@kya-os/checkpoint-wasm-runtime 1.1.1 → 1.1.2

package/dist/orchestrator-node.d.mts

@@ -1,8 +1,203 @@
-import { V as VerifyResult } from './types-D0j85fF0.mjs';
-import { V as VerifyRequestOpts, I as IncomingHttpLike } from './render-decision-C1a-iuiW.mjs';
-export { B as BuildAgentRequestOpts, R as RenderedResponse, b as buildAgentRequest, e as extractAgentDid, a as extractCredentialStatusUrl, c as extractIssuer, h as hasMalformedJwsBody, r as renderDecisionAsResponse } from './render-decision-C1a-iuiW.mjs';
+import { d as DidDocument, D as Decision, E as EnforcementMode, V as VerifyResult, A as AgentRequest } from './types-D0j85fF0.mjs';
 import '@kya-os/checkpoint-shared';
-import './adapters.mjs';
+
+/**
+ * DidResolver adapter — sub-phase B.1.
+ *
+ * Resolves `did:key:*` (in-memory multibase decode) and `did:web:*`
+ * (HTTPS fetch of `.well-known/did.json`) into the engine's
+ * `DidDocument` shape. The async half does any required I/O; the
+ * adapter's output is plain data that the host wrapper bundles into
+ * `ContextSpec.didDocs` before calling `engineVerify`.
+ *
+ * Phase 1 supports only Ed25519 verification methods (the engine's
+ * `KeyType` is `#[non_exhaustive]` with `Ed25519` as its single
+ * variant). Non-Ed25519 methods on a resolved doc are silently
+ * filtered out — the engine wouldn't accept them as a valid Stage 2
+ * key match anyway.
+ *
+ * **`kid` for `did:key`**: the verification-method id is
+ * `<did>#<multibase>` per mcp-i-core PR #16. **NOT** `<did>#keys-1`.
+ * H-1's `stage2_did_key_fragment_resolution` test pins this.
+ */
+
+interface DidResolverAdapter {
+    resolve(did: string): Promise<DidDocument>;
+}
+
+interface StatusListCacheAdapter {
+    /**
+     * Fetch the status list at `url`, decode it, and return the sorted
+     * set of revoked credential indices.
+     *
+     * @throws {StatusListUnavailable} on transport / non-2xx response.
+     * @throws {StatusListTimeout} when the fetch budget is exceeded.
+     * @throws {MalformedStatusList} when the VC is unparseable.
+     */
+    fetch(url: string): Promise<number[]>;
+}
+
+/**
+ * ReputationOracle adapter — sub-phase B.3.
+ *
+ * Resolves a per-DID reputation score in `[0.0, 1.0]`. Phase 1 wires
+ * an optional HTTP endpoint (Argus). Unavailable / misconfigured /
+ * out-of-range responses degrade to a baseline score so infrastructure
+ * blips can't silently DOS Adobe-class traffic. The engine's Stage 6
+ * compares the returned score against the tenant-configured threshold
+ * (Phase B.4 builds the threshold via `PolicyEvaluator`).
+ *
+ * **Degrade-to-trust** (Phase B § 4.5). Reputation is best-effort;
+ * Argus outages do not block traffic. The adapter returns the
+ * configured baseline (default 1.0 = "no signal, treat as trusted")
+ * and logs loudly. The engine's `LowReputation` block fires only
+ * when score < threshold from tenant policy; baseline-1.0 ensures
+ * no traffic is silently rejected just because Argus went down.
+ */
+interface ReputationOracleAdapter {
+    /**
+     * Return the agent's reputation in `[0.0, 1.0]`. Higher is better.
+     *
+     * **Does not throw.** Network / parse / range failures degrade to
+     * the baseline + log; the engine should never see a thrown error
+     * from this adapter.
+     */
+    score(agentDid: string): Promise<number>;
+}
+
+/**
+ * PolicyEvaluator adapter — sub-phase B.4.
+ *
+ * Computes the **tenant verdict** on the JS side and hands the engine
+ * a constant `Decision` for the WASM `WasmConstantPolicy` to echo as
+ * Stage 7's contribution. The engine's cross-stage priority order
+ * (locked in D-design § 6 row 4) handles how Stage 7 interacts with
+ * Stages 2 / 3 / 4 / 5.
+ *
+ * **Sync-engine / async-host invariant.** The JS adapter is async (it
+ * fetches tenant policy from the Checkpoint dashboard); the engine
+ * sees only the resolved `Decision`. Cedar-1 will replace this
+ * adapter's implementation without touching the surrounding orchestrator.
+ *
+ * **Cedar-1 forward-compat.** [`PolicyEvaluatorAdapter`] is the
+ * Cedar-swappable interface: `(input) → Decision`. The Phase 1 stub
+ * is a reputation-threshold check; Cedar-1 will replace the
+ * implementation, not the surface. Don't bake Cedar internals into
+ * this seam.
+ *
+ * **Degrade-to-permit.** Per Phase B § 4.5: when the dashboard policy
+ * endpoint is unreachable, fall back to `defaultPolicy` (caller-supplied)
+ * or `permit-by-default`. Loud log; no silent block.
+ */
+
+/**
+ * Pre-fetched inputs the JS host knows before calling the engine.
+ * Phase 1's evaluator only consumes `reputation` + `tenantHost`; later
+ * implementations (Cedar-1) may extend.
+ */
+interface PolicyEvalInput {
+    tenantHost: string;
+    reputation: number;
+}
+interface PolicyEvaluatorAdapter {
+    evaluate(input: PolicyEvalInput): Promise<Decision>;
+}
+
+/**
+ * Clock adapter — sub-phase B.5.
+ *
+ * Provides the Unix-seconds timestamp the engine's `Clock` trait needs
+ * for Stage 4 expiration checks. Trivial; the trait shape exists so
+ * tests can inject a frozen clock (and so the engine's sync-trait
+ * surface is satisfied without a JS callback crossing the WASM
+ * boundary — `ContextSpec.nowUnix` carries the value).
+ */
+interface ClockAdapter {
+    nowUnix(): number;
+}
+
+/**
+ * Orchestrator-layer types — Phase C, host-side only.
+ *
+ * Nothing here crosses the WASM boundary. The engine ABI types live
+ * in `../types.ts`; the adapter interfaces live in
+ * `../adapters/index.ts`. This file is the host-wrapper-facing
+ * surface — what Phase D (Next.js) and Phase E (Express) import.
+ */
+
+/**
+ * Framework-agnostic HTTP request shape.
+ *
+ * Next.js / Express / Cloudflare Workers / Hono adapters marshal
+ * their native request type into this shape before calling
+ * `verifyRequest`. The shape is intentionally minimal — only what
+ * the engine needs to make a verdict.
+ */
+interface IncomingHttpLike {
+    method: string;
+    /** Path + query string (no scheme + host). */
+    url: string;
+    headers: Record<string, string | string[] | undefined>;
+    /**
+     * Parsed body if the framework has already parsed it (Next.js
+     * with `await req.json()`, Express with `body-parser`). Falsy if
+     * the caller hasn't materialised the body — the orchestrator
+     * treats that as "no MCP-I envelope present" and routes to
+     * PlainHttp.
+     */
+    body?: Buffer | string | object | null;
+    /** Client IP if the framework surfaces one (Express `req.ip`). */
+    remoteAddress?: string;
+}
+/**
+ * Options the host wrapper passes per-`verifyRequest`-construction.
+ * The five adapters + clock + tenant identifier + enforcement mode.
+ */
+interface VerifyRequestOpts {
+    didResolver: DidResolverAdapter;
+    statusListCache: StatusListCacheAdapter;
+    reputationOracle: ReputationOracleAdapter;
+    policyEvaluator: PolicyEvaluatorAdapter;
+    clock: ClockAdapter;
+    /** Tenant identifier — the host customer this request targets. */
+    tenantHost: string;
+    enforcementMode: EnforcementMode;
+    /** Returned to the PolicyEvaluator when the request has no agent DID. Default 1.0. */
+    reputationBaseline?: number;
+    /**
+     * **Envelope-1 (#2537) coordination flag.** Pre-Envelope-1 the TS
+     * bouncer ships MCP-I proofs as `{protected,payload,signature}` JSON
+     * in a `KYA-Delegation` header. Post-Envelope-1 they ship compact
+     * JWS in `_meta.proof.jws` of the body. When this flag is true the
+     * orchestrator also accepts the legacy header form. **Default off.**
+     * Delete this flag once Envelope-1 ships end-to-end.
+     */
+    legacyEnvelopeFallback?: boolean;
+    /**
+     * Argus URL — passed only so the orchestrator can detect "Argus
+     * not configured" at construction time and log the one-shot
+     * warning. The actual reputation fetch goes through `reputationOracle`.
+     */
+    argusUrl?: string;
+    /** Injectable for the once-only Argus configuration warning. */
+    logger?: (msg: string) => void;
+}
+/**
+ * Transport-agnostic response shape `renderDecisionAsResponse`
+ * produces. Host wrappers adapt this to their framework's response
+ * type (NextResponse / Express `res` / Cloudflare Response).
+ *
+ * `status === null` means "pass through" — the request continues to
+ * the next handler. Happens in two cases:
+ *   1. `Decision::Permit` (no block in Enforce mode).
+ *   2. **Any verdict in Observe mode** — Observe never blocks, but
+ *      the response headers still carry the would-have-been verdict.
+ */
+interface RenderedResponse {
+    status: number | null;
+    headers: Record<string, string>;
+    body?: string | object;
+}
 
 /**
  * `verifyRequest` async orchestrator — Phase C.2.
@@ -46,4 +241,117 @@ declare function makeVerifyRequest(opts: VerifyRequestOpts): (req: IncomingHttpL
  */
 declare function verifyRequest(req: IncomingHttpLike, opts: VerifyRequestOpts): Promise<VerifyResult>;
 
-export { IncomingHttpLike, VerifyRequestOpts, makeVerifyRequest, verifyRequest };
+/**
+ * HTTP-to-`AgentRequest` translator — Phase C.1.
+ *
+ * Detects which engine protocol the request belongs to and builds
+ * the typed `AgentRequest` the WASM consumes. Conservative
+ * detection: never escalates an ambiguous request into a higher
+ * verification tier. Anonymous PlainHttp is the default.
+ *
+ * **What this layer parses and what it doesn't.** It parses *only
+ * what's needed to drive conditional pre-fetch* — header presence,
+ * the MCP-I envelope's payload segment (to extract `iss` + `sub` +
+ * optional credentialStatus URL). It does **not** verify
+ * signatures, decode VC chains for revocation bits, or evaluate
+ * scope. Those live in the engine (H-1's parser + Stages 2-5).
+ *
+ * **Buffer-portability note.** This module uses `Buffer.from(...)` and
+ * `Buffer.isBuffer(...)` at multiple call sites (the JWS preflight
+ * `hasMalformedJwsBody`, both `tryBuildMcpIFromBody` variants, the
+ * legacy-header reconstitution path, and `bodyAsBytes`). All of these
+ * assume the Node `Buffer` global is available — provided natively by
+ * the Node runtime, polyfilled on Vercel Edge, and gated behind
+ * `nodejs_compat` on Cloudflare Workers. Bare-Edge and pure-browser
+ * embedders would need a `Buffer` polyfill or a refactor to
+ * `TextEncoder` / `Uint8Array.from`. Tracked as a follow-up since
+ * Phase D's Vercel Node + Vercel Edge targets are both covered today.
+ */
+
+interface BuildAgentRequestOpts {
+    /** See `VerifyRequestOpts.legacyEnvelopeFallback`. */
+    legacyEnvelopeFallback?: boolean;
+}
+/**
+ * Translate an HTTP-like request into the engine's `AgentRequest`.
+ *
+ * Detection order (conservative — never escalate ambiguous input):
+ *   1. MCP-I L2 detached proof in `_meta.proof.jws` (spec form).
+ *   2. (Legacy, opt-in) MCP-I in `KYA-Delegation` header
+ *      (Envelope-1 #2537 transition window only).
+ *   3. RFC 9421 HTTP Message Signatures (`Signature-Input` header).
+ *   4. PlainHttp (default — anonymous traffic).
+ */
+declare function buildAgentRequest(req: IncomingHttpLike, opts?: BuildAgentRequestOpts): AgentRequest;
+/**
+ * Preflight check — does the request body carry a `_meta.proof.jws`
+ * string that `parseJwsPayloadStruct` cannot project into a typed
+ * `McpIPayload`?
+ *
+ * The caller declared intent (an MCP-I envelope) by including the
+ * JWS field; structural failure to extract the payload means the
+ * envelope is malformed, not absent. Without this preflight, the
+ * orchestrator would silently fall through to PlainHttp — pre-#2560
+ * that happened to also Block (engine returned `Block(ParseError)`
+ * for every PlainHttp), so the regression was invisible; post-#2560
+ * the engine's Stage 1 + stub policy returns `Permit` for anonymous
+ * PlainHttp and tampered envelopes would be silently accepted.
+ *
+ * Returns `true` when the orchestrator should synthesize
+ * `Block(ParseError)` BEFORE calling `buildAgentRequest`.
+ */
+declare function hasMalformedJwsBody(req: IncomingHttpLike): boolean;
+/**
+ * Issuer DID — Stage 1 (identity resolution) targets this. `null`
+ * for PlainHttp (anonymous → no DID to resolve).
+ */
+declare function extractIssuer(request: AgentRequest): string | null;
+/**
+ * Agent DID — used by ReputationOracle. Defaults to `payload.sub`
+ * for MCP-I (subject = the agent the proof is *about*).
+ */
+declare function extractAgentDid(request: AgentRequest): string | null;
+/**
+ * Status-list URL for revocation pre-fetch. Pulled from the JWS
+ * payload's `vc.credentialStatus.id` (W3C VC Data Model 1.1).
+ * `null` when the envelope is L1 (no VC chain) — Stage 3 will skip.
+ */
+declare function extractCredentialStatusUrl(request: AgentRequest): string | null;
+
+/**
+ * Transport-agnostic `Decision` → HTTP renderer — Phase C.3.
+ *
+ * Translates a `VerifyResult` into a framework-neutral
+ * `{ status, headers, body }` shape. Phase D (Next.js) adapts this
+ * to `NextResponse`; Phase E (Express) adapts it to `res.status().set().send()`.
+ * One source of truth for the verdict→HTTP mapping.
+ *
+ * Mapping table (§ 4.5 of Phase C kickoff):
+ *
+ * | Decision                          | HTTP | Notes                                   |
+ * |-----------------------------------|------|-----------------------------------------|
+ * | Permit                            | null | Pass through to next handler            |
+ * | Block(Unauthenticated)            | 401  | WWW-Authenticate header                 |
+ * | Block(InvalidSignature)           | 403  |                                          |
+ * | Block(Revoked)                    | 403  |                                          |
+ * | Block(Expired)                    | 401  | Refresh-the-credential semantics        |
+ * | Block(OutOfScope)                 | 403  | Body carries requested + granted        |
+ * | Block(LowReputation)              | 403  | Body carries score + threshold          |
+ * | Block(PolicyDenied)               | 403  | Body carries detail                     |
+ * | Block(ParseError)                 | 400  | Body carries detail                     |
+ * | Challenge                         | 401  | Body carries ChallengeParams            |
+ * | Redirect                          | 302  | Location header                         |
+ * | Instruct                          | 422  | application/problem+json body           |
+ *
+ * Observe mode overrides: every verdict renders as `status: null`
+ * (pass through) with an `X-Checkpoint-Would-Have-Been` header
+ * carrying the verdict kind, plus the standard attribution headers.
+ *
+ * Every response carries the Phase 0.1 attribution headers:
+ * `X-Checkpoint-Engine`, `X-Checkpoint-Engine-Version`, and
+ * (when present) `X-Checkpoint-Ruleset-Hash`.
+ */
+
+declare function renderDecisionAsResponse(result: VerifyResult): RenderedResponse;
+
+export { type BuildAgentRequestOpts, type IncomingHttpLike, type RenderedResponse, type VerifyRequestOpts, buildAgentRequest, extractAgentDid, extractCredentialStatusUrl, extractIssuer, hasMalformedJwsBody, makeVerifyRequest, renderDecisionAsResponse, verifyRequest };

package/dist/orchestrator-node.d.ts

@@ -1,8 +1,203 @@
-import { V as VerifyResult } from './types-D0j85fF0.js';
-import { V as VerifyRequestOpts, I as IncomingHttpLike } from './render-decision-Dsjwt96g.js';
-export { B as BuildAgentRequestOpts, R as RenderedResponse, b as buildAgentRequest, e as extractAgentDid, a as extractCredentialStatusUrl, c as extractIssuer, h as hasMalformedJwsBody, r as renderDecisionAsResponse } from './render-decision-Dsjwt96g.js';
+import { d as DidDocument, D as Decision, E as EnforcementMode, V as VerifyResult, A as AgentRequest } from './types-D0j85fF0.js';
 import '@kya-os/checkpoint-shared';
-import './adapters.js';
+
+/**
+ * DidResolver adapter — sub-phase B.1.
+ *
+ * Resolves `did:key:*` (in-memory multibase decode) and `did:web:*`
+ * (HTTPS fetch of `.well-known/did.json`) into the engine's
+ * `DidDocument` shape. The async half does any required I/O; the
+ * adapter's output is plain data that the host wrapper bundles into
+ * `ContextSpec.didDocs` before calling `engineVerify`.
+ *
+ * Phase 1 supports only Ed25519 verification methods (the engine's
+ * `KeyType` is `#[non_exhaustive]` with `Ed25519` as its single
+ * variant). Non-Ed25519 methods on a resolved doc are silently
+ * filtered out — the engine wouldn't accept them as a valid Stage 2
+ * key match anyway.
+ *
+ * **`kid` for `did:key`**: the verification-method id is
+ * `<did>#<multibase>` per mcp-i-core PR #16. **NOT** `<did>#keys-1`.
+ * H-1's `stage2_did_key_fragment_resolution` test pins this.
+ */
+
+interface DidResolverAdapter {
+    resolve(did: string): Promise<DidDocument>;
+}
+
+interface StatusListCacheAdapter {
+    /**
+     * Fetch the status list at `url`, decode it, and return the sorted
+     * set of revoked credential indices.
+     *
+     * @throws {StatusListUnavailable} on transport / non-2xx response.
+     * @throws {StatusListTimeout} when the fetch budget is exceeded.
+     * @throws {MalformedStatusList} when the VC is unparseable.
+     */
+    fetch(url: string): Promise<number[]>;
+}
+
+/**
+ * ReputationOracle adapter — sub-phase B.3.
+ *
+ * Resolves a per-DID reputation score in `[0.0, 1.0]`. Phase 1 wires
+ * an optional HTTP endpoint (Argus). Unavailable / misconfigured /
+ * out-of-range responses degrade to a baseline score so infrastructure
+ * blips can't silently DOS Adobe-class traffic. The engine's Stage 6
+ * compares the returned score against the tenant-configured threshold
+ * (Phase B.4 builds the threshold via `PolicyEvaluator`).
+ *
+ * **Degrade-to-trust** (Phase B § 4.5). Reputation is best-effort;
+ * Argus outages do not block traffic. The adapter returns the
+ * configured baseline (default 1.0 = "no signal, treat as trusted")
+ * and logs loudly. The engine's `LowReputation` block fires only
+ * when score < threshold from tenant policy; baseline-1.0 ensures
+ * no traffic is silently rejected just because Argus went down.
+ */
+interface ReputationOracleAdapter {
+    /**
+     * Return the agent's reputation in `[0.0, 1.0]`. Higher is better.
+     *
+     * **Does not throw.** Network / parse / range failures degrade to
+     * the baseline + log; the engine should never see a thrown error
+     * from this adapter.
+     */
+    score(agentDid: string): Promise<number>;
+}
+
+/**
+ * PolicyEvaluator adapter — sub-phase B.4.
+ *
+ * Computes the **tenant verdict** on the JS side and hands the engine
+ * a constant `Decision` for the WASM `WasmConstantPolicy` to echo as
+ * Stage 7's contribution. The engine's cross-stage priority order
+ * (locked in D-design § 6 row 4) handles how Stage 7 interacts with
+ * Stages 2 / 3 / 4 / 5.
+ *
+ * **Sync-engine / async-host invariant.** The JS adapter is async (it
+ * fetches tenant policy from the Checkpoint dashboard); the engine
+ * sees only the resolved `Decision`. Cedar-1 will replace this
+ * adapter's implementation without touching the surrounding orchestrator.
+ *
+ * **Cedar-1 forward-compat.** [`PolicyEvaluatorAdapter`] is the
+ * Cedar-swappable interface: `(input) → Decision`. The Phase 1 stub
+ * is a reputation-threshold check; Cedar-1 will replace the
+ * implementation, not the surface. Don't bake Cedar internals into
+ * this seam.
+ *
+ * **Degrade-to-permit.** Per Phase B § 4.5: when the dashboard policy
+ * endpoint is unreachable, fall back to `defaultPolicy` (caller-supplied)
+ * or `permit-by-default`. Loud log; no silent block.
+ */
+
+/**
+ * Pre-fetched inputs the JS host knows before calling the engine.
+ * Phase 1's evaluator only consumes `reputation` + `tenantHost`; later
+ * implementations (Cedar-1) may extend.
+ */
+interface PolicyEvalInput {
+    tenantHost: string;
+    reputation: number;
+}
+interface PolicyEvaluatorAdapter {
+    evaluate(input: PolicyEvalInput): Promise<Decision>;
+}
+
+/**
+ * Clock adapter — sub-phase B.5.
+ *
+ * Provides the Unix-seconds timestamp the engine's `Clock` trait needs
+ * for Stage 4 expiration checks. Trivial; the trait shape exists so
+ * tests can inject a frozen clock (and so the engine's sync-trait
+ * surface is satisfied without a JS callback crossing the WASM
+ * boundary — `ContextSpec.nowUnix` carries the value).
+ */
+interface ClockAdapter {
+    nowUnix(): number;
+}
+
+/**
+ * Orchestrator-layer types — Phase C, host-side only.
+ *
+ * Nothing here crosses the WASM boundary. The engine ABI types live
+ * in `../types.ts`; the adapter interfaces live in
+ * `../adapters/index.ts`. This file is the host-wrapper-facing
+ * surface — what Phase D (Next.js) and Phase E (Express) import.
+ */
+
+/**
+ * Framework-agnostic HTTP request shape.
+ *
+ * Next.js / Express / Cloudflare Workers / Hono adapters marshal
+ * their native request type into this shape before calling
+ * `verifyRequest`. The shape is intentionally minimal — only what
+ * the engine needs to make a verdict.
+ */
+interface IncomingHttpLike {
+    method: string;
+    /** Path + query string (no scheme + host). */
+    url: string;
+    headers: Record<string, string | string[] | undefined>;
+    /**
+     * Parsed body if the framework has already parsed it (Next.js
+     * with `await req.json()`, Express with `body-parser`). Falsy if
+     * the caller hasn't materialised the body — the orchestrator
+     * treats that as "no MCP-I envelope present" and routes to
+     * PlainHttp.
+     */
+    body?: Buffer | string | object | null;
+    /** Client IP if the framework surfaces one (Express `req.ip`). */
+    remoteAddress?: string;
+}
+/**
+ * Options the host wrapper passes per-`verifyRequest`-construction.
+ * The five adapters + clock + tenant identifier + enforcement mode.
+ */
+interface VerifyRequestOpts {
+    didResolver: DidResolverAdapter;
+    statusListCache: StatusListCacheAdapter;
+    reputationOracle: ReputationOracleAdapter;
+    policyEvaluator: PolicyEvaluatorAdapter;
+    clock: ClockAdapter;
+    /** Tenant identifier — the host customer this request targets. */
+    tenantHost: string;
+    enforcementMode: EnforcementMode;
+    /** Returned to the PolicyEvaluator when the request has no agent DID. Default 1.0. */
+    reputationBaseline?: number;
+    /**
+     * **Envelope-1 (#2537) coordination flag.** Pre-Envelope-1 the TS
+     * bouncer ships MCP-I proofs as `{protected,payload,signature}` JSON
+     * in a `KYA-Delegation` header. Post-Envelope-1 they ship compact
+     * JWS in `_meta.proof.jws` of the body. When this flag is true the
+     * orchestrator also accepts the legacy header form. **Default off.**
+     * Delete this flag once Envelope-1 ships end-to-end.
+     */
+    legacyEnvelopeFallback?: boolean;
+    /**
+     * Argus URL — passed only so the orchestrator can detect "Argus
+     * not configured" at construction time and log the one-shot
+     * warning. The actual reputation fetch goes through `reputationOracle`.
+     */
+    argusUrl?: string;
+    /** Injectable for the once-only Argus configuration warning. */
+    logger?: (msg: string) => void;
+}
+/**
+ * Transport-agnostic response shape `renderDecisionAsResponse`
+ * produces. Host wrappers adapt this to their framework's response
+ * type (NextResponse / Express `res` / Cloudflare Response).
+ *
+ * `status === null` means "pass through" — the request continues to
+ * the next handler. Happens in two cases:
+ *   1. `Decision::Permit` (no block in Enforce mode).
+ *   2. **Any verdict in Observe mode** — Observe never blocks, but
+ *      the response headers still carry the would-have-been verdict.
+ */
+interface RenderedResponse {
+    status: number | null;
+    headers: Record<string, string>;
+    body?: string | object;
+}
 
 /**
  * `verifyRequest` async orchestrator — Phase C.2.
@@ -46,4 +241,117 @@ declare function makeVerifyRequest(opts: VerifyRequestOpts): (req: IncomingHttpL
  */
 declare function verifyRequest(req: IncomingHttpLike, opts: VerifyRequestOpts): Promise<VerifyResult>;
 
-export { IncomingHttpLike, VerifyRequestOpts, makeVerifyRequest, verifyRequest };
+/**
+ * HTTP-to-`AgentRequest` translator — Phase C.1.
+ *
+ * Detects which engine protocol the request belongs to and builds
+ * the typed `AgentRequest` the WASM consumes. Conservative
+ * detection: never escalates an ambiguous request into a higher
+ * verification tier. Anonymous PlainHttp is the default.
+ *
+ * **What this layer parses and what it doesn't.** It parses *only
+ * what's needed to drive conditional pre-fetch* — header presence,
+ * the MCP-I envelope's payload segment (to extract `iss` + `sub` +
+ * optional credentialStatus URL). It does **not** verify
+ * signatures, decode VC chains for revocation bits, or evaluate
+ * scope. Those live in the engine (H-1's parser + Stages 2-5).
+ *
+ * **Buffer-portability note.** This module uses `Buffer.from(...)` and
+ * `Buffer.isBuffer(...)` at multiple call sites (the JWS preflight
+ * `hasMalformedJwsBody`, both `tryBuildMcpIFromBody` variants, the
+ * legacy-header reconstitution path, and `bodyAsBytes`). All of these
+ * assume the Node `Buffer` global is available — provided natively by
+ * the Node runtime, polyfilled on Vercel Edge, and gated behind
+ * `nodejs_compat` on Cloudflare Workers. Bare-Edge and pure-browser
+ * embedders would need a `Buffer` polyfill or a refactor to
+ * `TextEncoder` / `Uint8Array.from`. Tracked as a follow-up since
+ * Phase D's Vercel Node + Vercel Edge targets are both covered today.
+ */
+
+interface BuildAgentRequestOpts {
+    /** See `VerifyRequestOpts.legacyEnvelopeFallback`. */
+    legacyEnvelopeFallback?: boolean;
+}
+/**
+ * Translate an HTTP-like request into the engine's `AgentRequest`.
+ *
+ * Detection order (conservative — never escalate ambiguous input):
+ *   1. MCP-I L2 detached proof in `_meta.proof.jws` (spec form).
+ *   2. (Legacy, opt-in) MCP-I in `KYA-Delegation` header
+ *      (Envelope-1 #2537 transition window only).
+ *   3. RFC 9421 HTTP Message Signatures (`Signature-Input` header).
+ *   4. PlainHttp (default — anonymous traffic).
+ */
+declare function buildAgentRequest(req: IncomingHttpLike, opts?: BuildAgentRequestOpts): AgentRequest;
+/**
+ * Preflight check — does the request body carry a `_meta.proof.jws`
+ * string that `parseJwsPayloadStruct` cannot project into a typed
+ * `McpIPayload`?
+ *
+ * The caller declared intent (an MCP-I envelope) by including the
+ * JWS field; structural failure to extract the payload means the
+ * envelope is malformed, not absent. Without this preflight, the
+ * orchestrator would silently fall through to PlainHttp — pre-#2560
+ * that happened to also Block (engine returned `Block(ParseError)`
+ * for every PlainHttp), so the regression was invisible; post-#2560
+ * the engine's Stage 1 + stub policy returns `Permit` for anonymous
+ * PlainHttp and tampered envelopes would be silently accepted.
+ *
+ * Returns `true` when the orchestrator should synthesize
+ * `Block(ParseError)` BEFORE calling `buildAgentRequest`.
+ */
+declare function hasMalformedJwsBody(req: IncomingHttpLike): boolean;
+/**
+ * Issuer DID — Stage 1 (identity resolution) targets this. `null`
+ * for PlainHttp (anonymous → no DID to resolve).
+ */
+declare function extractIssuer(request: AgentRequest): string | null;
+/**
+ * Agent DID — used by ReputationOracle. Defaults to `payload.sub`
+ * for MCP-I (subject = the agent the proof is *about*).
+ */
+declare function extractAgentDid(request: AgentRequest): string | null;
+/**
+ * Status-list URL for revocation pre-fetch. Pulled from the JWS
+ * payload's `vc.credentialStatus.id` (W3C VC Data Model 1.1).
+ * `null` when the envelope is L1 (no VC chain) — Stage 3 will skip.
+ */
+declare function extractCredentialStatusUrl(request: AgentRequest): string | null;
+
+/**
+ * Transport-agnostic `Decision` → HTTP renderer — Phase C.3.
+ *
+ * Translates a `VerifyResult` into a framework-neutral
+ * `{ status, headers, body }` shape. Phase D (Next.js) adapts this
+ * to `NextResponse`; Phase E (Express) adapts it to `res.status().set().send()`.
+ * One source of truth for the verdict→HTTP mapping.
+ *
+ * Mapping table (§ 4.5 of Phase C kickoff):
+ *
+ * | Decision                          | HTTP | Notes                                   |
+ * |-----------------------------------|------|-----------------------------------------|
+ * | Permit                            | null | Pass through to next handler            |
+ * | Block(Unauthenticated)            | 401  | WWW-Authenticate header                 |
+ * | Block(InvalidSignature)           | 403  |                                          |
+ * | Block(Revoked)                    | 403  |                                          |
+ * | Block(Expired)                    | 401  | Refresh-the-credential semantics        |
+ * | Block(OutOfScope)                 | 403  | Body carries requested + granted        |
+ * | Block(LowReputation)              | 403  | Body carries score + threshold          |
+ * | Block(PolicyDenied)               | 403  | Body carries detail                     |
+ * | Block(ParseError)                 | 400  | Body carries detail                     |
+ * | Challenge                         | 401  | Body carries ChallengeParams            |
+ * | Redirect                          | 302  | Location header                         |
+ * | Instruct                          | 422  | application/problem+json body           |
+ *
+ * Observe mode overrides: every verdict renders as `status: null`
+ * (pass through) with an `X-Checkpoint-Would-Have-Been` header
+ * carrying the verdict kind, plus the standard attribution headers.
+ *
+ * Every response carries the Phase 0.1 attribution headers:
+ * `X-Checkpoint-Engine`, `X-Checkpoint-Engine-Version`, and
+ * (when present) `X-Checkpoint-Ruleset-Hash`.
+ */
+
+declare function renderDecisionAsResponse(result: VerifyResult): RenderedResponse;
+
+export { type BuildAgentRequestOpts, type IncomingHttpLike, type RenderedResponse, type VerifyRequestOpts, buildAgentRequest, extractAgentDid, extractCredentialStatusUrl, extractIssuer, hasMalformedJwsBody, makeVerifyRequest, renderDecisionAsResponse, verifyRequest };