@kya-os/checkpoint-wasm-runtime 1.0.0 → 1.1.0

package/CHANGELOG.md

@@ -1,5 +1,75 @@
 # @kya-os/checkpoint-wasm-runtime
 
+## 1.1.0 — 2026-05-17
+
+**SDK-WASM-Bundler-Loader-1 fix.** Surfaced during Bench-Before-After-1
+sub-phase 3 follow-up: the `./orchestrator` barrel bundled both the
+Node-target and Web-target wasm-bindgen outputs, and the Web-target's
+`new URL("kya_os_engine_bg.wasm", import.meta.url)` browser-style
+fallback failed static analysis in Next.js 16's Turbopack (and
+webpack ≥5) even when the runtime branch was unreachable. Net result:
+`@kya-os/checkpoint-nextjs`'s `withCheckpoint` couldn't be deployed
+under Next.js's Node runtime at all — middleware imports died at
+build time.
+
+### New (additive, zero customer-visible change)
+
+- **`./orchestrator/node` subpath export** — Node-only orchestrator
+  entry that omits the Edge-variant import chain. Re-exports the same
+  `verifyRequest`, `buildAgentRequest`, `renderDecisionAsResponse`,
+  and types as the main barrel. No URL trick in the bundle.
+- **`"node"` export condition** on the `./orchestrator` entry — routes
+  Node-runtime bundlers (Next.js Node runtime, Express, AWS Lambda,
+  long-lived Node servers) to `orchestrator-node.mjs` automatically.
+  Edge consumers continue routing to `orchestrator-edge.mjs` via
+  the pre-existing `"edge-runtime"` and `"browser"` conditions.
+
+### What this means for consumers
+
+**Zero migration required.** Existing imports of
+`@kya-os/checkpoint-wasm-runtime/orchestrator` route to the correct
+per-runtime variant via the package's `exports` map. The runtime
+selection is invisible at the call site:
+
+```typescript
+// Unchanged — runtime-conditional resolution happens at bundle time
+import { verifyRequest } from '@kya-os/checkpoint-wasm-runtime/orchestrator';
+```
+
+Power users who want to lock to a specific variant can import
+explicitly:
+
+```typescript
+import { verifyRequest } from '@kya-os/checkpoint-wasm-runtime/orchestrator/node';
+// or
+import { verifyRequestEdge } from '@kya-os/checkpoint-wasm-runtime/orchestrator/edge';
+```
+
+### Bundle verification
+
+```
+$ grep -c 'kya_os_engine_bg.wasm' dist/orchestrator-node.mjs   # 0
+$ grep -c 'kya_os_engine_bg.wasm' dist/orchestrator.mjs        # 1 (barrel — unchanged for back-compat)
+$ grep -c 'kya_os_engine_bg.wasm' dist/orchestrator-edge.mjs   # 1 (Edge — expected, runtime handles URL)
+```
+
+### Coordinated release
+
+Shipped alongside `@kya-os/checkpoint-{nextjs,express}@1.1.x` to
+unblock the `withCheckpoint` factory's Next.js Node-runtime deploy
+path. See `docs/benchmarks/bench-before-after-1.md` §3.7 + the
+SDK-Envelope-Plumbing-1 ticket (#2594) for the surfacing context.
+
+### Why this wasn't caught earlier
+
+No Next.js end-to-end CI for `withCheckpoint` — the package's unit
+tests mock `verifyRequest`, so the wasm-runtime import chain never
+actually loads in the test harness. The factory contract is tested;
+the bundled artifact's bundler behavior isn't. Adding a sites-driven
+build-CI gate is filed as a follow-up.
+
+---
+
 ## 1.0.0 — 2026-05-15
 
 E-tracks Phase D — package rename + orchestrator edge variant. **BREAKING.**

package/dist/adapters.js

@@ -599,5 +599,3 @@ exports.makePolicyEvaluator = makePolicyEvaluator;
 exports.makeReputationOracle = makeReputationOracle;
 exports.makeStatusListCache = makeStatusListCache;
 exports.makeSystemClock = makeSystemClock;
-//# sourceMappingURL=adapters.js.map
-//# sourceMappingURL=adapters.js.map

package/dist/adapters.mjs

@@ -582,5 +582,3 @@ function makeFixedClock(unixSeconds) {
 }
 
 export { DidNotFound, DidResolverError, DidResolverTimeout, MalformedDid, MalformedStatusList, StatusListTimeout, StatusListUnavailable, UnsupportedDidMethod, UnsupportedKeyType, decodeDidKey, makeDidResolver, makeFixedClock, makePolicyEvaluator, makeReputationOracle, makeStatusListCache, makeSystemClock };
-//# sourceMappingURL=adapters.mjs.map
-//# sourceMappingURL=adapters.mjs.map

package/dist/edge.js

@@ -1399,5 +1399,3 @@ exports.createPolicyLoader = createPolicyLoader;
 exports.createRulesDetector = createRulesDetector;
 exports.createStaticLoader = createStaticLoader;
 exports.extractInputFromRequest = extractInputFromRequest;
-//# sourceMappingURL=edge.js.map
-//# sourceMappingURL=edge.js.map

package/dist/edge.mjs

@@ -1387,5 +1387,3 @@ function extractInputFromRequest(request) {
 }
 
 export { CONFIDENCE, PolicyLoader, RulesDetector, StaticWasmLoader, WasmDetector, createEdgeDetector, createFallbackDetector, createPolicyLoader, createRulesDetector, createStaticLoader, extractInputFromRequest };
-//# sourceMappingURL=edge.mjs.map
-//# sourceMappingURL=edge.mjs.map

package/dist/engine-edge.js

@@ -533,5 +533,3 @@ async function engineVerifyEdge(input, ctx) {
 
 exports.engineVerifyEdge = engineVerifyEdge;
 exports.initEngineEdge = initEngineEdge;
-//# sourceMappingURL=engine-edge.js.map
-//# sourceMappingURL=engine-edge.js.map

package/dist/engine-edge.mjs

@@ -529,5 +529,3 @@ async function engineVerifyEdge(input, ctx) {
 }
 
 export { engineVerifyEdge, initEngineEdge };
-//# sourceMappingURL=engine-edge.mjs.map
-//# sourceMappingURL=engine-edge.mjs.map

package/dist/engine.js

@@ -7,5 +7,3 @@ function engineVerify(input, ctx) {
 }
 
 exports.engineVerify = engineVerify;
-//# sourceMappingURL=engine.js.map
-//# sourceMappingURL=engine.js.map

package/dist/engine.mjs

@@ -5,5 +5,3 @@ function engineVerify(input, ctx) {
 }
 
 export { engineVerify };
-//# sourceMappingURL=engine.mjs.map
-//# sourceMappingURL=engine.mjs.map

package/dist/index.js

@@ -1648,5 +1648,3 @@ exports.createFallbackDetector = createFallbackDetector;
 exports.createPolicyLoader = createPolicyLoader;
 exports.createRulesDetector = createRulesDetector;
 exports.createStaticLoader = createStaticLoader;
-//# sourceMappingURL=index.js.map
-//# sourceMappingURL=index.js.map

package/dist/index.mjs

@@ -1633,5 +1633,3 @@ function createFallbackDetector() {
 }
 
 export { CONFIDENCE, DynamicWasmLoader, PolicyLoadError, PolicyLoader, RulesDetector, StaticWasmLoader, WasmDetector, createDetector, createDynamicLoader, createEdgeDetector, createFallbackDetector, createPolicyLoader, createRulesDetector, createStaticLoader };
-//# sourceMappingURL=index.mjs.map
-//# sourceMappingURL=index.mjs.map

package/dist/node.js

@@ -968,5 +968,3 @@ exports.createNodeDetector = createNodeDetector;
 exports.createPolicyLoader = createPolicyLoader;
 exports.createRulesDetector = createRulesDetector;
 exports.extractInputFromExpressRequest = extractInputFromExpressRequest;
-//# sourceMappingURL=node.js.map
-//# sourceMappingURL=node.js.map

package/dist/node.mjs

@@ -956,5 +956,3 @@ function extractInputFromExpressRequest(req) {
 }
 
 export { CONFIDENCE, DynamicWasmLoader, PolicyLoader, RulesDetector, WasmDetector, createDynamicLoader, createFallbackDetector, createNodeDetector, createPolicyLoader, createRulesDetector, extractInputFromExpressRequest };
-//# sourceMappingURL=node.mjs.map
-//# sourceMappingURL=node.mjs.map

package/dist/orchestrator-edge.d.mts

@@ -1,203 +1,9 @@
 export { initEngineEdge } from './engine-edge.mjs';
-import { E as EnforcementMode, A as AgentRequest, V as VerifyResult } from './types-D0j85fF0.mjs';
-import { DidResolverAdapter, StatusListCacheAdapter, ReputationOracleAdapter, PolicyEvaluatorAdapter, ClockAdapter } from './adapters.mjs';
+import { V as VerifyResult } from './types-D0j85fF0.mjs';
+import { V as VerifyRequestOpts, I as IncomingHttpLike } from './render-decision-C1a-iuiW.mjs';
+export { B as BuildAgentRequestOpts, R as RenderedResponse, b as buildAgentRequest, e as extractAgentDid, a as extractCredentialStatusUrl, c as extractIssuer, h as hasMalformedJwsBody, r as renderDecisionAsResponse } from './render-decision-C1a-iuiW.mjs';
 import '@kya-os/checkpoint-shared';
-
-/**
- * Orchestrator-layer types — Phase C, host-side only.
- *
- * Nothing here crosses the WASM boundary. The engine ABI types live
- * in `../types.ts`; the adapter interfaces live in
- * `../adapters/index.ts`. This file is the host-wrapper-facing
- * surface — what Phase D (Next.js) and Phase E (Express) import.
- */
-
-/**
- * Framework-agnostic HTTP request shape.
- *
- * Next.js / Express / Cloudflare Workers / Hono adapters marshal
- * their native request type into this shape before calling
- * `verifyRequest`. The shape is intentionally minimal — only what
- * the engine needs to make a verdict.
- */
-interface IncomingHttpLike {
-    method: string;
-    /** Path + query string (no scheme + host). */
-    url: string;
-    headers: Record<string, string | string[] | undefined>;
-    /**
-     * Parsed body if the framework has already parsed it (Next.js
-     * with `await req.json()`, Express with `body-parser`). Falsy if
-     * the caller hasn't materialised the body — the orchestrator
-     * treats that as "no MCP-I envelope present" and routes to
-     * PlainHttp.
-     */
-    body?: Buffer | string | object | null;
-    /** Client IP if the framework surfaces one (Express `req.ip`). */
-    remoteAddress?: string;
-}
-/**
- * Options the host wrapper passes per-`verifyRequest`-construction.
- * The five adapters + clock + tenant identifier + enforcement mode.
- */
-interface VerifyRequestOpts {
-    didResolver: DidResolverAdapter;
-    statusListCache: StatusListCacheAdapter;
-    reputationOracle: ReputationOracleAdapter;
-    policyEvaluator: PolicyEvaluatorAdapter;
-    clock: ClockAdapter;
-    /** Tenant identifier — the host customer this request targets. */
-    tenantHost: string;
-    enforcementMode: EnforcementMode;
-    /** Returned to the PolicyEvaluator when the request has no agent DID. Default 1.0. */
-    reputationBaseline?: number;
-    /**
-     * **Envelope-1 (#2537) coordination flag.** Pre-Envelope-1 the TS
-     * bouncer ships MCP-I proofs as `{protected,payload,signature}` JSON
-     * in a `KYA-Delegation` header. Post-Envelope-1 they ship compact
-     * JWS in `_meta.proof.jws` of the body. When this flag is true the
-     * orchestrator also accepts the legacy header form. **Default off.**
-     * Delete this flag once Envelope-1 ships end-to-end.
-     */
-    legacyEnvelopeFallback?: boolean;
-    /**
-     * Argus URL — passed only so the orchestrator can detect "Argus
-     * not configured" at construction time and log the one-shot
-     * warning. The actual reputation fetch goes through `reputationOracle`.
-     */
-    argusUrl?: string;
-    /** Injectable for the once-only Argus configuration warning. */
-    logger?: (msg: string) => void;
-}
-/**
- * Transport-agnostic response shape `renderDecisionAsResponse`
- * produces. Host wrappers adapt this to their framework's response
- * type (NextResponse / Express `res` / Cloudflare Response).
- *
- * `status === null` means "pass through" — the request continues to
- * the next handler. Happens in two cases:
- *   1. `Decision::Permit` (no block in Enforce mode).
- *   2. **Any verdict in Observe mode** — Observe never blocks, but
- *      the response headers still carry the would-have-been verdict.
- */
-interface RenderedResponse {
-    status: number | null;
-    headers: Record<string, string>;
-    body?: string | object;
-}
-
-/**
- * HTTP-to-`AgentRequest` translator — Phase C.1.
- *
- * Detects which engine protocol the request belongs to and builds
- * the typed `AgentRequest` the WASM consumes. Conservative
- * detection: never escalates an ambiguous request into a higher
- * verification tier. Anonymous PlainHttp is the default.
- *
- * **What this layer parses and what it doesn't.** It parses *only
- * what's needed to drive conditional pre-fetch* — header presence,
- * the MCP-I envelope's payload segment (to extract `iss` + `sub` +
- * optional credentialStatus URL). It does **not** verify
- * signatures, decode VC chains for revocation bits, or evaluate
- * scope. Those live in the engine (H-1's parser + Stages 2-5).
- *
- * **Buffer-portability note.** This module uses `Buffer.from(...)` and
- * `Buffer.isBuffer(...)` at multiple call sites (the JWS preflight
- * `hasMalformedJwsBody`, both `tryBuildMcpIFromBody` variants, the
- * legacy-header reconstitution path, and `bodyAsBytes`). All of these
- * assume the Node `Buffer` global is available — provided natively by
- * the Node runtime, polyfilled on Vercel Edge, and gated behind
- * `nodejs_compat` on Cloudflare Workers. Bare-Edge and pure-browser
- * embedders would need a `Buffer` polyfill or a refactor to
- * `TextEncoder` / `Uint8Array.from`. Tracked as a follow-up since
- * Phase D's Vercel Node + Vercel Edge targets are both covered today.
- */
-
-interface BuildAgentRequestOpts {
-    /** See `VerifyRequestOpts.legacyEnvelopeFallback`. */
-    legacyEnvelopeFallback?: boolean;
-}
-/**
- * Translate an HTTP-like request into the engine's `AgentRequest`.
- *
- * Detection order (conservative — never escalate ambiguous input):
- *   1. MCP-I L2 detached proof in `_meta.proof.jws` (spec form).
- *   2. (Legacy, opt-in) MCP-I in `KYA-Delegation` header
- *      (Envelope-1 #2537 transition window only).
- *   3. RFC 9421 HTTP Message Signatures (`Signature-Input` header).
- *   4. PlainHttp (default — anonymous traffic).
- */
-declare function buildAgentRequest(req: IncomingHttpLike, opts?: BuildAgentRequestOpts): AgentRequest;
-/**
- * Preflight check — does the request body carry a `_meta.proof.jws`
- * string that `parseJwsPayloadStruct` cannot project into a typed
- * `McpIPayload`?
- *
- * The caller declared intent (an MCP-I envelope) by including the
- * JWS field; structural failure to extract the payload means the
- * envelope is malformed, not absent. Without this preflight, the
- * orchestrator would silently fall through to PlainHttp — pre-#2560
- * that happened to also Block (engine returned `Block(ParseError)`
- * for every PlainHttp), so the regression was invisible; post-#2560
- * the engine's Stage 1 + stub policy returns `Permit` for anonymous
- * PlainHttp and tampered envelopes would be silently accepted.
- *
- * Returns `true` when the orchestrator should synthesize
- * `Block(ParseError)` BEFORE calling `buildAgentRequest`.
- */
-declare function hasMalformedJwsBody(req: IncomingHttpLike): boolean;
-/**
- * Issuer DID — Stage 1 (identity resolution) targets this. `null`
- * for PlainHttp (anonymous → no DID to resolve).
- */
-declare function extractIssuer(request: AgentRequest): string | null;
-/**
- * Agent DID — used by ReputationOracle. Defaults to `payload.sub`
- * for MCP-I (subject = the agent the proof is *about*).
- */
-declare function extractAgentDid(request: AgentRequest): string | null;
-/**
- * Status-list URL for revocation pre-fetch. Pulled from the JWS
- * payload's `vc.credentialStatus.id` (W3C VC Data Model 1.1).
- * `null` when the envelope is L1 (no VC chain) — Stage 3 will skip.
- */
-declare function extractCredentialStatusUrl(request: AgentRequest): string | null;
-
-/**
- * Transport-agnostic `Decision` → HTTP renderer — Phase C.3.
- *
- * Translates a `VerifyResult` into a framework-neutral
- * `{ status, headers, body }` shape. Phase D (Next.js) adapts this
- * to `NextResponse`; Phase E (Express) adapts it to `res.status().set().send()`.
- * One source of truth for the verdict→HTTP mapping.
- *
- * Mapping table (§ 4.5 of Phase C kickoff):
- *
- * | Decision                          | HTTP | Notes                                   |
- * |-----------------------------------|------|-----------------------------------------|
- * | Permit                            | null | Pass through to next handler            |
- * | Block(Unauthenticated)            | 401  | WWW-Authenticate header                 |
- * | Block(InvalidSignature)           | 403  |                                          |
- * | Block(Revoked)                    | 403  |                                          |
- * | Block(Expired)                    | 401  | Refresh-the-credential semantics        |
- * | Block(OutOfScope)                 | 403  | Body carries requested + granted        |
- * | Block(LowReputation)              | 403  | Body carries score + threshold          |
- * | Block(PolicyDenied)               | 403  | Body carries detail                     |
- * | Block(ParseError)                 | 400  | Body carries detail                     |
- * | Challenge                         | 401  | Body carries ChallengeParams            |
- * | Redirect                          | 302  | Location header                         |
- * | Instruct                          | 422  | application/problem+json body           |
- *
- * Observe mode overrides: every verdict renders as `status: null`
- * (pass through) with an `X-Checkpoint-Would-Have-Been` header
- * carrying the verdict kind, plus the standard attribution headers.
- *
- * Every response carries the Phase 0.1 attribution headers:
- * `X-Checkpoint-Engine`, `X-Checkpoint-Engine-Version`, and
- * (when present) `X-Checkpoint-Ruleset-Hash`.
- */
-
-declare function renderDecisionAsResponse(result: VerifyResult): RenderedResponse;
+import './adapters.mjs';
 
 /**
  * `verifyRequestEdge` async-init orchestrator — Edge-WASM-2 (folded into
@@ -240,4 +46,4 @@ declare function makeVerifyRequestEdge(opts: VerifyRequestOpts): (req: IncomingH
  */
 declare function verifyRequestEdge(req: IncomingHttpLike, opts: VerifyRequestOpts): Promise<VerifyResult>;
 
-export { type BuildAgentRequestOpts, type IncomingHttpLike, type RenderedResponse, type VerifyRequestOpts, buildAgentRequest, extractAgentDid, extractCredentialStatusUrl, extractIssuer, hasMalformedJwsBody, makeVerifyRequestEdge, renderDecisionAsResponse, verifyRequestEdge };
+export { IncomingHttpLike, VerifyRequestOpts, makeVerifyRequestEdge, verifyRequestEdge };

package/dist/orchestrator-edge.d.ts

@@ -1,203 +1,9 @@
 export { initEngineEdge } from './engine-edge.js';
-import { E as EnforcementMode, A as AgentRequest, V as VerifyResult } from './types-D0j85fF0.js';
-import { DidResolverAdapter, StatusListCacheAdapter, ReputationOracleAdapter, PolicyEvaluatorAdapter, ClockAdapter } from './adapters.js';
+import { V as VerifyResult } from './types-D0j85fF0.js';
+import { V as VerifyRequestOpts, I as IncomingHttpLike } from './render-decision-Dsjwt96g.js';
+export { B as BuildAgentRequestOpts, R as RenderedResponse, b as buildAgentRequest, e as extractAgentDid, a as extractCredentialStatusUrl, c as extractIssuer, h as hasMalformedJwsBody, r as renderDecisionAsResponse } from './render-decision-Dsjwt96g.js';
 import '@kya-os/checkpoint-shared';
-
-/**
- * Orchestrator-layer types — Phase C, host-side only.
- *
- * Nothing here crosses the WASM boundary. The engine ABI types live
- * in `../types.ts`; the adapter interfaces live in
- * `../adapters/index.ts`. This file is the host-wrapper-facing
- * surface — what Phase D (Next.js) and Phase E (Express) import.
- */
-
-/**
- * Framework-agnostic HTTP request shape.
- *
- * Next.js / Express / Cloudflare Workers / Hono adapters marshal
- * their native request type into this shape before calling
- * `verifyRequest`. The shape is intentionally minimal — only what
- * the engine needs to make a verdict.
- */
-interface IncomingHttpLike {
-    method: string;
-    /** Path + query string (no scheme + host). */
-    url: string;
-    headers: Record<string, string | string[] | undefined>;
-    /**
-     * Parsed body if the framework has already parsed it (Next.js
-     * with `await req.json()`, Express with `body-parser`). Falsy if
-     * the caller hasn't materialised the body — the orchestrator
-     * treats that as "no MCP-I envelope present" and routes to
-     * PlainHttp.
-     */
-    body?: Buffer | string | object | null;
-    /** Client IP if the framework surfaces one (Express `req.ip`). */
-    remoteAddress?: string;
-}
-/**
- * Options the host wrapper passes per-`verifyRequest`-construction.
- * The five adapters + clock + tenant identifier + enforcement mode.
- */
-interface VerifyRequestOpts {
-    didResolver: DidResolverAdapter;
-    statusListCache: StatusListCacheAdapter;
-    reputationOracle: ReputationOracleAdapter;
-    policyEvaluator: PolicyEvaluatorAdapter;
-    clock: ClockAdapter;
-    /** Tenant identifier — the host customer this request targets. */
-    tenantHost: string;
-    enforcementMode: EnforcementMode;
-    /** Returned to the PolicyEvaluator when the request has no agent DID. Default 1.0. */
-    reputationBaseline?: number;
-    /**
-     * **Envelope-1 (#2537) coordination flag.** Pre-Envelope-1 the TS
-     * bouncer ships MCP-I proofs as `{protected,payload,signature}` JSON
-     * in a `KYA-Delegation` header. Post-Envelope-1 they ship compact
-     * JWS in `_meta.proof.jws` of the body. When this flag is true the
-     * orchestrator also accepts the legacy header form. **Default off.**
-     * Delete this flag once Envelope-1 ships end-to-end.
-     */
-    legacyEnvelopeFallback?: boolean;
-    /**
-     * Argus URL — passed only so the orchestrator can detect "Argus
-     * not configured" at construction time and log the one-shot
-     * warning. The actual reputation fetch goes through `reputationOracle`.
-     */
-    argusUrl?: string;
-    /** Injectable for the once-only Argus configuration warning. */
-    logger?: (msg: string) => void;
-}
-/**
- * Transport-agnostic response shape `renderDecisionAsResponse`
- * produces. Host wrappers adapt this to their framework's response
- * type (NextResponse / Express `res` / Cloudflare Response).
- *
- * `status === null` means "pass through" — the request continues to
- * the next handler. Happens in two cases:
- *   1. `Decision::Permit` (no block in Enforce mode).
- *   2. **Any verdict in Observe mode** — Observe never blocks, but
- *      the response headers still carry the would-have-been verdict.
- */
-interface RenderedResponse {
-    status: number | null;
-    headers: Record<string, string>;
-    body?: string | object;
-}
-
-/**
- * HTTP-to-`AgentRequest` translator — Phase C.1.
- *
- * Detects which engine protocol the request belongs to and builds
- * the typed `AgentRequest` the WASM consumes. Conservative
- * detection: never escalates an ambiguous request into a higher
- * verification tier. Anonymous PlainHttp is the default.
- *
- * **What this layer parses and what it doesn't.** It parses *only
- * what's needed to drive conditional pre-fetch* — header presence,
- * the MCP-I envelope's payload segment (to extract `iss` + `sub` +
- * optional credentialStatus URL). It does **not** verify
- * signatures, decode VC chains for revocation bits, or evaluate
- * scope. Those live in the engine (H-1's parser + Stages 2-5).
- *
- * **Buffer-portability note.** This module uses `Buffer.from(...)` and
- * `Buffer.isBuffer(...)` at multiple call sites (the JWS preflight
- * `hasMalformedJwsBody`, both `tryBuildMcpIFromBody` variants, the
- * legacy-header reconstitution path, and `bodyAsBytes`). All of these
- * assume the Node `Buffer` global is available — provided natively by
- * the Node runtime, polyfilled on Vercel Edge, and gated behind
- * `nodejs_compat` on Cloudflare Workers. Bare-Edge and pure-browser
- * embedders would need a `Buffer` polyfill or a refactor to
- * `TextEncoder` / `Uint8Array.from`. Tracked as a follow-up since
- * Phase D's Vercel Node + Vercel Edge targets are both covered today.
- */
-
-interface BuildAgentRequestOpts {
-    /** See `VerifyRequestOpts.legacyEnvelopeFallback`. */
-    legacyEnvelopeFallback?: boolean;
-}
-/**
- * Translate an HTTP-like request into the engine's `AgentRequest`.
- *
- * Detection order (conservative — never escalate ambiguous input):
- *   1. MCP-I L2 detached proof in `_meta.proof.jws` (spec form).
- *   2. (Legacy, opt-in) MCP-I in `KYA-Delegation` header
- *      (Envelope-1 #2537 transition window only).
- *   3. RFC 9421 HTTP Message Signatures (`Signature-Input` header).
- *   4. PlainHttp (default — anonymous traffic).
- */
-declare function buildAgentRequest(req: IncomingHttpLike, opts?: BuildAgentRequestOpts): AgentRequest;
-/**
- * Preflight check — does the request body carry a `_meta.proof.jws`
- * string that `parseJwsPayloadStruct` cannot project into a typed
- * `McpIPayload`?
- *
- * The caller declared intent (an MCP-I envelope) by including the
- * JWS field; structural failure to extract the payload means the
- * envelope is malformed, not absent. Without this preflight, the
- * orchestrator would silently fall through to PlainHttp — pre-#2560
- * that happened to also Block (engine returned `Block(ParseError)`
- * for every PlainHttp), so the regression was invisible; post-#2560
- * the engine's Stage 1 + stub policy returns `Permit` for anonymous
- * PlainHttp and tampered envelopes would be silently accepted.
- *
- * Returns `true` when the orchestrator should synthesize
- * `Block(ParseError)` BEFORE calling `buildAgentRequest`.
- */
-declare function hasMalformedJwsBody(req: IncomingHttpLike): boolean;
-/**
- * Issuer DID — Stage 1 (identity resolution) targets this. `null`
- * for PlainHttp (anonymous → no DID to resolve).
- */
-declare function extractIssuer(request: AgentRequest): string | null;
-/**
- * Agent DID — used by ReputationOracle. Defaults to `payload.sub`
- * for MCP-I (subject = the agent the proof is *about*).
- */
-declare function extractAgentDid(request: AgentRequest): string | null;
-/**
- * Status-list URL for revocation pre-fetch. Pulled from the JWS
- * payload's `vc.credentialStatus.id` (W3C VC Data Model 1.1).
- * `null` when the envelope is L1 (no VC chain) — Stage 3 will skip.
- */
-declare function extractCredentialStatusUrl(request: AgentRequest): string | null;
-
-/**
- * Transport-agnostic `Decision` → HTTP renderer — Phase C.3.
- *
- * Translates a `VerifyResult` into a framework-neutral
- * `{ status, headers, body }` shape. Phase D (Next.js) adapts this
- * to `NextResponse`; Phase E (Express) adapts it to `res.status().set().send()`.
- * One source of truth for the verdict→HTTP mapping.
- *
- * Mapping table (§ 4.5 of Phase C kickoff):
- *
- * | Decision                          | HTTP | Notes                                   |
- * |-----------------------------------|------|-----------------------------------------|
- * | Permit                            | null | Pass through to next handler            |
- * | Block(Unauthenticated)            | 401  | WWW-Authenticate header                 |
- * | Block(InvalidSignature)           | 403  |                                          |
- * | Block(Revoked)                    | 403  |                                          |
- * | Block(Expired)                    | 401  | Refresh-the-credential semantics        |
- * | Block(OutOfScope)                 | 403  | Body carries requested + granted        |
- * | Block(LowReputation)              | 403  | Body carries score + threshold          |
- * | Block(PolicyDenied)               | 403  | Body carries detail                     |
- * | Block(ParseError)                 | 400  | Body carries detail                     |
- * | Challenge                         | 401  | Body carries ChallengeParams            |
- * | Redirect                          | 302  | Location header                         |
- * | Instruct                          | 422  | application/problem+json body           |
- *
- * Observe mode overrides: every verdict renders as `status: null`
- * (pass through) with an `X-Checkpoint-Would-Have-Been` header
- * carrying the verdict kind, plus the standard attribution headers.
- *
- * Every response carries the Phase 0.1 attribution headers:
- * `X-Checkpoint-Engine`, `X-Checkpoint-Engine-Version`, and
- * (when present) `X-Checkpoint-Ruleset-Hash`.
- */
-
-declare function renderDecisionAsResponse(result: VerifyResult): RenderedResponse;
+import './adapters.js';
 
 /**
  * `verifyRequestEdge` async-init orchestrator — Edge-WASM-2 (folded into
@@ -240,4 +46,4 @@ declare function makeVerifyRequestEdge(opts: VerifyRequestOpts): (req: IncomingH
  */
 declare function verifyRequestEdge(req: IncomingHttpLike, opts: VerifyRequestOpts): Promise<VerifyResult>;
 
-export { type BuildAgentRequestOpts, type IncomingHttpLike, type RenderedResponse, type VerifyRequestOpts, buildAgentRequest, extractAgentDid, extractCredentialStatusUrl, extractIssuer, hasMalformedJwsBody, makeVerifyRequestEdge, renderDecisionAsResponse, verifyRequestEdge };
+export { IncomingHttpLike, VerifyRequestOpts, makeVerifyRequestEdge, verifyRequestEdge };

package/dist/orchestrator-edge.js

@@ -1072,5 +1072,3 @@ exports.initEngineEdge = initEngineEdge;
 exports.makeVerifyRequestEdge = makeVerifyRequestEdge;
 exports.renderDecisionAsResponse = renderDecisionAsResponse;
 exports.verifyRequestEdge = verifyRequestEdge;
-//# sourceMappingURL=orchestrator-edge.js.map
-//# sourceMappingURL=orchestrator-edge.js.map

package/dist/orchestrator-edge.mjs

@@ -1061,5 +1061,3 @@ function defaultLogger(msg) {
 }
 
 export { buildAgentRequest, extractAgentDid, extractCredentialStatusUrl, extractIssuer, hasMalformedJwsBody, initEngineEdge, makeVerifyRequestEdge, renderDecisionAsResponse, verifyRequestEdge };
-//# sourceMappingURL=orchestrator-edge.mjs.map
-//# sourceMappingURL=orchestrator-edge.mjs.map

package/dist/orchestrator-node.d.mts

@@ -0,0 +1,49 @@
+import { V as VerifyResult } from './types-D0j85fF0.mjs';
+import { V as VerifyRequestOpts, I as IncomingHttpLike } from './render-decision-C1a-iuiW.mjs';
+export { B as BuildAgentRequestOpts, R as RenderedResponse, b as buildAgentRequest, e as extractAgentDid, a as extractCredentialStatusUrl, c as extractIssuer, h as hasMalformedJwsBody, r as renderDecisionAsResponse } from './render-decision-C1a-iuiW.mjs';
+import '@kya-os/checkpoint-shared';
+import './adapters.mjs';
+
+/**
+ * `verifyRequest` async orchestrator — Phase C.2.
+ *
+ * The single entry point Phase D (Next.js) and Phase E (Express)
+ * compose. Async pre-fetch on the host side; one sync `engineVerify`
+ * call across the WASM boundary. Sync-engine / async-host invariant
+ * (H-1 § 4.5) preserved.
+ *
+ * Orchestration:
+ *   1. Translate HTTP → AgentRequest (no engine I/O).
+ *   2. Extract identifiers (issuer DID, agent DID, status-list URL).
+ *   3. Conditional Promise.all over the *applicable* adapters —
+ *      anonymous PlainHttp gets no network calls; signed MCP-I gets
+ *      DID + status-list + reputation in parallel.
+ *   4. Translate adapter errors to verdicts where the architect-
+ *      ratified posture says so:
+ *        - DidResolver throw  → Block(ParseError) verdict
+ *        - StatusListCache throw → re-throw (host renders 503)
+ *        - Reputation throw   → impossible (Phase B § 4.5)
+ *   5. Compute the tenant Decision via PolicyEvaluator over the
+ *      resolved reputation.
+ *   6. Build ContextSpec, call `engineVerify`, return VerifyResult.
+ *
+ * Cedar-1 forward-compat: step (5) is the only place the
+ * PolicyEvaluator interface gets exercised. When Cedar-1 swaps
+ * implementations, this orchestrator does not change.
+ */
+
+/**
+ * Factory — constructs a `verifyRequest` closure that remembers the
+ * one-shot Argus-not-configured warning state. Use this when the
+ * host wrapper wants the startup log; call `verifyRequest` directly
+ * (the loose function below) if you don't.
+ */
+declare function makeVerifyRequest(opts: VerifyRequestOpts): (req: IncomingHttpLike) => Promise<VerifyResult>;
+/**
+ * Single-shot async entry. Use [`makeVerifyRequest`] in long-lived
+ * hosts (so the Argus warning is one-shot per process); use this
+ * loose form in tests + one-off invocations.
+ */
+declare function verifyRequest(req: IncomingHttpLike, opts: VerifyRequestOpts): Promise<VerifyResult>;
+
+export { IncomingHttpLike, VerifyRequestOpts, makeVerifyRequest, verifyRequest };