@nexart/codemode-sdk 1.8.4 → 1.10.0

package/CHANGELOG.md

@@ -4,6 +4,64 @@ All notable changes to @nexart/codemode-sdk will be documented in this file.
 
 ---
 
+## [1.9.0] — 2026-02-25
+
+### Added — Attestation Parity (Reason Codes + Signed Receipt Verification)
+
+**Feature Release — Additive only. No existing APIs changed.**
+
+Brings the Code Mode SDK attestation layer to parity with `@nexart/ai-execution` v0.5.0.
+
+#### New Types (`types.ts`)
+- `CodeVerifyCode` — stable string-valued reason code enum (12 codes)
+- `CodeVerificationResult` — `{ ok, code, details? }` returned by all verification functions
+- `NodeReceiptVerifyResult` — alias of `CodeVerificationResult` for receipt-specific call sites
+- `NodeKeysDocument` — shape of `/.well-known/nexart-node.json`
+- `SignedAttestationReceipt` — payload signed by the attestation node
+- `CodeAttestationReceipt` — normalised receipt extracted from any bundle layout
+
+#### New Module — `nodeReceipt.ts`
+- `verifyNodeReceiptSignature({ receipt, signatureB64Url, key })` — offline Ed25519 verification (browser + Node, @noble/ed25519)
+- `fetchNodeKeys(nodeUrl)` — fetch `NodeKeysDocument` from attestation node
+- `selectNodeKey(doc, kid?)` — select key by explicit kid → activeKid → first
+- `verifyBundleAttestation(bundle, { nodeUrl, kid? })` — full offline attestation check with certificateHash cross-check (receipt-swap prevention), all three bundle layouts supported
+
+#### New Module — `attestation.ts`
+- `getAttestationReceipt(bundle)` — normalised receipt or null; recognises Layout A (top-level), Layout B (nested envelope), Layout C (legacy flat fields)
+- `hasAttestation(bundle)` — boolean shorthand
+
+#### New Module — `canonicalJson.ts`
+- `toCanonicalJson(value)` — deterministic sorted-key JSON serialisation used for signing/verifying receipt bytes
+
+#### New Dependencies
+- `@noble/ed25519` ^3.0.0 (browser-compatible Ed25519) — declared in `dependencies` (installed per-package, no hoisting required)
+- `@noble/hashes` ^1.7.0 (sha512 for noble ed25519) — same
+- `@types/node` ^20.0.0 (dev) — added to `devDependencies` so `Buffer`/`process`/`require` resolve correctly under TypeScript strict mode; prevents "works only when hoisted" failures
+
+#### TypeScript Config
+- `"types": ["node"]` added to both `tsconfig.json` and `tsconfig.types.json` `compilerOptions`
+- `nodeReceipt.ts`, `attestation.ts`, `canonicalJson.ts` added explicitly to both `files` arrays
+
+#### Tests
+- `tests/attestation.test.ts` — 25 tests covering all code paths, error cases, and all three bundle layouts; `npm run test:attestation`
+
+#### Fixtures
+- `fixtures/attestation/keys-v1.json`
+- `fixtures/attestation/receipt-v1.json`
+- `fixtures/attestation/receipt-v1.sig`
+- `fixtures/attestation/receipt-v1.pub`
+
+#### Docs
+- README: new Attestation & Verification section with reason codes, `verifyBundleAttestation` usage, node keys endpoint, and receipt extraction helpers
+
+#### Unchanged
+- No protocol changes (v1.2.0)
+- No changes to existing hashing or canonicalisation semantics
+- All existing `executeCodeMode`, `createRuntime`, `validateSnapshot` APIs unchanged
+- All existing smoke tests and execution boundary tests pass
+
+---
+
 ## [1.8.4] — 2026-01-25
 
 ### Fixed — Node ESM Compatibility

package/README.md

@@ -1,6 +1,6 @@
 # @nexart/codemode-sdk
 
-**Version: 1.8.4 (Protocol v1.2.0)**
+**Version: 1.9.0 (Protocol v1.2.0)**
 
 A deterministic execution runtime for reproducible, verifiable computation.
 
@@ -33,6 +33,43 @@ A deterministic execution runtime for reproducible, verifiable computation.
 
 ---
 
+## Quickstart: CLI Examples
+
+The SDK includes ready-to-run example sketches. Use the `@nexart/cli` to render them via the canonical renderer.
+
+### Setup
+
+```bash
+# Set up authentication for remote rendering
+export NEXART_RENDERER_ENDPOINT=https://nexart-canonical-renderer-production.up.railway.app
+export NEXART_API_KEY=nx_live_your_key_here
+```
+
+### Run Examples
+
+```bash
+# Run the main example sketch
+npx @nexart/cli run ./examples/sketch.js --seed 12345 --include-code --out ./out.png
+
+# Verify the output is deterministic
+npx @nexart/cli verify ./out.snapshot.json
+# Output: [nexart] Result: PASS
+```
+
+### Example Sketches
+
+| File | Description |
+|------|-------------|
+| `examples/sketch.js` | Main example — VAR controls + random palette, protocol-safe |
+| `examples/sketch-minimal.js` | Simple shapes, no randomness — identical every run |
+| `examples/sketch-vars.js` | Uses VAR + random() — demonstrates determinism |
+
+### Canonical Size
+
+The canonical renderer enforces a fixed canvas size of **1950x2400**. Do not pass custom `--width` or `--height` to the canonical endpoint — the size is enforced server-side for consistent, verifiable output.
+
+---
+
 ## What This SDK Does
 
 This SDK provides a **deterministic runtime layer** for executing code that must produce identical output given identical inputs — across environments, over time, and under verification.
@@ -434,6 +471,88 @@ The following are rejected with `[Code Mode Protocol Error]`:
 
 ---
 
+## Attestation & Verification (v1.9.0)
+
+### Verification Reason Codes
+
+Every verification function returns a `CodeVerificationResult` with a stable, machine-readable `code`:
+
+```typescript
+import { CodeVerifyCode } from '@nexart/codemode-sdk';
+
+// Stable string codes — safe to switch on, persist to storage, or compare:
+// CodeVerifyCode.OK
+// CodeVerifyCode.CERTIFICATE_HASH_MISMATCH
+// CodeVerifyCode.SNAPSHOT_HASH_MISMATCH
+// CodeVerifyCode.RENDER_HASH_MISMATCH
+// CodeVerifyCode.INVALID_SHA256_FORMAT
+// CodeVerifyCode.CANONICALIZATION_ERROR
+// CodeVerifyCode.SCHEMA_ERROR
+// CodeVerifyCode.NODE_RECEIPT_MISSING
+// CodeVerifyCode.NODE_RECEIPT_KEY_NOT_FOUND
+// CodeVerifyCode.NODE_RECEIPT_INVALID_SIGNATURE
+// CodeVerifyCode.NODE_RECEIPT_KEY_FORMAT_UNSUPPORTED
+// CodeVerifyCode.UNKNOWN_ERROR
+```
+
+### Signed Node Receipt Verification (offline)
+
+Verify that a Code Mode snapshot bundle was attested by an authorised NexArt attestation node — entirely offline, browser and Node.js compatible:
+
+```typescript
+import { verifyBundleAttestation } from '@nexart/codemode-sdk';
+
+const res = await verifyBundleAttestation(bundle, { nodeUrl: 'https://node.nexart.dev' });
+console.log(res.ok, res.code);
+// true  "OK"
+// false "CERTIFICATE_HASH_MISMATCH"  (receipt doesn't match bundle)
+// false "NODE_RECEIPT_INVALID_SIGNATURE"  (tampered receipt)
+```
+
+`verifyBundleAttestation` performs these steps automatically:
+1. Extracts the signed receipt and signature from the bundle (top-level or nested layout).
+2. Cross-checks `receipt.certificateHash === bundle.certificateHash` to prevent receipt-swapping attacks.
+3. Fetches the node's public keys from `/.well-known/nexart-node.json`.
+4. Selects the appropriate key (by `kid`, `activeKid`, or first available).
+5. Verifies the Ed25519 signature over the canonical JSON bytes of the receipt.
+
+### Node Keys Endpoint
+
+Public keys are discovered automatically from:
+
+```
+GET {nodeUrl}/.well-known/nexart-node.json
+```
+
+You can also fetch or inspect keys directly:
+
+```typescript
+import { fetchNodeKeys, selectNodeKey } from '@nexart/codemode-sdk';
+
+const doc = await fetchNodeKeys('https://node.nexart.dev');
+const { key } = selectNodeKey(doc, 'kid-optional');
+```
+
+### Receipt Extraction Helpers
+
+Inspect bundles without performing full verification:
+
+```typescript
+import { getAttestationReceipt, hasAttestation } from '@nexart/codemode-sdk';
+
+if (hasAttestation(bundle)) {
+  const receipt = getAttestationReceipt(bundle);
+  console.log(receipt?.attestationId, receipt?.nodeId);
+}
+```
+
+Both helpers recognise:
+- **Layout A** — `bundle.receipt` + `bundle.signature` (signed envelope)
+- **Layout B** — `bundle.attestation.receipt` + `bundle.attestation.signature` (nested envelope)
+- **Layout C** — legacy flat fields (`bundle.attestationId`, `bundle.nodeRuntimeHash`, …)
+
+---
+
 ## Examples
 
 ```bash

package/dist/cjs/browser.cjs

@@ -1068,7 +1068,7 @@ var init_soundart_sketches = __esm({
 });
 
 // version.ts
-var SDK_VERSION = "1.8.4";
+var SDK_VERSION = "1.10.0";
 var PROTOCOL_VERSION = "1.2.0";
 var PROTOCOL_PHASE = 3;
 

package/dist/cjs/browser.js

@@ -1065,7 +1065,7 @@ var init_soundart_sketches = __esm({
 });
 
 // version.ts
-var SDK_VERSION = "1.8.4";
+var SDK_VERSION = "1.10.0";
 var PROTOCOL_VERSION = "1.2.0";
 var PROTOCOL_PHASE = 3;
 

package/dist/cjs/core.cjs

@@ -1,8 +1,11 @@
 'use strict';
 
+var ed25519 = require('@noble/ed25519');
+var sha2_js = require('@noble/hashes/sha2.js');
+
 var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
 // version.ts
-var SDK_VERSION = "1.8.4";
+var SDK_VERSION = "1.10.0";
 var PROTOCOL_VERSION = "1.2.0";
 var PROTOCOL_PHASE = 3;
 
@@ -25,6 +28,20 @@ var DEFAULT_CONFIG = {
   minDuration: 1,
   maxDuration: 4
 };
+var CodeVerifyCode = {
+  OK: "OK",
+  CERTIFICATE_HASH_MISMATCH: "CERTIFICATE_HASH_MISMATCH",
+  SNAPSHOT_HASH_MISMATCH: "SNAPSHOT_HASH_MISMATCH",
+  RENDER_HASH_MISMATCH: "RENDER_HASH_MISMATCH",
+  INVALID_SHA256_FORMAT: "INVALID_SHA256_FORMAT",
+  CANONICALIZATION_ERROR: "CANONICALIZATION_ERROR",
+  SCHEMA_ERROR: "SCHEMA_ERROR",
+  NODE_RECEIPT_MISSING: "NODE_RECEIPT_MISSING",
+  NODE_RECEIPT_KEY_NOT_FOUND: "NODE_RECEIPT_KEY_NOT_FOUND",
+  NODE_RECEIPT_INVALID_SIGNATURE: "NODE_RECEIPT_INVALID_SIGNATURE",
+  NODE_RECEIPT_KEY_FORMAT_UNSUPPORTED: "NODE_RECEIPT_KEY_FORMAT_UNSUPPORTED",
+  UNKNOWN_ERROR: "UNKNOWN_ERROR"
+};
 
 // p5-runtime.ts
 var CODE_MODE_PROTOCOL_VERSION = PROTOCOL_VERSION;
@@ -1632,6 +1649,384 @@ function createEngine(config) {
   };
 }
 
+// canonicalJson.ts
+function toCanonicalJson(value) {
+  if (value === null) return "null";
+  if (typeof value === "boolean") return value ? "true" : "false";
+  if (typeof value === "number") {
+    if (!isFinite(value)) throw new Error(`toCanonicalJson: non-finite number ${value}`);
+    return JSON.stringify(value);
+  }
+  if (typeof value === "string") return JSON.stringify(value);
+  if (Array.isArray(value)) {
+    return "[" + value.map(toCanonicalJson).join(",") + "]";
+  }
+  if (typeof value === "object") {
+    const obj = value;
+    const keys = Object.keys(obj).sort();
+    return "{" + keys.filter((k) => obj[k] !== void 0 && typeof obj[k] !== "function").map((k) => `${JSON.stringify(k)}:${toCanonicalJson(obj[k])}`).join(",") + "}";
+  }
+  throw new Error(`toCanonicalJson: unsupported type ${typeof value}`);
+}
+
+// nodeReceipt.ts
+ed25519.hashes.sha512 = sha2_js.sha512;
+function base64urlToBytes(s) {
+  const pad = s.length % 4;
+  const base64 = s.replace(/-/g, "+").replace(/_/g, "/") + (pad ? "=".repeat(4 - pad) : "");
+  if (typeof Buffer !== "undefined") {
+    return new Uint8Array(Buffer.from(base64, "base64"));
+  }
+  const binary = atob(base64);
+  return Uint8Array.from(binary, (c) => c.charCodeAt(0));
+}
+async function verifyNodeReceiptSignature(params) {
+  try {
+    const { receipt, signatureB64Url, key } = params;
+    let pubKeyBytes;
+    if (key.jwk) {
+      if (key.jwk.kty !== "OKP" || key.jwk.crv !== "Ed25519") {
+        return {
+          ok: false,
+          code: CodeVerifyCode.NODE_RECEIPT_KEY_FORMAT_UNSUPPORTED,
+          details: [
+            `JWK must have kty=OKP and crv=Ed25519, got kty=${key.jwk.kty} crv=${key.jwk.crv}`
+          ]
+        };
+      }
+      pubKeyBytes = base64urlToBytes(key.jwk.x);
+    } else if (key.rawB64Url) {
+      pubKeyBytes = base64urlToBytes(key.rawB64Url);
+    } else if (key.spkiB64) {
+      const spkiBytes = base64urlToBytes(key.spkiB64);
+      if (spkiBytes.length < 32) {
+        return {
+          ok: false,
+          code: CodeVerifyCode.NODE_RECEIPT_KEY_FORMAT_UNSUPPORTED,
+          details: ["SPKI key too short to extract Ed25519 public key"]
+        };
+      }
+      pubKeyBytes = spkiBytes.slice(spkiBytes.length - 32);
+    } else {
+      return {
+        ok: false,
+        code: CodeVerifyCode.NODE_RECEIPT_KEY_FORMAT_UNSUPPORTED,
+        details: ["No usable key provided: supply jwk, rawB64Url, or spkiB64"]
+      };
+    }
+    if (pubKeyBytes.length !== 32) {
+      return {
+        ok: false,
+        code: CodeVerifyCode.NODE_RECEIPT_KEY_FORMAT_UNSUPPORTED,
+        details: [`Ed25519 public key must be 32 bytes, got ${pubKeyBytes.length}`]
+      };
+    }
+    const sigBytes = base64urlToBytes(signatureB64Url);
+    if (sigBytes.length !== 64) {
+      return {
+        ok: false,
+        code: CodeVerifyCode.NODE_RECEIPT_INVALID_SIGNATURE,
+        details: [`Ed25519 signature must be 64 bytes, got ${sigBytes.length}`]
+      };
+    }
+    const msgBytes = new TextEncoder().encode(toCanonicalJson(receipt));
+    const isValid = await ed25519.verify(sigBytes, msgBytes, pubKeyBytes);
+    if (!isValid) {
+      return {
+        ok: false,
+        code: CodeVerifyCode.NODE_RECEIPT_INVALID_SIGNATURE,
+        details: ["Ed25519 signature verification failed"]
+      };
+    }
+    return { ok: true, code: CodeVerifyCode.OK };
+  } catch (err) {
+    return {
+      ok: false,
+      code: CodeVerifyCode.NODE_RECEIPT_INVALID_SIGNATURE,
+      details: [err instanceof Error ? err.message : String(err)]
+    };
+  }
+}
+async function fetchNodeKeys(nodeUrl) {
+  const url = `${nodeUrl.replace(/\/+$/, "")}/.well-known/nexart-node.json`;
+  const response = await fetch(url);
+  if (!response.ok) {
+    throw new Error(`Failed to fetch node keys from ${url}: HTTP ${response.status}`);
+  }
+  const data = await response.json();
+  if (typeof data !== "object" || data === null) {
+    throw new Error("Node keys response is not an object");
+  }
+  const doc = data;
+  if (typeof doc.nodeId !== "string" || !Array.isArray(doc.keys)) {
+    throw new Error("Node keys document missing required fields (nodeId, keys)");
+  }
+  return data;
+}
+function selectNodeKey(doc, kid) {
+  if (kid) {
+    const found = doc.keys.find((k) => k.kid === kid);
+    if (!found) {
+      return {
+        error: {
+          ok: false,
+          code: CodeVerifyCode.NODE_RECEIPT_KEY_NOT_FOUND,
+          details: [`Key with kid="${kid}" not found in node keys document`]
+        }
+      };
+    }
+    return { key: found };
+  }
+  if (doc.activeKid) {
+    const found = doc.keys.find((k) => k.kid === doc.activeKid);
+    if (!found) {
+      return {
+        error: {
+          ok: false,
+          code: CodeVerifyCode.NODE_RECEIPT_KEY_NOT_FOUND,
+          details: [`activeKid="${doc.activeKid}" not found in keys array`]
+        }
+      };
+    }
+    return { key: found };
+  }
+  if (doc.keys.length === 0) {
+    return {
+      error: {
+        ok: false,
+        code: CodeVerifyCode.NODE_RECEIPT_KEY_NOT_FOUND,
+        details: ["No keys available in node keys document"]
+      }
+    };
+  }
+  return { key: doc.keys[0] };
+}
+function extractReceiptAndSignature(bundle) {
+  if (typeof bundle !== "object" || bundle === null) return null;
+  const b = bundle;
+  if (typeof b.receipt === "object" && b.receipt !== null && typeof b.signature === "string") {
+    return {
+      receipt: b.receipt,
+      signatureB64Url: b.signature,
+      attestorKeyId: typeof b.attestorKeyId === "string" ? b.attestorKeyId : void 0
+    };
+  }
+  if (typeof b.attestation === "object" && b.attestation !== null) {
+    const att = b.attestation;
+    if (typeof att.receipt === "object" && att.receipt !== null && typeof att.signature === "string") {
+      return {
+        receipt: att.receipt,
+        signatureB64Url: att.signature,
+        attestorKeyId: typeof att.attestorKeyId === "string" ? att.attestorKeyId : void 0
+      };
+    }
+  }
+  if (typeof b.meta === "object" && b.meta !== null) {
+    const meta = b.meta;
+    if (typeof meta.attestation === "object" && meta.attestation !== null) {
+      const att = meta.attestation;
+      if (typeof att.receipt === "object" && att.receipt !== null && typeof att.signature === "string") {
+        return {
+          receipt: att.receipt,
+          signatureB64Url: att.signature,
+          attestorKeyId: typeof att.attestorKeyId === "string" ? att.attestorKeyId : void 0
+        };
+      }
+    }
+  }
+  return null;
+}
+async function verifyBundleAttestation(bundle, options) {
+  const extracted = extractReceiptAndSignature(bundle);
+  if (!extracted) {
+    return {
+      ok: false,
+      code: CodeVerifyCode.NODE_RECEIPT_MISSING,
+      details: ["No signed receipt found in bundle (expected bundle.receipt + bundle.signature or bundle.attestation envelope)"]
+    };
+  }
+  const nodeId = extracted.receipt.nodeId;
+  const resolvedKid = options.kid ?? extracted.attestorKeyId ?? extracted.receipt.attestorKeyId;
+  function ctx() {
+    const lines = [];
+    if (nodeId) lines.push(`nodeId: ${nodeId}`);
+    if (resolvedKid) lines.push(`kid: ${resolvedKid}`);
+    return lines;
+  }
+  if (typeof bundle.certificateHash === "string") {
+    const bundleCertHash = bundle.certificateHash;
+    if (extracted.receipt.certificateHash !== bundleCertHash) {
+      return {
+        ok: false,
+        code: CodeVerifyCode.CERTIFICATE_HASH_MISMATCH,
+        details: [
+          "Receipt certificateHash does not match bundle certificateHash",
+          `receipt.certificateHash: ${extracted.receipt.certificateHash}`,
+          `bundle.certificateHash:  ${bundleCertHash}`,
+          ...ctx()
+        ]
+      };
+    }
+  }
+  let keysDoc;
+  try {
+    keysDoc = await fetchNodeKeys(options.nodeUrl);
+  } catch (err) {
+    return {
+      ok: false,
+      code: CodeVerifyCode.NODE_RECEIPT_KEY_NOT_FOUND,
+      details: [...ctx(), err instanceof Error ? err.message : String(err)]
+    };
+  }
+  const selected = selectNodeKey(keysDoc, resolvedKid);
+  if (selected.error) {
+    return {
+      ...selected.error,
+      details: [...ctx(), ...selected.error.details ?? []]
+    };
+  }
+  const keyEntry = selected.key;
+  const keyParam = {};
+  if (keyEntry.publicKeyJwk) keyParam.jwk = keyEntry.publicKeyJwk;
+  else if (keyEntry.publicKey) keyParam.rawB64Url = keyEntry.publicKey;
+  else if (keyEntry.publicKeySpkiB64) keyParam.spkiB64 = keyEntry.publicKeySpkiB64;
+  else {
+    return {
+      ok: false,
+      code: CodeVerifyCode.NODE_RECEIPT_KEY_FORMAT_UNSUPPORTED,
+      details: [
+        `Key kid="${keyEntry.kid}" has no usable public key field (publicKeyJwk, publicKey, or publicKeySpkiB64)`,
+        ...ctx()
+      ]
+    };
+  }
+  const sigResult = await verifyNodeReceiptSignature({
+    receipt: extracted.receipt,
+    signatureB64Url: extracted.signatureB64Url,
+    key: keyParam
+  });
+  const contextLines = ctx();
+  if (contextLines.length === 0) return sigResult;
+  return sigResult.ok ? { ok: true, code: CodeVerifyCode.OK, details: contextLines } : { ...sigResult, details: [...contextLines, ...sigResult.details ?? []] };
+}
+
+// attestation.ts
+function getAttestationReceipt(bundle) {
+  if (typeof bundle !== "object" || bundle === null) return null;
+  const b = bundle;
+  if (typeof b.receipt === "object" && b.receipt !== null && typeof b.signature === "string") {
+    const r = b.receipt;
+    return {
+      attestationId: r.attestationId,
+      attestedAt: r.attestedAt,
+      nodeId: r.nodeId,
+      attestorKeyId: r.attestorKeyId,
+      nodeRuntimeHash: r.nodeRuntimeHash,
+      certificateHash: r.certificateHash,
+      protocolVersion: r.protocolVersion,
+      receipt: r,
+      signature: b.signature
+    };
+  }
+  if (typeof b.attestation === "object" && b.attestation !== null) {
+    const att = b.attestation;
+    if (typeof att.receipt === "object" && att.receipt !== null && typeof att.signature === "string") {
+      const r = att.receipt;
+      return {
+        attestationId: r.attestationId,
+        attestedAt: r.attestedAt,
+        nodeId: r.nodeId,
+        attestorKeyId: r.attestorKeyId,
+        nodeRuntimeHash: r.nodeRuntimeHash,
+        certificateHash: r.certificateHash,
+        protocolVersion: r.protocolVersion,
+        receipt: r,
+        signature: att.signature
+      };
+    }
+  }
+  if (typeof b.attestationId === "string") {
+    return {
+      attestationId: b.attestationId,
+      attestedAt: typeof b.attestedAt === "string" ? b.attestedAt : "",
+      nodeId: typeof b.nodeId === "string" ? b.nodeId : void 0,
+      attestorKeyId: typeof b.attestorKeyId === "string" ? b.attestorKeyId : void 0,
+      nodeRuntimeHash: typeof b.nodeRuntimeHash === "string" ? b.nodeRuntimeHash : void 0,
+      certificateHash: typeof b.certificateHash === "string" ? b.certificateHash : void 0,
+      protocolVersion: typeof b.protocolVersion === "string" ? b.protocolVersion : void 0
+    };
+  }
+  return null;
+}
+function hasAttestation(bundle) {
+  return getAttestationReceipt(bundle) !== null;
+}
+
+// cerProtocol.ts
+var ReasonCode = {
+  BUNDLE_HASH_MISMATCH: "BUNDLE_HASH_MISMATCH",
+  NODE_SIGNATURE_INVALID: "NODE_SIGNATURE_INVALID",
+  NODE_SIGNATURE_MISSING: "NODE_SIGNATURE_MISSING",
+  RECEIPT_HASH_MISMATCH: "RECEIPT_HASH_MISMATCH",
+  SCHEMA_VERSION_UNSUPPORTED: "SCHEMA_VERSION_UNSUPPORTED",
+  RECORD_NOT_FOUND: "RECORD_NOT_FOUND",
+  BUNDLE_CORRUPTED: "BUNDLE_CORRUPTED"
+};
+
+// verifyDetailed.ts
+function validateSnapshotStructure(snapshot) {
+  const codes = [];
+  if (!snapshot || typeof snapshot !== "object") {
+    codes.push(ReasonCode.BUNDLE_CORRUPTED);
+    return codes;
+  }
+  if (snapshot.protocol !== "nexart") {
+    codes.push(ReasonCode.SCHEMA_VERSION_UNSUPPORTED);
+  }
+  if (!snapshot.outputHash || !snapshot.outputHash.startsWith("sha256:")) {
+    codes.push(ReasonCode.BUNDLE_CORRUPTED);
+  }
+  if (!snapshot.codeHash || !snapshot.codeHash.startsWith("sha256:")) {
+    codes.push(ReasonCode.BUNDLE_CORRUPTED);
+  }
+  return codes;
+}
+function verifyCodeModeSnapshotDetailed(snapshot, options = {}) {
+  const verifiedAt = (/* @__PURE__ */ new Date()).toISOString();
+  const verifier = "@nexart/codemode-sdk";
+  if (!snapshot || typeof snapshot !== "object" || Array.isArray(snapshot)) {
+    return {
+      status: "FAILED",
+      checks: { bundleIntegrity: "FAIL", nodeSignature: "SKIPPED", receiptConsistency: "SKIPPED" },
+      reasonCodes: [ReasonCode.BUNDLE_CORRUPTED],
+      certificateHash: "",
+      bundleType: "codemode.snapshot.v1",
+      verifiedAt,
+      verifier
+    };
+  }
+  const snap = snapshot;
+  const structureReasons = validateSnapshotStructure(snap);
+  const hashReasons = [];
+  if (options.outputHash !== void 0 && options.outputHash !== snap.outputHash) {
+    hashReasons.push(ReasonCode.BUNDLE_HASH_MISMATCH);
+  }
+  if (options.codeHash !== void 0 && options.codeHash !== snap.codeHash) {
+    hashReasons.push(ReasonCode.BUNDLE_HASH_MISMATCH);
+  }
+  const reasonCodes = [.../* @__PURE__ */ new Set([...structureReasons, ...hashReasons])];
+  const bundleIntegrity = reasonCodes.length === 0 ? "PASS" : "FAIL";
+  return {
+    status: bundleIntegrity === "PASS" ? "VERIFIED" : "FAILED",
+    checks: { bundleIntegrity, nodeSignature: "SKIPPED", receiptConsistency: "SKIPPED" },
+    reasonCodes,
+    certificateHash: snap.outputHash ?? "",
+    bundleType: "codemode.snapshot.v1",
+    verifiedAt,
+    verifier
+  };
+}
+
 // core-index.ts
 var SDK_VERSION2 = SDK_VERSION;
 var SDK_NAME = "@nexart/codemode-sdk";
@@ -1639,11 +2034,13 @@ var SDK_NAME = "@nexart/codemode-sdk";
 exports.CODE_MODE_ENFORCEMENT = CODE_MODE_ENFORCEMENT;
 exports.CODE_MODE_PROTOCOL_PHASE = CODE_MODE_PROTOCOL_PHASE;
 exports.CODE_MODE_PROTOCOL_VERSION = CODE_MODE_PROTOCOL_VERSION;
+exports.CodeVerifyCode = CodeVerifyCode;
 exports.DEFAULT_CONFIG = DEFAULT_CONFIG;
 exports.DEFAULT_VARS = DEFAULT_VARS;
 exports.PROTOCOL_IDENTITY = PROTOCOL_IDENTITY;
 exports.PROTOCOL_PHASE = PROTOCOL_PHASE;
 exports.PROTOCOL_VERSION = PROTOCOL_VERSION;
+exports.ReasonCode = ReasonCode;
 exports.SDK_NAME = SDK_NAME;
 exports.SDK_VERSION = SDK_VERSION2;
 exports.VAR_COUNT = VAR_COUNT;
@@ -1654,7 +2051,15 @@ exports.createEngine = createEngine;
 exports.createP5Runtime = createP5Runtime;
 exports.createProtocolVAR = createProtocolVAR;
 exports.executeCodeMode = executeCodeMode;
+exports.fetchNodeKeys = fetchNodeKeys;
+exports.getAttestationReceipt = getAttestationReceipt;
+exports.hasAttestation = hasAttestation;
 exports.injectTimeVariables = injectTimeVariables;
 exports.runLoopMode = runLoopMode;
 exports.runStaticMode = runStaticMode;
+exports.selectNodeKey = selectNodeKey;
+exports.toCanonicalJson = toCanonicalJson;
 exports.validateCodeModeSource = validateCodeModeSource;
+exports.verifyBundleAttestation = verifyBundleAttestation;
+exports.verifyCodeModeSnapshotDetailed = verifyCodeModeSnapshotDetailed;
+exports.verifyNodeReceiptSignature = verifyNodeReceiptSignature;