@kya-os/checkpoint-wasm-runtime 1.5.0 → 1.6.0

package/wasm/kya-os-engine-cedar/kya_os_engine.js

@@ -0,0 +1,636 @@
+let imports = {};
+imports['__wbindgen_placeholder__'] = module.exports;
+
+let cachedUint8ArrayMemory0 = null;
+
+function getUint8ArrayMemory0() {
+  if (cachedUint8ArrayMemory0 === null || cachedUint8ArrayMemory0.byteLength === 0) {
+    cachedUint8ArrayMemory0 = new Uint8Array(wasm.memory.buffer);
+  }
+  return cachedUint8ArrayMemory0;
+}
+
+let cachedTextDecoder = new TextDecoder('utf-8', { ignoreBOM: true, fatal: true });
+
+cachedTextDecoder.decode();
+
+function decodeText(ptr, len) {
+  return cachedTextDecoder.decode(getUint8ArrayMemory0().subarray(ptr, ptr + len));
+}
+
+function getStringFromWasm0(ptr, len) {
+  ptr = ptr >>> 0;
+  return decodeText(ptr, len);
+}
+
+let heap = new Array(128).fill(undefined);
+
+heap.push(undefined, null, true, false);
+
+let heap_next = heap.length;
+
+function addHeapObject(obj) {
+  if (heap_next === heap.length) heap.push(heap.length + 1);
+  const idx = heap_next;
+  heap_next = heap[idx];
+
+  heap[idx] = obj;
+  return idx;
+}
+
+function getObject(idx) {
+  return heap[idx];
+}
+
+let WASM_VECTOR_LEN = 0;
+
+const cachedTextEncoder = new TextEncoder();
+
+if (!('encodeInto' in cachedTextEncoder)) {
+  cachedTextEncoder.encodeInto = function (arg, view) {
+    const buf = cachedTextEncoder.encode(arg);
+    view.set(buf);
+    return {
+      read: arg.length,
+      written: buf.length,
+    };
+  };
+}
+
+function passStringToWasm0(arg, malloc, realloc) {
+  if (realloc === undefined) {
+    const buf = cachedTextEncoder.encode(arg);
+    const ptr = malloc(buf.length, 1) >>> 0;
+    getUint8ArrayMemory0()
+      .subarray(ptr, ptr + buf.length)
+      .set(buf);
+    WASM_VECTOR_LEN = buf.length;
+    return ptr;
+  }
+
+  let len = arg.length;
+  let ptr = malloc(len, 1) >>> 0;
+
+  const mem = getUint8ArrayMemory0();
+
+  let offset = 0;
+
+  for (; offset < len; offset++) {
+    const code = arg.charCodeAt(offset);
+    if (code > 0x7f) break;
+    mem[ptr + offset] = code;
+  }
+
+  if (offset !== len) {
+    if (offset !== 0) {
+      arg = arg.slice(offset);
+    }
+    ptr = realloc(ptr, len, (len = offset + arg.length * 3), 1) >>> 0;
+    const view = getUint8ArrayMemory0().subarray(ptr + offset, ptr + len);
+    const ret = cachedTextEncoder.encodeInto(arg, view);
+
+    offset += ret.written;
+    ptr = realloc(ptr, len, offset, 1) >>> 0;
+  }
+
+  WASM_VECTOR_LEN = offset;
+  return ptr;
+}
+
+let cachedDataViewMemory0 = null;
+
+function getDataViewMemory0() {
+  if (
+    cachedDataViewMemory0 === null ||
+    cachedDataViewMemory0.buffer.detached === true ||
+    (cachedDataViewMemory0.buffer.detached === undefined &&
+      cachedDataViewMemory0.buffer !== wasm.memory.buffer)
+  ) {
+    cachedDataViewMemory0 = new DataView(wasm.memory.buffer);
+  }
+  return cachedDataViewMemory0;
+}
+
+function isLikeNone(x) {
+  return x === undefined || x === null;
+}
+
+function debugString(val) {
+  // primitive types
+  const type = typeof val;
+  if (type == 'number' || type == 'boolean' || val == null) {
+    return `${val}`;
+  }
+  if (type == 'string') {
+    return `"${val}"`;
+  }
+  if (type == 'symbol') {
+    const description = val.description;
+    if (description == null) {
+      return 'Symbol';
+    } else {
+      return `Symbol(${description})`;
+    }
+  }
+  if (type == 'function') {
+    const name = val.name;
+    if (typeof name == 'string' && name.length > 0) {
+      return `Function(${name})`;
+    } else {
+      return 'Function';
+    }
+  }
+  // objects
+  if (Array.isArray(val)) {
+    const length = val.length;
+    let debug = '[';
+    if (length > 0) {
+      debug += debugString(val[0]);
+    }
+    for (let i = 1; i < length; i++) {
+      debug += ', ' + debugString(val[i]);
+    }
+    debug += ']';
+    return debug;
+  }
+  // Test for built-in
+  const builtInMatches = /\[object ([^\]]+)\]/.exec(toString.call(val));
+  let className;
+  if (builtInMatches && builtInMatches.length > 1) {
+    className = builtInMatches[1];
+  } else {
+    // Failed to match the standard '[object ClassName]'
+    return toString.call(val);
+  }
+  if (className == 'Object') {
+    // we're a user defined class or Object
+    // JSON.stringify avoids problems with cycles, and is generally much
+    // easier than looping through ownProperties of `val`.
+    try {
+      return 'Object(' + JSON.stringify(val) + ')';
+    } catch (_) {
+      return 'Object';
+    }
+  }
+  // errors
+  if (val instanceof Error) {
+    return `${val.name}: ${val.message}\n${val.stack}`;
+  }
+  // TODO we could test for more things here, like `Set`s and `Map`s.
+  return className;
+}
+
+function handleError(f, args) {
+  try {
+    return f.apply(this, args);
+  } catch (e) {
+    wasm.__wbindgen_export3(addHeapObject(e));
+  }
+}
+
+function getArrayU8FromWasm0(ptr, len) {
+  ptr = ptr >>> 0;
+  return getUint8ArrayMemory0().subarray(ptr / 1, ptr / 1 + len);
+}
+
+function dropObject(idx) {
+  if (idx < 132) return;
+  heap[idx] = heap_next;
+  heap_next = idx;
+}
+
+function takeObject(idx) {
+  const ret = getObject(idx);
+  dropObject(idx);
+  return ret;
+}
+/**
+ * Cross-boundary `verify` wrapper. The JS host calls `engine.verify(input,
+ * ctxSpec)`; on success it gets a [`VerifyResult`] JSON object; on
+ * infrastructure failure (or malformed input) it gets a thrown JS error
+ * whose message names the failure mode.
+ *
+ * **Error semantics**:
+ *
+ * - Verification *verdicts* (Block/Challenge/etc.) surface inside the
+ *   returned `VerifyResult` — they are not thrown.
+ * - Engine [`VerifyError`][crate::error::VerifyError] (resolver / cache /
+ *   reputation / policy infra failures) surface as thrown JS errors.
+ * - Serde deserialisation failures (malformed JS input) surface as thrown
+ *   JS errors too, mirroring the typed-vs-thrown split.
+ *
+ * # JS signature
+ *
+ * ```ts
+ * function verify(input: AgentRequest, ctx: ContextSpec): VerifyResult;
+ * ```
+ * @param {any} input_js
+ * @param {any} ctx_js
+ * @returns {any}
+ */
+exports.verify = function (input_js, ctx_js) {
+  try {
+    const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
+    wasm.verify(retptr, addHeapObject(input_js), addHeapObject(ctx_js));
+    var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
+    var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
+    var r2 = getDataViewMemory0().getInt32(retptr + 4 * 2, true);
+    if (r2) {
+      throw takeObject(r1);
+    }
+    return takeObject(r0);
+  } finally {
+    wasm.__wbindgen_add_to_stack_pointer(16);
+  }
+};
+
+const PolicyEvaluatorFinalization =
+  typeof FinalizationRegistry === 'undefined'
+    ? { register: () => {}, unregister: () => {} }
+    : new FinalizationRegistry((ptr) => wasm.__wbg_policyevaluator_free(ptr >>> 0, 1));
+/**
+ * Cross-boundary handle to a compiled Cedar policy bundle.
+ *
+ * Wraps a [`CedarPolicyEvaluator`] so a JS host can compile a tenant
+ * policy once and authorize many requests against it. Construction
+ * compiles the bundle; each [`authorize`][Self::authorize] call evaluates
+ * a single owned request and never re-parses policy text.
+ */
+class PolicyEvaluator {
+  __destroy_into_raw() {
+    const ptr = this.__wbg_ptr;
+    this.__wbg_ptr = 0;
+    PolicyEvaluatorFinalization.unregister(this);
+    return ptr;
+  }
+
+  free() {
+    const ptr = this.__destroy_into_raw();
+    wasm.__wbg_policyevaluator_free(ptr, 0);
+  }
+  /**
+   * Compile `policy_text` into a reusable evaluator.
+   *
+   * The Cedar policy bundle is parsed and compiled exactly once here;
+   * the resulting evaluator is held for the lifetime of the handle and
+   * reused by every [`authorize`][Self::authorize] call.
+   *
+   * # Errors
+   *
+   * Returns a thrown JS error whose message names the failure when
+   * `policy_text` is not syntactically valid Cedar
+   * ([`PolicyEvaluationError::Malformed`][crate::error::PolicyEvaluationError::Malformed]).
+   * A malformed bundle is an infrastructure fault surfaced at
+   * construction, never as a per-request deny.
+   * @param {string} policy_text
+   */
+  constructor(policy_text) {
+    try {
+      const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
+      const ptr0 = passStringToWasm0(policy_text, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+      const len0 = WASM_VECTOR_LEN;
+      wasm.policyevaluator_new(retptr, ptr0, len0);
+      var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
+      var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
+      var r2 = getDataViewMemory0().getInt32(retptr + 4 * 2, true);
+      if (r2) {
+        throw takeObject(r1);
+      }
+      this.__wbg_ptr = r0 >>> 0;
+      PolicyEvaluatorFinalization.register(this, this.__wbg_ptr, this);
+      return this;
+    } finally {
+      wasm.__wbindgen_add_to_stack_pointer(16);
+    }
+  }
+  /**
+   * Authorize one owned request against the compiled policy bundle.
+   *
+   * The JS host calls `evaluator.authorize(input)` with an
+   * [`AuthorizeInput`]-shaped object (camelCase keys); it gets back a
+   * [`Decision`][crate::types::Decision] JSON object. The evaluator owns
+   * the fail-closed posture — a request it cannot marshal, or one
+   * matching no `permit`, comes back as a
+   * [`Decision::Block`][crate::types::Decision::Block], not a thrown
+   * error.
+   *
+   * # Errors
+   *
+   * Returns a thrown JS error only for boundary faults: a malformed
+   * `input_js` that fails [`AuthorizeInput`] deserialisation, or a
+   * failure serialising the resulting `Decision`. Authorization
+   * *verdicts* never throw — they surface inside the returned value.
+   *
+   * # JS signature
+   *
+   * ```ts
+   * authorize(input: AuthorizeInput): Decision;
+   * ```
+   * @param {any} input_js
+   * @returns {any}
+   */
+  authorize(input_js) {
+    try {
+      const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
+      wasm.policyevaluator_authorize(retptr, this.__wbg_ptr, addHeapObject(input_js));
+      var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
+      var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
+      var r2 = getDataViewMemory0().getInt32(retptr + 4 * 2, true);
+      if (r2) {
+        throw takeObject(r1);
+      }
+      return takeObject(r0);
+    } finally {
+      wasm.__wbindgen_add_to_stack_pointer(16);
+    }
+  }
+}
+if (Symbol.dispose) PolicyEvaluator.prototype[Symbol.dispose] = PolicyEvaluator.prototype.free;
+
+exports.PolicyEvaluator = PolicyEvaluator;
+
+exports.__wbg_Error_e83987f665cf5504 = function (arg0, arg1) {
+  const ret = Error(getStringFromWasm0(arg0, arg1));
+  return addHeapObject(ret);
+};
+
+exports.__wbg_Number_bb48ca12f395cd08 = function (arg0) {
+  const ret = Number(getObject(arg0));
+  return ret;
+};
+
+exports.__wbg_String_8f0eb39a4a4c2f66 = function (arg0, arg1) {
+  const ret = String(getObject(arg1));
+  const ptr1 = passStringToWasm0(ret, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+  const len1 = WASM_VECTOR_LEN;
+  getDataViewMemory0().setInt32(arg0 + 4 * 1, len1, true);
+  getDataViewMemory0().setInt32(arg0 + 4 * 0, ptr1, true);
+};
+
+exports.__wbg___wbindgen_bigint_get_as_i64_f3ebc5a755000afd = function (arg0, arg1) {
+  const v = getObject(arg1);
+  const ret = typeof v === 'bigint' ? v : undefined;
+  getDataViewMemory0().setBigInt64(arg0 + 8 * 1, isLikeNone(ret) ? BigInt(0) : ret, true);
+  getDataViewMemory0().setInt32(arg0 + 4 * 0, !isLikeNone(ret), true);
+};
+
+exports.__wbg___wbindgen_boolean_get_6d5a1ee65bab5f68 = function (arg0) {
+  const v = getObject(arg0);
+  const ret = typeof v === 'boolean' ? v : undefined;
+  return isLikeNone(ret) ? 0xffffff : ret ? 1 : 0;
+};
+
+exports.__wbg___wbindgen_debug_string_df47ffb5e35e6763 = function (arg0, arg1) {
+  const ret = debugString(getObject(arg1));
+  const ptr1 = passStringToWasm0(ret, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+  const len1 = WASM_VECTOR_LEN;
+  getDataViewMemory0().setInt32(arg0 + 4 * 1, len1, true);
+  getDataViewMemory0().setInt32(arg0 + 4 * 0, ptr1, true);
+};
+
+exports.__wbg___wbindgen_in_bb933bd9e1b3bc0f = function (arg0, arg1) {
+  const ret = getObject(arg0) in getObject(arg1);
+  return ret;
+};
+
+exports.__wbg___wbindgen_is_bigint_cb320707dcd35f0b = function (arg0) {
+  const ret = typeof getObject(arg0) === 'bigint';
+  return ret;
+};
+
+exports.__wbg___wbindgen_is_function_ee8a6c5833c90377 = function (arg0) {
+  const ret = typeof getObject(arg0) === 'function';
+  return ret;
+};
+
+exports.__wbg___wbindgen_is_object_c818261d21f283a4 = function (arg0) {
+  const val = getObject(arg0);
+  const ret = typeof val === 'object' && val !== null;
+  return ret;
+};
+
+exports.__wbg___wbindgen_is_string_fbb76cb2940daafd = function (arg0) {
+  const ret = typeof getObject(arg0) === 'string';
+  return ret;
+};
+
+exports.__wbg___wbindgen_is_undefined_2d472862bd29a478 = function (arg0) {
+  const ret = getObject(arg0) === undefined;
+  return ret;
+};
+
+exports.__wbg___wbindgen_jsval_eq_6b13ab83478b1c50 = function (arg0, arg1) {
+  const ret = getObject(arg0) === getObject(arg1);
+  return ret;
+};
+
+exports.__wbg___wbindgen_jsval_loose_eq_b664b38a2f582147 = function (arg0, arg1) {
+  const ret = getObject(arg0) == getObject(arg1);
+  return ret;
+};
+
+exports.__wbg___wbindgen_number_get_a20bf9b85341449d = function (arg0, arg1) {
+  const obj = getObject(arg1);
+  const ret = typeof obj === 'number' ? obj : undefined;
+  getDataViewMemory0().setFloat64(arg0 + 8 * 1, isLikeNone(ret) ? 0 : ret, true);
+  getDataViewMemory0().setInt32(arg0 + 4 * 0, !isLikeNone(ret), true);
+};
+
+exports.__wbg___wbindgen_string_get_e4f06c90489ad01b = function (arg0, arg1) {
+  const obj = getObject(arg1);
+  const ret = typeof obj === 'string' ? obj : undefined;
+  var ptr1 = isLikeNone(ret)
+    ? 0
+    : passStringToWasm0(ret, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+  var len1 = WASM_VECTOR_LEN;
+  getDataViewMemory0().setInt32(arg0 + 4 * 1, len1, true);
+  getDataViewMemory0().setInt32(arg0 + 4 * 0, ptr1, true);
+};
+
+exports.__wbg___wbindgen_throw_b855445ff6a94295 = function (arg0, arg1) {
+  throw new Error(getStringFromWasm0(arg0, arg1));
+};
+
+exports.__wbg_call_e762c39fa8ea36bf = function () {
+  return handleError(function (arg0, arg1) {
+    const ret = getObject(arg0).call(getObject(arg1));
+    return addHeapObject(ret);
+  }, arguments);
+};
+
+exports.__wbg_done_2042aa2670fb1db1 = function (arg0) {
+  const ret = getObject(arg0).done;
+  return ret;
+};
+
+exports.__wbg_entries_e171b586f8f6bdbf = function (arg0) {
+  const ret = Object.entries(getObject(arg0));
+  return addHeapObject(ret);
+};
+
+exports.__wbg_get_7bed016f185add81 = function (arg0, arg1) {
+  const ret = getObject(arg0)[arg1 >>> 0];
+  return addHeapObject(ret);
+};
+
+exports.__wbg_get_efcb449f58ec27c2 = function () {
+  return handleError(function (arg0, arg1) {
+    const ret = Reflect.get(getObject(arg0), getObject(arg1));
+    return addHeapObject(ret);
+  }, arguments);
+};
+
+exports.__wbg_get_with_ref_key_1dc361bd10053bfe = function (arg0, arg1) {
+  const ret = getObject(arg0)[getObject(arg1)];
+  return addHeapObject(ret);
+};
+
+exports.__wbg_instanceof_ArrayBuffer_70beb1189ca63b38 = function (arg0) {
+  let result;
+  try {
+    result = getObject(arg0) instanceof ArrayBuffer;
+  } catch (_) {
+    result = false;
+  }
+  const ret = result;
+  return ret;
+};
+
+exports.__wbg_instanceof_Map_8579b5e2ab5437c7 = function (arg0) {
+  let result;
+  try {
+    result = getObject(arg0) instanceof Map;
+  } catch (_) {
+    result = false;
+  }
+  const ret = result;
+  return ret;
+};
+
+exports.__wbg_instanceof_Uint8Array_20c8e73002f7af98 = function (arg0) {
+  let result;
+  try {
+    result = getObject(arg0) instanceof Uint8Array;
+  } catch (_) {
+    result = false;
+  }
+  const ret = result;
+  return ret;
+};
+
+exports.__wbg_isArray_96e0af9891d0945d = function (arg0) {
+  const ret = Array.isArray(getObject(arg0));
+  return ret;
+};
+
+exports.__wbg_isSafeInteger_d216eda7911dde36 = function (arg0) {
+  const ret = Number.isSafeInteger(getObject(arg0));
+  return ret;
+};
+
+exports.__wbg_iterator_e5822695327a3c39 = function () {
+  const ret = Symbol.iterator;
+  return addHeapObject(ret);
+};
+
+exports.__wbg_length_69bca3cb64fc8748 = function (arg0) {
+  const ret = getObject(arg0).length;
+  return ret;
+};
+
+exports.__wbg_length_cdd215e10d9dd507 = function (arg0) {
+  const ret = getObject(arg0).length;
+  return ret;
+};
+
+exports.__wbg_new_1acc0b6eea89d040 = function () {
+  const ret = new Object();
+  return addHeapObject(ret);
+};
+
+exports.__wbg_new_5a79be3ab53b8aa5 = function (arg0) {
+  const ret = new Uint8Array(getObject(arg0));
+  return addHeapObject(ret);
+};
+
+exports.__wbg_new_68651c719dcda04e = function () {
+  const ret = new Map();
+  return addHeapObject(ret);
+};
+
+exports.__wbg_new_e17d9f43105b08be = function () {
+  const ret = new Array();
+  return addHeapObject(ret);
+};
+
+exports.__wbg_next_020810e0ae8ebcb0 = function () {
+  return handleError(function (arg0) {
+    const ret = getObject(arg0).next();
+    return addHeapObject(ret);
+  }, arguments);
+};
+
+exports.__wbg_next_2c826fe5dfec6b6a = function (arg0) {
+  const ret = getObject(arg0).next;
+  return addHeapObject(ret);
+};
+
+exports.__wbg_prototypesetcall_2a6620b6922694b2 = function (arg0, arg1, arg2) {
+  Uint8Array.prototype.set.call(getArrayU8FromWasm0(arg0, arg1), getObject(arg2));
+};
+
+exports.__wbg_set_3f1d0b984ed272ed = function (arg0, arg1, arg2) {
+  getObject(arg0)[takeObject(arg1)] = takeObject(arg2);
+};
+
+exports.__wbg_set_907fb406c34a251d = function (arg0, arg1, arg2) {
+  const ret = getObject(arg0).set(getObject(arg1), getObject(arg2));
+  return addHeapObject(ret);
+};
+
+exports.__wbg_set_c213c871859d6500 = function (arg0, arg1, arg2) {
+  getObject(arg0)[arg1 >>> 0] = takeObject(arg2);
+};
+
+exports.__wbg_value_692627309814bb8c = function (arg0) {
+  const ret = getObject(arg0).value;
+  return addHeapObject(ret);
+};
+
+exports.__wbindgen_cast_2241b6af4c4b2941 = function (arg0, arg1) {
+  // Cast intrinsic for `Ref(String) -> Externref`.
+  const ret = getStringFromWasm0(arg0, arg1);
+  return addHeapObject(ret);
+};
+
+exports.__wbindgen_cast_4625c577ab2ec9ee = function (arg0) {
+  // Cast intrinsic for `U64 -> Externref`.
+  const ret = BigInt.asUintN(64, arg0);
+  return addHeapObject(ret);
+};
+
+exports.__wbindgen_cast_9ae0607507abb057 = function (arg0) {
+  // Cast intrinsic for `I64 -> Externref`.
+  const ret = arg0;
+  return addHeapObject(ret);
+};
+
+exports.__wbindgen_cast_d6cd19b81560fd6e = function (arg0) {
+  // Cast intrinsic for `F64 -> Externref`.
+  const ret = arg0;
+  return addHeapObject(ret);
+};
+
+exports.__wbindgen_object_clone_ref = function (arg0) {
+  const ret = getObject(arg0);
+  return addHeapObject(ret);
+};
+
+exports.__wbindgen_object_drop_ref = function (arg0) {
+  takeObject(arg0);
+};
+
+const wasmPath = `${__dirname}/kya_os_engine_bg.wasm`;
+const wasmBytes = require('fs').readFileSync(wasmPath);
+const wasmModule = new WebAssembly.Module(wasmBytes);
+const wasm = (exports.__wasm = new WebAssembly.Instance(wasmModule, imports).exports);

package/wasm/kya-os-engine-cedar/kya_os_engine_bg.wasm.d.ts

@@ -0,0 +1,11 @@
+/* tslint:disable */
+/* eslint-disable */
+export const memory: WebAssembly.Memory;
+export const __wbg_policyevaluator_free: (a: number, b: number) => void;
+export const policyevaluator_authorize: (a: number, b: number, c: number) => void;
+export const policyevaluator_new: (a: number, b: number, c: number) => void;
+export const verify: (a: number, b: number, c: number) => void;
+export const __wbindgen_export: (a: number, b: number) => number;
+export const __wbindgen_export2: (a: number, b: number, c: number, d: number) => number;
+export const __wbindgen_export3: (a: number) => void;
+export const __wbindgen_add_to_stack_pointer: (a: number) => number;

package/wasm/kya-os-engine-cedar/package.json

@@ -0,0 +1,29 @@
+{
+  "name": "kya-os-engine",
+  "collaborators": [
+    "KnowThat.ai Team"
+  ],
+  "description": "Verification engine for the KYA-OS ecosystem. The single source of truth for detection, identity, scope, revocation, policy, and reputation across every host runtime. See ADR-001.",
+  "version": "0.1.0",
+  "license": "MIT OR Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/knowthat-ai/agentshield"
+  },
+  "files": [
+    "kya_os_engine_bg.wasm",
+    "kya_os_engine.js",
+    "kya_os_engine.d.ts"
+  ],
+  "main": "kya_os_engine.js",
+  "types": "kya_os_engine.d.ts",
+  "keywords": [
+    "kya-os",
+    "verification",
+    "mcp-i",
+    "agent",
+    "did"
+  ],
+  "type": "commonjs",
+  "_note": "wasm-bindgen --target nodejs output: uses module.exports + require('fs') at module load. The parent wasm/package.json says type:module (for the older agentshield_wasm.js ESM file), which would make Node mis-classify this CJS file and throw ERR_REQUIRE_ESM. This nested package.json overrides per Node's nearest-package.json resolution algorithm. See SDK-WASM-Bundler-Loader-1 (#2613) for the original incident; AIVF-1 Path B (#2639) re-instated this override after a wasm-pack regen silently dropped it, plus a regen-pipeline patcher (rust/scripts/build-engine-wasm.sh) + an integrity test (packages/checkpoint-wasm-runtime/src/__tests__/wasm-artifact-integrity.test.ts) so the next regen can't silently break Node consumers again. Engine-Pattern-Codegen-Retirement-1 extended the patcher to also restore the types/`files` .d.ts references that --no-typescript drops. This is the cedar-feature variant built by rust/scripts/build-engine-cedar-wasm.sh; same guards apply."
+}

package/wasm/kya-os-engine-cedar-web/README.md

@@ -0,0 +1,26 @@
+# kya-os-engine
+
+Verification engine for the KYA-OS ecosystem. Every TS / .NET / Go / Python /
+Cloudflare-Workers host wrapper is a thin shim around the WASM or WASI build of
+this crate. ADR-001 (Engine-Centric Consolidation) is the architectural
+decision; the locked public API contract is tracked in D-design
+([issue #2484][issue]) and mirrored at
+[`docs/architecture/D-design-ratification.md`][ratification].
+
+`kya-os-engine` is the root of the dependency graph. It depends on
+nothing from `@kya-os/*`, `agentshield-*`, or `checkpoint-*`; the
+direction is the other way.
+
+The public surface is one function (`verify`), one decision vocabulary (`Decision`
+with five variants — `Permit`, `Block`, `Challenge`, `Redirect`, `Instruct`),
+five dependency-injection traits (`DidResolver`, `StatusListCache`,
+`ReputationOracle`, `PolicyEvaluator`, `Clock`), and one canonical-signing-payload
+helper (`canonical_signing_payload`, RFC 8785 / JCS).
+
+This is the **Layer 1 API lock** (D-design, [issue #2484][issue]). The body of
+`verify()` is `todo!()`; trait methods are stubbed. D-impl
+([issue #2485][impl]) satisfies the contract.
+
+[issue]: https://github.com/Know-That-Ai/agent-shield/issues/2484
+[impl]: https://github.com/Know-That-Ai/agent-shield/issues/2485
+[ratification]: ../../../docs/architecture/D-design-ratification.md