@kya-os/checkpoint-wasm-runtime 1.3.0 → 1.4.1

package/dist/{types-ByrdPLL2.d.ts → types-C3RniIOM.d.mts}

@@ -80,6 +80,34 @@ type BlockReason = {
 } | {
     kind: 'ParseError';
     detail: string;
+}
+/**
+ * Tier-2 IP+UA cross-match against the vendor SSOT (AIVF-1 Path B
+ * / agent-shield#2639). Emitted by `TieredPolicy` when the request
+ * carries both a vendor-published IP and a matching UA pattern.
+ * `tier` is the tier ordinal (`2` for IP+UA cross-match today;
+ * reserved for future Tier-1 cryptographic attribution).
+ * `confidence` is f32 in `[0.0, 1.0]`.
+ */
+ | {
+    kind: 'AgentAttribution';
+    vendor: string;
+    tier: number;
+    confidence: number;
+}
+/**
+ * Tier-3 UA-only pattern match short-circuit (Engine-Tier3-
+ * Ruleset-Wiring-1 / agent-shield#2641). Emitted at Stage 1b when
+ * `EngineConfig.tier3_action == Block` and the request classifies
+ * as KnownAiAgent / AiCrawler / HeadlessBrowser. **Field names are
+ * snake_case on the wire** (no `rename_all` on the Rust enum) —
+ * they mirror the Rust struct field names verbatim.
+ */
+ | {
+    kind: 'Tier3UAMatch';
+    pattern_id: string;
+    pattern_kind: string;
+    confidence: number;
 };
 interface ChallengeParams {
     nonce: string;
@@ -159,6 +187,36 @@ interface ContextSpec {
     tenantDecision: Decision;
     nowUnix: number;
     enforcementMode: EnforcementMode;
+    /**
+     * Engine-default behaviour knobs. Omit, or pass `{}`, to take the
+     * customer-onboarding-safe defaults (Tier-3 in Monitor mode —
+     * tenant policy is the arbiter). See [`EngineConfig`].
+     */
+    config?: EngineConfig;
 }
+/**
+ * Engine-default behaviour knobs the host can opt into. Mirrors the
+ * Rust `kya_os_engine::EngineConfig` shape; deserialised by the WASM
+ * glue with `#[serde(default)]` so an absent / empty `config` resolves
+ * to the safe defaults.
+ */
+interface EngineConfig {
+    /**
+     * Tier-3 (UA-only pattern match) engine-default action. Defaults to
+     * `'monitor'` — Stage 1 classification flows through to the tenant
+     * policy evaluator, but the engine does NOT short-circuit with its
+     * own `Block { Tier3UAMatch }`. Set to `'block'` when the host
+     * wants the engine to emit an engine-default block for known-agent
+     * UAs before the tenant policy seam (e.g., the bench harness or
+     * customers who've reviewed their traffic and want the calibrated
+     * block without writing a tenant-policy rule).
+     */
+    tier3Action?: Tier3Action;
+}
+/**
+ * Tier-3 default action — `'monitor'` (default) lets tenant policy
+ * decide; `'block'` opts into the engine-default short-circuit.
+ */
+type Tier3Action = 'monitor' | 'block';
 
-export type { AgentRequest as A, BlockReason as B, ContextSpec as C, Decision as D, EnforcementMode as E, HttpSignedRequest as H, InstructPayload as I, KeyType as K, McpIRequest as M, PlainHttpRequest as P, RedirectTarget as R, SuggestedAction as S, VerifyResult as V, A2ARequest as a, A2PRequest as b, ChallengeParams as c, DidDocument as d, EngineInfo as e, VerificationMethod as f };
+export type { AgentRequest as A, BlockReason as B, ContextSpec as C, Decision as D, EnforcementMode as E, HttpSignedRequest as H, InstructPayload as I, KeyType as K, McpIRequest as M, PlainHttpRequest as P, RedirectTarget as R, SuggestedAction as S, Tier3Action as T, VerifyResult as V, A2ARequest as a, A2PRequest as b, ChallengeParams as c, DidDocument as d, EngineConfig as e, EngineInfo as f, VerificationMethod as g };

package/dist/{types-ByrdPLL2.d.mts → types-C3RniIOM.d.ts}

@@ -80,6 +80,34 @@ type BlockReason = {
 } | {
     kind: 'ParseError';
     detail: string;
+}
+/**
+ * Tier-2 IP+UA cross-match against the vendor SSOT (AIVF-1 Path B
+ * / agent-shield#2639). Emitted by `TieredPolicy` when the request
+ * carries both a vendor-published IP and a matching UA pattern.
+ * `tier` is the tier ordinal (`2` for IP+UA cross-match today;
+ * reserved for future Tier-1 cryptographic attribution).
+ * `confidence` is f32 in `[0.0, 1.0]`.
+ */
+ | {
+    kind: 'AgentAttribution';
+    vendor: string;
+    tier: number;
+    confidence: number;
+}
+/**
+ * Tier-3 UA-only pattern match short-circuit (Engine-Tier3-
+ * Ruleset-Wiring-1 / agent-shield#2641). Emitted at Stage 1b when
+ * `EngineConfig.tier3_action == Block` and the request classifies
+ * as KnownAiAgent / AiCrawler / HeadlessBrowser. **Field names are
+ * snake_case on the wire** (no `rename_all` on the Rust enum) —
+ * they mirror the Rust struct field names verbatim.
+ */
+ | {
+    kind: 'Tier3UAMatch';
+    pattern_id: string;
+    pattern_kind: string;
+    confidence: number;
 };
 interface ChallengeParams {
     nonce: string;
@@ -159,6 +187,36 @@ interface ContextSpec {
     tenantDecision: Decision;
     nowUnix: number;
     enforcementMode: EnforcementMode;
+    /**
+     * Engine-default behaviour knobs. Omit, or pass `{}`, to take the
+     * customer-onboarding-safe defaults (Tier-3 in Monitor mode —
+     * tenant policy is the arbiter). See [`EngineConfig`].
+     */
+    config?: EngineConfig;
 }
+/**
+ * Engine-default behaviour knobs the host can opt into. Mirrors the
+ * Rust `kya_os_engine::EngineConfig` shape; deserialised by the WASM
+ * glue with `#[serde(default)]` so an absent / empty `config` resolves
+ * to the safe defaults.
+ */
+interface EngineConfig {
+    /**
+     * Tier-3 (UA-only pattern match) engine-default action. Defaults to
+     * `'monitor'` — Stage 1 classification flows through to the tenant
+     * policy evaluator, but the engine does NOT short-circuit with its
+     * own `Block { Tier3UAMatch }`. Set to `'block'` when the host
+     * wants the engine to emit an engine-default block for known-agent
+     * UAs before the tenant policy seam (e.g., the bench harness or
+     * customers who've reviewed their traffic and want the calibrated
+     * block without writing a tenant-policy rule).
+     */
+    tier3Action?: Tier3Action;
+}
+/**
+ * Tier-3 default action — `'monitor'` (default) lets tenant policy
+ * decide; `'block'` opts into the engine-default short-circuit.
+ */
+type Tier3Action = 'monitor' | 'block';
 
-export type { AgentRequest as A, BlockReason as B, ContextSpec as C, Decision as D, EnforcementMode as E, HttpSignedRequest as H, InstructPayload as I, KeyType as K, McpIRequest as M, PlainHttpRequest as P, RedirectTarget as R, SuggestedAction as S, VerifyResult as V, A2ARequest as a, A2PRequest as b, ChallengeParams as c, DidDocument as d, EngineInfo as e, VerificationMethod as f };
+export type { AgentRequest as A, BlockReason as B, ContextSpec as C, Decision as D, EnforcementMode as E, HttpSignedRequest as H, InstructPayload as I, KeyType as K, McpIRequest as M, PlainHttpRequest as P, RedirectTarget as R, SuggestedAction as S, Tier3Action as T, VerifyResult as V, A2ARequest as a, A2PRequest as b, ChallengeParams as c, DidDocument as d, EngineConfig as e, EngineInfo as f, VerificationMethod as g };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kya-os/checkpoint-wasm-runtime",
-  "version": "1.3.0",
+  "version": "1.4.1",
   "description": "Checkpoint WASM runtime for AI agent detection across all environments (formerly @kya-os/agentshield-wasm-runtime)",
   "keywords": [
     "ai",
@@ -66,6 +66,11 @@
       "import": "./dist/engine-edge.mjs",
       "require": "./dist/engine-edge.js"
     },
+    "./engine/node": {
+      "types": "./dist/engine-node.d.ts",
+      "import": "./dist/engine-node.mjs",
+      "require": "./dist/engine-node.js"
+    },
     "./orchestrator": {
       "edge-runtime": {
         "types": "./dist/orchestrator-edge.d.ts",
@@ -104,6 +109,8 @@
     "./wasm/agentshield_wasm_bg.wasm": "./wasm/agentshield_wasm_bg.wasm",
     "./wasm/kya-os-engine/kya_os_engine_bg.wasm": "./wasm/kya-os-engine/kya_os_engine_bg.wasm",
     "./wasm/kya-os-engine-web/kya_os_engine_bg.wasm": "./wasm/kya-os-engine-web/kya_os_engine_bg.wasm",
+    "./wasm/kya-os-engine-bundler/kya_os_engine_bg.wasm": "./wasm/kya-os-engine-bundler/kya_os_engine_bg.wasm",
+    "./wasm/*": "./wasm/*",
     "./package.json": "./package.json"
   },
   "files": [
@@ -125,6 +132,8 @@
     "rimraf": "^5.0.5",
     "tsup": "^8.0.2",
     "typescript": "^5.4.2",
+    "vite-plugin-top-level-await": "^1.6.0",
+    "vite-plugin-wasm": "^3.6.0",
     "vitest": "^1.3.1"
   },
   "publishConfig": {
@@ -148,6 +157,8 @@
     "format:check": "prettier --check \"src/**/*.{ts,tsx,json,md}\"",
     "copy-wasm": "mkdir -p ./wasm && cp ../../rust/crates/agentshield-wasm/pkg/agentshield_wasm_bg.wasm ./wasm/",
     "copy-engine-wasm": "mkdir -p ./wasm/kya-os-engine && cp ../../rust/crates/kya-os-engine/pkg/kya_os_engine_bg.wasm ../../rust/crates/kya-os-engine/pkg/kya_os_engine_bg.wasm.d.ts ../../rust/crates/kya-os-engine/pkg/kya_os_engine.d.ts ../../rust/crates/kya-os-engine/pkg/kya_os_engine.js ./wasm/kya-os-engine/",
-    "copy-engine-wasm-web": "mkdir -p ./wasm/kya-os-engine-web && cp ../../rust/crates/kya-os-engine/pkg-web/kya_os_engine_bg.wasm ../../rust/crates/kya-os-engine/pkg-web/kya_os_engine_bg.wasm.d.ts ../../rust/crates/kya-os-engine/pkg-web/kya_os_engine.d.ts ../../rust/crates/kya-os-engine/pkg-web/kya_os_engine.js ./wasm/kya-os-engine-web/"
+    "copy-engine-wasm-web": "mkdir -p ./wasm/kya-os-engine-web && cp ../../rust/crates/kya-os-engine/pkg-web/kya_os_engine_bg.wasm ../../rust/crates/kya-os-engine/pkg-web/kya_os_engine_bg.wasm.d.ts ../../rust/crates/kya-os-engine/pkg-web/kya_os_engine.d.ts ../../rust/crates/kya-os-engine/pkg-web/kya_os_engine.js ./wasm/kya-os-engine-web/",
+    "copy-engine-wasm-bundler": "mkdir -p ./wasm/kya-os-engine-bundler && cp ../../rust/crates/kya-os-engine/pkg-bundler/kya_os_engine_bg.wasm ../../rust/crates/kya-os-engine/pkg-bundler/kya_os_engine_bg.wasm.d.ts ../../rust/crates/kya-os-engine/pkg-bundler/kya_os_engine_bg.js ../../rust/crates/kya-os-engine/pkg-bundler/kya_os_engine.d.ts ../../rust/crates/kya-os-engine/pkg-bundler/kya_os_engine.js ./wasm/kya-os-engine-bundler/",
+    "wasm:rebuild": "bash ../../rust/scripts/build-engine-wasm.sh"
   }
 }

package/wasm/kya-os-engine/README.md

@@ -0,0 +1,26 @@
+# kya-os-engine
+
+Verification engine for the KYA-OS ecosystem. Every TS / .NET / Go / Python /
+Cloudflare-Workers host wrapper is a thin shim around the WASM or WASI build of
+this crate. ADR-001 (Engine-Centric Consolidation) is the architectural
+decision; the locked public API contract is tracked in D-design
+([issue #2484][issue]) and mirrored at
+[`docs/architecture/D-design-ratification.md`][ratification].
+
+`kya-os-engine` is the root of the dependency graph. It depends on
+nothing from `@kya-os/*`, `agentshield-*`, or `checkpoint-*`; the
+direction is the other way.
+
+The public surface is one function (`verify`), one decision vocabulary (`Decision`
+with five variants — `Permit`, `Block`, `Challenge`, `Redirect`, `Instruct`),
+five dependency-injection traits (`DidResolver`, `StatusListCache`,
+`ReputationOracle`, `PolicyEvaluator`, `Clock`), and one canonical-signing-payload
+helper (`canonical_signing_payload`, RFC 8785 / JCS).
+
+This is the **Layer 1 API lock** (D-design, [issue #2484][issue]). The body of
+`verify()` is `todo!()`; trait methods are stubbed. D-impl
+([issue #2485][impl]) satisfies the contract.
+
+[issue]: https://github.com/Know-That-Ai/agent-shield/issues/2484
+[impl]: https://github.com/Know-That-Ai/agent-shield/issues/2485
+[ratification]: ../../../docs/architecture/D-design-ratification.md

package/wasm/kya-os-engine-bundler/kya_os_engine.js

@@ -0,0 +1,4 @@
+import * as wasm from "./kya_os_engine_bg.wasm";
+export * from "./kya_os_engine_bg.js";
+import { __wbg_set_wasm } from "./kya_os_engine_bg.js";
+__wbg_set_wasm(wasm);

package/wasm/{kya-os-engine/kya_os_engine.js → kya-os-engine-bundler/kya_os_engine_bg.js}

@@ -1,6 +1,8 @@
+let wasm;
+export function __wbg_set_wasm(val) {
+    wasm = val;
+}
 
-let imports = {};
-imports['__wbindgen_placeholder__'] = module.exports;
 
 let cachedUint8ArrayMemory0 = null;
 
@@ -15,7 +17,15 @@ let cachedTextDecoder = new TextDecoder('utf-8', { ignoreBOM: true, fatal: true
 
 cachedTextDecoder.decode();
 
+const MAX_SAFARI_DECODE_BYTES = 2146435072;
+let numBytesDecoded = 0;
 function decodeText(ptr, len) {
+    numBytesDecoded += len;
+    if (numBytesDecoded >= MAX_SAFARI_DECODE_BYTES) {
+        cachedTextDecoder = new TextDecoder('utf-8', { ignoreBOM: true, fatal: true });
+        cachedTextDecoder.decode();
+        numBytesDecoded = len;
+    }
     return cachedTextDecoder.decode(getUint8ArrayMemory0().subarray(ptr, ptr + len));
 }
 
@@ -221,7 +231,7 @@ function takeObject(idx) {
  * @param {any} ctx_js
  * @returns {any}
  */
-exports.verify = function(input_js, ctx_js) {
+export function verify(input_js, ctx_js) {
     try {
         const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
         wasm.verify(retptr, addHeapObject(input_js), addHeapObject(ctx_js));
@@ -235,19 +245,19 @@ exports.verify = function(input_js, ctx_js) {
     } finally {
         wasm.__wbindgen_add_to_stack_pointer(16);
     }
-};
+}
 
-exports.__wbg_Error_e83987f665cf5504 = function(arg0, arg1) {
+export function __wbg_Error_e83987f665cf5504(arg0, arg1) {
     const ret = Error(getStringFromWasm0(arg0, arg1));
     return addHeapObject(ret);
 };
 
-exports.__wbg_Number_bb48ca12f395cd08 = function(arg0) {
+export function __wbg_Number_bb48ca12f395cd08(arg0) {
     const ret = Number(getObject(arg0));
     return ret;
 };
 
-exports.__wbg_String_8f0eb39a4a4c2f66 = function(arg0, arg1) {
+export function __wbg_String_8f0eb39a4a4c2f66(arg0, arg1) {
     const ret = String(getObject(arg1));
     const ptr1 = passStringToWasm0(ret, wasm.__wbindgen_export, wasm.__wbindgen_export2);
     const len1 = WASM_VECTOR_LEN;
@@ -255,20 +265,20 @@ exports.__wbg_String_8f0eb39a4a4c2f66 = function(arg0, arg1) {
     getDataViewMemory0().setInt32(arg0 + 4 * 0, ptr1, true);
 };
 
-exports.__wbg___wbindgen_bigint_get_as_i64_f3ebc5a755000afd = function(arg0, arg1) {
+export function __wbg___wbindgen_bigint_get_as_i64_f3ebc5a755000afd(arg0, arg1) {
     const v = getObject(arg1);
     const ret = typeof(v) === 'bigint' ? v : undefined;
     getDataViewMemory0().setBigInt64(arg0 + 8 * 1, isLikeNone(ret) ? BigInt(0) : ret, true);
     getDataViewMemory0().setInt32(arg0 + 4 * 0, !isLikeNone(ret), true);
 };
 
-exports.__wbg___wbindgen_boolean_get_6d5a1ee65bab5f68 = function(arg0) {
+export function __wbg___wbindgen_boolean_get_6d5a1ee65bab5f68(arg0) {
     const v = getObject(arg0);
     const ret = typeof(v) === 'boolean' ? v : undefined;
     return isLikeNone(ret) ? 0xFFFFFF : ret ? 1 : 0;
 };
 
-exports.__wbg___wbindgen_debug_string_df47ffb5e35e6763 = function(arg0, arg1) {
+export function __wbg___wbindgen_debug_string_df47ffb5e35e6763(arg0, arg1) {
     const ret = debugString(getObject(arg1));
     const ptr1 = passStringToWasm0(ret, wasm.__wbindgen_export, wasm.__wbindgen_export2);
     const len1 = WASM_VECTOR_LEN;
@@ -276,55 +286,55 @@ exports.__wbg___wbindgen_debug_string_df47ffb5e35e6763 = function(arg0, arg1) {
     getDataViewMemory0().setInt32(arg0 + 4 * 0, ptr1, true);
 };
 
-exports.__wbg___wbindgen_in_bb933bd9e1b3bc0f = function(arg0, arg1) {
+export function __wbg___wbindgen_in_bb933bd9e1b3bc0f(arg0, arg1) {
     const ret = getObject(arg0) in getObject(arg1);
     return ret;
 };
 
-exports.__wbg___wbindgen_is_bigint_cb320707dcd35f0b = function(arg0) {
+export function __wbg___wbindgen_is_bigint_cb320707dcd35f0b(arg0) {
     const ret = typeof(getObject(arg0)) === 'bigint';
     return ret;
 };
 
-exports.__wbg___wbindgen_is_function_ee8a6c5833c90377 = function(arg0) {
+export function __wbg___wbindgen_is_function_ee8a6c5833c90377(arg0) {
     const ret = typeof(getObject(arg0)) === 'function';
     return ret;
 };
 
-exports.__wbg___wbindgen_is_object_c818261d21f283a4 = function(arg0) {
+export function __wbg___wbindgen_is_object_c818261d21f283a4(arg0) {
     const val = getObject(arg0);
     const ret = typeof(val) === 'object' && val !== null;
     return ret;
 };
 
-exports.__wbg___wbindgen_is_string_fbb76cb2940daafd = function(arg0) {
+export function __wbg___wbindgen_is_string_fbb76cb2940daafd(arg0) {
     const ret = typeof(getObject(arg0)) === 'string';
     return ret;
 };
 
-exports.__wbg___wbindgen_is_undefined_2d472862bd29a478 = function(arg0) {
+export function __wbg___wbindgen_is_undefined_2d472862bd29a478(arg0) {
     const ret = getObject(arg0) === undefined;
     return ret;
 };
 
-exports.__wbg___wbindgen_jsval_eq_6b13ab83478b1c50 = function(arg0, arg1) {
+export function __wbg___wbindgen_jsval_eq_6b13ab83478b1c50(arg0, arg1) {
     const ret = getObject(arg0) === getObject(arg1);
     return ret;
 };
 
-exports.__wbg___wbindgen_jsval_loose_eq_b664b38a2f582147 = function(arg0, arg1) {
+export function __wbg___wbindgen_jsval_loose_eq_b664b38a2f582147(arg0, arg1) {
     const ret = getObject(arg0) == getObject(arg1);
     return ret;
 };
 
-exports.__wbg___wbindgen_number_get_a20bf9b85341449d = function(arg0, arg1) {
+export function __wbg___wbindgen_number_get_a20bf9b85341449d(arg0, arg1) {
     const obj = getObject(arg1);
     const ret = typeof(obj) === 'number' ? obj : undefined;
     getDataViewMemory0().setFloat64(arg0 + 8 * 1, isLikeNone(ret) ? 0 : ret, true);
     getDataViewMemory0().setInt32(arg0 + 4 * 0, !isLikeNone(ret), true);
 };
 
-exports.__wbg___wbindgen_string_get_e4f06c90489ad01b = function(arg0, arg1) {
+export function __wbg___wbindgen_string_get_e4f06c90489ad01b(arg0, arg1) {
     const obj = getObject(arg1);
     const ret = typeof(obj) === 'string' ? obj : undefined;
     var ptr1 = isLikeNone(ret) ? 0 : passStringToWasm0(ret, wasm.__wbindgen_export, wasm.__wbindgen_export2);
@@ -333,41 +343,41 @@ exports.__wbg___wbindgen_string_get_e4f06c90489ad01b = function(arg0, arg1) {
     getDataViewMemory0().setInt32(arg0 + 4 * 0, ptr1, true);
 };
 
-exports.__wbg___wbindgen_throw_b855445ff6a94295 = function(arg0, arg1) {
+export function __wbg___wbindgen_throw_b855445ff6a94295(arg0, arg1) {
     throw new Error(getStringFromWasm0(arg0, arg1));
 };
 
-exports.__wbg_call_e762c39fa8ea36bf = function() { return handleError(function (arg0, arg1) {
+export function __wbg_call_e762c39fa8ea36bf() { return handleError(function (arg0, arg1) {
     const ret = getObject(arg0).call(getObject(arg1));
     return addHeapObject(ret);
 }, arguments) };
 
-exports.__wbg_done_2042aa2670fb1db1 = function(arg0) {
+export function __wbg_done_2042aa2670fb1db1(arg0) {
     const ret = getObject(arg0).done;
     return ret;
 };
 
-exports.__wbg_entries_e171b586f8f6bdbf = function(arg0) {
+export function __wbg_entries_e171b586f8f6bdbf(arg0) {
     const ret = Object.entries(getObject(arg0));
     return addHeapObject(ret);
 };
 
-exports.__wbg_get_7bed016f185add81 = function(arg0, arg1) {
+export function __wbg_get_7bed016f185add81(arg0, arg1) {
     const ret = getObject(arg0)[arg1 >>> 0];
     return addHeapObject(ret);
 };
 
-exports.__wbg_get_efcb449f58ec27c2 = function() { return handleError(function (arg0, arg1) {
+export function __wbg_get_efcb449f58ec27c2() { return handleError(function (arg0, arg1) {
     const ret = Reflect.get(getObject(arg0), getObject(arg1));
     return addHeapObject(ret);
 }, arguments) };
 
-exports.__wbg_get_with_ref_key_1dc361bd10053bfe = function(arg0, arg1) {
+export function __wbg_get_with_ref_key_1dc361bd10053bfe(arg0, arg1) {
     const ret = getObject(arg0)[getObject(arg1)];
     return addHeapObject(ret);
 };
 
-exports.__wbg_instanceof_ArrayBuffer_70beb1189ca63b38 = function(arg0) {
+export function __wbg_instanceof_ArrayBuffer_70beb1189ca63b38(arg0) {
     let result;
     try {
         result = getObject(arg0) instanceof ArrayBuffer;
@@ -378,7 +388,7 @@ exports.__wbg_instanceof_ArrayBuffer_70beb1189ca63b38 = function(arg0) {
     return ret;
 };
 
-exports.__wbg_instanceof_Map_8579b5e2ab5437c7 = function(arg0) {
+export function __wbg_instanceof_Map_8579b5e2ab5437c7(arg0) {
     let result;
     try {
         result = getObject(arg0) instanceof Map;
@@ -389,7 +399,7 @@ exports.__wbg_instanceof_Map_8579b5e2ab5437c7 = function(arg0) {
     return ret;
 };
 
-exports.__wbg_instanceof_Uint8Array_20c8e73002f7af98 = function(arg0) {
+export function __wbg_instanceof_Uint8Array_20c8e73002f7af98(arg0) {
     let result;
     try {
         result = getObject(arg0) instanceof Uint8Array;
@@ -400,118 +410,113 @@ exports.__wbg_instanceof_Uint8Array_20c8e73002f7af98 = function(arg0) {
     return ret;
 };
 
-exports.__wbg_isArray_96e0af9891d0945d = function(arg0) {
+export function __wbg_isArray_96e0af9891d0945d(arg0) {
     const ret = Array.isArray(getObject(arg0));
     return ret;
 };
 
-exports.__wbg_isSafeInteger_d216eda7911dde36 = function(arg0) {
+export function __wbg_isSafeInteger_d216eda7911dde36(arg0) {
     const ret = Number.isSafeInteger(getObject(arg0));
     return ret;
 };
 
-exports.__wbg_iterator_e5822695327a3c39 = function() {
+export function __wbg_iterator_e5822695327a3c39() {
     const ret = Symbol.iterator;
     return addHeapObject(ret);
 };
 
-exports.__wbg_length_69bca3cb64fc8748 = function(arg0) {
+export function __wbg_length_69bca3cb64fc8748(arg0) {
     const ret = getObject(arg0).length;
     return ret;
 };
 
-exports.__wbg_length_cdd215e10d9dd507 = function(arg0) {
+export function __wbg_length_cdd215e10d9dd507(arg0) {
     const ret = getObject(arg0).length;
     return ret;
 };
 
-exports.__wbg_new_1acc0b6eea89d040 = function() {
+export function __wbg_new_1acc0b6eea89d040() {
     const ret = new Object();
     return addHeapObject(ret);
 };
 
-exports.__wbg_new_5a79be3ab53b8aa5 = function(arg0) {
+export function __wbg_new_5a79be3ab53b8aa5(arg0) {
     const ret = new Uint8Array(getObject(arg0));
     return addHeapObject(ret);
 };
 
-exports.__wbg_new_68651c719dcda04e = function() {
+export function __wbg_new_68651c719dcda04e() {
     const ret = new Map();
     return addHeapObject(ret);
 };
 
-exports.__wbg_new_e17d9f43105b08be = function() {
+export function __wbg_new_e17d9f43105b08be() {
     const ret = new Array();
     return addHeapObject(ret);
 };
 
-exports.__wbg_next_020810e0ae8ebcb0 = function() { return handleError(function (arg0) {
+export function __wbg_next_020810e0ae8ebcb0() { return handleError(function (arg0) {
     const ret = getObject(arg0).next();
     return addHeapObject(ret);
 }, arguments) };
 
-exports.__wbg_next_2c826fe5dfec6b6a = function(arg0) {
+export function __wbg_next_2c826fe5dfec6b6a(arg0) {
     const ret = getObject(arg0).next;
     return addHeapObject(ret);
 };
 
-exports.__wbg_prototypesetcall_2a6620b6922694b2 = function(arg0, arg1, arg2) {
+export function __wbg_prototypesetcall_2a6620b6922694b2(arg0, arg1, arg2) {
     Uint8Array.prototype.set.call(getArrayU8FromWasm0(arg0, arg1), getObject(arg2));
 };
 
-exports.__wbg_set_3f1d0b984ed272ed = function(arg0, arg1, arg2) {
+export function __wbg_set_3f1d0b984ed272ed(arg0, arg1, arg2) {
     getObject(arg0)[takeObject(arg1)] = takeObject(arg2);
 };
 
-exports.__wbg_set_907fb406c34a251d = function(arg0, arg1, arg2) {
+export function __wbg_set_907fb406c34a251d(arg0, arg1, arg2) {
     const ret = getObject(arg0).set(getObject(arg1), getObject(arg2));
     return addHeapObject(ret);
 };
 
-exports.__wbg_set_c213c871859d6500 = function(arg0, arg1, arg2) {
+export function __wbg_set_c213c871859d6500(arg0, arg1, arg2) {
     getObject(arg0)[arg1 >>> 0] = takeObject(arg2);
 };
 
-exports.__wbg_value_692627309814bb8c = function(arg0) {
+export function __wbg_value_692627309814bb8c(arg0) {
     const ret = getObject(arg0).value;
     return addHeapObject(ret);
 };
 
-exports.__wbindgen_cast_2241b6af4c4b2941 = function(arg0, arg1) {
+export function __wbindgen_cast_2241b6af4c4b2941(arg0, arg1) {
     // Cast intrinsic for `Ref(String) -> Externref`.
     const ret = getStringFromWasm0(arg0, arg1);
     return addHeapObject(ret);
 };
 
-exports.__wbindgen_cast_4625c577ab2ec9ee = function(arg0) {
+export function __wbindgen_cast_4625c577ab2ec9ee(arg0) {
     // Cast intrinsic for `U64 -> Externref`.
     const ret = BigInt.asUintN(64, arg0);
     return addHeapObject(ret);
 };
 
-exports.__wbindgen_cast_9ae0607507abb057 = function(arg0) {
+export function __wbindgen_cast_9ae0607507abb057(arg0) {
     // Cast intrinsic for `I64 -> Externref`.
     const ret = arg0;
     return addHeapObject(ret);
 };
 
-exports.__wbindgen_cast_d6cd19b81560fd6e = function(arg0) {
+export function __wbindgen_cast_d6cd19b81560fd6e(arg0) {
     // Cast intrinsic for `F64 -> Externref`.
     const ret = arg0;
     return addHeapObject(ret);
 };
 
-exports.__wbindgen_object_clone_ref = function(arg0) {
+export function __wbindgen_object_clone_ref(arg0) {
     const ret = getObject(arg0);
     return addHeapObject(ret);
 };
 
-exports.__wbindgen_object_drop_ref = function(arg0) {
+export function __wbindgen_object_drop_ref(arg0) {
     takeObject(arg0);
 };
 
-const wasmPath = `${__dirname}/kya_os_engine_bg.wasm`;
-const wasmBytes = require('fs').readFileSync(wasmPath);
-const wasmModule = new WebAssembly.Module(wasmBytes);
-const wasm = exports.__wasm = new WebAssembly.Instance(wasmModule, imports).exports;
-

package/wasm/kya-os-engine-web/README.md

@@ -0,0 +1,26 @@
+# kya-os-engine
+
+Verification engine for the KYA-OS ecosystem. Every TS / .NET / Go / Python /
+Cloudflare-Workers host wrapper is a thin shim around the WASM or WASI build of
+this crate. ADR-001 (Engine-Centric Consolidation) is the architectural
+decision; the locked public API contract is tracked in D-design
+([issue #2484][issue]) and mirrored at
+[`docs/architecture/D-design-ratification.md`][ratification].
+
+`kya-os-engine` is the root of the dependency graph. It depends on
+nothing from `@kya-os/*`, `agentshield-*`, or `checkpoint-*`; the
+direction is the other way.
+
+The public surface is one function (`verify`), one decision vocabulary (`Decision`
+with five variants — `Permit`, `Block`, `Challenge`, `Redirect`, `Instruct`),
+five dependency-injection traits (`DidResolver`, `StatusListCache`,
+`ReputationOracle`, `PolicyEvaluator`, `Clock`), and one canonical-signing-payload
+helper (`canonical_signing_payload`, RFC 8785 / JCS).
+
+This is the **Layer 1 API lock** (D-design, [issue #2484][issue]). The body of
+`verify()` is `todo!()`; trait methods are stubbed. D-impl
+([issue #2485][impl]) satisfies the contract.
+
+[issue]: https://github.com/Know-That-Ai/agent-shield/issues/2484
+[impl]: https://github.com/Know-That-Ai/agent-shield/issues/2485
+[ratification]: ../../../docs/architecture/D-design-ratification.md