@kehto/runtime 0.1.0

package/dist/index.d.ts

@@ -0,0 +1,1259 @@
+import { NappletMessage, NostrEvent, NostrFilter } from '@napplet/core';
+export { NappletMessage } from '@napplet/core';
+import { Capability } from '@kehto/acl/capabilities';
+export { ALL_CAPABILITIES, Capability } from '@kehto/acl/capabilities';
+import { NubMessage } from '@kehto/acl';
+export { NubMessage, resolveCapabilitiesNub } from '@kehto/acl';
+
+/**
+ * types.ts — Runtime adapter interfaces and supporting types.
+ *
+ * RuntimeAdapter is the abstract contract any environment must implement
+ * to host napplets. No DOM types, no browser APIs.
+ */
+
+/**
+ * Event emitted on every ACL enforcement check.
+ *
+ * @param identity - The napplet identity being checked
+ * @param capability - The capability being checked
+ * @param decision - Whether the check passed or failed
+ *
+ * @example
+ * ```ts
+ * hooks.onAclCheck = (event: AclCheckEvent) => {
+ *   console.log(`${event.decision}: ${event.capability} for ${event.identity.pubkey}`);
+ * };
+ * ```
+ */
+interface AclCheckEvent {
+    /** The identity being checked. */
+    identity: {
+        pubkey: string;
+        dTag: string;
+        hash: string;
+    };
+    /** The capability being checked (e.g., 'relay:write', 'state:read'). */
+    capability: string;
+    /** The enforcement decision. */
+    decision: 'allow' | 'deny';
+    /** The triggering message, if available. Accepts NIP-01 arrays or NIP-5D NappletMessage envelopes. */
+    message?: unknown[] | NappletMessage;
+}
+/**
+ * Abstract message sender — the runtime calls this to send messages
+ * back to a specific napplet. The transport layer (postMessage, WebSocket,
+ * IPC channel, etc.) is the implementor's concern.
+ *
+ * Accepts both NIP-01 array format (legacy) and NIP-5D NappletMessage envelope format.
+ *
+ * @param windowId - Target napplet's identifier
+ * @param msg - NIP-01 message array (e.g., ['EVENT', subId, event]) or NIP-5D envelope
+ */
+type SendToNapplet = (windowId: string, msg: unknown[] | NappletMessage) => void;
+/** Handle returned by relay pool subscriptions. */
+interface RelaySubscriptionHandle {
+    unsubscribe(): void;
+}
+/**
+ * Abstract relay pool — runtime uses this to subscribe to and publish
+ * events on real Nostr relays. Implementor wraps their relay library.
+ */
+interface RelayPoolAdapter {
+    /**
+     * Subscribe to events from relays matching the given filters.
+     * The callback receives either 'EOSE' (end of stored events) or a NostrEvent.
+     * Returns a handle that can cancel the subscription.
+     */
+    subscribe(filters: NostrFilter[], callback: (item: NostrEvent | 'EOSE') => void, relayUrls?: string[]): RelaySubscriptionHandle;
+    /** Publish an event to relays. */
+    publish(event: NostrEvent): void;
+    /** Select relay URLs appropriate for the given filters. */
+    selectRelayTier(filters: NostrFilter[]): string[];
+    /** Track a subscription key for lifecycle management. */
+    trackSubscription(subKey: string, cleanup: () => void): void;
+    /** Untrack and clean up a subscription. */
+    untrackSubscription(subKey: string): void;
+    /** Open a scoped relay connection (NIP-29 groups). */
+    openScopedRelay(windowId: string, relayUrl: string, subId: string, filters: NostrFilter[], sendToNapplet: SendToNapplet): void;
+    /** Close a scoped relay connection. */
+    closeScopedRelay(windowId: string): void;
+    /** Publish to a scoped relay. Returns false if no active scoped relay. */
+    publishToScopedRelay(windowId: string, event: NostrEvent): boolean;
+    /** Whether a relay pool is available. */
+    isAvailable(): boolean;
+}
+/** Abstract local cache — query and store events. */
+interface CacheAdapter {
+    /** Query cached events. Returns matching events. */
+    query(filters: NostrFilter[]): Promise<NostrEvent[]>;
+    /** Store an event in cache. Best-effort, may silently fail. */
+    store(event: NostrEvent): void;
+    /** Whether cache is available. */
+    isAvailable(): boolean;
+}
+/** NIP-07 compatible signer interface — minimal methods the runtime needs. */
+interface Signer {
+    getPublicKey?(): string | Promise<string>;
+    signEvent?(event: NostrEvent): Promise<NostrEvent>;
+    getRelays?(): Record<string, {
+        read: boolean;
+        write: boolean;
+    }> | Promise<Record<string, {
+        read: boolean;
+        write: boolean;
+    }>>;
+    nip04?: {
+        encrypt(pubkey: string, plaintext: string): Promise<string>;
+        decrypt(pubkey: string, ciphertext: string): Promise<string>;
+    };
+    nip44?: {
+        encrypt(pubkey: string, plaintext: string): Promise<string>;
+        decrypt(pubkey: string, ciphertext: string): Promise<string>;
+    };
+}
+/** Auth adapter — user identity and signing. */
+interface AuthAdapter {
+    /** Get the current user's pubkey, or null if not logged in. */
+    getUserPubkey(): string | null;
+    /** Get the signer, or null if unavailable. */
+    getSigner(): Signer | null;
+}
+/** Config adapter — runtime behavior settings. */
+interface ConfigAdapter {
+    /** Get the napp update behavior policy. */
+    getNappUpdateBehavior(): 'auto-grant' | 'banner' | 'silent-reprompt';
+}
+/** Hotkey adapter — keyboard shortcut forwarding. */
+interface HotkeyAdapter {
+    /** Execute a forwarded hotkey from a napp. */
+    executeHotkeyFromForward(event: {
+        key: string;
+        code: string;
+        ctrlKey: boolean;
+        altKey: boolean;
+        shiftKey: boolean;
+        metaKey: boolean;
+    }): void;
+}
+/**
+ * ACL persistence — runtime calls these to save/load ACL state.
+ * Implementor decides storage backend (localStorage, file, DB, etc.).
+ */
+interface AclPersistence {
+    persist(data: string): void;
+    load(): string | null;
+}
+/**
+ * Manifest persistence — runtime calls these to save/load manifest cache.
+ * Implementor decides storage backend.
+ */
+interface ManifestPersistence {
+    persist(data: string): void;
+    load(): string | null;
+}
+/**
+ * Shell secret persistence — runtime calls these to save/load the per-shell secret
+ * used for deterministic keypair derivation. The secret is a 32-byte random value
+ * generated once on first use.
+ */
+interface ShellSecretPersistence {
+    /** Get the stored shell secret, or null if not yet generated. */
+    get(): Uint8Array | null;
+    /** Store the shell secret. */
+    set(secret: Uint8Array): void;
+}
+/**
+ * GUID persistence — runtime calls these to save/load per-iframe instance GUIDs.
+ * GUIDs survive page reloads: same iframe slot gets the same GUID.
+ * Implementor decides storage backend and keying strategy
+ * (e.g., localStorage keyed by iframe src or slot index).
+ */
+interface GuidPersistence {
+    /** Get a stored GUID for a window identifier, or null if none exists. */
+    get(windowId: string): string | null;
+    /** Store a GUID for a window identifier. */
+    set(windowId: string, guid: string): void;
+    /** Remove a stored GUID. */
+    remove(windowId: string): void;
+}
+/**
+ * State storage — runtime calls these for napplet-scoped key-value storage.
+ * All keys are pre-scoped by the runtime (dTag:hash:userKey).
+ */
+interface StatePersistence {
+    get(scopedKey: string): string | null;
+    set(scopedKey: string, value: string): boolean;
+    remove(scopedKey: string): void;
+    clear(prefix: string): void;
+    keys(prefix: string): string[];
+    calculateBytes(prefix: string, excludeKey?: string): number;
+}
+/** Crypto adapter — event verification. */
+interface CryptoAdapter {
+    /** Verify a nostr event's Schnorr signature. */
+    verifyEvent(event: NostrEvent): Promise<boolean>;
+    /** Generate a random UUID string (replaces crypto.randomUUID). */
+    randomUUID(): string;
+    /** Generate cryptographically secure random bytes. */
+    randomBytes(length: number): Uint8Array;
+}
+/**
+ * Hash verification adapter — runtime calls this to verify a napplet's
+ * declared aggregate hash against its actual file contents.
+ * Optional: if not provided, hash verification is skipped (dev mode).
+ */
+interface HashVerifierAdapter {
+    /**
+     * Compute aggregate hash from the napplet's served files.
+     * Returns the computed hash, or null if files cannot be fetched.
+     *
+     * @param nappletUrl - Base URL of the napplet (iframe src)
+     * @param manifestFiles - File paths and hashes from the manifest
+     * @returns Computed aggregate hash, or null on failure
+     */
+    computeHash(nappletUrl: string, manifestFiles: Array<{
+        path: string;
+        hash: string;
+    }>): Promise<string | null>;
+}
+/** Window management — create new napplet windows. */
+interface WindowManagerAdapter {
+    createWindow(options: {
+        title: string;
+        class: string;
+        iframeSrc?: string;
+    }): string | null;
+}
+/** Relay configuration — manage relay tiers. */
+interface RelayConfigAdapter {
+    addRelay(tier: string, url: string): void;
+    removeRelay(tier: string, url: string): void;
+    getRelayConfig(): {
+        discovery: string[];
+        super: string[];
+        outbox: string[];
+    };
+    getNip66Suggestions(): unknown;
+}
+/** DM adapter — send direct messages (NIP-17 gift-wrap). */
+interface DmAdapter {
+    sendDm(recipientPubkey: string, message: string): Promise<{
+        success: boolean;
+        eventId?: string;
+        error?: string;
+    }>;
+}
+/**
+ * A pending consent request — either for a destructive signing kind
+ * or for undeclared service usage.
+ *
+ * When type is 'destructive-signing' (or omitted for backwards compat):
+ *   Raised when a signer request arrives for kinds 0, 3, 5, 10002.
+ *
+ * When type is 'undeclared-service':
+ *   Raised when a napplet uses a service it did not declare in its manifest.
+ *   The serviceName field identifies which service was used without declaration.
+ *
+ * @example
+ * ```ts
+ * // Destructive signing consent (existing behavior)
+ * const signingConsent: ConsentRequest = {
+ *   type: 'destructive-signing',
+ *   windowId: 'win-1', pubkey: 'abc...', event: signingEvent,
+ *   resolve: (allowed) => { ... },
+ * };
+ *
+ * // Undeclared service consent (new)
+ * const serviceConsent: ConsentRequest = {
+ *   type: 'undeclared-service',
+ *   windowId: 'win-1', pubkey: 'abc...', event: serviceEvent,
+ *   serviceName: 'audio',
+ *   resolve: (allowed) => { ... },
+ * };
+ * ```
+ */
+interface ConsentRequest {
+    /** Consent type discriminator. Defaults to 'destructive-signing' if omitted. */
+    type?: 'destructive-signing' | 'undeclared-service';
+    windowId: string;
+    pubkey: string;
+    event: NostrEvent;
+    resolve: (allowed: boolean) => void;
+    /** Service name for undeclared-service consent. Only present when type is 'undeclared-service'. */
+    serviceName?: string;
+}
+/** Consent handler callback type. */
+type ConsentHandler = (request: ConsentRequest) => void;
+/**
+ * Metadata describing a service handler. Referenced by ServiceHandler.descriptor
+ * and the runtime's internal service registry.
+ *
+ * Relocated from the former @napplet/core compatibility shim (DRIFT-CORE-06
+ * deleted in Phase 24). Content unchanged from the v1.1-era definition; this
+ * is the canonical location going forward.
+ *
+ * @example
+ * ```ts
+ * const descriptor: ServiceDescriptor = {
+ *   name: 'audio',
+ *   version: '1.0.0',
+ *   description: 'Audio playback and mute control',
+ * };
+ * ```
+ */
+interface ServiceDescriptor {
+    /** Service identifier (e.g., 'audio', 'notifications'). */
+    name: string;
+    /** Semver version of the service. */
+    version: string;
+    /** Optional human-readable description. */
+    description?: string;
+}
+/**
+ * Information about an available service, as reported in discovery responses.
+ * Mirrors the ServiceDescriptor shape from @napplet/core.
+ *
+ * @example
+ * ```ts
+ * const info: ServiceInfo = {
+ *   name: 'audio',
+ *   version: '1.0.0',
+ *   description: 'Audio playback and mute control',
+ * };
+ * ```
+ */
+interface ServiceInfo {
+    /** Service identifier (e.g., 'audio', 'notifications'). */
+    name: string;
+    /** Semver version of the service. */
+    version: string;
+    /** Optional human-readable description. */
+    description?: string;
+}
+/**
+ * Result of checking a napplet's declared service requirements against
+ * the runtime's registered services.
+ *
+ * Surfaced via RuntimeAdapter.onCompatibilityIssue when compatible is false.
+ * In strict mode, the runtime blocks loading. In permissive mode (default),
+ * the runtime loads the napplet and the shell host decides UX.
+ *
+ * @example
+ * ```ts
+ * const report: CompatibilityReport = {
+ *   available: [{ name: 'audio', version: '1.0.0' }],
+ *   missing: ['notifications'],
+ *   compatible: false,
+ * };
+ * ```
+ */
+interface CompatibilityReport {
+    /** Services that the shell provides (full list from service registry). */
+    available: ServiceInfo[];
+    /** Service names declared in manifest requires but not registered in the runtime. */
+    missing: string[];
+    /** True if all required services are available (missing.length === 0). */
+    compatible: boolean;
+}
+/**
+ * Registry entry mapping a napplet's windowId to its runtime metadata.
+ * Created after a successful identity establishment (AUTH handshake or NIP-5D origin registration).
+ */
+interface SessionEntry {
+    /**
+     * @deprecated NIP-5D: AUTH keypair no longer exists. Empty string for NIP-5D sessions.
+     * Kept for backward compatibility during legacy support period.
+     */
+    pubkey: string;
+    windowId: string;
+    origin: string;
+    type: string;
+    dTag: string;
+    aggregateHash: string;
+    registeredAt: number;
+    /** Persistent GUID for this iframe instance, assigned by the runtime. Survives page reloads. */
+    instanceId: string;
+    /**
+     * How session identity was established.
+     * 'source' = NIP-5D (identity registered at iframe creation via originRegistry).
+     * 'auth' = legacy AUTH handshake (pubkey is the derived keypair pubkey).
+     */
+    identitySource: 'auth' | 'source';
+}
+/** @deprecated Use SessionEntry. Will be removed in v0.9.0. */
+type NappKeyEntry = SessionEntry;
+/**
+ * A pending napplet update — raised when a napplet reconnects with a different aggregateHash.
+ */
+interface PendingUpdate {
+    windowId: string;
+    pubkey: string;
+    dTag: string;
+    oldHash: string;
+    newHash: string;
+    resolve: (action: 'accept' | 'block') => void;
+}
+/** Callback invoked when a pending update is set or cleared. */
+type PendingUpdateNotifier = (windowId: string) => void;
+/**
+ * A cached manifest entry for a verified napplet build.
+ * Optionally stores the napplet's declared service requirements from its manifest.
+ */
+interface ManifestCacheEntry {
+    pubkey: string;
+    dTag: string;
+    aggregateHash: string;
+    verifiedAt: number;
+    /** Service names declared in the napplet's manifest requires tags. */
+    requires?: string[];
+}
+/**
+ * Cached verification result for an aggregate hash.
+ * Keyed by manifest event ID — immutable Nostr events mean same ID = same content.
+ */
+interface VerificationCacheEntry {
+    /** The computed aggregate hash. */
+    aggregateHash: string;
+    /** Whether the computed hash matched the declared hash. */
+    valid: boolean;
+    /** Timestamp when verification was performed. */
+    verifiedAt: number;
+}
+/** External ACL entry — used in shell commands (shell:acl-get etc.). */
+interface AclEntryExternal {
+    pubkey: string;
+    capabilities: Capability[];
+    blocked: boolean;
+    stateQuota?: number;
+}
+/**
+ * Handler for service-specific messages from napplets.
+ * Services receive NIP-5D NappletMessage envelopes and respond via the `send` callback.
+ * The same interface is used for all services regardless of what NUB domain they handle.
+ *
+ * @example
+ * ```ts
+ * const audioHandler: ServiceHandler = {
+ *   descriptor: { name: 'audio', version: '1.0.0' },
+ *   handleMessage(windowId, message, send) {
+ *     if (message.type === 'ifc.emit') {
+ *       // process audio ifc event...
+ *       send({ type: 'ifc.emit.result', id: (message as any).id });
+ *     }
+ *   },
+ * };
+ * ```
+ */
+interface ServiceHandler {
+    /** Metadata describing this service. */
+    descriptor: ServiceDescriptor;
+    /**
+     * Handle a NIP-5D envelope from a napplet.
+     *
+     * @param windowId - The requesting napplet's window identifier
+     * @param message - NappletMessage JSON envelope (e.g., { type: 'signer.signEvent', id, event })
+     * @param send - Callback to send NappletMessage responses back to the napplet
+     */
+    handleMessage(windowId: string, message: NappletMessage, send: (msg: NappletMessage) => void): void;
+    /**
+     * Called when a napplet window is destroyed. Services should clean up
+     * any state associated with the window.
+     *
+     * @param windowId - The destroyed napplet's window identifier
+     */
+    onWindowDestroyed?(windowId: string): void;
+}
+/**
+ * Registry of services available to napplets.
+ * Each key is a service name (e.g., 'audio', 'notifications').
+ * Napplets discover available services via kind 29010 service discovery events.
+ *
+ * @example
+ * ```ts
+ * const services: ServiceRegistry = {
+ *   audio: audioHandler,
+ *   notifications: notificationHandler,
+ * };
+ * ```
+ */
+type ServiceRegistry = Record<string, ServiceHandler>;
+/**
+ * Optional runtime configuration overrides. When provided via
+ * RuntimeAdapter.getConfigOverrides(), the runtime reads these
+ * instead of the module-level defaults. All fields are optional —
+ * unset fields use the built-in defaults.
+ *
+ * Intended for demo/debug use only.
+ *
+ * @example
+ * ```ts
+ * const overrides: RuntimeConfigOverrides = {
+ *   replayWindowSeconds: 60,
+ *   ringBufferSize: 500,
+ * };
+ * ```
+ */
+interface RuntimeConfigOverrides {
+    /** Override REPLAY_WINDOW_SECONDS (default: 30). */
+    replayWindowSeconds?: number;
+    /** Override RING_BUFFER_SIZE (default: 100). */
+    ringBufferSize?: number;
+}
+/**
+ * All adapters that the runtime requires from the host environment.
+ *
+ * This is the primary integration point. A browser shell implements these
+ * by wrapping postMessage, localStorage, and relay pool libraries.
+ * A CLI or server shell could implement them with IPC channels, file
+ * storage, and direct WebSocket connections.
+ *
+ * @example
+ * ```ts
+ * import { createRuntime, type RuntimeAdapter } from '@kehto/runtime';
+ *
+ * const hooks: RuntimeAdapter = {
+ *   sendToNapplet: (wid, msg) => iframeWindows.get(wid)?.postMessage(msg, '*'),
+ *   relayPool: myRelayPoolAdapter,
+ *   cache: myCacheAdapter,
+ *   auth: myAuthAdapter,
+ *   config: myConfigAdapter,
+ *   hotkeys: myHotkeyAdapter,
+ *   crypto: myCryptoAdapter,
+ *   aclPersistence: myAclPersistenceAdapter,
+ *   manifestPersistence: myManifestPersistenceAdapter,
+ *   statePersistence: myStatePersistenceAdapter,
+ *   windowManager: myWindowManagerAdapter,
+ *   relayConfig: myRelayConfigAdapter,
+ * };
+ *
+ * const runtime = createRuntime(hooks);
+ * ```
+ */
+interface RuntimeAdapter {
+    /** Send a NIP-01 message to a napplet by windowId. */
+    sendToNapplet: SendToNapplet;
+    /**
+     * Relay pool operations.
+     * Optional when a 'relay' or 'relay-pool' service is registered via
+     * RuntimeAdapter.services or runtime.registerService(). If neither adapter
+     * nor service are provided, relay functionality is unavailable.
+     */
+    relayPool?: RelayPoolAdapter;
+    /**
+     * Local event cache (worker relay).
+     * Optional when a 'cache' or 'relay' (coordinated) service is registered.
+     * If neither adapter nor service are provided, cache functionality is unavailable.
+     */
+    cache?: CacheAdapter;
+    /**
+     * Auth state and signing.
+     *
+     * NIP-5D path: getUserPubkey() provides the shell user's identity (not napplet's).
+     * getSigner() is the primary concern — used for proxied signing operations from napplets.
+     */
+    auth: AuthAdapter;
+    /** Runtime configuration. */
+    config: ConfigAdapter;
+    /** Hotkey dispatch. */
+    hotkeys: HotkeyAdapter;
+    /** Crypto operations (signature verification, random UUID). */
+    crypto: CryptoAdapter;
+    /** ACL persistence (save/load ACL state). */
+    aclPersistence: AclPersistence;
+    /** Manifest cache persistence. */
+    manifestPersistence: ManifestPersistence;
+    /** Napplet state storage. */
+    statePersistence: StatePersistence;
+    /** Window management. */
+    windowManager: WindowManagerAdapter;
+    /** Relay configuration. */
+    relayConfig: RelayConfigAdapter;
+    /** DM sending (optional). */
+    dm?: DmAdapter;
+    /**
+     * Shell secret persistence (for deterministic keypair derivation).
+     * @deprecated NIP-5D: Shell secrets are no longer needed when using the NIP-5D origin-based
+     * identity path. Kept for backward compatibility with legacy AUTH sessions.
+     */
+    shellSecretPersistence?: ShellSecretPersistence;
+    /** Hash verification (optional — if absent, hash verification is skipped). */
+    hashVerifier?: HashVerifierAdapter;
+    /** GUID persistence for iframe instance tracking (optional — if absent, GUIDs are in-memory only). */
+    guidPersistence?: GuidPersistence;
+    /**
+     * Called when aggregate hash verification fails (computed != declared).
+     * Host app should display a user-visible warning.
+     */
+    onHashMismatch?: (dTag: string, claimed: string, computed: string) => void;
+    /** Called on every ACL enforcement check (audit). */
+    onAclCheck?: (event: AclCheckEvent) => void;
+    /** Called when a pending napp update is set or cleared. */
+    onPendingUpdate?: PendingUpdateNotifier;
+    /**
+     * Called when a napplet's required services are not fully available.
+     * Receives a CompatibilityReport with available/missing services.
+     * In strict mode, the runtime blocks the napplet from loading.
+     * In permissive mode (default), the napplet loads and the host decides UX.
+     */
+    onCompatibilityIssue?: (report: CompatibilityReport) => void;
+    /**
+     * When true, missing required services block napplet loading.
+     * When false or omitted (default), napplets load with a warning.
+     */
+    strictMode?: boolean;
+    /**
+     * Optional service extensions. Shell/host registers service handlers here
+     * for static initialization. Services can also be added dynamically via
+     * runtime.registerService(). Each key is a service name (e.g., 'audio').
+     *
+     * @example
+     * ```ts
+     * const hooks: RuntimeAdapter = {
+     *   // ... required adapters ...
+     *   services: {
+     *     audio: myAudioServiceHandler,
+     *   },
+     * };
+     * ```
+     */
+    services?: ServiceRegistry;
+    /**
+     * Optional runtime behavior overrides — demo/debug use only.
+     * Called lazily on each relevant operation (replay check, buffer push),
+     * so changes take effect immediately without runtime recreation.
+     */
+    getConfigOverrides?(): RuntimeConfigOverrides;
+}
+
+/**
+ * enforce.ts — Single ACL enforcement gate for the NIP-5D runtime.
+ *
+ * All NIP-5D NappletMessage envelopes pass through createNubEnforceGate()
+ * before any handler acts. resolveCapabilitiesNub() (re-exported from
+ * @kehto/acl) maps NUB message types to required capabilities. No NIP-01
+ * dispatch path remains — v1.4 Phase 24 DRIFT-02 deleted the legacy
+ * capability-resolution function along with its dead kind + topic
+ * dispatch table.
+ */
+
+/**
+ * Result of an enforcement check.
+ *
+ * @param allowed - Whether the capability check passed
+ * @param capability - The capability that was checked (human-readable string)
+ */
+interface EnforceResult {
+    allowed: boolean;
+    capability: Capability;
+}
+/**
+ * Identity lookup function type — resolves a pubkey to its full identity.
+ * Provided by sessionRegistry at runtime.
+ */
+type IdentityResolver = (pubkey: string) => {
+    dTag: string;
+    aggregateHash: string;
+} | undefined;
+/**
+ * ACL check function type — performs the actual capability check.
+ * Provided by @kehto/acl's check() at runtime, or by the legacy aclStore.check().
+ */
+type AclChecker = (pubkey: string, dTag: string, aggregateHash: string, capability: Capability) => boolean;
+/**
+ * Enforcement gate configuration.
+ *
+ * @param checkAcl - The ACL check function (wraps @kehto/acl or legacy aclStore)
+ * @param resolveIdentity - Maps pubkey to full identity (dTag, aggregateHash)
+ * @param onAclCheck - Optional audit callback. Called on every enforce() check
+ *   with the identity, capability, and decision.
+ */
+interface EnforceConfig {
+    checkAcl: AclChecker;
+    resolveIdentity: IdentityResolver;
+    onAclCheck?: (event: AclCheckEvent) => void;
+}
+/**
+ * Create an enforcement gate with the given configuration.
+ *
+ * Returns a function that checks a single capability for a given pubkey.
+ * Every call is logged to the audit callback.
+ *
+ * @param config - Enforcement configuration with ACL checker, identity resolver, and audit hooks
+ * @returns An enforce function that checks capabilities and logs decisions
+ *
+ * @example
+ * ```ts
+ * const gate = createEnforceGate({
+ *   checkAcl: aclStore.check,
+ *   resolveIdentity: (pk) => nappKeyRegistry.getEntry(pk),
+ *   onAclCheck: hooks.onAclCheck,
+ * });
+ * const result = gate('abc123...', 'relay:write');
+ * // result.allowed === true | false
+ * ```
+ */
+declare function createEnforceGate(config: EnforceConfig): (pubkey: string, capability: Capability, message?: unknown[]) => EnforceResult;
+/**
+ * Enforcement gate configuration for NIP-5D NUB handlers.
+ * Uses windowId for identity resolution instead of pubkey (which is '' in NIP-5D sessions).
+ *
+ * @param checkAcl - The ACL check function
+ * @param resolveIdentityByWindowId - Maps windowId to identity (dTag, aggregateHash)
+ * @param onAclCheck - Optional audit callback, called on every enforceNub() check
+ */
+interface NubEnforceConfig {
+    checkAcl: AclChecker;
+    resolveIdentityByWindowId: (windowId: string) => {
+        dTag: string;
+        aggregateHash: string;
+    } | undefined;
+    onAclCheck?: (event: AclCheckEvent) => void;
+}
+/**
+ * Create an enforcement gate for NIP-5D NUB message handlers.
+ *
+ * Unlike createEnforceGate (which resolves identity by pubkey), this factory
+ * resolves identity by windowId — necessary for NIP-5D sessions where pubkey is ''.
+ *
+ * @param config - NUB enforcement configuration
+ * @returns An enforceNub function that resolves identity by windowId
+ *
+ * @example
+ * ```ts
+ * const gate = createNubEnforceGate({
+ *   checkAcl: aclStore.check,
+ *   resolveIdentityByWindowId: (wid) => sessionRegistry.getEntryByWindowId(wid),
+ *   onAclCheck: hooks.onAclCheck,
+ * });
+ * const result = gate('win-1', 'relay:write', { type: 'relay.publish' });
+ * // result.allowed === true | false
+ * ```
+ */
+declare function createNubEnforceGate(config: NubEnforceConfig): (windowId: string, capability: Capability, message?: NubMessage) => EnforceResult;
+/**
+ * Format a denial reason string with the standard 'denied:' prefix.
+ *
+ * @param capability - The denied capability name
+ * @returns Formatted denial string, e.g., 'denied: relay:write'
+ *
+ * @example
+ * ```ts
+ * formatDenialReason('relay:write')
+ * // => 'denied: relay:write'
+ * ```
+ */
+declare function formatDenialReason(capability: Capability): string;
+
+/**
+ * SessionRegistry — windowId to verified napplet pubkey bidirectional mapping.
+ *
+ * After a successful AUTH handshake, the runtime registers the napplet's
+ * verified pubkey here. Both mappings are kept in sync.
+ *
+ * Unlike the shell singleton version, this is a factory that accepts
+ * an optional notifier callback instead of using window.dispatchEvent.
+ */
+
+/**
+ * Bidirectional registry mapping windowIds to verified napplet pubkeys.
+ * Maintained by the runtime after successful AUTH handshakes.
+ *
+ * @example
+ * ```ts
+ * const registry = createSessionRegistry();
+ * registry.register('win-1', entry);
+ * const pubkey = registry.getPubkey('win-1');
+ * ```
+ */
+interface SessionRegistry {
+    /** Register a napplet entry, mapping windowId to pubkey and vice versa. */
+    register(windowId: string, entry: SessionEntry): void;
+    /** Unregister a napplet by windowId, removing both mappings. */
+    unregister(windowId: string): void;
+    /** Get the pubkey associated with a windowId. */
+    getPubkey(windowId: string): string | undefined;
+    /** Get the full entry for a napplet pubkey. */
+    getEntry(pubkey: string): SessionEntry | undefined;
+    /** Get the windowId for a napplet pubkey. */
+    getWindowId(pubkey: string): string | undefined;
+    /** Check if a windowId has a registered napplet. */
+    isRegistered(windowId: string): boolean;
+    /** Get all registered napplet entries. */
+    getAllEntries(): SessionEntry[];
+    /** Get the instance GUID for a window. */
+    getInstanceId(windowId: string): string | undefined;
+    /** Set a pending update for a window (napplet reconnected with different hash). */
+    setPendingUpdate(windowId: string, update: PendingUpdate): void;
+    /** Get a pending update for a window. */
+    getPendingUpdate(windowId: string): PendingUpdate | undefined;
+    /** Clear a pending update for a window. */
+    clearPendingUpdate(windowId: string): void;
+    /**
+     * Get the full entry for a napplet by windowId directly.
+     * NIP-5D: Required for sessions where pubkey is '' (identity established via originRegistry).
+     * Unlike getEntry(pubkey), this works when pubkey is empty.
+     */
+    getEntryByWindowId(windowId: string): SessionEntry | undefined;
+    /** Clear all registrations and pending updates. */
+    clear(): void;
+}
+/** @deprecated Use SessionRegistry. Will be removed in v0.9.0. */
+type NappKeyRegistry = SessionRegistry;
+/**
+ * Create a new SessionRegistry instance.
+ *
+ * @param notifier - Optional callback invoked when pending updates change
+ * @returns A SessionRegistry instance
+ *
+ * @example
+ * ```ts
+ * const registry = createSessionRegistry((windowId) => {
+ *   console.log('Pending update changed for', windowId);
+ * });
+ * ```
+ */
+declare function createSessionRegistry(notifier?: PendingUpdateNotifier): SessionRegistry;
+/** @deprecated Use createSessionRegistry. Will be removed in v0.9.0. */
+declare const createNappKeyRegistry: typeof createSessionRegistry;
+
+/**
+ * acl-state.ts — ACL state container with persistence hooks.
+ *
+ * Wraps @kehto/acl's pure functions with persistence via
+ * AclPersistence. No localStorage or DOM references.
+ */
+
+/**
+ * ACL state container — wraps @kehto/acl's pure functions with
+ * persistence and a convenient imperative API.
+ *
+ * @example
+ * ```ts
+ * const aclState = createAclState(persistence);
+ * aclState.load();
+ * const allowed = aclState.check(pubkey, dTag, hash, 'relay:read');
+ * ```
+ */
+interface AclStateContainer {
+    check(pubkey: string, dTag: string, aggregateHash: string, capability: Capability): boolean;
+    grant(pubkey: string, dTag: string, aggregateHash: string, capability: Capability): void;
+    revoke(pubkey: string, dTag: string, aggregateHash: string, capability: Capability): void;
+    block(pubkey: string, dTag: string, aggregateHash: string): void;
+    unblock(pubkey: string, dTag: string, aggregateHash: string): void;
+    isBlocked(pubkey: string, dTag: string, aggregateHash: string): boolean;
+    getEntry(pubkey: string, dTag: string, aggregateHash: string): AclEntryExternal | undefined;
+    getAllEntries(): AclEntryExternal[];
+    getStateQuota(pubkey: string, dTag: string, aggregateHash: string): number;
+    persist(): void;
+    load(): void;
+    clear(): void;
+}
+/**
+ * Create an ACL state container backed by @kehto/acl and persisted
+ * via the given persistence hooks.
+ *
+ * @param persistence - Storage backend for ACL state
+ * @param defaultPolicy - Default ACL policy for unknown identities
+ * @returns An AclStateContainer instance
+ *
+ * @example
+ * ```ts
+ * const aclState = createAclState(persistence, 'permissive');
+ * aclState.load();
+ * ```
+ */
+declare function createAclState(persistence: AclPersistence, defaultPolicy?: 'permissive' | 'restrictive'): AclStateContainer;
+
+/**
+ * manifest-cache.ts — Manifest cache with persistence hooks.
+ *
+ * Caches NIP-5A manifest data (aggregate hashes) per napplet identity.
+ * Delegates storage to ManifestPersistence — no localStorage.
+ */
+
+/**
+ * Cache for verified napplet manifest entries.
+ * Used to detect napplet updates (aggregateHash changes) across sessions.
+ *
+ * @example
+ * ```ts
+ * const cache = createManifestCache(persistence);
+ * cache.load();
+ * cache.set({ pubkey: 'abc...', dTag: 'chat', aggregateHash: 'dead', verifiedAt: Date.now() });
+ * ```
+ */
+interface ManifestCache {
+    /** Get a cached manifest entry by pubkey and dTag. */
+    get(pubkey: string, dTag: string): ManifestCacheEntry | undefined;
+    /** Set (upsert) a manifest cache entry and persist. */
+    set(entry: ManifestCacheEntry): void;
+    /** Check if a specific hash is cached for a pubkey/dTag combination. */
+    has(pubkey: string, dTag: string, hash: string): boolean;
+    /** Get the requires list for a cached manifest, or empty array if not found. */
+    getRequires(pubkey: string, dTag: string): string[];
+    /** Remove a cached entry for a pubkey/dTag and persist. */
+    remove(pubkey: string, dTag: string): void;
+    /** Load the cache from persistence. */
+    load(): void;
+    /** Persist the cache to storage. */
+    persist(): void;
+    /** Clear all cached entries. */
+    clear(): void;
+    /** Get a cached verification result by manifest event ID. */
+    getVerification(eventId: string): VerificationCacheEntry | undefined;
+    /** Cache a verification result keyed by manifest event ID. */
+    setVerification(eventId: string, result: VerificationCacheEntry): void;
+    /** Check if a manifest event ID has been verified. */
+    hasVerification(eventId: string): boolean;
+    /** Clear all verification cache entries. */
+    clearVerifications(): void;
+}
+/**
+ * Create a manifest cache backed by the given persistence hooks.
+ *
+ * @param persistence - Storage backend for manifest data
+ * @returns A ManifestCache instance
+ *
+ * @example
+ * ```ts
+ * import { createManifestCache } from '@kehto/runtime';
+ *
+ * const cache = createManifestCache(manifestPersistence);
+ * cache.load();
+ * cache.set({ pubkey: 'abc...', dTag: 'chat', aggregateHash: 'dead', verifiedAt: Date.now() });
+ * cache.has('abc...', 'chat', 'dead'); // true
+ * ```
+ */
+declare function createManifestCache(persistence: ManifestPersistence): ManifestCache;
+
+/**
+ * replay.ts — Replay detection module.
+ *
+ * Tracks seen event IDs and validates timestamps to prevent
+ * duplicate event processing and replay attacks.
+ */
+
+/**
+ * Replay detection engine. Tracks seen event IDs and validates timestamps.
+ *
+ * @example
+ * ```ts
+ * const detector = createReplayDetector();
+ * const reason = detector.check(event);
+ * if (reason !== null) { // reject event }
+ * ```
+ */
+interface ReplayDetector {
+    /**
+     * Check if an event should be rejected as a replay.
+     * Returns null if event is valid, or a string reason if it should be rejected.
+     */
+    check(event: NostrEvent): string | null;
+    /** Clear all tracked event IDs. */
+    clear(): void;
+}
+/**
+ * Create a replay detector that rejects duplicate events and events
+ * with timestamps outside the replay window.
+ *
+ * @param getReplayWindow - Optional getter for a dynamic replay window override.
+ *   When provided, its return value is used instead of the module-level constant.
+ *   Called on every check, so changes take effect immediately.
+ * @returns A ReplayDetector instance
+ *
+ * @example
+ * ```ts
+ * import { createReplayDetector } from '@kehto/runtime';
+ *
+ * const detector = createReplayDetector();
+ * const reason = detector.check(event);
+ * if (reason !== null) {
+ *   // Reject — duplicate, stale, or future-dated
+ * }
+ * ```
+ */
+declare function createReplayDetector(getReplayWindow?: () => number | undefined): ReplayDetector;
+
+/**
+ * event-buffer.ts — Ring buffer and subscription delivery engine.
+ *
+ * Buffers events in a fixed-size ring buffer and delivers matching
+ * events to subscribed napplets via the abstract sendToNapplet transport.
+ */
+
+/** Default ring buffer size. */
+declare const RING_BUFFER_SIZE = 100;
+/** Subscription entry — tracks a subscription for a specific napplet window. */
+interface SubscriptionEntry {
+    windowId: string;
+    filters: NostrFilter[];
+}
+/**
+ * Check if an event matches a single NIP-01 filter.
+ * Pure function — no side effects.
+ *
+ * @param event - The event to check
+ * @param filter - The filter to match against
+ * @returns True if the event matches the filter
+ *
+ * @example
+ * ```ts
+ * import { matchesFilter } from '@kehto/runtime';
+ *
+ * matchesFilter(event, { kinds: [1], authors: ['abc'] });
+ * // true if event.kind === 1 and event.pubkey starts with 'abc'
+ * ```
+ */
+declare function matchesFilter(event: NostrEvent, filter: NostrFilter): boolean;
+/**
+ * Check if an event matches any filter in a list.
+ * Returns true for empty filter lists.
+ *
+ * @param event - The event to check
+ * @param filters - The filters to match against
+ * @returns True if the event matches any filter (or if filters is empty)
+ *
+ * @example
+ * ```ts
+ * import { matchesAnyFilter } from '@kehto/runtime';
+ *
+ * matchesAnyFilter(event, [{ kinds: [1] }, { kinds: [7] }]);
+ * // true if event is kind 1 or kind 7
+ * ```
+ */
+declare function matchesAnyFilter(event: NostrEvent, filters: NostrFilter[]): boolean;
+/** Event buffer and subscription delivery engine. */
+interface EventBuffer {
+    /** Add an event to the ring buffer and deliver to matching subscriptions. */
+    bufferAndDeliver(event: NostrEvent, senderId: string | null): void;
+    /** Deliver an event to matching subscriptions without buffering. */
+    deliverToSubscriptions(event: NostrEvent, senderId: string | null): void;
+    /** Get the current subscription map (for REQ handler to register subs). */
+    getSubscriptions(): Map<string, SubscriptionEntry>;
+    /** Get buffered events (for REQ replay). */
+    getBufferedEvents(): readonly NostrEvent[];
+    /** Clear the buffer. */
+    clear(): void;
+}
+/**
+ * Create an event buffer with subscription delivery.
+ *
+ * @param sendToNapplet - Transport function to send messages to napplets
+ * @param sessionRegistry - Identity registry for looking up napplet pubkeys
+ * @param enforce - Enforcement function for checking relay:read on recipients
+ * @param subscriptions - Shared subscription map (owned by the runtime)
+ * @param getBufferSize - Optional getter for a dynamic buffer size override.
+ *   When provided, its return value is used instead of RING_BUFFER_SIZE.
+ *   Called on every bufferAndDeliver, so changes take effect immediately.
+ * @returns An EventBuffer instance
+ *
+ * @example
+ * ```ts
+ * import { createEventBuffer } from '@kehto/runtime';
+ *
+ * const buffer = createEventBuffer(sendToNapplet, sessionRegistry, enforce, subscriptions);
+ * buffer.bufferAndDeliver(event, senderWindowId);
+ * ```
+ */
+declare function createEventBuffer(sendToNapplet: SendToNapplet, sessionRegistry: SessionRegistry, enforce: (pubkey: string, capability: Capability, message?: unknown[]) => EnforceResult, subscriptions: Map<string, SubscriptionEntry>, getBufferSize?: () => number): EventBuffer;
+
+/**
+ * runtime.ts — The napplet protocol engine factory.
+ *
+ * createRuntime(hooks) creates the complete protocol engine that handles
+ * NIP-5D NUB domain dispatch, ACL enforcement, subscription lifecycle,
+ * signer proxying, and shell command routing.
+ *
+ * No browser APIs. No DOM. No localStorage. No postMessage.
+ * All I/O is delegated to RuntimeAdapter.
+ */
+
+/**
+ * The napplet protocol engine — handles NIP-5D NUB domain dispatch,
+ * ACL enforcement, subscription lifecycle.
+ *
+ * @example
+ * ```ts
+ * import { createRuntime } from '@kehto/runtime';
+ *
+ * const runtime = createRuntime(hooks);
+ * runtime.handleMessage('window-1', { type: 'relay.req', id: 'sub1', filters: [{ kinds: [1] }] });
+ * ```
+ */
+interface Runtime {
+    /**
+     * Handle an incoming NIP-5D NappletMessage envelope from a napplet.
+     * The caller is responsible for identifying the source (windowId).
+     * Legacy NIP-01 arrays are silently dropped (clean break — no dual-mode).
+     *
+     * @param windowId - The identifier of the napplet that sent the message
+     * @param msg - The raw message (NappletMessage envelopes are processed; other types dropped)
+     */
+    handleMessage(windowId: string, msg: unknown): void;
+    /**
+     * Inject a shell-originated event into subscription delivery.
+     *
+     * @param topic - The event topic tag value
+     * @param payload - The event content
+     */
+    injectEvent(topic: string, payload: unknown): void;
+    /** Destroy the runtime, persisting state and clearing all internal state. */
+    destroy(): void;
+    /** Register a handler for consent requests on destructive signing kinds. */
+    registerConsentHandler(handler: ConsentHandler): void;
+    /**
+     * Register a service handler dynamically after runtime creation.
+     * If a handler is already registered for this name, it is replaced.
+     *
+     * @param name - Service name (e.g., 'audio', 'notifications')
+     * @param handler - The service handler implementation
+     */
+    registerService(name: string, handler: ServiceHandler): void;
+    /**
+     * Unregister a service handler by name. No-op if the name is not registered.
+     *
+     * @param name - Service name to remove
+     */
+    unregisterService(name: string): void;
+    /**
+     * Clean up all state associated with a napplet window.
+     * Removes subscriptions, pending state, and notifies service handlers.
+     *
+     * @param windowId - The window to clean up
+     */
+    destroyWindow(windowId: string): void;
+    /** Access the identity registry (for shell adapter to read napplet session state). */
+    readonly sessionRegistry: SessionRegistry;
+    /** Access the ACL state container. */
+    readonly aclState: AclStateContainer;
+    /** Access the manifest cache. */
+    readonly manifestCache: ManifestCache;
+}
+/**
+ * Create a runtime instance with dependency injection via hooks.
+ *
+ * @param hooks - Host application provides relay pool, auth, config, etc.
+ * @returns A Runtime instance ready to handle napplet messages
+ *
+ * @example
+ * ```ts
+ * const runtime = createRuntime(hooks);
+ * // On incoming message from napplet:
+ * runtime.handleMessage(windowId, { type: 'relay.req', id: 'sub1', filters: [] });
+ * ```
+ */
+declare function createRuntime(hooks: RuntimeAdapter): Runtime;
+
+/**
+ * state-handler.ts — Storage NUB request handler using persistence hooks.
+ *
+ * Handles napplet storage operations (get, set, remove, keys) via the
+ * canonical `@napplet/nub-storage` NIP-5D envelope surface. Delegates
+ * storage to StatePersistence. No localStorage, no legacy NIP-01 dispatch.
+ */
+
+/**
+ * Handle a NIP-5D NUB storage message from a napplet.
+ * Routes to the canonical four `@napplet/nub-storage` actions:
+ *   - `storage.get`    → `storage.get.result`    `{ value: string | null }`
+ *   - `storage.set`    → `storage.set.result`    `{ ok: boolean }` (canonical only checks `error`)
+ *   - `storage.remove` → `storage.remove.result` `{ ok: boolean }`
+ *   - `storage.keys`   → `storage.keys.result`   `{ keys: string[] }`
+ *
+ * `storage.clear` is NOT in the canonical `@napplet/nub-storage` union (it was a
+ * kehto unilateral extension); it now produces a `storage.clear.error` envelope.
+ * Internal lifecycle cleanup still uses the `cleanupNappState()` helper below —
+ * it is not napplet-reachable.
+ *
+ * **Deviation note (Phase 15 to decide):** Set/remove results emit both `ok`
+ * (legacy compat) and an `error` field on failure. Canonical `@napplet/nub-storage`
+ * only specifies the optional `error`; napplets check `!result.error` for success.
+ * Emitting `ok` preserves backward compatibility with existing in-tree callers.
+ * Phase 15 (v1.2 release prep) decides whether to drop `ok` pre-release.
+ *
+ * @param windowId - The window identifier of the requesting napplet
+ * @param msg - The NappletMessage containing the storage request
+ * @param sendToNapplet - Transport function to send responses
+ * @param sessionRegistry - Identity registry for looking up napplet session identity
+ * @param aclState - ACL state for quota checks
+ * @param statePersistence - State storage backend
+ *
+ * @example
+ * ```ts
+ * import { handleStorageNub } from '@kehto/runtime';
+ *
+ * handleStorageNub(windowId, { type: 'storage.get', id: 'q1', key: 'draft' },
+ *   sendToNapplet, sessionRegistry, aclState, statePersistence);
+ * ```
+ */
+declare function handleStorageNub(windowId: string, msg: NappletMessage, sendToNapplet: SendToNapplet, sessionRegistry: SessionRegistry, aclState: AclStateContainer, statePersistence: StatePersistence): void;
+/**
+ * Remove all state entries for a napplet identity.
+ * Clears both new-format and legacy-format keys for completeness.
+ * Used during napplet cleanup when a window is closed.
+ *
+ * @param pubkey - The napplet's pubkey (needed for legacy key cleanup)
+ * @param dTag - The napplet's dTag
+ * @param aggregateHash - The napplet's build hash
+ * @param statePersistence - State storage backend
+ *
+ * @example
+ * ```ts
+ * import { cleanupNappState } from '@kehto/runtime';
+ *
+ * cleanupNappState(pubkey, dTag, aggregateHash, statePersistence);
+ * ```
+ */
+declare function cleanupNappState(pubkey: string, dTag: string, aggregateHash: string, statePersistence: StatePersistence): void;
+
+/**
+ * service-dispatch.ts — NIP-5D envelope routing for registered services.
+ *
+ * Routes NappletMessage envelopes to the correct ServiceHandler based on the
+ * message type domain prefix. NUB-domain services (signer.*, relay.*, storage.*)
+ * are routed by the domain part of message.type. IFC-routed services (audio,
+ * notifications) receive ifc.emit messages and are routed by topic prefix.
+ */
+
+/**
+ * Route a NappletMessage envelope to the matching service handler.
+ *
+ * NUB-domain services are routed by the domain prefix of message.type
+ * (e.g., 'signer.signEvent' -> 'signer' service).
+ *
+ * IFC-routed services receive ifc.emit messages and are routed by the
+ * topic prefix before ':' (e.g., topic 'audio:play' -> 'audio' service).
+ *
+ * Returns true if a service handled the message, false otherwise.
+ *
+ * @param windowId - The napplet window that sent the message
+ * @param message - The NappletMessage envelope to route
+ * @param services - The service registry to look up handlers
+ * @param sendToNapplet - Callback to send messages back to the napplet
+ * @returns true if a service handled the message, false if no matching service
+ *
+ * @example
+ * ```ts
+ * const handled = routeServiceMessage(windowId, msg, services, sendToNapplet);
+ * if (!handled) { // fallback handling }
+ * ```
+ */
+declare function routeServiceMessage(windowId: string, message: NappletMessage, services: ServiceRegistry, sendToNapplet: SendToNapplet): boolean;
+/**
+ * Notify all registered service handlers that a napplet window was destroyed.
+ * Calls onWindowDestroyed() on every handler that implements it.
+ * Errors in individual handlers are caught and silently ignored to prevent
+ * one service's cleanup failure from blocking others.
+ *
+ * @param windowId - The destroyed napplet's window identifier
+ * @param services - The service registry containing all handlers
+ *
+ * @example
+ * ```ts
+ * notifyServiceWindowDestroyed('window-1', services);
+ * ```
+ */
+declare function notifyServiceWindowDestroyed(windowId: string, services: ServiceRegistry): void;
+
+export { type AclCheckEvent, type AclChecker, type AclEntryExternal, type AclPersistence, type AclStateContainer, type AuthAdapter, type CacheAdapter, type CompatibilityReport, type ConfigAdapter, type ConsentHandler, type ConsentRequest, type CryptoAdapter, type DmAdapter, type EnforceConfig, type EnforceResult, type EventBuffer, type GuidPersistence, type HashVerifierAdapter, type HotkeyAdapter, type IdentityResolver, type ManifestCache, type ManifestCacheEntry, type ManifestPersistence, type NappKeyEntry, type NappKeyRegistry, type NubEnforceConfig, type PendingUpdate, type PendingUpdateNotifier, RING_BUFFER_SIZE, type RelayConfigAdapter, type RelayPoolAdapter, type RelaySubscriptionHandle, type ReplayDetector, type Runtime, type RuntimeAdapter, type RuntimeConfigOverrides, type SendToNapplet, type ServiceDescriptor, type ServiceHandler, type ServiceInfo, type ServiceRegistry, type SessionEntry, type SessionRegistry, type ShellSecretPersistence, type Signer, type StatePersistence, type SubscriptionEntry, type VerificationCacheEntry, type WindowManagerAdapter, cleanupNappState, createAclState, createEnforceGate, createEventBuffer, createManifestCache, createNappKeyRegistry, createNubEnforceGate, createReplayDetector, createRuntime, createSessionRegistry, formatDenialReason, handleStorageNub, matchesAnyFilter, matchesFilter, notifyServiceWindowDestroyed, routeServiceMessage };