@intentproof/sdk 0.1.0

package/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2026 The IntentProof Authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -0,0 +1,443 @@
+# @intentproof/sdk
+
+**IntentProof** turns function calls into **verifiable records** of what your system **meant** to do and what **actually happened**—**intent**, **action**, and **outcome** on the same wire. That is not another log stream: logs narrate; **IntentProof** gives you **proof** you can reconcile, attest to, or feed a verifier, because every record is tied to a real invocation with structured inputs, a stable label pair, and a completed result or error snapshot.
+
+This package is the Node.js / TypeScript SDK: **`IntentProofClient.wrap`** is the bridge from your code to those records. You keep your functions; each call through the wrapper emits one canonical **`ExecutionEvent`** for export.
+
+## What this SDK does
+
+Each such invocation produces one **`ExecutionEvent`**: **`intent`** / **`action`** (what you declared this call represents), JSON-safe **`inputs`** and **`output`** (or an **`error`** snapshot for what occurred), **`startedAt`** / **`completedAt`**, **`durationMs`**, a unique **`id`**, optional **`correlationId`** (async context or wrap options), and merged **`attributes`**. Serialization is configurable (`snapshot`, redaction, custom capture hooks) so the proof stays bounded and policy-aware.
+
+Events are delivered to every configured **`Exporter`** (`export(event)`). Built-ins cover an in-memory ring buffer, HTTP ingest, and a bounded async queue. If an exporter throws or rejects, **`onExporterError`** is notified; the wrapped function’s return value or thrown error is unchanged—your runtime behavior stays authoritative; the record is best-effort delivery.
+
+The wire shape stays small and canonical so verifiers and ingest paths reason about **intent / action / outcome**, not ad hoc log lines or internal object graphs.
+
+## Requirements
+
+- **Node.js** 22 or newer
+
+## Install
+
+```bash
+npm install @intentproof/sdk
+```
+
+## Quick start
+
+Below, the object printed from **`getEvents()`** is the **proof artifact** for a single call: intent and action you chose at wrap time, inputs and output the runtime saw, plus timing and id.
+
+Use a **`MemoryExporter`** so you can inspect that record immediately (the default singleton client also uses memory, but you need your own instance to call **`getEvents()`**).
+
+```ts
+import { createIntentProofClient, MemoryExporter } from "@intentproof/sdk";
+
+const memory = new MemoryExporter({ maxEvents: 50 });
+const client = createIntentProofClient({ exporters: [memory] });
+
+const add = client.wrap(
+  { intent: "demo", action: "math.add" },
+  (a: number, b: number) => a + b,
+);
+
+const sum = add(2, 3);
+console.assert(sum === 5);
+
+const [event] = memory.getEvents();
+console.log(event);
+```
+
+Calling **`add(2, 3)`** runs your original function and, after it returns, emits one event per exporter. A typical emitted object looks like this (values vary at runtime):
+
+```json
+{
+  "id": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
+  "intent": "demo",
+  "action": "math.add",
+  "inputs": [2, 3],
+  "status": "ok",
+  "output": 5,
+  "startedAt": "2026-05-02T12:00:00.000Z",
+  "completedAt": "2026-05-02T12:00:00.003Z",
+  "durationMs": 3
+}
+```
+
+- **`id`** — Random UUID for this invocation.
+- **`inputs` / `output`** — Produced via **`snapshot()`** (see `SerializeOptions` / `WrapOptions`) unless you override with **`captureInput`** / **`captureOutput`**.
+- **`correlationId`** — Omitted here; present when async context or wrap options supply one (see examples below).
+- **`attributes`** — Omitted when empty; otherwise merged from client **`defaultAttributes`** and per-wrap **`attributes`**.
+
+## `IntentProofClient` API
+
+| Member                        | Description                                                                                                                                                                               |
+| ----------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **`constructor(config?)`**    | Creates a client. Default exporters: a single **`MemoryExporter`** if you omit **`config.exporters`**.                                                                                    |
+| **`configure(config)`**       | Re-applies **`IntentProofConfig`** fields (exporters, error hook, defaults, stack policy).                                                                                                |
+| **`wrap(options, fn)`**       | Returns a function that records one **`ExecutionEvent`** per call (sync or async). **`options`** must satisfy **`assertWrapOptionsShape`** (`intent` / `action` non-empty strings, etc.). |
+| **`flush()`**                 | Awaits optional **`Exporter.flush`** on all exporters in parallel.                                                                                                                        |
+| **`shutdown()`**              | Awaits **`Exporter.shutdown`** when defined, otherwise **`flush`**.                                                                                                                       |
+| **`getCorrelationId()`**      | Returns the correlation id from **`AsyncLocalStorage`**, if any.                                                                                                                          |
+| **`withCorrelation(fn)`**     | Runs **`fn`** with a **fresh UUID** as correlation id for nested wraps.                                                                                                                   |
+| **`withCorrelation(id, fn)`** | Runs **`fn`** with **`id`** trimmed; blank / whitespace-only **`id`** falls back to a UUID.                                                                                               |
+
+### Module-level helpers (same module as the client)
+
+These use the same async correlation store as **`IntentProofClient`** instances:
+
+| Export                                 | Description                                                            |
+| -------------------------------------- | ---------------------------------------------------------------------- |
+| **`createIntentProofClient(config?)`** | New isolated client (tests, workers, multi-tenant).                    |
+| **`getIntentProofClient()`**           | Lazy singleton used by **`client`**.                                   |
+| **`client`**                           | Default singleton instance.                                            |
+| **`getCorrelationId()`**               | Same behavior as the instance method.                                  |
+| **`runWithCorrelationId(id, fn)`**     | Requires a **non-empty** correlation id after trim; throws if invalid. |
+| **`assertCorrelationId(id)`**          | Runtime assertion for correlation id shape.                            |
+| **`assertWrapOptionsShape(options)`**  | Runtime validation for **`WrapOptions`**.                              |
+
+## `ExecutionEvent` fields
+
+| Field               | Type                     | When present | Meaning                                                                                                                          |
+| ------------------- | ------------------------ | ------------ | -------------------------------------------------------------------------------------------------------------------------------- |
+| **`id`**            | `string`                 | always       | Unique event id (UUID).                                                                                                          |
+| **`correlationId`** | `string`                 | optional     | Request / trace id from context or wrap options.                                                                                 |
+| **`intent`**        | `string`                 | always       | Human-readable label for what this invocation is meant to prove (outcome, policy goal, or domain).                               |
+| **`action`**        | `string`                 | always       | Stable operation id for this step (often dotted or namespaced).                                                                  |
+| **`inputs`**        | `unknown`                | always       | JSON-safe snapshot of call arguments (default) or **`captureInput`** result.                                                     |
+| **`output`**        | `unknown`                | success      | JSON-safe return value or **`captureOutput`** result. On **`status: "error"`**, set only if **`captureError`** returned a value. |
+| **`error`**         | `ExecutionErrorSnapshot` | failure      | **`name`**, **`message`**, optional **`stack`** (see **`includeErrorStack`**).                                                   |
+| **`status`**        | `"ok" \| "error"`        | always       | Outcome of the wrapped invocation.                                                                                               |
+| **`startedAt`**     | ISO string               | always       | Start timestamp.                                                                                                                 |
+| **`completedAt`**   | ISO string               | always       | Completion timestamp.                                                                                                            |
+| **`durationMs`**    | `number`                 | always       | Wall time between start and completion.                                                                                          |
+| **`attributes`**    | plain record             | optional     | String / number / boolean values only; merged from client defaults and wrap options.                                             |
+
+## `WrapOptions` and `IntentProofConfig`
+
+### `WrapOptions` (passed to **`wrap`**)
+
+| Field                                                                  | Description                                                                                                             |
+| ---------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
+| **`intent`**, **`action`**                                             | Required, non-empty after trim.                                                                                         |
+| **`correlationId`**                                                    | Optional; when set, non-empty after trim. Otherwise the active context id is used if any.                               |
+| **`attributes`**                                                       | Per-invocation dimensions merged over **`defaultAttributes`**.                                                          |
+| **`captureInput`**, **`captureOutput`**, **`captureError`**            | Optional hooks to replace default **`snapshot`** behavior for inputs, success output, or error-side extra **`output`**. |
+| **`includeErrorStack`**                                                | When `false`, omit **`error.stack`** for this wrap (overrides client default).                                          |
+| **`maxDepth`**, **`maxKeys`**, **`redactKeys`**, **`maxStringLength`** | Forwarded to **`snapshot`** for inputs and outputs (see **`SerializeOptions`** in types).                               |
+
+### `IntentProofConfig` (constructor / **`configure`**)
+
+| Field                   | Description                                                                                     |
+| ----------------------- | ----------------------------------------------------------------------------------------------- |
+| **`exporters`**         | Ordered list of **`Exporter`** instances; each receives every event.                            |
+| **`onExporterError`**   | Called when **`export`** throws or returns a rejected promise. Defaults to **`console.error`**. |
+| **`defaultAttributes`** | Merged into every event’s **`attributes`** (wrap-specific attributes win on key collision).     |
+| **`includeErrorStack`** | Default `true`; set `false` in production if stacks must not leave the trust zone.              |
+
+---
+
+## Examples
+
+### 1 — Refund saga: money back, customer notified, ops alerted (one correlation id)
+
+Support approves **order `ORD-1042`**. Your service runs one cohesive workflow: create the **Stripe refund**, email the customer a receipt, post to **Slack** so billing ops see it. **`runWithCorrelationId`** ties all three calls to **`req_refund_ord_1042`**. Each wrap has its own **`intent`** (the outcome you are proving for that step) and **`action`** (how it is done); **`correlationId`** is what stitches the saga together.
+
+**`captureInput` / `captureOutput`** trim each record to the fields you want in proof (refund id, amounts, message id, Slack metadata)—not full vendor payloads.
+
+```ts
+const createRefund = client.wrap(
+  {
+    intent: "Return captured funds to the customer's original card network",
+    action: "stripe.refund.create",
+    attributes: { vendor: "stripe", step: "refund_money" },
+    captureInput: (args) => {
+      const [input] = args as [
+        {
+          paymentIntentId: string;
+          amountCents: number;
+          reason?: "requested_by_customer" | "duplicate";
+        },
+      ];
+      return {
+        paymentIntentId: input.paymentIntentId,
+        amountCents: input.amountCents,
+        reason: input.reason,
+      };
+    },
+    captureOutput: (result) => {
+      const r = result as {
+        id: string;
+        status: "succeeded";
+        amountCents: number;
+      };
+      return {
+        refundId: r.id,
+        status: r.status,
+        amountCents: r.amountCents,
+      };
+    },
+  },
+  (input: {
+    paymentIntentId: string;
+    amountCents: number;
+    reason?: "requested_by_customer" | "duplicate";
+  }) => ({
+    id: "re_3SAMPLEabcdefghijklmnop",
+    status: "succeeded" as const,
+    amountCents: input.amountCents,
+  }),
+);
+
+const sendRefundReceipt = client.wrap(
+  {
+    intent: "Deliver a customer-visible refund confirmation for the ledger entry",
+    action: "email.customer.refund_receipt",
+    attributes: { channel: "email", step: "notify_customer" },
+    captureInput: (args) => {
+      const [p] = args as [
+        {
+          customerId: string;
+          orderId: string;
+          refundId: string;
+          amountCents: number;
+        },
+      ];
+      return {
+        customerId: p.customerId,
+        orderId: p.orderId,
+        refundId: p.refundId,
+        amountCents: p.amountCents,
+      };
+    },
+    captureOutput: (result) => {
+      const r = result as { messageId: string; status: "queued" };
+      return { messageId: r.messageId, status: r.status };
+    },
+  },
+  (p: {
+    customerId: string;
+    orderId: string;
+    refundId: string;
+    amountCents: number;
+  }) => ({ messageId: "msg_49401_sample", status: "queued" as const }),
+);
+
+const notifyOpsRefund = client.wrap(
+  {
+    intent: "Surface the completed refund to billing operations for review",
+    action: "slack.operations.refund_posted",
+    attributes: { channel: "slack", step: "notify_ops" },
+    captureInput: (args) => {
+      const [p] = args as [{ refundId: string; orderId: string; amountCents: number }];
+      return {
+        refundId: p.refundId,
+        orderId: p.orderId,
+        amountCents: p.amountCents,
+      };
+    },
+    captureOutput: (result) => {
+      const r = result as {
+        ok: boolean;
+        channel: string;
+        ts: string;
+      };
+      return { ok: r.ok, channel: r.channel, ts: r.ts };
+    },
+  },
+  (p: { refundId: string; orderId: string; amountCents: number }) => ({
+    ok: true,
+    channel: "#billing-alerts",
+    ts: "1714648800.000100",
+  }),
+);
+
+await runWithCorrelationId("req_refund_ord_1042", async () => {
+  const refund = createRefund({
+    paymentIntentId: "pi_3SAMPLEabcdefghijklmnop",
+    amountCents: 4999,
+    reason: "requested_by_customer",
+  });
+  await Promise.resolve(
+    sendRefundReceipt({
+      customerId: "cus_SAMPLEabcdefghijkl",
+      orderId: "ORD-1042",
+      refundId: refund.id,
+      amountCents: refund.amountCents,
+    }),
+  );
+  await Promise.resolve(
+    notifyOpsRefund({
+      refundId: refund.id,
+      orderId: "ORD-1042",
+      amountCents: refund.amountCents,
+    }),
+  );
+});
+```
+
+Emitted events (same **`correlationId`** on each; distinct **`intent`** per step; **`id`** / timestamps omitted):
+
+```json
+[
+  {
+    "correlationId": "req_refund_ord_1042",
+    "intent": "Return captured funds to the customer's original card network",
+    "action": "stripe.refund.create",
+    "inputs": {
+      "paymentIntentId": "pi_3SAMPLEabcdefghijklmnop",
+      "amountCents": 4999,
+      "reason": "requested_by_customer"
+    },
+    "status": "ok",
+    "output": {
+      "refundId": "re_3SAMPLEabcdefghijklmnop",
+      "status": "succeeded",
+      "amountCents": 4999
+    },
+    "attributes": {
+      "service": "billing-api",
+      "env": "test",
+      "vendor": "stripe",
+      "step": "refund_money"
+    }
+  },
+  {
+    "correlationId": "req_refund_ord_1042",
+    "intent": "Deliver a customer-visible refund confirmation for the ledger entry",
+    "action": "email.customer.refund_receipt",
+    "inputs": {
+      "customerId": "cus_SAMPLEabcdefghijkl",
+      "orderId": "ORD-1042",
+      "refundId": "re_3SAMPLEabcdefghijklmnop",
+      "amountCents": 4999
+    },
+    "status": "ok",
+    "output": { "messageId": "msg_49401_sample", "status": "queued" },
+    "attributes": {
+      "service": "billing-api",
+      "env": "test",
+      "channel": "email",
+      "step": "notify_customer"
+    }
+  },
+  {
+    "correlationId": "req_refund_ord_1042",
+    "intent": "Surface the completed refund to billing operations for review",
+    "action": "slack.operations.refund_posted",
+    "inputs": {
+      "refundId": "re_3SAMPLEabcdefghijklmnop",
+      "orderId": "ORD-1042",
+      "amountCents": 4999
+    },
+    "status": "ok",
+    "output": {
+      "ok": true,
+      "channel": "#billing-alerts",
+      "ts": "1714648800.000100"
+    },
+    "attributes": {
+      "service": "billing-api",
+      "env": "test",
+      "channel": "slack",
+      "step": "notify_ops"
+    }
+  }
+]
+```
+
+### 2 — Payment failure with operator metadata (`captureError`)
+
+When a capture **throws**, the record still carries **`status: "error"`** and **`error.message`** for proof of failure. **`captureError`** adds a small, JSON-safe **`output`** for dashboards (e.g. decline code) without pretending the business call succeeded.
+
+```ts
+const capturePayment = client.wrap(
+  {
+    intent: "Capture authorized funds",
+    action: "stripe.payment_intent.capture",
+    captureInput: (args) => {
+      const [{ paymentIntentId }] = args as [{ paymentIntentId: string }];
+      return { paymentIntentId };
+    },
+    captureError: () => ({ code: "card_declined", retryable: false }),
+  },
+  async (_input: { paymentIntentId: string }) => {
+    throw new Error("Your card was declined.");
+  },
+);
+
+try {
+  await capturePayment({ paymentIntentId: "pi_3SAMPLEabcdefghijklmnop" });
+} catch {
+  /* card declined — expected */
+}
+```
+
+```json
+{
+  "intent": "Capture authorized funds",
+  "action": "stripe.payment_intent.capture",
+  "inputs": { "paymentIntentId": "pi_3SAMPLEabcdefghijklmnop" },
+  "status": "error",
+  "error": {
+    "name": "Error",
+    "message": "Your card was declined."
+  },
+  "output": { "code": "card_declined", "retryable": false }
+}
+```
+
+### 3 — Proof delivery over HTTP (same event shape)
+
+**`HttpExporter`** POSTs the same **`ExecutionEvent`** your verifiers see in memory—here alongside **`MemoryExporter`** so tests can assert the wire without a real collector. The request uses **`credentials: "omit"`**; the body is **`{ intentproof: "1", event: … }`** (see exporter implementation). For authenticated collectors, pass **`headers`** (e.g. **`Authorization`**, API keys) — see [Security](#security).
+
+```ts
+const runProbe = client.wrap({ intent: "HTTP test", action: "test.http" }, () => 42);
+runProbe();
+```
+
+```json
+{
+  "intent": "HTTP test",
+  "action": "test.http",
+  "inputs": [],
+  "status": "ok",
+  "output": 42
+}
+```
+
+---
+
+## Security
+
+**IntentProof events are data you ship off-process.** Treat **`ExecutionEvent`** like structured logs or audit payloads: they can include PII, secrets, stack traces, and business identifiers depending on your **`snapshot`** / **`capture*`** hooks.
+
+- **Minimize payload:** Use **`redactKeys`**, **`maxDepth` / `maxKeys` / `maxStringLength`**, and narrow **`captureInput` / `captureOutput` / `captureError`** so proof records contain only what verifiers need.
+- **Stacks:** Set **`includeErrorStack: false`** on the client (or per wrap) when traces must not leave your trust zone.
+- **HTTP ingest:** Keep collector **`url`** and any redirect behavior under **trusted configuration** (avoid SSRF if URLs were ever influenced by untrusted input). Prefer **HTTPS** and **short-lived credentials** end-to-end.
+- **`HttpExporter` auth:** Pass credentials in **`headers`** (for example **`Authorization: Bearer …`**, **`x-api-key`**, or whatever your collector expects). The SDK does **not** log header values; use short-lived tokens and scope them to ingest only.
+- **Browser vs server:** This package targets **Node**; if you wrap code in a browser, treat the ingest endpoint and headers as you would any cross-origin credential (CORS, CSP, token storage policies are your app’s responsibility).
+- **Delivery semantics:** Exporter failures invoke **`onExporterError`** and do **not** roll back the wrapped function’s side effects—design compensating controls if you need strict “delivered exactly once” guarantees.
+
+Custom **`body`** serializers: if **`body(event)`** throws, **`HttpExporter`** notifies **`onError`** and falls back to the same **JSON envelope** path as the default serializer (full event, then a partial envelope, then a minimal `eventSerializeFailed` payload) so **`export()`** still completes and **`fetch`** runs when possible.
+
+---
+
+## Related exports
+
+- **`MemoryExporter`**, **`HttpExporter`**, **`BoundedQueueExporter`** — Delivery implementations; each implements **`Exporter`**.
+- **`snapshot`** — Same JSON-safe serializer the client uses internally, if you build custom tooling.
+- **`VERSION`** — Package version string injected at build time.
+
+## Monorepo development
+
+This repository is an npm workspace; the publishable package is [`packages/sdk`](packages/sdk).
+
+Requires **Node.js 22+** (see `.nvmrc` and workspace `engines`).
+
+```bash
+npm ci
+npm run ci
+```
+
+## License
+
+Apache-2.0 (see `LICENSE` at the repository root and in the published npm package).