npm - @provenonce/sdk - Versions diffs - 0.11.0 → 0.14.0 - Mend

@provenonce/sdk 0.11.0 → 0.14.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.mjs CHANGED Viewed

@@ -1,5 +1,5 @@
 // src/beat-sdk.ts
-import { createHash, generateKeyPairSync, sign, verify, createPrivateKey, createPublicKey } from "crypto";
+import { createHash, verify, createPublicKey } from "crypto";
 // src/errors.ts
 var ErrorCode = /* @__PURE__ */ ((ErrorCode2) => {
@@ -109,22 +109,53 @@ function computeBeat(prevHash, beatIndex, difficulty, nonce, anchorHash) {
   }
   return { index: beatIndex, hash: current, prev: prevHash, timestamp, nonce, anchor_hash: anchorHash };
 }
-var ED25519_PKCS8_PREFIX = Buffer.from("302e020100300506032b657004220420", "hex");
-function generateWalletKeypair() {
-  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
-  const pubRaw = publicKey.export({ type: "spki", format: "der" }).subarray(12);
-  const privRaw = privateKey.export({ type: "pkcs8", format: "der" }).subarray(16);
-  return {
-    publicKey: Buffer.from(pubRaw).toString("hex"),
-    secretKey: Buffer.from(privRaw).toString("hex")
-  };
+var BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+function base58DecodeToBuffer(str) {
+  const map = {};
+  for (let i = 0; i < BASE58_ALPHABET.length; i++) map[BASE58_ALPHABET[i]] = i;
+  let bytes = [0];
+  for (let i = 0; i < str.length; i++) {
+    const val = map[str[i]];
+    if (val === void 0) throw new Error("invalid base58 character");
+    let carry = val;
+    for (let j = 0; j < bytes.length; j++) {
+      const x = bytes[j] * 58 + carry;
+      bytes[j] = x & 255;
+      carry = x >> 8;
+    }
+    while (carry > 0) {
+      bytes.push(carry & 255);
+      carry >>= 8;
+    }
+  }
+  for (let i = 0; i < str.length && str[i] === "1"; i++) bytes.push(0);
+  return Buffer.from(bytes.reverse());
+}
+function u64be(n) {
+  const buf = Buffer.alloc(8);
+  buf.writeUInt32BE(Math.floor(n / 4294967296), 0);
+  buf.writeUInt32BE(n >>> 0, 4);
+  return buf;
 }
-function signMessage(secretKeyHex, message) {
-  const privRaw = Buffer.from(secretKeyHex, "hex");
-  const privKeyDer = Buffer.concat([ED25519_PKCS8_PREFIX, privRaw]);
-  const keyObject = createPrivateKey({ key: privKeyDer, format: "der", type: "pkcs8" });
-  const sig = sign(null, Buffer.from(message), keyObject);
-  return Buffer.from(sig).toString("hex");
+var ANCHOR_DOMAIN_PREFIX = "PROVENONCE_BEATS_V1";
+function verifyAnchorHash(anchor) {
+  if (!anchor || !anchor.hash || !anchor.prev_hash) return false;
+  if (anchor.solana_entropy) {
+    const prefix = Buffer.from(ANCHOR_DOMAIN_PREFIX, "utf8");
+    const prev = Buffer.from(anchor.prev_hash, "hex");
+    const idx = u64be(anchor.beat_index);
+    const entropy = base58DecodeToBuffer(anchor.solana_entropy);
+    const preimage = Buffer.concat([prefix, prev, idx, entropy]);
+    const computed = createHash("sha256").update(preimage).digest("hex");
+    return computed === anchor.hash;
+  }
+  const nonce = `anchor:${anchor.utc}:${anchor.epoch}`;
+  const seed = `${anchor.prev_hash}:${anchor.beat_index}:${nonce}`;
+  let current = createHash("sha256").update(seed).digest("hex");
+  for (let i = 0; i < anchor.difficulty; i++) {
+    current = createHash("sha256").update(current).digest("hex");
+  }
+  return current === anchor.hash;
 }
 async function register(name, options) {
   if (!name || typeof name !== "string" || name.trim().length === 0) {
@@ -211,8 +242,6 @@ async function register(name, options) {
     }
     if (!registerRes.ok) throw mapApiError(registerRes.status, data2, "/api/v1/register");
     data2.wallet = {
-      public_key: "",
-      secret_key: "",
       address: data2.wallet?.address || options.walletAddress,
       chain: "ethereum"
     };
@@ -260,77 +289,6 @@ async function register(name, options) {
     if (!registerRes.ok) throw mapApiError(registerRes.status, data2, "/api/v1/register");
     const addr = data2.wallet?.address || data2.wallet?.solana_address || options.operatorWalletAddress;
     data2.wallet = {
-      public_key: "",
-      secret_key: "",
-      solana_address: addr,
-      address: addr,
-      chain: "solana"
-    };
-    return data2;
-  }
-  if (options?.walletModel === "self-custody" || options?.walletSecretKey) {
-    let walletKeys;
-    if (options?.walletSecretKey) {
-      const privRaw = Buffer.from(options.walletSecretKey, "hex");
-      const privKeyDer = Buffer.concat([ED25519_PKCS8_PREFIX, privRaw]);
-      const keyObject = createPrivateKey({ key: privKeyDer, format: "der", type: "pkcs8" });
-      const pubRaw = keyObject.export({ type: "spki", format: "der" }).subarray(12);
-      walletKeys = {
-        publicKey: Buffer.from(pubRaw).toString("hex"),
-        secretKey: options.walletSecretKey
-      };
-    } else {
-      walletKeys = generateWalletKeypair();
-    }
-    const challengeRes = await fetch(`${url}/api/v1/register`, {
-      method: "POST",
-      headers,
-      body: JSON.stringify({ name, action: "challenge" })
-    });
-    let challengeData;
-    try {
-      challengeData = await challengeRes.json();
-    } catch {
-      const err = new NetworkError(`Registration challenge failed: ${challengeRes.status} (non-JSON response)`);
-      err.walletKeys = { publicKey: walletKeys.publicKey, secretKey: walletKeys.secretKey };
-      throw err;
-    }
-    if (!challengeRes.ok || !challengeData.nonce) {
-      const err = mapApiError(challengeRes.status, challengeData, "/api/v1/register");
-      err.walletKeys = { publicKey: walletKeys.publicKey, secretKey: walletKeys.secretKey };
-      throw err;
-    }
-    const nonce = challengeData.nonce;
-    const message = `provenonce-register:${nonce}:${walletKeys.publicKey}:${name}`;
-    const walletSignature = signMessage(walletKeys.secretKey, message);
-    const registerRes = await fetch(`${url}/api/v1/register`, {
-      method: "POST",
-      headers,
-      body: JSON.stringify({
-        name,
-        wallet_public_key: walletKeys.publicKey,
-        wallet_signature: walletSignature,
-        wallet_nonce: nonce,
-        ...options?.metadata && { metadata: options.metadata }
-      })
-    });
-    let data2;
-    try {
-      data2 = await registerRes.json();
-    } catch {
-      const err = new NetworkError(`Registration failed: ${registerRes.status} (non-JSON response)`);
-      err.walletKeys = { publicKey: walletKeys.publicKey, secretKey: walletKeys.secretKey };
-      throw err;
-    }
-    if (!registerRes.ok) {
-      const err = mapApiError(registerRes.status, data2, "/api/v1/register");
-      err.walletKeys = { publicKey: walletKeys.publicKey, secretKey: walletKeys.secretKey };
-      throw err;
-    }
-    const addr = data2.wallet?.address || data2.wallet?.solana_address || "";
-    data2.wallet = {
-      public_key: walletKeys.publicKey,
-      secret_key: walletKeys.secretKey,
       solana_address: addr,
       address: addr,
       chain: "solana"
@@ -398,6 +356,8 @@ var BeatAgent = class {
       onStatusChange: () => {
       },
       verbose: false,
+      verifyAnchors: true,
+      beatsUrl: "https://beats.provenonce.dev",
       ...config
     };
   }
@@ -439,27 +399,7 @@ var BeatAgent = class {
       return { ok: false, error: err.message };
     }
   }
-  // ── PULSE (COMPUTE BEATS) ──
-  /**
-   * @deprecated Phase 2: VDF computation retired (D-68). Payment is the liveness mechanism.
-   * Use heartbeat() instead. This method will be removed in the next major version.
-   *
-   * Compute N beats locally (VDF hash chain).
-   */
-  pulse(count) {
-    console.warn("[Provenonce SDK] pulse() is deprecated. Use heartbeat() instead (Phase 2).");
-    if (this.status === "frozen") {
-      throw new FrozenError("Cannot pulse: agent is frozen. Use resync() to re-establish provenance.");
-    }
-    if (this.status !== "active") {
-      throw new StateError(`Cannot pulse: agent is ${this.status}.`, this.status);
-    }
-    if (count !== void 0 && (!Number.isInteger(count) || count < 1 || count > 1e4)) {
-      throw new ValidationError("pulse count must be an integer between 1 and 10000");
-    }
-    return this.computeBeats(count);
-  }
-  /** Internal beat computation — no status check. Used by both pulse() and resync(). */
+  /** Internal beat computation — no status check. Used by resync(). */
   computeBeats(count, onProgress) {
     const n = count || this.config.beatsPerPulse;
     if (!this.latestBeat) {
@@ -489,63 +429,6 @@ var BeatAgent = class {
     this.log(`Pulse: ${n} beats in ${elapsed}ms (${(elapsed / n).toFixed(1)}ms/beat, D=${this.difficulty})`);
     return newBeats;
   }
-  // ── CHECK-IN ──
-  /**
-   * @deprecated Phase 2: VDF check-in retired (D-68). Use heartbeat() instead.
-   * This method will be removed in the next major version.
-   */
-  async checkin() {
-    console.warn("[Provenonce SDK] checkin() is deprecated. Use heartbeat() instead (Phase 2).");
-    if (!this.latestBeat || this.latestBeat.index <= this.lastCheckinBeat) {
-      this.log("No new beats since last check-in. Call pulse() first.");
-      return { ok: true, total_beats: this.totalBeats };
-    }
-    try {
-      const fromBeat = this.lastCheckinBeat;
-      const toBeat = this.latestBeat.index;
-      const spotChecks = [];
-      const toBeatEntry = this.chain.find((b) => b.index === toBeat);
-      if (toBeatEntry) {
-        spotChecks.push({ index: toBeatEntry.index, hash: toBeatEntry.hash, prev: toBeatEntry.prev, nonce: toBeatEntry.nonce });
-      }
-      const available = this.chain.filter((b) => b.index > this.lastCheckinBeat && b.index !== toBeat);
-      const sampleCount = Math.min(4, available.length);
-      for (let i = 0; i < sampleCount; i++) {
-        const idx = Math.floor(Math.random() * available.length);
-        const beat = available[idx];
-        spotChecks.push({ index: beat.index, hash: beat.hash, prev: beat.prev, nonce: beat.nonce });
-        available.splice(idx, 1);
-      }
-      const fromHash = this.chain.find((b) => b.index === fromBeat)?.hash || this.genesisHash;
-      const toHash = this.latestBeat.hash;
-      const res = await this.api("POST", "/api/v1/agent/checkin", {
-        proof: {
-          from_beat: fromBeat,
-          to_beat: toBeat,
-          from_hash: fromHash,
-          to_hash: toHash,
-          beats_computed: toBeat - fromBeat,
-          global_anchor: this.globalBeat,
-          anchor_hash: this.globalAnchorHash || void 0,
-          spot_checks: spotChecks
-        }
-      });
-      if (res.ok) {
-        this.lastCheckinBeat = toBeat;
-        this.totalBeats = res.total_beats;
-        this.config.onCheckin(res);
-        this.log(`Check-in accepted: ${res.beats_accepted} beats, total=${res.total_beats}, global=${res.global_beat}`);
-        if (res.status === "warning_overdue") {
-          this.config.onStatusChange("warning", { beats_behind: res.beats_behind });
-          this.log(`\u26A0 WARNING: ${res.beats_behind} anchors behind. Check in more frequently.`);
-        }
-      }
-      return { ok: res.ok, total_beats: res.total_beats };
-    } catch (err) {
-      this.config.onError(err, "checkin");
-      return { ok: false, error: err.message };
-    }
-  }
   // ── AUTONOMOUS HEARTBEAT ──
   /**
    * Start the autonomous heartbeat loop.
@@ -595,60 +478,66 @@ var BeatAgent = class {
   }
   // ── RE-SYNC ──
   /**
-   * @deprecated Phase 2: Resync retired (D-67). Dormancy resume is free — just call heartbeat().
-   * This method will be removed in the next major version.
+   * Re-Sync Challenge (D-67 reversal): reactivate a frozen agent by proving CPU work.
+   *
+   * When BEATS_REQUIRED=true on the server: requires a signed Beats work-proof
+   * receipt. This method computes the proof automatically using computeWorkProof().
+   *
+   * When BEATS_REQUIRED=false (devnet): no receipt needed — agent is reactivated freely.
+   *
+   * Gap formula: min(gap_anchors * 100, 10_000) beats required (matches Beats constants).
    */
   async resync() {
-    console.warn("[Provenonce SDK] resync() is deprecated (D-67). Use heartbeat() to resume (Phase 2).");
     try {
-      this.log("Requesting re-sync challenge...");
-      const challenge = await this.api("POST", "/api/v1/agent/resync", {
-        action: "challenge"
-      });
-      if (!challenge.challenge) {
-        return { ok: false, error: "Failed to get challenge" };
-      }
-      const required = challenge.challenge.required_beats;
-      this.difficulty = challenge.challenge.difficulty;
-      this.log(`Re-sync challenge: compute ${required} beats at D=${this.difficulty}`);
+      this.log("Attempting resync...");
       await this.syncGlobal();
-      const startHash = challenge.challenge.start_from_hash;
-      const startBeat = challenge.challenge.start_from_beat;
-      this.latestBeat = { index: startBeat, hash: startHash, prev: "", timestamp: Date.now() };
-      this.chain = [this.latestBeat];
-      const t0 = Date.now();
-      this.computeBeats(required);
-      const elapsed = Date.now() - t0;
-      this.log(`Re-sync beats computed in ${elapsed}ms`);
-      const proof = await this.api("POST", "/api/v1/agent/resync", {
-        action: "prove",
-        challenge_nonce: challenge.challenge.nonce,
-        proof: {
-          from_beat: startBeat,
-          to_beat: this.latestBeat.index,
-          from_hash: startHash,
-          to_hash: this.latestBeat.hash,
-          beats_computed: required,
-          global_anchor: challenge.challenge.sync_to_global,
-          anchor_hash: this.globalAnchorHash || void 0,
-          spot_checks: (() => {
-            const toBeatEntry = this.chain.find((b) => b.index === this.latestBeat.index);
-            const available = this.chain.filter((b) => b.index !== this.latestBeat.index && b.index > startBeat);
-            const step = Math.max(1, Math.ceil(available.length / 5));
-            const others = available.filter((_, i) => i % step === 0).slice(0, 4);
-            const checks = toBeatEntry ? [toBeatEntry, ...others] : others;
-            return checks.map((b) => ({ index: b.index, hash: b.hash, prev: b.prev, nonce: b.nonce }));
-          })()
-        }
-      });
-      if (proof.ok) {
+      const controller = new AbortController();
+      const timeout = setTimeout(() => controller.abort(), 3e4);
+      let probeRes;
+      let probeData;
+      try {
+        probeRes = await fetch(`${this.config.registryUrl}/api/v1/agent/resync`, {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            "Authorization": `Bearer ${this.config.apiKey}`
+          },
+          body: JSON.stringify({}),
+          signal: controller.signal
+        });
+        probeData = await probeRes.json();
+      } finally {
+        clearTimeout(timeout);
+      }
+      if (probeData.ok && probeData.status === "active") {
         this.status = "active";
-        this.totalBeats = proof.total_beats;
-        this.lastCheckinBeat = this.latestBeat.index;
         this.config.onStatusChange("active", { resynced: true });
-        this.log("\u2713 Re-synced. Agent is alive again in Beat time.");
+        this.log("\u2713 Re-synced (free). Agent is alive again in Beat time.");
+        return { ok: true, beats_required: 0 };
+      }
+      if (probeRes.status === 402 || probeData.code === "RECEIPT_REQUIRED") {
+        const requiredBeats = probeData.required_beats ?? 1e3;
+        this.log(`Re-sync challenge: compute ${requiredBeats} beats at D=${this.difficulty}`);
+        const proofResult = await this.computeWorkProof({
+          beatsNeeded: requiredBeats,
+          anchorHash: this.globalAnchorHash,
+          anchorIndex: this.globalBeat
+        });
+        if (!proofResult.ok || !proofResult.receipt) {
+          return { ok: false, error: proofResult.error || "Failed to compute work proof for resync", beats_required: requiredBeats };
+        }
+        this.log(`Work proof computed: ${proofResult.beats_computed} beats in ${proofResult.elapsed_ms}ms`);
+        const result = await this.api("POST", "/api/v1/agent/resync", {
+          beats_receipt: proofResult.receipt
+        });
+        if (result.ok && result.status === "active") {
+          this.status = "active";
+          this.config.onStatusChange("active", { resynced: true });
+          this.log("\u2713 Re-synced with work proof. Agent is alive again in Beat time.");
+        }
+        return { ok: !!result.ok, beats_required: requiredBeats };
       }
-      return { ok: proof.ok, beats_required: required };
+      return { ok: false, error: probeData.error || `Resync failed (status ${probeRes.status})` };
     } catch (err) {
       this.config.onError(err, "resync");
       return { ok: false, error: err.message };
@@ -657,9 +546,13 @@ var BeatAgent = class {
   // ── SPAWN ──
   /**
    * Request to spawn a child agent.
-   * Requires sufficient accumulated beats (Temporal Gestation).
+   * Requires sufficient accumulated beats (Temporal Gestation), OR a valid Beats work-proof receipt.
+   *
+   * @param childName    Optional name for the child agent
+   * @param childHash    Pre-registered child hash (Step 2 finalization)
+   * @param beatsReceipt Signed work-proof receipt from computeWorkProof() (receipt-based spawn)
    */
-  async requestSpawn(childName, childHash) {
+  async requestSpawn(childName, childHash, beatsReceipt) {
     try {
       if (childName !== void 0) {
         if (typeof childName !== "string" || childName.trim().length === 0) {
@@ -671,12 +564,15 @@ var BeatAgent = class {
       }
       const res = await this.api("POST", "/api/v1/agent/spawn", {
         child_name: childName,
-        child_hash: childHash
+        child_hash: childHash,
+        ...beatsReceipt && { beats_receipt: beatsReceipt }
       });
       if (res.eligible === false) {
         this.log(`Gestation incomplete: ${res.progress_pct}% (need ${res.deficit} more beats)`);
       } else if (res.ok) {
         this.log(`Child spawned: ${res.child_hash?.slice(0, 16)}...`);
+      } else if (res.spawn_authorization) {
+        this.log(`Spawn authorized${res.receipt_based ? " (receipt-based)" : ""}`);
       }
       return res;
     } catch (err) {
@@ -684,6 +580,132 @@ var BeatAgent = class {
       throw err;
     }
   }
+  /**
+   * Compute a Beats work-proof for spawn or resync authorization.
+   *
+   * Computes `beatsNeeded` sequential SHA-256 beats at `difficulty`, weaving in
+   * the given anchor hash, then submits to the Beats service and returns a signed receipt.
+   *
+   * @param opts.beatsNeeded  Minimum beats required (from spawn/resync response.required_beats)
+   * @param opts.anchorHash   Current global anchor hash (from syncGlobal or getAnchor)
+   * @param opts.anchorIndex  Current global anchor index
+   * @param opts.difficulty   Beat difficulty (default: agent's current difficulty)
+   */
+  async computeWorkProof(opts) {
+    const { beatsNeeded, anchorHash, anchorIndex } = opts;
+    const difficulty = opts.difficulty ?? this.difficulty;
+    if (!Number.isInteger(beatsNeeded) || beatsNeeded < 0) {
+      return { ok: false, error: "beatsNeeded must be a non-negative integer" };
+    }
+    const t0 = Date.now();
+    const genesisHash = createHash("sha256").update(`provenonce:work-proof-genesis:${this.config.apiKey.slice(0, 16)}:${Date.now()}`).digest("hex");
+    const beats = Math.max(beatsNeeded, 1);
+    let prevHash = genesisHash;
+    const spotCheckCount = Math.min(5, Math.max(1, Math.floor(beats / 100)));
+    const spotInterval = Math.max(1, Math.floor(beats / (spotCheckCount + 1)));
+    const spotChecks = [];
+    for (let i = 1; i <= beats; i++) {
+      const beat = computeBeat(prevHash, i, difficulty, void 0, anchorHash);
+      prevHash = beat.hash;
+      if (i % spotInterval === 0 && spotChecks.length < spotCheckCount) {
+        spotChecks.push({ index: beat.index, hash: beat.hash, prev: beat.prev });
+      }
+    }
+    const toHash = prevHash;
+    const elapsed_ms = Date.now() - t0;
+    this.log(`Work proof computed locally: ${beats} beats in ${elapsed_ms}ms`);
+    const beatsUrl = this.config.beatsUrl || "https://beats.provenonce.dev";
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 12e4);
+    try {
+      const res = await fetch(`${beatsUrl}/api/v1/beat/work-proof`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          work_proof: {
+            from_hash: genesisHash,
+            to_hash: toHash,
+            beats_computed: beats,
+            difficulty,
+            anchor_index: anchorIndex,
+            anchor_hash: anchorHash,
+            spot_checks: spotChecks
+          }
+        }),
+        signal: controller.signal
+      });
+      let data;
+      try {
+        data = await res.json();
+      } catch {
+        return { ok: false, error: `Beats service returned non-JSON (status ${res.status})` };
+      }
+      if (!data.valid || !data.receipt) {
+        return { ok: false, error: data.reason || data.error || "Work proof rejected by Beats service" };
+      }
+      this.log(`Work proof receipt issued by Beats: ${data.receipt.beats_verified} beats verified`);
+      return { ok: true, receipt: data.receipt, beats_computed: beats, elapsed_ms };
+    } catch (err) {
+      if (err.name === "AbortError") {
+        return { ok: false, error: "Work proof submission timed out" };
+      }
+      return { ok: false, error: err.message };
+    } finally {
+      clearTimeout(timeout);
+    }
+  }
+  /**
+   * Compute a Beats work-proof and use it to request spawn authorization.
+   *
+   * Probes the spawn endpoint to determine required beats, computes the proof,
+   * and returns the spawn_authorization token. The caller still needs to:
+   *   1. Register the child via POST /api/v1/register with spawn_authorization
+   *   2. Finalize via POST /api/v1/agent/spawn with child_hash
+   *
+   * @param opts.childName   Optional name for the child agent
+   * @param opts.beatsNeeded Override the required beats (default: auto-probed)
+   */
+  async requestSpawnWithBeatsProof(opts) {
+    try {
+      await this.syncGlobal();
+      let requiredBeats = opts?.beatsNeeded;
+      if (requiredBeats === void 0) {
+        const controller = new AbortController();
+        const timeout = setTimeout(() => controller.abort(), 3e4);
+        try {
+          const probeRes = await fetch(`${this.config.registryUrl}/api/v1/agent/spawn`, {
+            method: "POST",
+            headers: {
+              "Content-Type": "application/json",
+              "Authorization": `Bearer ${this.config.apiKey}`
+            },
+            body: JSON.stringify({ child_name: opts?.childName }),
+            signal: controller.signal
+          });
+          const probeData = await probeRes.json();
+          if (probeData.spawn_authorization && probeData.eligible) {
+            return probeData;
+          }
+          requiredBeats = probeData.required_beats ?? 1e3;
+        } finally {
+          clearTimeout(timeout);
+        }
+      }
+      const proofResult = await this.computeWorkProof({
+        beatsNeeded: requiredBeats,
+        anchorHash: this.globalAnchorHash,
+        anchorIndex: this.globalBeat
+      });
+      if (!proofResult.ok || !proofResult.receipt) {
+        return { ok: false, eligible: false, error: proofResult.error || "Failed to compute work proof" };
+      }
+      this.log(`Submitting spawn with work proof (${proofResult.beats_computed} beats)`);
+      return this.requestSpawn(opts?.childName, void 0, proofResult.receipt);
+    } catch (err) {
+      this.config.onError(err, "requestSpawnWithBeatsProof");
+      throw err;
+    }
+  }
   /**
    * Purchase a SIGIL (cryptographic identity) for this agent.
    * SIGILs gate heartbeating, lineage proofs, and offline verification.
@@ -923,6 +945,10 @@ var BeatAgent = class {
       clearTimeout(timeout);
       const data = await res.json();
       if (data.anchor) {
+        if (this.config.verifyAnchors && !verifyAnchorHash(data.anchor)) {
+          this.log("\u26A0 Anchor hash verification FAILED \u2014 rejecting untrusted anchor");
+          return;
+        }
         this.globalBeat = data.anchor.beat_index;
         this.globalAnchorHash = data.anchor.hash || "";
         if (data.anchor.difficulty) this.difficulty = data.anchor.difficulty;
@@ -1020,7 +1046,7 @@ export {
   ValidationError,
   computeBeat,
   computeBeatsLite,
-  generateWalletKeypair,
-  register
+  register,
+  verifyAnchorHash
 };
 //# sourceMappingURL=index.mjs.map