@kya-os/checkpoint-wasm-runtime 1.2.0 → 1.4.0

package/dist/orchestrator-node.d.ts

@@ -1,4 +1,4 @@
-import { d as DidDocument, D as Decision, E as EnforcementMode, V as VerifyResult, A as AgentRequest } from './types-ByrdPLL2.js';
+import { d as DidDocument, D as Decision, E as EnforcementMode, A as AgentRequest, C as ContextSpec, V as VerifyResult, e as EngineConfig } from './types-KPEcVvac.js';
 import '@kya-os/checkpoint-shared';
 
 /**
@@ -116,15 +116,6 @@ interface ClockAdapter {
     nowUnix(): number;
 }
 
-/**
- * Orchestrator-layer types — Phase C, host-side only.
- *
- * Nothing here crosses the WASM boundary. The engine ABI types live
- * in `../types.ts`; the adapter interfaces live in
- * `../adapters/index.ts`. This file is the host-wrapper-facing
- * surface — what Phase D (Next.js) and Phase E (Express) import.
- */
-
 /**
  * Framework-agnostic HTTP request shape.
  *
@@ -181,6 +172,29 @@ interface VerifyRequestOpts {
     argusUrl?: string;
     /** Injectable for the once-only Argus configuration warning. */
     logger?: (msg: string) => void;
+    /**
+     * Override the engine WASM-bridge function used during the sync
+     * `verify()` call. Defaults to the wasm-bindgen `--target bundler`
+     * variant imported by `./verify-request.ts` from `'../index'`.
+     *
+     * The `./orchestrator/node` subpath (SDK-Next.js-Integration-Audit-1
+     * / #2618 safety net) injects the `--target nodejs` variant here so
+     * Webpack-without-asyncWebAssembly consumers don't transitively pull
+     * the bundler artifact through the orchestrator's verify call.
+     */
+    engineVerifyFn?: (input: AgentRequest, ctx: ContextSpec) => VerifyResult;
+    /**
+     * Engine-default behaviour knobs forwarded onto every composed
+     * `ContextSpec`. Defaults to `{ tier3Action: 'monitor' }` so a host
+     * installing `@kya-os/checkpoint-*` with minimal config preserves
+     * 1.3.0 behaviour — tenant policy is the arbiter, the engine does
+     * not short-circuit known-agent UAs with an engine-default Block.
+     *
+     * Host wrappers that want the calibrated engine-default block opt
+     * into `{ tier3Action: 'block' }`. The bench harness is the
+     * canonical opt-in consumer. See the wasm-runtime 1.4.0 CHANGELOG.
+     */
+    engineConfig?: EngineConfig;
 }
 /**
  * Transport-agnostic response shape `renderDecisionAsResponse`
@@ -199,48 +213,6 @@ interface RenderedResponse {
     body?: string | object;
 }
 
-/**
- * `verifyRequest` async orchestrator — Phase C.2.
- *
- * The single entry point Phase D (Next.js) and Phase E (Express)
- * compose. Async pre-fetch on the host side; one sync `engineVerify`
- * call across the WASM boundary. Sync-engine / async-host invariant
- * (H-1 § 4.5) preserved.
- *
- * Orchestration:
- *   1. Translate HTTP → AgentRequest (no engine I/O).
- *   2. Extract identifiers (issuer DID, agent DID, status-list URL).
- *   3. Conditional Promise.all over the *applicable* adapters —
- *      anonymous PlainHttp gets no network calls; signed MCP-I gets
- *      DID + status-list + reputation in parallel.
- *   4. Translate adapter errors to verdicts where the architect-
- *      ratified posture says so:
- *        - DidResolver throw  → Block(ParseError) verdict
- *        - StatusListCache throw → re-throw (host renders 503)
- *        - Reputation throw   → impossible (Phase B § 4.5)
- *   5. Compute the tenant Decision via PolicyEvaluator over the
- *      resolved reputation.
- *   6. Build ContextSpec, call `engineVerify`, return VerifyResult.
- *
- * Cedar-1 forward-compat: step (5) is the only place the
- * PolicyEvaluator interface gets exercised. When Cedar-1 swaps
- * implementations, this orchestrator does not change.
- */
-
-/**
- * Factory — constructs a `verifyRequest` closure that remembers the
- * one-shot Argus-not-configured warning state. Use this when the
- * host wrapper wants the startup log; call `verifyRequest` directly
- * (the loose function below) if you don't.
- */
-declare function makeVerifyRequest(opts: VerifyRequestOpts): (req: IncomingHttpLike) => Promise<VerifyResult>;
-/**
- * Single-shot async entry. Use [`makeVerifyRequest`] in long-lived
- * hosts (so the Argus warning is one-shot per process); use this
- * loose form in tests + one-off invocations.
- */
-declare function verifyRequest(req: IncomingHttpLike, opts: VerifyRequestOpts): Promise<VerifyResult>;
-
 /**
  * HTTP-to-`AgentRequest` translator — Phase C.1.
  *
@@ -354,4 +326,40 @@ declare function extractCredentialStatusUrl(request: AgentRequest): string | nul
 
 declare function renderDecisionAsResponse(result: VerifyResult): RenderedResponse;
 
+/**
+ * Node-runtime orchestrator entry — SDK-Next.js-Integration-Audit-1
+ * (#2618) safety net.
+ *
+ * Bundler-safe variant of `./index.ts` (the runtime-agnostic barrel)
+ * for consumers running Webpack-class bundlers WITHOUT the
+ * `experiments.asyncWebAssembly` flag — or raw Node ESM without any
+ * bundler.
+ *
+ * **Why this exists:** `./index.ts` binds `verifyRequest` /
+ * `makeVerifyRequest` to the wasm-bindgen `--target bundler`
+ * `engineVerify`. The bundler artifact's `.wasm` entry uses
+ * `import * as wasm from "./*.wasm"` which Turbopack, Vite, esbuild,
+ * and Webpack-with-asyncWebAssembly handle natively — but legacy
+ * Webpack setups parse the static `.wasm` import as JavaScript and
+ * fail with `Unexpected character`. This entry binds the
+ * `--target nodejs` `engineVerify` instead (CJS `fs.readFileSync`
+ * inside the glue, no bundler involvement) so legacy Webpack
+ * consumers + raw Node ESM both work.
+ *
+ * **Routing:** the package's `exports` map's `"node"` condition on
+ * `./orchestrator` routes here for any bundler that respects the
+ * standard Node export condition (Next.js + Turbopack ≥16, webpack
+ * ≥5, esbuild, Vite, Bun). Consumers under the `"edge-runtime"` /
+ * `"browser"` conditions continue to route to `orchestrator-edge.mjs`
+ * (unchanged).
+ *
+ * **Public surface preserved.** Every export Node consumers actually
+ * use is re-exported here. The Edge-only exports (`verifyRequestEdge`,
+ * `makeVerifyRequestEdge`, `initEngineEdge`) are NOT included — Node
+ * consumers that explicitly need the Edge variant should import from
+ * `@kya-os/checkpoint-wasm-runtime/orchestrator/edge` directly.
+ */
+declare const verifyRequest: (req: IncomingHttpLike, opts: VerifyRequestOpts) => Promise<VerifyResult>;
+declare const makeVerifyRequest: (opts: VerifyRequestOpts) => (req: IncomingHttpLike) => Promise<VerifyResult>;
+
 export { type BuildAgentRequestOpts, type IncomingHttpLike, type RenderedResponse, type VerifyRequestOpts, buildAgentRequest, extractAgentDid, extractCredentialStatusUrl, extractIssuer, hasMalformedJwsBody, makeVerifyRequest, renderDecisionAsResponse, verifyRequest };