@nexart/ai-execution 0.3.0 → 0.4.0

package/README.md

@@ -1,4 +1,4 @@
-# @nexart/ai-execution v0.3.0
+# @nexart/ai-execution v0.4.0
 
 Tamper-evident records and Certified Execution Records (CER) for AI operations.
 
@@ -21,7 +21,7 @@ These records can be verified offline to prove the execution happened as recorde
 
 ## Compatibility Guarantees
 
-- **v0.1.0 and v0.2.0 bundles verify forever.** Any CER bundle produced by any prior version will pass `verify()` in v0.3.0 and all future versions.
+- **v0.1.0, v0.2.0, and v0.3.0 bundles verify forever.** Any CER bundle produced by any prior version will pass `verify()` in v0.4.0 and all future versions.
 - **Hashing rules are frozen for `cer.ai.execution.v1`.** The canonicalization, SHA-256 computation, and certificate hash inputs (bundleType, version, createdAt, snapshot) are unchanged.
 - **New optional snapshot fields** (runId, stepId, stepIndex, etc.) default to undefined and are excluded from legacy snapshots. They participate in the certificate hash only when present.
 - **Canonicalization is frozen for v1.** Number-to-string conversion uses `JSON.stringify()`, which is consistent across JavaScript engines but does not implement RFC 8785 (JCS) for edge cases like `-0`. If stricter canonicalization is required, it will ship as a new bundle type (`cer.ai.execution.v2`), never as a modification to v1.
@@ -139,7 +139,7 @@ const restored = importCer(json);     // parse + verify (throws on tamper)
 | `modelVersion` | Optional | `string \| null` | Defaults to `null` |
 | `parameters.topP` | Optional | `number \| null` | Defaults to `null` |
 | `parameters.seed` | Optional | `number \| null` | Defaults to `null` |
-| `sdkVersion` | Optional | `string \| null` | Defaults to `"0.3.0"` |
+| `sdkVersion` | Optional | `string \| null` | Defaults to `"0.4.0"` |
 | `appId` | Optional | `string \| null` | Defaults to `null` |
 | `runId` | Optional | `string \| null` | Workflow run ID |
 | `stepId` | Optional | `string \| null` | Step identifier within a run |
@@ -172,7 +172,7 @@ The `certificateHash` is SHA-256 of the UTF-8 bytes of the canonical JSON of exa
 Endpoint: `POST {nodeUrl}/api/attest`
 
 - Authorization: `Bearer {apiKey}`
-- Body: the full CER bundle as JSON
+- Body: the full CER bundle as JSON (auto-sanitized via `sanitizeForAttestation` in v0.4.0+)
 - Returns: `AttestationResult` with `attestationId`, `nodeRuntimeHash`, `certificateHash`, `protocolVersion`
 - Default timeout: 10 seconds (configurable via `timeoutMs`)
 - Validates: response `certificateHash` matches submitted bundle; all hashes in `sha256:<64hex>` format
@@ -180,6 +180,17 @@ Endpoint: `POST {nodeUrl}/api/attest`
 
 Attestation verifies internal integrity only. It does not re-run the model or validate the correctness of the AI output.
 
+### Sanitization and Redaction
+
+`sanitizeForAttestation(bundle)` returns a JSON-safe deep clone:
+- Removes keys with `undefined` values at all nesting levels
+- Rejects `BigInt`, functions, and symbols (throws)
+- Safe to serialize with `JSON.stringify` or canonical JSON
+
+**Recommended redaction pattern:** delete keys or set them to `null` — never set to `undefined`, which is not valid JSON. Call `sanitizeForAttestation` before archiving or attesting if your bundle may contain `undefined` values.
+
+**Skip re-attestation:** use `hasAttestation(bundle)` to check if a bundle already includes attestation fields before calling `attest()` again.
+
 ## Canonical JSON Constraints
 
 1. Object keys sorted lexicographically (Unicode codepoint order) at every nesting level.
@@ -226,7 +237,9 @@ Fixtures at `fixtures/vectors/` and `fixtures/golden/`. Cross-language implement
 
 | Function | Description |
 |---|---|
-| `attest(bundle, options)` | Post CER to canonical node |
+| `attest(bundle, options)` | Post CER to canonical node (auto-sanitizes) |
+| `sanitizeForAttestation(bundle)` | Remove `undefined` keys, reject BigInt/functions/symbols |
+| `hasAttestation(bundle)` | Check if bundle already has attestation fields |
 | `exportCer(bundle)` | Serialize to canonical JSON string |
 | `importCer(json)` | Parse + verify from JSON string |
 
@@ -244,7 +257,8 @@ Fixtures at `fixtures/vectors/` and `fixtures/golden/`. Cross-language implement
 |---|---|
 | v0.1.0 | Core snapshot + CER + verify + OpenAI adapter |
 | v0.2.0 | certifyDecision, RunBuilder, attest, archive, Anthropic, wrapProvider, typed errors, workflow fields |
-| **v0.3.0** | Attestation hardening (hash validation, timeout), `verify` alias, `CerAttestationError.details`, release hygiene |
+| v0.3.0 | Attestation hardening (hash validation, timeout), `verify` alias, `CerAttestationError.details`, release hygiene |
+| **v0.4.0** | Dual ESM/CJS build, `sanitizeForAttestation`, `hasAttestation`, auto-sanitize in `attest()`, fixed `ERR_PACKAGE_PATH_NOT_EXPORTED` |
 | v1.0.0 | Planned: API stabilization, freeze public API surface |
 
 ## Releasing

package/dist/index.cjs

@@ -0,0 +1,607 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var src_exports = {};
+__export(src_exports, {
+  CerAttestationError: () => CerAttestationError,
+  CerVerificationError: () => CerVerificationError,
+  RunBuilder: () => RunBuilder,
+  attest: () => attest,
+  certifyDecision: () => certifyDecision,
+  computeInputHash: () => computeInputHash,
+  computeOutputHash: () => computeOutputHash,
+  createSnapshot: () => createSnapshot,
+  exportCer: () => exportCer,
+  hasAttestation: () => hasAttestation,
+  hashCanonicalJson: () => hashCanonicalJson,
+  hashUtf8: () => hashUtf8,
+  importCer: () => importCer,
+  sanitizeForAttestation: () => sanitizeForAttestation,
+  sealCer: () => sealCer,
+  sha256Hex: () => sha256Hex,
+  toCanonicalJson: () => toCanonicalJson,
+  verify: () => verifyCer,
+  verifyCer: () => verifyCer,
+  verifySnapshot: () => verifySnapshot,
+  wrapProvider: () => wrapProvider
+});
+module.exports = __toCommonJS(src_exports);
+
+// src/errors.ts
+var CerVerificationError = class extends Error {
+  errors;
+  constructor(errors) {
+    super(`CER verification failed: ${errors.join("; ")}`);
+    this.name = "CerVerificationError";
+    this.errors = errors;
+  }
+};
+var CerAttestationError = class extends Error {
+  statusCode;
+  responseBody;
+  details;
+  constructor(message, statusCode, responseBody, details) {
+    super(message);
+    this.name = "CerAttestationError";
+    this.statusCode = statusCode;
+    this.responseBody = responseBody;
+    this.details = details;
+  }
+};
+
+// src/canonicalJson.ts
+function toCanonicalJson(value) {
+  return canonicalize(value);
+}
+function canonicalize(value) {
+  if (value === null) {
+    return "null";
+  }
+  if (typeof value === "boolean") {
+    return value ? "true" : "false";
+  }
+  if (typeof value === "number") {
+    if (!Number.isFinite(value)) {
+      throw new Error(`Non-finite number not allowed in canonical JSON: ${value}`);
+    }
+    return JSON.stringify(value);
+  }
+  if (typeof value === "string") {
+    return JSON.stringify(value);
+  }
+  if (Array.isArray(value)) {
+    const items = value.map((item) => canonicalize(item));
+    return "[" + items.join(",") + "]";
+  }
+  if (typeof value === "object") {
+    const obj = value;
+    const keys = Object.keys(obj).sort();
+    const entries = keys.map((key) => {
+      const val = obj[key];
+      if (val === void 0) {
+        return null;
+      }
+      return JSON.stringify(key) + ":" + canonicalize(val);
+    }).filter((e) => e !== null);
+    return "{" + entries.join(",") + "}";
+  }
+  throw new Error(`Unsupported type for canonical JSON: ${typeof value}`);
+}
+
+// src/hash.ts
+var crypto = __toESM(require("crypto"), 1);
+function sha256Hex(data) {
+  const hash = crypto.createHash("sha256");
+  if (typeof data === "string") {
+    hash.update(data, "utf-8");
+  } else {
+    hash.update(data);
+  }
+  return hash.digest("hex");
+}
+function hashUtf8(value) {
+  return `sha256:${sha256Hex(value)}`;
+}
+function hashCanonicalJson(value) {
+  const canonical = toCanonicalJson(value);
+  return `sha256:${sha256Hex(canonical)}`;
+}
+function computeInputHash(input) {
+  if (typeof input === "string") {
+    return hashUtf8(input);
+  }
+  return hashCanonicalJson(input);
+}
+function computeOutputHash(output) {
+  if (typeof output === "string") {
+    return hashUtf8(output);
+  }
+  return hashCanonicalJson(output);
+}
+
+// src/snapshot.ts
+var PACKAGE_VERSION = "0.4.0";
+function validateParameters(params) {
+  const errors = [];
+  if (typeof params.temperature !== "number" || !Number.isFinite(params.temperature)) {
+    errors.push(`parameters.temperature must be a finite number, got: ${params.temperature}`);
+  }
+  if (typeof params.maxTokens !== "number" || !Number.isFinite(params.maxTokens)) {
+    errors.push(`parameters.maxTokens must be a finite number, got: ${params.maxTokens}`);
+  }
+  if (params.topP !== null && (typeof params.topP !== "number" || !Number.isFinite(params.topP))) {
+    errors.push(`parameters.topP must be a finite number or null, got: ${params.topP}`);
+  }
+  if (params.seed !== null && (typeof params.seed !== "number" || !Number.isFinite(params.seed))) {
+    errors.push(`parameters.seed must be a finite number or null, got: ${params.seed}`);
+  }
+  return errors;
+}
+function createSnapshot(params) {
+  const paramErrors = validateParameters(params.parameters);
+  if (paramErrors.length > 0) {
+    throw new Error(`Invalid parameters: ${paramErrors.join("; ")}`);
+  }
+  const inputHash = computeInputHash(params.input);
+  const outputHash = computeOutputHash(params.output);
+  const snapshot = {
+    type: "ai.execution.v1",
+    protocolVersion: "1.2.0",
+    executionSurface: "ai",
+    executionId: params.executionId,
+    timestamp: params.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(),
+    provider: params.provider,
+    model: params.model,
+    modelVersion: params.modelVersion ?? null,
+    prompt: params.prompt,
+    input: params.input,
+    inputHash,
+    parameters: {
+      temperature: params.parameters.temperature,
+      maxTokens: params.parameters.maxTokens,
+      topP: params.parameters.topP ?? null,
+      seed: params.parameters.seed ?? null
+    },
+    output: params.output,
+    outputHash,
+    sdkVersion: params.sdkVersion ?? PACKAGE_VERSION,
+    appId: params.appId ?? null
+  };
+  if (params.runId !== void 0) snapshot.runId = params.runId ?? null;
+  if (params.stepId !== void 0) snapshot.stepId = params.stepId ?? null;
+  if (params.stepIndex !== void 0) snapshot.stepIndex = params.stepIndex ?? null;
+  if (params.workflowId !== void 0) snapshot.workflowId = params.workflowId ?? null;
+  if (params.conversationId !== void 0) snapshot.conversationId = params.conversationId ?? null;
+  if (params.prevStepHash !== void 0) snapshot.prevStepHash = params.prevStepHash ?? null;
+  return snapshot;
+}
+function verifySnapshot(snapshot) {
+  const errors = [];
+  if (snapshot.type !== "ai.execution.v1") {
+    errors.push(`Expected type "ai.execution.v1", got "${snapshot.type}"`);
+  }
+  if (snapshot.protocolVersion !== "1.2.0") {
+    errors.push(`Expected protocolVersion "1.2.0", got "${snapshot.protocolVersion}"`);
+  }
+  if (snapshot.executionSurface !== "ai") {
+    errors.push(`Expected executionSurface "ai", got "${snapshot.executionSurface}"`);
+  }
+  if (!snapshot.executionId || typeof snapshot.executionId !== "string") {
+    errors.push("executionId must be a non-empty string");
+  }
+  if (!snapshot.timestamp || typeof snapshot.timestamp !== "string") {
+    errors.push("timestamp must be a non-empty string");
+  }
+  if (!snapshot.provider || typeof snapshot.provider !== "string") {
+    errors.push("provider must be a non-empty string");
+  }
+  if (!snapshot.model || typeof snapshot.model !== "string") {
+    errors.push("model must be a non-empty string");
+  }
+  if (!snapshot.prompt || typeof snapshot.prompt !== "string") {
+    errors.push("prompt must be a non-empty string");
+  }
+  if (snapshot.input === void 0 || snapshot.input === null) {
+    errors.push("input must be a string or object");
+  }
+  if (snapshot.output === void 0 || snapshot.output === null) {
+    errors.push("output must be a string or object");
+  }
+  const paramErrors = validateParameters(snapshot.parameters);
+  errors.push(...paramErrors);
+  if (!snapshot.inputHash || !snapshot.inputHash.startsWith("sha256:")) {
+    errors.push(`inputHash must start with "sha256:", got "${snapshot.inputHash}"`);
+  }
+  if (!snapshot.outputHash || !snapshot.outputHash.startsWith("sha256:")) {
+    errors.push(`outputHash must start with "sha256:", got "${snapshot.outputHash}"`);
+  }
+  const expectedInputHash = computeInputHash(snapshot.input);
+  if (snapshot.inputHash !== expectedInputHash) {
+    errors.push(`inputHash mismatch: expected ${expectedInputHash}, got ${snapshot.inputHash}`);
+  }
+  const expectedOutputHash = computeOutputHash(snapshot.output);
+  if (snapshot.outputHash !== expectedOutputHash) {
+    errors.push(`outputHash mismatch: expected ${expectedOutputHash}, got ${snapshot.outputHash}`);
+  }
+  return { ok: errors.length === 0, errors };
+}
+
+// src/cer.ts
+function computeCertificateHash(payload) {
+  const canonical = toCanonicalJson(payload);
+  return `sha256:${sha256Hex(canonical)}`;
+}
+function sealCer(snapshot, options) {
+  const createdAt = options?.createdAt ?? (/* @__PURE__ */ new Date()).toISOString();
+  const payload = {
+    bundleType: "cer.ai.execution.v1",
+    createdAt,
+    snapshot,
+    version: "0.1"
+  };
+  const certificateHash = computeCertificateHash(payload);
+  const bundle = {
+    bundleType: "cer.ai.execution.v1",
+    certificateHash,
+    createdAt,
+    version: "0.1",
+    snapshot
+  };
+  if (options?.meta) {
+    bundle.meta = options.meta;
+  }
+  return bundle;
+}
+function verifyCer(bundle) {
+  const errors = [];
+  if (bundle.bundleType !== "cer.ai.execution.v1") {
+    errors.push(`Expected bundleType "cer.ai.execution.v1", got "${bundle.bundleType}"`);
+  }
+  if (bundle.version !== "0.1") {
+    errors.push(`Expected version "0.1", got "${bundle.version}"`);
+  }
+  if (!bundle.createdAt || typeof bundle.createdAt !== "string") {
+    errors.push("createdAt must be a non-empty string");
+  }
+  if (!bundle.certificateHash || !bundle.certificateHash.startsWith("sha256:")) {
+    errors.push(`certificateHash must start with "sha256:", got "${bundle.certificateHash}"`);
+  }
+  if (!bundle.snapshot) {
+    errors.push("snapshot is required");
+    return { ok: false, errors };
+  }
+  const snapshotResult = verifySnapshot(bundle.snapshot);
+  errors.push(...snapshotResult.errors);
+  const payload = {
+    bundleType: "cer.ai.execution.v1",
+    createdAt: bundle.createdAt,
+    snapshot: bundle.snapshot,
+    version: "0.1"
+  };
+  const expectedHash = computeCertificateHash(payload);
+  if (bundle.certificateHash !== expectedHash) {
+    errors.push(`certificateHash mismatch: expected ${expectedHash}, got ${bundle.certificateHash}`);
+  }
+  return { ok: errors.length === 0, errors };
+}
+
+// src/certify.ts
+var crypto2 = __toESM(require("crypto"), 1);
+function certifyDecision(params) {
+  const executionId = params.executionId ?? crypto2.randomUUID();
+  const snapshot = createSnapshot({
+    executionId,
+    timestamp: params.timestamp,
+    provider: params.provider,
+    model: params.model,
+    modelVersion: params.modelVersion,
+    prompt: params.prompt,
+    input: params.input,
+    parameters: params.parameters,
+    output: params.output,
+    sdkVersion: params.sdkVersion,
+    appId: params.appId,
+    runId: params.runId,
+    stepId: params.stepId,
+    stepIndex: params.stepIndex,
+    workflowId: params.workflowId,
+    conversationId: params.conversationId,
+    prevStepHash: params.prevStepHash
+  });
+  return sealCer(snapshot, { meta: params.meta });
+}
+
+// src/run.ts
+var crypto3 = __toESM(require("crypto"), 1);
+var RunBuilder = class {
+  runId;
+  workflowId;
+  conversationId;
+  appId;
+  stepIndex = 0;
+  prevStepHash = null;
+  steps = [];
+  constructor(options) {
+    this.runId = options?.runId ?? crypto3.randomUUID();
+    this.workflowId = options?.workflowId ?? null;
+    this.conversationId = options?.conversationId ?? null;
+    this.appId = options?.appId ?? null;
+  }
+  step(params) {
+    const stepId = params.stepId ?? crypto3.randomUUID();
+    const executionId = `${this.runId}-step-${this.stepIndex}`;
+    const snapshot = createSnapshot({
+      executionId,
+      timestamp: params.timestamp,
+      provider: params.provider,
+      model: params.model,
+      modelVersion: params.modelVersion,
+      prompt: params.prompt,
+      input: params.input,
+      parameters: params.parameters,
+      output: params.output,
+      appId: this.appId,
+      runId: this.runId,
+      stepId,
+      stepIndex: this.stepIndex,
+      workflowId: this.workflowId,
+      conversationId: this.conversationId,
+      prevStepHash: this.prevStepHash
+    });
+    const bundle = sealCer(snapshot, { meta: params.meta });
+    this.steps.push({
+      stepIndex: this.stepIndex,
+      stepId,
+      executionId,
+      certificateHash: bundle.certificateHash,
+      prevStepHash: this.prevStepHash
+    });
+    this.prevStepHash = bundle.certificateHash;
+    this.stepIndex++;
+    return bundle;
+  }
+  finalize() {
+    return {
+      runId: this.runId,
+      workflowId: this.workflowId,
+      conversationId: this.conversationId,
+      stepCount: this.steps.length,
+      steps: [...this.steps],
+      finalStepHash: this.prevStepHash
+    };
+  }
+};
+
+// src/sanitize.ts
+function deepRemoveUndefined(value) {
+  if (value === null || value === void 0) return value;
+  if (typeof value === "bigint") {
+    throw new Error("BigInt values are not JSON-safe and cannot be sanitized");
+  }
+  if (typeof value === "function") {
+    throw new Error("Function values are not JSON-safe and cannot be sanitized");
+  }
+  if (typeof value === "symbol") {
+    throw new Error("Symbol values are not JSON-safe and cannot be sanitized");
+  }
+  if (Array.isArray(value)) {
+    return value.map(deepRemoveUndefined);
+  }
+  if (typeof value === "object") {
+    const result = {};
+    for (const [key, val] of Object.entries(value)) {
+      if (val === void 0) continue;
+      result[key] = deepRemoveUndefined(val);
+    }
+    return result;
+  }
+  return value;
+}
+function sanitizeForAttestation(bundle) {
+  return deepRemoveUndefined(bundle);
+}
+function hasAttestation(bundle) {
+  if (typeof bundle !== "object" || bundle === null) return false;
+  const b = bundle;
+  if (typeof b.attestationId === "string" && b.attestationId.length > 0) return true;
+  if (typeof b.nodeRuntimeHash === "string" && b.nodeRuntimeHash.length > 0) return true;
+  if (typeof b.attestation === "object" && b.attestation !== null) {
+    const att = b.attestation;
+    if (typeof att.attestationId === "string" && att.attestationId.length > 0) return true;
+    if (typeof att.nodeRuntimeHash === "string" && att.nodeRuntimeHash.length > 0) return true;
+  }
+  return false;
+}
+
+// src/attest.ts
+var SHA256_PATTERN = /^sha256:[0-9a-f]{64}$/;
+var DEFAULT_TIMEOUT_MS = 1e4;
+function validateHashFormat(value, fieldName) {
+  if (typeof value !== "string") return null;
+  if (!SHA256_PATTERN.test(value)) {
+    return `${fieldName} is not in sha256:<64hex> format: "${value}"`;
+  }
+  return null;
+}
+async function attest(bundle, options) {
+  const url = `${options.nodeUrl.replace(/\/+$/, "")}/api/attest`;
+  const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+  const sanitized = sanitizeForAttestation(bundle);
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  let response;
+  try {
+    response = await fetch(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Authorization": `Bearer ${options.apiKey}`
+      },
+      body: JSON.stringify(sanitized),
+      signal: controller.signal
+    });
+  } catch (err) {
+    clearTimeout(timer);
+    const error = err;
+    if (error.name === "AbortError") {
+      throw new CerAttestationError(
+        `Attestation request timed out after ${timeoutMs}ms`
+      );
+    }
+    throw new CerAttestationError(
+      `Network error contacting attestation node: ${error.message}`
+    );
+  } finally {
+    clearTimeout(timer);
+  }
+  let body;
+  try {
+    body = await response.json();
+  } catch {
+    const text = await response.text().catch(() => "");
+    throw new CerAttestationError(
+      `Attestation node returned non-JSON response (${response.status}): ${text}`,
+      response.status
+    );
+  }
+  if (!response.ok) {
+    const result2 = body;
+    const msg = typeof result2.error === "string" ? result2.error : `HTTP ${response.status}`;
+    const details = Array.isArray(result2.details) ? result2.details : void 0;
+    throw new CerAttestationError(
+      `Attestation failed: ${msg}`,
+      response.status,
+      body,
+      details
+    );
+  }
+  const result = body;
+  const errors = [];
+  if (typeof result.certificateHash === "string" && result.certificateHash !== bundle.certificateHash) {
+    errors.push(
+      `Node returned certificateHash "${result.certificateHash}" but bundle has "${bundle.certificateHash}"`
+    );
+  }
+  const certHashErr = validateHashFormat(result.certificateHash, "response.certificateHash");
+  if (certHashErr) errors.push(certHashErr);
+  const runtimeHashErr = validateHashFormat(result.nodeRuntimeHash, "response.nodeRuntimeHash");
+  if (runtimeHashErr) errors.push(runtimeHashErr);
+  if (errors.length > 0) {
+    throw new CerAttestationError(
+      `Attestation response validation failed: ${errors.join("; ")}`,
+      response.status,
+      body,
+      errors
+    );
+  }
+  return {
+    ok: true,
+    attestationId: typeof result.attestationId === "string" ? result.attestationId : void 0,
+    nodeRuntimeHash: typeof result.nodeRuntimeHash === "string" ? result.nodeRuntimeHash : void 0,
+    certificateHash: typeof result.certificateHash === "string" ? result.certificateHash : void 0,
+    protocolVersion: typeof result.protocolVersion === "string" ? result.protocolVersion : void 0,
+    raw: body
+  };
+}
+
+// src/archive.ts
+function exportCer(bundle) {
+  return toCanonicalJson(bundle);
+}
+function importCer(json) {
+  let parsed;
+  try {
+    parsed = JSON.parse(json);
+  } catch (err) {
+    throw new CerVerificationError([`Invalid JSON: ${err.message}`]);
+  }
+  const bundle = parsed;
+  if (!bundle || typeof bundle !== "object") {
+    throw new CerVerificationError(["Parsed value is not an object"]);
+  }
+  if (bundle.bundleType !== "cer.ai.execution.v1") {
+    throw new CerVerificationError([`Expected bundleType "cer.ai.execution.v1", got "${bundle.bundleType}"`]);
+  }
+  const result = verifyCer(bundle);
+  if (!result.ok) {
+    throw new CerVerificationError(result.errors);
+  }
+  return bundle;
+}
+
+// src/providers/wrap.ts
+var crypto4 = __toESM(require("crypto"), 1);
+function wrapProvider(config) {
+  return {
+    async execute(params) {
+      const raw = await config.callFn(params.providerInput);
+      const output = config.extractOutput(raw);
+      const modelVersion = config.extractModelVersion ? config.extractModelVersion(raw) : params.modelVersion ?? null;
+      const snapshot = createSnapshot({
+        executionId: params.executionId ?? crypto4.randomUUID(),
+        provider: config.provider,
+        model: params.model,
+        modelVersion,
+        prompt: params.prompt,
+        input: params.input,
+        parameters: params.parameters,
+        output,
+        appId: params.appId
+      });
+      const bundle = sealCer(snapshot, { meta: params.meta });
+      return { output, snapshot, bundle };
+    }
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  CerAttestationError,
+  CerVerificationError,
+  RunBuilder,
+  attest,
+  certifyDecision,
+  computeInputHash,
+  computeOutputHash,
+  createSnapshot,
+  exportCer,
+  hasAttestation,
+  hashCanonicalJson,
+  hashUtf8,
+  importCer,
+  sanitizeForAttestation,
+  sealCer,
+  sha256Hex,
+  toCanonicalJson,
+  verify,
+  verifyCer,
+  verifySnapshot,
+  wrapProvider
+});
+//# sourceMappingURL=index.cjs.map