@propxchain/core-client 0.3.0-canary.27 → 0.3.0-canary.29

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@propxchain/core-client",
-  "version": "0.3.0-canary.27",
+  "version": "0.3.0-canary.29",
   "description": "Typed TypeScript client for the PropXchain core canisters on the Internet Computer. Includes a deterministic mock mode for local development and tests.",
   "license": "UNLICENSED",
   "type": "module",
@@ -35,6 +35,9 @@
     "typecheck": "tsc -p tsconfig.json --noEmit"
   },
   "dependencies": {
+    "@dfinity/agent": "^1.4.0",
+    "@dfinity/certificate-verification": "^3.1.0",
+    "@dfinity/principal": "^1.4.0",
     "@icp-sdk/auth": "^7.0.0",
     "@icp-sdk/core": "^5.4.0"
   },

package/src/audit/auditChain.ts

@@ -0,0 +1,88 @@
+// Audit hash chain — TypeScript mirror of ledger_manager's derived chain (ADR 0013).
+//
+// This MUST match the Motoko encoding in
+// packages/core/src/ledger_manager/main.mo (encodeAuditEvent / chainHead)
+// byte-for-byte, or verification will reject genuine records. The canonical
+// encoding: each field 4-byte big-endian length-prefixed UTF-8; metadata uses
+// a 1-byte presence tag (0 = null, 1 = present). eventHash_i =
+// SHA-256(prevHash ++ encode(event_i)); genesis prevHash = 32 zero bytes;
+// events ordered by eventId ascending.
+
+import { Principal } from "@icp-sdk/core/principal";
+
+/** Structural shape of a decoded ledger_manager AuditEvent (candid). */
+export interface CertifiedAuditEvent {
+  eventId: bigint;
+  transactionId: string;
+  eventType: string;
+  timestamp: bigint;
+  caller: Principal;
+  details: string;
+  metadata: [] | [string];
+}
+
+const encoder = new TextEncoder();
+
+function lenPrefixed(bytes: Uint8Array): Uint8Array {
+  const n = bytes.length;
+  const out = new Uint8Array(4 + n);
+  out[0] = (n >>> 24) & 0xff;
+  out[1] = (n >>> 16) & 0xff;
+  out[2] = (n >>> 8) & 0xff;
+  out[3] = n & 0xff;
+  out.set(bytes, 4);
+  return out;
+}
+
+function concat(chunks: Uint8Array[]): Uint8Array {
+  const total = chunks.reduce((sum, c) => sum + c.length, 0);
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const c of chunks) {
+    out.set(c, offset);
+    offset += c.length;
+  }
+  return out;
+}
+
+/** Canonical event encoding — mirrors ledger_manager.encodeAuditEvent. */
+export function encodeAuditEvent(e: CertifiedAuditEvent): Uint8Array {
+  const parts: Uint8Array[] = [
+    lenPrefixed(encoder.encode(e.eventId.toString())),
+    lenPrefixed(encoder.encode(e.transactionId)),
+    lenPrefixed(encoder.encode(e.eventType)),
+    lenPrefixed(encoder.encode(e.timestamp.toString())),
+    lenPrefixed(encoder.encode(e.caller.toText())),
+    lenPrefixed(encoder.encode(e.details)),
+  ];
+  if (e.metadata.length === 0) {
+    parts.push(new Uint8Array([0]));
+  } else {
+    parts.push(new Uint8Array([1]));
+    parts.push(lenPrefixed(encoder.encode(e.metadata[0])));
+  }
+  return concat(parts);
+}
+
+async function sha256(data: Uint8Array): Promise<Uint8Array> {
+  const digest = await crypto.subtle.digest("SHA-256", data as unknown as BufferSource);
+  return new Uint8Array(digest);
+}
+
+/**
+ * Recompute a transaction's chain head from its events — mirrors
+ * ledger_manager.chainHead. Events are sorted by eventId ascending (the
+ * canister's canonical order) so the result is independent of array order.
+ */
+export async function recomputeHeadHash(
+  events: CertifiedAuditEvent[],
+): Promise<Uint8Array> {
+  const ordered = [...events].sort((a, b) =>
+    a.eventId < b.eventId ? -1 : a.eventId > b.eventId ? 1 : 0,
+  );
+  let head: Uint8Array = new Uint8Array(32); // genesis: 32 zero bytes
+  for (const e of ordered) {
+    head = await sha256(concat([head, encodeAuditEvent(e)]));
+  }
+  return head;
+}

package/src/audit/index.ts

@@ -0,0 +1,19 @@
+// Verifiable audit trail (ADR 0013) — chain recompute, certificate
+// verification, and sealed proof bundles for the per-transaction audit log.
+export {
+  type CertifiedAuditEvent,
+  encodeAuditEvent,
+  recomputeHeadHash,
+} from "./auditChain.js";
+export {
+  type CertifiedTransactionLog,
+  type VerifyResult,
+  type VerifyOptions,
+  verifyCertifiedAuditLog,
+} from "./verifyAuditLog.js";
+export {
+  AUDIT_SEAL_DOC_TYPE,
+  type AuditSealBundle,
+  buildAuditSealBundle,
+  serializeAuditSealBundle,
+} from "./sealAuditBundle.js";

package/src/audit/sealAuditBundle.ts

@@ -0,0 +1,90 @@
+// Sealed audit bundle (ADR 0013, proof model ii).
+//
+// A contemporaneous, self-contained snapshot of a transaction's certified
+// audit log. Built from a getCertifiedTransactionLog response (a query, so the
+// subnet certificate is present) — typically at completion, and regenerable on
+// demand. The bundle verifies offline against the IC root key, even if
+// PropXchain is gone: a forensic verifier re-runs verifyCertifiedAuditLog with
+// a relaxed freshness window.
+//
+// Persistence: the serialized bundle is stored on-chain in document_storage
+// (docType "audit_seal") per ADR 0008. That upload uses the existing document
+// upload path and is the caller's step — buildAuditSealBundle only produces the
+// bytes (no document bodies are embedded; events reference any documents by
+// hash only).
+
+import { type CertifiedTransactionLog } from "./verifyAuditLog.js";
+
+export const AUDIT_SEAL_DOC_TYPE = "audit_seal";
+
+interface SerializableAuditEvent {
+  eventId: string;
+  transactionId: string;
+  eventType: string;
+  timestamp: string;
+  caller: string;
+  details: string;
+  metadata: string | null;
+}
+
+export interface AuditSealBundle {
+  version: 1;
+  canisterId: string;
+  transactionId: string;
+  /** Client capture time (ISO). The authoritative time is inside the certificate. */
+  capturedAt: string;
+  events: SerializableAuditEvent[];
+  headHashHex: string;
+  certificateB64: string;
+  witnessB64: string;
+}
+
+function toHex(bytes: Uint8Array): string {
+  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+
+function toB64(bytes: Uint8Array): string {
+  // Browser + Node (>=20) both expose btoa; build a binary string first.
+  let binary = "";
+  for (const b of bytes) binary += String.fromCharCode(b);
+  return btoa(binary);
+}
+
+/**
+ * Build a sealed, serializable proof bundle from a certified log response.
+ * Throws if the response carries no certificate (nothing to seal).
+ */
+export function buildAuditSealBundle(args: {
+  canisterId: string;
+  transactionId: string;
+  capturedAt: string;
+  log: CertifiedTransactionLog;
+}): AuditSealBundle {
+  const { canisterId, transactionId, capturedAt, log } = args;
+  if (log.certificate.length === 0) {
+    throw new Error("cannot seal: certified log response has no certificate");
+  }
+  return {
+    version: 1,
+    canisterId,
+    transactionId,
+    capturedAt,
+    events: log.events.map((e) => ({
+      eventId: e.eventId.toString(),
+      transactionId: e.transactionId,
+      eventType: e.eventType,
+      timestamp: e.timestamp.toString(),
+      caller: e.caller.toText(),
+      details: e.details,
+      metadata: e.metadata.length === 0 ? null : e.metadata[0],
+    })),
+    headHashHex: toHex(log.headHash),
+    certificateB64: toB64(log.certificate[0]),
+    witnessB64: toB64(log.witness),
+  };
+}
+
+/** Serialize a bundle to bytes for on-chain storage (document_storage). */
+export function serializeAuditSealBundle(bundle: AuditSealBundle): Uint8Array {
+  return new TextEncoder().encode(JSON.stringify(bundle));
+}

package/src/audit/verifyAuditLog.ts

@@ -0,0 +1,168 @@
+// Verifier for the certified per-transaction audit log (ADR 0013).
+//
+// Proves a transaction's audit trail is genuine canister state against the IC
+// root key, trusting no part of PropXchain:
+//   1. verify the subnet certificate + Merkle witness;
+//   2. read the certified headHash for the transaction from the witness tree;
+//   3. confirm the response's stated head matches the certified head;
+//   4. recompute the chain from the events and confirm it matches.
+//
+// Uses the @dfinity/* family (agent, principal, certificate-verification)
+// throughout — that is the lineage certificate-verification depends on, so the
+// HashTree/Principal types line up. The rest of core-client uses @icp-sdk;
+// this leaf module's boundary is plain Uint8Array/string, so the split is
+// contained.
+//
+// Live verification keeps the certificate-freshness window tight. Forensic
+// verification of a sealed historical bundle (ADR 0013, proof model ii)
+// relaxes it by design — the bundle proves a fact as-of the certificate's
+// /time, not a current one.
+
+import { lookup_path, lookupResultToBuffer } from "@dfinity/agent";
+import type { HashTree } from "@dfinity/agent";
+import { Principal } from "@dfinity/principal";
+import { type CertifiedAuditEvent, recomputeHeadHash } from "./auditChain.js";
+
+// @dfinity/certificate-verification ships an ESM .d.ts (named exports, no
+// default) but a UMD .cjs as `main`. TS sees ESM; Node's loader sees CJS. A
+// static named import typechecks but fails at runtime; a default import does
+// the reverse. Load it dynamically and fall back across both shapes so the
+// verifier works in Node, browser bundlers, and typecheck alike.
+interface VerifyCertificationParams {
+  canisterId: Principal;
+  encodedCertificate: ArrayBuffer;
+  encodedTree: ArrayBuffer;
+  rootKey: ArrayBuffer;
+  maxCertificateTimeOffsetMs: number;
+}
+type VerifyCertificationFn = (p: VerifyCertificationParams) => Promise<HashTree>;
+
+let cachedVerify: VerifyCertificationFn | undefined;
+async function loadVerifyCertification(): Promise<VerifyCertificationFn> {
+  if (cachedVerify) return cachedVerify;
+  const mod = (await import("@dfinity/certificate-verification")) as unknown as {
+    verifyCertification?: VerifyCertificationFn;
+    default?: { verifyCertification?: VerifyCertificationFn };
+  };
+  const fn = mod.verifyCertification ?? mod.default?.verifyCertification;
+  if (!fn) {
+    throw new Error(
+      "verifyCertification not found in @dfinity/certificate-verification",
+    );
+  }
+  cachedVerify = fn;
+  return fn;
+}
+
+/** Decoded ledger_manager.getCertifiedTransactionLog response. */
+export interface CertifiedTransactionLog {
+  events: CertifiedAuditEvent[];
+  headHash: Uint8Array;
+  certificate: [] | [Uint8Array];
+  witness: Uint8Array;
+}
+
+export interface VerifyResult {
+  verified: boolean;
+  reason?: string;
+  eventCount: number;
+}
+
+export interface VerifyOptions {
+  canisterId: string;
+  /** IC root public key — the mainnet constant, or `agent.rootKey` for local. */
+  rootKey: Uint8Array;
+  transactionId: string;
+  log: CertifiedTransactionLog;
+  /**
+   * Certificate freshness window. Omit for live verification (5 min). For
+   * forensic verification of a sealed bundle, pass a large value (e.g.
+   * Number.MAX_SAFE_INTEGER) to accept a historical certificate.
+   */
+  maxCertificateTimeOffsetMs?: number;
+}
+
+const FIVE_MINUTES_MS = 5 * 60 * 1000;
+
+function toArrayBuffer(u8: Uint8Array): ArrayBuffer {
+  const copy = new Uint8Array(u8.length);
+  copy.set(u8);
+  return copy.buffer;
+}
+
+function equalBytes(a: Uint8Array, b: Uint8Array): boolean {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
+  return diff === 0;
+}
+
+export async function verifyCertifiedAuditLog(
+  opts: VerifyOptions,
+): Promise<VerifyResult> {
+  const { log, transactionId } = opts;
+  const eventCount = log.events.length;
+
+  if (log.certificate.length === 0) {
+    return { verified: false, reason: "no certificate in response", eventCount };
+  }
+
+  // 1. Verify the subnet certificate + witness against the IC root key.
+  let tree: HashTree;
+  try {
+    const verifyCertification = await loadVerifyCertification();
+    tree = await verifyCertification({
+      canisterId: Principal.fromText(opts.canisterId),
+      encodedCertificate: toArrayBuffer(log.certificate[0]),
+      encodedTree: toArrayBuffer(log.witness),
+      rootKey: toArrayBuffer(opts.rootKey),
+      maxCertificateTimeOffsetMs:
+        opts.maxCertificateTimeOffsetMs ?? FIVE_MINUTES_MS,
+    });
+  } catch (err) {
+    return {
+      verified: false,
+      reason: `certificate verification failed: ${String(err)}`,
+      eventCount,
+    };
+  }
+
+  // 2. Read the certified headHash for this transaction from the witness tree.
+  // The path segment is the UTF-8 bytes of the transactionId — exactly the key
+  // ledger_manager certified (Text.encodeUtf8(transactionId)).
+  const lookup = lookup_path(
+    [toArrayBuffer(new TextEncoder().encode(transactionId))],
+    tree,
+  );
+  const certifiedBuf = lookupResultToBuffer(lookup);
+  if (!certifiedBuf) {
+    return {
+      verified: false,
+      reason: "transaction head not present in certified tree",
+      eventCount,
+    };
+  }
+  const certifiedHead = new Uint8Array(certifiedBuf);
+
+  // 3. The response's stated head must match the certified value.
+  if (!equalBytes(certifiedHead, log.headHash)) {
+    return {
+      verified: false,
+      reason: "response headHash does not match certified value",
+      eventCount,
+    };
+  }
+
+  // 4. The head recomputed from the events must match the certified head.
+  const recomputed = await recomputeHeadHash(log.events);
+  if (!equalBytes(recomputed, certifiedHead)) {
+    return {
+      verified: false,
+      reason:
+        "recomputed chain head does not match certified head — events tampered",
+      eventCount,
+    };
+  }
+
+  return { verified: true, eventCount };
+}

package/src/canisters/transaction_manager/transaction_manager.did

@@ -272,12 +272,15 @@ type Result_3 =
    err: text;
    ok: OfficialSearchResult;
  };
-type Result_2 = 
+type Result_21 = 
  variant {
    err: text;
-   ok: TransactionParty;
+   ok: record {
+         registrations: nat;
+         transactions: nat;
+       };
  };
-type Result_19 = 
+type Result_20 = 
  variant {
    err: text;
    ok: record {
@@ -285,11 +288,21 @@ type Result_19 =
          text;
        };
  };
-type Result_18 = 
+type Result_2 = 
+ variant {
+   err: text;
+   ok: TransactionParty;
+ };
+type Result_19 = 
  variant {
    err: text;
    ok: Phase;
  };
+type Result_18 = 
+ variant {
+   err: text;
+   ok: opt HmlrFetchRecord;
+ };
 type Result_17 = 
  variant {
    err: text;
@@ -468,6 +481,13 @@ type LandRegistryIntegration =
    submittedToLRAt: opt int;
    totalLRCosts: nat;
  };
+type HmlrFetchRecord = 
+ record {
+   fetchedAt: int;
+   fetchedBy: principal;
+   responseHash: text;
+   titleNumber: text;
+ };
 type BotConnection = 
  record {
    addedAt: int;
@@ -500,6 +520,7 @@ service : {
    (Result);
   assignSolicitorRecord: (transactionId: text, solicitorRecord:
    SolicitorRecord) -> (Result_1);
+  backfillTransactionMembers: () -> (Result_21);
   bootstrapDocumentStorageCanister: (canisterId: principal) -> (Result);
   canAccessTransaction: (transactionId: text) -> (bool) query;
   connectBot: (transactionId: text, botPrincipal: principal, botName:
@@ -519,7 +540,7 @@ service : {
    postcode: text, titleNumber: text, seller: principal, previousOwner: 
    text, amount: nat64, transactionType: text, userRole: text, propertyType:
    text, propertyCategory: text, mode: text, deposit: nat64, mortgageAmount:
-   nat64, completionDate: text) -> (Result_19);
+   nat64, completionDate: text) -> (Result_20);
   deleteTransaction: (transactionId: text) -> (Result);
   disconnectBot: (transactionId: text, botPrincipal: principal) -> (Result_1);
   doesTransactionExist: (transactionId: text) -> (bool) query;
@@ -528,11 +549,12 @@ service : {
                                   text;
                                 }) query;
   getAllTransactions: () -> (vec Transaction) query;
-  getCurrentPhase: (transactionId: text) -> (Result_18) query;
+  getCurrentPhase: (transactionId: text) -> (Result_19) query;
   getCycles: () -> (nat) query;
   getDocumentStorageCanister: () -> (opt principal) query;
   getExpiringSearches: (withinDays: nat) -> (vec Transaction) query;
   getFlowState: (transactionId: text) -> (opt text) query;
+  getHmlrFetch: (transactionId: text) -> (Result_18) query;
   getInviteCode: (transactionId: text) -> (Result) query;
   getLandRegistryCanister: () -> (text) query;
   getLandRegistryDetail: (transactionID: text) ->
@@ -580,7 +602,6 @@ service : {
   /// create. Counterpart to `removeParty` (which is seller/admin-driven and
   /// gated against primary parties) — this is the "I want out" path for a
   /// joined buyer or any other access-list member.
-  /// 
   /// Gates:
   ///   - Anonymous callers rejected outright.
   ///   - Seller / createdBy cannot leave their own transaction (they
@@ -588,7 +609,6 @@ service : {
   ///   - Caller must currently have access to the transaction.
   ///   - Locked after contract exchange (same posture as assignBuyer):
   ///     once the deal is signed nobody walks away by toggling a button.
-  /// 
   /// Effects:
   ///   - Caller is removed from `accessList`.
   ///   - If the caller is the assigned buyer (`txn.buyer == msg.caller`),
@@ -598,7 +618,6 @@ service : {
   ///     reusable by a new joiner.
   ///   - Audit event `buyer_left` (or `party_left` for non-buyer leavers)
   ///     is logged via the existing ledger pattern.
-  /// 
   /// Concurrency: uses the same acquireTxLock/finally releaseTxLock
   /// posture as assignBuyer so a leave can't race against an in-flight
   /// stage write.
@@ -616,7 +635,6 @@ service : {
   ///   2. Stale-pin txs where the org's pinned principal changed after the
   ///      tx was created (e.g. admin password reset → new ICP key, or org
   ///      ownership transferred to a different admin).
-  /// 
   /// Idempotent over the target: re-running with the same developerPrincipal
   /// returns an error (already at target), so admin-driven backfill scripts
   /// don't silently re-touch state. Always rejects:
@@ -638,6 +656,8 @@ service : {
    acceptedQuoteHash: text, finalAmountPence: nat) -> (Result_1);
   recordFormUpload: (txId: text, formType: text, fileHash: text, fileName:
    text) -> (Result_1);
+  recordHmlrFetched: (transactionId: text, titleNumber: text, responseHash:
+   text) -> (Result_1);
   /// Record a single party's signature on-chain.
   /// The canister identifies the caller as buyer or seller from the transaction principals.
   /// When both parties have signed, the status auto-advances to #exchanged.

package/src/canisters/transaction_manager/transaction_manager.did.d.ts

@@ -20,6 +20,12 @@ export interface BotConnection {
   'addedAt' : bigint,
   'addedBy' : Principal,
 }
+export interface HmlrFetchRecord {
+  'fetchedAt' : bigint,
+  'fetchedBy' : Principal,
+  'titleNumber' : string,
+  'responseHash' : string,
+}
 export interface LandRegistryIntegration {
   'status' : LandRegistryStatus,
   'lastPolledAt' : [] | [bigint],
@@ -152,12 +158,18 @@ export type Result_16 = { 'ok' : TransactionPartyProgress } |
   { 'err' : string };
 export type Result_17 = { 'ok' : NextStepRecommendation } |
   { 'err' : string };
-export type Result_18 = { 'ok' : Phase } |
+export type Result_18 = { 'ok' : [] | [HmlrFetchRecord] } |
   { 'err' : string };
-export type Result_19 = { 'ok' : [string, string] } |
+export type Result_19 = { 'ok' : Phase } |
   { 'err' : string };
 export type Result_2 = { 'ok' : TransactionParty } |
   { 'err' : string };
+export type Result_20 = { 'ok' : [string, string] } |
+  { 'err' : string };
+export type Result_21 = {
+    'ok' : { 'registrations' : bigint, 'transactions' : bigint }
+  } |
+  { 'err' : string };
 export type Result_3 = { 'ok' : OfficialSearchResult } |
   { 'err' : string };
 export type Result_4 = { 'ok' : ApplicationStatusUpdate } |
@@ -380,6 +392,7 @@ export interface _SERVICE {
   'assignBuyer' : ActorMethod<[string, Principal], Result>,
   'assignSolicitor' : ActorMethod<[string, Principal], Result>,
   'assignSolicitorRecord' : ActorMethod<[string, SolicitorRecord], Result_1>,
+  'backfillTransactionMembers' : ActorMethod<[], Result_21>,
   'bootstrapDocumentStorageCanister' : ActorMethod<[Principal], Result>,
   'canAccessTransaction' : ActorMethod<[string], boolean>,
   'connectBot' : ActorMethod<[string, Principal, string], Result_1>,
@@ -425,18 +438,19 @@ export interface _SERVICE {
       bigint,
       string,
     ],
-    Result_19
+    Result_20
   >,
   'deleteTransaction' : ActorMethod<[string], Result>,
   'disconnectBot' : ActorMethod<[string, Principal], Result_1>,
   'doesTransactionExist' : ActorMethod<[string], boolean>,
   'getAllInviteCodes' : ActorMethod<[], Array<[string, string]>>,
   'getAllTransactions' : ActorMethod<[], Array<Transaction>>,
-  'getCurrentPhase' : ActorMethod<[string], Result_18>,
+  'getCurrentPhase' : ActorMethod<[string], Result_19>,
   'getCycles' : ActorMethod<[], bigint>,
   'getDocumentStorageCanister' : ActorMethod<[], [] | [Principal]>,
   'getExpiringSearches' : ActorMethod<[bigint], Array<Transaction>>,
   'getFlowState' : ActorMethod<[string], [] | [string]>,
+  'getHmlrFetch' : ActorMethod<[string], Result_18>,
   'getInviteCode' : ActorMethod<[string], Result>,
   'getLandRegistryCanister' : ActorMethod<[], string>,
   'getLandRegistryDetail' : ActorMethod<
@@ -488,7 +502,6 @@ export interface _SERVICE {
    * / create. Counterpart to `removeParty` (which is seller/admin-driven and
    * / gated against primary parties) — this is the "I want out" path for a
    * / joined buyer or any other access-list member.
-   * /
    * / Gates:
    * /   - Anonymous callers rejected outright.
    * /   - Seller / createdBy cannot leave their own transaction (they
@@ -496,7 +509,6 @@ export interface _SERVICE {
    * /   - Caller must currently have access to the transaction.
    * /   - Locked after contract exchange (same posture as assignBuyer):
    * /     once the deal is signed nobody walks away by toggling a button.
-   * /
    * / Effects:
    * /   - Caller is removed from `accessList`.
    * /   - If the caller is the assigned buyer (`txn.buyer == msg.caller`),
@@ -506,7 +518,6 @@ export interface _SERVICE {
    * /     reusable by a new joiner.
    * /   - Audit event `buyer_left` (or `party_left` for non-buyer leavers)
    * /     is logged via the existing ledger pattern.
-   * /
    * / Concurrency: uses the same acquireTxLock/finally releaseTxLock
    * / posture as assignBuyer so a leave can't race against an in-flight
    * / stage write.
@@ -525,7 +536,6 @@ export interface _SERVICE {
    * /   2. Stale-pin txs where the org's pinned principal changed after the
    * /      tx was created (e.g. admin password reset → new ICP key, or org
    * /      ownership transferred to a different admin).
-   * /
    * / Idempotent over the target: re-running with the same developerPrincipal
    * / returns an error (already at target), so admin-driven backfill scripts
    * / don't silently re-touch state. Always rejects:
@@ -551,6 +561,7 @@ export interface _SERVICE {
     Result_1
   >,
   'recordFormUpload' : ActorMethod<[string, string, string, string], Result_1>,
+  'recordHmlrFetched' : ActorMethod<[string, string, string], Result_1>,
   /**
    * / Record a single party's signature on-chain.
    * / The canister identifies the caller as buyer or seller from the transaction principals.

package/src/canisters/transaction_manager/transaction_manager.did.js

@@ -72,7 +72,11 @@ export const idlFactory = ({ IDL }) => {
     'regulatoryBody' : RegulatoryBody,
   });
   const Result_1 = IDL.Variant({ 'ok' : IDL.Null, 'err' : IDL.Text });
-  const Result_19 = IDL.Variant({
+  const Result_21 = IDL.Variant({
+    'ok' : IDL.Record({ 'registrations' : IDL.Nat, 'transactions' : IDL.Nat }),
+    'err' : IDL.Text,
+  });
+  const Result_20 = IDL.Variant({
     'ok' : IDL.Tuple(IDL.Text, IDL.Text),
     'err' : IDL.Text,
   });
@@ -193,7 +197,17 @@ export const idlFactory = ({ IDL }) => {
     'preCompletion' : IDL.Null,
     'searches' : IDL.Null,
   });
-  const Result_18 = IDL.Variant({ 'ok' : Phase, 'err' : IDL.Text });
+  const Result_19 = IDL.Variant({ 'ok' : Phase, 'err' : IDL.Text });
+  const HmlrFetchRecord = IDL.Record({
+    'fetchedAt' : IDL.Int,
+    'fetchedBy' : IDL.Principal,
+    'titleNumber' : IDL.Text,
+    'responseHash' : IDL.Text,
+  });
+  const Result_18 = IDL.Variant({
+    'ok' : IDL.Opt(HmlrFetchRecord),
+    'err' : IDL.Text,
+  });
   const Notification = IDL.Record({
     'id' : IDL.Nat,
     'documentHash' : IDL.Text,
@@ -423,6 +437,7 @@ export const idlFactory = ({ IDL }) => {
         [Result_1],
         [],
       ),
+    'backfillTransactionMembers' : IDL.Func([], [Result_21], []),
     'bootstrapDocumentStorageCanister' : IDL.Func(
         [IDL.Principal],
         [Result],
@@ -484,7 +499,7 @@ export const idlFactory = ({ IDL }) => {
           IDL.Nat64,
           IDL.Text,
         ],
-        [Result_19],
+        [Result_20],
         [],
       ),
     'deleteTransaction' : IDL.Func([IDL.Text], [Result], []),
@@ -496,7 +511,7 @@ export const idlFactory = ({ IDL }) => {
         ['query'],
       ),
     'getAllTransactions' : IDL.Func([], [IDL.Vec(Transaction)], ['query']),
-    'getCurrentPhase' : IDL.Func([IDL.Text], [Result_18], ['query']),
+    'getCurrentPhase' : IDL.Func([IDL.Text], [Result_19], ['query']),
     'getCycles' : IDL.Func([], [IDL.Nat], ['query']),
     'getDocumentStorageCanister' : IDL.Func(
         [],
@@ -509,6 +524,7 @@ export const idlFactory = ({ IDL }) => {
         ['query'],
       ),
     'getFlowState' : IDL.Func([IDL.Text], [IDL.Opt(IDL.Text)], ['query']),
+    'getHmlrFetch' : IDL.Func([IDL.Text], [Result_18], ['query']),
     'getInviteCode' : IDL.Func([IDL.Text], [Result], ['query']),
     'getLandRegistryCanister' : IDL.Func([], [IDL.Text], ['query']),
     'getLandRegistryDetail' : IDL.Func(
@@ -613,6 +629,11 @@ export const idlFactory = ({ IDL }) => {
         [Result_1],
         [],
       ),
+    'recordHmlrFetched' : IDL.Func(
+        [IDL.Text, IDL.Text, IDL.Text],
+        [Result_1],
+        [],
+      ),
     'recordPartySignature' : IDL.Func(
         [IDL.Text, IDL.Text, IDL.Text],
         [Result],