proofseal 0.0.1 → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (55) hide show
  1. package/LICENSE +21 -0
  2. package/NOTICE +13 -0
  3. package/README.md +210 -2
  4. package/dist/cli/index.d.ts +2 -0
  5. package/dist/cli/index.js +440 -0
  6. package/dist/cli/index.js.map +1 -0
  7. package/dist/config.d.ts +19 -0
  8. package/dist/config.js +58 -0
  9. package/dist/config.js.map +1 -0
  10. package/dist/core/canonical.d.ts +16 -0
  11. package/dist/core/canonical.js +29 -0
  12. package/dist/core/canonical.js.map +1 -0
  13. package/dist/core/hash.d.ts +32 -0
  14. package/dist/core/hash.js +81 -0
  15. package/dist/core/hash.js.map +1 -0
  16. package/dist/core/marker-lint.d.ts +5 -0
  17. package/dist/core/marker-lint.js +55 -0
  18. package/dist/core/marker-lint.js.map +1 -0
  19. package/dist/core/paths.d.ts +10 -0
  20. package/dist/core/paths.js +13 -0
  21. package/dist/core/paths.js.map +1 -0
  22. package/dist/harness/quantize.d.ts +38 -0
  23. package/dist/harness/quantize.js +76 -0
  24. package/dist/harness/quantize.js.map +1 -0
  25. package/dist/harness/run.d.ts +61 -0
  26. package/dist/harness/run.js +137 -0
  27. package/dist/harness/run.js.map +1 -0
  28. package/dist/history/gitinfo.d.ts +16 -0
  29. package/dist/history/gitinfo.js +69 -0
  30. package/dist/history/gitinfo.js.map +1 -0
  31. package/dist/history/jsonl.d.ts +28 -0
  32. package/dist/history/jsonl.js +71 -0
  33. package/dist/history/jsonl.js.map +1 -0
  34. package/dist/history/queries.d.ts +43 -0
  35. package/dist/history/queries.js +86 -0
  36. package/dist/history/queries.js.map +1 -0
  37. package/dist/index.d.ts +18 -0
  38. package/dist/index.js +19 -0
  39. package/dist/index.js.map +1 -0
  40. package/dist/keys/derive.d.ts +28 -0
  41. package/dist/keys/derive.js +59 -0
  42. package/dist/keys/derive.js.map +1 -0
  43. package/dist/manifest/schema.d.ts +1068 -0
  44. package/dist/manifest/schema.js +102 -0
  45. package/dist/manifest/schema.js.map +1 -0
  46. package/dist/manifest/seal.d.ts +41 -0
  47. package/dist/manifest/seal.js +185 -0
  48. package/dist/manifest/seal.js.map +1 -0
  49. package/dist/manifest/verify.d.ts +102 -0
  50. package/dist/manifest/verify.js +246 -0
  51. package/dist/manifest/verify.js.map +1 -0
  52. package/dist/mcp/server.d.ts +1 -0
  53. package/dist/mcp/server.js +138 -0
  54. package/dist/mcp/server.js.map +1 -0
  55. package/package.json +50 -3
package/dist/manifest/schema.d.ts ADDED
@@ -0,0 +1,1068 @@
1
+ /**
2
+ * proofseal/v1 manifest schema — types + zod validation (ADR-0001 §5.3).
3
+ */
4
+ import { z } from 'zod';
5
+ export declare const SCHEMA_ID = "proofseal/v1";
6
+ export declare const ToleranceSchema: z.ZodObject<{
7
+ rtol: z.ZodNumber;
8
+ atol: z.ZodNumber;
9
+ }, "strip", z.ZodTypeAny, {
10
+ rtol: number;
11
+ atol: number;
12
+ }, {
13
+ rtol: number;
14
+ atol: number;
15
+ }>;
16
+ export type Tolerance = z.infer<typeof ToleranceSchema>;
17
+ export declare const FileHashClaimSchema: z.ZodObject<{
18
+ type: z.ZodLiteral<"file-hash">;
19
+ file: z.ZodString;
20
+ /** Computed at seal time; optional in config. */
21
+ sha256: z.ZodOptional<z.ZodString>;
22
+ id: z.ZodString;
23
+ desc: z.ZodOptional<z.ZodString>;
24
+ }, "strip", z.ZodTypeAny, {
25
+ type: "file-hash";
26
+ file: string;
27
+ id: string;
28
+ sha256?: string | undefined;
29
+ desc?: string | undefined;
30
+ }, {
31
+ type: "file-hash";
32
+ file: string;
33
+ id: string;
34
+ sha256?: string | undefined;
35
+ desc?: string | undefined;
36
+ }>;
37
+ export type FileHashClaim = z.infer<typeof FileHashClaimSchema>;
38
+ export declare const MarkerClaimSchema: z.ZodObject<{
39
+ type: z.ZodLiteral<"marker">;
40
+ file: z.ZodString;
41
+ marker: z.ZodString;
42
+ /** Computed at seal time; optional in config. */
43
+ sha256: z.ZodOptional<z.ZodString>;
44
+ markerVerified: z.ZodOptional<z.ZodBoolean>;
45
+ id: z.ZodString;
46
+ desc: z.ZodOptional<z.ZodString>;
47
+ }, "strip", z.ZodTypeAny, {
48
+ type: "marker";
49
+ file: string;
50
+ id: string;
51
+ marker: string;
52
+ sha256?: string | undefined;
53
+ desc?: string | undefined;
54
+ markerVerified?: boolean | undefined;
55
+ }, {
56
+ type: "marker";
57
+ file: string;
58
+ id: string;
59
+ marker: string;
60
+ sha256?: string | undefined;
61
+ desc?: string | undefined;
62
+ markerVerified?: boolean | undefined;
63
+ }>;
64
+ export type MarkerClaim = z.infer<typeof MarkerClaimSchema>;
65
+ export declare const HarnessClaimSchema: z.ZodObject<{
66
+ type: z.ZodLiteral<"harness">;
67
+ /** Harness name (defaults to claim id when omitted in config). */
68
+ harness: z.ZodString;
69
+ /** Command spawned with PROOFSEAL_SEED in env. */
70
+ cmd: z.ZodString;
71
+ seed: z.ZodOptional<z.ZodNumber>;
72
+ quantizeDecimals: z.ZodOptional<z.ZodNumber>;
73
+ /** Named output blocks to exclude from hashing (pitfall 6: un-hashable features). */
74
+ exclude: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
75
+ /** Committed expectation — set by `proofseal harness run --update`. */
76
+ expectedSha256: z.ZodOptional<z.ZodString>;
77
+ /** Path (relative to root) to a committed JSON array of reference numbers. */
78
+ referenceVector: z.ZodOptional<z.ZodString>;
79
+ tolerance: z.ZodOptional<z.ZodObject<{
80
+ rtol: z.ZodNumber;
81
+ atol: z.ZodNumber;
82
+ }, "strip", z.ZodTypeAny, {
83
+ rtol: number;
84
+ atol: number;
85
+ }, {
86
+ rtol: number;
87
+ atol: number;
88
+ }>>;
89
+ id: z.ZodString;
90
+ desc: z.ZodOptional<z.ZodString>;
91
+ }, "strip", z.ZodTypeAny, {
92
+ type: "harness";
93
+ id: string;
94
+ harness: string;
95
+ cmd: string;
96
+ desc?: string | undefined;
97
+ seed?: number | undefined;
98
+ quantizeDecimals?: number | undefined;
99
+ exclude?: string[] | undefined;
100
+ expectedSha256?: string | undefined;
101
+ referenceVector?: string | undefined;
102
+ tolerance?: {
103
+ rtol: number;
104
+ atol: number;
105
+ } | undefined;
106
+ }, {
107
+ type: "harness";
108
+ id: string;
109
+ harness: string;
110
+ cmd: string;
111
+ desc?: string | undefined;
112
+ seed?: number | undefined;
113
+ quantizeDecimals?: number | undefined;
114
+ exclude?: string[] | undefined;
115
+ expectedSha256?: string | undefined;
116
+ referenceVector?: string | undefined;
117
+ tolerance?: {
118
+ rtol: number;
119
+ atol: number;
120
+ } | undefined;
121
+ }>;
122
+ export type HarnessClaim = z.infer<typeof HarnessClaimSchema>;
123
+ export declare const ClaimSchema: z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
124
+ type: z.ZodLiteral<"file-hash">;
125
+ file: z.ZodString;
126
+ /** Computed at seal time; optional in config. */
127
+ sha256: z.ZodOptional<z.ZodString>;
128
+ id: z.ZodString;
129
+ desc: z.ZodOptional<z.ZodString>;
130
+ }, "strip", z.ZodTypeAny, {
131
+ type: "file-hash";
132
+ file: string;
133
+ id: string;
134
+ sha256?: string | undefined;
135
+ desc?: string | undefined;
136
+ }, {
137
+ type: "file-hash";
138
+ file: string;
139
+ id: string;
140
+ sha256?: string | undefined;
141
+ desc?: string | undefined;
142
+ }>, z.ZodObject<{
143
+ type: z.ZodLiteral<"marker">;
144
+ file: z.ZodString;
145
+ marker: z.ZodString;
146
+ /** Computed at seal time; optional in config. */
147
+ sha256: z.ZodOptional<z.ZodString>;
148
+ markerVerified: z.ZodOptional<z.ZodBoolean>;
149
+ id: z.ZodString;
150
+ desc: z.ZodOptional<z.ZodString>;
151
+ }, "strip", z.ZodTypeAny, {
152
+ type: "marker";
153
+ file: string;
154
+ id: string;
155
+ marker: string;
156
+ sha256?: string | undefined;
157
+ desc?: string | undefined;
158
+ markerVerified?: boolean | undefined;
159
+ }, {
160
+ type: "marker";
161
+ file: string;
162
+ id: string;
163
+ marker: string;
164
+ sha256?: string | undefined;
165
+ desc?: string | undefined;
166
+ markerVerified?: boolean | undefined;
167
+ }>, z.ZodObject<{
168
+ type: z.ZodLiteral<"harness">;
169
+ /** Harness name (defaults to claim id when omitted in config). */
170
+ harness: z.ZodString;
171
+ /** Command spawned with PROOFSEAL_SEED in env. */
172
+ cmd: z.ZodString;
173
+ seed: z.ZodOptional<z.ZodNumber>;
174
+ quantizeDecimals: z.ZodOptional<z.ZodNumber>;
175
+ /** Named output blocks to exclude from hashing (pitfall 6: un-hashable features). */
176
+ exclude: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
177
+ /** Committed expectation — set by `proofseal harness run --update`. */
178
+ expectedSha256: z.ZodOptional<z.ZodString>;
179
+ /** Path (relative to root) to a committed JSON array of reference numbers. */
180
+ referenceVector: z.ZodOptional<z.ZodString>;
181
+ tolerance: z.ZodOptional<z.ZodObject<{
182
+ rtol: z.ZodNumber;
183
+ atol: z.ZodNumber;
184
+ }, "strip", z.ZodTypeAny, {
185
+ rtol: number;
186
+ atol: number;
187
+ }, {
188
+ rtol: number;
189
+ atol: number;
190
+ }>>;
191
+ id: z.ZodString;
192
+ desc: z.ZodOptional<z.ZodString>;
193
+ }, "strip", z.ZodTypeAny, {
194
+ type: "harness";
195
+ id: string;
196
+ harness: string;
197
+ cmd: string;
198
+ desc?: string | undefined;
199
+ seed?: number | undefined;
200
+ quantizeDecimals?: number | undefined;
201
+ exclude?: string[] | undefined;
202
+ expectedSha256?: string | undefined;
203
+ referenceVector?: string | undefined;
204
+ tolerance?: {
205
+ rtol: number;
206
+ atol: number;
207
+ } | undefined;
208
+ }, {
209
+ type: "harness";
210
+ id: string;
211
+ harness: string;
212
+ cmd: string;
213
+ desc?: string | undefined;
214
+ seed?: number | undefined;
215
+ quantizeDecimals?: number | undefined;
216
+ exclude?: string[] | undefined;
217
+ expectedSha256?: string | undefined;
218
+ referenceVector?: string | undefined;
219
+ tolerance?: {
220
+ rtol: number;
221
+ atol: number;
222
+ } | undefined;
223
+ }>]>;
224
+ export type Claim = z.infer<typeof ClaimSchema>;
225
+ export declare const SummarySchema: z.ZodObject<{
226
+ totalClaims: z.ZodNumber;
227
+ verified: z.ZodNumber;
228
+ missing: z.ZodNumber;
229
+ }, "strip", z.ZodTypeAny, {
230
+ totalClaims: number;
231
+ verified: number;
232
+ missing: number;
233
+ }, {
234
+ totalClaims: number;
235
+ verified: number;
236
+ missing: number;
237
+ }>;
238
+ export type ManifestSummary = z.infer<typeof SummarySchema>;
239
+ /**
240
+ * Sealing environment (premortem #3: platform honesty). Recorded — and
241
+ * therefore signed — at seal time so verify can warn when the verifying OS
242
+ * differs (built/binary artifact hashes legitimately diverge across OSes).
243
+ */
244
+ export declare const PlatformSchema: z.ZodObject<{
245
+ os: z.ZodString;
246
+ arch: z.ZodString;
247
+ node: z.ZodString;
248
+ }, "strip", z.ZodTypeAny, {
249
+ os: string;
250
+ arch: string;
251
+ node: string;
252
+ }, {
253
+ os: string;
254
+ arch: string;
255
+ node: string;
256
+ }>;
257
+ export type ManifestPlatform = z.infer<typeof PlatformSchema>;
258
+ export declare const ManifestSchema: z.ZodObject<{
259
+ schema: z.ZodLiteral<"proofseal/v1">;
260
+ issuedAt: z.ZodString;
261
+ gitCommit: z.ZodString;
262
+ branch: z.ZodString;
263
+ salt: z.ZodString;
264
+ releases: z.ZodRecord<z.ZodString, z.ZodString>;
265
+ summary: z.ZodObject<{
266
+ totalClaims: z.ZodNumber;
267
+ verified: z.ZodNumber;
268
+ missing: z.ZodNumber;
269
+ }, "strip", z.ZodTypeAny, {
270
+ totalClaims: number;
271
+ verified: number;
272
+ missing: number;
273
+ }, {
274
+ totalClaims: number;
275
+ verified: number;
276
+ missing: number;
277
+ }>;
278
+ claims: z.ZodArray<z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
279
+ type: z.ZodLiteral<"file-hash">;
280
+ file: z.ZodString;
281
+ /** Computed at seal time; optional in config. */
282
+ sha256: z.ZodOptional<z.ZodString>;
283
+ id: z.ZodString;
284
+ desc: z.ZodOptional<z.ZodString>;
285
+ }, "strip", z.ZodTypeAny, {
286
+ type: "file-hash";
287
+ file: string;
288
+ id: string;
289
+ sha256?: string | undefined;
290
+ desc?: string | undefined;
291
+ }, {
292
+ type: "file-hash";
293
+ file: string;
294
+ id: string;
295
+ sha256?: string | undefined;
296
+ desc?: string | undefined;
297
+ }>, z.ZodObject<{
298
+ type: z.ZodLiteral<"marker">;
299
+ file: z.ZodString;
300
+ marker: z.ZodString;
301
+ /** Computed at seal time; optional in config. */
302
+ sha256: z.ZodOptional<z.ZodString>;
303
+ markerVerified: z.ZodOptional<z.ZodBoolean>;
304
+ id: z.ZodString;
305
+ desc: z.ZodOptional<z.ZodString>;
306
+ }, "strip", z.ZodTypeAny, {
307
+ type: "marker";
308
+ file: string;
309
+ id: string;
310
+ marker: string;
311
+ sha256?: string | undefined;
312
+ desc?: string | undefined;
313
+ markerVerified?: boolean | undefined;
314
+ }, {
315
+ type: "marker";
316
+ file: string;
317
+ id: string;
318
+ marker: string;
319
+ sha256?: string | undefined;
320
+ desc?: string | undefined;
321
+ markerVerified?: boolean | undefined;
322
+ }>, z.ZodObject<{
323
+ type: z.ZodLiteral<"harness">;
324
+ /** Harness name (defaults to claim id when omitted in config). */
325
+ harness: z.ZodString;
326
+ /** Command spawned with PROOFSEAL_SEED in env. */
327
+ cmd: z.ZodString;
328
+ seed: z.ZodOptional<z.ZodNumber>;
329
+ quantizeDecimals: z.ZodOptional<z.ZodNumber>;
330
+ /** Named output blocks to exclude from hashing (pitfall 6: un-hashable features). */
331
+ exclude: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
332
+ /** Committed expectation — set by `proofseal harness run --update`. */
333
+ expectedSha256: z.ZodOptional<z.ZodString>;
334
+ /** Path (relative to root) to a committed JSON array of reference numbers. */
335
+ referenceVector: z.ZodOptional<z.ZodString>;
336
+ tolerance: z.ZodOptional<z.ZodObject<{
337
+ rtol: z.ZodNumber;
338
+ atol: z.ZodNumber;
339
+ }, "strip", z.ZodTypeAny, {
340
+ rtol: number;
341
+ atol: number;
342
+ }, {
343
+ rtol: number;
344
+ atol: number;
345
+ }>>;
346
+ id: z.ZodString;
347
+ desc: z.ZodOptional<z.ZodString>;
348
+ }, "strip", z.ZodTypeAny, {
349
+ type: "harness";
350
+ id: string;
351
+ harness: string;
352
+ cmd: string;
353
+ desc?: string | undefined;
354
+ seed?: number | undefined;
355
+ quantizeDecimals?: number | undefined;
356
+ exclude?: string[] | undefined;
357
+ expectedSha256?: string | undefined;
358
+ referenceVector?: string | undefined;
359
+ tolerance?: {
360
+ rtol: number;
361
+ atol: number;
362
+ } | undefined;
363
+ }, {
364
+ type: "harness";
365
+ id: string;
366
+ harness: string;
367
+ cmd: string;
368
+ desc?: string | undefined;
369
+ seed?: number | undefined;
370
+ quantizeDecimals?: number | undefined;
371
+ exclude?: string[] | undefined;
372
+ expectedSha256?: string | undefined;
373
+ referenceVector?: string | undefined;
374
+ tolerance?: {
375
+ rtol: number;
376
+ atol: number;
377
+ } | undefined;
378
+ }>]>, "many">;
379
+ /** Optional for backward compat: pre-platform manifests still validate. */
380
+ platform: z.ZodOptional<z.ZodObject<{
381
+ os: z.ZodString;
382
+ arch: z.ZodString;
383
+ node: z.ZodString;
384
+ }, "strip", z.ZodTypeAny, {
385
+ os: string;
386
+ arch: string;
387
+ node: string;
388
+ }, {
389
+ os: string;
390
+ arch: string;
391
+ node: string;
392
+ }>>;
393
+ }, "strip", z.ZodTypeAny, {
394
+ schema: "proofseal/v1";
395
+ issuedAt: string;
396
+ gitCommit: string;
397
+ branch: string;
398
+ salt: string;
399
+ releases: Record<string, string>;
400
+ summary: {
401
+ totalClaims: number;
402
+ verified: number;
403
+ missing: number;
404
+ };
405
+ claims: ({
406
+ type: "file-hash";
407
+ file: string;
408
+ id: string;
409
+ sha256?: string | undefined;
410
+ desc?: string | undefined;
411
+ } | {
412
+ type: "marker";
413
+ file: string;
414
+ id: string;
415
+ marker: string;
416
+ sha256?: string | undefined;
417
+ desc?: string | undefined;
418
+ markerVerified?: boolean | undefined;
419
+ } | {
420
+ type: "harness";
421
+ id: string;
422
+ harness: string;
423
+ cmd: string;
424
+ desc?: string | undefined;
425
+ seed?: number | undefined;
426
+ quantizeDecimals?: number | undefined;
427
+ exclude?: string[] | undefined;
428
+ expectedSha256?: string | undefined;
429
+ referenceVector?: string | undefined;
430
+ tolerance?: {
431
+ rtol: number;
432
+ atol: number;
433
+ } | undefined;
434
+ })[];
435
+ platform?: {
436
+ os: string;
437
+ arch: string;
438
+ node: string;
439
+ } | undefined;
440
+ }, {
441
+ schema: "proofseal/v1";
442
+ issuedAt: string;
443
+ gitCommit: string;
444
+ branch: string;
445
+ salt: string;
446
+ releases: Record<string, string>;
447
+ summary: {
448
+ totalClaims: number;
449
+ verified: number;
450
+ missing: number;
451
+ };
452
+ claims: ({
453
+ type: "file-hash";
454
+ file: string;
455
+ id: string;
456
+ sha256?: string | undefined;
457
+ desc?: string | undefined;
458
+ } | {
459
+ type: "marker";
460
+ file: string;
461
+ id: string;
462
+ marker: string;
463
+ sha256?: string | undefined;
464
+ desc?: string | undefined;
465
+ markerVerified?: boolean | undefined;
466
+ } | {
467
+ type: "harness";
468
+ id: string;
469
+ harness: string;
470
+ cmd: string;
471
+ desc?: string | undefined;
472
+ seed?: number | undefined;
473
+ quantizeDecimals?: number | undefined;
474
+ exclude?: string[] | undefined;
475
+ expectedSha256?: string | undefined;
476
+ referenceVector?: string | undefined;
477
+ tolerance?: {
478
+ rtol: number;
479
+ atol: number;
480
+ } | undefined;
481
+ })[];
482
+ platform?: {
483
+ os: string;
484
+ arch: string;
485
+ node: string;
486
+ } | undefined;
487
+ }>;
488
+ export type Manifest = z.infer<typeof ManifestSchema>;
489
+ export declare const IntegritySchema: z.ZodObject<{
490
+ manifestHashAlgo: z.ZodLiteral<"sha256">;
491
+ manifestHash: z.ZodString;
492
+ signatureAlgo: z.ZodLiteral<"ed25519">;
493
+ publicKey: z.ZodString;
494
+ signature: z.ZodString;
495
+ seedDerivation: z.ZodString;
496
+ }, "strip", z.ZodTypeAny, {
497
+ manifestHashAlgo: "sha256";
498
+ manifestHash: string;
499
+ signatureAlgo: "ed25519";
500
+ publicKey: string;
501
+ signature: string;
502
+ seedDerivation: string;
503
+ }, {
504
+ manifestHashAlgo: "sha256";
505
+ manifestHash: string;
506
+ signatureAlgo: "ed25519";
507
+ publicKey: string;
508
+ signature: string;
509
+ seedDerivation: string;
510
+ }>;
511
+ export type Integrity = z.infer<typeof IntegritySchema>;
512
+ export declare const WitnessSchema: z.ZodObject<{
513
+ manifest: z.ZodObject<{
514
+ schema: z.ZodLiteral<"proofseal/v1">;
515
+ issuedAt: z.ZodString;
516
+ gitCommit: z.ZodString;
517
+ branch: z.ZodString;
518
+ salt: z.ZodString;
519
+ releases: z.ZodRecord<z.ZodString, z.ZodString>;
520
+ summary: z.ZodObject<{
521
+ totalClaims: z.ZodNumber;
522
+ verified: z.ZodNumber;
523
+ missing: z.ZodNumber;
524
+ }, "strip", z.ZodTypeAny, {
525
+ totalClaims: number;
526
+ verified: number;
527
+ missing: number;
528
+ }, {
529
+ totalClaims: number;
530
+ verified: number;
531
+ missing: number;
532
+ }>;
533
+ claims: z.ZodArray<z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
534
+ type: z.ZodLiteral<"file-hash">;
535
+ file: z.ZodString;
536
+ /** Computed at seal time; optional in config. */
537
+ sha256: z.ZodOptional<z.ZodString>;
538
+ id: z.ZodString;
539
+ desc: z.ZodOptional<z.ZodString>;
540
+ }, "strip", z.ZodTypeAny, {
541
+ type: "file-hash";
542
+ file: string;
543
+ id: string;
544
+ sha256?: string | undefined;
545
+ desc?: string | undefined;
546
+ }, {
547
+ type: "file-hash";
548
+ file: string;
549
+ id: string;
550
+ sha256?: string | undefined;
551
+ desc?: string | undefined;
552
+ }>, z.ZodObject<{
553
+ type: z.ZodLiteral<"marker">;
554
+ file: z.ZodString;
555
+ marker: z.ZodString;
556
+ /** Computed at seal time; optional in config. */
557
+ sha256: z.ZodOptional<z.ZodString>;
558
+ markerVerified: z.ZodOptional<z.ZodBoolean>;
559
+ id: z.ZodString;
560
+ desc: z.ZodOptional<z.ZodString>;
561
+ }, "strip", z.ZodTypeAny, {
562
+ type: "marker";
563
+ file: string;
564
+ id: string;
565
+ marker: string;
566
+ sha256?: string | undefined;
567
+ desc?: string | undefined;
568
+ markerVerified?: boolean | undefined;
569
+ }, {
570
+ type: "marker";
571
+ file: string;
572
+ id: string;
573
+ marker: string;
574
+ sha256?: string | undefined;
575
+ desc?: string | undefined;
576
+ markerVerified?: boolean | undefined;
577
+ }>, z.ZodObject<{
578
+ type: z.ZodLiteral<"harness">;
579
+ /** Harness name (defaults to claim id when omitted in config). */
580
+ harness: z.ZodString;
581
+ /** Command spawned with PROOFSEAL_SEED in env. */
582
+ cmd: z.ZodString;
583
+ seed: z.ZodOptional<z.ZodNumber>;
584
+ quantizeDecimals: z.ZodOptional<z.ZodNumber>;
585
+ /** Named output blocks to exclude from hashing (pitfall 6: un-hashable features). */
586
+ exclude: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
587
+ /** Committed expectation — set by `proofseal harness run --update`. */
588
+ expectedSha256: z.ZodOptional<z.ZodString>;
589
+ /** Path (relative to root) to a committed JSON array of reference numbers. */
590
+ referenceVector: z.ZodOptional<z.ZodString>;
591
+ tolerance: z.ZodOptional<z.ZodObject<{
592
+ rtol: z.ZodNumber;
593
+ atol: z.ZodNumber;
594
+ }, "strip", z.ZodTypeAny, {
595
+ rtol: number;
596
+ atol: number;
597
+ }, {
598
+ rtol: number;
599
+ atol: number;
600
+ }>>;
601
+ id: z.ZodString;
602
+ desc: z.ZodOptional<z.ZodString>;
603
+ }, "strip", z.ZodTypeAny, {
604
+ type: "harness";
605
+ id: string;
606
+ harness: string;
607
+ cmd: string;
608
+ desc?: string | undefined;
609
+ seed?: number | undefined;
610
+ quantizeDecimals?: number | undefined;
611
+ exclude?: string[] | undefined;
612
+ expectedSha256?: string | undefined;
613
+ referenceVector?: string | undefined;
614
+ tolerance?: {
615
+ rtol: number;
616
+ atol: number;
617
+ } | undefined;
618
+ }, {
619
+ type: "harness";
620
+ id: string;
621
+ harness: string;
622
+ cmd: string;
623
+ desc?: string | undefined;
624
+ seed?: number | undefined;
625
+ quantizeDecimals?: number | undefined;
626
+ exclude?: string[] | undefined;
627
+ expectedSha256?: string | undefined;
628
+ referenceVector?: string | undefined;
629
+ tolerance?: {
630
+ rtol: number;
631
+ atol: number;
632
+ } | undefined;
633
+ }>]>, "many">;
634
+ /** Optional for backward compat: pre-platform manifests still validate. */
635
+ platform: z.ZodOptional<z.ZodObject<{
636
+ os: z.ZodString;
637
+ arch: z.ZodString;
638
+ node: z.ZodString;
639
+ }, "strip", z.ZodTypeAny, {
640
+ os: string;
641
+ arch: string;
642
+ node: string;
643
+ }, {
644
+ os: string;
645
+ arch: string;
646
+ node: string;
647
+ }>>;
648
+ }, "strip", z.ZodTypeAny, {
649
+ schema: "proofseal/v1";
650
+ issuedAt: string;
651
+ gitCommit: string;
652
+ branch: string;
653
+ salt: string;
654
+ releases: Record<string, string>;
655
+ summary: {
656
+ totalClaims: number;
657
+ verified: number;
658
+ missing: number;
659
+ };
660
+ claims: ({
661
+ type: "file-hash";
662
+ file: string;
663
+ id: string;
664
+ sha256?: string | undefined;
665
+ desc?: string | undefined;
666
+ } | {
667
+ type: "marker";
668
+ file: string;
669
+ id: string;
670
+ marker: string;
671
+ sha256?: string | undefined;
672
+ desc?: string | undefined;
673
+ markerVerified?: boolean | undefined;
674
+ } | {
675
+ type: "harness";
676
+ id: string;
677
+ harness: string;
678
+ cmd: string;
679
+ desc?: string | undefined;
680
+ seed?: number | undefined;
681
+ quantizeDecimals?: number | undefined;
682
+ exclude?: string[] | undefined;
683
+ expectedSha256?: string | undefined;
684
+ referenceVector?: string | undefined;
685
+ tolerance?: {
686
+ rtol: number;
687
+ atol: number;
688
+ } | undefined;
689
+ })[];
690
+ platform?: {
691
+ os: string;
692
+ arch: string;
693
+ node: string;
694
+ } | undefined;
695
+ }, {
696
+ schema: "proofseal/v1";
697
+ issuedAt: string;
698
+ gitCommit: string;
699
+ branch: string;
700
+ salt: string;
701
+ releases: Record<string, string>;
702
+ summary: {
703
+ totalClaims: number;
704
+ verified: number;
705
+ missing: number;
706
+ };
707
+ claims: ({
708
+ type: "file-hash";
709
+ file: string;
710
+ id: string;
711
+ sha256?: string | undefined;
712
+ desc?: string | undefined;
713
+ } | {
714
+ type: "marker";
715
+ file: string;
716
+ id: string;
717
+ marker: string;
718
+ sha256?: string | undefined;
719
+ desc?: string | undefined;
720
+ markerVerified?: boolean | undefined;
721
+ } | {
722
+ type: "harness";
723
+ id: string;
724
+ harness: string;
725
+ cmd: string;
726
+ desc?: string | undefined;
727
+ seed?: number | undefined;
728
+ quantizeDecimals?: number | undefined;
729
+ exclude?: string[] | undefined;
730
+ expectedSha256?: string | undefined;
731
+ referenceVector?: string | undefined;
732
+ tolerance?: {
733
+ rtol: number;
734
+ atol: number;
735
+ } | undefined;
736
+ })[];
737
+ platform?: {
738
+ os: string;
739
+ arch: string;
740
+ node: string;
741
+ } | undefined;
742
+ }>;
743
+ integrity: z.ZodObject<{
744
+ manifestHashAlgo: z.ZodLiteral<"sha256">;
745
+ manifestHash: z.ZodString;
746
+ signatureAlgo: z.ZodLiteral<"ed25519">;
747
+ publicKey: z.ZodString;
748
+ signature: z.ZodString;
749
+ seedDerivation: z.ZodString;
750
+ }, "strip", z.ZodTypeAny, {
751
+ manifestHashAlgo: "sha256";
752
+ manifestHash: string;
753
+ signatureAlgo: "ed25519";
754
+ publicKey: string;
755
+ signature: string;
756
+ seedDerivation: string;
757
+ }, {
758
+ manifestHashAlgo: "sha256";
759
+ manifestHash: string;
760
+ signatureAlgo: "ed25519";
761
+ publicKey: string;
762
+ signature: string;
763
+ seedDerivation: string;
764
+ }>;
765
+ }, "strip", z.ZodTypeAny, {
766
+ manifest: {
767
+ schema: "proofseal/v1";
768
+ issuedAt: string;
769
+ gitCommit: string;
770
+ branch: string;
771
+ salt: string;
772
+ releases: Record<string, string>;
773
+ summary: {
774
+ totalClaims: number;
775
+ verified: number;
776
+ missing: number;
777
+ };
778
+ claims: ({
779
+ type: "file-hash";
780
+ file: string;
781
+ id: string;
782
+ sha256?: string | undefined;
783
+ desc?: string | undefined;
784
+ } | {
785
+ type: "marker";
786
+ file: string;
787
+ id: string;
788
+ marker: string;
789
+ sha256?: string | undefined;
790
+ desc?: string | undefined;
791
+ markerVerified?: boolean | undefined;
792
+ } | {
793
+ type: "harness";
794
+ id: string;
795
+ harness: string;
796
+ cmd: string;
797
+ desc?: string | undefined;
798
+ seed?: number | undefined;
799
+ quantizeDecimals?: number | undefined;
800
+ exclude?: string[] | undefined;
801
+ expectedSha256?: string | undefined;
802
+ referenceVector?: string | undefined;
803
+ tolerance?: {
804
+ rtol: number;
805
+ atol: number;
806
+ } | undefined;
807
+ })[];
808
+ platform?: {
809
+ os: string;
810
+ arch: string;
811
+ node: string;
812
+ } | undefined;
813
+ };
814
+ integrity: {
815
+ manifestHashAlgo: "sha256";
816
+ manifestHash: string;
817
+ signatureAlgo: "ed25519";
818
+ publicKey: string;
819
+ signature: string;
820
+ seedDerivation: string;
821
+ };
822
+ }, {
823
+ manifest: {
824
+ schema: "proofseal/v1";
825
+ issuedAt: string;
826
+ gitCommit: string;
827
+ branch: string;
828
+ salt: string;
829
+ releases: Record<string, string>;
830
+ summary: {
831
+ totalClaims: number;
832
+ verified: number;
833
+ missing: number;
834
+ };
835
+ claims: ({
836
+ type: "file-hash";
837
+ file: string;
838
+ id: string;
839
+ sha256?: string | undefined;
840
+ desc?: string | undefined;
841
+ } | {
842
+ type: "marker";
843
+ file: string;
844
+ id: string;
845
+ marker: string;
846
+ sha256?: string | undefined;
847
+ desc?: string | undefined;
848
+ markerVerified?: boolean | undefined;
849
+ } | {
850
+ type: "harness";
851
+ id: string;
852
+ harness: string;
853
+ cmd: string;
854
+ desc?: string | undefined;
855
+ seed?: number | undefined;
856
+ quantizeDecimals?: number | undefined;
857
+ exclude?: string[] | undefined;
858
+ expectedSha256?: string | undefined;
859
+ referenceVector?: string | undefined;
860
+ tolerance?: {
861
+ rtol: number;
862
+ atol: number;
863
+ } | undefined;
864
+ })[];
865
+ platform?: {
866
+ os: string;
867
+ arch: string;
868
+ node: string;
869
+ } | undefined;
870
+ };
871
+ integrity: {
872
+ manifestHashAlgo: "sha256";
873
+ manifestHash: string;
874
+ signatureAlgo: "ed25519";
875
+ publicKey: string;
876
+ signature: string;
877
+ seedDerivation: string;
878
+ };
879
+ }>;
880
+ export type Witness = z.infer<typeof WitnessSchema>;
881
+ /** proofseal.json config file shape. */
882
+ export declare const ConfigSchema: z.ZodObject<{
883
+ schema: z.ZodLiteral<"proofseal/v1">;
884
+ salt: z.ZodOptional<z.ZodString>;
885
+ manifest: z.ZodOptional<z.ZodString>;
886
+ history: z.ZodOptional<z.ZodString>;
887
+ releases: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
888
+ claims: z.ZodArray<z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
889
+ type: z.ZodLiteral<"file-hash">;
890
+ file: z.ZodString;
891
+ /** Computed at seal time; optional in config. */
892
+ sha256: z.ZodOptional<z.ZodString>;
893
+ id: z.ZodString;
894
+ desc: z.ZodOptional<z.ZodString>;
895
+ }, "strip", z.ZodTypeAny, {
896
+ type: "file-hash";
897
+ file: string;
898
+ id: string;
899
+ sha256?: string | undefined;
900
+ desc?: string | undefined;
901
+ }, {
902
+ type: "file-hash";
903
+ file: string;
904
+ id: string;
905
+ sha256?: string | undefined;
906
+ desc?: string | undefined;
907
+ }>, z.ZodObject<{
908
+ type: z.ZodLiteral<"marker">;
909
+ file: z.ZodString;
910
+ marker: z.ZodString;
911
+ /** Computed at seal time; optional in config. */
912
+ sha256: z.ZodOptional<z.ZodString>;
913
+ markerVerified: z.ZodOptional<z.ZodBoolean>;
914
+ id: z.ZodString;
915
+ desc: z.ZodOptional<z.ZodString>;
916
+ }, "strip", z.ZodTypeAny, {
917
+ type: "marker";
918
+ file: string;
919
+ id: string;
920
+ marker: string;
921
+ sha256?: string | undefined;
922
+ desc?: string | undefined;
923
+ markerVerified?: boolean | undefined;
924
+ }, {
925
+ type: "marker";
926
+ file: string;
927
+ id: string;
928
+ marker: string;
929
+ sha256?: string | undefined;
930
+ desc?: string | undefined;
931
+ markerVerified?: boolean | undefined;
932
+ }>, z.ZodObject<{
933
+ type: z.ZodLiteral<"harness">;
934
+ /** Harness name (defaults to claim id when omitted in config). */
935
+ harness: z.ZodString;
936
+ /** Command spawned with PROOFSEAL_SEED in env. */
937
+ cmd: z.ZodString;
938
+ seed: z.ZodOptional<z.ZodNumber>;
939
+ quantizeDecimals: z.ZodOptional<z.ZodNumber>;
940
+ /** Named output blocks to exclude from hashing (pitfall 6: un-hashable features). */
941
+ exclude: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
942
+ /** Committed expectation — set by `proofseal harness run --update`. */
943
+ expectedSha256: z.ZodOptional<z.ZodString>;
944
+ /** Path (relative to root) to a committed JSON array of reference numbers. */
945
+ referenceVector: z.ZodOptional<z.ZodString>;
946
+ tolerance: z.ZodOptional<z.ZodObject<{
947
+ rtol: z.ZodNumber;
948
+ atol: z.ZodNumber;
949
+ }, "strip", z.ZodTypeAny, {
950
+ rtol: number;
951
+ atol: number;
952
+ }, {
953
+ rtol: number;
954
+ atol: number;
955
+ }>>;
956
+ id: z.ZodString;
957
+ desc: z.ZodOptional<z.ZodString>;
958
+ }, "strip", z.ZodTypeAny, {
959
+ type: "harness";
960
+ id: string;
961
+ harness: string;
962
+ cmd: string;
963
+ desc?: string | undefined;
964
+ seed?: number | undefined;
965
+ quantizeDecimals?: number | undefined;
966
+ exclude?: string[] | undefined;
967
+ expectedSha256?: string | undefined;
968
+ referenceVector?: string | undefined;
969
+ tolerance?: {
970
+ rtol: number;
971
+ atol: number;
972
+ } | undefined;
973
+ }, {
974
+ type: "harness";
975
+ id: string;
976
+ harness: string;
977
+ cmd: string;
978
+ desc?: string | undefined;
979
+ seed?: number | undefined;
980
+ quantizeDecimals?: number | undefined;
981
+ exclude?: string[] | undefined;
982
+ expectedSha256?: string | undefined;
983
+ referenceVector?: string | undefined;
984
+ tolerance?: {
985
+ rtol: number;
986
+ atol: number;
987
+ } | undefined;
988
+ }>]>, "many">;
989
+ }, "strip", z.ZodTypeAny, {
990
+ schema: "proofseal/v1";
991
+ claims: ({
992
+ type: "file-hash";
993
+ file: string;
994
+ id: string;
995
+ sha256?: string | undefined;
996
+ desc?: string | undefined;
997
+ } | {
998
+ type: "marker";
999
+ file: string;
1000
+ id: string;
1001
+ marker: string;
1002
+ sha256?: string | undefined;
1003
+ desc?: string | undefined;
1004
+ markerVerified?: boolean | undefined;
1005
+ } | {
1006
+ type: "harness";
1007
+ id: string;
1008
+ harness: string;
1009
+ cmd: string;
1010
+ desc?: string | undefined;
1011
+ seed?: number | undefined;
1012
+ quantizeDecimals?: number | undefined;
1013
+ exclude?: string[] | undefined;
1014
+ expectedSha256?: string | undefined;
1015
+ referenceVector?: string | undefined;
1016
+ tolerance?: {
1017
+ rtol: number;
1018
+ atol: number;
1019
+ } | undefined;
1020
+ })[];
1021
+ salt?: string | undefined;
1022
+ releases?: Record<string, string> | undefined;
1023
+ manifest?: string | undefined;
1024
+ history?: string | undefined;
1025
+ }, {
1026
+ schema: "proofseal/v1";
1027
+ claims: ({
1028
+ type: "file-hash";
1029
+ file: string;
1030
+ id: string;
1031
+ sha256?: string | undefined;
1032
+ desc?: string | undefined;
1033
+ } | {
1034
+ type: "marker";
1035
+ file: string;
1036
+ id: string;
1037
+ marker: string;
1038
+ sha256?: string | undefined;
1039
+ desc?: string | undefined;
1040
+ markerVerified?: boolean | undefined;
1041
+ } | {
1042
+ type: "harness";
1043
+ id: string;
1044
+ harness: string;
1045
+ cmd: string;
1046
+ desc?: string | undefined;
1047
+ seed?: number | undefined;
1048
+ quantizeDecimals?: number | undefined;
1049
+ exclude?: string[] | undefined;
1050
+ expectedSha256?: string | undefined;
1051
+ referenceVector?: string | undefined;
1052
+ tolerance?: {
1053
+ rtol: number;
1054
+ atol: number;
1055
+ } | undefined;
1056
+ })[];
1057
+ salt?: string | undefined;
1058
+ releases?: Record<string, string> | undefined;
1059
+ manifest?: string | undefined;
1060
+ history?: string | undefined;
1061
+ }>;
1062
+ export type ProofSealConfig = z.infer<typeof ConfigSchema>;
1063
+ /** Per-claim verification status (ADR §5.6, ported from ruflo verify.mjs). */
1064
+ export type ClaimStatus = 'pass' | 'drift' | 'regressed' | 'missing';
1065
+ /** Result of refreshing a claim against the live tree at seal time. */
1066
+ export type ClaimState = Claim & {
1067
+ missing: boolean;
1068
+ };