@nexart/ai-execution 0.5.0 → 0.7.0

package/dist/providers/wrap.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/providers/wrap.ts","../../src/hash.ts","../../src/canonicalJson.ts","../../src/snapshot.ts","../../src/cer.ts"],"sourcesContent":["import * as crypto from 'crypto';\nimport type {\n  ProviderConfig,\n  WrappedExecutionParams,\n  WrappedExecutionResult,\n} from '../types.js';\nimport { createSnapshot } from '../snapshot.js';\nimport { sealCer } from '../cer.js';\n\nexport function wrapProvider<TInput = unknown, TOutput = unknown>(\n  config: ProviderConfig<TInput, TOutput>,\n) {\n  return {\n    async execute(params: WrappedExecutionParams & { providerInput: TInput }): Promise<WrappedExecutionResult> {\n      const raw = await config.callFn(params.providerInput);\n      const output = config.extractOutput(raw);\n      const modelVersion = config.extractModelVersion\n        ? config.extractModelVersion(raw)\n        : (params.modelVersion ?? null);\n\n      const snapshot = createSnapshot({\n        executionId: params.executionId ?? crypto.randomUUID(),\n        provider: config.provider,\n        model: params.model,\n        modelVersion,\n        prompt: params.prompt,\n        input: params.input,\n        parameters: params.parameters,\n        output,\n        appId: params.appId,\n      });\n\n      const bundle = sealCer(snapshot, { meta: params.meta });\n\n      return { output, snapshot, bundle };\n    },\n  };\n}\n","import * as crypto from 'crypto';\nimport { toCanonicalJson } from './canonicalJson.js';\n\nexport function sha256Hex(data: string | Uint8Array): string {\n  const hash = crypto.createHash('sha256');\n  if (typeof data === 'string') {\n    hash.update(data, 'utf-8');\n  } else {\n    hash.update(data);\n  }\n  return hash.digest('hex');\n}\n\nexport function hashUtf8(value: string): string {\n  return `sha256:${sha256Hex(value)}`;\n}\n\nexport function hashCanonicalJson(value: unknown): string {\n  const canonical = toCanonicalJson(value);\n  return `sha256:${sha256Hex(canonical)}`;\n}\n\nexport function computeInputHash(input: string | Record<string, unknown>): string {\n  if (typeof input === 'string') {\n    return hashUtf8(input);\n  }\n  return hashCanonicalJson(input);\n}\n\nexport function computeOutputHash(output: string | Record<string, unknown>): string {\n  if (typeof output === 'string') {\n    return hashUtf8(output);\n  }\n  return hashCanonicalJson(output);\n}\n","export function toCanonicalJson(value: unknown): string {\n  return canonicalize(value);\n}\n\nfunction canonicalize(value: unknown): string {\n  if (value === null) {\n    return 'null';\n  }\n\n  if (typeof value === 'boolean') {\n    return value ? 'true' : 'false';\n  }\n\n  if (typeof value === 'number') {\n    if (!Number.isFinite(value)) {\n      throw new Error(`Non-finite number not allowed in canonical JSON: ${value}`);\n    }\n    return JSON.stringify(value);\n  }\n\n  if (typeof value === 'string') {\n    return JSON.stringify(value);\n  }\n\n  if (Array.isArray(value)) {\n    const items = value.map(item => canonicalize(item));\n    return '[' + items.join(',') + ']';\n  }\n\n  if (typeof value === 'object') {\n    const obj = value as Record<string, unknown>;\n    const keys = Object.keys(obj).sort();\n    const entries = keys.map(key => {\n      const val = obj[key];\n      if (val === undefined) {\n        return null;\n      }\n      return JSON.stringify(key) + ':' + canonicalize(val);\n    }).filter(e => e !== null);\n    return '{' + entries.join(',') + '}';\n  }\n\n  throw new Error(`Unsupported type for canonical JSON: ${typeof value}`);\n}\n","import type { AiExecutionSnapshotV1, CreateSnapshotParams, VerificationResult, AiExecutionParameters } from './types.js';\nimport { CerVerifyCode } from './types.js';\nimport { computeInputHash, computeOutputHash } from './hash.js';\n\nconst PACKAGE_VERSION = '0.5.0';\n\nfunction validateParameters(params: AiExecutionParameters): string[] {\n  const errors: string[] = [];\n\n  if (typeof params.temperature !== 'number' || !Number.isFinite(params.temperature)) {\n    errors.push(`parameters.temperature must be a finite number, got: ${params.temperature}`);\n  }\n\n  if (typeof params.maxTokens !== 'number' || !Number.isFinite(params.maxTokens)) {\n    errors.push(`parameters.maxTokens must be a finite number, got: ${params.maxTokens}`);\n  }\n\n  if (params.topP !== null && (typeof params.topP !== 'number' || !Number.isFinite(params.topP))) {\n    errors.push(`parameters.topP must be a finite number or null, got: ${params.topP}`);\n  }\n\n  if (params.seed !== null && (typeof params.seed !== 'number' || !Number.isFinite(params.seed))) {\n    errors.push(`parameters.seed must be a finite number or null, got: ${params.seed}`);\n  }\n\n  return errors;\n}\n\nexport function createSnapshot(params: CreateSnapshotParams): AiExecutionSnapshotV1 {\n  const paramErrors = validateParameters(params.parameters);\n  if (paramErrors.length > 0) {\n    throw new Error(`Invalid parameters: ${paramErrors.join('; ')}`);\n  }\n\n  const inputHash = computeInputHash(params.input);\n  const outputHash = computeOutputHash(params.output);\n\n  const snapshot: AiExecutionSnapshotV1 = {\n    type: 'ai.execution.v1',\n    protocolVersion: '1.2.0',\n    executionSurface: 'ai',\n    executionId: params.executionId,\n    timestamp: params.timestamp ?? new Date().toISOString(),\n    provider: params.provider,\n    model: params.model,\n    modelVersion: params.modelVersion ?? null,\n    prompt: params.prompt,\n    input: params.input,\n    inputHash,\n    parameters: {\n      temperature: params.parameters.temperature,\n      maxTokens: params.parameters.maxTokens,\n      topP: params.parameters.topP ?? null,\n      seed: params.parameters.seed ?? null,\n    },\n    output: params.output,\n    outputHash,\n    sdkVersion: params.sdkVersion ?? PACKAGE_VERSION,\n    appId: params.appId ?? null,\n  };\n\n  if (params.runId !== undefined) snapshot.runId = params.runId ?? null;\n  if (params.stepId !== undefined) snapshot.stepId = params.stepId ?? null;\n  if (params.stepIndex !== undefined) snapshot.stepIndex = params.stepIndex ?? null;\n  if (params.workflowId !== undefined) snapshot.workflowId = params.workflowId ?? null;\n  if (params.conversationId !== undefined) snapshot.conversationId = params.conversationId ?? null;\n  if (params.prevStepHash !== undefined) snapshot.prevStepHash = params.prevStepHash ?? null;\n\n  return snapshot;\n}\n\nexport function verifySnapshot(snapshot: AiExecutionSnapshotV1): VerificationResult {\n  const schemaErrors: string[] = [];\n  const formatErrors: string[] = [];\n  const inputHashErrors: string[] = [];\n  const outputHashErrors: string[] = [];\n\n  if (snapshot.type !== 'ai.execution.v1') {\n    schemaErrors.push(`Expected type \"ai.execution.v1\", got \"${snapshot.type}\"`);\n  }\n\n  if (snapshot.protocolVersion !== '1.2.0') {\n    schemaErrors.push(`Expected protocolVersion \"1.2.0\", got \"${snapshot.protocolVersion}\"`);\n  }\n\n  if (snapshot.executionSurface !== 'ai') {\n    schemaErrors.push(`Expected executionSurface \"ai\", got \"${snapshot.executionSurface}\"`);\n  }\n\n  if (!snapshot.executionId || typeof snapshot.executionId !== 'string') {\n    schemaErrors.push('executionId must be a non-empty string');\n  }\n\n  if (!snapshot.timestamp || typeof snapshot.timestamp !== 'string') {\n    schemaErrors.push('timestamp must be a non-empty string');\n  }\n\n  if (!snapshot.provider || typeof snapshot.provider !== 'string') {\n    schemaErrors.push('provider must be a non-empty string');\n  }\n\n  if (!snapshot.model || typeof snapshot.model !== 'string') {\n    schemaErrors.push('model must be a non-empty string');\n  }\n\n  if (!snapshot.prompt || typeof snapshot.prompt !== 'string') {\n    schemaErrors.push('prompt must be a non-empty string');\n  }\n\n  if (snapshot.input === undefined || snapshot.input === null) {\n    schemaErrors.push('input must be a string or object');\n  }\n\n  if (snapshot.output === undefined || snapshot.output === null) {\n    schemaErrors.push('output must be a string or object');\n  }\n\n  const paramErrors = validateParameters(snapshot.parameters);\n  schemaErrors.push(...paramErrors);\n\n  if (!snapshot.inputHash || !snapshot.inputHash.startsWith('sha256:')) {\n    formatErrors.push(`inputHash must start with \"sha256:\", got \"${snapshot.inputHash}\"`);\n  }\n\n  if (!snapshot.outputHash || !snapshot.outputHash.startsWith('sha256:')) {\n    formatErrors.push(`outputHash must start with \"sha256:\", got \"${snapshot.outputHash}\"`);\n  }\n\n  if (formatErrors.length === 0) {\n    const expectedInputHash = computeInputHash(snapshot.input);\n    if (snapshot.inputHash !== expectedInputHash) {\n      inputHashErrors.push(`inputHash mismatch: expected ${expectedInputHash}, got ${snapshot.inputHash}`);\n    }\n\n    const expectedOutputHash = computeOutputHash(snapshot.output);\n    if (snapshot.outputHash !== expectedOutputHash) {\n      outputHashErrors.push(`outputHash mismatch: expected ${expectedOutputHash}, got ${snapshot.outputHash}`);\n    }\n  }\n\n  const errors = [...schemaErrors, ...formatErrors, ...inputHashErrors, ...outputHashErrors];\n\n  if (errors.length === 0) {\n    return { ok: true, errors: [], code: CerVerifyCode.OK };\n  }\n\n  let code: typeof CerVerifyCode[keyof typeof CerVerifyCode];\n  let details: string[];\n\n  if (schemaErrors.length > 0) {\n    code = CerVerifyCode.SCHEMA_ERROR;\n    details = schemaErrors;\n  } else if (formatErrors.length > 0) {\n    code = CerVerifyCode.INVALID_SHA256_FORMAT;\n    details = formatErrors;\n  } else if (inputHashErrors.length > 0 && outputHashErrors.length > 0) {\n    code = CerVerifyCode.SNAPSHOT_HASH_MISMATCH;\n    details = [...inputHashErrors, ...outputHashErrors];\n  } else if (inputHashErrors.length > 0) {\n    code = CerVerifyCode.INPUT_HASH_MISMATCH;\n    details = inputHashErrors;\n  } else if (outputHashErrors.length > 0) {\n    code = CerVerifyCode.OUTPUT_HASH_MISMATCH;\n    details = outputHashErrors;\n  } else {\n    code = CerVerifyCode.UNKNOWN_ERROR;\n    details = errors;\n  }\n\n  return { ok: false, errors, code, details };\n}\n","import type { AiExecutionSnapshotV1, CerAiExecutionBundle, CerMeta, VerificationResult } from './types.js';\nimport { CerVerifyCode } from './types.js';\nimport { toCanonicalJson } from './canonicalJson.js';\nimport { sha256Hex } from './hash.js';\nimport { verifySnapshot } from './snapshot.js';\n\ninterface CertificatePayload {\n  bundleType: 'cer.ai.execution.v1';\n  createdAt: string;\n  snapshot: AiExecutionSnapshotV1;\n  version: '0.1';\n}\n\nfunction computeCertificateHash(payload: CertificatePayload): string {\n  const canonical = toCanonicalJson(payload);\n  return `sha256:${sha256Hex(canonical)}`;\n}\n\nexport function sealCer(\n  snapshot: AiExecutionSnapshotV1,\n  options?: { createdAt?: string; meta?: CerMeta }\n): CerAiExecutionBundle {\n  const createdAt = options?.createdAt ?? new Date().toISOString();\n\n  const payload: CertificatePayload = {\n    bundleType: 'cer.ai.execution.v1',\n    createdAt,\n    snapshot,\n    version: '0.1',\n  };\n\n  const certificateHash = computeCertificateHash(payload);\n\n  const bundle: CerAiExecutionBundle = {\n    bundleType: 'cer.ai.execution.v1',\n    certificateHash,\n    createdAt,\n    version: '0.1',\n    snapshot,\n  };\n\n  if (options?.meta) {\n    bundle.meta = options.meta;\n  }\n\n  return bundle;\n}\n\nexport function verifyCer(bundle: CerAiExecutionBundle): VerificationResult {\n  const schemaErrors: string[] = [];\n  const formatErrors: string[] = [];\n\n  if (bundle.bundleType !== 'cer.ai.execution.v1') {\n    schemaErrors.push(`Expected bundleType \"cer.ai.execution.v1\", got \"${bundle.bundleType}\"`);\n  }\n\n  if (bundle.version !== '0.1') {\n    schemaErrors.push(`Expected version \"0.1\", got \"${bundle.version}\"`);\n  }\n\n  if (!bundle.createdAt || typeof bundle.createdAt !== 'string') {\n    schemaErrors.push('createdAt must be a non-empty string');\n  }\n\n  if (!bundle.certificateHash || !bundle.certificateHash.startsWith('sha256:')) {\n    formatErrors.push(`certificateHash must start with \"sha256:\", got \"${bundle.certificateHash}\"`);\n  }\n\n  if (!bundle.snapshot) {\n    schemaErrors.push('snapshot is required');\n    const allErrors = [...schemaErrors, ...formatErrors];\n    return { ok: false, errors: allErrors, code: CerVerifyCode.SCHEMA_ERROR, details: schemaErrors };\n  }\n\n  let canonicalizationError: string | null = null;\n  let snapshotResult: VerificationResult | null = null;\n\n  try {\n    snapshotResult = verifySnapshot(bundle.snapshot);\n  } catch (err) {\n    canonicalizationError = err instanceof Error ? err.message : String(err);\n  }\n\n  if (canonicalizationError !== null) {\n    const errors = [...schemaErrors, ...formatErrors, canonicalizationError];\n    return { ok: false, errors, code: CerVerifyCode.CANONICALIZATION_ERROR, details: [canonicalizationError] };\n  }\n\n  const snapshotErrors = snapshotResult!.errors;\n\n  const certHashErrors: string[] = [];\n  try {\n    const payload: CertificatePayload = {\n      bundleType: 'cer.ai.execution.v1',\n      createdAt: bundle.createdAt,\n      snapshot: bundle.snapshot,\n      version: '0.1',\n    };\n    const expectedHash = computeCertificateHash(payload);\n    if (bundle.certificateHash !== expectedHash) {\n      certHashErrors.push(`certificateHash mismatch: expected ${expectedHash}, got ${bundle.certificateHash}`);\n    }\n  } catch (err) {\n    const msg = err instanceof Error ? err.message : String(err);\n    const errors = [...schemaErrors, ...formatErrors, ...snapshotErrors, msg];\n    return { ok: false, errors, code: CerVerifyCode.CANONICALIZATION_ERROR, details: [msg] };\n  }\n\n  const errors = [...schemaErrors, ...formatErrors, ...snapshotErrors, ...certHashErrors];\n\n  if (errors.length === 0) {\n    return { ok: true, errors: [], code: CerVerifyCode.OK };\n  }\n\n  let code: typeof CerVerifyCode[keyof typeof CerVerifyCode];\n  let details: string[];\n\n  if (schemaErrors.length > 0) {\n    code = CerVerifyCode.SCHEMA_ERROR;\n    details = schemaErrors;\n  } else if (formatErrors.length > 0) {\n    code = CerVerifyCode.INVALID_SHA256_FORMAT;\n    details = formatErrors;\n  } else if (certHashErrors.length > 0 && snapshotErrors.length === 0) {\n    code = CerVerifyCode.CERTIFICATE_HASH_MISMATCH;\n    details = certHashErrors;\n  } else if (snapshotResult && snapshotResult.code !== CerVerifyCode.OK) {\n    code = snapshotResult.code;\n    details = snapshotResult.details ?? snapshotErrors;\n  } else if (certHashErrors.length > 0) {\n    code = CerVerifyCode.CERTIFICATE_HASH_MISMATCH;\n    details = certHashErrors;\n  } else {\n    code = CerVerifyCode.UNKNOWN_ERROR;\n    details = errors;\n  }\n\n  return { ok: false, errors, code, details };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAAAA,UAAwB;;;ACAxB,aAAwB;;;ACAjB,SAAS,gBAAgB,OAAwB;AACtD,SAAO,aAAa,KAAK;AAC3B;AAEA,SAAS,aAAa,OAAwB;AAC5C,MAAI,UAAU,MAAM;AAClB,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,UAAU,WAAW;AAC9B,WAAO,QAAQ,SAAS;AAAA,EAC1B;AAEA,MAAI,OAAO,UAAU,UAAU;AAC7B,QAAI,CAAC,OAAO,SAAS,KAAK,GAAG;AAC3B,YAAM,IAAI,MAAM,oDAAoD,KAAK,EAAE;AAAA,IAC7E;AACA,WAAO,KAAK,UAAU,KAAK;AAAA,EAC7B;AAEA,MAAI,OAAO,UAAU,UAAU;AAC7B,WAAO,KAAK,UAAU,KAAK;AAAA,EAC7B;AAEA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,UAAM,QAAQ,MAAM,IAAI,UAAQ,aAAa,IAAI,CAAC;AAClD,WAAO,MAAM,MAAM,KAAK,GAAG,IAAI;AAAA,EACjC;AAEA,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,MAAM;AACZ,UAAM,OAAO,OAAO,KAAK,GAAG,EAAE,KAAK;AACnC,UAAM,UAAU,KAAK,IAAI,SAAO;AAC9B,YAAM,MAAM,IAAI,GAAG;AACnB,UAAI,QAAQ,QAAW;AACrB,eAAO;AAAA,MACT;AACA,aAAO,KAAK,UAAU,GAAG,IAAI,MAAM,aAAa,GAAG;AAAA,IACrD,CAAC,EAAE,OAAO,OAAK,MAAM,IAAI;AACzB,WAAO,MAAM,QAAQ,KAAK,GAAG,IAAI;AAAA,EACnC;AAEA,QAAM,IAAI,MAAM,wCAAwC,OAAO,KAAK,EAAE;AACxE;;;ADxCO,SAAS,UAAU,MAAmC;AAC3D,QAAM,OAAc,kBAAW,QAAQ;AACvC,MAAI,OAAO,SAAS,UAAU;AAC5B,SAAK,OAAO,MAAM,OAAO;AAAA,EAC3B,OAAO;AACL,SAAK,OAAO,IAAI;AAAA,EAClB;AACA,SAAO,KAAK,OAAO,KAAK;AAC1B;AAEO,SAAS,SAAS,OAAuB;AAC9C,SAAO,UAAU,UAAU,KAAK,CAAC;AACnC;AAEO,SAAS,kBAAkB,OAAwB;AACxD,QAAM,YAAY,gBAAgB,KAAK;AACvC,SAAO,UAAU,UAAU,SAAS,CAAC;AACvC;AAEO,SAAS,iBAAiB,OAAiD;AAChF,MAAI,OAAO,UAAU,UAAU;AAC7B,WAAO,SAAS,KAAK;AAAA,EACvB;AACA,SAAO,kBAAkB,KAAK;AAChC;AAEO,SAAS,kBAAkB,QAAkD;AAClF,MAAI,OAAO,WAAW,UAAU;AAC9B,WAAO,SAAS,MAAM;AAAA,EACxB;AACA,SAAO,kBAAkB,MAAM;AACjC;;;AE9BA,IAAM,kBAAkB;AAExB,SAAS,mBAAmB,QAAyC;AACnE,QAAM,SAAmB,CAAC;AAE1B,MAAI,OAAO,OAAO,gBAAgB,YAAY,CAAC,OAAO,SAAS,OAAO,WAAW,GAAG;AAClF,WAAO,KAAK,wDAAwD,OAAO,WAAW,EAAE;AAAA,EAC1F;AAEA,MAAI,OAAO,OAAO,cAAc,YAAY,CAAC,OAAO,SAAS,OAAO,SAAS,GAAG;AAC9E,WAAO,KAAK,sDAAsD,OAAO,SAAS,EAAE;AAAA,EACtF;AAEA,MAAI,OAAO,SAAS,SAAS,OAAO,OAAO,SAAS,YAAY,CAAC,OAAO,SAAS,OAAO,IAAI,IAAI;AAC9F,WAAO,KAAK,yDAAyD,OAAO,IAAI,EAAE;AAAA,EACpF;AAEA,MAAI,OAAO,SAAS,SAAS,OAAO,OAAO,SAAS,YAAY,CAAC,OAAO,SAAS,OAAO,IAAI,IAAI;AAC9F,WAAO,KAAK,yDAAyD,OAAO,IAAI,EAAE;AAAA,EACpF;AAEA,SAAO;AACT;AAEO,SAAS,eAAe,QAAqD;AAClF,QAAM,cAAc,mBAAmB,OAAO,UAAU;AACxD,MAAI,YAAY,SAAS,GAAG;AAC1B,UAAM,IAAI,MAAM,uBAAuB,YAAY,KAAK,IAAI,CAAC,EAAE;AAAA,EACjE;AAEA,QAAM,YAAY,iBAAiB,OAAO,KAAK;AAC/C,QAAM,aAAa,kBAAkB,OAAO,MAAM;AAElD,QAAM,WAAkC;AAAA,IACtC,MAAM;AAAA,IACN,iBAAiB;AAAA,IACjB,kBAAkB;AAAA,IAClB,aAAa,OAAO;AAAA,IACpB,WAAW,OAAO,cAAa,oBAAI,KAAK,GAAE,YAAY;AAAA,IACtD,UAAU,OAAO;AAAA,IACjB,OAAO,OAAO;AAAA,IACd,cAAc,OAAO,gBAAgB;AAAA,IACrC,QAAQ,OAAO;AAAA,IACf,OAAO,OAAO;AAAA,IACd;AAAA,IACA,YAAY;AAAA,MACV,aAAa,OAAO,WAAW;AAAA,MAC/B,WAAW,OAAO,WAAW;AAAA,MAC7B,MAAM,OAAO,WAAW,QAAQ;AAAA,MAChC,MAAM,OAAO,WAAW,QAAQ;AAAA,IAClC;AAAA,IACA,QAAQ,OAAO;AAAA,IACf;AAAA,IACA,YAAY,OAAO,cAAc;AAAA,IACjC,OAAO,OAAO,SAAS;AAAA,EACzB;AAEA,MAAI,OAAO,UAAU,OAAW,UAAS,QAAQ,OAAO,SAAS;AACjE,MAAI,OAAO,WAAW,OAAW,UAAS,SAAS,OAAO,UAAU;AACpE,MAAI,OAAO,cAAc,OAAW,UAAS,YAAY,OAAO,aAAa;AAC7E,MAAI,OAAO,eAAe,OAAW,UAAS,aAAa,OAAO,cAAc;AAChF,MAAI,OAAO,mBAAmB,OAAW,UAAS,iBAAiB,OAAO,kBAAkB;AAC5F,MAAI,OAAO,iBAAiB,OAAW,UAAS,eAAe,OAAO,gBAAgB;AAEtF,SAAO;AACT;;;ACxDA,SAAS,uBAAuB,SAAqC;AACnE,QAAM,YAAY,gBAAgB,OAAO;AACzC,SAAO,UAAU,UAAU,SAAS,CAAC;AACvC;AAEO,SAAS,QACd,UACA,SACsB;AACtB,QAAM,YAAY,SAAS,cAAa,oBAAI,KAAK,GAAE,YAAY;AAE/D,QAAM,UAA8B;AAAA,IAClC,YAAY;AAAA,IACZ;AAAA,IACA;AAAA,IACA,SAAS;AAAA,EACX;AAEA,QAAM,kBAAkB,uBAAuB,OAAO;AAEtD,QAAM,SAA+B;AAAA,IACnC,YAAY;AAAA,IACZ;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT;AAAA,EACF;AAEA,MAAI,SAAS,MAAM;AACjB,WAAO,OAAO,QAAQ;AAAA,EACxB;AAEA,SAAO;AACT;;;AJrCO,SAAS,aACd,QACA;AACA,SAAO;AAAA,IACL,MAAM,QAAQ,QAA6F;AACzG,YAAM,MAAM,MAAM,OAAO,OAAO,OAAO,aAAa;AACpD,YAAM,SAAS,OAAO,cAAc,GAAG;AACvC,YAAM,eAAe,OAAO,sBACxB,OAAO,oBAAoB,GAAG,IAC7B,OAAO,gBAAgB;AAE5B,YAAM,WAAW,eAAe;AAAA,QAC9B,aAAa,OAAO,eAAsB,mBAAW;AAAA,QACrD,UAAU,OAAO;AAAA,QACjB,OAAO,OAAO;AAAA,QACd;AAAA,QACA,QAAQ,OAAO;AAAA,QACf,OAAO,OAAO;AAAA,QACd,YAAY,OAAO;AAAA,QACnB;AAAA,QACA,OAAO,OAAO;AAAA,MAChB,CAAC;AAED,YAAM,SAAS,QAAQ,UAAU,EAAE,MAAM,OAAO,KAAK,CAAC;AAEtD,aAAO,EAAE,QAAQ,UAAU,OAAO;AAAA,IACpC;AAAA,EACF;AACF;","names":["crypto"]}
+{"version":3,"sources":["../../src/providers/wrap.ts","../../src/hash.ts","../../src/canonicalJson.ts","../../src/snapshot.ts","../../src/cer.ts"],"sourcesContent":["import * as crypto from 'crypto';\nimport type {\n  ProviderConfig,\n  WrappedExecutionParams,\n  WrappedExecutionResult,\n} from '../types.js';\nimport { createSnapshot } from '../snapshot.js';\nimport { sealCer } from '../cer.js';\n\nexport function wrapProvider<TInput = unknown, TOutput = unknown>(\n  config: ProviderConfig<TInput, TOutput>,\n) {\n  return {\n    async execute(params: WrappedExecutionParams & { providerInput: TInput }): Promise<WrappedExecutionResult> {\n      const raw = await config.callFn(params.providerInput);\n      const output = config.extractOutput(raw);\n      const modelVersion = config.extractModelVersion\n        ? config.extractModelVersion(raw)\n        : (params.modelVersion ?? null);\n\n      const snapshot = createSnapshot({\n        executionId: params.executionId ?? crypto.randomUUID(),\n        provider: config.provider,\n        model: params.model,\n        modelVersion,\n        prompt: params.prompt,\n        input: params.input,\n        parameters: params.parameters,\n        output,\n        appId: params.appId,\n      });\n\n      const bundle = sealCer(snapshot, { meta: params.meta });\n\n      return { output, snapshot, bundle };\n    },\n  };\n}\n","import * as crypto from 'crypto';\nimport { toCanonicalJson } from './canonicalJson.js';\n\nexport function sha256Hex(data: string | Uint8Array): string {\n  const hash = crypto.createHash('sha256');\n  if (typeof data === 'string') {\n    hash.update(data, 'utf-8');\n  } else {\n    hash.update(data);\n  }\n  return hash.digest('hex');\n}\n\nexport function hashUtf8(value: string): string {\n  return `sha256:${sha256Hex(value)}`;\n}\n\nexport function hashCanonicalJson(value: unknown): string {\n  const canonical = toCanonicalJson(value);\n  return `sha256:${sha256Hex(canonical)}`;\n}\n\nexport function computeInputHash(input: string | Record<string, unknown>): string {\n  if (typeof input === 'string') {\n    return hashUtf8(input);\n  }\n  return hashCanonicalJson(input);\n}\n\nexport function computeOutputHash(output: string | Record<string, unknown>): string {\n  if (typeof output === 'string') {\n    return hashUtf8(output);\n  }\n  return hashCanonicalJson(output);\n}\n","export function toCanonicalJson(value: unknown): string {\n  return canonicalize(value);\n}\n\nfunction canonicalize(value: unknown): string {\n  if (value === null) {\n    return 'null';\n  }\n\n  if (typeof value === 'boolean') {\n    return value ? 'true' : 'false';\n  }\n\n  if (typeof value === 'number') {\n    if (!Number.isFinite(value)) {\n      throw new Error(`Non-finite number not allowed in canonical JSON: ${value}`);\n    }\n    return JSON.stringify(value);\n  }\n\n  if (typeof value === 'string') {\n    return JSON.stringify(value);\n  }\n\n  if (Array.isArray(value)) {\n    const items = value.map(item => canonicalize(item));\n    return '[' + items.join(',') + ']';\n  }\n\n  if (typeof value === 'object') {\n    const obj = value as Record<string, unknown>;\n    const keys = Object.keys(obj).sort();\n    const entries = keys.map(key => {\n      const val = obj[key];\n      if (val === undefined) {\n        return null;\n      }\n      return JSON.stringify(key) + ':' + canonicalize(val);\n    }).filter(e => e !== null);\n    return '{' + entries.join(',') + '}';\n  }\n\n  throw new Error(`Unsupported type for canonical JSON: ${typeof value}`);\n}\n","import type { AiExecutionSnapshotV1, CreateSnapshotParams, VerificationResult, AiExecutionParameters } from './types.js';\nimport { CerVerifyCode } from './types.js';\nimport { computeInputHash, computeOutputHash } from './hash.js';\n\nconst PACKAGE_VERSION = '0.7.0';\n\nfunction validateParameters(params: AiExecutionParameters): string[] {\n  const errors: string[] = [];\n\n  if (typeof params.temperature !== 'number' || !Number.isFinite(params.temperature)) {\n    errors.push(`parameters.temperature must be a finite number, got: ${params.temperature}`);\n  }\n\n  if (typeof params.maxTokens !== 'number' || !Number.isFinite(params.maxTokens)) {\n    errors.push(`parameters.maxTokens must be a finite number, got: ${params.maxTokens}`);\n  }\n\n  if (params.topP !== null && (typeof params.topP !== 'number' || !Number.isFinite(params.topP))) {\n    errors.push(`parameters.topP must be a finite number or null, got: ${params.topP}`);\n  }\n\n  if (params.seed !== null && (typeof params.seed !== 'number' || !Number.isFinite(params.seed))) {\n    errors.push(`parameters.seed must be a finite number or null, got: ${params.seed}`);\n  }\n\n  return errors;\n}\n\nexport function createSnapshot(params: CreateSnapshotParams): AiExecutionSnapshotV1 {\n  const paramErrors = validateParameters(params.parameters);\n  if (paramErrors.length > 0) {\n    throw new Error(`Invalid parameters: ${paramErrors.join('; ')}`);\n  }\n\n  const inputHash = computeInputHash(params.input);\n  const outputHash = computeOutputHash(params.output);\n\n  const snapshot: AiExecutionSnapshotV1 = {\n    type: 'ai.execution.v1',\n    protocolVersion: '1.2.0',\n    executionSurface: 'ai',\n    executionId: params.executionId,\n    timestamp: params.timestamp ?? new Date().toISOString(),\n    provider: params.provider,\n    model: params.model,\n    modelVersion: params.modelVersion ?? null,\n    prompt: params.prompt,\n    input: params.input,\n    inputHash,\n    parameters: {\n      temperature: params.parameters.temperature,\n      maxTokens: params.parameters.maxTokens,\n      topP: params.parameters.topP ?? null,\n      seed: params.parameters.seed ?? null,\n    },\n    output: params.output,\n    outputHash,\n    sdkVersion: params.sdkVersion ?? PACKAGE_VERSION,\n    appId: params.appId ?? null,\n  };\n\n  if (params.runId !== undefined) snapshot.runId = params.runId ?? null;\n  if (params.stepId !== undefined) snapshot.stepId = params.stepId ?? null;\n  if (params.stepIndex !== undefined) snapshot.stepIndex = params.stepIndex ?? null;\n  if (params.workflowId !== undefined) snapshot.workflowId = params.workflowId ?? null;\n  if (params.conversationId !== undefined) snapshot.conversationId = params.conversationId ?? null;\n  if (params.prevStepHash !== undefined) snapshot.prevStepHash = params.prevStepHash ?? null;\n\n  // v0.7.0: AIEF-06 tool/dependency evidence — included in certificateHash when present\n  if (params.toolCalls !== undefined && params.toolCalls.length > 0) {\n    snapshot.toolCalls = params.toolCalls;\n  }\n\n  return snapshot;\n}\n\nexport function verifySnapshot(snapshot: AiExecutionSnapshotV1): VerificationResult {\n  const schemaErrors: string[] = [];\n  const formatErrors: string[] = [];\n  const inputHashErrors: string[] = [];\n  const outputHashErrors: string[] = [];\n\n  if (snapshot.type !== 'ai.execution.v1') {\n    schemaErrors.push(`Expected type \"ai.execution.v1\", got \"${snapshot.type}\"`);\n  }\n\n  if (snapshot.protocolVersion !== '1.2.0') {\n    schemaErrors.push(`Expected protocolVersion \"1.2.0\", got \"${snapshot.protocolVersion}\"`);\n  }\n\n  if (snapshot.executionSurface !== 'ai') {\n    schemaErrors.push(`Expected executionSurface \"ai\", got \"${snapshot.executionSurface}\"`);\n  }\n\n  if (!snapshot.executionId || typeof snapshot.executionId !== 'string') {\n    schemaErrors.push('executionId must be a non-empty string');\n  }\n\n  if (!snapshot.timestamp || typeof snapshot.timestamp !== 'string') {\n    schemaErrors.push('timestamp must be a non-empty string');\n  }\n\n  if (!snapshot.provider || typeof snapshot.provider !== 'string') {\n    schemaErrors.push('provider must be a non-empty string');\n  }\n\n  if (!snapshot.model || typeof snapshot.model !== 'string') {\n    schemaErrors.push('model must be a non-empty string');\n  }\n\n  if (!snapshot.prompt || typeof snapshot.prompt !== 'string') {\n    schemaErrors.push('prompt must be a non-empty string');\n  }\n\n  if (snapshot.input === undefined || snapshot.input === null) {\n    schemaErrors.push('input must be a string or object');\n  }\n\n  if (snapshot.output === undefined || snapshot.output === null) {\n    schemaErrors.push('output must be a string or object');\n  }\n\n  const paramErrors = validateParameters(snapshot.parameters);\n  schemaErrors.push(...paramErrors);\n\n  if (!snapshot.inputHash || !snapshot.inputHash.startsWith('sha256:')) {\n    formatErrors.push(`inputHash must start with \"sha256:\", got \"${snapshot.inputHash}\"`);\n  }\n\n  if (!snapshot.outputHash || !snapshot.outputHash.startsWith('sha256:')) {\n    formatErrors.push(`outputHash must start with \"sha256:\", got \"${snapshot.outputHash}\"`);\n  }\n\n  if (formatErrors.length === 0) {\n    const expectedInputHash = computeInputHash(snapshot.input);\n    if (snapshot.inputHash !== expectedInputHash) {\n      inputHashErrors.push(`inputHash mismatch: expected ${expectedInputHash}, got ${snapshot.inputHash}`);\n    }\n\n    const expectedOutputHash = computeOutputHash(snapshot.output);\n    if (snapshot.outputHash !== expectedOutputHash) {\n      outputHashErrors.push(`outputHash mismatch: expected ${expectedOutputHash}, got ${snapshot.outputHash}`);\n    }\n  }\n\n  const errors = [...schemaErrors, ...formatErrors, ...inputHashErrors, ...outputHashErrors];\n\n  if (errors.length === 0) {\n    return { ok: true, errors: [], code: CerVerifyCode.OK };\n  }\n\n  let code: typeof CerVerifyCode[keyof typeof CerVerifyCode];\n  let details: string[];\n\n  if (schemaErrors.length > 0) {\n    code = CerVerifyCode.SCHEMA_ERROR;\n    details = schemaErrors;\n  } else if (formatErrors.length > 0) {\n    code = CerVerifyCode.INVALID_SHA256_FORMAT;\n    details = formatErrors;\n  } else if (inputHashErrors.length > 0 && outputHashErrors.length > 0) {\n    code = CerVerifyCode.SNAPSHOT_HASH_MISMATCH;\n    details = [...inputHashErrors, ...outputHashErrors];\n  } else if (inputHashErrors.length > 0) {\n    code = CerVerifyCode.INPUT_HASH_MISMATCH;\n    details = inputHashErrors;\n  } else if (outputHashErrors.length > 0) {\n    code = CerVerifyCode.OUTPUT_HASH_MISMATCH;\n    details = outputHashErrors;\n  } else {\n    code = CerVerifyCode.UNKNOWN_ERROR;\n    details = errors;\n  }\n\n  return { ok: false, errors, code, details };\n}\n","import type { AiExecutionSnapshotV1, CerAiExecutionBundle, CerMeta, BundleDeclaration, VerificationResult } from './types.js';\nimport { CerVerifyCode } from './types.js';\nimport { toCanonicalJson } from './canonicalJson.js';\nimport { sha256Hex } from './hash.js';\nimport { verifySnapshot } from './snapshot.js';\n\ninterface CertificatePayload {\n  bundleType: 'cer.ai.execution.v1';\n  createdAt: string;\n  snapshot: AiExecutionSnapshotV1;\n  version: '0.1';\n}\n\nfunction computeCertificateHash(payload: CertificatePayload): string {\n  const canonical = toCanonicalJson(payload);\n  return `sha256:${sha256Hex(canonical)}`;\n}\n\nexport function sealCer(\n  snapshot: AiExecutionSnapshotV1,\n  options?: { createdAt?: string; meta?: CerMeta; declaration?: BundleDeclaration }\n): CerAiExecutionBundle {\n  const createdAt = options?.createdAt ?? new Date().toISOString();\n\n  // certificateHash covers ONLY { bundleType, createdAt, snapshot, version }.\n  // `declaration` and `meta` are intentionally excluded — they are non-evidentiary.\n  const payload: CertificatePayload = {\n    bundleType: 'cer.ai.execution.v1',\n    createdAt,\n    snapshot,\n    version: '0.1',\n  };\n\n  const certificateHash = computeCertificateHash(payload);\n\n  const bundle: CerAiExecutionBundle = {\n    bundleType: 'cer.ai.execution.v1',\n    certificateHash,\n    createdAt,\n    version: '0.1',\n    snapshot,\n  };\n\n  if (options?.meta) {\n    bundle.meta = options.meta;\n  }\n\n  // v0.7.0: attach declaration block AFTER hashing — excluded from certificateHash by design.\n  if (options?.declaration) {\n    bundle.declaration = options.declaration;\n  }\n\n  return bundle;\n}\n\nexport function verifyCer(bundle: CerAiExecutionBundle): VerificationResult {\n  const schemaErrors: string[] = [];\n  const formatErrors: string[] = [];\n\n  if (bundle.bundleType !== 'cer.ai.execution.v1') {\n    schemaErrors.push(`Expected bundleType \"cer.ai.execution.v1\", got \"${bundle.bundleType}\"`);\n  }\n\n  if (bundle.version !== '0.1') {\n    schemaErrors.push(`Expected version \"0.1\", got \"${bundle.version}\"`);\n  }\n\n  if (!bundle.createdAt || typeof bundle.createdAt !== 'string') {\n    schemaErrors.push('createdAt must be a non-empty string');\n  }\n\n  if (!bundle.certificateHash || !bundle.certificateHash.startsWith('sha256:')) {\n    formatErrors.push(`certificateHash must start with \"sha256:\", got \"${bundle.certificateHash}\"`);\n  }\n\n  if (!bundle.snapshot) {\n    schemaErrors.push('snapshot is required');\n    const allErrors = [...schemaErrors, ...formatErrors];\n    return { ok: false, errors: allErrors, code: CerVerifyCode.SCHEMA_ERROR, details: schemaErrors };\n  }\n\n  let canonicalizationError: string | null = null;\n  let snapshotResult: VerificationResult | null = null;\n\n  try {\n    snapshotResult = verifySnapshot(bundle.snapshot);\n  } catch (err) {\n    canonicalizationError = err instanceof Error ? err.message : String(err);\n  }\n\n  if (canonicalizationError !== null) {\n    const errors = [...schemaErrors, ...formatErrors, canonicalizationError];\n    return { ok: false, errors, code: CerVerifyCode.CANONICALIZATION_ERROR, details: [canonicalizationError] };\n  }\n\n  const snapshotErrors = snapshotResult!.errors;\n\n  const certHashErrors: string[] = [];\n  try {\n    const payload: CertificatePayload = {\n      bundleType: 'cer.ai.execution.v1',\n      createdAt: bundle.createdAt,\n      snapshot: bundle.snapshot,\n      version: '0.1',\n    };\n    const expectedHash = computeCertificateHash(payload);\n    if (bundle.certificateHash !== expectedHash) {\n      certHashErrors.push(`certificateHash mismatch: expected ${expectedHash}, got ${bundle.certificateHash}`);\n    }\n  } catch (err) {\n    const msg = err instanceof Error ? err.message : String(err);\n    const errors = [...schemaErrors, ...formatErrors, ...snapshotErrors, msg];\n    return { ok: false, errors, code: CerVerifyCode.CANONICALIZATION_ERROR, details: [msg] };\n  }\n\n  const errors = [...schemaErrors, ...formatErrors, ...snapshotErrors, ...certHashErrors];\n\n  if (errors.length === 0) {\n    return { ok: true, errors: [], code: CerVerifyCode.OK };\n  }\n\n  let code: typeof CerVerifyCode[keyof typeof CerVerifyCode];\n  let details: string[];\n\n  if (schemaErrors.length > 0) {\n    code = CerVerifyCode.SCHEMA_ERROR;\n    details = schemaErrors;\n  } else if (formatErrors.length > 0) {\n    code = CerVerifyCode.INVALID_SHA256_FORMAT;\n    details = formatErrors;\n  } else if (certHashErrors.length > 0 && snapshotErrors.length === 0) {\n    code = CerVerifyCode.CERTIFICATE_HASH_MISMATCH;\n    details = certHashErrors;\n  } else if (snapshotResult && snapshotResult.code !== CerVerifyCode.OK) {\n    code = snapshotResult.code;\n    details = snapshotResult.details ?? snapshotErrors;\n  } else if (certHashErrors.length > 0) {\n    code = CerVerifyCode.CERTIFICATE_HASH_MISMATCH;\n    details = certHashErrors;\n  } else {\n    code = CerVerifyCode.UNKNOWN_ERROR;\n    details = errors;\n  }\n\n  return { ok: false, errors, code, details };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAAAA,UAAwB;;;ACAxB,aAAwB;;;ACAjB,SAAS,gBAAgB,OAAwB;AACtD,SAAO,aAAa,KAAK;AAC3B;AAEA,SAAS,aAAa,OAAwB;AAC5C,MAAI,UAAU,MAAM;AAClB,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,UAAU,WAAW;AAC9B,WAAO,QAAQ,SAAS;AAAA,EAC1B;AAEA,MAAI,OAAO,UAAU,UAAU;AAC7B,QAAI,CAAC,OAAO,SAAS,KAAK,GAAG;AAC3B,YAAM,IAAI,MAAM,oDAAoD,KAAK,EAAE;AAAA,IAC7E;AACA,WAAO,KAAK,UAAU,KAAK;AAAA,EAC7B;AAEA,MAAI,OAAO,UAAU,UAAU;AAC7B,WAAO,KAAK,UAAU,KAAK;AAAA,EAC7B;AAEA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,UAAM,QAAQ,MAAM,IAAI,UAAQ,aAAa,IAAI,CAAC;AAClD,WAAO,MAAM,MAAM,KAAK,GAAG,IAAI;AAAA,EACjC;AAEA,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,MAAM;AACZ,UAAM,OAAO,OAAO,KAAK,GAAG,EAAE,KAAK;AACnC,UAAM,UAAU,KAAK,IAAI,SAAO;AAC9B,YAAM,MAAM,IAAI,GAAG;AACnB,UAAI,QAAQ,QAAW;AACrB,eAAO;AAAA,MACT;AACA,aAAO,KAAK,UAAU,GAAG,IAAI,MAAM,aAAa,GAAG;AAAA,IACrD,CAAC,EAAE,OAAO,OAAK,MAAM,IAAI;AACzB,WAAO,MAAM,QAAQ,KAAK,GAAG,IAAI;AAAA,EACnC;AAEA,QAAM,IAAI,MAAM,wCAAwC,OAAO,KAAK,EAAE;AACxE;;;ADxCO,SAAS,UAAU,MAAmC;AAC3D,QAAM,OAAc,kBAAW,QAAQ;AACvC,MAAI,OAAO,SAAS,UAAU;AAC5B,SAAK,OAAO,MAAM,OAAO;AAAA,EAC3B,OAAO;AACL,SAAK,OAAO,IAAI;AAAA,EAClB;AACA,SAAO,KAAK,OAAO,KAAK;AAC1B;AAEO,SAAS,SAAS,OAAuB;AAC9C,SAAO,UAAU,UAAU,KAAK,CAAC;AACnC;AAEO,SAAS,kBAAkB,OAAwB;AACxD,QAAM,YAAY,gBAAgB,KAAK;AACvC,SAAO,UAAU,UAAU,SAAS,CAAC;AACvC;AAEO,SAAS,iBAAiB,OAAiD;AAChF,MAAI,OAAO,UAAU,UAAU;AAC7B,WAAO,SAAS,KAAK;AAAA,EACvB;AACA,SAAO,kBAAkB,KAAK;AAChC;AAEO,SAAS,kBAAkB,QAAkD;AAClF,MAAI,OAAO,WAAW,UAAU;AAC9B,WAAO,SAAS,MAAM;AAAA,EACxB;AACA,SAAO,kBAAkB,MAAM;AACjC;;;AE9BA,IAAM,kBAAkB;AAExB,SAAS,mBAAmB,QAAyC;AACnE,QAAM,SAAmB,CAAC;AAE1B,MAAI,OAAO,OAAO,gBAAgB,YAAY,CAAC,OAAO,SAAS,OAAO,WAAW,GAAG;AAClF,WAAO,KAAK,wDAAwD,OAAO,WAAW,EAAE;AAAA,EAC1F;AAEA,MAAI,OAAO,OAAO,cAAc,YAAY,CAAC,OAAO,SAAS,OAAO,SAAS,GAAG;AAC9E,WAAO,KAAK,sDAAsD,OAAO,SAAS,EAAE;AAAA,EACtF;AAEA,MAAI,OAAO,SAAS,SAAS,OAAO,OAAO,SAAS,YAAY,CAAC,OAAO,SAAS,OAAO,IAAI,IAAI;AAC9F,WAAO,KAAK,yDAAyD,OAAO,IAAI,EAAE;AAAA,EACpF;AAEA,MAAI,OAAO,SAAS,SAAS,OAAO,OAAO,SAAS,YAAY,CAAC,OAAO,SAAS,OAAO,IAAI,IAAI;AAC9F,WAAO,KAAK,yDAAyD,OAAO,IAAI,EAAE;AAAA,EACpF;AAEA,SAAO;AACT;AAEO,SAAS,eAAe,QAAqD;AAClF,QAAM,cAAc,mBAAmB,OAAO,UAAU;AACxD,MAAI,YAAY,SAAS,GAAG;AAC1B,UAAM,IAAI,MAAM,uBAAuB,YAAY,KAAK,IAAI,CAAC,EAAE;AAAA,EACjE;AAEA,QAAM,YAAY,iBAAiB,OAAO,KAAK;AAC/C,QAAM,aAAa,kBAAkB,OAAO,MAAM;AAElD,QAAM,WAAkC;AAAA,IACtC,MAAM;AAAA,IACN,iBAAiB;AAAA,IACjB,kBAAkB;AAAA,IAClB,aAAa,OAAO;AAAA,IACpB,WAAW,OAAO,cAAa,oBAAI,KAAK,GAAE,YAAY;AAAA,IACtD,UAAU,OAAO;AAAA,IACjB,OAAO,OAAO;AAAA,IACd,cAAc,OAAO,gBAAgB;AAAA,IACrC,QAAQ,OAAO;AAAA,IACf,OAAO,OAAO;AAAA,IACd;AAAA,IACA,YAAY;AAAA,MACV,aAAa,OAAO,WAAW;AAAA,MAC/B,WAAW,OAAO,WAAW;AAAA,MAC7B,MAAM,OAAO,WAAW,QAAQ;AAAA,MAChC,MAAM,OAAO,WAAW,QAAQ;AAAA,IAClC;AAAA,IACA,QAAQ,OAAO;AAAA,IACf;AAAA,IACA,YAAY,OAAO,cAAc;AAAA,IACjC,OAAO,OAAO,SAAS;AAAA,EACzB;AAEA,MAAI,OAAO,UAAU,OAAW,UAAS,QAAQ,OAAO,SAAS;AACjE,MAAI,OAAO,WAAW,OAAW,UAAS,SAAS,OAAO,UAAU;AACpE,MAAI,OAAO,cAAc,OAAW,UAAS,YAAY,OAAO,aAAa;AAC7E,MAAI,OAAO,eAAe,OAAW,UAAS,aAAa,OAAO,cAAc;AAChF,MAAI,OAAO,mBAAmB,OAAW,UAAS,iBAAiB,OAAO,kBAAkB;AAC5F,MAAI,OAAO,iBAAiB,OAAW,UAAS,eAAe,OAAO,gBAAgB;AAGtF,MAAI,OAAO,cAAc,UAAa,OAAO,UAAU,SAAS,GAAG;AACjE,aAAS,YAAY,OAAO;AAAA,EAC9B;AAEA,SAAO;AACT;;;AC7DA,SAAS,uBAAuB,SAAqC;AACnE,QAAM,YAAY,gBAAgB,OAAO;AACzC,SAAO,UAAU,UAAU,SAAS,CAAC;AACvC;AAEO,SAAS,QACd,UACA,SACsB;AACtB,QAAM,YAAY,SAAS,cAAa,oBAAI,KAAK,GAAE,YAAY;AAI/D,QAAM,UAA8B;AAAA,IAClC,YAAY;AAAA,IACZ;AAAA,IACA;AAAA,IACA,SAAS;AAAA,EACX;AAEA,QAAM,kBAAkB,uBAAuB,OAAO;AAEtD,QAAM,SAA+B;AAAA,IACnC,YAAY;AAAA,IACZ;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT;AAAA,EACF;AAEA,MAAI,SAAS,MAAM;AACjB,WAAO,OAAO,QAAQ;AAAA,EACxB;AAGA,MAAI,SAAS,aAAa;AACxB,WAAO,cAAc,QAAQ;AAAA,EAC/B;AAEA,SAAO;AACT;;;AJ5CO,SAAS,aACd,QACA;AACA,SAAO;AAAA,IACL,MAAM,QAAQ,QAA6F;AACzG,YAAM,MAAM,MAAM,OAAO,OAAO,OAAO,aAAa;AACpD,YAAM,SAAS,OAAO,cAAc,GAAG;AACvC,YAAM,eAAe,OAAO,sBACxB,OAAO,oBAAoB,GAAG,IAC7B,OAAO,gBAAgB;AAE5B,YAAM,WAAW,eAAe;AAAA,QAC9B,aAAa,OAAO,eAAsB,mBAAW;AAAA,QACrD,UAAU,OAAO;AAAA,QACjB,OAAO,OAAO;AAAA,QACd;AAAA,QACA,QAAQ,OAAO;AAAA,QACf,OAAO,OAAO;AAAA,QACd,YAAY,OAAO;AAAA,QACnB;AAAA,QACA,OAAO,OAAO;AAAA,MAChB,CAAC;AAED,YAAM,SAAS,QAAQ,UAAU,EAAE,MAAM,OAAO,KAAK,CAAC;AAEtD,aAAO,EAAE,QAAQ,UAAU,OAAO;AAAA,IACpC;AAAA,EACF;AACF;","names":["crypto"]}

package/dist/providers/wrap.d.cts

@@ -1,4 +1,4 @@
-import { P as ProviderConfig, W as WrappedExecutionParams, m as WrappedExecutionResult } from '../types-BjEqrksn.cjs';
+import { t as ProviderConfig, W as WrappedExecutionParams, v as WrappedExecutionResult } from '../types-CcqCDPrD.cjs';
 
 declare function wrapProvider<TInput = unknown, TOutput = unknown>(config: ProviderConfig<TInput, TOutput>): {
     execute(params: WrappedExecutionParams & {

package/dist/providers/wrap.d.ts

@@ -1,4 +1,4 @@
-import { P as ProviderConfig, W as WrappedExecutionParams, m as WrappedExecutionResult } from '../types-BjEqrksn.js';
+import { t as ProviderConfig, W as WrappedExecutionParams, v as WrappedExecutionResult } from '../types-CcqCDPrD.js';
 
 declare function wrapProvider<TInput = unknown, TOutput = unknown>(config: ProviderConfig<TInput, TOutput>): {
     execute(params: WrappedExecutionParams & {

package/dist/providers/wrap.mjs

@@ -74,7 +74,7 @@ function computeOutputHash(output) {
 }
 
 // src/snapshot.ts
-var PACKAGE_VERSION = "0.5.0";
+var PACKAGE_VERSION = "0.7.0";
 function validateParameters(params) {
   const errors = [];
   if (typeof params.temperature !== "number" || !Number.isFinite(params.temperature)) {
@@ -127,6 +127,9 @@ function createSnapshot(params) {
   if (params.workflowId !== void 0) snapshot.workflowId = params.workflowId ?? null;
   if (params.conversationId !== void 0) snapshot.conversationId = params.conversationId ?? null;
   if (params.prevStepHash !== void 0) snapshot.prevStepHash = params.prevStepHash ?? null;
+  if (params.toolCalls !== void 0 && params.toolCalls.length > 0) {
+    snapshot.toolCalls = params.toolCalls;
+  }
   return snapshot;
 }
 
@@ -154,6 +157,9 @@ function sealCer(snapshot, options) {
   if (options?.meta) {
     bundle.meta = options.meta;
   }
+  if (options?.declaration) {
+    bundle.declaration = options.declaration;
+  }
   return bundle;
 }
 

package/dist/providers/wrap.mjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/providers/wrap.ts","../../src/hash.ts","../../src/canonicalJson.ts","../../src/snapshot.ts","../../src/cer.ts"],"sourcesContent":["import * as crypto from 'crypto';\nimport type {\n  ProviderConfig,\n  WrappedExecutionParams,\n  WrappedExecutionResult,\n} from '../types.js';\nimport { createSnapshot } from '../snapshot.js';\nimport { sealCer } from '../cer.js';\n\nexport function wrapProvider<TInput = unknown, TOutput = unknown>(\n  config: ProviderConfig<TInput, TOutput>,\n) {\n  return {\n    async execute(params: WrappedExecutionParams & { providerInput: TInput }): Promise<WrappedExecutionResult> {\n      const raw = await config.callFn(params.providerInput);\n      const output = config.extractOutput(raw);\n      const modelVersion = config.extractModelVersion\n        ? config.extractModelVersion(raw)\n        : (params.modelVersion ?? null);\n\n      const snapshot = createSnapshot({\n        executionId: params.executionId ?? crypto.randomUUID(),\n        provider: config.provider,\n        model: params.model,\n        modelVersion,\n        prompt: params.prompt,\n        input: params.input,\n        parameters: params.parameters,\n        output,\n        appId: params.appId,\n      });\n\n      const bundle = sealCer(snapshot, { meta: params.meta });\n\n      return { output, snapshot, bundle };\n    },\n  };\n}\n","import * as crypto from 'crypto';\nimport { toCanonicalJson } from './canonicalJson.js';\n\nexport function sha256Hex(data: string | Uint8Array): string {\n  const hash = crypto.createHash('sha256');\n  if (typeof data === 'string') {\n    hash.update(data, 'utf-8');\n  } else {\n    hash.update(data);\n  }\n  return hash.digest('hex');\n}\n\nexport function hashUtf8(value: string): string {\n  return `sha256:${sha256Hex(value)}`;\n}\n\nexport function hashCanonicalJson(value: unknown): string {\n  const canonical = toCanonicalJson(value);\n  return `sha256:${sha256Hex(canonical)}`;\n}\n\nexport function computeInputHash(input: string | Record<string, unknown>): string {\n  if (typeof input === 'string') {\n    return hashUtf8(input);\n  }\n  return hashCanonicalJson(input);\n}\n\nexport function computeOutputHash(output: string | Record<string, unknown>): string {\n  if (typeof output === 'string') {\n    return hashUtf8(output);\n  }\n  return hashCanonicalJson(output);\n}\n","export function toCanonicalJson(value: unknown): string {\n  return canonicalize(value);\n}\n\nfunction canonicalize(value: unknown): string {\n  if (value === null) {\n    return 'null';\n  }\n\n  if (typeof value === 'boolean') {\n    return value ? 'true' : 'false';\n  }\n\n  if (typeof value === 'number') {\n    if (!Number.isFinite(value)) {\n      throw new Error(`Non-finite number not allowed in canonical JSON: ${value}`);\n    }\n    return JSON.stringify(value);\n  }\n\n  if (typeof value === 'string') {\n    return JSON.stringify(value);\n  }\n\n  if (Array.isArray(value)) {\n    const items = value.map(item => canonicalize(item));\n    return '[' + items.join(',') + ']';\n  }\n\n  if (typeof value === 'object') {\n    const obj = value as Record<string, unknown>;\n    const keys = Object.keys(obj).sort();\n    const entries = keys.map(key => {\n      const val = obj[key];\n      if (val === undefined) {\n        return null;\n      }\n      return JSON.stringify(key) + ':' + canonicalize(val);\n    }).filter(e => e !== null);\n    return '{' + entries.join(',') + '}';\n  }\n\n  throw new Error(`Unsupported type for canonical JSON: ${typeof value}`);\n}\n","import type { AiExecutionSnapshotV1, CreateSnapshotParams, VerificationResult, AiExecutionParameters } from './types.js';\nimport { CerVerifyCode } from './types.js';\nimport { computeInputHash, computeOutputHash } from './hash.js';\n\nconst PACKAGE_VERSION = '0.5.0';\n\nfunction validateParameters(params: AiExecutionParameters): string[] {\n  const errors: string[] = [];\n\n  if (typeof params.temperature !== 'number' || !Number.isFinite(params.temperature)) {\n    errors.push(`parameters.temperature must be a finite number, got: ${params.temperature}`);\n  }\n\n  if (typeof params.maxTokens !== 'number' || !Number.isFinite(params.maxTokens)) {\n    errors.push(`parameters.maxTokens must be a finite number, got: ${params.maxTokens}`);\n  }\n\n  if (params.topP !== null && (typeof params.topP !== 'number' || !Number.isFinite(params.topP))) {\n    errors.push(`parameters.topP must be a finite number or null, got: ${params.topP}`);\n  }\n\n  if (params.seed !== null && (typeof params.seed !== 'number' || !Number.isFinite(params.seed))) {\n    errors.push(`parameters.seed must be a finite number or null, got: ${params.seed}`);\n  }\n\n  return errors;\n}\n\nexport function createSnapshot(params: CreateSnapshotParams): AiExecutionSnapshotV1 {\n  const paramErrors = validateParameters(params.parameters);\n  if (paramErrors.length > 0) {\n    throw new Error(`Invalid parameters: ${paramErrors.join('; ')}`);\n  }\n\n  const inputHash = computeInputHash(params.input);\n  const outputHash = computeOutputHash(params.output);\n\n  const snapshot: AiExecutionSnapshotV1 = {\n    type: 'ai.execution.v1',\n    protocolVersion: '1.2.0',\n    executionSurface: 'ai',\n    executionId: params.executionId,\n    timestamp: params.timestamp ?? new Date().toISOString(),\n    provider: params.provider,\n    model: params.model,\n    modelVersion: params.modelVersion ?? null,\n    prompt: params.prompt,\n    input: params.input,\n    inputHash,\n    parameters: {\n      temperature: params.parameters.temperature,\n      maxTokens: params.parameters.maxTokens,\n      topP: params.parameters.topP ?? null,\n      seed: params.parameters.seed ?? null,\n    },\n    output: params.output,\n    outputHash,\n    sdkVersion: params.sdkVersion ?? PACKAGE_VERSION,\n    appId: params.appId ?? null,\n  };\n\n  if (params.runId !== undefined) snapshot.runId = params.runId ?? null;\n  if (params.stepId !== undefined) snapshot.stepId = params.stepId ?? null;\n  if (params.stepIndex !== undefined) snapshot.stepIndex = params.stepIndex ?? null;\n  if (params.workflowId !== undefined) snapshot.workflowId = params.workflowId ?? null;\n  if (params.conversationId !== undefined) snapshot.conversationId = params.conversationId ?? null;\n  if (params.prevStepHash !== undefined) snapshot.prevStepHash = params.prevStepHash ?? null;\n\n  return snapshot;\n}\n\nexport function verifySnapshot(snapshot: AiExecutionSnapshotV1): VerificationResult {\n  const schemaErrors: string[] = [];\n  const formatErrors: string[] = [];\n  const inputHashErrors: string[] = [];\n  const outputHashErrors: string[] = [];\n\n  if (snapshot.type !== 'ai.execution.v1') {\n    schemaErrors.push(`Expected type \"ai.execution.v1\", got \"${snapshot.type}\"`);\n  }\n\n  if (snapshot.protocolVersion !== '1.2.0') {\n    schemaErrors.push(`Expected protocolVersion \"1.2.0\", got \"${snapshot.protocolVersion}\"`);\n  }\n\n  if (snapshot.executionSurface !== 'ai') {\n    schemaErrors.push(`Expected executionSurface \"ai\", got \"${snapshot.executionSurface}\"`);\n  }\n\n  if (!snapshot.executionId || typeof snapshot.executionId !== 'string') {\n    schemaErrors.push('executionId must be a non-empty string');\n  }\n\n  if (!snapshot.timestamp || typeof snapshot.timestamp !== 'string') {\n    schemaErrors.push('timestamp must be a non-empty string');\n  }\n\n  if (!snapshot.provider || typeof snapshot.provider !== 'string') {\n    schemaErrors.push('provider must be a non-empty string');\n  }\n\n  if (!snapshot.model || typeof snapshot.model !== 'string') {\n    schemaErrors.push('model must be a non-empty string');\n  }\n\n  if (!snapshot.prompt || typeof snapshot.prompt !== 'string') {\n    schemaErrors.push('prompt must be a non-empty string');\n  }\n\n  if (snapshot.input === undefined || snapshot.input === null) {\n    schemaErrors.push('input must be a string or object');\n  }\n\n  if (snapshot.output === undefined || snapshot.output === null) {\n    schemaErrors.push('output must be a string or object');\n  }\n\n  const paramErrors = validateParameters(snapshot.parameters);\n  schemaErrors.push(...paramErrors);\n\n  if (!snapshot.inputHash || !snapshot.inputHash.startsWith('sha256:')) {\n    formatErrors.push(`inputHash must start with \"sha256:\", got \"${snapshot.inputHash}\"`);\n  }\n\n  if (!snapshot.outputHash || !snapshot.outputHash.startsWith('sha256:')) {\n    formatErrors.push(`outputHash must start with \"sha256:\", got \"${snapshot.outputHash}\"`);\n  }\n\n  if (formatErrors.length === 0) {\n    const expectedInputHash = computeInputHash(snapshot.input);\n    if (snapshot.inputHash !== expectedInputHash) {\n      inputHashErrors.push(`inputHash mismatch: expected ${expectedInputHash}, got ${snapshot.inputHash}`);\n    }\n\n    const expectedOutputHash = computeOutputHash(snapshot.output);\n    if (snapshot.outputHash !== expectedOutputHash) {\n      outputHashErrors.push(`outputHash mismatch: expected ${expectedOutputHash}, got ${snapshot.outputHash}`);\n    }\n  }\n\n  const errors = [...schemaErrors, ...formatErrors, ...inputHashErrors, ...outputHashErrors];\n\n  if (errors.length === 0) {\n    return { ok: true, errors: [], code: CerVerifyCode.OK };\n  }\n\n  let code: typeof CerVerifyCode[keyof typeof CerVerifyCode];\n  let details: string[];\n\n  if (schemaErrors.length > 0) {\n    code = CerVerifyCode.SCHEMA_ERROR;\n    details = schemaErrors;\n  } else if (formatErrors.length > 0) {\n    code = CerVerifyCode.INVALID_SHA256_FORMAT;\n    details = formatErrors;\n  } else if (inputHashErrors.length > 0 && outputHashErrors.length > 0) {\n    code = CerVerifyCode.SNAPSHOT_HASH_MISMATCH;\n    details = [...inputHashErrors, ...outputHashErrors];\n  } else if (inputHashErrors.length > 0) {\n    code = CerVerifyCode.INPUT_HASH_MISMATCH;\n    details = inputHashErrors;\n  } else if (outputHashErrors.length > 0) {\n    code = CerVerifyCode.OUTPUT_HASH_MISMATCH;\n    details = outputHashErrors;\n  } else {\n    code = CerVerifyCode.UNKNOWN_ERROR;\n    details = errors;\n  }\n\n  return { ok: false, errors, code, details };\n}\n","import type { AiExecutionSnapshotV1, CerAiExecutionBundle, CerMeta, VerificationResult } from './types.js';\nimport { CerVerifyCode } from './types.js';\nimport { toCanonicalJson } from './canonicalJson.js';\nimport { sha256Hex } from './hash.js';\nimport { verifySnapshot } from './snapshot.js';\n\ninterface CertificatePayload {\n  bundleType: 'cer.ai.execution.v1';\n  createdAt: string;\n  snapshot: AiExecutionSnapshotV1;\n  version: '0.1';\n}\n\nfunction computeCertificateHash(payload: CertificatePayload): string {\n  const canonical = toCanonicalJson(payload);\n  return `sha256:${sha256Hex(canonical)}`;\n}\n\nexport function sealCer(\n  snapshot: AiExecutionSnapshotV1,\n  options?: { createdAt?: string; meta?: CerMeta }\n): CerAiExecutionBundle {\n  const createdAt = options?.createdAt ?? new Date().toISOString();\n\n  const payload: CertificatePayload = {\n    bundleType: 'cer.ai.execution.v1',\n    createdAt,\n    snapshot,\n    version: '0.1',\n  };\n\n  const certificateHash = computeCertificateHash(payload);\n\n  const bundle: CerAiExecutionBundle = {\n    bundleType: 'cer.ai.execution.v1',\n    certificateHash,\n    createdAt,\n    version: '0.1',\n    snapshot,\n  };\n\n  if (options?.meta) {\n    bundle.meta = options.meta;\n  }\n\n  return bundle;\n}\n\nexport function verifyCer(bundle: CerAiExecutionBundle): VerificationResult {\n  const schemaErrors: string[] = [];\n  const formatErrors: string[] = [];\n\n  if (bundle.bundleType !== 'cer.ai.execution.v1') {\n    schemaErrors.push(`Expected bundleType \"cer.ai.execution.v1\", got \"${bundle.bundleType}\"`);\n  }\n\n  if (bundle.version !== '0.1') {\n    schemaErrors.push(`Expected version \"0.1\", got \"${bundle.version}\"`);\n  }\n\n  if (!bundle.createdAt || typeof bundle.createdAt !== 'string') {\n    schemaErrors.push('createdAt must be a non-empty string');\n  }\n\n  if (!bundle.certificateHash || !bundle.certificateHash.startsWith('sha256:')) {\n    formatErrors.push(`certificateHash must start with \"sha256:\", got \"${bundle.certificateHash}\"`);\n  }\n\n  if (!bundle.snapshot) {\n    schemaErrors.push('snapshot is required');\n    const allErrors = [...schemaErrors, ...formatErrors];\n    return { ok: false, errors: allErrors, code: CerVerifyCode.SCHEMA_ERROR, details: schemaErrors };\n  }\n\n  let canonicalizationError: string | null = null;\n  let snapshotResult: VerificationResult | null = null;\n\n  try {\n    snapshotResult = verifySnapshot(bundle.snapshot);\n  } catch (err) {\n    canonicalizationError = err instanceof Error ? err.message : String(err);\n  }\n\n  if (canonicalizationError !== null) {\n    const errors = [...schemaErrors, ...formatErrors, canonicalizationError];\n    return { ok: false, errors, code: CerVerifyCode.CANONICALIZATION_ERROR, details: [canonicalizationError] };\n  }\n\n  const snapshotErrors = snapshotResult!.errors;\n\n  const certHashErrors: string[] = [];\n  try {\n    const payload: CertificatePayload = {\n      bundleType: 'cer.ai.execution.v1',\n      createdAt: bundle.createdAt,\n      snapshot: bundle.snapshot,\n      version: '0.1',\n    };\n    const expectedHash = computeCertificateHash(payload);\n    if (bundle.certificateHash !== expectedHash) {\n      certHashErrors.push(`certificateHash mismatch: expected ${expectedHash}, got ${bundle.certificateHash}`);\n    }\n  } catch (err) {\n    const msg = err instanceof Error ? err.message : String(err);\n    const errors = [...schemaErrors, ...formatErrors, ...snapshotErrors, msg];\n    return { ok: false, errors, code: CerVerifyCode.CANONICALIZATION_ERROR, details: [msg] };\n  }\n\n  const errors = [...schemaErrors, ...formatErrors, ...snapshotErrors, ...certHashErrors];\n\n  if (errors.length === 0) {\n    return { ok: true, errors: [], code: CerVerifyCode.OK };\n  }\n\n  let code: typeof CerVerifyCode[keyof typeof CerVerifyCode];\n  let details: string[];\n\n  if (schemaErrors.length > 0) {\n    code = CerVerifyCode.SCHEMA_ERROR;\n    details = schemaErrors;\n  } else if (formatErrors.length > 0) {\n    code = CerVerifyCode.INVALID_SHA256_FORMAT;\n    details = formatErrors;\n  } else if (certHashErrors.length > 0 && snapshotErrors.length === 0) {\n    code = CerVerifyCode.CERTIFICATE_HASH_MISMATCH;\n    details = certHashErrors;\n  } else if (snapshotResult && snapshotResult.code !== CerVerifyCode.OK) {\n    code = snapshotResult.code;\n    details = snapshotResult.details ?? snapshotErrors;\n  } else if (certHashErrors.length > 0) {\n    code = CerVerifyCode.CERTIFICATE_HASH_MISMATCH;\n    details = certHashErrors;\n  } else {\n    code = CerVerifyCode.UNKNOWN_ERROR;\n    details = errors;\n  }\n\n  return { ok: false, errors, code, details };\n}\n"],"mappings":";AAAA,YAAYA,aAAY;;;ACAxB,YAAY,YAAY;;;ACAjB,SAAS,gBAAgB,OAAwB;AACtD,SAAO,aAAa,KAAK;AAC3B;AAEA,SAAS,aAAa,OAAwB;AAC5C,MAAI,UAAU,MAAM;AAClB,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,UAAU,WAAW;AAC9B,WAAO,QAAQ,SAAS;AAAA,EAC1B;AAEA,MAAI,OAAO,UAAU,UAAU;AAC7B,QAAI,CAAC,OAAO,SAAS,KAAK,GAAG;AAC3B,YAAM,IAAI,MAAM,oDAAoD,KAAK,EAAE;AAAA,IAC7E;AACA,WAAO,KAAK,UAAU,KAAK;AAAA,EAC7B;AAEA,MAAI,OAAO,UAAU,UAAU;AAC7B,WAAO,KAAK,UAAU,KAAK;AAAA,EAC7B;AAEA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,UAAM,QAAQ,MAAM,IAAI,UAAQ,aAAa,IAAI,CAAC;AAClD,WAAO,MAAM,MAAM,KAAK,GAAG,IAAI;AAAA,EACjC;AAEA,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,MAAM;AACZ,UAAM,OAAO,OAAO,KAAK,GAAG,EAAE,KAAK;AACnC,UAAM,UAAU,KAAK,IAAI,SAAO;AAC9B,YAAM,MAAM,IAAI,GAAG;AACnB,UAAI,QAAQ,QAAW;AACrB,eAAO;AAAA,MACT;AACA,aAAO,KAAK,UAAU,GAAG,IAAI,MAAM,aAAa,GAAG;AAAA,IACrD,CAAC,EAAE,OAAO,OAAK,MAAM,IAAI;AACzB,WAAO,MAAM,QAAQ,KAAK,GAAG,IAAI;AAAA,EACnC;AAEA,QAAM,IAAI,MAAM,wCAAwC,OAAO,KAAK,EAAE;AACxE;;;ADxCO,SAAS,UAAU,MAAmC;AAC3D,QAAM,OAAc,kBAAW,QAAQ;AACvC,MAAI,OAAO,SAAS,UAAU;AAC5B,SAAK,OAAO,MAAM,OAAO;AAAA,EAC3B,OAAO;AACL,SAAK,OAAO,IAAI;AAAA,EAClB;AACA,SAAO,KAAK,OAAO,KAAK;AAC1B;AAEO,SAAS,SAAS,OAAuB;AAC9C,SAAO,UAAU,UAAU,KAAK,CAAC;AACnC;AAEO,SAAS,kBAAkB,OAAwB;AACxD,QAAM,YAAY,gBAAgB,KAAK;AACvC,SAAO,UAAU,UAAU,SAAS,CAAC;AACvC;AAEO,SAAS,iBAAiB,OAAiD;AAChF,MAAI,OAAO,UAAU,UAAU;AAC7B,WAAO,SAAS,KAAK;AAAA,EACvB;AACA,SAAO,kBAAkB,KAAK;AAChC;AAEO,SAAS,kBAAkB,QAAkD;AAClF,MAAI,OAAO,WAAW,UAAU;AAC9B,WAAO,SAAS,MAAM;AAAA,EACxB;AACA,SAAO,kBAAkB,MAAM;AACjC;;;AE9BA,IAAM,kBAAkB;AAExB,SAAS,mBAAmB,QAAyC;AACnE,QAAM,SAAmB,CAAC;AAE1B,MAAI,OAAO,OAAO,gBAAgB,YAAY,CAAC,OAAO,SAAS,OAAO,WAAW,GAAG;AAClF,WAAO,KAAK,wDAAwD,OAAO,WAAW,EAAE;AAAA,EAC1F;AAEA,MAAI,OAAO,OAAO,cAAc,YAAY,CAAC,OAAO,SAAS,OAAO,SAAS,GAAG;AAC9E,WAAO,KAAK,sDAAsD,OAAO,SAAS,EAAE;AAAA,EACtF;AAEA,MAAI,OAAO,SAAS,SAAS,OAAO,OAAO,SAAS,YAAY,CAAC,OAAO,SAAS,OAAO,IAAI,IAAI;AAC9F,WAAO,KAAK,yDAAyD,OAAO,IAAI,EAAE;AAAA,EACpF;AAEA,MAAI,OAAO,SAAS,SAAS,OAAO,OAAO,SAAS,YAAY,CAAC,OAAO,SAAS,OAAO,IAAI,IAAI;AAC9F,WAAO,KAAK,yDAAyD,OAAO,IAAI,EAAE;AAAA,EACpF;AAEA,SAAO;AACT;AAEO,SAAS,eAAe,QAAqD;AAClF,QAAM,cAAc,mBAAmB,OAAO,UAAU;AACxD,MAAI,YAAY,SAAS,GAAG;AAC1B,UAAM,IAAI,MAAM,uBAAuB,YAAY,KAAK,IAAI,CAAC,EAAE;AAAA,EACjE;AAEA,QAAM,YAAY,iBAAiB,OAAO,KAAK;AAC/C,QAAM,aAAa,kBAAkB,OAAO,MAAM;AAElD,QAAM,WAAkC;AAAA,IACtC,MAAM;AAAA,IACN,iBAAiB;AAAA,IACjB,kBAAkB;AAAA,IAClB,aAAa,OAAO;AAAA,IACpB,WAAW,OAAO,cAAa,oBAAI,KAAK,GAAE,YAAY;AAAA,IACtD,UAAU,OAAO;AAAA,IACjB,OAAO,OAAO;AAAA,IACd,cAAc,OAAO,gBAAgB;AAAA,IACrC,QAAQ,OAAO;AAAA,IACf,OAAO,OAAO;AAAA,IACd;AAAA,IACA,YAAY;AAAA,MACV,aAAa,OAAO,WAAW;AAAA,MAC/B,WAAW,OAAO,WAAW;AAAA,MAC7B,MAAM,OAAO,WAAW,QAAQ;AAAA,MAChC,MAAM,OAAO,WAAW,QAAQ;AAAA,IAClC;AAAA,IACA,QAAQ,OAAO;AAAA,IACf;AAAA,IACA,YAAY,OAAO,cAAc;AAAA,IACjC,OAAO,OAAO,SAAS;AAAA,EACzB;AAEA,MAAI,OAAO,UAAU,OAAW,UAAS,QAAQ,OAAO,SAAS;AACjE,MAAI,OAAO,WAAW,OAAW,UAAS,SAAS,OAAO,UAAU;AACpE,MAAI,OAAO,cAAc,OAAW,UAAS,YAAY,OAAO,aAAa;AAC7E,MAAI,OAAO,eAAe,OAAW,UAAS,aAAa,OAAO,cAAc;AAChF,MAAI,OAAO,mBAAmB,OAAW,UAAS,iBAAiB,OAAO,kBAAkB;AAC5F,MAAI,OAAO,iBAAiB,OAAW,UAAS,eAAe,OAAO,gBAAgB;AAEtF,SAAO;AACT;;;ACxDA,SAAS,uBAAuB,SAAqC;AACnE,QAAM,YAAY,gBAAgB,OAAO;AACzC,SAAO,UAAU,UAAU,SAAS,CAAC;AACvC;AAEO,SAAS,QACd,UACA,SACsB;AACtB,QAAM,YAAY,SAAS,cAAa,oBAAI,KAAK,GAAE,YAAY;AAE/D,QAAM,UAA8B;AAAA,IAClC,YAAY;AAAA,IACZ;AAAA,IACA;AAAA,IACA,SAAS;AAAA,EACX;AAEA,QAAM,kBAAkB,uBAAuB,OAAO;AAEtD,QAAM,SAA+B;AAAA,IACnC,YAAY;AAAA,IACZ;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT;AAAA,EACF;AAEA,MAAI,SAAS,MAAM;AACjB,WAAO,OAAO,QAAQ;AAAA,EACxB;AAEA,SAAO;AACT;;;AJrCO,SAAS,aACd,QACA;AACA,SAAO;AAAA,IACL,MAAM,QAAQ,QAA6F;AACzG,YAAM,MAAM,MAAM,OAAO,OAAO,OAAO,aAAa;AACpD,YAAM,SAAS,OAAO,cAAc,GAAG;AACvC,YAAM,eAAe,OAAO,sBACxB,OAAO,oBAAoB,GAAG,IAC7B,OAAO,gBAAgB;AAE5B,YAAM,WAAW,eAAe;AAAA,QAC9B,aAAa,OAAO,eAAsB,mBAAW;AAAA,QACrD,UAAU,OAAO;AAAA,QACjB,OAAO,OAAO;AAAA,QACd;AAAA,QACA,QAAQ,OAAO;AAAA,QACf,OAAO,OAAO;AAAA,QACd,YAAY,OAAO;AAAA,QACnB;AAAA,QACA,OAAO,OAAO;AAAA,MAChB,CAAC;AAED,YAAM,SAAS,QAAQ,UAAU,EAAE,MAAM,OAAO,KAAK,CAAC;AAEtD,aAAO,EAAE,QAAQ,UAAU,OAAO;AAAA,IACpC;AAAA,EACF;AACF;","names":["crypto"]}
+{"version":3,"sources":["../../src/providers/wrap.ts","../../src/hash.ts","../../src/canonicalJson.ts","../../src/snapshot.ts","../../src/cer.ts"],"sourcesContent":["import * as crypto from 'crypto';\nimport type {\n  ProviderConfig,\n  WrappedExecutionParams,\n  WrappedExecutionResult,\n} from '../types.js';\nimport { createSnapshot } from '../snapshot.js';\nimport { sealCer } from '../cer.js';\n\nexport function wrapProvider<TInput = unknown, TOutput = unknown>(\n  config: ProviderConfig<TInput, TOutput>,\n) {\n  return {\n    async execute(params: WrappedExecutionParams & { providerInput: TInput }): Promise<WrappedExecutionResult> {\n      const raw = await config.callFn(params.providerInput);\n      const output = config.extractOutput(raw);\n      const modelVersion = config.extractModelVersion\n        ? config.extractModelVersion(raw)\n        : (params.modelVersion ?? null);\n\n      const snapshot = createSnapshot({\n        executionId: params.executionId ?? crypto.randomUUID(),\n        provider: config.provider,\n        model: params.model,\n        modelVersion,\n        prompt: params.prompt,\n        input: params.input,\n        parameters: params.parameters,\n        output,\n        appId: params.appId,\n      });\n\n      const bundle = sealCer(snapshot, { meta: params.meta });\n\n      return { output, snapshot, bundle };\n    },\n  };\n}\n","import * as crypto from 'crypto';\nimport { toCanonicalJson } from './canonicalJson.js';\n\nexport function sha256Hex(data: string | Uint8Array): string {\n  const hash = crypto.createHash('sha256');\n  if (typeof data === 'string') {\n    hash.update(data, 'utf-8');\n  } else {\n    hash.update(data);\n  }\n  return hash.digest('hex');\n}\n\nexport function hashUtf8(value: string): string {\n  return `sha256:${sha256Hex(value)}`;\n}\n\nexport function hashCanonicalJson(value: unknown): string {\n  const canonical = toCanonicalJson(value);\n  return `sha256:${sha256Hex(canonical)}`;\n}\n\nexport function computeInputHash(input: string | Record<string, unknown>): string {\n  if (typeof input === 'string') {\n    return hashUtf8(input);\n  }\n  return hashCanonicalJson(input);\n}\n\nexport function computeOutputHash(output: string | Record<string, unknown>): string {\n  if (typeof output === 'string') {\n    return hashUtf8(output);\n  }\n  return hashCanonicalJson(output);\n}\n","export function toCanonicalJson(value: unknown): string {\n  return canonicalize(value);\n}\n\nfunction canonicalize(value: unknown): string {\n  if (value === null) {\n    return 'null';\n  }\n\n  if (typeof value === 'boolean') {\n    return value ? 'true' : 'false';\n  }\n\n  if (typeof value === 'number') {\n    if (!Number.isFinite(value)) {\n      throw new Error(`Non-finite number not allowed in canonical JSON: ${value}`);\n    }\n    return JSON.stringify(value);\n  }\n\n  if (typeof value === 'string') {\n    return JSON.stringify(value);\n  }\n\n  if (Array.isArray(value)) {\n    const items = value.map(item => canonicalize(item));\n    return '[' + items.join(',') + ']';\n  }\n\n  if (typeof value === 'object') {\n    const obj = value as Record<string, unknown>;\n    const keys = Object.keys(obj).sort();\n    const entries = keys.map(key => {\n      const val = obj[key];\n      if (val === undefined) {\n        return null;\n      }\n      return JSON.stringify(key) + ':' + canonicalize(val);\n    }).filter(e => e !== null);\n    return '{' + entries.join(',') + '}';\n  }\n\n  throw new Error(`Unsupported type for canonical JSON: ${typeof value}`);\n}\n","import type { AiExecutionSnapshotV1, CreateSnapshotParams, VerificationResult, AiExecutionParameters } from './types.js';\nimport { CerVerifyCode } from './types.js';\nimport { computeInputHash, computeOutputHash } from './hash.js';\n\nconst PACKAGE_VERSION = '0.7.0';\n\nfunction validateParameters(params: AiExecutionParameters): string[] {\n  const errors: string[] = [];\n\n  if (typeof params.temperature !== 'number' || !Number.isFinite(params.temperature)) {\n    errors.push(`parameters.temperature must be a finite number, got: ${params.temperature}`);\n  }\n\n  if (typeof params.maxTokens !== 'number' || !Number.isFinite(params.maxTokens)) {\n    errors.push(`parameters.maxTokens must be a finite number, got: ${params.maxTokens}`);\n  }\n\n  if (params.topP !== null && (typeof params.topP !== 'number' || !Number.isFinite(params.topP))) {\n    errors.push(`parameters.topP must be a finite number or null, got: ${params.topP}`);\n  }\n\n  if (params.seed !== null && (typeof params.seed !== 'number' || !Number.isFinite(params.seed))) {\n    errors.push(`parameters.seed must be a finite number or null, got: ${params.seed}`);\n  }\n\n  return errors;\n}\n\nexport function createSnapshot(params: CreateSnapshotParams): AiExecutionSnapshotV1 {\n  const paramErrors = validateParameters(params.parameters);\n  if (paramErrors.length > 0) {\n    throw new Error(`Invalid parameters: ${paramErrors.join('; ')}`);\n  }\n\n  const inputHash = computeInputHash(params.input);\n  const outputHash = computeOutputHash(params.output);\n\n  const snapshot: AiExecutionSnapshotV1 = {\n    type: 'ai.execution.v1',\n    protocolVersion: '1.2.0',\n    executionSurface: 'ai',\n    executionId: params.executionId,\n    timestamp: params.timestamp ?? new Date().toISOString(),\n    provider: params.provider,\n    model: params.model,\n    modelVersion: params.modelVersion ?? null,\n    prompt: params.prompt,\n    input: params.input,\n    inputHash,\n    parameters: {\n      temperature: params.parameters.temperature,\n      maxTokens: params.parameters.maxTokens,\n      topP: params.parameters.topP ?? null,\n      seed: params.parameters.seed ?? null,\n    },\n    output: params.output,\n    outputHash,\n    sdkVersion: params.sdkVersion ?? PACKAGE_VERSION,\n    appId: params.appId ?? null,\n  };\n\n  if (params.runId !== undefined) snapshot.runId = params.runId ?? null;\n  if (params.stepId !== undefined) snapshot.stepId = params.stepId ?? null;\n  if (params.stepIndex !== undefined) snapshot.stepIndex = params.stepIndex ?? null;\n  if (params.workflowId !== undefined) snapshot.workflowId = params.workflowId ?? null;\n  if (params.conversationId !== undefined) snapshot.conversationId = params.conversationId ?? null;\n  if (params.prevStepHash !== undefined) snapshot.prevStepHash = params.prevStepHash ?? null;\n\n  // v0.7.0: AIEF-06 tool/dependency evidence — included in certificateHash when present\n  if (params.toolCalls !== undefined && params.toolCalls.length > 0) {\n    snapshot.toolCalls = params.toolCalls;\n  }\n\n  return snapshot;\n}\n\nexport function verifySnapshot(snapshot: AiExecutionSnapshotV1): VerificationResult {\n  const schemaErrors: string[] = [];\n  const formatErrors: string[] = [];\n  const inputHashErrors: string[] = [];\n  const outputHashErrors: string[] = [];\n\n  if (snapshot.type !== 'ai.execution.v1') {\n    schemaErrors.push(`Expected type \"ai.execution.v1\", got \"${snapshot.type}\"`);\n  }\n\n  if (snapshot.protocolVersion !== '1.2.0') {\n    schemaErrors.push(`Expected protocolVersion \"1.2.0\", got \"${snapshot.protocolVersion}\"`);\n  }\n\n  if (snapshot.executionSurface !== 'ai') {\n    schemaErrors.push(`Expected executionSurface \"ai\", got \"${snapshot.executionSurface}\"`);\n  }\n\n  if (!snapshot.executionId || typeof snapshot.executionId !== 'string') {\n    schemaErrors.push('executionId must be a non-empty string');\n  }\n\n  if (!snapshot.timestamp || typeof snapshot.timestamp !== 'string') {\n    schemaErrors.push('timestamp must be a non-empty string');\n  }\n\n  if (!snapshot.provider || typeof snapshot.provider !== 'string') {\n    schemaErrors.push('provider must be a non-empty string');\n  }\n\n  if (!snapshot.model || typeof snapshot.model !== 'string') {\n    schemaErrors.push('model must be a non-empty string');\n  }\n\n  if (!snapshot.prompt || typeof snapshot.prompt !== 'string') {\n    schemaErrors.push('prompt must be a non-empty string');\n  }\n\n  if (snapshot.input === undefined || snapshot.input === null) {\n    schemaErrors.push('input must be a string or object');\n  }\n\n  if (snapshot.output === undefined || snapshot.output === null) {\n    schemaErrors.push('output must be a string or object');\n  }\n\n  const paramErrors = validateParameters(snapshot.parameters);\n  schemaErrors.push(...paramErrors);\n\n  if (!snapshot.inputHash || !snapshot.inputHash.startsWith('sha256:')) {\n    formatErrors.push(`inputHash must start with \"sha256:\", got \"${snapshot.inputHash}\"`);\n  }\n\n  if (!snapshot.outputHash || !snapshot.outputHash.startsWith('sha256:')) {\n    formatErrors.push(`outputHash must start with \"sha256:\", got \"${snapshot.outputHash}\"`);\n  }\n\n  if (formatErrors.length === 0) {\n    const expectedInputHash = computeInputHash(snapshot.input);\n    if (snapshot.inputHash !== expectedInputHash) {\n      inputHashErrors.push(`inputHash mismatch: expected ${expectedInputHash}, got ${snapshot.inputHash}`);\n    }\n\n    const expectedOutputHash = computeOutputHash(snapshot.output);\n    if (snapshot.outputHash !== expectedOutputHash) {\n      outputHashErrors.push(`outputHash mismatch: expected ${expectedOutputHash}, got ${snapshot.outputHash}`);\n    }\n  }\n\n  const errors = [...schemaErrors, ...formatErrors, ...inputHashErrors, ...outputHashErrors];\n\n  if (errors.length === 0) {\n    return { ok: true, errors: [], code: CerVerifyCode.OK };\n  }\n\n  let code: typeof CerVerifyCode[keyof typeof CerVerifyCode];\n  let details: string[];\n\n  if (schemaErrors.length > 0) {\n    code = CerVerifyCode.SCHEMA_ERROR;\n    details = schemaErrors;\n  } else if (formatErrors.length > 0) {\n    code = CerVerifyCode.INVALID_SHA256_FORMAT;\n    details = formatErrors;\n  } else if (inputHashErrors.length > 0 && outputHashErrors.length > 0) {\n    code = CerVerifyCode.SNAPSHOT_HASH_MISMATCH;\n    details = [...inputHashErrors, ...outputHashErrors];\n  } else if (inputHashErrors.length > 0) {\n    code = CerVerifyCode.INPUT_HASH_MISMATCH;\n    details = inputHashErrors;\n  } else if (outputHashErrors.length > 0) {\n    code = CerVerifyCode.OUTPUT_HASH_MISMATCH;\n    details = outputHashErrors;\n  } else {\n    code = CerVerifyCode.UNKNOWN_ERROR;\n    details = errors;\n  }\n\n  return { ok: false, errors, code, details };\n}\n","import type { AiExecutionSnapshotV1, CerAiExecutionBundle, CerMeta, BundleDeclaration, VerificationResult } from './types.js';\nimport { CerVerifyCode } from './types.js';\nimport { toCanonicalJson } from './canonicalJson.js';\nimport { sha256Hex } from './hash.js';\nimport { verifySnapshot } from './snapshot.js';\n\ninterface CertificatePayload {\n  bundleType: 'cer.ai.execution.v1';\n  createdAt: string;\n  snapshot: AiExecutionSnapshotV1;\n  version: '0.1';\n}\n\nfunction computeCertificateHash(payload: CertificatePayload): string {\n  const canonical = toCanonicalJson(payload);\n  return `sha256:${sha256Hex(canonical)}`;\n}\n\nexport function sealCer(\n  snapshot: AiExecutionSnapshotV1,\n  options?: { createdAt?: string; meta?: CerMeta; declaration?: BundleDeclaration }\n): CerAiExecutionBundle {\n  const createdAt = options?.createdAt ?? new Date().toISOString();\n\n  // certificateHash covers ONLY { bundleType, createdAt, snapshot, version }.\n  // `declaration` and `meta` are intentionally excluded — they are non-evidentiary.\n  const payload: CertificatePayload = {\n    bundleType: 'cer.ai.execution.v1',\n    createdAt,\n    snapshot,\n    version: '0.1',\n  };\n\n  const certificateHash = computeCertificateHash(payload);\n\n  const bundle: CerAiExecutionBundle = {\n    bundleType: 'cer.ai.execution.v1',\n    certificateHash,\n    createdAt,\n    version: '0.1',\n    snapshot,\n  };\n\n  if (options?.meta) {\n    bundle.meta = options.meta;\n  }\n\n  // v0.7.0: attach declaration block AFTER hashing — excluded from certificateHash by design.\n  if (options?.declaration) {\n    bundle.declaration = options.declaration;\n  }\n\n  return bundle;\n}\n\nexport function verifyCer(bundle: CerAiExecutionBundle): VerificationResult {\n  const schemaErrors: string[] = [];\n  const formatErrors: string[] = [];\n\n  if (bundle.bundleType !== 'cer.ai.execution.v1') {\n    schemaErrors.push(`Expected bundleType \"cer.ai.execution.v1\", got \"${bundle.bundleType}\"`);\n  }\n\n  if (bundle.version !== '0.1') {\n    schemaErrors.push(`Expected version \"0.1\", got \"${bundle.version}\"`);\n  }\n\n  if (!bundle.createdAt || typeof bundle.createdAt !== 'string') {\n    schemaErrors.push('createdAt must be a non-empty string');\n  }\n\n  if (!bundle.certificateHash || !bundle.certificateHash.startsWith('sha256:')) {\n    formatErrors.push(`certificateHash must start with \"sha256:\", got \"${bundle.certificateHash}\"`);\n  }\n\n  if (!bundle.snapshot) {\n    schemaErrors.push('snapshot is required');\n    const allErrors = [...schemaErrors, ...formatErrors];\n    return { ok: false, errors: allErrors, code: CerVerifyCode.SCHEMA_ERROR, details: schemaErrors };\n  }\n\n  let canonicalizationError: string | null = null;\n  let snapshotResult: VerificationResult | null = null;\n\n  try {\n    snapshotResult = verifySnapshot(bundle.snapshot);\n  } catch (err) {\n    canonicalizationError = err instanceof Error ? err.message : String(err);\n  }\n\n  if (canonicalizationError !== null) {\n    const errors = [...schemaErrors, ...formatErrors, canonicalizationError];\n    return { ok: false, errors, code: CerVerifyCode.CANONICALIZATION_ERROR, details: [canonicalizationError] };\n  }\n\n  const snapshotErrors = snapshotResult!.errors;\n\n  const certHashErrors: string[] = [];\n  try {\n    const payload: CertificatePayload = {\n      bundleType: 'cer.ai.execution.v1',\n      createdAt: bundle.createdAt,\n      snapshot: bundle.snapshot,\n      version: '0.1',\n    };\n    const expectedHash = computeCertificateHash(payload);\n    if (bundle.certificateHash !== expectedHash) {\n      certHashErrors.push(`certificateHash mismatch: expected ${expectedHash}, got ${bundle.certificateHash}`);\n    }\n  } catch (err) {\n    const msg = err instanceof Error ? err.message : String(err);\n    const errors = [...schemaErrors, ...formatErrors, ...snapshotErrors, msg];\n    return { ok: false, errors, code: CerVerifyCode.CANONICALIZATION_ERROR, details: [msg] };\n  }\n\n  const errors = [...schemaErrors, ...formatErrors, ...snapshotErrors, ...certHashErrors];\n\n  if (errors.length === 0) {\n    return { ok: true, errors: [], code: CerVerifyCode.OK };\n  }\n\n  let code: typeof CerVerifyCode[keyof typeof CerVerifyCode];\n  let details: string[];\n\n  if (schemaErrors.length > 0) {\n    code = CerVerifyCode.SCHEMA_ERROR;\n    details = schemaErrors;\n  } else if (formatErrors.length > 0) {\n    code = CerVerifyCode.INVALID_SHA256_FORMAT;\n    details = formatErrors;\n  } else if (certHashErrors.length > 0 && snapshotErrors.length === 0) {\n    code = CerVerifyCode.CERTIFICATE_HASH_MISMATCH;\n    details = certHashErrors;\n  } else if (snapshotResult && snapshotResult.code !== CerVerifyCode.OK) {\n    code = snapshotResult.code;\n    details = snapshotResult.details ?? snapshotErrors;\n  } else if (certHashErrors.length > 0) {\n    code = CerVerifyCode.CERTIFICATE_HASH_MISMATCH;\n    details = certHashErrors;\n  } else {\n    code = CerVerifyCode.UNKNOWN_ERROR;\n    details = errors;\n  }\n\n  return { ok: false, errors, code, details };\n}\n"],"mappings":";AAAA,YAAYA,aAAY;;;ACAxB,YAAY,YAAY;;;ACAjB,SAAS,gBAAgB,OAAwB;AACtD,SAAO,aAAa,KAAK;AAC3B;AAEA,SAAS,aAAa,OAAwB;AAC5C,MAAI,UAAU,MAAM;AAClB,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,UAAU,WAAW;AAC9B,WAAO,QAAQ,SAAS;AAAA,EAC1B;AAEA,MAAI,OAAO,UAAU,UAAU;AAC7B,QAAI,CAAC,OAAO,SAAS,KAAK,GAAG;AAC3B,YAAM,IAAI,MAAM,oDAAoD,KAAK,EAAE;AAAA,IAC7E;AACA,WAAO,KAAK,UAAU,KAAK;AAAA,EAC7B;AAEA,MAAI,OAAO,UAAU,UAAU;AAC7B,WAAO,KAAK,UAAU,KAAK;AAAA,EAC7B;AAEA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,UAAM,QAAQ,MAAM,IAAI,UAAQ,aAAa,IAAI,CAAC;AAClD,WAAO,MAAM,MAAM,KAAK,GAAG,IAAI;AAAA,EACjC;AAEA,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,MAAM;AACZ,UAAM,OAAO,OAAO,KAAK,GAAG,EAAE,KAAK;AACnC,UAAM,UAAU,KAAK,IAAI,SAAO;AAC9B,YAAM,MAAM,IAAI,GAAG;AACnB,UAAI,QAAQ,QAAW;AACrB,eAAO;AAAA,MACT;AACA,aAAO,KAAK,UAAU,GAAG,IAAI,MAAM,aAAa,GAAG;AAAA,IACrD,CAAC,EAAE,OAAO,OAAK,MAAM,IAAI;AACzB,WAAO,MAAM,QAAQ,KAAK,GAAG,IAAI;AAAA,EACnC;AAEA,QAAM,IAAI,MAAM,wCAAwC,OAAO,KAAK,EAAE;AACxE;;;ADxCO,SAAS,UAAU,MAAmC;AAC3D,QAAM,OAAc,kBAAW,QAAQ;AACvC,MAAI,OAAO,SAAS,UAAU;AAC5B,SAAK,OAAO,MAAM,OAAO;AAAA,EAC3B,OAAO;AACL,SAAK,OAAO,IAAI;AAAA,EAClB;AACA,SAAO,KAAK,OAAO,KAAK;AAC1B;AAEO,SAAS,SAAS,OAAuB;AAC9C,SAAO,UAAU,UAAU,KAAK,CAAC;AACnC;AAEO,SAAS,kBAAkB,OAAwB;AACxD,QAAM,YAAY,gBAAgB,KAAK;AACvC,SAAO,UAAU,UAAU,SAAS,CAAC;AACvC;AAEO,SAAS,iBAAiB,OAAiD;AAChF,MAAI,OAAO,UAAU,UAAU;AAC7B,WAAO,SAAS,KAAK;AAAA,EACvB;AACA,SAAO,kBAAkB,KAAK;AAChC;AAEO,SAAS,kBAAkB,QAAkD;AAClF,MAAI,OAAO,WAAW,UAAU;AAC9B,WAAO,SAAS,MAAM;AAAA,EACxB;AACA,SAAO,kBAAkB,MAAM;AACjC;;;AE9BA,IAAM,kBAAkB;AAExB,SAAS,mBAAmB,QAAyC;AACnE,QAAM,SAAmB,CAAC;AAE1B,MAAI,OAAO,OAAO,gBAAgB,YAAY,CAAC,OAAO,SAAS,OAAO,WAAW,GAAG;AAClF,WAAO,KAAK,wDAAwD,OAAO,WAAW,EAAE;AAAA,EAC1F;AAEA,MAAI,OAAO,OAAO,cAAc,YAAY,CAAC,OAAO,SAAS,OAAO,SAAS,GAAG;AAC9E,WAAO,KAAK,sDAAsD,OAAO,SAAS,EAAE;AAAA,EACtF;AAEA,MAAI,OAAO,SAAS,SAAS,OAAO,OAAO,SAAS,YAAY,CAAC,OAAO,SAAS,OAAO,IAAI,IAAI;AAC9F,WAAO,KAAK,yDAAyD,OAAO,IAAI,EAAE;AAAA,EACpF;AAEA,MAAI,OAAO,SAAS,SAAS,OAAO,OAAO,SAAS,YAAY,CAAC,OAAO,SAAS,OAAO,IAAI,IAAI;AAC9F,WAAO,KAAK,yDAAyD,OAAO,IAAI,EAAE;AAAA,EACpF;AAEA,SAAO;AACT;AAEO,SAAS,eAAe,QAAqD;AAClF,QAAM,cAAc,mBAAmB,OAAO,UAAU;AACxD,MAAI,YAAY,SAAS,GAAG;AAC1B,UAAM,IAAI,MAAM,uBAAuB,YAAY,KAAK,IAAI,CAAC,EAAE;AAAA,EACjE;AAEA,QAAM,YAAY,iBAAiB,OAAO,KAAK;AAC/C,QAAM,aAAa,kBAAkB,OAAO,MAAM;AAElD,QAAM,WAAkC;AAAA,IACtC,MAAM;AAAA,IACN,iBAAiB;AAAA,IACjB,kBAAkB;AAAA,IAClB,aAAa,OAAO;AAAA,IACpB,WAAW,OAAO,cAAa,oBAAI,KAAK,GAAE,YAAY;AAAA,IACtD,UAAU,OAAO;AAAA,IACjB,OAAO,OAAO;AAAA,IACd,cAAc,OAAO,gBAAgB;AAAA,IACrC,QAAQ,OAAO;AAAA,IACf,OAAO,OAAO;AAAA,IACd;AAAA,IACA,YAAY;AAAA,MACV,aAAa,OAAO,WAAW;AAAA,MAC/B,WAAW,OAAO,WAAW;AAAA,MAC7B,MAAM,OAAO,WAAW,QAAQ;AAAA,MAChC,MAAM,OAAO,WAAW,QAAQ;AAAA,IAClC;AAAA,IACA,QAAQ,OAAO;AAAA,IACf;AAAA,IACA,YAAY,OAAO,cAAc;AAAA,IACjC,OAAO,OAAO,SAAS;AAAA,EACzB;AAEA,MAAI,OAAO,UAAU,OAAW,UAAS,QAAQ,OAAO,SAAS;AACjE,MAAI,OAAO,WAAW,OAAW,UAAS,SAAS,OAAO,UAAU;AACpE,MAAI,OAAO,cAAc,OAAW,UAAS,YAAY,OAAO,aAAa;AAC7E,MAAI,OAAO,eAAe,OAAW,UAAS,aAAa,OAAO,cAAc;AAChF,MAAI,OAAO,mBAAmB,OAAW,UAAS,iBAAiB,OAAO,kBAAkB;AAC5F,MAAI,OAAO,iBAAiB,OAAW,UAAS,eAAe,OAAO,gBAAgB;AAGtF,MAAI,OAAO,cAAc,UAAa,OAAO,UAAU,SAAS,GAAG;AACjE,aAAS,YAAY,OAAO;AAAA,EAC9B;AAEA,SAAO;AACT;;;AC7DA,SAAS,uBAAuB,SAAqC;AACnE,QAAM,YAAY,gBAAgB,OAAO;AACzC,SAAO,UAAU,UAAU,SAAS,CAAC;AACvC;AAEO,SAAS,QACd,UACA,SACsB;AACtB,QAAM,YAAY,SAAS,cAAa,oBAAI,KAAK,GAAE,YAAY;AAI/D,QAAM,UAA8B;AAAA,IAClC,YAAY;AAAA,IACZ;AAAA,IACA;AAAA,IACA,SAAS;AAAA,EACX;AAEA,QAAM,kBAAkB,uBAAuB,OAAO;AAEtD,QAAM,SAA+B;AAAA,IACnC,YAAY;AAAA,IACZ;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT;AAAA,EACF;AAEA,MAAI,SAAS,MAAM;AACjB,WAAO,OAAO,QAAQ;AAAA,EACxB;AAGA,MAAI,SAAS,aAAa;AACxB,WAAO,cAAc,QAAQ;AAAA,EAC/B;AAEA,SAAO;AACT;;;AJ5CO,SAAS,aACd,QACA;AACA,SAAO;AAAA,IACL,MAAM,QAAQ,QAA6F;AACzG,YAAM,MAAM,MAAM,OAAO,OAAO,OAAO,aAAa;AACpD,YAAM,SAAS,OAAO,cAAc,GAAG;AACvC,YAAM,eAAe,OAAO,sBACxB,OAAO,oBAAoB,GAAG,IAC7B,OAAO,gBAAgB;AAE5B,YAAM,WAAW,eAAe;AAAA,QAC9B,aAAa,OAAO,eAAsB,mBAAW;AAAA,QACrD,UAAU,OAAO;AAAA,QACjB,OAAO,OAAO;AAAA,QACd;AAAA,QACA,QAAQ,OAAO;AAAA,QACf,OAAO,OAAO;AAAA,QACd,YAAY,OAAO;AAAA,QACnB;AAAA,QACA,OAAO,OAAO;AAAA,MAChB,CAAC;AAED,YAAM,SAAS,QAAQ,UAAU,EAAE,MAAM,OAAO,KAAK,CAAC;AAEtD,aAAO,EAAE,QAAQ,UAAU,OAAO;AAAA,IACpC;AAAA,EACF;AACF;","names":["crypto"]}

package/dist/{types-BjEqrksn.d.cts → types-CcqCDPrD.d.cts}

@@ -4,6 +4,58 @@ interface AiExecutionParameters {
     topP: number | null;
     seed: number | null;
 }
+/** AIEF-06 tool call evidence record. Include in snapshot.toolCalls. */
+interface ToolEvent {
+    toolId: string;
+    at: string;
+    inputHash?: string;
+    outputHash: string;
+    evidenceRef?: string;
+    error?: string;
+}
+/**
+ * Declarative block attached to a bundle that describes its integrity scheme
+ * and protected set. EXCLUDED from certificateHash by design — purely informational.
+ * Satisfies AIEF-02 SHOULD requirement for self-describing artifacts.
+ */
+interface BundleDeclaration {
+    stabilitySchemeId: string;
+    protectedSetId: string;
+    protectedFields: string[];
+    notes?: string;
+}
+/** Stable placeholder produced by redactBeforeSeal(). Preserves the original value's hash. */
+interface RedactionEnvelope {
+    _redacted: true;
+    hash: string;
+}
+/** Exact AIEF §9.1 output shape returned by verifyAief(). */
+interface AiefVerifyResult {
+    result: 'PASS' | 'FAIL';
+    reason: string | null;
+    checks: {
+        schemaSupported: boolean;
+        integrityValid: boolean;
+        protectedSetValid: boolean;
+        chainValid: boolean;
+    };
+    field?: string;
+    expected?: string;
+    observed?: string;
+    notes?: string[];
+}
+/** Result returned by verifyRunSummary(). */
+interface RunSummaryVerifyResult {
+    ok: boolean;
+    code: CerVerifyCode;
+    errors: string[];
+    details?: string[];
+    breakAt?: number;
+    expectedPrev?: string;
+    observedPrev?: string;
+}
+/** Opt-in strictness profile. Does NOT affect certificateHash computation. */
+type AiefProfile = 'flexible' | 'AIEF_L2' | 'AIEF_L3' | 'AIEF_L4';
 interface AiExecutionSnapshotV1 {
     type: 'ai.execution.v1';
     protocolVersion: '1.2.0';
@@ -27,6 +79,8 @@ interface AiExecutionSnapshotV1 {
     workflowId?: string | null;
     conversationId?: string | null;
     prevStepHash?: string | null;
+    /** v0.7.0 — AIEF-06 tool/dependency evidence. Included in certificateHash when present. */
+    toolCalls?: ToolEvent[];
 }
 interface CerMeta {
     source?: string;
@@ -40,6 +94,12 @@ interface CerAiExecutionBundle {
     version: '0.1';
     snapshot: AiExecutionSnapshotV1;
     meta?: CerMeta;
+    /**
+     * v0.7.0 — Optional declarative block describing the integrity scheme and protected set.
+     * EXCLUDED from certificateHash computation by design. Purely informational.
+     * Satisfies AIEF-02 SHOULD requirement for self-describing artifacts.
+     */
+    declaration?: BundleDeclaration;
 }
 declare const CerVerifyCode: {
     readonly OK: "OK";
@@ -55,6 +115,11 @@ declare const CerVerifyCode: {
     readonly ATTESTATION_KEY_NOT_FOUND: "ATTESTATION_KEY_NOT_FOUND";
     readonly ATTESTATION_INVALID_SIGNATURE: "ATTESTATION_INVALID_SIGNATURE";
     readonly ATTESTATION_KEY_FORMAT_UNSUPPORTED: "ATTESTATION_KEY_FORMAT_UNSUPPORTED";
+    readonly CHAIN_BREAK_DETECTED: "CHAIN_BREAK_DETECTED";
+    readonly INCOMPLETE_ARTIFACT: "INCOMPLETE_ARTIFACT";
+    readonly VERIFICATION_MATERIAL_UNAVAILABLE: "VERIFICATION_MATERIAL_UNAVAILABLE";
+    readonly TOOL_EVIDENCE_MISSING: "TOOL_EVIDENCE_MISSING";
+    readonly TOOL_OUTPUT_HASH_MISMATCH: "TOOL_OUTPUT_HASH_MISMATCH";
 };
 type CerVerifyCode = typeof CerVerifyCode[keyof typeof CerVerifyCode];
 interface VerificationResult {
@@ -81,6 +146,8 @@ interface CreateSnapshotParams {
     workflowId?: string | null;
     conversationId?: string | null;
     prevStepHash?: string | null;
+    /** v0.7.0 — AIEF-06 tool/dependency evidence records. */
+    toolCalls?: ToolEvent[];
 }
 interface AttestationResult {
     ok: boolean;
@@ -199,6 +266,57 @@ interface ProviderConfig<TInput = unknown, TOutput = unknown> {
     extractOutput: (raw: TOutput) => string | Record<string, unknown>;
     extractModelVersion?: (raw: TOutput) => string | null;
 }
+/** Parameters for the high-level certifyDecisionFromProviderCall wrapper. */
+interface ProviderCallParams {
+    provider: string;
+    model?: string;
+    request: Record<string, unknown>;
+    response: Record<string, unknown>;
+    meta?: CerMeta;
+    executionId?: string;
+    timestamp?: string;
+    /** CER creation timestamp. Defaults to current time if omitted. */
+    createdAt?: string;
+    appId?: string | null;
+    workflowId?: string | null;
+    conversationId?: string | null;
+}
+/** Result of certifyDecisionFromProviderCall. */
+type ProviderCallResult = {
+    ok: true;
+    bundle: CerAiExecutionBundle;
+} | {
+    ok: false;
+    code: typeof CerVerifyCode.SCHEMA_ERROR;
+    reason: string;
+};
+/** Defaults applied to every call made through a NexArtClient instance. */
+interface ClientDefaults {
+    appId?: string | null;
+    workflowId?: string | null;
+    nodeUrl?: string;
+    apiKey?: string | (() => string | Promise<string>);
+    tags?: string[];
+    source?: string;
+}
+/** Pre-configured client returned by createClient(). */
+interface NexArtClient {
+    certifyDecision(params: CertifyDecisionParams): CerAiExecutionBundle;
+    certifyAndAttestDecision(params: CertifyDecisionParams, options?: Partial<AttestOptions>): Promise<{
+        bundle: CerAiExecutionBundle;
+        receipt: AttestationReceipt;
+    }>;
+    verify(bundle: CerAiExecutionBundle): VerificationResult;
+    verifyBundleAttestation(bundle: unknown, options?: {
+        nodeUrl?: string;
+        kid?: string;
+    }): Promise<NodeReceiptVerifyResult>;
+}
+/** Options for sanitizeForStorage. */
+interface SanitizeStorageOptions {
+    redactPaths?: string[];
+    redactWith?: string;
+}
 interface WrappedExecutionParams {
     prompt: string;
     input: string | Record<string, unknown>;
@@ -215,4 +333,4 @@ interface WrappedExecutionResult {
     bundle: CerAiExecutionBundle;
 }
 
-export { type AiExecutionSnapshotV1 as A, type CreateSnapshotParams as C, type NodeKeysDocument as N, type ProviderConfig as P, type RunBuilderOptions as R, type StepParams as S, type VerificationResult as V, type WrappedExecutionParams as W, type CerMeta as a, type CerAiExecutionBundle as b, type CertifyDecisionParams as c, type RunSummary as d, type AttestOptions as e, type AttestationResult as f, type AttestationReceipt as g, type NodeReceiptVerifyResult as h, type SignedAttestationReceipt as i, type AiExecutionParameters as j, type AttestationReceiptResult as k, CerVerifyCode as l, type WrappedExecutionResult as m };
+export { type AiExecutionSnapshotV1 as A, type BundleDeclaration as B, type CreateSnapshotParams as C, type NodeKeysDocument as N, type ProviderCallParams as P, type RunBuilderOptions as R, type StepParams as S, type ToolEvent as T, type VerificationResult as V, type WrappedExecutionParams as W, type CerMeta as a, type CerAiExecutionBundle as b, type CertifyDecisionParams as c, type RunSummary as d, type AttestOptions as e, type AttestationResult as f, type SanitizeStorageOptions as g, type AttestationReceipt as h, type NodeReceiptVerifyResult as i, type SignedAttestationReceipt as j, CerVerifyCode as k, type AiefVerifyResult as l, type RunSummaryVerifyResult as m, type AiefProfile as n, type AiExecutionParameters as o, type AttestationReceiptResult as p, type ClientDefaults as q, type NexArtClient as r, type ProviderCallResult as s, type ProviderConfig as t, type RedactionEnvelope as u, type WrappedExecutionResult as v };

package/dist/{types-BjEqrksn.d.ts → types-CcqCDPrD.d.ts}

@@ -4,6 +4,58 @@ interface AiExecutionParameters {
     topP: number | null;
     seed: number | null;
 }
+/** AIEF-06 tool call evidence record. Include in snapshot.toolCalls. */
+interface ToolEvent {
+    toolId: string;
+    at: string;
+    inputHash?: string;
+    outputHash: string;
+    evidenceRef?: string;
+    error?: string;
+}
+/**
+ * Declarative block attached to a bundle that describes its integrity scheme
+ * and protected set. EXCLUDED from certificateHash by design — purely informational.
+ * Satisfies AIEF-02 SHOULD requirement for self-describing artifacts.
+ */
+interface BundleDeclaration {
+    stabilitySchemeId: string;
+    protectedSetId: string;
+    protectedFields: string[];
+    notes?: string;
+}
+/** Stable placeholder produced by redactBeforeSeal(). Preserves the original value's hash. */
+interface RedactionEnvelope {
+    _redacted: true;
+    hash: string;
+}
+/** Exact AIEF §9.1 output shape returned by verifyAief(). */
+interface AiefVerifyResult {
+    result: 'PASS' | 'FAIL';
+    reason: string | null;
+    checks: {
+        schemaSupported: boolean;
+        integrityValid: boolean;
+        protectedSetValid: boolean;
+        chainValid: boolean;
+    };
+    field?: string;
+    expected?: string;
+    observed?: string;
+    notes?: string[];
+}
+/** Result returned by verifyRunSummary(). */
+interface RunSummaryVerifyResult {
+    ok: boolean;
+    code: CerVerifyCode;
+    errors: string[];
+    details?: string[];
+    breakAt?: number;
+    expectedPrev?: string;
+    observedPrev?: string;
+}
+/** Opt-in strictness profile. Does NOT affect certificateHash computation. */
+type AiefProfile = 'flexible' | 'AIEF_L2' | 'AIEF_L3' | 'AIEF_L4';
 interface AiExecutionSnapshotV1 {
     type: 'ai.execution.v1';
     protocolVersion: '1.2.0';
@@ -27,6 +79,8 @@ interface AiExecutionSnapshotV1 {
     workflowId?: string | null;
     conversationId?: string | null;
     prevStepHash?: string | null;
+    /** v0.7.0 — AIEF-06 tool/dependency evidence. Included in certificateHash when present. */
+    toolCalls?: ToolEvent[];
 }
 interface CerMeta {
     source?: string;
@@ -40,6 +94,12 @@ interface CerAiExecutionBundle {
     version: '0.1';
     snapshot: AiExecutionSnapshotV1;
     meta?: CerMeta;
+    /**
+     * v0.7.0 — Optional declarative block describing the integrity scheme and protected set.
+     * EXCLUDED from certificateHash computation by design. Purely informational.
+     * Satisfies AIEF-02 SHOULD requirement for self-describing artifacts.
+     */
+    declaration?: BundleDeclaration;
 }
 declare const CerVerifyCode: {
     readonly OK: "OK";
@@ -55,6 +115,11 @@ declare const CerVerifyCode: {
     readonly ATTESTATION_KEY_NOT_FOUND: "ATTESTATION_KEY_NOT_FOUND";
     readonly ATTESTATION_INVALID_SIGNATURE: "ATTESTATION_INVALID_SIGNATURE";
     readonly ATTESTATION_KEY_FORMAT_UNSUPPORTED: "ATTESTATION_KEY_FORMAT_UNSUPPORTED";
+    readonly CHAIN_BREAK_DETECTED: "CHAIN_BREAK_DETECTED";
+    readonly INCOMPLETE_ARTIFACT: "INCOMPLETE_ARTIFACT";
+    readonly VERIFICATION_MATERIAL_UNAVAILABLE: "VERIFICATION_MATERIAL_UNAVAILABLE";
+    readonly TOOL_EVIDENCE_MISSING: "TOOL_EVIDENCE_MISSING";
+    readonly TOOL_OUTPUT_HASH_MISMATCH: "TOOL_OUTPUT_HASH_MISMATCH";
 };
 type CerVerifyCode = typeof CerVerifyCode[keyof typeof CerVerifyCode];
 interface VerificationResult {
@@ -81,6 +146,8 @@ interface CreateSnapshotParams {
     workflowId?: string | null;
     conversationId?: string | null;
     prevStepHash?: string | null;
+    /** v0.7.0 — AIEF-06 tool/dependency evidence records. */
+    toolCalls?: ToolEvent[];
 }
 interface AttestationResult {
     ok: boolean;
@@ -199,6 +266,57 @@ interface ProviderConfig<TInput = unknown, TOutput = unknown> {
     extractOutput: (raw: TOutput) => string | Record<string, unknown>;
     extractModelVersion?: (raw: TOutput) => string | null;
 }
+/** Parameters for the high-level certifyDecisionFromProviderCall wrapper. */
+interface ProviderCallParams {
+    provider: string;
+    model?: string;
+    request: Record<string, unknown>;
+    response: Record<string, unknown>;
+    meta?: CerMeta;
+    executionId?: string;
+    timestamp?: string;
+    /** CER creation timestamp. Defaults to current time if omitted. */
+    createdAt?: string;
+    appId?: string | null;
+    workflowId?: string | null;
+    conversationId?: string | null;
+}
+/** Result of certifyDecisionFromProviderCall. */
+type ProviderCallResult = {
+    ok: true;
+    bundle: CerAiExecutionBundle;
+} | {
+    ok: false;
+    code: typeof CerVerifyCode.SCHEMA_ERROR;
+    reason: string;
+};
+/** Defaults applied to every call made through a NexArtClient instance. */
+interface ClientDefaults {
+    appId?: string | null;
+    workflowId?: string | null;
+    nodeUrl?: string;
+    apiKey?: string | (() => string | Promise<string>);
+    tags?: string[];
+    source?: string;
+}
+/** Pre-configured client returned by createClient(). */
+interface NexArtClient {
+    certifyDecision(params: CertifyDecisionParams): CerAiExecutionBundle;
+    certifyAndAttestDecision(params: CertifyDecisionParams, options?: Partial<AttestOptions>): Promise<{
+        bundle: CerAiExecutionBundle;
+        receipt: AttestationReceipt;
+    }>;
+    verify(bundle: CerAiExecutionBundle): VerificationResult;
+    verifyBundleAttestation(bundle: unknown, options?: {
+        nodeUrl?: string;
+        kid?: string;
+    }): Promise<NodeReceiptVerifyResult>;
+}
+/** Options for sanitizeForStorage. */
+interface SanitizeStorageOptions {
+    redactPaths?: string[];
+    redactWith?: string;
+}
 interface WrappedExecutionParams {
     prompt: string;
     input: string | Record<string, unknown>;
@@ -215,4 +333,4 @@ interface WrappedExecutionResult {
     bundle: CerAiExecutionBundle;
 }
 
-export { type AiExecutionSnapshotV1 as A, type CreateSnapshotParams as C, type NodeKeysDocument as N, type ProviderConfig as P, type RunBuilderOptions as R, type StepParams as S, type VerificationResult as V, type WrappedExecutionParams as W, type CerMeta as a, type CerAiExecutionBundle as b, type CertifyDecisionParams as c, type RunSummary as d, type AttestOptions as e, type AttestationResult as f, type AttestationReceipt as g, type NodeReceiptVerifyResult as h, type SignedAttestationReceipt as i, type AiExecutionParameters as j, type AttestationReceiptResult as k, CerVerifyCode as l, type WrappedExecutionResult as m };
+export { type AiExecutionSnapshotV1 as A, type BundleDeclaration as B, type CreateSnapshotParams as C, type NodeKeysDocument as N, type ProviderCallParams as P, type RunBuilderOptions as R, type StepParams as S, type ToolEvent as T, type VerificationResult as V, type WrappedExecutionParams as W, type CerMeta as a, type CerAiExecutionBundle as b, type CertifyDecisionParams as c, type RunSummary as d, type AttestOptions as e, type AttestationResult as f, type SanitizeStorageOptions as g, type AttestationReceipt as h, type NodeReceiptVerifyResult as i, type SignedAttestationReceipt as j, CerVerifyCode as k, type AiefVerifyResult as l, type RunSummaryVerifyResult as m, type AiefProfile as n, type AiExecutionParameters as o, type AttestationReceiptResult as p, type ClientDefaults as q, type NexArtClient as r, type ProviderCallResult as s, type ProviderConfig as t, type RedactionEnvelope as u, type WrappedExecutionResult as v };

package/fixtures/v060/legacy-attestation.json

@@ -0,0 +1,32 @@
+{
+  "bundleType": "cer.ai.execution.v1",
+  "certificateHash": "sha256:57a9981040e9ef36d76e6645f655200aaae2679a4c37824ce7e7131c876721fb",
+  "createdAt": "2026-01-15T00:00:00.000Z",
+  "version": "0.1",
+  "snapshot": {
+    "type": "ai.execution.v1",
+    "protocolVersion": "1.2.0",
+    "executionSurface": "ai",
+    "executionId": "v060-legacy-att-001",
+    "timestamp": "2026-01-15T00:00:00.000Z",
+    "provider": "openai",
+    "model": "gpt-3.5-turbo",
+    "modelVersion": null,
+    "prompt": "Translate to French.",
+    "input": "Hello world",
+    "inputHash": "sha256:64ec88ca00b268e5ba1a35678a1b5316d212f4f366b2477232534a8aeca37f3c",
+    "parameters": {
+      "temperature": 0.7,
+      "maxTokens": 512,
+      "topP": null,
+      "seed": null
+    },
+    "output": "Bonjour le monde",
+    "outputHash": "sha256:4dc45b5ed3de202a5693c926caf95bd9710bef4fe5fb16a1c24a08ed428e8ae0",
+    "sdkVersion": "0.4.0",
+    "appId": null
+  },
+  "attestationId": "att-legacy-001",
+  "nodeRuntimeHash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+  "protocolVersion": "1.2.0"
+}

package/fixtures/v060/original-meta-bundle.json

@@ -0,0 +1,36 @@
+{
+  "bundleType": "cer.ai.execution.v1",
+  "certificateHash": "sha256:74685f0c07eb4ad59bafc6d45aa071ee0da50ec518b814d24d47760d3fb30b4d",
+  "createdAt": "2026-01-15T00:00:00.000Z",
+  "version": "0.1",
+  "snapshot": {
+    "type": "ai.execution.v1",
+    "protocolVersion": "1.2.0",
+    "executionSurface": "ai",
+    "executionId": "v060-redacted-001",
+    "timestamp": "2026-01-15T00:00:00.000Z",
+    "provider": "mistral",
+    "model": "mistral-large-latest",
+    "modelVersion": null,
+    "prompt": "What is the capital of France?",
+    "input": "What is the capital of France?",
+    "inputHash": "sha256:115049a298532be2f181edb03f766770c0db84c22aff39003fec340deaec7545",
+    "parameters": {
+      "temperature": 0.7,
+      "maxTokens": 512,
+      "topP": null,
+      "seed": null
+    },
+    "output": "Paris",
+    "outputHash": "sha256:5dd272b4f316b776a7b8e3d0894b37e1e42be3d5d3b204b8a5836cc50597a6b1",
+    "sdkVersion": "0.6.0",
+    "appId": "test-app"
+  },
+  "meta": {
+    "source": "api",
+    "tags": [
+      "geo"
+    ],
+    "apiKey": "sk-test-12345"
+  }
+}