}
+     */
+    get window_start() {
+        try {
+            const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
+            wasm.__wbg_get_cloudtrailfeedverdict_window_start(retptr, this.__wbg_ptr);
+            var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
+            var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
+            let v1;
+            if (r0 !== 0) {
+                v1 = getStringFromWasm0(r0, r1).slice();
+                wasm.__wbindgen_export3(r0, r1 * 1, 1);
+            }
+            return v1;
+        } finally {
+            wasm.__wbindgen_add_to_stack_pointer(16);
+        }
+    }
+    /**
+     * 0-based head-first index at which the chain broke / a digest was rejected;
+     * `None` for `Complete`.
+     * @param {number | null} [arg0]
+     */
+    set broken_at(arg0) {
+        wasm.__wbg_set_cloudtrailfeedverdict_broken_at(this.__wbg_ptr, isLikeNone(arg0) ? Number.MAX_SAFE_INTEGER : (arg0) >>> 0);
+    }
+    /**
+     * Number of hourly digests whose signature + chain link verified.
+     * @param {number} arg0
+     */
+    set digests_verified(arg0) {
+        wasm.__wbg_set_cloudtrailfeedverdict_digests_verified(this.__wbg_ptr, arg0);
+    }
+    /**
+     * `true` ONLY when an unbroken signed chain proved completeness back to the
+     * starting (genesis) digest — the single state that earns a third-party
+     * `feed_complete` claim. A `ChainGap` (disclosed gap) reports `false`.
+     * @param {boolean} arg0
+     */
+    set feed_complete(arg0) {
+        wasm.__wbg_set_cloudtrailfeedverdict_feed_complete(this.__wbg_ptr, arg0);
+    }
+    /**
+     * The kind tag of the outcome: `"Complete"`, `"ChainGap"`, `"Empty"`,
+     * `"Malformed"`, `"NoMatchingKey"`, `"SignatureInvalid"`,
+     * `"PreviousHashMismatch"`, `"PreviousSignatureMismatch"`,
+     * `"PreviousObjectMismatch"`.
+     * @param {string} arg0
+     */
+    set kind(arg0) {
+        const ptr0 = passStringToWasm0(arg0, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len0 = WASM_VECTOR_LEN;
+        wasm.__wbg_set_cloudtrailfeedverdict_kind(this.__wbg_ptr, ptr0, len0);
+    }
+    /**
+     * Number of signed log files the verified digests committed to across the
+     * window. For `Complete` this is the SIGNED, COMPLETE inventory the window
+     * provably covers (no log file could have been added, removed, or modified
+     * without breaking the chain). `0` for non-window outcomes.
+     * @param {number} arg0
+     */
+    set signed_log_files_count(arg0) {
+        wasm.__wbg_set_cloudtrailfeedverdict_signed_log_files_count(this.__wbg_ptr, arg0);
+    }
+    /**
+     * The signed log-file inventory as a JSON array of
+     * `{s3_bucket, s3_object, hash_value, …}` — the proof page renders these so a
+     * third party can confirm WHICH files the window covers. `"[]"` for
+     * non-window outcomes.
+     * @param {string} arg0
+     */
+    set signed_log_files_json(arg0) {
+        const ptr0 = passStringToWasm0(arg0, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len0 = WASM_VECTOR_LEN;
+        wasm.__wbg_set_cloudtrailfeedverdict_signed_log_files_json(this.__wbg_ptr, ptr0, len0);
+    }
+    /**
+     * `digestEndTime` of the head digest (window upper bound). `None` unless the
+     * outcome carries a window.
+     * @param {string | null} [arg0]
+     */
+    set window_end(arg0) {
+        var ptr0 = isLikeNone(arg0) ? 0 : passStringToWasm0(arg0, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        var len0 = WASM_VECTOR_LEN;
+        wasm.__wbg_set_cloudtrailfeedverdict_window_end(this.__wbg_ptr, ptr0, len0);
+    }
+    /**
+     * `digestEndTime` of the starting digest reached (`Complete`) or the last
+     * verified digest before the gap (`ChainGap`). `None` otherwise.
+     * @param {string | null} [arg0]
+     */
+    set window_start(arg0) {
+        var ptr0 = isLikeNone(arg0) ? 0 : passStringToWasm0(arg0, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        var len0 = WASM_VECTOR_LEN;
+        wasm.__wbg_set_cloudtrailfeedverdict_window_start(this.__wbg_ptr, ptr0, len0);
+    }
+}
+if (Symbol.dispose) CloudTrailFeedVerdict.prototype[Symbol.dispose] = CloudTrailFeedVerdict.prototype.free;
+
 /**
  * The kind-tagged verdict of [`verify_commitment_wasm`]. `verdict` is one of
  * `"Valid"`, `"InvalidSignature"`, `"FingerprintMismatch"`, `"WrongAlgorithm"`,
@@ -1719,6 +1946,46 @@ export function verifyChain(receipts_bytes) {
     }
 }
 
+/**
+ * **REJECT-MORE-ONLY.** Verify an AWS CloudTrail signed digest-file chain
+ * **offline**, proving feed completeness from the frozen bundle bytes + the
+ * PINNED AWS public keys alone — no network, no AWS call, no HESO endpoint.
+ *
+ * `proof_json` is a [`heso_action::cloudtrail::CloudTrailFeedProof`] JSON: the
+ * digest chain (HEAD FIRST), the head's out-of-band `x-amz-meta-signature`, and
+ * the pinned per-Region AWS public keys (PKCS#1 DER, base64 — exactly as
+ * `ListPublicKeys` returns them; this verifier wraps them into SPKI internally,
+ * the #1 implementation trap handled once in the kernel).
+ *
+ * The AWS key is trusted **out of band** (CT pin-the-key model): a digest whose
+ * `digestPublicKeyFingerprint` matches no pinned key FAILS with
+ * `kind = "NoMatchingKey"`. The verdict separates `feed_complete` (window
+ * completeness, claimable to a third party for this STRONG rail) from a
+ * disclosed `ChainGap` — never collapsing a gap into a green badge.
+ *
+ * Throws `[CT_PARSE]` only if `proof_json` is not a valid `CloudTrailFeedProof`;
+ * every cryptographic / chain failure is a non-throwing kind tag instead.
+ * @param {string} proof_json
+ * @returns {CloudTrailFeedVerdict}
+ */
+export function verifyCloudTrailFeed(proof_json) {
+    try {
+        const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
+        const ptr0 = passStringToWasm0(proof_json, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len0 = WASM_VECTOR_LEN;
+        wasm.verifyCloudTrailFeed(retptr, ptr0, len0);
+        var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
+        var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
+        var r2 = getDataViewMemory0().getInt32(retptr + 4 * 2, true);
+        if (r2) {
+            throw takeObject(r1);
+        }
+        return CloudTrailFeedVerdict.__wrap(r0);
+    } finally {
+        wasm.__wbindgen_add_to_stack_pointer(16);
+    }
+}
+
 /**
  * REJECT-MORE-ONLY. Verify a detached commitment-envelope signature in the
  * browser — the recipient independently confirms a commitment the same way the
@@ -2075,6 +2342,9 @@ const ApprovalTokenClaimsFinalization = (typeof FinalizationRegistry === 'undefi
 const ChainResultFinalization = (typeof FinalizationRegistry === 'undefined')
     ? { register: () => {}, unregister: () => {} }
     : new FinalizationRegistry(ptr => wasm.__wbg_chainresult_free(ptr, 1));
+const CloudTrailFeedVerdictFinalization = (typeof FinalizationRegistry === 'undefined')
+    ? { register: () => {}, unregister: () => {} }
+    : new FinalizationRegistry(ptr => wasm.__wbg_cloudtrailfeedverdict_free(ptr, 1));
 const CommitmentVerdictFinalization = (typeof FinalizationRegistry === 'undefined')
     ? { register: () => {}, unregister: () => {} }
     : new FinalizationRegistry(ptr => wasm.__wbg_commitmentverdict_free(ptr, 1));

package/heso_wasm_bg.wasm.d.ts

@@ -97,12 +97,30 @@ export const __wbg_set_metricsverdict_priced: (a: number, b: number) => void;
 export const __wbg_get_metricsverdict_card_id_matches: (a: number) => number;
 export const __wbg_set_metricsverdict_card_id_matches: (a: number, b: number) => void;
 export const verifyActionReceiptWithRates: (a: number, b: number, c: number, d: number) => number;
+export const __wbg_cloudtrailfeedverdict_free: (a: number, b: number) => void;
+export const __wbg_get_cloudtrailfeedverdict_feed_complete: (a: number) => number;
+export const __wbg_set_cloudtrailfeedverdict_feed_complete: (a: number, b: number) => void;
+export const __wbg_get_cloudtrailfeedverdict_kind: (a: number, b: number) => void;
+export const __wbg_set_cloudtrailfeedverdict_kind: (a: number, b: number, c: number) => void;
+export const __wbg_get_cloudtrailfeedverdict_digests_verified: (a: number) => number;
+export const __wbg_set_cloudtrailfeedverdict_digests_verified: (a: number, b: number) => void;
+export const __wbg_get_cloudtrailfeedverdict_window_end: (a: number, b: number) => void;
+export const __wbg_set_cloudtrailfeedverdict_window_end: (a: number, b: number, c: number) => void;
+export const __wbg_get_cloudtrailfeedverdict_window_start: (a: number, b: number) => void;
+export const __wbg_set_cloudtrailfeedverdict_window_start: (a: number, b: number, c: number) => void;
+export const __wbg_get_cloudtrailfeedverdict_signed_log_files_count: (a: number) => number;
+export const __wbg_set_cloudtrailfeedverdict_signed_log_files_count: (a: number, b: number) => void;
+export const __wbg_get_cloudtrailfeedverdict_signed_log_files_json: (a: number, b: number) => void;
+export const __wbg_set_cloudtrailfeedverdict_signed_log_files_json: (a: number, b: number, c: number) => void;
+export const verifyCloudTrailFeed: (a: number, b: number, c: number) => void;
 export const __wbg_set_approvaltokenclaims_decision: (a: number, b: number, c: number) => void;
 export const __wbg_set_approvaltokenclaims_scope: (a: number, b: number, c: number) => void;
 export const __wbg_set_verifieddelegation_sub: (a: number, b: number, c: number) => void;
 export const __wbg_set_verifieddelegation_scope: (a: number, b: number, c: number) => void;
 export const __wbg_set_commitmentverdict_verdict: (a: number, b: number, c: number) => void;
 export const __wbg_set_commitmentverdict_signer_fpr: (a: number, b: number, c: number) => void;
+export const __wbg_set_cloudtrailfeedverdict_broken_at: (a: number, b: number) => void;
+export const __wbg_get_cloudtrailfeedverdict_broken_at: (a: number) => number;
 export const __wbg_commitmentverdict_free: (a: number, b: number) => void;
 export const __wbg_get_approvaltokenclaims_decision: (a: number, b: number) => void;
 export const __wbg_get_approvaltokenclaims_scope: (a: number, b: number) => void;

package/package.json

@@ -1,10 +1,10 @@
 {
   "name": "@hesohq/verify-wasm",
-  "version": "0.5.0-dev.71",
+  "version": "0.5.0-dev.85",
   "description": "HESO Enterprise trust layer — browser WASM verify-only surface (ESM)",
   "type": "module",
   "scripts": {
-    "prepublishOnly": "for sym in l1CosignPayload quorumCosignPayload verifyActionReceipt verifyInclusion verifyConsistency verifyReveal; do for f in heso_wasm.js heso_wasm.d.ts heso_wasm_bg.wasm.d.ts heso_wasm_bg.wasm; do grep -aq \"$sym\" \"$f\" || { echo \"prepublishOnly: $sym missing from $f — stale artifact, run \\`just wasm\\` from heso-enterprise root\" >&2; exit 1; }; done; done; echo \"prepublishOnly: l1CosignPayload + quorumCosignPayload + verifyActionReceipt + verifyInclusion + verifyConsistency + verifyReveal present in all artifacts\"",
+    "prepublishOnly": "for sym in l1CosignPayload quorumCosignPayload verifyActionReceipt verifyInclusion verifyConsistency verifyReveal verifyCloudTrailFeed; do for f in heso_wasm.js heso_wasm.d.ts heso_wasm_bg.wasm.d.ts heso_wasm_bg.wasm; do grep -aq \"$sym\" \"$f\" || { echo \"prepublishOnly: $sym missing from $f — stale artifact, run \\`just wasm\\` from heso-enterprise root\" >&2; exit 1; }; done; done; echo \"prepublishOnly: l1CosignPayload + quorumCosignPayload + verifyActionReceipt + verifyInclusion + verifyConsistency + verifyReveal + verifyCloudTrailFeed present in all artifacts\"",
     "bundle:make": "node scripts/make-bundle.mjs",
     "verify:offline": "node scripts/assert-no-network-runtime.mjs",
     "verify:offline:docker": "bash scripts/verify-offline-docker.sh",