kontext-sdk 0.8.0 → 0.9.0

package/dist/index.d.ts

@@ -1,3 +1,83 @@
+/** What kind of queries a provider can handle */
+type QueryType = 'address' | 'entity_name' | 'both';
+/** Jurisdictions for sanctions list mapping */
+type Jurisdiction = 'US' | 'EU' | 'UK' | 'UN' | 'UAE' | 'SG' | 'HK' | 'IN' | 'KR' | 'MY' | 'TH' | 'NZ' | 'CN' | 'GLOBAL';
+/** Known sanctions lists */
+type SanctionsList = 'OFAC_SDN' | 'OFAC_NON_SDN' | 'EU_CONSOLIDATED' | 'UN_SECURITY_COUNCIL' | 'UK_OFSI' | 'UAE_LOCAL' | 'MAS_TFS' | 'HK_UNSO' | 'INDIA_DOMESTIC' | 'KOFIU_DOMESTIC' | 'BNM_DOMESTIC' | 'AMLO_DOMESTIC' | 'NZ_DESIGNATED' | 'OPENSANCTIONS' | 'CHAINALYSIS' | 'CUSTOM';
+/** How a match was determined */
+type MatchType = 'exact_address' | 'fuzzy_name' | 'alias_match' | 'associated' | 'partial';
+/** Entity sanctioning status */
+type EntityStatus = 'active' | 'delisted';
+/** Context passed to providers for jurisdiction-aware routing */
+interface ScreeningContext {
+    token?: Token | string;
+    currency?: string;
+    amount?: string;
+    chain?: Chain | string;
+    agentId?: string;
+    [key: string]: unknown;
+}
+/** A single match from a screening provider */
+interface ScreeningMatch {
+    list: SanctionsList;
+    matchType: MatchType;
+    similarity: number;
+    matchedValue: string;
+    entityStatus: EntityStatus;
+    entityName?: string;
+    program?: string;
+}
+/** Result from a single screening provider */
+interface ScreeningResult {
+    providerId: string;
+    hit: boolean;
+    matches: ScreeningMatch[];
+    listsChecked: readonly SanctionsList[];
+    entriesSearched: number;
+    durationMs: number;
+    error?: string;
+}
+/**
+ * Pluggable screening provider interface.
+ *
+ * Providers declare what query types they support via `queryTypes`.
+ * The ScreeningAggregator uses this to route queries: addresses go
+ * to `'address'` or `'both'` providers; entity names go to
+ * `'entity_name'` or `'both'` providers.
+ */
+interface ScreeningProvider {
+    readonly id: string;
+    readonly name: string;
+    readonly lists: readonly SanctionsList[];
+    readonly requiresApiKey: boolean;
+    readonly browserCompatible: boolean;
+    readonly queryTypes: readonly QueryType[];
+    /** Screen an address or entity name */
+    screen(query: string, context?: ScreeningContext): Promise<ScreeningResult>;
+    /** Whether this provider is currently available */
+    isAvailable(): boolean;
+    /** Sync local data (optional — only for providers with local cache) */
+    sync?(): Promise<{
+        updated: boolean;
+        count: number;
+    }>;
+    /** Number of entries in the provider's dataset (optional) */
+    getEntryCount?(): number;
+}
+/** Check if a query string is a blockchain address */
+declare function isBlockchainAddress(query: string): boolean;
+/** Check if a provider supports the detected query type */
+declare function providerSupportsQuery(provider: ScreeningProvider, query: string): boolean;
+/** Required sanctions lists by crypto token */
+declare const TOKEN_REQUIRED_LISTS: Record<string, readonly SanctionsList[]>;
+/** Required sanctions lists by fiat currency */
+declare const CURRENCY_REQUIRED_LISTS: Record<string, readonly SanctionsList[]>;
+/**
+ * Get the required sanctions lists for a given screening context.
+ * Token takes precedence over currency when both are provided.
+ */
+declare function getRequiredLists(context?: ScreeningContext): readonly SanctionsList[];
+
 /**
  * Result of an export operation.
  */
@@ -324,6 +404,74 @@ interface KontextConfig {
      * ```
      */
     approvalThreshold?: string;
+    /**
+     * Pluggable sanctions screening configuration. When provided, verify()
+     * uses the ScreeningAggregator instead of the built-in UsdcCompliance /
+     * PaymentCompliance code paths.
+     *
+     * Free tier — no plan gating. Each screen() call counts as 1 event.
+     *
+     * @example
+     * ```typescript
+     * import { Kontext, OFACAddressProvider, UKOFSIProvider } from 'kontext-sdk';
+     *
+     * const ctx = Kontext.init({
+     *   projectId: 'my-app',
+     *   environment: 'production',
+     *   screening: {
+     *     providers: [new OFACAddressProvider(), new UKOFSIProvider()],
+     *     consensus: 'ANY_MATCH',
+     *   },
+     * });
+     * ```
+     */
+    screening?: ScreeningConfig;
+    /**
+     * Compliance policy configuration. Customizes thresholds, allowed
+     * tokens/currencies, and blocked corridors.
+     *
+     * All fields optional — defaults match current behavior ($3K EDD,
+     * $10K CTR, $50K large transaction).
+     */
+    policy?: PolicyConfig;
+}
+/** Screening configuration for pluggable multi-provider sanctions screening */
+interface ScreeningConfig {
+    /** Screening providers to use */
+    providers: ScreeningProvider[];
+    /** How to combine results from multiple providers (default: 'ANY_MATCH') */
+    consensus?: 'ANY_MATCH' | 'ALL_MATCH' | 'MAJORITY';
+    /** Addresses or entity names to always block */
+    blocklist?: string[];
+    /** Addresses or entity names to always allow (overrides provider hits) */
+    allowlist?: string[];
+    /** Per-provider timeout in milliseconds (default: 5000) */
+    providerTimeoutMs?: number;
+}
+/** Compliance policy configuration */
+interface PolicyConfig {
+    /** Customizable compliance thresholds */
+    thresholds?: {
+        /** Enhanced Due Diligence threshold (default: 3000) */
+        edd?: number;
+        /** CTR reporting threshold (default: 10000) */
+        reporting?: number;
+        /** Large transaction threshold (default: 50000) */
+        largeTransaction?: number;
+    };
+    /** Restrict to specific tokens */
+    allowedTokens?: Token[];
+    /** Restrict to specific currencies */
+    allowedCurrencies?: string[];
+    /** Blocked jurisdiction pairs */
+    corridors?: {
+        blocked?: Array<{
+            from: string;
+            to: string;
+        }>;
+    };
+    /** When true, refuse verify() if no screening provider is configured (default: false) */
+    requireScreening?: boolean;
 }
 /**
  * Interface for metadata validation. Compatible with Zod schemas and any
@@ -765,6 +913,12 @@ interface VerifyInput extends LogTransactionInput {
     confidence?: number;
     /** Additional reasoning context */
     context?: Record<string, unknown>;
+    /** When provided, anchors the terminal digest on-chain after compliance checks */
+    anchor?: OnChainAnchorConfig;
+    /** Counterparty agent for bilateral A2A attestation exchange */
+    counterparty?: CounterpartyConfig;
+    /** ERC-8021 config: fetch and parse builder attribution from transaction calldata */
+    erc8021?: ERC8021Config;
 }
 /** Result of the verify() convenience method */
 interface VerifyResult {
@@ -790,10 +944,16 @@ interface VerifyResult {
     };
     /** Reasoning entry ID (present when reasoning was provided in input) */
     reasoningId?: string;
+    /** On-chain anchor proof (present when anchor config provided in input) */
+    anchorProof?: AnchorResult;
+    /** Counterparty attestation (present when counterparty config provided in input) */
+    counterparty?: CounterpartyAttestation;
     /** True when the transaction amount exceeds the approvalThreshold */
     requiresApproval?: boolean;
     /** The pending approval task (present when requiresApproval is true) */
     task?: Task;
+    /** ERC-8021 builder attribution (present when erc8021 config provided and tx has attribution) */
+    attribution?: ERC8021Attribution;
 }
 /**
  * Input for logging an agent's reasoning/decision step.
@@ -852,6 +1012,307 @@ interface ReasoningEntry {
     /** Context */
     context: Record<string, unknown>;
 }
+/** Configuration for on-chain digest anchoring */
+interface OnChainAnchorConfig {
+    /** JSON-RPC URL for the target chain */
+    rpcUrl: string;
+    /** KontextAnchor contract address */
+    contractAddress: string;
+    /** Private key of the signer (hex with 0x prefix). Required for write operations. */
+    privateKey?: string;
+    /** ERC-8021 builder code for transaction attribution (default: 'kontext') */
+    builderCode?: string;
+}
+/** Result of an on-chain anchor transaction */
+interface AnchorResult {
+    /** The digest that was anchored */
+    digest: string;
+    /** The on-chain transaction hash */
+    txHash: string;
+    /** The block number containing the anchor */
+    blockNumber: number;
+    /** Block timestamp (unix seconds) */
+    timestamp: number;
+    /** Contract address used */
+    contractAddress: string;
+    /** Chain the anchor was submitted to */
+    chain: string;
+}
+/** Result of verifying an anchor on-chain */
+interface AnchorVerification {
+    /** Whether the digest was found on-chain */
+    anchored: boolean;
+    /** The digest that was checked */
+    digest: string;
+    /** Anchorer address (if anchored) */
+    anchorer?: string;
+    /** Project hash (if anchored) */
+    projectHash?: string;
+    /** Block timestamp (if anchored) */
+    timestamp?: number;
+}
+/** ERC-8021 transaction attribution data parsed from calldata suffix */
+interface ERC8021Attribution {
+    /** Builder/entity codes extracted from the calldata suffix */
+    codes: string[];
+    /** Schema ID (0 = canonical code registry) */
+    schemaId: number;
+    /** Raw suffix hex (with 0x prefix) */
+    rawSuffix: string;
+}
+/** ERC-8021 configuration for verify() */
+interface ERC8021Config {
+    /** JSON-RPC URL for fetching transaction calldata */
+    rpcUrl: string;
+    /** Registry contract address for resolving codes to payout addresses (future use) */
+    registryAddress?: string;
+}
+/** Agent card served at /.well-known/kontext.json */
+interface AgentCard {
+    /** Agent identifier */
+    agentId: string;
+    /** Kontext SDK version */
+    kontextVersion: string;
+    /** Supported capabilities (e.g., ['verify', 'attest']) */
+    capabilities: string[];
+    /** Attestation endpoint path (relative to host) */
+    attestEndpoint: string;
+}
+/** Counterparty configuration for verify() */
+interface CounterpartyConfig {
+    /** Base URL of the counterparty agent (e.g., https://agent.example.com) */
+    endpoint: string;
+    /** Expected agent ID (optional, verified against agent card) */
+    agentId?: string;
+    /** Timeout for attestation exchange in milliseconds (default: 10000) */
+    timeoutMs?: number;
+}
+/** Attestation request sent to counterparty */
+interface AttestationRequest {
+    /** Sender's terminal digest */
+    senderDigest: string;
+    /** Sender's agent ID */
+    senderAgentId: string;
+    /** Transaction hash */
+    txHash?: string;
+    /** Chain */
+    chain?: string;
+    /** Transfer amount */
+    amount: string;
+    /** Token */
+    token?: string;
+    /** Timestamp of the request */
+    timestamp: string;
+}
+/** Attestation response from counterparty */
+interface AttestationResponse {
+    /** Whether the counterparty attested */
+    attested: boolean;
+    /** Counterparty's terminal digest */
+    receiverDigest: string;
+    /** Counterparty's agent ID */
+    receiverAgentId: string;
+    /** Timestamp of attestation */
+    timestamp: string;
+}
+/** Counterparty attestation result included in VerifyResult */
+interface CounterpartyAttestation {
+    /** Whether the counterparty successfully attested */
+    attested: boolean;
+    /** Counterparty's digest (proof they ran compliance) */
+    digest: string;
+    /** Counterparty's agent ID */
+    agentId: string;
+    /** Attestation timestamp */
+    timestamp: string;
+}
+/** Session status */
+type SessionStatus = 'active' | 'ended' | 'expired';
+/** Checkpoint status */
+type CheckpointStatus = 'pending' | 'attested' | 'rejected' | 'expired';
+/** Attestation decision */
+type AttestationDecision = 'approved' | 'rejected';
+/** Constraints on what an agent session is authorized to do */
+interface SessionConstraints {
+    /** Maximum single transaction amount */
+    maxAmount?: string;
+    /** Allowed blockchain networks */
+    allowedChains?: Chain[];
+    /** Allowed tokens */
+    allowedTokens?: Token[];
+    /** Allowed recipient addresses (normalized to lowercase) */
+    allowedRecipients?: string[];
+}
+/** Input for creating a delegated agent session */
+interface CreateSessionInput {
+    /** Agent being delegated authority */
+    agentId: string;
+    /** Human principal who authorized this session */
+    delegatedBy: string;
+    /** Scoped capabilities (e.g., ['transfer', 'approve', 'query']) */
+    scope: string[];
+    /** Optional constraints on the session */
+    constraints?: SessionConstraints;
+    /** Session TTL in milliseconds (default: no expiry) */
+    expiresIn?: number;
+    /** Arbitrary metadata */
+    metadata?: Record<string, unknown>;
+}
+/** A delegated agent session with provenance data */
+interface AgentSession {
+    /** Unique session identifier */
+    sessionId: string;
+    /** Agent ID */
+    agentId: string;
+    /** Human who delegated authority */
+    delegatedBy: string;
+    /** Authorized scope */
+    scope: string[];
+    /** Session constraints */
+    constraints?: SessionConstraints;
+    /** Session status */
+    status: SessionStatus;
+    /** Creation timestamp */
+    createdAt: string;
+    /** End timestamp (when explicitly ended) */
+    endedAt?: string;
+    /** Expiry timestamp */
+    expiresAt?: string;
+    /** Digest from the chain link that recorded session creation */
+    digest?: string;
+    /** Prior digest in the chain */
+    priorDigest?: string;
+    /** Arbitrary metadata */
+    metadata: Record<string, unknown>;
+}
+/** Interface for external attestation providers (developer implements) */
+interface ProvenanceAttestor {
+    /** Sign an attestation payload */
+    sign(payload: AttestationPayload): Promise<AttestationSignature>;
+    /** Get the verification key for signature checking */
+    getVerificationKey(): Promise<VerificationKey>;
+}
+/** Payload presented to an attestor for signing */
+interface AttestationPayload {
+    /** Checkpoint ID */
+    checkpointId: string;
+    /** SHA-256 of concatenated action digests */
+    actionsDigest: string;
+    /** Session this checkpoint belongs to */
+    sessionId: string;
+    /** Timestamp of checkpoint creation */
+    timestamp: string;
+}
+/** Cryptographic signature from an attestor */
+interface AttestationSignature {
+    /** The signature bytes (hex or base64) */
+    signature: string;
+    /** Algorithm used (e.g., 'ES256', 'Ed25519', 'RS256') */
+    algorithm: string;
+    /** Optional key identifier */
+    keyId?: string;
+}
+/** Public verification key for checking attestation signatures */
+interface VerificationKey {
+    /** Public key (PEM, JWK string, or hex) */
+    publicKey: string;
+    /** Algorithm */
+    algorithm: string;
+    /** Optional key identifier */
+    keyId?: string;
+}
+/** A human attestation attached to a checkpoint */
+interface HumanAttestation {
+    /** Unique attestation identifier */
+    attestationId: string;
+    /** Checkpoint this attestation covers */
+    checkpointId: string;
+    /** Human reviewer identifier */
+    reviewerId: string;
+    /** Decision */
+    decision: AttestationDecision;
+    /** Optional evidence or notes from the reviewer */
+    evidence?: string;
+    /** Cryptographic signature */
+    signature: AttestationSignature;
+    /** Verification key for the signature */
+    verificationKey: VerificationKey;
+    /** Attestation timestamp */
+    timestamp: string;
+}
+/** Input for creating a provenance checkpoint */
+interface CreateCheckpointInput {
+    /** Session this checkpoint belongs to */
+    sessionId: string;
+    /** Action IDs to include in this checkpoint */
+    actionIds: string[];
+    /** Human-readable summary of what the agent did */
+    summary: string;
+    /** Checkpoint TTL in milliseconds (default: no expiry) */
+    expiresIn?: number;
+}
+/** A provenance checkpoint -- a review point in the action stream */
+interface ProvenanceCheckpoint {
+    /** Unique checkpoint identifier */
+    id: string;
+    /** Session this checkpoint belongs to */
+    sessionId: string;
+    /** Action IDs covered by this checkpoint */
+    actionIds: string[];
+    /** Human-readable summary */
+    summary: string;
+    /** SHA-256 of concatenated action digests (proves which actions were reviewed) */
+    actionsDigest: string;
+    /** Checkpoint status */
+    status: CheckpointStatus;
+    /** Attached human attestation (present after attestation) */
+    attestation?: HumanAttestation;
+    /** Creation timestamp */
+    createdAt: string;
+    /** Expiry timestamp */
+    expiresAt?: string;
+}
+/** A provenance action with session binding */
+interface ProvenanceAction {
+    /** Action ID */
+    actionId: string;
+    /** Action type */
+    type: string;
+    /** Digest from the chain */
+    digest: string;
+    /** Prior digest */
+    priorDigest: string;
+    /** Session this action is bound to */
+    sessionId: string;
+    /** Action timestamp */
+    timestamp: string;
+}
+/** Verification summary for a provenance bundle */
+interface ProvenanceBundleVerification {
+    /** Whether the digest chain covering these actions is valid */
+    digestChainValid: boolean;
+    /** Total actions in the session */
+    totalActions: number;
+    /** Actions covered by an approved human attestation */
+    humanAttested: number;
+    /** Actions bound to the session */
+    sessionScoped: number;
+    /** Actions not yet covered by any checkpoint */
+    unattested: number;
+}
+/** Complete provenance export for a session */
+interface ProvenanceBundle {
+    /** The session record */
+    session: AgentSession;
+    /** All actions bound to this session */
+    actions: ProvenanceAction[];
+    /** All checkpoints for this session */
+    checkpoints: ProvenanceCheckpoint[];
+    /** Verification summary */
+    verification: ProvenanceBundleVerification;
+    /** Export timestamp */
+    generatedAt: string;
+}
 /** Error codes for Kontext SDK */
 declare enum KontextErrorCode {
     INITIALIZATION_ERROR = "INITIALIZATION_ERROR",
@@ -1063,7 +1524,7 @@ interface PlanUsage {
     seats: number;
     /** Number of events logged in the current billing period */
     eventCount: number;
-    /** Maximum events allowed (Pro: seats x 100K) */
+    /** Maximum events allowed */
     limit: number;
     /** Remaining events before limit */
     remainingEvents: number;
@@ -1252,140 +1713,745 @@ declare class FeatureFlagManager {
     private triggerBackgroundRefresh;
 }
 
+/** Entity type for an agent identity */
+type EntityType = 'individual' | 'organization' | 'bot' | 'unknown';
+/** KYC verification status */
+type KYCStatus = 'none' | 'pending' | 'verified' | 'rejected' | 'expired';
+/** A wallet mapping associated with an agent */
+interface WalletMapping {
+    /** Wallet address (normalized to lowercase) */
+    address: string;
+    /** Blockchain network */
+    chain: string;
+    /** Whether this wallet was verified on-chain */
+    verified: boolean;
+    /** When the wallet was added */
+    addedAt: string;
+    /** Optional label for the wallet */
+    label?: string;
+}
+/** Reference to an external KYC provider verification */
+interface KYCProviderReference {
+    /** KYC provider name (e.g., 'jumio', 'onfido', 'sumsub') */
+    provider: string;
+    /** External reference/case ID from the provider */
+    referenceId: string;
+    /** Verification status */
+    status: KYCStatus;
+    /** When the verification was completed */
+    verifiedAt: string | null;
+    /** When the verification expires */
+    expiresAt: string | null;
+    /** Risk level assigned by the provider */
+    riskLevel?: 'low' | 'medium' | 'high';
+}
+/** Declared agent identity */
+interface AgentIdentity {
+    /** Agent ID (primary key) */
+    agentId: string;
+    /** Display name */
+    displayName?: string;
+    /** Entity type */
+    entityType: EntityType;
+    /** Wallet addresses associated with the agent */
+    wallets: WalletMapping[];
+    /** External KYC provider references */
+    kycReferences: KYCProviderReference[];
+    /** Contact URI (email, ENS, etc.) */
+    contactUri?: string;
+    /** Arbitrary metadata */
+    metadata: Record<string, unknown>;
+    /** When the identity was first registered */
+    createdAt: string;
+    /** When the identity was last updated */
+    updatedAt: string;
+}
+/** Input for registering a new agent identity */
+interface RegisterIdentityInput {
+    /** Agent ID */
+    agentId: string;
+    /** Display name */
+    displayName?: string;
+    /** Entity type */
+    entityType?: EntityType;
+    /** Initial wallet mappings */
+    wallets?: Array<{
+        address: string;
+        chain: string;
+        label?: string;
+    }>;
+    /** Contact URI */
+    contactUri?: string;
+    /** Arbitrary metadata */
+    metadata?: Record<string, unknown>;
+}
+/** Input for updating an existing agent identity */
+interface UpdateIdentityInput {
+    /** Updated display name */
+    displayName?: string;
+    /** Updated entity type */
+    entityType?: EntityType;
+    /** Updated contact URI */
+    contactUri?: string;
+    /** Metadata to merge */
+    metadata?: Record<string, unknown>;
+}
+/** Heuristic used to cluster wallet addresses */
+type ClusteringHeuristic = 'common-agent' | 'funding-chain' | 'gas-sponsorship' | 'temporal-co-spending' | 'declared-wallets';
+/** Evidence for why two addresses were clustered */
+interface ClusteringEvidence {
+    /** Heuristic that produced this evidence */
+    heuristic: ClusteringHeuristic;
+    /** Confidence of this particular heuristic (0-1) */
+    confidence: number;
+    /** Addresses involved */
+    addresses: [string, string];
+    /** When this evidence was detected */
+    detectedAt: string;
+    /** Additional detail */
+    detail?: string;
+}
+/** A cluster of related wallet addresses */
+interface WalletCluster {
+    /** Cluster ID */
+    id: string;
+    /** All addresses in the cluster (normalized lowercase) */
+    addresses: string[];
+    /** Agent IDs associated with this cluster */
+    agentIds: string[];
+    /** Evidence trail for this cluster */
+    evidence: ClusteringEvidence[];
+    /** Highest confidence from any evidence */
+    confidence: number;
+    /** When the cluster was formed */
+    createdAt: string;
+}
+/** Configuration for wallet clustering */
+interface WalletClusteringConfig {
+    /** Temporal co-spending window in seconds (default: 60) */
+    temporalWindowSeconds?: number;
+    /** Minimum destination overlap ratio for temporal heuristic (default: 0.3) */
+    minDestinationOverlap?: number;
+    /** Minimum number of sponsored wallets for gas sponsorship heuristic (default: 3) */
+    minGasSponsoredWallets?: number;
+}
+/** Temporal features extracted from transaction patterns */
+interface TemporalFeatures {
+    /** Mean inter-transaction interval in seconds */
+    meanIntervalSeconds: number;
+    /** Standard deviation of inter-transaction intervals */
+    stddevIntervalSeconds: number;
+    /** 24-bin hour-of-day histogram (normalized to sum=1) */
+    hourHistogram: number[];
+    /** 7-bin day-of-week histogram (normalized to sum=1) */
+    dayHistogram: number[];
+}
+/** Financial features extracted from transaction amounts */
+interface FinancialFeatures {
+    /** Mean transaction amount */
+    meanAmount: number;
+    /** Standard deviation of transaction amounts */
+    stddevAmount: number;
+    /** Median transaction amount */
+    medianAmount: number;
+    /** Ratio of round amounts (divisible by 100) */
+    roundAmountRatio: number;
+    /** Amount percentiles [p10, p25, p50, p75, p90] */
+    percentiles: [number, number, number, number, number];
+}
+/** Network features from transaction graph */
+interface NetworkFeatures {
+    /** Number of unique destination addresses */
+    uniqueDestinations: number;
+    /** Address reuse ratio: 1 - (unique / total) */
+    reuseRatio: number;
+    /** Herfindahl-Hirschman Index for destination concentration */
+    concentrationIndex: number;
+    /** Number of unique source addresses */
+    uniqueSources: number;
+}
+/** Operational features from chain/token usage */
+interface OperationalFeatures {
+    /** Distribution of transactions across chains (normalized) */
+    chainDistribution: Record<string, number>;
+    /** Distribution of transactions across tokens (normalized) */
+    tokenDistribution: Record<string, number>;
+    /** Primary chain (most used) */
+    primaryChain: string;
+    /** Primary token (most used) */
+    primaryToken: string;
+}
+/** Complete behavioral embedding for an agent */
+interface BehavioralEmbedding {
+    /** Agent ID */
+    agentId: string;
+    /** Temporal features */
+    temporal: TemporalFeatures;
+    /** Financial features */
+    financial: FinancialFeatures;
+    /** Network features */
+    network: NetworkFeatures;
+    /** Operational features */
+    operational: OperationalFeatures;
+    /** Number of transactions used to compute the embedding */
+    sampleSize: number;
+    /** When the embedding was computed */
+    computedAt: string;
+}
+/** A signal contributing to an agent link */
+interface LinkSignal {
+    /** Signal type */
+    type: 'wallet-overlap' | 'behavioral-similarity' | 'declared-identity';
+    /** Signal strength (0-1) */
+    strength: number;
+    /** Weight of this signal type (0-1) */
+    weight: number;
+    /** Detail about the signal */
+    detail?: string;
+}
+/** Link status */
+type LinkStatus = 'inferred' | 'confirmed' | 'rejected';
+/** A link between two agents */
+interface AgentLink {
+    /** Link ID */
+    id: string;
+    /** First agent ID */
+    agentIdA: string;
+    /** Second agent ID */
+    agentIdB: string;
+    /** Overall confidence (0-1) */
+    confidence: number;
+    /** Signals contributing to this link */
+    signals: LinkSignal[];
+    /** Link status */
+    status: LinkStatus;
+    /** When the link was created */
+    createdAt: string;
+    /** Who reviewed the link (if reviewed) */
+    reviewedBy?: string;
+    /** When the link was reviewed */
+    reviewedAt?: string;
+}
+/** Configuration for cross-session linking */
+interface CrossSessionLinkerConfig {
+    /** Minimum behavioral similarity to consider (default: 0.85) */
+    minBehavioralSimilarity?: number;
+    /** Minimum overall confidence to create a link (default: 0.6) */
+    minLinkConfidence?: number;
+}
+/** A component contributing to the KYA confidence score */
+interface KYAScoreComponent {
+    /** Component name */
+    name: string;
+    /** Raw component score (0-100) */
+    score: number;
+    /** Weight of this component (0-1) */
+    weight: number;
+    /** Weighted contribution to overall score */
+    weightedScore: number;
+    /** Human-readable detail */
+    detail: string;
+}
+/** Confidence level label */
+type KYAConfidenceLevel = 'unknown' | 'low' | 'medium' | 'high' | 'verified';
+/** Complete KYA confidence score for an agent */
+interface KYAConfidenceScore {
+    /** Agent ID */
+    agentId: string;
+    /** Overall score (0-100) */
+    score: number;
+    /** Confidence level */
+    level: KYAConfidenceLevel;
+    /** Component breakdown */
+    components: KYAScoreComponent[];
+    /** When the score was computed */
+    computedAt: string;
+}
+/** Configuration for confidence scoring weights */
+interface KYAConfidenceScorerConfig {
+    /** Weight for declared identity component (default: 0.20) */
+    declaredIdentityWeight?: number;
+    /** Weight for KYC verification component (default: 0.30) */
+    kycVerificationWeight?: number;
+    /** Weight for wallet graph component (default: 0.20) */
+    walletGraphWeight?: number;
+    /** Weight for behavioral consistency component (default: 0.20) */
+    behavioralConsistencyWeight?: number;
+    /** Weight for external enrichment component (default: 0.10) */
+    externalEnrichmentWeight?: number;
+}
+/** Aggregated KYA data for inclusion in audit exports */
+interface KYAEnvelope {
+    /** All registered identities */
+    identities: AgentIdentity[];
+    /** Wallet clusters */
+    clusters: WalletCluster[];
+    /** Behavioral embeddings (if enterprise) */
+    embeddings: BehavioralEmbedding[];
+    /** Agent links (if enterprise) */
+    links: AgentLink[];
+    /** Confidence scores */
+    scores: KYAConfidenceScore[];
+    /** When the envelope was generated */
+    generatedAt: string;
+}
+
 /**
- * Main Kontext SDK client. Provides a unified interface to all SDK features:
- * action logging, task confirmation, audit export, trust scoring, and
- * anomaly detection.
- *
- * Supports two operating modes:
- * - **Local mode** (no API key): All data stored locally, suitable for
- *   open-source usage and development.
- * - **Cloud mode** (with API key): Data synced to Kontext API for
- *   persistent storage and advanced features.
- *
- * @example
- * ```typescript
- * import { Kontext } from '@kontext/sdk';
- *
- * const kontext = Kontext.init({
- *   projectId: 'my-project',
- *   environment: 'development',
- * });
- *
- * await kontext.logTransaction({
- *   txHash: '0x...',
- *   chain: 'base',
- *   amount: '100',
- *   token: 'USDC',
- *   from: '0xSender',
- *   to: '0xReceiver',
- *   agentId: 'agent-1',
- * });
- * ```
+ * In-memory registry for agent identities.
+ * Provides CRUD operations, wallet index lookups, and KYC reference management.
  */
-declare class Kontext {
-    private readonly config;
-    private readonly store;
-    private readonly logger;
-    private readonly taskManager;
-    private readonly auditExporter;
-    private readonly mode;
-    private readonly planManager;
-    private readonly exporter;
-    private readonly featureFlagManager;
-    private readonly trustScorer;
-    private readonly anomalyDetector;
-    private constructor();
+declare class AgentIdentityRegistry {
+    /** agentId -> AgentIdentity */
+    private readonly identities;
+    /** normalized address -> agentId (reverse index) */
+    private readonly walletIndex;
     /**
-     * Initialize the Kontext SDK.
-     *
-     * @param config - Configuration options
-     * @returns Initialized Kontext client instance
-     *
-     * @example
-     * ```typescript
-     * // Local/OSS mode (no API key)
-     * const kontext = Kontext.init({
-     *   projectId: 'my-project',
-     *   environment: 'development',
-     * });
-     *
-     * // Cloud mode (with API key)
-     * const kontext = Kontext.init({
-     *   apiKey: 'sk_live_...',
-     *   projectId: 'my-project',
-     *   environment: 'production',
-     * });
-     *
-     * // With persistent file storage
-     * const kontext = Kontext.init({
-     *   projectId: 'my-project',
-     *   environment: 'development',
-     *   storage: new FileStorage('./kontext-data'),
-     * });
-     * ```
+     * Register a new agent identity.
      */
-    static init(config: KontextConfig): Kontext;
+    register(input: RegisterIdentityInput): AgentIdentity;
     /**
-     * Get the current operating mode.
+     * Update an existing agent identity.
      */
-    getMode(): KontextMode;
+    update(agentId: string, input: UpdateIdentityInput): AgentIdentity;
     /**
-     * Get the current configuration (API key is masked).
+     * Get an agent identity by agent ID.
      */
-    getConfig(): Omit<KontextConfig, 'apiKey'> & {
-        apiKey?: string;
-    };
+    get(agentId: string): AgentIdentity | undefined;
     /**
-     * Validate metadata against the configured schema, if any.
-     * No-op when metadataSchema is not configured.
+     * Remove an agent identity and all wallet index entries.
      */
-    private validateMetadata;
+    remove(agentId: string): boolean;
     /**
-     * Log a generic agent action.
-     *
-     * @param input - Action details
-     * @returns The created action log entry
+     * Get all registered identities.
      */
-    log(input: LogActionInput): Promise<ActionLog>;
+    getAll(): AgentIdentity[];
     /**
-     * Log a cryptocurrency transaction with full chain details.
-     *
-     * @param input - Transaction details
-     * @returns The created transaction record
+     * Add a wallet to an existing agent identity.
      */
-    logTransaction(input: LogTransactionInput): Promise<TransactionRecord>;
+    addWallet(agentId: string, wallet: {
+        address: string;
+        chain: string;
+        label?: string;
+    }): AgentIdentity;
     /**
-     * Flush any pending log batches.
+     * Remove a wallet from an agent identity.
      */
-    flushLogs(): Promise<void>;
+    removeWallet(agentId: string, address: string): AgentIdentity;
     /**
-     * Persist all current in-memory state to the attached storage adapter.
-     * No-op if no storage adapter is configured.
+     * Look up an agent identity by wallet address.
      */
-    flush(): Promise<void>;
+    lookupByWallet(address: string): AgentIdentity | undefined;
     /**
-     * Restore state from the attached storage adapter.
-     * Loads previously persisted actions, transactions, tasks, and anomalies.
-     * Also restores the digest chain's terminal digest so that new actions
-     * chain correctly across process boundaries.
-     * No-op if no storage adapter is configured.
+     * Add a KYC provider reference to an agent identity.
      */
-    restore(): Promise<void>;
+    addKycReference(agentId: string, reference: KYCProviderReference): AgentIdentity;
     /**
-     * Create a new tracked task that requires evidence for confirmation.
-     *
-     * @param input - Task details including required evidence types
-     * @returns The created task
+     * Get the overall KYC status for an agent.
+     * Returns the best status from all references.
      */
-    createTask(input: CreateTaskInput): Promise<Task>;
+    getKycStatus(agentId: string): KYCStatus;
     /**
-     * Confirm a task by providing evidence.
-     *
-     * @param input - Task ID and evidence data
-     * @returns The confirmed task
+     * Check if an agent has at least one verified and non-expired KYC reference.
      */
-    confirmTask(input: ConfirmTaskInput): Promise<Task>;
+    hasVerifiedKyc(agentId: string): boolean;
+}
+
+/**
+ * In-memory data store for the Kontext SDK.
+ * Holds all action logs, transactions, tasks, and anomaly events.
+ *
+ * When a StorageAdapter is provided, call `flush()` to persist state
+ * and `restore()` to reload from storage.
+ */
+declare class KontextStore {
+    private actions;
+    private transactions;
+    private tasks;
+    private anomalies;
+    private sessions;
+    private checkpoints;
+    private storageAdapter;
+    private readonly maxEntries;
+    constructor(maxEntries?: number);
+    /**
+     * Attach a storage adapter for persistence.
+     *
+     * @param adapter - The storage backend to use
+     */
+    setStorageAdapter(adapter: StorageAdapter): void;
+    /**
+     * Get the currently attached storage adapter (if any).
+     */
+    getStorageAdapter(): StorageAdapter | null;
+    /**
+     * Persist all current in-memory state to the attached storage adapter.
+     * No-op if no adapter is attached.
+     */
+    flush(): Promise<void>;
+    /**
+     * Restore in-memory state from the attached storage adapter.
+     * Merges loaded data with any existing in-memory data.
+     * No-op if no adapter is attached.
+     */
+    restore(): Promise<void>;
+    /** Append an action log entry. Evicts oldest 10% when maxEntries is exceeded. */
+    addAction(action: ActionLog): void;
+    /** Retrieve all action log entries. */
+    getActions(): ActionLog[];
+    /** Retrieve actions filtered by a predicate. */
+    queryActions(predicate: (action: ActionLog) => boolean): ActionLog[];
+    /** Get actions for a specific agent. */
+    getActionsByAgent(agentId: string): ActionLog[];
+    /** Get actions for a specific session (across all agents). */
+    getActionsBySession(sessionId: string): ActionLog[];
+    /** Append a transaction record. Evicts oldest 10% when maxEntries is exceeded. */
+    addTransaction(tx: TransactionRecord): void;
+    /** Retrieve all transaction records. */
+    getTransactions(): TransactionRecord[];
+    /** Retrieve transactions filtered by a predicate. */
+    queryTransactions(predicate: (tx: TransactionRecord) => boolean): TransactionRecord[];
+    /** Get transactions for a specific agent. */
+    getTransactionsByAgent(agentId: string): TransactionRecord[];
+    /** Get the most recent N transactions for an agent. */
+    getRecentTransactions(agentId: string, limit: number): TransactionRecord[];
+    /** Store a task. */
+    addTask(task: Task): void;
+    /** Retrieve a task by ID. */
+    getTask(taskId: string): Task | undefined;
+    /** Update a task. */
+    updateTask(taskId: string, updates: Partial<Task>): Task | undefined;
+    /** Retrieve all tasks. */
+    getTasks(): Task[];
+    /** Retrieve tasks filtered by a predicate. */
+    queryTasks(predicate: (task: Task) => boolean): Task[];
+    /** Append an anomaly event. Evicts oldest 10% when maxEntries is exceeded. */
+    addAnomaly(anomaly: AnomalyEvent): void;
+    /** Retrieve all anomaly events. */
+    getAnomalies(): AnomalyEvent[];
+    /** Retrieve anomalies filtered by a predicate. */
+    queryAnomalies(predicate: (anomaly: AnomalyEvent) => boolean): AnomalyEvent[];
+    /** Store a session. */
+    addSession(session: AgentSession): void;
+    /** Retrieve a session by ID. */
+    getSession(sessionId: string): AgentSession | undefined;
+    /** Update a session. */
+    updateSession(sessionId: string, updates: Partial<AgentSession>): AgentSession | undefined;
+    /** Retrieve all sessions. */
+    getSessions(): AgentSession[];
+    /** Retrieve sessions filtered by a predicate. */
+    querySessions(predicate: (session: AgentSession) => boolean): AgentSession[];
+    /** Store a checkpoint. */
+    addCheckpoint(checkpoint: ProvenanceCheckpoint): void;
+    /** Retrieve a checkpoint by ID. */
+    getCheckpoint(checkpointId: string): ProvenanceCheckpoint | undefined;
+    /** Update a checkpoint. */
+    updateCheckpoint(checkpointId: string, updates: Partial<ProvenanceCheckpoint>): ProvenanceCheckpoint | undefined;
+    /** Retrieve all checkpoints. */
+    getCheckpoints(): ProvenanceCheckpoint[];
+    /** Retrieve checkpoints filtered by a predicate. */
+    queryCheckpoints(predicate: (cp: ProvenanceCheckpoint) => boolean): ProvenanceCheckpoint[];
+    /** Get total record counts across all stores. */
+    getCounts(): {
+        actions: number;
+        transactions: number;
+        tasks: number;
+        anomalies: number;
+        sessions: number;
+        checkpoints: number;
+    };
+    /** Clear all stored data. Useful for testing. */
+    clear(): void;
+}
+
+/**
+ * Clusters wallet addresses using multiple heuristics.
+ * Builds on UnionFind for efficient merging.
+ */
+declare class WalletClusterer {
+    private readonly config;
+    private cachedClusters;
+    constructor(config?: WalletClusteringConfig);
+    /**
+     * Analyze transactions from the store and registry to produce wallet clusters.
+     */
+    analyzeFromStore(store: KontextStore, registry?: AgentIdentityRegistry): WalletCluster[];
+    /**
+     * Get cached clusters (or empty if not analyzed yet).
+     */
+    getClusters(): WalletCluster[];
+    /**
+     * Invalidate the cached clusters.
+     */
+    invalidateCache(): void;
+    /**
+     * Heuristic 1: Common Agent (confidence 0.9)
+     * Same agentId used multiple addresses -> union all from/to per agent.
+     */
+    private applyCommonAgent;
+    /**
+     * Heuristic 2: Funding Chain (confidence 0.7)
+     * If A sends to B, and A is agent-associated -> union A and B.
+     */
+    private applyFundingChain;
+    /**
+     * Heuristic 3: Gas Sponsorship (confidence 0.75)
+     * If G is from in transfers to 3+ distinct agent wallets -> union G with all.
+     */
+    private applyGasSponsorship;
+    /**
+     * Heuristic 4: Temporal Co-Spending (confidence 0.6)
+     * Addresses transacting within a window with destination overlap.
+     */
+    private applyTemporalCoSpending;
+    /**
+     * Heuristic 5: Declared Wallets (confidence 1.0)
+     * All wallets declared by the same identity are unioned.
+     */
+    private applyDeclaredWallets;
+    private buildClusters;
+}
+
+/**
+ * Computes behavioral fingerprints (embeddings) from agent transaction patterns.
+ * Used for cross-session linking and behavioral consistency scoring.
+ */
+declare class BehavioralFingerprinter {
+    /**
+     * Compute a behavioral embedding for an agent from their transaction history.
+     * Returns null if the agent has fewer than MIN_SAMPLE_SIZE transactions.
+     */
+    computeEmbedding(agentId: string, store: KontextStore): BehavioralEmbedding | null;
+    /**
+     * Compute cosine similarity between two behavioral embeddings.
+     * Returns a value in [0, 1] where 1 means identical and 0 means orthogonal.
+     */
+    cosineSimilarity(a: BehavioralEmbedding, b: BehavioralEmbedding): number;
+    private extractTemporalFeatures;
+    private extractFinancialFeatures;
+    private extractNetworkFeatures;
+    private extractOperationalFeatures;
+    private percentile;
+    /**
+     * Flatten an embedding into a numeric vector for cosine similarity.
+     * Log-scales magnitude values with log(1+x).
+     */
+    private flattenEmbedding;
+}
+
+/**
+ * Links agents across sessions by analyzing wallet graph overlap,
+ * behavioral similarity, and declared identity signals.
+ */
+declare class CrossSessionLinker {
+    private readonly config;
+    private readonly links;
+    constructor(config?: CrossSessionLinkerConfig);
+    /**
+     * Analyze all agents and create links between those with sufficient signals.
+     */
+    analyzeAndLink(store: KontextStore, registry: AgentIdentityRegistry, clusterer: WalletClusterer, fingerprinter: BehavioralFingerprinter): AgentLink[];
+    /**
+     * Manually link two agents.
+     */
+    manualLink(agentIdA: string, agentIdB: string, reviewedBy: string): AgentLink;
+    /**
+     * Review a link (confirm or reject).
+     */
+    reviewLink(linkId: string, decision: 'confirmed' | 'rejected', reviewedBy: string): AgentLink | undefined;
+    /**
+     * Get all agents linked to the given agent.
+     */
+    getLinkedAgents(agentId: string): string[];
+    /**
+     * Get all links for a specific agent.
+     */
+    getLinksForAgent(agentId: string): AgentLink[];
+    /**
+     * Get all links.
+     */
+    getAllLinks(): AgentLink[];
+    private getLinkKey;
+    private computeWalletOverlap;
+    private computeDeclaredIdentitySignal;
+}
+
+/**
+ * Computes a composite KYA confidence score from 5 signal components.
+ */
+declare class KYAConfidenceScorer {
+    private readonly weights;
+    constructor(config?: KYAConfidenceScorerConfig);
+    /**
+     * Compute a composite confidence score for an agent.
+     */
+    computeScore(agentId: string, registry: AgentIdentityRegistry, clusterer: WalletClusterer, fingerprinter: BehavioralFingerprinter, linker: CrossSessionLinker, store: KontextStore): KYAConfidenceScore;
+    private scoreDeclaredIdentity;
+    private scoreKycVerification;
+    private scoreWalletGraph;
+    private scoreBehavioralConsistency;
+    private scoreExternalEnrichment;
+    private scoreToLevel;
+}
+
+/**
+ * Main Kontext SDK client. Provides a unified interface to all SDK features:
+ * action logging, task confirmation, audit export, trust scoring, and
+ * anomaly detection.
+ *
+ * Supports two operating modes:
+ * - **Local mode** (no API key): All data stored locally, suitable for
+ *   open-source usage and development.
+ * - **Cloud mode** (with API key): Data synced to Kontext API for
+ *   persistent storage and advanced features.
+ *
+ * @example
+ * ```typescript
+ * import { Kontext } from '@kontext/sdk';
+ *
+ * const kontext = Kontext.init({
+ *   projectId: 'my-project',
+ *   environment: 'development',
+ * });
+ *
+ * await kontext.logTransaction({
+ *   txHash: '0x...',
+ *   chain: 'base',
+ *   amount: '100',
+ *   token: 'USDC',
+ *   from: '0xSender',
+ *   to: '0xReceiver',
+ *   agentId: 'agent-1',
+ * });
+ * ```
+ */
+declare class Kontext {
+    private readonly config;
+    private readonly store;
+    private readonly logger;
+    private readonly taskManager;
+    private readonly auditExporter;
+    private readonly mode;
+    private readonly planManager;
+    private readonly exporter;
+    private readonly featureFlagManager;
+    private readonly trustScorer;
+    private readonly anomalyDetector;
+    private readonly screeningAggregator;
+    private provenanceManager;
+    private identityRegistry;
+    private walletClusterer;
+    private behavioralFingerprinter;
+    private crossSessionLinker;
+    private confidenceScorer;
+    private constructor();
+    /**
+     * Initialize the Kontext SDK.
+     *
+     * @param config - Configuration options
+     * @returns Initialized Kontext client instance
+     *
+     * @example
+     * ```typescript
+     * // Local/OSS mode (no API key)
+     * const kontext = Kontext.init({
+     *   projectId: 'my-project',
+     *   environment: 'development',
+     * });
+     *
+     * // Cloud mode (with API key)
+     * const kontext = Kontext.init({
+     *   apiKey: 'sk_live_...',
+     *   projectId: 'my-project',
+     *   environment: 'production',
+     * });
+     *
+     * // With persistent file storage
+     * const kontext = Kontext.init({
+     *   projectId: 'my-project',
+     *   environment: 'development',
+     *   storage: new FileStorage('./kontext-data'),
+     * });
+     * ```
+     */
+    static init(config: KontextConfig): Kontext;
+    /**
+     * Get the current operating mode.
+     */
+    getMode(): KontextMode;
+    /**
+     * Get the current configuration (API key is masked).
+     */
+    getConfig(): Omit<KontextConfig, 'apiKey'> & {
+        apiKey?: string;
+    };
+    /**
+     * Validate metadata against the configured schema, if any.
+     * No-op when metadataSchema is not configured.
+     */
+    private validateMetadata;
+    /**
+     * Map aggregated screening results into UsdcComplianceCheck format.
+     * Produces the same check/riskLevel/recommendations shape as
+     * UsdcCompliance.checkTransaction() and PaymentCompliance.checkPayment().
+     */
+    private buildComplianceFromScreening;
+    /** Lazy-init ProvenanceManager on first use. */
+    private getProvenanceManager;
+    /** Lazy-init AgentIdentityRegistry on first use. */
+    private getIdentityRegistry;
+    /** Lazy-init WalletClusterer on first use. */
+    private getWalletClusterer;
+    /** Lazy-init BehavioralFingerprinter on first use. */
+    private getBehavioralFingerprinter;
+    /** Lazy-init CrossSessionLinker on first use. */
+    private getCrossSessionLinker;
+    /** Lazy-init KYAConfidenceScorer on first use. */
+    private getConfidenceScorer;
+    /**
+     * Log a generic agent action.
+     *
+     * @param input - Action details
+     * @returns The created action log entry
+     */
+    log(input: LogActionInput): Promise<ActionLog>;
+    /**
+     * Log a cryptocurrency transaction with full chain details.
+     *
+     * @param input - Transaction details
+     * @returns The created transaction record
+     */
+    logTransaction(input: LogTransactionInput): Promise<TransactionRecord>;
+    /**
+     * Flush any pending log batches.
+     */
+    flushLogs(): Promise<void>;
+    /**
+     * Persist all current in-memory state to the attached storage adapter.
+     * No-op if no storage adapter is configured.
+     */
+    flush(): Promise<void>;
+    /**
+     * Restore state from the attached storage adapter.
+     * Loads previously persisted actions, transactions, tasks, and anomalies.
+     * Also restores the digest chain's terminal digest so that new actions
+     * chain correctly across process boundaries.
+     * No-op if no storage adapter is configured.
+     */
+    restore(): Promise<void>;
+    /**
+     * Create a new tracked task that requires evidence for confirmation.
+     *
+     * @param input - Task details including required evidence types
+     * @returns The created task
+     */
+    createTask(input: CreateTaskInput): Promise<Task>;
+    /**
+     * Confirm a task by providing evidence.
+     *
+     * @param input - Task ID and evidence data
+     * @returns The confirmed task
+     */
+    confirmTask(input: ConfirmTaskInput): Promise<Task>;
     /**
      * Get the current status of a task.
      *
@@ -1624,6 +2690,120 @@ declare class Kontext {
      * ```
      */
     generateComplianceCertificate(input: GenerateComplianceCertificateInput): Promise<ComplianceCertificate>;
+    /**
+     * Create a delegated agent session. Records the delegation in the
+     * tamper-evident digest chain as the session's genesis event.
+     */
+    createAgentSession(input: CreateSessionInput): Promise<AgentSession>;
+    /**
+     * Get an agent session by ID. Automatically marks expired sessions.
+     */
+    getAgentSession(sessionId: string): AgentSession | undefined;
+    /**
+     * Get all agent sessions.
+     */
+    getAgentSessions(): AgentSession[];
+    /**
+     * End an active agent session. Records the termination in the digest chain.
+     */
+    endAgentSession(sessionId: string): Promise<AgentSession>;
+    /**
+     * Check whether an action is within a session's delegated scope.
+     */
+    validateSessionScope(sessionId: string, action: string): boolean;
+    /**
+     * Get all actions bound to a session (via sessionId on log/verify calls).
+     */
+    getSessionActions(sessionId: string): ActionLog[];
+    /**
+     * Create a provenance checkpoint -- a review point where a human
+     * can attest to a batch of agent actions.
+     */
+    createCheckpoint(input: CreateCheckpointInput): Promise<ProvenanceCheckpoint>;
+    /**
+     * Attach an externally-produced human attestation to a checkpoint.
+     * The attestation includes a cryptographic signature that the agent
+     * never touches -- key separation is the critical security property.
+     */
+    attachAttestation(checkpointId: string, attestation: HumanAttestation): Promise<ProvenanceCheckpoint>;
+    /**
+     * Get a checkpoint by ID.
+     */
+    getCheckpoint(checkpointId: string): ProvenanceCheckpoint | undefined;
+    /**
+     * Get all checkpoints, optionally filtered by session.
+     */
+    getCheckpoints(sessionId?: string): ProvenanceCheckpoint[];
+    /**
+     * Export the full provenance bundle for a session: session record,
+     * all bound actions, all checkpoints, and verification stats.
+     */
+    getProvenanceBundle(sessionId: string): ProvenanceBundle;
+    /**
+     * Register a new agent identity with optional wallet mappings.
+     * Requires Pro plan.
+     */
+    registerAgentIdentity(input: RegisterIdentityInput): AgentIdentity;
+    /**
+     * Get a registered agent identity by ID.
+     * Requires Pro plan.
+     */
+    getAgentIdentity(agentId: string): AgentIdentity | undefined;
+    /**
+     * Update an existing agent identity.
+     * Requires Pro plan.
+     */
+    updateAgentIdentity(agentId: string, input: UpdateIdentityInput): AgentIdentity;
+    /**
+     * Remove an agent identity.
+     * Requires Pro plan.
+     */
+    removeAgentIdentity(agentId: string): boolean;
+    /**
+     * Add a wallet to an existing agent identity.
+     * Requires Pro plan.
+     */
+    addAgentWallet(agentId: string, wallet: {
+        address: string;
+        chain: string;
+        label?: string;
+        isPrimary?: boolean;
+    }): AgentIdentity;
+    /**
+     * Look up which agent owns a wallet address.
+     * Requires Pro plan.
+     */
+    lookupAgentByWallet(address: string): AgentIdentity | undefined;
+    /**
+     * Compute wallet clusters from transaction patterns and declared identities.
+     * Requires Pro plan.
+     */
+    getWalletClusters(): WalletCluster[];
+    /**
+     * Export all KYA data as a single envelope.
+     * Requires Pro plan.
+     */
+    getKYAExport(): KYAEnvelope;
+    /**
+     * Compute a behavioral embedding for an agent from transaction history.
+     * Returns null if insufficient data. Requires Enterprise plan.
+     */
+    computeBehavioralEmbedding(agentId: string): BehavioralEmbedding | null;
+    /**
+     * Analyze all agents and create cross-session links.
+     * Requires Enterprise plan.
+     */
+    analyzeAgentLinks(): AgentLink[];
+    /**
+     * Get agents linked to a specific agent.
+     * Requires Enterprise plan.
+     */
+    getLinkedAgents(agentId: string): string[];
+    /**
+     * Compute a composite identity confidence score for an agent.
+     * Requires Enterprise plan.
+     */
+    getKYAConfidenceScore(agentId: string): KYAConfidenceScore;
     /**
      * Get current usage statistics for the plan.
      *
@@ -1765,159 +2945,309 @@ declare class UsdcCompliance {
      * }
      * ```
      */
-    static isSanctioned(address: string): boolean;
-    /**
-     * Perform a detailed sanctions check that returns which list matched.
-     *
-     * @param address - The Ethereum address to check
-     * @returns SanctionsCheckResult with match details
-     */
-    static checkSanctionsDetailed(address: string): SanctionsCheckResult;
+    static isSanctioned(address: string): boolean;
+    /**
+     * Perform a detailed sanctions check that returns which list matched.
+     *
+     * @param address - The Ethereum address to check
+     * @returns SanctionsCheckResult with match details
+     */
+    static checkSanctionsDetailed(address: string): SanctionsCheckResult;
+    /**
+     * Get all known sanctioned addresses.
+     *
+     * @returns Array of sanctioned addresses
+     */
+    static getSanctionedAddresses(): string[];
+    /**
+     * Get the USDC contract address for a given chain.
+     *
+     * @param chain - The blockchain network
+     * @returns The USDC contract address, or undefined for unsupported chains
+     */
+    static getContractAddress(chain: Chain): string | undefined;
+    /**
+     * Get the chains supported for USDC compliance monitoring.
+     */
+    static getSupportedChains(): Chain[];
+    /**
+     * Add new sanctioned addresses at runtime.
+     * Normalizes all addresses to lowercase for consistent matching.
+     * Skips addresses that are already in the list.
+     *
+     * @param addresses - Array of Ethereum addresses to add
+     * @returns The count of newly added addresses (excluding duplicates)
+     */
+    static addSanctionedAddresses(addresses: string[]): number;
+    /**
+     * Replace the entire sanctioned addresses list at runtime.
+     * Clears existing entries and rebuilds from the provided array.
+     *
+     * @param addresses - The new complete list of sanctioned addresses
+     */
+    static replaceSanctionedAddresses(addresses: string[]): void;
+    /**
+     * Get the current number of addresses in the sanctions list.
+     *
+     * @returns The size of the current sanctions list
+     */
+    static getSanctionsListSize(): number;
+    private static checkTokenType;
+    private static checkChainSupport;
+    private static checkAddressFormat;
+    private static checkAmountValid;
+    private static checkSanctions;
+    private static checkEnhancedDueDiligence;
+    private static checkReportingThreshold;
+    private static generateRecommendations;
+}
+
+declare class PaymentCompliance {
+    /**
+     * Run compliance checks on a general payment.
+     *
+     * @param input - Payment to evaluate
+     * @returns UsdcComplianceCheck with pass/fail results and recommendations
+     */
+    static checkPayment(input: LogTransactionInput): UsdcComplianceCheck;
+    private static checkAmountValid;
+    private static checkEntityScreening;
+    private static checkEnhancedDueDiligence;
+    private static checkReportingThreshold;
+    private static generateRecommendations;
+}
+
+/**
+ * Verify whether a digest has been anchored on-chain.
+ * Uses eth_call — no signing required, no dependencies.
+ */
+declare function verifyAnchor(rpcUrl: string, contractAddress: string, digest: string): Promise<AnchorVerification>;
+/**
+ * Get full anchor details for a digest.
+ * Returns null if the digest is not anchored.
+ */
+declare function getAnchor(rpcUrl: string, contractAddress: string, digest: string): Promise<{
+    anchorer: string;
+    projectHash: string;
+    timestamp: number;
+} | null>;
+/**
+ * Anchor a digest hash on-chain via the KontextAnchor contract.
+ * Requires viem: `npm install viem`
+ */
+declare function anchorDigest(config: OnChainAnchorConfig, digest: string, projectId: string): Promise<AnchorResult>;
+/**
+ * Exporter that anchors terminal digest hashes on Base chain.
+ * Buffers events and anchors when batchSize is reached.
+ */
+declare class OnChainExporter implements EventExporter {
+    private readonly config;
+    private readonly projectId;
+    private readonly batchSize;
+    private readonly getTerminalDigest;
+    private eventCount;
+    constructor(config: OnChainAnchorConfig, projectId: string, getTerminalDigest: () => string);
+    export(events: ActionLog[]): Promise<ExporterResult>;
+    flush(): Promise<void>;
+    shutdown(): Promise<void>;
+}
+
+/** Default builder code for Kontext anchor transactions */
+declare const KONTEXT_BUILDER_CODE = "kontext";
+/**
+ * Encode an ERC-8021 data suffix for the given builder codes.
+ * Returns hex string (no 0x prefix) to append directly to calldata.
+ *
+ * Layout: [codesLength (1 byte)][codes (ASCII, comma-delimited)][schemaId (1 byte)][marker (16 bytes)]
+ */
+declare function encodeERC8021Suffix(codes: string[]): string;
+/**
+ * Parse an ERC-8021 data suffix from calldata.
+ * Returns null if the calldata does not contain a valid ERC-8021 suffix.
+ * Parses backward from the end of calldata.
+ */
+declare function parseERC8021Suffix(calldata: string): ERC8021Attribution | null;
+/**
+ * Fetch a transaction's calldata and parse ERC-8021 attribution.
+ * Uses eth_getTransactionByHash via JSON-RPC (zero dependencies).
+ */
+declare function fetchTransactionAttribution(rpcUrl: string, txHash: string): Promise<ERC8021Attribution | null>;
+
+/**
+ * Fetch the counterparty's agent card from /.well-known/kontext.json
+ */
+declare function fetchAgentCard(endpoint: string, timeoutMs?: number): Promise<AgentCard>;
+/**
+ * Exchange compliance attestation with a counterparty agent.
+ *
+ * Flow:
+ * 1. Fetch counterparty's agent card from /.well-known/kontext.json
+ * 2. Validate agent ID if specified
+ * 3. Verify counterparty supports attestation
+ * 4. POST attestation request to counterparty's attest endpoint
+ * 5. Return counterparty's attestation response
+ */
+declare function exchangeAttestation(config: CounterpartyConfig, request: AttestationRequest): Promise<CounterpartyAttestation>;
+
+/**
+ * ActionLogger handles structured logging of all agent actions.
+ *
+ * Supports two output modes:
+ * - **Local mode** (no API key): Writes structured JSON logs to the local filesystem.
+ * - **Cloud mode** (with API key): Batches and sends logs to the Kontext API.
+ *
+ * Logs include timestamps, agent IDs, correlation IDs, and arbitrary metadata
+ * for full audit traceability.
+ */
+declare class ActionLogger {
+    private readonly config;
+    private readonly store;
+    private readonly digestChain;
+    private batch;
+    private flushTimer;
+    private readonly batchSize;
+    private readonly flushIntervalMs;
+    private readonly isCloudMode;
+    private readonly logLevel;
+    constructor(config: KontextConfig, store: KontextStore);
+    /**
+     * Log a generic agent action.
+     *
+     * @param input - Action details including type, description, agentId, and metadata
+     * @returns The created ActionLog entry
+     *
+     * @example
+     * ```typescript
+     * const action = await logger.log({
+     *   type: 'approval',
+     *   description: 'Agent approved USDC spending',
+     *   agentId: 'agent-1',
+     *   metadata: { spender: '0x...', amount: '1000' },
+     * });
+     * ```
+     */
+    log(input: LogActionInput): Promise<ActionLog>;
+    /**
+     * Log a cryptocurrency transaction with full chain details.
+     *
+     * @param input - Transaction details including txHash, chain, amount, token, from, to
+     * @returns The created TransactionRecord
+     *
+     * @example
+     * ```typescript
+     * const tx = await logger.logTransaction({
+     *   txHash: '0xabc123...',
+     *   chain: 'base',
+     *   amount: '100.00',
+     *   token: 'USDC',
+     *   from: '0xSender...',
+     *   to: '0xReceiver...',
+     *   agentId: 'payment-agent-1',
+     * });
+     * ```
+     */
+    logTransaction(input: LogTransactionInput): Promise<TransactionRecord>;
     /**
-     * Get all known sanctioned addresses.
-     *
-     * @returns Array of sanctioned addresses
+     * Flush the current batch of logs.
+     * In local mode, writes to a JSON file.
+     * In cloud mode, sends to the Kontext API.
      */
-    static getSanctionedAddresses(): string[];
+    flush(): Promise<void>;
     /**
-     * Get the USDC contract address for a given chain.
-     *
-     * @param chain - The blockchain network
-     * @returns The USDC contract address, or undefined for unsupported chains
+     * Stop the logger and flush any remaining logs.
      */
-    static getContractAddress(chain: Chain): string | undefined;
+    destroy(): Promise<void>;
     /**
-     * Get the chains supported for USDC compliance monitoring.
+     * Get the terminal digest — the latest SHA-256 digest in the chain.
+     * Can be embedded in outgoing messages as tamper-evident proof.
      */
-    static getSupportedChains(): Chain[];
+    getTerminalDigest(): string;
     /**
-     * Add new sanctioned addresses at runtime.
-     * Normalizes all addresses to lowercase for consistent matching.
-     * Skips addresses that are already in the list.
-     *
-     * @param addresses - Array of Ethereum addresses to add
-     * @returns The count of newly added addresses (excluding duplicates)
+     * Get the full digest chain for export or verification.
      */
-    static addSanctionedAddresses(addresses: string[]): number;
+    getDigestChain(): DigestChain;
     /**
-     * Replace the entire sanctioned addresses list at runtime.
-     * Clears existing entries and rebuilds from the provided array.
-     *
-     * @param addresses - The new complete list of sanctioned addresses
+     * Verify the integrity of the digest chain against stored actions.
      */
-    static replaceSanctionedAddresses(addresses: string[]): void;
+    verifyChain(actions: ActionLog[]): ReturnType<DigestChain['verify']>;
     /**
-     * Get the current number of addresses in the sanctions list.
-     *
-     * @returns The size of the current sanctions list
+     * Restore chain state from persisted actions so that new actions
+     * chain correctly across process boundaries.
      */
-    static getSanctionsListSize(): number;
-    private static checkTokenType;
-    private static checkChainSupport;
-    private static checkAddressFormat;
-    private static checkAmountValid;
-    private static checkSanctions;
-    private static checkEnhancedDueDiligence;
-    private static checkReportingThreshold;
-    private static generateRecommendations;
-}
-
-declare class PaymentCompliance {
+    restoreChainState(terminalDigest: string): void;
+    private validateTransactionInput;
+    private flushToFile;
+    private flushToApi;
     /**
-     * Run compliance checks on a general payment.
-     *
-     * @param input - Payment to evaluate
-     * @returns UsdcComplianceCheck with pass/fail results and recommendations
+     * Emit a log message at the specified severity level.
+     * Only outputs if the message level meets or exceeds the configured logLevel.
      */
-    static checkPayment(input: LogTransactionInput): UsdcComplianceCheck;
-    private static checkAmountValid;
-    private static checkEntityScreening;
-    private static checkEnhancedDueDiligence;
-    private static checkReportingThreshold;
-    private static generateRecommendations;
+    emitLog(level: LogLevel, message: string, data?: unknown): void;
 }
 
 /**
- * In-memory data store for the Kontext SDK.
- * Holds all action logs, transactions, tasks, and anomaly events.
- *
- * When a StorageAdapter is provided, call `flush()` to persist state
- * and `restore()` to reload from storage.
+ * Manages agent provenance across three layers:
+ * - Layer 1: Session delegation (who authorized the agent)
+ * - Layer 2: Action binding (actions linked to sessions via sessionId)
+ * - Layer 3: Human attestation checkpoints (cryptographic review proof)
  */
-declare class KontextStore {
-    private actions;
-    private transactions;
-    private tasks;
-    private anomalies;
-    private storageAdapter;
-    private readonly maxEntries;
-    constructor(maxEntries?: number);
+declare class ProvenanceManager {
+    private readonly store;
+    private readonly logger;
+    constructor(store: KontextStore, logger: ActionLogger);
     /**
-     * Attach a storage adapter for persistence.
-     *
-     * @param adapter - The storage backend to use
+     * Create a delegated agent session. Records the delegation in the
+     * tamper-evident digest chain as the session's genesis event.
      */
-    setStorageAdapter(adapter: StorageAdapter): void;
+    createSession(input: CreateSessionInput): Promise<AgentSession>;
     /**
-     * Get the currently attached storage adapter (if any).
+     * Get an agent session by ID. Automatically marks expired sessions.
      */
-    getStorageAdapter(): StorageAdapter | null;
+    getSession(sessionId: string): AgentSession | undefined;
     /**
-     * Persist all current in-memory state to the attached storage adapter.
-     * No-op if no adapter is attached.
+     * Get all agent sessions.
      */
-    flush(): Promise<void>;
+    getSessions(): AgentSession[];
     /**
-     * Restore in-memory state from the attached storage adapter.
-     * Merges loaded data with any existing in-memory data.
-     * No-op if no adapter is attached.
+     * End an active agent session. Records the termination in the digest chain.
      */
-    restore(): Promise<void>;
-    /** Append an action log entry. Evicts oldest 10% when maxEntries is exceeded. */
-    addAction(action: ActionLog): void;
-    /** Retrieve all action log entries. */
-    getActions(): ActionLog[];
-    /** Retrieve actions filtered by a predicate. */
-    queryActions(predicate: (action: ActionLog) => boolean): ActionLog[];
-    /** Get actions for a specific agent. */
-    getActionsByAgent(agentId: string): ActionLog[];
-    /** Get actions for a specific session (across all agents). */
-    getActionsBySession(sessionId: string): ActionLog[];
-    /** Append a transaction record. Evicts oldest 10% when maxEntries is exceeded. */
-    addTransaction(tx: TransactionRecord): void;
-    /** Retrieve all transaction records. */
-    getTransactions(): TransactionRecord[];
-    /** Retrieve transactions filtered by a predicate. */
-    queryTransactions(predicate: (tx: TransactionRecord) => boolean): TransactionRecord[];
-    /** Get transactions for a specific agent. */
-    getTransactionsByAgent(agentId: string): TransactionRecord[];
-    /** Get the most recent N transactions for an agent. */
-    getRecentTransactions(agentId: string, limit: number): TransactionRecord[];
-    /** Store a task. */
-    addTask(task: Task): void;
-    /** Retrieve a task by ID. */
-    getTask(taskId: string): Task | undefined;
-    /** Update a task. */
-    updateTask(taskId: string, updates: Partial<Task>): Task | undefined;
-    /** Retrieve all tasks. */
-    getTasks(): Task[];
-    /** Retrieve tasks filtered by a predicate. */
-    queryTasks(predicate: (task: Task) => boolean): Task[];
-    /** Append an anomaly event. Evicts oldest 10% when maxEntries is exceeded. */
-    addAnomaly(anomaly: AnomalyEvent): void;
-    /** Retrieve all anomaly events. */
-    getAnomalies(): AnomalyEvent[];
-    /** Retrieve anomalies filtered by a predicate. */
-    queryAnomalies(predicate: (anomaly: AnomalyEvent) => boolean): AnomalyEvent[];
-    /** Get total record counts across all stores. */
-    getCounts(): {
-        actions: number;
-        transactions: number;
-        tasks: number;
-        anomalies: number;
-    };
-    /** Clear all stored data. Useful for testing. */
-    clear(): void;
+    endSession(sessionId: string): Promise<AgentSession>;
+    /**
+     * Check whether an action is within a session's delegated scope.
+     */
+    validateScope(sessionId: string, action: string): boolean;
+    /**
+     * Check whether a transaction meets session constraints.
+     */
+    validateConstraints(sessionId: string, input: {
+        amount?: string;
+        chain?: string;
+        token?: string;
+        to?: string;
+    }): boolean;
+    /**
+     * Create a provenance checkpoint -- a review point where a human
+     * can attest to a batch of agent actions.
+     */
+    createCheckpoint(input: CreateCheckpointInput): Promise<ProvenanceCheckpoint>;
+    /**
+     * Attach an externally-produced human attestation to a checkpoint.
+     * The attestation includes a cryptographic signature that the agent
+     * never touches -- key separation is the critical security property.
+     */
+    attachAttestation(checkpointId: string, attestation: HumanAttestation): Promise<ProvenanceCheckpoint>;
+    /**
+     * Get a checkpoint by ID. Automatically marks expired checkpoints.
+     */
+    getCheckpoint(checkpointId: string): ProvenanceCheckpoint | undefined;
+    /**
+     * Get all checkpoints, optionally filtered by session.
+     */
+    getCheckpoints(sessionId?: string): ProvenanceCheckpoint[];
+    /**
+     * Export the full provenance bundle for a session.
+     */
+    getProvenanceBundle(sessionId: string): ProvenanceBundle;
 }
 
 /** Pre-fetched data for a single agent, passed to factor methods to avoid redundant store queries. */
@@ -2182,4 +3512,346 @@ declare class AnomalyDetector {
     private notifyCallbacks;
 }
 
-export { type ActionLog, type AgentData, type AnomalyCallback, type AnomalyDetectionConfig, AnomalyDetector, type AnomalyEvent, type AnomalyRuleType, type AnomalySeverity, type AnomalyThresholds, type Chain, type ComplianceCertificate, type ComplianceCheckResult, type ComplianceReport, type ConfirmTaskInput, ConsoleExporter, type CreateTaskInput, type DateRange, DigestChain, type DigestLink, type DigestVerification, type Environment, type EventExporter, type ExportFormat, type ExportOptions, type ExportResult, type ExporterResult, type FeatureFlag, type FeatureFlagConfig, FeatureFlagManager, FileStorage, type FlagPlanTargeting, type FlagScope, type FlagTargeting, type GatedFeature, type GenerateComplianceCertificateInput, JsonFileExporter, Kontext, type KontextConfig, KontextError, KontextErrorCode, type KontextMode, type LimitEvent, type LogActionInput, type LogLevel, type LogReasoningInput, type LogTransactionInput, MemoryStorage, type MetadataValidator, NoopExporter, PLAN_LIMITS, PaymentCompliance, type PlanConfig, PlanManager, type PlanTier, type PlanUsage, type PrecisionTimestamp, type ReasoningEntry, type ReportOptions, type ReportType, type RiskFactor, type SanctionsCheckResult, type StorageAdapter, type Task, type TaskEvidence, type TaskStatus, type Token, type TransactionEvaluation, type TransactionRecord, type TrustFactor, type TrustScore, TrustScorer, UsdcCompliance, type UsdcComplianceCheck, type VerifyInput, type VerifyResult, isCryptoTransaction, isFeatureAvailable, requirePlan, verifyExportedChain };
+/**
+ * OFAC SDN Address Provider.
+ *
+ * Screens blockchain addresses against the U.S. Treasury OFAC Specially
+ * Designated Nationals (SDN) list. Uses ~33 hardcoded addresses from
+ * the public SDN list. Distinguishes between actively sanctioned and
+ * delisted (formerly sanctioned) addresses.
+ *
+ * - **Free tier**, no API key required
+ * - **Browser-safe** — pure in-memory lookups
+ * - O(1) Set lookup, case-insensitive
+ *
+ * @example
+ * ```typescript
+ * const provider = new OFACAddressProvider();
+ * const result = await provider.screen('0x098B716B8Aaf21512996dC57EB0615e2383E2f96');
+ * // result.hit === true (Lazarus Group, OFAC sanctioned)
+ * ```
+ */
+declare class OFACAddressProvider implements ScreeningProvider {
+    readonly id = "ofac-sdn-address";
+    readonly name = "OFAC SDN Address Screener";
+    readonly lists: readonly SanctionsList[];
+    readonly requiresApiKey = false;
+    readonly browserCompatible = true;
+    readonly queryTypes: readonly QueryType[];
+    screen(query: string, _context?: ScreeningContext): Promise<ScreeningResult>;
+    isAvailable(): boolean;
+    getEntryCount(): number;
+}
+
+/**
+ * OFAC SDN Entity Name Provider.
+ *
+ * Screens entity/person names against the full OFAC SDN entity database
+ * (18,664 entities) using fuzzy string matching. Wraps the existing
+ * `OFACSanctionsScreener` from `ofac-sanctions.ts`.
+ *
+ * - **Free tier**, no API key required
+ * - **Node.js only** — loads full SDN data, too large for browser
+ * - Fuzzy matching at 0.85 threshold with minimum 4-char match length
+ * - Distinguishes between active and delisted entities
+ *
+ * @example
+ * ```typescript
+ * const provider = new OFACEntityProvider();
+ * if (provider.isAvailable()) {
+ *   const result = await provider.screen('Lazarus Group');
+ *   // result.hit === true
+ * }
+ * ```
+ */
+declare class OFACEntityProvider implements ScreeningProvider {
+    readonly id = "ofac-sdn-entity";
+    readonly name = "OFAC SDN Entity Screener";
+    readonly lists: readonly SanctionsList[];
+    readonly requiresApiKey = false;
+    readonly browserCompatible = false;
+    readonly queryTypes: readonly QueryType[];
+    screen(query: string, _context?: ScreeningContext): Promise<ScreeningResult>;
+    isAvailable(): boolean;
+    getEntryCount(): number;
+}
+
+/**
+ * UK OFSI Address Provider.
+ *
+ * Screens blockchain addresses against the UK OFSI Consolidated List.
+ * Coverage is limited compared to OFAC — most UK sanctions are entity-name-based.
+ * For comprehensive UK entity screening, use OpenSanctionsProvider.
+ *
+ * - **Free tier**, no API key required
+ * - **Browser-safe** — pure in-memory lookups
+ *
+ * @example
+ * ```typescript
+ * const provider = new UKOFSIProvider();
+ * const result = await provider.screen('0x098B716B8Aaf21512996dC57EB0615e2383E2f96');
+ * // result.hit === true (Lazarus Group, OFSI designated)
+ * ```
+ */
+declare class UKOFSIProvider implements ScreeningProvider {
+    readonly id = "uk-ofsi-address";
+    readonly name = "UK OFSI Address Screener";
+    readonly lists: readonly SanctionsList[];
+    readonly requiresApiKey = false;
+    readonly browserCompatible = true;
+    readonly queryTypes: readonly QueryType[];
+    screen(query: string, _context?: ScreeningContext): Promise<ScreeningResult>;
+    isAvailable(): boolean;
+    getEntryCount(): number;
+}
+
+/**
+ * OpenSanctions Local Provider.
+ *
+ * Screens addresses and entity names against locally-synced OpenSanctions
+ * bulk data (331+ sources including APAC domestic lists).
+ *
+ * Data is NOT bundled — developers download via `kontext sync` and handle
+ * their own OpenSanctions licensing (CC-BY-NC 4.0 for non-commercial,
+ * commercial license for business use).
+ *
+ * - **Free tier**, no API key required
+ * - **Node.js only** — reads from local filesystem
+ * - Supports address + entity name queries
+ *
+ * @example
+ * ```typescript
+ * const provider = new OpenSanctionsLocalProvider();
+ * if (provider.isAvailable()) {
+ *   const result = await provider.screen('Lazarus Group');
+ *   // result.hit === true if match found in local data
+ * }
+ * ```
+ */
+declare class OpenSanctionsLocalProvider implements ScreeningProvider {
+    readonly id = "opensanctions-local";
+    readonly name = "OpenSanctions (Local Data)";
+    readonly lists: readonly SanctionsList[];
+    readonly requiresApiKey = false;
+    readonly browserCompatible = false;
+    readonly queryTypes: readonly QueryType[];
+    private dataDir;
+    private entities;
+    private addressSet;
+    private addressToEntity;
+    private loaded;
+    constructor(dataDir?: string);
+    screen(query: string, _context?: ScreeningContext): Promise<ScreeningResult>;
+    isAvailable(): boolean;
+    getEntryCount(): number;
+    sync(): Promise<{
+        updated: boolean;
+        count: number;
+    }>;
+    private screenAddress;
+    private screenEntityName;
+    private entityToMatch;
+    private getEntityStatus;
+    private loadData;
+    private resolveDataDir;
+}
+
+/**
+ * OpenSanctions REST API Provider.
+ *
+ * Screens both blockchain addresses AND entity names via the OpenSanctions
+ * `/match` endpoint. Covers 331+ sanctions sources worldwide including
+ * OFAC, EU, UN, UK, and APAC domestic lists.
+ *
+ * - **Free tier** in Kontext (metered by events)
+ * - **Requires API key** from OpenSanctions (developer brings own key)
+ * - **NOT browser-compatible** — requires server-side API calls
+ *
+ * @example
+ * ```typescript
+ * const provider = new OpenSanctionsProvider({
+ *   apiKey: process.env.OPENSANCTIONS_API_KEY!,
+ * });
+ * const result = await provider.screen('Lazarus Group');
+ * ```
+ */
+declare class OpenSanctionsProvider implements ScreeningProvider {
+    readonly id = "opensanctions-api";
+    readonly name = "OpenSanctions (API)";
+    readonly lists: readonly SanctionsList[];
+    readonly requiresApiKey = true;
+    readonly browserCompatible = false;
+    readonly queryTypes: readonly QueryType[];
+    private readonly apiKey;
+    private readonly baseUrl;
+    private readonly dataset;
+    constructor(config: {
+        apiKey: string;
+        baseUrl?: string;
+        dataset?: string;
+    });
+    screen(query: string, _context?: ScreeningContext): Promise<ScreeningResult>;
+    isAvailable(): boolean;
+}
+/**
+ * Chainalysis Free API Provider.
+ *
+ * Screens blockchain addresses via the Chainalysis free screening API.
+ * Address-only — does not support entity name screening.
+ *
+ * - **Free tier** in Kontext (metered by events)
+ * - **Requires API key** from Chainalysis (developer brings own key)
+ * - **NOT browser-compatible** — requires server-side API calls
+ *
+ * @example
+ * ```typescript
+ * const provider = new ChainalysisFreeAPIProvider({
+ *   apiKey: process.env.CHAINALYSIS_API_KEY!,
+ * });
+ * const result = await provider.screen('0x098B716B8Aaf21512996dC57EB0615e2383E2f96');
+ * ```
+ */
+declare class ChainalysisFreeAPIProvider implements ScreeningProvider {
+    readonly id = "chainalysis-free-api";
+    readonly name = "Chainalysis Free API";
+    readonly lists: readonly SanctionsList[];
+    readonly requiresApiKey = true;
+    readonly browserCompatible = false;
+    readonly queryTypes: readonly QueryType[];
+    private readonly apiKey;
+    private readonly baseUrl;
+    constructor(config: {
+        apiKey: string;
+        baseUrl?: string;
+    });
+    screen(query: string, _context?: ScreeningContext): Promise<ScreeningResult>;
+    isAvailable(): boolean;
+}
+
+/**
+ * Chainalysis OFAC Oracle Provider.
+ *
+ * Screens blockchain addresses against the Chainalysis sanctions oracle,
+ * which tracks OFAC SDN addresses. Supports two modes:
+ *
+ * 1. **REST API mode** (default): Queries the Chainalysis screening API
+ * 2. **On-chain mode**: Queries the on-chain oracle contract via eth_call
+ *    (requires an Ethereum RPC URL)
+ *
+ * - **Free tier** in Kontext (metered by events)
+ * - **Requires API key** (REST mode) or **RPC URL** (on-chain mode)
+ * - **NOT browser-compatible** — requires server-side calls
+ *
+ * @example
+ * ```typescript
+ * // REST API mode
+ * const provider = new ChainalysisOracleProvider({
+ *   apiKey: process.env.CHAINALYSIS_API_KEY!,
+ * });
+ *
+ * // On-chain mode
+ * const provider = new ChainalysisOracleProvider({
+ *   rpcUrl: 'https://eth-mainnet.g.alchemy.com/v2/YOUR_KEY',
+ * });
+ * ```
+ */
+declare class ChainalysisOracleProvider implements ScreeningProvider {
+    readonly id = "chainalysis-oracle";
+    readonly name = "Chainalysis OFAC Oracle";
+    readonly lists: readonly SanctionsList[];
+    readonly requiresApiKey = true;
+    readonly browserCompatible = false;
+    readonly queryTypes: readonly QueryType[];
+    private readonly apiKey;
+    private readonly rpcUrl;
+    private readonly apiBaseUrl;
+    constructor(config: {
+        apiKey?: string;
+        rpcUrl?: string;
+        apiBaseUrl?: string;
+    });
+    screen(query: string, _context?: ScreeningContext): Promise<ScreeningResult>;
+    isAvailable(): boolean;
+    private screenOnChain;
+    private screenApi;
+    private errorResult;
+}
+
+type ConsensusStrategy = 'ANY_MATCH' | 'ALL_MATCH' | 'MAJORITY';
+interface ScreeningAggregatorConfig {
+    providers: ScreeningProvider[];
+    consensus?: ConsensusStrategy;
+    blocklist?: string[];
+    allowlist?: string[];
+    continueOnError?: boolean;
+    providerTimeoutMs?: number;
+    onEvent?: () => void;
+    providerRateLimitPerSec?: number;
+}
+interface AggregatedScreeningResult {
+    providerId: string;
+    hit: boolean;
+    matches: ScreeningMatch[];
+    listsChecked: readonly SanctionsList[];
+    entriesSearched: number;
+    durationMs: number;
+    queryType: QueryType;
+    totalProviders: number;
+    hitCount: number;
+    consensus: ConsensusStrategy;
+    blocklisted?: boolean;
+    allowlisted?: boolean;
+    errors: Array<{
+        providerId: string;
+        error: string;
+    }>;
+    uncoveredLists: SanctionsList[];
+    providerResults: ScreeningResult[];
+}
+/**
+ * Multi-provider screening orchestrator.
+ *
+ * Routes queries to compatible providers based on auto-detected query type,
+ * applies consensus strategy, and tracks jurisdiction coverage.
+ *
+ * @example
+ * ```typescript
+ * const agg = new ScreeningAggregator({
+ *   providers: [new OFACAddressProvider(), new UKOFSIProvider()],
+ *   consensus: 'ANY_MATCH',
+ *   onEvent: () => planManager.recordEvent(),
+ * });
+ *
+ * const result = await agg.screen('0x098B716B8Aaf21512996dC57EB0615e2383E2f96');
+ * ```
+ */
+declare class ScreeningAggregator {
+    private readonly providers;
+    private readonly consensus;
+    private readonly blocklistSet;
+    private readonly allowlistSet;
+    private readonly continueOnError;
+    private readonly providerTimeoutMs;
+    private readonly onEvent;
+    constructor(config: ScreeningAggregatorConfig);
+    /**
+     * Screen a single query (address or entity name).
+     */
+    screen(query: string, context?: ScreeningContext): Promise<AggregatedScreeningResult>;
+    /**
+     * Screen multiple queries in batch.
+     */
+    screenBatch(queries: string[], context?: ScreeningContext): Promise<Map<string, AggregatedScreeningResult>>;
+    /**
+     * Get available providers, optionally filtered by query type.
+     */
+    getAvailableProviders(queryType?: QueryType): ScreeningProvider[];
+    /**
+     * Get the union of all sanctions lists covered by available providers.
+     */
+    getCoveredLists(): SanctionsList[];
+    private runWithTimeout;
+    private buildResult;
+}
+
+export { type ActionLog, type AgentCard, type AgentData, type AgentIdentity, AgentIdentityRegistry, type AgentLink, type AgentSession, type AggregatedScreeningResult, type AnchorResult, type AnchorVerification, type AnomalyCallback, type AnomalyDetectionConfig, AnomalyDetector, type AnomalyEvent, type AnomalyRuleType, type AnomalySeverity, type AnomalyThresholds, type AttestationDecision, type AttestationPayload, type AttestationRequest, type AttestationResponse, type AttestationSignature, type BehavioralEmbedding, BehavioralFingerprinter, CURRENCY_REQUIRED_LISTS, type Chain, ChainalysisFreeAPIProvider, ChainalysisOracleProvider, type CheckpointStatus, type ClusteringEvidence, type ClusteringHeuristic, type ComplianceCertificate, type ComplianceCheckResult, type ComplianceReport, type ConfirmTaskInput, type ConsensusStrategy, ConsoleExporter, type CounterpartyAttestation, type CounterpartyConfig, type CreateCheckpointInput, type CreateSessionInput, type CreateTaskInput, CrossSessionLinker, type CrossSessionLinkerConfig, type DateRange, DigestChain, type DigestLink, type DigestVerification, type ERC8021Attribution, type ERC8021Config, type EntityStatus, type EntityType, type Environment, type EventExporter, type ExportFormat, type ExportOptions, type ExportResult, type ExporterResult, type FeatureFlag, type FeatureFlagConfig, FeatureFlagManager, FileStorage, type FinancialFeatures, type FlagPlanTargeting, type FlagScope, type FlagTargeting, type GatedFeature, type GenerateComplianceCertificateInput, type HumanAttestation, JsonFileExporter, type Jurisdiction, KONTEXT_BUILDER_CODE, type KYAConfidenceLevel, type KYAConfidenceScore, KYAConfidenceScorer, type KYAConfidenceScorerConfig, type KYAEnvelope, type KYAScoreComponent, type KYCProviderReference, type KYCStatus, Kontext, type KontextConfig, KontextError, KontextErrorCode, type KontextMode, type LimitEvent, type LinkSignal, type LinkStatus, type LogActionInput, type LogLevel, type LogReasoningInput, type LogTransactionInput, type MatchType, MemoryStorage, type MetadataValidator, type NetworkFeatures, NoopExporter, OFACAddressProvider, OFACEntityProvider, type OnChainAnchorConfig, OnChainExporter, OpenSanctionsLocalProvider, OpenSanctionsProvider, type OperationalFeatures, PLAN_LIMITS, PaymentCompliance, type PlanConfig, PlanManager, type PlanTier, type PlanUsage, type PolicyConfig, type PrecisionTimestamp, type ProvenanceAction, type ProvenanceAttestor, type ProvenanceBundle, type ProvenanceBundleVerification, type ProvenanceCheckpoint, ProvenanceManager, type QueryType, type ReasoningEntry, type RegisterIdentityInput, type ReportOptions, type ReportType, type RiskFactor, type SanctionsCheckResult, type SanctionsList, ScreeningAggregator, type ScreeningAggregatorConfig, type ScreeningConfig, type ScreeningContext, type ScreeningMatch, type ScreeningProvider, type ScreeningResult, type SessionConstraints, type SessionStatus, type StorageAdapter, TOKEN_REQUIRED_LISTS, type Task, type TaskEvidence, type TaskStatus, type TemporalFeatures, type Token, type TransactionEvaluation, type TransactionRecord, type TrustFactor, type TrustScore, TrustScorer, UKOFSIProvider, type UpdateIdentityInput, UsdcCompliance, type UsdcComplianceCheck, type VerificationKey, type VerifyInput, type VerifyResult, type WalletCluster, WalletClusterer, type WalletClusteringConfig, type WalletMapping, anchorDigest, encodeERC8021Suffix, exchangeAttestation, fetchAgentCard, fetchTransactionAttribution, getAnchor, getRequiredLists, isBlockchainAddress, isCryptoTransaction, isFeatureAvailable, parseERC8021Suffix, providerSupportsQuery, requirePlan, verifyAnchor, verifyExportedChain };