@motebit/protocol 2.0.1 → 3.1.0

package/dist/credential-anchor.d.ts

@@ -5,6 +5,7 @@
  * for credential anchoring. Any implementation can produce and verify anchor
  * proofs using these types.
  */
+import type { MerkleTreeVersion } from "./merkle-tree-hash.js";
 /** A batch of credential hashes anchored as a Merkle tree. */
 export interface CredentialAnchorBatch {
     /** UUID v4 batch identifier. */
@@ -79,6 +80,17 @@ export interface CredentialAnchorProof {
     batch_signature: string;
     /** Onchain anchor metadata, or null if not yet submitted. */
     anchor: CredentialChainAnchor | null;
+    /**
+     * Tree-hash recipe for the Merkle path (leaf-domain / node-domain tags +
+     * hash). A `MerkleTreeVersion` from `merkle-tree-hash.ts`. **Absent ⇒
+     * `merkle-sha256-plain-v1`** — every proof minted before this axis existed
+     * still verifies offline. Verifiers resolve absent to the default and reject
+     * an unknown value fail-closed (never silently downgrade); a v2 producer MUST
+     * emit it rather than rely on the default. Separate axis from `suite` (the
+     * batch-signature recipe). See
+     * `docs/doctrine/merkle-tree-hash-versioning.md`.
+     */
+    tree_hash_version?: MerkleTreeVersion;
 }
 /**
  * Chain-agnostic interface for submitting Merkle roots onchain.

package/dist/credential-anchor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"credential-anchor.d.ts","sourceRoot":"","sources":["../src/credential-anchor.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,8DAA8D;AAC9D,MAAM,WAAW,qBAAqB;IACpC,gCAAgC;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,sDAAsD;IACtD,QAAQ,EAAE,MAAM,CAAC;IACjB,uCAAuC;IACvC,WAAW,EAAE,MAAM,CAAC;IACpB,2CAA2C;IAC3C,UAAU,EAAE,MAAM,CAAC;IACnB,qEAAqE;IACrE,eAAe,EAAE,MAAM,CAAC;IACxB,mEAAmE;IACnE,cAAc,EAAE,MAAM,CAAC;IACvB;;;;;OAKG;IACH,KAAK,EAAE,4BAA4B,CAAC;IACpC,sEAAsE;IACtE,SAAS,EAAE,MAAM,CAAC;IAClB,wEAAwE;IACxE,MAAM,EAAE,qBAAqB,GAAG,IAAI,CAAC;CACtC;AAED,iDAAiD;AACjD,MAAM,WAAW,qBAAqB;IACpC,yCAAyC;IACzC,KAAK,EAAE,MAAM,CAAC;IACd,mFAAmF;IACnF,OAAO,EAAE,MAAM,CAAC;IAChB,4CAA4C;IAC5C,OAAO,EAAE,MAAM,CAAC;IAChB,2DAA2D;IAC3D,WAAW,EAAE,MAAM,CAAC;CACrB;AAID,oFAAoF;AACpF,MAAM,WAAW,qBAAqB;IACpC,6BAA6B;IAC7B,aAAa,EAAE,MAAM,CAAC;IACtB,yEAAyE;IACzE,eAAe,EAAE,MAAM,CAAC;IACxB,wCAAwC;IACxC,QAAQ,EAAE,MAAM,CAAC;IACjB,4CAA4C;IAC5C,WAAW,EAAE,MAAM,CAAC;IACpB,+EAA+E;IAC/E,UAAU,EAAE,MAAM,CAAC;IACnB,qEAAqE;IACrE,eAAe,EAAE,MAAM,CAAC;IACxB,mEAAmE;IACnE,cAAc,EAAE,MAAM,CAAC;IACvB,8DAA8D;IAC9D,UAAU,EAAE,MAAM,CAAC;IACnB,+DAA+D;IAC/D,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,oDAAoD;IACpD,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,qDAAqD;IACrD,QAAQ,EAAE,MAAM,CAAC;IACjB,gFAAgF;IAChF,gBAAgB,EAAE,MAAM,CAAC;IACzB;;;;;OAKG;IACH,KAAK,EAAE,4BAA4B,CAAC;IACpC,sEAAsE;IACtE,eAAe,EAAE,MAAM,CAAC;IACxB,6DAA6D;IAC7D,MAAM,EAAE,qBAAqB,GAAG,IAAI,CAAC;CACtC;AAID;;;;;GAKG;AACH,MAAM,WAAW,oBAAoB;IACnC,mDAAmD;IACnD,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,iCAAiC;IACjC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,kEAAkE;IAClE,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAChG,8EAA8E;IAC9E,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;CACjC"}
+{"version":3,"file":"credential-anchor.d.ts","sourceRoot":"","sources":["../src/credential-anchor.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAI/D,8DAA8D;AAC9D,MAAM,WAAW,qBAAqB;IACpC,gCAAgC;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,sDAAsD;IACtD,QAAQ,EAAE,MAAM,CAAC;IACjB,uCAAuC;IACvC,WAAW,EAAE,MAAM,CAAC;IACpB,2CAA2C;IAC3C,UAAU,EAAE,MAAM,CAAC;IACnB,qEAAqE;IACrE,eAAe,EAAE,MAAM,CAAC;IACxB,mEAAmE;IACnE,cAAc,EAAE,MAAM,CAAC;IACvB;;;;;OAKG;IACH,KAAK,EAAE,4BAA4B,CAAC;IACpC,sEAAsE;IACtE,SAAS,EAAE,MAAM,CAAC;IAClB,wEAAwE;IACxE,MAAM,EAAE,qBAAqB,GAAG,IAAI,CAAC;CACtC;AAED,iDAAiD;AACjD,MAAM,WAAW,qBAAqB;IACpC,yCAAyC;IACzC,KAAK,EAAE,MAAM,CAAC;IACd,mFAAmF;IACnF,OAAO,EAAE,MAAM,CAAC;IAChB,4CAA4C;IAC5C,OAAO,EAAE,MAAM,CAAC;IAChB,2DAA2D;IAC3D,WAAW,EAAE,MAAM,CAAC;CACrB;AAID,oFAAoF;AACpF,MAAM,WAAW,qBAAqB;IACpC,6BAA6B;IAC7B,aAAa,EAAE,MAAM,CAAC;IACtB,yEAAyE;IACzE,eAAe,EAAE,MAAM,CAAC;IACxB,wCAAwC;IACxC,QAAQ,EAAE,MAAM,CAAC;IACjB,4CAA4C;IAC5C,WAAW,EAAE,MAAM,CAAC;IACpB,+EAA+E;IAC/E,UAAU,EAAE,MAAM,CAAC;IACnB,qEAAqE;IACrE,eAAe,EAAE,MAAM,CAAC;IACxB,mEAAmE;IACnE,cAAc,EAAE,MAAM,CAAC;IACvB,8DAA8D;IAC9D,UAAU,EAAE,MAAM,CAAC;IACnB,+DAA+D;IAC/D,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,oDAAoD;IACpD,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,qDAAqD;IACrD,QAAQ,EAAE,MAAM,CAAC;IACjB,gFAAgF;IAChF,gBAAgB,EAAE,MAAM,CAAC;IACzB;;;;;OAKG;IACH,KAAK,EAAE,4BAA4B,CAAC;IACpC,sEAAsE;IACtE,eAAe,EAAE,MAAM,CAAC;IACxB,6DAA6D;IAC7D,MAAM,EAAE,qBAAqB,GAAG,IAAI,CAAC;IACrC;;;;;;;;;OASG;IACH,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;CACvC;AAID;;;;;GAKG;AACH,MAAM,WAAW,oBAAoB;IACnC,mDAAmD;IACnD,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,iCAAiC;IACjC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,kEAAkE;IAClE,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAChG,8EAA8E;IAC9E,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;CACjC"}

package/dist/federation-settlement-anchor.d.ts

@@ -0,0 +1,140 @@
+/**
+ * Federation settlement anchor types — motebit/relay-federation@1.2 §7.6.
+ *
+ * Permissive floor (Apache-2.0): these types define the interoperable format
+ * for inter-relay settlement anchoring — peer audit between federated relays.
+ *
+ * Audience-distinct from per-agent settlement anchoring (agent-settlement-anchor-v1.md,
+ * worker audit of relay-as-counterparty) and credential anchoring
+ * (credential-anchor-v1.md, agent reputation portability). Same Merkle
+ * primitive, different proof endpoint and source table — see
+ * spec/agent-settlement-anchor-v1.md §9.
+ *
+ * Convergence (spec/agent-settlement-anchor-v1.md §9.1, the arc-closer): the
+ * federation leaf is now `canonicalLeaf(the WHOLE signed FederationSettlementRecord)`
+ * — the verbatim-artifact hash the per-agent and credential streams already
+ * use — never a hand-typed column projection. The relay signs a canonical
+ * record of each settlement it books, persists it verbatim, and anchors the
+ * exact bytes; a peer who holds that signed record reproduces the leaf with
+ * `@motebit/crypto` alone (`verifyFederationSettlementAnchor`).
+ */
+import type { MerkleTreeVersion } from "./merkle-tree-hash.js";
+/**
+ * A relay's signed record of one federation settlement it booked — the exact
+ * artifact whose canonical bytes become the Merkle leaf (the "verbatim-leaf"
+ * shape per spec/agent-settlement-anchor-v1.md §9.1). Each relay signs and
+ * anchors its OWN copy of a settlement (the issuer is whichever relay booked
+ * the row), so the leaf reproduces from the bytes a peer holds — no
+ * re-projection of a sibling's database.
+ *
+ * The signing "floor" mirrors the per-agent `SettlementRecord` (settlement-v1.md
+ * §3): the issuing relay commits to the (gross, fee, net, rate) tuple, so it
+ * cannot issue inconsistent records to different observers. The Merkle anchor
+ * (relay-federation-v1.md §7.6) is the "ceiling" on top.
+ */
+export interface FederationSettlementRecord {
+    /** UUID settlement identifier (unique per booking relay). */
+    settlement_id: string;
+    /** Task this settlement pays for. */
+    task_id: string;
+    /** MotebitId of the upstream (origin) relay in the federation hop. */
+    upstream_relay_id: string;
+    /** MotebitId of the downstream relay, or null when this relay is the origin. */
+    downstream_relay_id: string | null;
+    /** MotebitId of the executing agent, or null when not attributed. */
+    agent_id: string | null;
+    /** Gross amount in micro-units before the platform fee. */
+    gross_amount: number;
+    /** Platform fee extracted by the relay, in micro-units. */
+    fee_amount: number;
+    /** Net amount forwarded, in micro-units (`gross_amount - fee_amount`). */
+    net_amount: number;
+    /** Fee rate applied (e.g. 0.05 = 5%). Recorded per-settlement for auditability. */
+    fee_rate: number;
+    /** Hash of the execution receipt this settlement pays against. */
+    receipt_hash: string;
+    /** Millisecond timestamp when this relay booked the settlement. */
+    settled_at: number;
+    /** x402 payment transaction hash (when paid on-chain). */
+    x402_tx_hash?: string;
+    /** x402 network used for payment (CAIP-2 identifier). */
+    x402_network?: string;
+    /** MotebitId of the relay that signed this record (the booking relay). */
+    issuer_relay_id: string;
+    /**
+     * Cryptosuite discriminator for `signature`. Always
+     * `"motebit-jcs-ed25519-b64-v1"` — JCS canonicalization of the unsigned
+     * record, Ed25519 primitive, base64url signature encoding (matching the
+     * per-agent `SettlementRecord` suite). Verifiers reject missing or unknown
+     * suite values fail-closed.
+     */
+    suite: "motebit-jcs-ed25519-b64-v1";
+    /** Base64url-encoded Ed25519 signature over the canonical unsigned record. */
+    signature: string;
+}
+/** Onchain anchor reference — chain-agnostic. */
+export interface FederationSettlementChainAnchor {
+    /** Chain identifier (e.g., "eip155"). */
+    chain: string;
+    /** CAIP-2 network identifier (e.g., "eip155:8453" for Base). */
+    network: string;
+    /** Transaction hash on the target chain. */
+    tx_hash: string;
+    /** Millisecond timestamp when the anchor was confirmed. */
+    anchored_at: number;
+}
+/** Self-verifiable Merkle inclusion proof for a federation settlement in an anchored batch. */
+export interface FederationSettlementAnchorProof {
+    /** Settlement identifier. */
+    settlement_id: string;
+    /**
+     * Hex-encoded SHA-256 hash of the canonical signed `FederationSettlementRecord`
+     * (the exact bytes a peer holds, signature included) — the verbatim-artifact
+     * leaf per spec/agent-settlement-anchor-v1.md §9.1.
+     */
+    settlement_hash: string;
+    /** Batch containing this settlement. */
+    batch_id: string;
+    /** Hex-encoded Merkle root of the batch. */
+    merkle_root: string;
+    /** Number of settlements in this batch (needed for batch signature verification). */
+    leaf_count: number;
+    /** Millisecond timestamp of the earliest settlement in the batch. */
+    first_settled_at: number;
+    /** Millisecond timestamp of the latest settlement in the batch. */
+    last_settled_at: number;
+    /** Position of this settlement's leaf in the sorted array. */
+    leaf_index: number;
+    /** Hex-encoded sibling hashes for Merkle path verification. */
+    siblings: string[];
+    /** Layer sizes for odd-leaf promotion detection. */
+    layer_sizes: number[];
+    /** MotebitId of the relay that created the batch. */
+    relay_id: string;
+    /** Hex-encoded Ed25519 public key of the relay (for batch_signature verification). */
+    relay_public_key: string;
+    /**
+     * Cryptosuite discriminator for `batch_signature`. Always
+     * `"motebit-jcs-ed25519-hex-v1"` — JCS canonicalization of the batch
+     * payload, Ed25519 primitive, hex signature encoding, hex public-key
+     * encoding. Suite-bound (cryptosuite-agility: part of the signed payload).
+     * Verifiers reject missing or unknown suite values fail-closed.
+     */
+    suite: "motebit-jcs-ed25519-hex-v1";
+    /** Hex-encoded Ed25519 signature over the canonical batch payload. */
+    batch_signature: string;
+    /** Onchain anchor metadata, or null if not yet submitted. */
+    anchor: FederationSettlementChainAnchor | null;
+    /**
+     * Tree-hash recipe for the Merkle path (leaf-domain / node-domain tags +
+     * hash). A `MerkleTreeVersion` from `merkle-tree-hash.ts`. **Absent ⇒
+     * `merkle-sha256-plain-v1`** — every proof minted before this axis existed
+     * still verifies offline. Verifiers resolve absent to the default and reject
+     * an unknown value fail-closed (never silently downgrade); a v2 producer MUST
+     * emit it rather than rely on the default. Separate axis from `suite` (the
+     * batch-signature recipe). See
+     * `docs/doctrine/merkle-tree-hash-versioning.md`.
+     */
+    tree_hash_version?: MerkleTreeVersion;
+}
+//# sourceMappingURL=federation-settlement-anchor.d.ts.map

package/dist/federation-settlement-anchor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"federation-settlement-anchor.d.ts","sourceRoot":"","sources":["../src/federation-settlement-anchor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAI/D;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,0BAA0B;IACzC,6DAA6D;IAC7D,aAAa,EAAE,MAAM,CAAC;IACtB,qCAAqC;IACrC,OAAO,EAAE,MAAM,CAAC;IAChB,sEAAsE;IACtE,iBAAiB,EAAE,MAAM,CAAC;IAC1B,gFAAgF;IAChF,mBAAmB,EAAE,MAAM,GAAG,IAAI,CAAC;IACnC,qEAAqE;IACrE,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,2DAA2D;IAC3D,YAAY,EAAE,MAAM,CAAC;IACrB,2DAA2D;IAC3D,UAAU,EAAE,MAAM,CAAC;IACnB,0EAA0E;IAC1E,UAAU,EAAE,MAAM,CAAC;IACnB,mFAAmF;IACnF,QAAQ,EAAE,MAAM,CAAC;IACjB,kEAAkE;IAClE,YAAY,EAAE,MAAM,CAAC;IACrB,mEAAmE;IACnE,UAAU,EAAE,MAAM,CAAC;IACnB,0DAA0D;IAC1D,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,yDAAyD;IACzD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,0EAA0E;IAC1E,eAAe,EAAE,MAAM,CAAC;IACxB;;;;;;OAMG;IACH,KAAK,EAAE,4BAA4B,CAAC;IACpC,8EAA8E;IAC9E,SAAS,EAAE,MAAM,CAAC;CACnB;AAID,iDAAiD;AACjD,MAAM,WAAW,+BAA+B;IAC9C,yCAAyC;IACzC,KAAK,EAAE,MAAM,CAAC;IACd,gEAAgE;IAChE,OAAO,EAAE,MAAM,CAAC;IAChB,4CAA4C;IAC5C,OAAO,EAAE,MAAM,CAAC;IAChB,2DAA2D;IAC3D,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,+FAA+F;AAC/F,MAAM,WAAW,+BAA+B;IAC9C,6BAA6B;IAC7B,aAAa,EAAE,MAAM,CAAC;IACtB;;;;OAIG;IACH,eAAe,EAAE,MAAM,CAAC;IACxB,wCAAwC;IACxC,QAAQ,EAAE,MAAM,CAAC;IACjB,4CAA4C;IAC5C,WAAW,EAAE,MAAM,CAAC;IACpB,qFAAqF;IACrF,UAAU,EAAE,MAAM,CAAC;IACnB,qEAAqE;IACrE,gBAAgB,EAAE,MAAM,CAAC;IACzB,mEAAmE;IACnE,eAAe,EAAE,MAAM,CAAC;IACxB,8DAA8D;IAC9D,UAAU,EAAE,MAAM,CAAC;IACnB,+DAA+D;IAC/D,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,oDAAoD;IACpD,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,qDAAqD;IACrD,QAAQ,EAAE,MAAM,CAAC;IACjB,sFAAsF;IACtF,gBAAgB,EAAE,MAAM,CAAC;IACzB;;;;;;OAMG;IACH,KAAK,EAAE,4BAA4B,CAAC;IACpC,sEAAsE;IACtE,eAAe,EAAE,MAAM,CAAC;IACxB,6DAA6D;IAC7D,MAAM,EAAE,+BAA+B,GAAG,IAAI,CAAC;IAC/C;;;;;;;;;OASG;IACH,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;CACvC"}

package/dist/federation-settlement-anchor.js

@@ -0,0 +1,22 @@
+/**
+ * Federation settlement anchor types — motebit/relay-federation@1.2 §7.6.
+ *
+ * Permissive floor (Apache-2.0): these types define the interoperable format
+ * for inter-relay settlement anchoring — peer audit between federated relays.
+ *
+ * Audience-distinct from per-agent settlement anchoring (agent-settlement-anchor-v1.md,
+ * worker audit of relay-as-counterparty) and credential anchoring
+ * (credential-anchor-v1.md, agent reputation portability). Same Merkle
+ * primitive, different proof endpoint and source table — see
+ * spec/agent-settlement-anchor-v1.md §9.
+ *
+ * Convergence (spec/agent-settlement-anchor-v1.md §9.1, the arc-closer): the
+ * federation leaf is now `canonicalLeaf(the WHOLE signed FederationSettlementRecord)`
+ * — the verbatim-artifact hash the per-agent and credential streams already
+ * use — never a hand-typed column projection. The relay signs a canonical
+ * record of each settlement it books, persists it verbatim, and anchors the
+ * exact bytes; a peer who holds that signed record reproduces the leaf with
+ * `@motebit/crypto` alone (`verifyFederationSettlementAnchor`).
+ */
+export {};
+//# sourceMappingURL=federation-settlement-anchor.js.map

package/dist/federation-settlement-anchor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"federation-settlement-anchor.js","sourceRoot":"","sources":["../src/federation-settlement-anchor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG"}

package/dist/index.d.ts

@@ -1,3 +1,4 @@
+import type { MerkleTreeVersion } from "./merkle-tree-hash.js";
 declare const __brand: unique symbol;
 type Brand<T, B extends string> = T & {
     readonly [__brand]?: B;
@@ -81,6 +82,14 @@ export interface AgentTrustRecord {
     successful_tasks?: number;
     failed_tasks?: number;
     notes?: string;
+    /**
+     * First-person local nickname for this peer — what *I* call them, in my own
+     * namespace. Local-only: never on the wire, never sent to a peer or the relay.
+     * Naming is first-person (the petname resolution to Zooko's triangle — see
+     * `docs/doctrine/agents-as-first-person-trust-graph.md` §3), distinct from the
+     * peer's squattable self-asserted listing name. Optional; absent ⇒ no petname.
+     */
+    petname?: string;
     /** Exponential moving average of result quality [0, 1]. */
     avg_quality?: number;
     /** Number of quality samples collected. */
@@ -849,6 +858,74 @@ export interface ToolInvocationReceipt {
     suite: "motebit-jcs-ed25519-b64-v1";
     signature: string;
 }
+/**
+ * Signed human-consent decision over a tool call that governance gated for
+ * approval (the middle band: `require_approval_above < risk <= deny_above`).
+ *
+ * The third governance band made verifiable. The auto band proves itself with
+ * a `ToolInvocationReceipt`; the deny band proves itself with an agent-signed
+ * `ExecutionReceipt{status:"denied"}` (the delegation policy refusal path). The
+ * approve band was the only one whose decision was unsigned — a plaintext DB
+ * row + event. This artifact closes that asymmetry: when a human approves (or
+ * denies) a gated act, the verdict becomes a self-verifiable fact — "this
+ * approver consented to THIS tool call with THESE args at THIS time" — that any
+ * third party can check offline with the approver's public key, no relay
+ * contact required.
+ *
+ * Signed by the APPROVER's device key (the human consenting), mirroring how the
+ * worker signs its own refusal: consent is the approver's assertion, not the
+ * system's word for it. Prior art for signed approval votes: the key-rotation
+ * guardian quorum (`relay_approval_votes.signature`) — this lifts that shape
+ * from the narrow key-rotation case to the general agentic tool-consent path.
+ *
+ * Privacy: commits to `args_hash` (SHA-256 of the canonical args), never the
+ * raw args — same discipline as `ToolInvocationReceipt`. A verifier holding the
+ * raw args recomputes and matches; one holding only the decision still proves a
+ * verdict was rendered over *some* call at *some* time.
+ *
+ * Member of the JCS + Ed25519 + suite-dispatch signed-artifact family
+ * (`docs/doctrine/receipts-unified.md`). Verify with `verifyApprovalDecision`.
+ */
+export interface ApprovalDecision {
+    /**
+     * Binds the decision to the specific gated call — the `tool_call_id` from the
+     * `approval_request`. Part of the signed body, so a verdict cannot be
+     * replayed onto a different call (the binding breaks the signature).
+     */
+    approval_id: string;
+    /** The motebit whose governance gated the call (the executor being approved). */
+    motebit_id: MotebitId;
+    /** Signer's (approver's) Ed25519 public key (hex). Enables offline verification without a key lookup. */
+    public_key?: string;
+    /** The approver's device that rendered the verdict and holds the signing key. */
+    device_id: DeviceId;
+    /** Tool the verdict authorizes (or refuses). */
+    tool_name: string;
+    /**
+     * SHA-256 hex of the canonical JSON of the tool's arguments — never the raw
+     * args. Binds consent to the exact call shape the approver saw.
+     */
+    args_hash: string;
+    /** The `RiskLevel` numeric that triggered the approval gate. */
+    risk_level: number;
+    /** The human's verdict. `denied` carries an optional `denied_reason`. */
+    verdict: "approved" | "denied";
+    /** Unix ms when the approval was requested (the gate fired). */
+    requested_at: number;
+    /** Unix ms when the human rendered the verdict. */
+    resolved_at: number;
+    /** Free-text reason, present only on `denied`. */
+    denied_reason?: string;
+    /** The turn/run the gated call belongs to, when known. */
+    run_id?: string;
+    /**
+     * Cryptosuite discriminator. Always `"motebit-jcs-ed25519-b64-v1"` today.
+     * Widening requires a `SuiteId` registry change + a new dispatch arm in
+     * `@motebit/crypto`, not a wire-format break.
+     */
+    suite: "motebit-jcs-ed25519-b64-v1";
+    signature: string;
+}
 /**
  * Signed proof that the motebit performed a consolidation cycle. The
  * receipt commits to structural facts only — counts of memories merged,
@@ -962,6 +1039,16 @@ export interface ConsolidationAnchor {
      *  `"solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp"` for mainnet). Paired
      *  with `tx_hash` — absent when `tx_hash` is absent. */
     network?: string;
+    /**
+     * Tree-hash recipe for the receipts' Merkle root (leaf-domain / node-domain
+     * tags + hash). A `MerkleTreeVersion`. **Absent ⇒ `merkle-sha256-plain-v1`** —
+     * every anchor produced before this axis existed still recomputes offline.
+     * Verifiers resolve absent to the default and reject an unknown value
+     * fail-closed (never silently downgrade); a v2 producer MUST emit it rather
+     * than rely on the default. See
+     * `docs/doctrine/merkle-tree-hash-versioning.md`.
+     */
+    tree_hash_version?: MerkleTreeVersion;
 }
 /**
  * Provenance discriminator on `ExecutionReceipt.invocation_origin` and on
@@ -1381,6 +1468,18 @@ export declare const PLATFORM_FEE_RATE = 0.05;
 export interface SettlementRecord {
     settlement_id: SettlementId;
     allocation_id: AllocationId;
+    /**
+     * The payee — the `motebit_id` of the worker this settlement pays. A
+     * settlement receipt names *who was paid* in its signed body, not only
+     * the relay-internal `allocation_id` (which is an opaque bookkeeping
+     * handle a sovereign verifier cannot resolve offline). This makes the
+     * receipt self-contained: a worker proves "I (W) was paid X for receipt
+     * H by relay R" from the signed bytes alone, with no relay-side
+     * allocation→payee join. Carried in the signed body so the payee is part
+     * of the relay's attestation and cannot be re-pointed after the fact.
+     * Equals the executing agent's `ExecutionReceipt.motebit_id`.
+     */
+    motebit_id: MotebitId;
     receipt_hash: string;
     ledger_hash: string | null;
     /** Amount paid to the executing agent (after platform fee deduction). */
@@ -1684,6 +1783,74 @@ export interface SovereignRail extends SettlementRail {
     /** Current balance in micro-units (1e6 = 1 unit of asset). */
     getBalance(): Promise<bigint>;
 }
+/**
+ * Outcome of a sovereign-rail value transfer. Chain-neutral shape — a tx
+ * identifier, the slot/height it landed in (0 if not yet confirmed), and
+ * whether the configured commitment level was reached.
+ */
+export interface SovereignSendResult {
+    /** Transaction identifier (base58 signature on Solana). */
+    signature: string;
+    /** Slot / block height the transaction landed in (0 if not yet confirmed). */
+    slot: number;
+    /** Whether the network reached the configured commitment level. */
+    confirmed: boolean;
+}
+/**
+ * The sovereign wallet rail as the interior CONSUMES it — the port the runtime
+ * depends on, not the concrete rail. Extends `SovereignRail` (address +
+ * getBalance) with the send + liveness operations the runtime invokes. A
+ * concrete rail (`@motebit/wallet-solana`'s `SolanaWalletRail`) satisfies this
+ * structurally; the runtime imports this port, never the provider. "The interior
+ * defines the port; the provider implements it" — the adapter principle as a type.
+ */
+/**
+ * A request to build a sovereign P2P payment proof — the delegator's atomic
+ * multi-leg onchain settlement that lets a PAID direct delegation satisfy the
+ * relay's P2P-proof gate (`requiresP2pProof`, Arc 3.5). The interior assembles
+ * this from discovery (the worker's `settlement_address`, the relay's treasury
+ * address) plus fee math (`computeGrossAmount` in `@motebit/market`); the rail
+ * broadcasts the legs in ONE transaction and returns the verifiable
+ * `P2pPaymentProof`.
+ *
+ * Single-operator P2P uses the worker + relay-fee legs only. Cross-operator
+ * federated P2P adds the executor-relay (B) fee leg — see `P2pPaymentProof`'s
+ * `b_fee_*` fields.
+ */
+export interface SovereignP2pPaymentRequest {
+    /** Worker's declared settlement address (base58 for Solana). */
+    workerAddress: string;
+    /** Worker leg amount in micro-units — the listing unit_cost, what the worker earns net. */
+    amountMicro: number;
+    /** Relay treasury address (base58) — `deriveSolanaAddress(relayPublicKey)`. */
+    treasuryAddress: string;
+    /** Fee leg amount in micro-units — `computeGrossAmount(amountMicro) - amountMicro`. */
+    feeAmountMicro: number;
+    /** Executor-relay (B) treasury address (base58) — cross-operator federated P2P only. */
+    executorTreasuryAddress?: string;
+    /** Executor-relay (B) fee leg amount in micro-units — federated P2P only. */
+    executorFeeAmountMicro?: number;
+    /** CAIP-2 network identifier (defaults to the rail's chain mainnet). */
+    network?: string;
+}
+export interface SovereignWalletRail extends SovereignRail {
+    /** Send `microAmount` (micro-units) of the rail's asset to `toAddress`. */
+    send(toAddress: string, microAmount: bigint): Promise<SovereignSendResult>;
+    /** Whether the rail can currently reach its chain (RPC liveness). */
+    isAvailable(): Promise<boolean>;
+    /**
+     * Build a P2P payment proof by broadcasting the delegator's atomic
+     * multi-leg settlement (worker leg + relay-fee leg[s]) in a SINGLE
+     * transaction and returning the verifiable `P2pPaymentProof`.
+     *
+     * OPTIONAL: a rail that cannot atomically pay multiple recipients omits
+     * this, and the interior degrades honestly (paid direct delegation is
+     * unavailable on that rail) — it MUST NOT split the legs across separate
+     * transactions, because the relay verifier walks ONE `tx_hash`. The
+     * reference `SolanaWalletRail` implements it via `buildP2pPaymentProof`.
+     */
+    buildP2pPayment?(request: SovereignP2pPaymentRequest): Promise<P2pPaymentProof>;
+}
 export interface CollaborativePlanProposal {
     proposal_id: ProposalId;
     plan_id: PlanId;
@@ -2136,9 +2303,10 @@ export { TrustSemiring, CostSemiring, LatencySemiring, BottleneckSemiring, Relia
 export type { Edge } from "./graph.js";
 export { WeightedDigraph } from "./graph.js";
 export { optimalPaths, optimalPath, transitiveClosure, optimalPathTrace } from "./traversal.js";
-export { TRUST_LEVEL_SCORES, trustLevelToScore, TRUST_ZERO, TRUST_ONE, trustAdd, trustMultiply, composeTrustChain, joinParallelRoutes, REFERENCE_TRUST_THRESHOLDS, DEFAULT_TRUST_THRESHOLDS, } from "./trust-algebra.js";
+export { TRUST_LEVEL_SCORES, trustLevelToScore, TRUST_ZERO, TRUST_ONE, trustAdd, trustMultiply, composeTrustChain, joinParallelRoutes, REFERENCE_TRUST_THRESHOLDS, } from "./trust-algebra.js";
 export type { CredentialAnchorBatch, CredentialChainAnchor, CredentialAnchorProof, ChainAnchorSubmitter, } from "./credential-anchor.js";
 export type { AgentSettlementAnchorBatch, AgentSettlementChainAnchor, AgentSettlementAnchorProof, } from "./agent-settlement-anchor.js";
+export type { FederationSettlementRecord, FederationSettlementChainAnchor, FederationSettlementAnchorProof, } from "./federation-settlement-anchor.js";
 export type { RelayMetadata, RelayMetadataPeer, AgentResolutionResult } from "./discovery.js";
 export type { MigrationState, MigrationRequest, MigrationToken, DepartureAttestation, CredentialBundle, BalanceWaiver, MigrationPresentation, } from "./migration.js";
 export type { DisputeState, DisputeOutcome, DisputeCategory, DisputeFundAction, DisputeRequest, DisputeEvidence, DisputeEvidenceType, AdjudicatorVote, VoteRequest, DisputeResolution, DisputeAppeal, WitnessOmissionDispute, WitnessOmissionEvidence, WitnessOmissionInclusionProofEvidence, WitnessOmissionAlternativePeeringEvidence, } from "./dispute.js";
@@ -2146,8 +2314,11 @@ export type { SettlementMode, WritableSettlementMode, P2pPaymentProof, PaymentVe
 export { ALL_SETTLEMENT_MODES, isSettlementMode } from "./settlement-mode.js";
 export type { SettlementAsset } from "./settlement-asset.js";
 export { ALL_SETTLEMENT_ASSETS, isSettlementAsset } from "./settlement-asset.js";
+export { base58Encode } from "./base58.js";
 export type { SuiteId, SuiteEntry, SuiteStatus, SuiteAlgorithm, SuiteCanonicalization, SuiteSignatureEncoding, SuitePublicKeyEncoding, } from "./crypto-suite.js";
 export { SUITE_REGISTRY, ALL_SUITE_IDS, isSuiteId, getSuiteEntry } from "./crypto-suite.js";
+export type { MerkleTreeVersion, MerkleTreeVersionEntry, MerkleTreeVersionStatus, MerkleHashFunction, } from "./merkle-tree-hash.js";
+export { MERKLE_TREE_VERSION_REGISTRY, ALL_MERKLE_TREE_VERSIONS, DEFAULT_MERKLE_TREE_VERSION, isMerkleTreeVersion, getMerkleTreeVersionEntry, } from "./merkle-tree-hash.js";
 export { MAX_RETENTION_DAYS_BY_SENSITIVITY, REFERENCE_RETENTION_DAYS_BY_SENSITIVITY, RUNTIME_RETENTION_REGISTRY, EMPTY_FEDERATION_GRAPH_ANCHOR, } from "./retention-policy.js";
 export type { RetentionCeilingDays, RetentionShape, RetentionShapeDeclaration, RetentionStoreDeclaration, RetentionManifest, RuntimeStoreId, DeletionCertificate, DeletionReason, HorizonSubject, HorizonWitness, HorizonWitnessRequestBody, WitnessSolicitationRequest, WitnessSolicitationResponse, FederationGraphAnchor, MerkleAlgo, MerkleInclusionProof, SubjectSignature, OperatorSignature, DelegateSignature, GuardianSignature, SensitivityLevelString, } from "./retention-policy.js";
 export type { MemoryDecayedPayload, MemoryFormedPayload, MemoryAccessedPayload, MemoryPinnedPayload, MemoryDeletedPayload, MemoryConsolidatedPayload, MemoryAuditPayload, MemoryPromotedPayload, } from "./memory-events.js";
@@ -2164,17 +2335,21 @@ export { resolveDropTarget } from "./perception.js";
 export { rankSensitivity, maxSensitivity, sensitivityPermits, ALL_SENSITIVITY_LEVELS, isSensitivityLevel, } from "./sensitivity.js";
 export type { SensitivityCleared } from "./sensitivity.js";
 export { ALL_EVENT_TYPES, isEventType } from "./event-type.js";
-export { MICRO, CENTS, toMicro, fromMicro, toCents, fromCents } from "./money.js";
+export { MICRO, CENTS, toMicro, fromMicro, toCents, fromCents, computeP2pFeeMicro, computeFederatedFeeSplit, } from "./money.js";
+export type { FederatedFeeSplit } from "./money.js";
 export type { InferenceHost, ModelLab, Jurisdiction, TaskShape, ProviderCapability, RoutingConstraint, RoutingDecision, } from "./routing.js";
 export { ALL_TASK_SHAPES, isTaskShape, QUICK_TASK_SHAPE, CHAT_TASK_SHAPE, REASONING_TASK_SHAPE, CODE_TASK_SHAPE, RESEARCH_TASK_SHAPE, CREATIVE_TASK_SHAPE, MATH_TASK_SHAPE, } from "./routing.js";
 export type { TokenAudience } from "./audience.js";
 export { ALL_TOKEN_AUDIENCES, isTokenAudience, SYNC_AUDIENCE, DEVICE_AUTH_AUDIENCE, PAIR_AUDIENCE, ROTATE_KEY_AUDIENCE, PUSH_REGISTER_AUDIENCE, TASK_SUBMIT_AUDIENCE, ADMIN_QUERY_AUDIENCE, PROPOSAL_AUDIENCE, ACCOUNT_BALANCE_AUDIENCE, ACCOUNT_DEPOSIT_AUDIENCE, ACCOUNT_WITHDRAW_AUDIENCE, ACCOUNT_WITHDRAWALS_AUDIENCE, ACCOUNT_CHECKOUT_AUDIENCE, BROWSER_SANDBOX_GRANT_AUDIENCE, BROWSER_SANDBOX_AUDIENCE, } from "./audience.js";
 export type { ContentArtifactType } from "./artifact-type.js";
-export { ALL_CONTENT_ARTIFACT_TYPES, isContentArtifactType, STATE_SNAPSHOT_ARTIFACT, MEMORY_EXPORT_ARTIFACT, GOAL_LIST_ARTIFACT, CONVERSATION_LIST_ARTIFACT, CONVERSATION_MESSAGES_ARTIFACT, DEVICE_LIST_ARTIFACT, AUDIT_TRAIL_ARTIFACT, PLAN_LIST_ARTIFACT, PLAN_DETAIL_ARTIFACT, GRADIENT_HISTORY_ARTIFACT, SYNC_PULL_ARTIFACT, EXECUTION_LEDGER_ARTIFACT, GOAL_RESULT_ARTIFACT, } from "./artifact-type.js";
+export { ALL_CONTENT_ARTIFACT_TYPES, isContentArtifactType, STATE_SNAPSHOT_ARTIFACT, MEMORY_EXPORT_ARTIFACT, GOAL_LIST_ARTIFACT, CONVERSATION_LIST_ARTIFACT, CONVERSATION_MESSAGES_ARTIFACT, DEVICE_LIST_ARTIFACT, AUDIT_TRAIL_ARTIFACT, PLAN_LIST_ARTIFACT, PLAN_DETAIL_ARTIFACT, GRADIENT_HISTORY_ARTIFACT, SYNC_PULL_ARTIFACT, EXECUTION_LEDGER_ARTIFACT, GOAL_RESULT_ARTIFACT, SETTLEMENT_SUMMARY_ARTIFACT, } from "./artifact-type.js";
+export type { SettlementSummaryExport, SettlementSummaryPeer, SettlementSummaryUnattributed, } from "./settlement-summary.js";
 export type { SignedTransparencyDeclaration, TransparencySignedPayload, TransparencyAnchorRecord, } from "./transparency.js";
 export { TRANSPARENCY_SUITE, TRANSPARENCY_ANCHOR_MEMO_PREFIX, TRANSPARENCY_SPEC_ID, isSignedTransparencyDeclaration, } from "./transparency.js";
+export type { AgentRevocationReason, AgentRevocationActor, AgentRevocationRecord, AgentRevocationSignedPayload, AgentRevocationFeed, } from "./agent-revocation.js";
+export { ALL_AGENT_REVOCATION_REASONS, isAgentRevocationReason, AGENT_REVOCATION_SUITE, AGENT_REVOCATION_SPEC_ID, } from "./agent-revocation.js";
 import type { ToolMode } from "./tool-mode.js";
-import type { SettlementMode } from "./settlement-mode.js";
+import type { SettlementMode, P2pPaymentProof } from "./settlement-mode.js";
 import type { SettlementAsset } from "./settlement-asset.js";
 export type { SkillSensitivity, SkillPlatform, SkillHardwareAttestationGate, SkillSignature, SkillManifestMetadata, SkillManifestMotebit, SkillManifest, SkillEnvelopeFile, SkillEnvelopeSkillRef, SkillEnvelope, SkillLoadPayload, } from "./skills.js";
 export { SKILL_SENSITIVITY_TIERS, SKILL_AUTO_LOADABLE_TIERS, SKILL_PLATFORMS } from "./skills.js";