npm - @nexart/ai-execution - Versions diffs - 0.5.0 → 0.7.0 - Mend

@nexart/ai-execution 0.5.0 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (32) hide show

package/README.md +238 -9
package/dist/index.cjs +660 -10
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +267 -3
package/dist/index.d.ts +267 -3
package/dist/index.mjs +649 -10
package/dist/index.mjs.map +1 -1
package/dist/providers/anthropic.cjs +7 -1
package/dist/providers/anthropic.cjs.map +1 -1
package/dist/providers/anthropic.d.cts +1 -1
package/dist/providers/anthropic.d.ts +1 -1
package/dist/providers/anthropic.mjs +7 -1
package/dist/providers/anthropic.mjs.map +1 -1
package/dist/providers/openai.cjs +7 -1
package/dist/providers/openai.cjs.map +1 -1
package/dist/providers/openai.d.cts +1 -1
package/dist/providers/openai.d.ts +1 -1
package/dist/providers/openai.mjs +7 -1
package/dist/providers/openai.mjs.map +1 -1
package/dist/providers/wrap.cjs +7 -1
package/dist/providers/wrap.cjs.map +1 -1
package/dist/providers/wrap.d.cts +1 -1
package/dist/providers/wrap.d.ts +1 -1
package/dist/providers/wrap.mjs +7 -1
package/dist/providers/wrap.mjs.map +1 -1
package/dist/{types-BjEqrksn.d.cts → types-CcqCDPrD.d.cts} +119 -1
package/dist/{types-BjEqrksn.d.ts → types-CcqCDPrD.d.ts} +119 -1
package/fixtures/v060/legacy-attestation.json +32 -0
package/fixtures/v060/original-meta-bundle.json +36 -0
package/fixtures/v060/pre-v05-bundle.json +29 -0
package/fixtures/v060/redacted-bundle.json +36 -0
package/package.json +2 -2

package/dist/index.cjs CHANGED Viewed

@@ -38,25 +38,36 @@ __export(src_exports, {
   attestIfNeeded: () => attestIfNeeded,
   certifyAndAttestDecision: () => certifyAndAttestDecision,
   certifyDecision: () => certifyDecision,
+  certifyDecisionFromProviderCall: () => certifyDecisionFromProviderCall,
   computeInputHash: () => computeInputHash,
   computeOutputHash: () => computeOutputHash,
+  createClient: () => createClient,
   createSnapshot: () => createSnapshot,
   exportCer: () => exportCer,
   fetchNodeKeys: () => fetchNodeKeys,
   getAttestationReceipt: () => getAttestationReceipt,
   hasAttestation: () => hasAttestation,
   hashCanonicalJson: () => hashCanonicalJson,
+  hashToolOutput: () => hashToolOutput,
   hashUtf8: () => hashUtf8,
   importCer: () => importCer,
+  makeToolEvent: () => makeToolEvent,
+  mapToAiefReason: () => mapToAiefReason,
+  redactBeforeSeal: () => redactBeforeSeal,
   sanitizeForAttestation: () => sanitizeForAttestation,
+  sanitizeForStamp: () => sanitizeForStamp,
+  sanitizeForStorage: () => sanitizeForStorage,
   sealCer: () => sealCer,
   selectNodeKey: () => selectNodeKey,
   sha256Hex: () => sha256Hex,
   toCanonicalJson: () => toCanonicalJson,
+  validateProfile: () => validateProfile,
   verify: () => verifyCer,
+  verifyAief: () => verifyAief,
   verifyBundleAttestation: () => verifyBundleAttestation,
   verifyCer: () => verifyCer,
   verifyNodeReceiptSignature: () => verifyNodeReceiptSignature,
+  verifyRunSummary: () => verifyRunSummary,
   verifySnapshot: () => verifySnapshot,
   wrapProvider: () => wrapProvider
 });
@@ -76,7 +87,13 @@ var CerVerifyCode = {
   ATTESTATION_MISSING: "ATTESTATION_MISSING",
   ATTESTATION_KEY_NOT_FOUND: "ATTESTATION_KEY_NOT_FOUND",
   ATTESTATION_INVALID_SIGNATURE: "ATTESTATION_INVALID_SIGNATURE",
-  ATTESTATION_KEY_FORMAT_UNSUPPORTED: "ATTESTATION_KEY_FORMAT_UNSUPPORTED"
+  ATTESTATION_KEY_FORMAT_UNSUPPORTED: "ATTESTATION_KEY_FORMAT_UNSUPPORTED",
+  // v0.7.0 — Level 4 + AIEF interop codes
+  CHAIN_BREAK_DETECTED: "CHAIN_BREAK_DETECTED",
+  INCOMPLETE_ARTIFACT: "INCOMPLETE_ARTIFACT",
+  VERIFICATION_MATERIAL_UNAVAILABLE: "VERIFICATION_MATERIAL_UNAVAILABLE",
+  TOOL_EVIDENCE_MISSING: "TOOL_EVIDENCE_MISSING",
+  TOOL_OUTPUT_HASH_MISMATCH: "TOOL_OUTPUT_HASH_MISMATCH"
 };
 // src/errors.ts
@@ -172,7 +189,7 @@ function computeOutputHash(output) {
 }
 // src/snapshot.ts
-var PACKAGE_VERSION = "0.5.0";
+var PACKAGE_VERSION = "0.7.0";
 function validateParameters(params) {
   const errors = [];
   if (typeof params.temperature !== "number" || !Number.isFinite(params.temperature)) {
@@ -225,6 +242,9 @@ function createSnapshot(params) {
   if (params.workflowId !== void 0) snapshot.workflowId = params.workflowId ?? null;
   if (params.conversationId !== void 0) snapshot.conversationId = params.conversationId ?? null;
   if (params.prevStepHash !== void 0) snapshot.prevStepHash = params.prevStepHash ?? null;
+  if (params.toolCalls !== void 0 && params.toolCalls.length > 0) {
+    snapshot.toolCalls = params.toolCalls;
+  }
   return snapshot;
 }
 function verifySnapshot(snapshot) {
@@ -332,6 +352,9 @@ function sealCer(snapshot, options) {
   if (options?.meta) {
     bundle.meta = options.meta;
   }
+  if (options?.declaration) {
+    bundle.declaration = options.declaration;
+  }
   return bundle;
 }
 function verifyCer(bundle) {
@@ -523,9 +546,45 @@ function deepRemoveUndefined(value) {
   }
   return value;
 }
+function redactPath(obj, path, replacement) {
+  const parts = path.split(".");
+  const clone = { ...obj };
+  let cursor = clone;
+  for (let i = 0; i < parts.length - 1; i++) {
+    const key = parts[i];
+    if (typeof cursor[key] !== "object" || cursor[key] === null) return clone;
+    cursor[key] = { ...cursor[key] };
+    cursor = cursor[key];
+  }
+  const last = parts[parts.length - 1];
+  if (last in cursor) cursor[last] = replacement;
+  return clone;
+}
 function sanitizeForAttestation(bundle) {
   return deepRemoveUndefined(bundle);
 }
+function sanitizeForStorage(bundle, options) {
+  let cleaned = deepRemoveUndefined(bundle);
+  if (options?.redactPaths && options.redactPaths.length > 0) {
+    const replacement = options.redactWith ?? "[REDACTED]";
+    let obj = cleaned;
+    for (const path of options.redactPaths) {
+      obj = redactPath(obj, path, replacement);
+    }
+    cleaned = obj;
+  }
+  return cleaned;
+}
+function sanitizeForStamp(bundle) {
+  const core = {
+    bundleType: bundle.bundleType,
+    certificateHash: bundle.certificateHash,
+    createdAt: bundle.createdAt,
+    version: bundle.version,
+    snapshot: bundle.snapshot
+  };
+  return deepRemoveUndefined(core);
+}
 function hasAttestation(bundle) {
   if (typeof bundle !== "object" || bundle === null) return false;
   const b = bundle;
@@ -844,10 +903,10 @@ var M = (a, b = P) => {
   return r >= 0n ? r : b + r;
 };
 var modN = (a) => M(a, N);
-var invert = (num, md) => {
-  if (num === 0n || md <= 0n)
-    err("no inverse n=" + num + " mod=" + md);
-  let a = M(num, md), b = md, x = 0n, y = 1n, u = 1n, v = 0n;
+var invert = (num2, md) => {
+  if (num2 === 0n || md <= 0n)
+    err("no inverse n=" + num2 + " mod=" + md);
+  let a = M(num2, md), b = md, x = 0n, y = 1n, u = 1n, v = 0n;
   while (a !== 0n) {
     const q = b / a, r = b % a;
     const m = x - u * q, n = y - v * q;
@@ -1064,7 +1123,7 @@ var G = new Point(Gx, Gy, 1n, M(Gx * Gy));
 var I = new Point(0n, 1n, 1n, 0n);
 Point.BASE = G;
 Point.ZERO = I;
-var numTo32bLE = (num) => hexToBytes(padh(assertRange(num, 0n, B256), L2)).reverse();
+var numTo32bLE = (num2) => hexToBytes(padh(assertRange(num2, 0n, B256), L2)).reverse();
 var bytesToNumLE = (b) => big("0x" + bytesToHex(u8fr(abytes(b)).reverse()));
 var pow2 = (x, power) => {
   let r = x;
@@ -1237,10 +1296,10 @@ function clean(...arrays) {
 function createView(arr) {
   return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
 }
-function utf8ToBytes(str) {
-  if (typeof str !== "string")
+function utf8ToBytes(str2) {
+  if (typeof str2 !== "string")
     throw new Error("string expected");
-  return new Uint8Array(new TextEncoder().encode(str));
+  return new Uint8Array(new TextEncoder().encode(str2));
 }
 function toBytes(data) {
   if (typeof data === "string")
@@ -1846,6 +1905,586 @@ async function verifyBundleAttestation(bundle, options) {
   if (contextLines.length === 0) return sigResult;
   return sigResult.ok ? { ok: true, code: CerVerifyCode.OK, details: contextLines } : { ...sigResult, details: [...contextLines, ...sigResult.details ?? []] };
 }
+// src/certifyFromProvider.ts
+var crypto5 = __toESM(require("crypto"), 1);
+// src/providerExtract.ts
+function str(v) {
+  return typeof v === "string" && v.length > 0 ? v : null;
+}
+function num(v, fallback) {
+  return typeof v === "number" && Number.isFinite(v) ? v : fallback;
+}
+function numOrNull(v) {
+  return typeof v === "number" && Number.isFinite(v) ? v : null;
+}
+function extractChoicesOutput(response) {
+  const choices = response.choices;
+  if (!Array.isArray(choices) || choices.length === 0) return null;
+  const first = choices[0];
+  if (!first || typeof first !== "object") return null;
+  const msg = first.message;
+  if (!msg || typeof msg !== "object") return null;
+  if (typeof msg.content === "string") return msg.content;
+  if (Array.isArray(msg.content)) {
+    const texts = msg.content.filter((p) => typeof p === "object" && p !== null).map((p) => str(p.text)).filter((t) => t !== null);
+    return texts.length > 0 ? texts.join("\n") : null;
+  }
+  return null;
+}
+function extractAnthropicOutput(response) {
+  const content = response.content;
+  if (!Array.isArray(content) || content.length === 0) return null;
+  const first = content[0];
+  if (!first || typeof first !== "object") return null;
+  return str(first.text);
+}
+function extractGeminiOutput(response) {
+  const candidates = response.candidates;
+  if (!Array.isArray(candidates) || candidates.length === 0) return null;
+  const first = candidates[0];
+  if (!first || typeof first !== "object") return null;
+  const contentObj = first.content;
+  if (!contentObj || typeof contentObj !== "object") return null;
+  const parts = contentObj.parts;
+  if (!Array.isArray(parts) || parts.length === 0) return null;
+  const part = parts[0];
+  if (!part || typeof part !== "object") return null;
+  return str(part.text);
+}
+function extractGenericOutput(response) {
+  return str(response.text) ?? str(response.output_text) ?? (typeof response.output === "string" ? response.output : null) ?? str(response.result) ?? null;
+}
+function extractOutput(response) {
+  return extractChoicesOutput(response) ?? extractAnthropicOutput(response) ?? extractGeminiOutput(response) ?? extractGenericOutput(response);
+}
+function extractInput(request) {
+  if (Array.isArray(request.messages) && request.messages.length > 0) {
+    return { messages: request.messages };
+  }
+  if (Array.isArray(request.contents) && request.contents.length > 0) {
+    return { contents: request.contents };
+  }
+  if (typeof request.prompt === "string") return request.prompt;
+  if (typeof request.input === "string") return request.input;
+  if (typeof request.input === "object" && request.input !== null) {
+    return request.input;
+  }
+  return null;
+}
+function derivePrompt(request) {
+  if (typeof request.prompt === "string") return request.prompt;
+  if (Array.isArray(request.messages)) {
+    const msgs = request.messages;
+    for (let i = msgs.length - 1; i >= 0; i--) {
+      const msg = msgs[i];
+      if (msg.role === "user" || msg.role === "human") {
+        const content = msg.content;
+        if (typeof content === "string") return content;
+        if (Array.isArray(content)) {
+          const text = content.filter((p) => typeof p === "object" && p !== null).map((p) => str(p.text)).filter((t) => t !== null).join("\n");
+          if (text) return text;
+        }
+      }
+    }
+  }
+  if (Array.isArray(request.contents)) {
+    const contents = request.contents;
+    for (let i = contents.length - 1; i >= 0; i--) {
+      const c = contents[i];
+      if (c.role === "user") {
+        const parts = c.parts;
+        if (Array.isArray(parts)) {
+          const text = parts.map((p) => str(p.text)).filter((t) => t !== null).join("\n");
+          if (text) return text;
+        }
+      }
+    }
+  }
+  return null;
+}
+function extractParams(request) {
+  const cfg = typeof request.generationConfig === "object" && request.generationConfig !== null ? request.generationConfig : request;
+  return {
+    temperature: num(cfg.temperature, 1),
+    maxTokens: num(cfg.max_tokens ?? cfg.maxTokens ?? cfg.maxOutputTokens ?? cfg.max_output_tokens, 1024),
+    topP: numOrNull(cfg.top_p ?? cfg.topP),
+    seed: numOrNull(cfg.seed)
+  };
+}
+function extractModel(providerHint, request, response, override) {
+  const raw = override ?? str(request.model) ?? str(request.modelId) ?? // Bedrock
+  str(response.model) ?? str(response.modelId) ?? null;
+  if (!raw) return null;
+  const parts = raw.split("/");
+  const modelName = parts[parts.length - 1];
+  const modelVersion = str(response.model_version ?? response.modelVersion) ?? null;
+  return { model: modelName, modelVersion };
+}
+function tryUnwrapBedrock(request) {
+  const modelId = str(request.modelId);
+  if (!modelId) return null;
+  let body = {};
+  if (typeof request.body === "string") {
+    try {
+      body = JSON.parse(request.body);
+    } catch {
+      body = {};
+    }
+  } else if (typeof request.body === "object" && request.body !== null) {
+    body = request.body;
+  }
+  return { req: { ...body, modelId }, modelId };
+}
+function extractFromProviderCall(provider, modelOverride, rawRequest, rawResponse) {
+  let request = rawRequest;
+  if (provider === "bedrock" || str(rawRequest.modelId)) {
+    const unwrapped = tryUnwrapBedrock(rawRequest);
+    if (unwrapped) request = unwrapped.req;
+  }
+  const modelResult = extractModel(provider, request, rawResponse, modelOverride);
+  if (!modelResult) {
+    return {
+      ok: false,
+      reason: "Could not determine model name. Provide it via the `model` field, or ensure request.model / request.modelId is present."
+    };
+  }
+  const input = extractInput(request);
+  if (input === null) {
+    return {
+      ok: false,
+      reason: "Could not extract input. Expected request.messages (OpenAI/Anthropic/Mistral), request.contents (Gemini), or request.prompt/request.input (generic)."
+    };
+  }
+  const prompt = derivePrompt(request) ?? (typeof input === "string" ? input : "[structured input]");
+  const output = extractOutput(rawResponse);
+  if (output === null) {
+    return {
+      ok: false,
+      reason: "Could not extract output text. Expected response.choices[0].message.content (OpenAI/Mistral), response.content[0].text (Anthropic), response.candidates[0].content.parts[0].text (Gemini), or response.text / response.output_text (generic)."
+    };
+  }
+  const parameters = extractParams(request);
+  return {
+    ok: true,
+    data: {
+      model: modelResult.model,
+      modelVersion: modelResult.modelVersion,
+      prompt,
+      input,
+      output,
+      parameters
+    }
+  };
+}
+// src/certifyFromProvider.ts
+function certifyDecisionFromProviderCall(params) {
+  const extracted = extractFromProviderCall(
+    params.provider,
+    params.model,
+    params.request,
+    params.response
+  );
+  if (!extracted.ok) {
+    return { ok: false, code: CerVerifyCode.SCHEMA_ERROR, reason: extracted.reason };
+  }
+  const { model, modelVersion, prompt, input, output, parameters } = extracted.data;
+  try {
+    const snapshot = createSnapshot({
+      executionId: params.executionId ?? crypto5.randomUUID(),
+      timestamp: params.timestamp,
+      provider: params.provider,
+      model,
+      modelVersion,
+      prompt,
+      input,
+      parameters,
+      output,
+      appId: params.appId ?? null,
+      workflowId: params.workflowId ?? null,
+      conversationId: params.conversationId ?? null
+    });
+    const bundle = sealCer(snapshot, { meta: params.meta, createdAt: params.createdAt });
+    return { ok: true, bundle };
+  } catch (err2) {
+    return {
+      ok: false,
+      code: CerVerifyCode.SCHEMA_ERROR,
+      reason: err2 instanceof Error ? err2.message : String(err2)
+    };
+  }
+}
+// src/client.ts
+async function resolveApiKey(key) {
+  if (typeof key === "function") return key();
+  return key ?? "";
+}
+function mergeDefaultMeta(defaults, meta) {
+  const base = {};
+  if (defaults.tags && defaults.tags.length > 0) base.tags = defaults.tags;
+  if (defaults.source) base.source = defaults.source;
+  if (!meta && Object.keys(base).length === 0) return void 0;
+  return { ...base, ...meta };
+}
+function createClient(defaults = {}) {
+  return {
+    certifyDecision(params) {
+      return certifyDecision({
+        appId: defaults.appId ?? null,
+        workflowId: defaults.workflowId ?? null,
+        ...params,
+        meta: mergeDefaultMeta(defaults, params.meta)
+      });
+    },
+    async certifyAndAttestDecision(params, options) {
+      const nodeUrl = options?.nodeUrl ?? defaults.nodeUrl;
+      if (!nodeUrl) {
+        throw new Error("certifyAndAttestDecision requires nodeUrl (set in defaults or options)");
+      }
+      const apiKey = options?.apiKey ?? await resolveApiKey(defaults.apiKey);
+      const mergedParams = {
+        appId: defaults.appId ?? null,
+        workflowId: defaults.workflowId ?? null,
+        ...params,
+        meta: mergeDefaultMeta(defaults, params.meta)
+      };
+      return certifyAndAttestDecision(mergedParams, {
+        nodeUrl,
+        apiKey,
+        timeoutMs: options?.timeoutMs
+      });
+    },
+    verify(bundle) {
+      return verifyCer(bundle);
+    },
+    async verifyBundleAttestation(bundle, options) {
+      const nodeUrl = options?.nodeUrl ?? defaults.nodeUrl;
+      if (!nodeUrl) {
+        throw new Error("verifyBundleAttestation requires nodeUrl (set in defaults or options)");
+      }
+      return verifyBundleAttestation(bundle, { nodeUrl, kid: options?.kid });
+    }
+  };
+}
+// src/aief.ts
+var AIEF_REASON_MAP = {
+  [CerVerifyCode.OK]: "ok",
+  [CerVerifyCode.CERTIFICATE_HASH_MISMATCH]: "integrityProofMismatch",
+  [CerVerifyCode.SNAPSHOT_HASH_MISMATCH]: "integrityProofMismatch",
+  [CerVerifyCode.INPUT_HASH_MISMATCH]: "integrityProofMismatch",
+  [CerVerifyCode.OUTPUT_HASH_MISMATCH]: "integrityProofMismatch",
+  [CerVerifyCode.TOOL_OUTPUT_HASH_MISMATCH]: "integrityProofMismatch",
+  [CerVerifyCode.SCHEMA_ERROR]: "unsupportedSchema",
+  [CerVerifyCode.CANONICALIZATION_ERROR]: "malformedArtifact",
+  [CerVerifyCode.INVALID_SHA256_FORMAT]: "malformedArtifact",
+  [CerVerifyCode.UNKNOWN_ERROR]: "malformedArtifact",
+  [CerVerifyCode.INCOMPLETE_ARTIFACT]: "incompleteArtifact",
+  [CerVerifyCode.CHAIN_BREAK_DETECTED]: "chainBreakDetected",
+  [CerVerifyCode.VERIFICATION_MATERIAL_UNAVAILABLE]: "verificationMaterialUnavailable",
+  [CerVerifyCode.TOOL_EVIDENCE_MISSING]: "incompleteArtifact",
+  [CerVerifyCode.ATTESTATION_INVALID_SIGNATURE]: "signatureInvalid",
+  [CerVerifyCode.ATTESTATION_MISSING]: "verificationMaterialUnavailable",
+  [CerVerifyCode.ATTESTATION_KEY_NOT_FOUND]: "verificationMaterialUnavailable",
+  [CerVerifyCode.ATTESTATION_KEY_FORMAT_UNSUPPORTED]: "verificationMaterialUnavailable"
+};
+var INTEGRITY_FAILURE_CODES = /* @__PURE__ */ new Set([
+  CerVerifyCode.CERTIFICATE_HASH_MISMATCH,
+  CerVerifyCode.SNAPSHOT_HASH_MISMATCH,
+  CerVerifyCode.INPUT_HASH_MISMATCH,
+  CerVerifyCode.OUTPUT_HASH_MISMATCH,
+  CerVerifyCode.TOOL_OUTPUT_HASH_MISMATCH
+]);
+var SCHEMA_FAILURE_CODES = /* @__PURE__ */ new Set([
+  CerVerifyCode.SCHEMA_ERROR,
+  CerVerifyCode.CANONICALIZATION_ERROR,
+  CerVerifyCode.INVALID_SHA256_FORMAT,
+  CerVerifyCode.UNKNOWN_ERROR,
+  CerVerifyCode.INCOMPLETE_ARTIFACT
+]);
+function mapToAiefReason(code) {
+  return AIEF_REASON_MAP[code] ?? "malformedArtifact";
+}
+function verifyAief(bundle) {
+  const inner = verifyCer(bundle);
+  if (inner.ok) {
+    return {
+      result: "PASS",
+      reason: null,
+      checks: {
+        schemaSupported: true,
+        integrityValid: true,
+        protectedSetValid: true,
+        chainValid: true
+      }
+    };
+  }
+  const aiefReason = mapToAiefReason(inner.code);
+  const isIntegrityFailure = INTEGRITY_FAILURE_CODES.has(inner.code);
+  const isSchemaFailure = SCHEMA_FAILURE_CODES.has(inner.code);
+  const isChainFailure = inner.code === CerVerifyCode.CHAIN_BREAK_DETECTED;
+  const result = {
+    result: "FAIL",
+    reason: aiefReason,
+    checks: {
+      schemaSupported: !isSchemaFailure,
+      integrityValid: !isIntegrityFailure,
+      protectedSetValid: !isIntegrityFailure,
+      chainValid: !isChainFailure
+    }
+  };
+  if (inner.details && inner.details.length > 0) {
+    result.notes = inner.details;
+  } else if (inner.errors.length > 0) {
+    result.notes = inner.errors;
+  }
+  return result;
+}
+// src/tools.ts
+function hashToolOutput(value) {
+  if (typeof value === "string") {
+    return hashUtf8(value);
+  }
+  return hashCanonicalJson(value);
+}
+function makeToolEvent(params) {
+  const at = params.at ?? (/* @__PURE__ */ new Date()).toISOString();
+  const outputHash = hashToolOutput(params.output);
+  const event = {
+    toolId: params.toolId,
+    at,
+    outputHash
+  };
+  if (params.input !== void 0) {
+    event.inputHash = hashToolOutput(params.input);
+  }
+  if (params.evidenceRef !== void 0) {
+    event.evidenceRef = params.evidenceRef;
+  }
+  if (params.error !== void 0) {
+    event.error = params.error;
+  }
+  return event;
+}
+// src/chain.ts
+function verifyRunSummary(summary, bundles, opts) {
+  if (bundles.length !== summary.stepCount) {
+    return {
+      ok: false,
+      code: CerVerifyCode.INCOMPLETE_ARTIFACT,
+      errors: [
+        `Step count mismatch: summary declares ${summary.stepCount} step(s), received ${bundles.length}`
+      ],
+      details: ["Possible step deletion or insertion"]
+    };
+  }
+  if (bundles.length === 0) {
+    return { ok: true, code: CerVerifyCode.OK, errors: [] };
+  }
+  let prevHash = null;
+  for (let i = 0; i < bundles.length; i++) {
+    const bundle = bundles[i];
+    const summaryStep = summary.steps[i];
+    if (!summaryStep) {
+      return {
+        ok: false,
+        code: CerVerifyCode.INCOMPLETE_ARTIFACT,
+        errors: [`Missing summary entry for step index ${i}`],
+        breakAt: i
+      };
+    }
+    if (!opts?.skipBundleVerification) {
+      const bundleResult = verifyCer(bundle);
+      if (!bundleResult.ok) {
+        return {
+          ok: false,
+          code: bundleResult.code,
+          errors: [`Step ${i}: individual bundle verification failed: ${bundleResult.errors.join("; ")}`],
+          details: bundleResult.details,
+          breakAt: i
+        };
+      }
+    }
+    const stepIndex = bundle.snapshot?.stepIndex;
+    if (stepIndex !== i) {
+      return {
+        ok: false,
+        code: CerVerifyCode.CHAIN_BREAK_DETECTED,
+        errors: [`Step ${i}: expected stepIndex ${i}, got ${String(stepIndex)}`],
+        details: ["stepIndex mismatch indicates insertion or reordering"],
+        breakAt: i
+      };
+    }
+    const snapshotPrevHash = bundle.snapshot?.prevStepHash ?? null;
+    if (i === 0) {
+      if (snapshotPrevHash !== null) {
+        return {
+          ok: false,
+          code: CerVerifyCode.CHAIN_BREAK_DETECTED,
+          errors: [`Step 0: expected prevStepHash null, got "${snapshotPrevHash}"`],
+          details: ["First step must have prevStepHash null"],
+          breakAt: 0,
+          expectedPrev: "null",
+          observedPrev: snapshotPrevHash
+        };
+      }
+    } else {
+      if (snapshotPrevHash !== prevHash) {
+        return {
+          ok: false,
+          code: CerVerifyCode.CHAIN_BREAK_DETECTED,
+          errors: [`Step ${i}: prevStepHash mismatch \u2014 chain break detected`],
+          details: [
+            `Expected prevStepHash "${prevHash ?? "null"}", got "${snapshotPrevHash ?? "null"}"`
+          ],
+          breakAt: i,
+          expectedPrev: prevHash ?? void 0,
+          observedPrev: snapshotPrevHash ?? void 0
+        };
+      }
+    }
+    if (bundle.certificateHash !== summaryStep.certificateHash) {
+      return {
+        ok: false,
+        code: CerVerifyCode.CHAIN_BREAK_DETECTED,
+        errors: [`Step ${i}: certificateHash does not match summary record`],
+        details: [
+          `Summary has "${summaryStep.certificateHash}", bundle has "${bundle.certificateHash}"`
+        ],
+        breakAt: i
+      };
+    }
+    prevHash = bundle.certificateHash;
+  }
+  const lastBundle = bundles[bundles.length - 1];
+  if (summary.finalStepHash !== lastBundle.certificateHash) {
+    return {
+      ok: false,
+      code: CerVerifyCode.CHAIN_BREAK_DETECTED,
+      errors: ["summary.finalStepHash does not match last step certificateHash"],
+      details: [
+        `Expected "${summary.finalStepHash ?? "null"}", got "${lastBundle.certificateHash}"`
+      ],
+      breakAt: bundles.length - 1,
+      expectedPrev: summary.finalStepHash ?? void 0,
+      observedPrev: lastBundle.certificateHash
+    };
+  }
+  return { ok: true, code: CerVerifyCode.OK, errors: [] };
+}
+// src/redact.ts
+function hashValue(value) {
+  if (typeof value === "string") return hashUtf8(value);
+  return hashCanonicalJson(value);
+}
+function getNestedValue(obj, path) {
+  const parts = path.split(".");
+  let cursor = obj;
+  for (const part of parts) {
+    if (typeof cursor !== "object" || cursor === null) return void 0;
+    cursor = cursor[part];
+  }
+  return cursor;
+}
+function setNestedPath(obj, path, value) {
+  const parts = path.split(".");
+  const clone = { ...obj };
+  let cursor = clone;
+  for (let i = 0; i < parts.length - 1; i++) {
+    const key = parts[i];
+    const child = cursor[key];
+    if (typeof child !== "object" || child === null) return clone;
+    cursor[key] = { ...child };
+    cursor = cursor[key];
+  }
+  const last = parts[parts.length - 1];
+  if (last in cursor) {
+    cursor[last] = value;
+  }
+  return clone;
+}
+function redactBeforeSeal(snapshot, policy) {
+  let result = { ...snapshot };
+  for (const path of policy.paths) {
+    const original = getNestedValue(result, path);
+    if (original === void 0) continue;
+    const envelope = {
+      _redacted: true,
+      hash: hashValue(original)
+    };
+    result = setNestedPath(result, path, envelope);
+    if (path === "input") {
+      result["inputHash"] = computeInputHash(envelope);
+    } else if (path === "output") {
+      result["outputHash"] = computeOutputHash(envelope);
+    }
+  }
+  return result;
+}
+// src/profile.ts
+var SHA256_PATTERN2 = /^sha256:[0-9a-f]{64}$/;
+function validateToolEvent(event, index) {
+  const errs = [];
+  if (!event.toolId || typeof event.toolId !== "string") {
+    errs.push(`toolCalls[${index}].toolId must be a non-empty string`);
+  }
+  if (!event.at || typeof event.at !== "string") {
+    errs.push(`toolCalls[${index}].at must be a non-empty ISO 8601 string`);
+  }
+  if (!event.outputHash || !SHA256_PATTERN2.test(event.outputHash)) {
+    errs.push(`toolCalls[${index}].outputHash must be in sha256:<64hex> format, got "${event.outputHash ?? ""}"`);
+  }
+  if (event.inputHash !== void 0 && !SHA256_PATTERN2.test(event.inputHash)) {
+    errs.push(`toolCalls[${index}].inputHash must be in sha256:<64hex> format when present`);
+  }
+  return errs;
+}
+function validateL2(snapshot, label) {
+  const errs = [];
+  if (!snapshot.executionId) errs.push(`executionId is required for ${label}`);
+  if (!snapshot.timestamp) errs.push(`timestamp is required for ${label}`);
+  if (!snapshot.provider) errs.push(`provider is required for ${label}`);
+  if (!snapshot.model) errs.push(`model is required for ${label}`);
+  if (snapshot.input === void 0 || snapshot.input === null) errs.push(`input is required for ${label}`);
+  if (snapshot.output === void 0 || snapshot.output === null) errs.push(`output is required for ${label}`);
+  if (!snapshot.inputHash) errs.push(`inputHash is required for ${label}`);
+  if (!snapshot.outputHash) errs.push(`outputHash is required for ${label}`);
+  return errs;
+}
+function resolveSnapshot(target) {
+  if ("snapshot" in target && target.snapshot) {
+    return target.snapshot;
+  }
+  return target;
+}
+function validateProfile(target, profile) {
+  if (profile === "flexible") {
+    return { ok: true, errors: [] };
+  }
+  const snapshot = resolveSnapshot(target);
+  const errors = [];
+  if (profile === "AIEF_L2" || profile === "AIEF_L3" || profile === "AIEF_L4") {
+    errors.push(...validateL2(snapshot, profile));
+  }
+  if (profile === "AIEF_L4") {
+    if (snapshot.toolCalls && snapshot.toolCalls.length > 0) {
+      for (let i = 0; i < snapshot.toolCalls.length; i++) {
+        errors.push(...validateToolEvent(snapshot.toolCalls[i], i));
+      }
+    }
+    if (snapshot.stepIndex !== null && snapshot.stepIndex !== void 0 && snapshot.stepIndex > 0 && !snapshot.prevStepHash) {
+      errors.push("prevStepHash is required when stepIndex > 0 in AIEF_L4 profile");
+    }
+  }
+  return { ok: errors.length === 0, errors };
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   CerAttestationError,
@@ -1856,25 +2495,36 @@ async function verifyBundleAttestation(bundle, options) {
   attestIfNeeded,
   certifyAndAttestDecision,
   certifyDecision,
+  certifyDecisionFromProviderCall,
   computeInputHash,
   computeOutputHash,
+  createClient,
   createSnapshot,
   exportCer,
   fetchNodeKeys,
   getAttestationReceipt,
   hasAttestation,
   hashCanonicalJson,
+  hashToolOutput,
   hashUtf8,
   importCer,
+  makeToolEvent,
+  mapToAiefReason,
+  redactBeforeSeal,
   sanitizeForAttestation,
+  sanitizeForStamp,
+  sanitizeForStorage,
   sealCer,
   selectNodeKey,
   sha256Hex,
   toCanonicalJson,
+  validateProfile,
   verify,
+  verifyAief,
   verifyBundleAttestation,
   verifyCer,
   verifyNodeReceiptSignature,
+  verifyRunSummary,
   verifySnapshot,
   wrapProvider
 });