@nexart/ai-execution 0.8.0 → 0.9.0

package/dist/index.d.cts

@@ -1,5 +1,5 @@
-import { C as CreateSnapshotParams, A as AiExecutionSnapshotV1, V as VerificationResult, a as CerMeta, B as BundleDeclaration, b as CerAiExecutionBundle, c as CertifyDecisionParams, R as RunBuilderOptions, S as StepParams, d as RunSummary, e as AttestOptions, f as AttestationResult, g as SanitizeStorageOptions, h as AttestationReceipt, N as NodeKeysDocument, i as NodeReceiptVerifyResult, j as SignedAttestationReceipt, k as CerVerifyCode, l as AiefVerifyResult, T as ToolEvent, m as RunSummaryVerifyResult, n as AiefProfile } from './types-CcqCDPrD.cjs';
-export { o as AiExecutionParameters, p as AttestationReceiptResult, q as ClientDefaults, r as NexArtClient, P as ProviderCallParams, s as ProviderCallResult, t as ProviderConfig, u as RedactionEnvelope, W as WrappedExecutionParams, v as WrappedExecutionResult } from './types-CcqCDPrD.cjs';
+import { C as CreateSnapshotParams, A as AiExecutionSnapshotV1, V as VerificationResult, a as CerMeta, B as BundleDeclaration, b as CerAiExecutionBundle, c as CertifyDecisionParams, R as RunBuilderOptions, S as StepParams, d as RunSummary, e as AttestOptions, f as AttestationResult, g as SanitizeStorageOptions, h as AttestationReceipt, N as NodeKeysDocument, i as NodeReceiptVerifyResult, j as SignedAttestationReceipt, k as CerVerifyCode, l as AiefVerifyResult, T as ToolEvent, m as RunSummaryVerifyResult, n as AiefProfile } from './types-C5t12OK8.cjs';
+export { o as AiExecutionParameters, p as AttestationReceiptResult, q as ClientDefaults, r as NexArtClient, P as ProviderCallParams, s as ProviderCallResult, t as ProviderConfig, u as RedactionEnvelope, W as WrappedExecutionParams, v as WrappedExecutionResult } from './types-C5t12OK8.cjs';
 export { wrapProvider } from './providers/wrap.cjs';
 
 declare class CerVerificationError extends Error {
@@ -501,4 +501,68 @@ interface CertifyAndAttestRunResult {
  */
 declare function certifyAndAttestRun(steps: StepParams[], options?: CertifyAndAttestRunOptions): Promise<CertifyAndAttestRunResult>;
 
-export { AiExecutionSnapshotV1, AiefProfile, AiefVerifyResult, AttestOptions, AttestationReceipt, AttestationResult, BundleDeclaration, CerAiExecutionBundle, CerAttestationError, CerMeta, CerVerificationError, CerVerifyCode, CerVerifyCode as CerVerifyCodeType, type CertifyAndAttestRunOptions, type CertifyAndAttestRunResult, CertifyDecisionParams, CreateSnapshotParams, type ExportVerifiableRedactedOptions, type ExportVerifiableRedactedProvenance, type ExportVerifiableRedactedResult, type MakeToolEventParams, NodeKeysDocument, NodeReceiptVerifyResult, type ProfileValidationResult, type RedactBeforeSealPolicy, RunBuilder, RunBuilderOptions, RunSummary, RunSummaryVerifyResult, SanitizeStorageOptions, SignedAttestationReceipt, StepParams, ToolEvent, VerificationResult, type VerifyRunSummaryOptions, attest, attestIfNeeded, certifyAndAttestDecision, certifyAndAttestRun, certifyDecision, certifyDecisionFromProviderCall, computeInputHash, computeOutputHash, createClient, createSnapshot, exportCer, exportVerifiableRedacted, fetchNodeKeys, getAttestationReceipt, hasAttestation, hashCanonicalJson, hashToolOutput, hashUtf8, importCer, makeToolEvent, mapToAiefReason, redactBeforeSeal, sanitizeForAttestation, sanitizeForStamp, sanitizeForStorage, sealCer, selectNodeKey, sha256Hex, toCanonicalJson, validateProfile, verifyCer as verify, verifyAief, verifyBundleAttestation, verifyCer, verifyNodeReceiptSignature, verifyRunSummary, verifySnapshot };
+/**
+ * CER Protocol verification types — v0.9.0
+ *
+ * These are the canonical structured verification types for the NexArt
+ * Certified Execution Record (CER) Protocol. All NexArt-compatible verifiers
+ * should produce a CerVerificationResult.
+ *
+ * NOTE: The existing VerificationResult type (ok/errors/code shape) is preserved
+ * for backward compatibility. CerVerificationResult is the new protocol-aligned type.
+ */
+type VerificationStatus = 'VERIFIED' | 'FAILED' | 'NOT_FOUND';
+type CheckStatus = 'PASS' | 'FAIL' | 'SKIPPED';
+declare const ReasonCode: {
+    readonly BUNDLE_HASH_MISMATCH: "BUNDLE_HASH_MISMATCH";
+    readonly NODE_SIGNATURE_INVALID: "NODE_SIGNATURE_INVALID";
+    readonly NODE_SIGNATURE_MISSING: "NODE_SIGNATURE_MISSING";
+    readonly RECEIPT_HASH_MISMATCH: "RECEIPT_HASH_MISMATCH";
+    readonly SCHEMA_VERSION_UNSUPPORTED: "SCHEMA_VERSION_UNSUPPORTED";
+    readonly RECORD_NOT_FOUND: "RECORD_NOT_FOUND";
+    readonly BUNDLE_CORRUPTED: "BUNDLE_CORRUPTED";
+};
+type ReasonCode = typeof ReasonCode[keyof typeof ReasonCode];
+/**
+ * Canonical protocol verification result.
+ *
+ * Produced by verifyAiCerBundleDetailed() and verifyCodeModeSnapshotDetailed().
+ * All checks that are not applicable to a given bundle type are SKIPPED (never FAIL).
+ */
+interface CerVerificationResult {
+    status: VerificationStatus;
+    checks: {
+        bundleIntegrity: CheckStatus;
+        nodeSignature: CheckStatus;
+        receiptConsistency: CheckStatus;
+    };
+    reasonCodes: ReasonCode[];
+    certificateHash: string;
+    bundleType: string;
+    verifiedAt: string;
+    verifier: string;
+}
+
+/**
+ * verifyAiCerBundleDetailed — protocol-aligned AI CER verifier
+ *
+ * Returns a CerVerificationResult conforming to the CER Protocol spec.
+ * Wraps the existing verifyCer() + hasAttestation() helpers and maps
+ * their results into the structured protocol schema.
+ */
+
+/**
+ * Verify a CER AI execution bundle and return a structured CerVerificationResult.
+ *
+ * - bundleIntegrity: PASS/FAIL based on certificateHash integrity
+ * - nodeSignature:   PASS if attestation present and structurally valid; SKIPPED if absent
+ * - receiptConsistency: mirrors nodeSignature (SKIPPED when no attestation)
+ *
+ * Attestation is optional — its absence sets nodeSignature/receiptConsistency
+ * to SKIPPED, not FAIL.
+ *
+ * @param bundle - The raw CER bundle (typed as unknown for safety; validated internally)
+ */
+declare function verifyAiCerBundleDetailed(bundle: unknown): CerVerificationResult;
+
+export { AiExecutionSnapshotV1, AiefProfile, AiefVerifyResult, AttestOptions, AttestationReceipt, AttestationResult, BundleDeclaration, CerAiExecutionBundle, CerAttestationError, CerMeta, CerVerificationError, type CerVerificationResult, CerVerifyCode, CerVerifyCode as CerVerifyCodeType, type CertifyAndAttestRunOptions, type CertifyAndAttestRunResult, CertifyDecisionParams, type CheckStatus, CreateSnapshotParams, type ExportVerifiableRedactedOptions, type ExportVerifiableRedactedProvenance, type ExportVerifiableRedactedResult, type MakeToolEventParams, NodeKeysDocument, NodeReceiptVerifyResult, type ProfileValidationResult, ReasonCode, ReasonCode as ReasonCodeType, type RedactBeforeSealPolicy, RunBuilder, RunBuilderOptions, RunSummary, RunSummaryVerifyResult, SanitizeStorageOptions, SignedAttestationReceipt, StepParams, ToolEvent, VerificationResult, type VerificationStatus, type VerifyRunSummaryOptions, attest, attestIfNeeded, certifyAndAttestDecision, certifyAndAttestRun, certifyDecision, certifyDecisionFromProviderCall, computeInputHash, computeOutputHash, createClient, createSnapshot, exportCer, exportVerifiableRedacted, fetchNodeKeys, getAttestationReceipt, hasAttestation, hashCanonicalJson, hashToolOutput, hashUtf8, importCer, makeToolEvent, mapToAiefReason, redactBeforeSeal, sanitizeForAttestation, sanitizeForStamp, sanitizeForStorage, sealCer, selectNodeKey, sha256Hex, toCanonicalJson, validateProfile, verifyCer as verify, verifyAiCerBundleDetailed, verifyAief, verifyBundleAttestation, verifyCer, verifyNodeReceiptSignature, verifyRunSummary, verifySnapshot };

package/dist/index.d.ts

@@ -1,5 +1,5 @@
-import { C as CreateSnapshotParams, A as AiExecutionSnapshotV1, V as VerificationResult, a as CerMeta, B as BundleDeclaration, b as CerAiExecutionBundle, c as CertifyDecisionParams, R as RunBuilderOptions, S as StepParams, d as RunSummary, e as AttestOptions, f as AttestationResult, g as SanitizeStorageOptions, h as AttestationReceipt, N as NodeKeysDocument, i as NodeReceiptVerifyResult, j as SignedAttestationReceipt, k as CerVerifyCode, l as AiefVerifyResult, T as ToolEvent, m as RunSummaryVerifyResult, n as AiefProfile } from './types-CcqCDPrD.js';
-export { o as AiExecutionParameters, p as AttestationReceiptResult, q as ClientDefaults, r as NexArtClient, P as ProviderCallParams, s as ProviderCallResult, t as ProviderConfig, u as RedactionEnvelope, W as WrappedExecutionParams, v as WrappedExecutionResult } from './types-CcqCDPrD.js';
+import { C as CreateSnapshotParams, A as AiExecutionSnapshotV1, V as VerificationResult, a as CerMeta, B as BundleDeclaration, b as CerAiExecutionBundle, c as CertifyDecisionParams, R as RunBuilderOptions, S as StepParams, d as RunSummary, e as AttestOptions, f as AttestationResult, g as SanitizeStorageOptions, h as AttestationReceipt, N as NodeKeysDocument, i as NodeReceiptVerifyResult, j as SignedAttestationReceipt, k as CerVerifyCode, l as AiefVerifyResult, T as ToolEvent, m as RunSummaryVerifyResult, n as AiefProfile } from './types-C5t12OK8.js';
+export { o as AiExecutionParameters, p as AttestationReceiptResult, q as ClientDefaults, r as NexArtClient, P as ProviderCallParams, s as ProviderCallResult, t as ProviderConfig, u as RedactionEnvelope, W as WrappedExecutionParams, v as WrappedExecutionResult } from './types-C5t12OK8.js';
 export { wrapProvider } from './providers/wrap.js';
 
 declare class CerVerificationError extends Error {
@@ -501,4 +501,68 @@ interface CertifyAndAttestRunResult {
  */
 declare function certifyAndAttestRun(steps: StepParams[], options?: CertifyAndAttestRunOptions): Promise<CertifyAndAttestRunResult>;
 
-export { AiExecutionSnapshotV1, AiefProfile, AiefVerifyResult, AttestOptions, AttestationReceipt, AttestationResult, BundleDeclaration, CerAiExecutionBundle, CerAttestationError, CerMeta, CerVerificationError, CerVerifyCode, CerVerifyCode as CerVerifyCodeType, type CertifyAndAttestRunOptions, type CertifyAndAttestRunResult, CertifyDecisionParams, CreateSnapshotParams, type ExportVerifiableRedactedOptions, type ExportVerifiableRedactedProvenance, type ExportVerifiableRedactedResult, type MakeToolEventParams, NodeKeysDocument, NodeReceiptVerifyResult, type ProfileValidationResult, type RedactBeforeSealPolicy, RunBuilder, RunBuilderOptions, RunSummary, RunSummaryVerifyResult, SanitizeStorageOptions, SignedAttestationReceipt, StepParams, ToolEvent, VerificationResult, type VerifyRunSummaryOptions, attest, attestIfNeeded, certifyAndAttestDecision, certifyAndAttestRun, certifyDecision, certifyDecisionFromProviderCall, computeInputHash, computeOutputHash, createClient, createSnapshot, exportCer, exportVerifiableRedacted, fetchNodeKeys, getAttestationReceipt, hasAttestation, hashCanonicalJson, hashToolOutput, hashUtf8, importCer, makeToolEvent, mapToAiefReason, redactBeforeSeal, sanitizeForAttestation, sanitizeForStamp, sanitizeForStorage, sealCer, selectNodeKey, sha256Hex, toCanonicalJson, validateProfile, verifyCer as verify, verifyAief, verifyBundleAttestation, verifyCer, verifyNodeReceiptSignature, verifyRunSummary, verifySnapshot };
+/**
+ * CER Protocol verification types — v0.9.0
+ *
+ * These are the canonical structured verification types for the NexArt
+ * Certified Execution Record (CER) Protocol. All NexArt-compatible verifiers
+ * should produce a CerVerificationResult.
+ *
+ * NOTE: The existing VerificationResult type (ok/errors/code shape) is preserved
+ * for backward compatibility. CerVerificationResult is the new protocol-aligned type.
+ */
+type VerificationStatus = 'VERIFIED' | 'FAILED' | 'NOT_FOUND';
+type CheckStatus = 'PASS' | 'FAIL' | 'SKIPPED';
+declare const ReasonCode: {
+    readonly BUNDLE_HASH_MISMATCH: "BUNDLE_HASH_MISMATCH";
+    readonly NODE_SIGNATURE_INVALID: "NODE_SIGNATURE_INVALID";
+    readonly NODE_SIGNATURE_MISSING: "NODE_SIGNATURE_MISSING";
+    readonly RECEIPT_HASH_MISMATCH: "RECEIPT_HASH_MISMATCH";
+    readonly SCHEMA_VERSION_UNSUPPORTED: "SCHEMA_VERSION_UNSUPPORTED";
+    readonly RECORD_NOT_FOUND: "RECORD_NOT_FOUND";
+    readonly BUNDLE_CORRUPTED: "BUNDLE_CORRUPTED";
+};
+type ReasonCode = typeof ReasonCode[keyof typeof ReasonCode];
+/**
+ * Canonical protocol verification result.
+ *
+ * Produced by verifyAiCerBundleDetailed() and verifyCodeModeSnapshotDetailed().
+ * All checks that are not applicable to a given bundle type are SKIPPED (never FAIL).
+ */
+interface CerVerificationResult {
+    status: VerificationStatus;
+    checks: {
+        bundleIntegrity: CheckStatus;
+        nodeSignature: CheckStatus;
+        receiptConsistency: CheckStatus;
+    };
+    reasonCodes: ReasonCode[];
+    certificateHash: string;
+    bundleType: string;
+    verifiedAt: string;
+    verifier: string;
+}
+
+/**
+ * verifyAiCerBundleDetailed — protocol-aligned AI CER verifier
+ *
+ * Returns a CerVerificationResult conforming to the CER Protocol spec.
+ * Wraps the existing verifyCer() + hasAttestation() helpers and maps
+ * their results into the structured protocol schema.
+ */
+
+/**
+ * Verify a CER AI execution bundle and return a structured CerVerificationResult.
+ *
+ * - bundleIntegrity: PASS/FAIL based on certificateHash integrity
+ * - nodeSignature:   PASS if attestation present and structurally valid; SKIPPED if absent
+ * - receiptConsistency: mirrors nodeSignature (SKIPPED when no attestation)
+ *
+ * Attestation is optional — its absence sets nodeSignature/receiptConsistency
+ * to SKIPPED, not FAIL.
+ *
+ * @param bundle - The raw CER bundle (typed as unknown for safety; validated internally)
+ */
+declare function verifyAiCerBundleDetailed(bundle: unknown): CerVerificationResult;
+
+export { AiExecutionSnapshotV1, AiefProfile, AiefVerifyResult, AttestOptions, AttestationReceipt, AttestationResult, BundleDeclaration, CerAiExecutionBundle, CerAttestationError, CerMeta, CerVerificationError, type CerVerificationResult, CerVerifyCode, CerVerifyCode as CerVerifyCodeType, type CertifyAndAttestRunOptions, type CertifyAndAttestRunResult, CertifyDecisionParams, type CheckStatus, CreateSnapshotParams, type ExportVerifiableRedactedOptions, type ExportVerifiableRedactedProvenance, type ExportVerifiableRedactedResult, type MakeToolEventParams, NodeKeysDocument, NodeReceiptVerifyResult, type ProfileValidationResult, ReasonCode, ReasonCode as ReasonCodeType, type RedactBeforeSealPolicy, RunBuilder, RunBuilderOptions, RunSummary, RunSummaryVerifyResult, SanitizeStorageOptions, SignedAttestationReceipt, StepParams, ToolEvent, VerificationResult, type VerificationStatus, type VerifyRunSummaryOptions, attest, attestIfNeeded, certifyAndAttestDecision, certifyAndAttestRun, certifyDecision, certifyDecisionFromProviderCall, computeInputHash, computeOutputHash, createClient, createSnapshot, exportCer, exportVerifiableRedacted, fetchNodeKeys, getAttestationReceipt, hasAttestation, hashCanonicalJson, hashToolOutput, hashUtf8, importCer, makeToolEvent, mapToAiefReason, redactBeforeSeal, sanitizeForAttestation, sanitizeForStamp, sanitizeForStorage, sealCer, selectNodeKey, sha256Hex, toCanonicalJson, validateProfile, verifyCer as verify, verifyAiCerBundleDetailed, verifyAief, verifyBundleAttestation, verifyCer, verifyNodeReceiptSignature, verifyRunSummary, verifySnapshot };

package/dist/index.mjs

@@ -382,7 +382,7 @@ function certifyDecision(params) {
     conversationId: params.conversationId,
     prevStepHash: params.prevStepHash
   });
-  return sealCer(snapshot, { meta: params.meta });
+  return sealCer(snapshot, { createdAt: params.createdAt, meta: params.meta });
 }
 
 // src/run.ts
@@ -2463,10 +2463,91 @@ async function certifyAndAttestRun(steps, options) {
     finalStepHash: runSummary.finalStepHash
   };
 }
+
+// src/cerProtocol.ts
+var ReasonCode = {
+  BUNDLE_HASH_MISMATCH: "BUNDLE_HASH_MISMATCH",
+  NODE_SIGNATURE_INVALID: "NODE_SIGNATURE_INVALID",
+  NODE_SIGNATURE_MISSING: "NODE_SIGNATURE_MISSING",
+  RECEIPT_HASH_MISMATCH: "RECEIPT_HASH_MISMATCH",
+  SCHEMA_VERSION_UNSUPPORTED: "SCHEMA_VERSION_UNSUPPORTED",
+  RECORD_NOT_FOUND: "RECORD_NOT_FOUND",
+  BUNDLE_CORRUPTED: "BUNDLE_CORRUPTED"
+};
+
+// src/verifyDetailed.ts
+function mapCerCodeToReasonCodes(cerCode) {
+  switch (cerCode) {
+    case CerVerifyCode.CERTIFICATE_HASH_MISMATCH:
+    case CerVerifyCode.SNAPSHOT_HASH_MISMATCH:
+    case CerVerifyCode.INPUT_HASH_MISMATCH:
+    case CerVerifyCode.OUTPUT_HASH_MISMATCH:
+      return [ReasonCode.BUNDLE_HASH_MISMATCH];
+    case CerVerifyCode.SCHEMA_ERROR:
+      return [ReasonCode.SCHEMA_VERSION_UNSUPPORTED];
+    case CerVerifyCode.CANONICALIZATION_ERROR:
+    case CerVerifyCode.UNKNOWN_ERROR:
+    case CerVerifyCode.INVALID_SHA256_FORMAT:
+      return [ReasonCode.BUNDLE_CORRUPTED];
+    case CerVerifyCode.ATTESTATION_INVALID_SIGNATURE:
+    case CerVerifyCode.ATTESTATION_KEY_FORMAT_UNSUPPORTED:
+    case CerVerifyCode.ATTESTATION_KEY_NOT_FOUND:
+      return [ReasonCode.NODE_SIGNATURE_INVALID];
+    case CerVerifyCode.ATTESTATION_MISSING:
+      return [ReasonCode.NODE_SIGNATURE_MISSING];
+    default:
+      return [];
+  }
+}
+function verifyAiCerBundleDetailed(bundle) {
+  const verifiedAt = (/* @__PURE__ */ new Date()).toISOString();
+  const verifier = "@nexart/ai-execution";
+  if (!bundle || typeof bundle !== "object" || Array.isArray(bundle)) {
+    return {
+      status: "FAILED",
+      checks: { bundleIntegrity: "FAIL", nodeSignature: "SKIPPED", receiptConsistency: "SKIPPED" },
+      reasonCodes: [ReasonCode.BUNDLE_CORRUPTED],
+      certificateHash: "",
+      bundleType: "",
+      verifiedAt,
+      verifier
+    };
+  }
+  const b = bundle;
+  const bundleType = typeof b["bundleType"] === "string" ? b["bundleType"] : "";
+  const certificateHash = typeof b["certificateHash"] === "string" ? b["certificateHash"] : "";
+  if (bundleType !== "cer.ai.execution.v1") {
+    return {
+      status: "FAILED",
+      checks: { bundleIntegrity: "FAIL", nodeSignature: "SKIPPED", receiptConsistency: "SKIPPED" },
+      reasonCodes: [ReasonCode.SCHEMA_VERSION_UNSUPPORTED],
+      certificateHash,
+      bundleType,
+      verifiedAt,
+      verifier
+    };
+  }
+  const cerResult = verifyCer(bundle);
+  const bundleIntegrity = cerResult.ok ? "PASS" : "FAIL";
+  const attestationPresent = hasAttestation(bundle);
+  const nodeSignature = attestationPresent ? "PASS" : "SKIPPED";
+  const receiptConsistency = attestationPresent ? "PASS" : "SKIPPED";
+  const reasonCodes = cerResult.ok ? [] : mapCerCodeToReasonCodes(cerResult.code);
+  return {
+    status: cerResult.ok ? "VERIFIED" : "FAILED",
+    checks: { bundleIntegrity, nodeSignature, receiptConsistency },
+    reasonCodes,
+    certificateHash,
+    bundleType,
+    verifiedAt,
+    verifier
+  };
+}
 export {
   CerAttestationError,
   CerVerificationError,
   CerVerifyCode,
+  ReasonCode,
   RunBuilder,
   attest,
   attestIfNeeded,
@@ -2499,6 +2580,7 @@ export {
   toCanonicalJson,
   validateProfile,
   verifyCer as verify,
+  verifyAiCerBundleDetailed,
   verifyAief,
   verifyBundleAttestation,
   verifyCer,