protect-mcp 0.5.5 → 0.6.0

package/README.md

@@ -1,6 +1,73 @@
 # protect-mcp
 
-Enterprise security gateway for MCP servers and Claude Code hooks. Signed receipts, Cedar policies, and swarm-aware audit trails.
+[![npm version](https://img.shields.io/npm/v/protect-mcp)](https://www.npmjs.com/package/protect-mcp)
+[![Downloads](https://img.shields.io/npm/dm/protect-mcp)](https://www.npmjs.com/package/protect-mcp)
+[![Claude Code Marketplace](https://img.shields.io/badge/Claude%20Code-marketplace-d97757?logo=anthropic&logoColor=white)](https://github.com/wshobson/agents/tree/main/plugins/protect-mcp)
+[![License: MIT](https://img.shields.io/badge/license-MIT-blue)](./LICENSE)
+
+> A policy check that sits between your AI agent and the tools it calls.
+> Every tool call is evaluated against a rule you wrote. Every decision is signed.
+
+## What it does, in plain English
+
+When an AI agent (Claude Code, Cursor, a custom LangChain app, anything that
+uses the Model Context Protocol) wants to run a command, edit a file, or call
+an API, `protect-mcp` intercepts that request before it executes:
+
+1. **Checks a policy.** You write rules in [Cedar](https://www.cedarpolicy.com/)
+   — the same policy language AWS uses for IAM. Rules like *"never allow
+   `rm -rf /`"*, *"only allow `Bash` during working hours"*, or *"require
+   human approval for anything touching production."*
+2. **Returns a decision.** `allow`, `deny`, or `request_approval`. The agent
+   framework respects the decision — if it's `deny`, the tool call doesn't run.
+3. **Signs a receipt.** An Ed25519-signed, hash-chained record of the decision,
+   written to `.receipts/`. Verifiable offline by anyone with the public key.
+   When your auditor asks *"what did that agent do on 2026-03-14?"* you have
+   cryptographic proof — not a log file you might have tampered with.
+
+You install it once. Your agent keeps working the same way. The difference:
+every action it takes is now policy-checked and audit-evidenced.
+
+## Who this is for
+
+- **Developers using Claude Code / Cursor / Cline** who want *"don't let the
+  agent delete my repo"* enforced rather than hoped for.
+- **Security teams** shipping agents to engineering who need a portable
+  policy layer that travels across frameworks.
+- **Compliance teams** who need tamper-evident evidence of what agents did,
+  verifiable without trusting the vendor.
+
+## How it relates to `sb-runtime`
+
+`protect-mcp` is a **library** — it sits inside your agent framework and
+gates tool calls cooperatively. Right tool when you own the agent's code and
+trust its framework to honour decisions.
+
+[`sb-runtime`](https://github.com/ScopeBlind/sb-runtime) is the companion
+**binary** that wraps the whole agent *process* in an OS-level sandbox
+(Landlock + seccomp on Linux). It enforces decisions at the kernel layer —
+the agent can't ignore them even if it tried. Use `sb-runtime` when you're
+running an agent you didn't write, or when you want belt-and-braces defence
+in depth:
+
+```
+┌─────────────────────────────────────────────────┐
+│  sb-runtime   ← OS refuses forbidden syscalls   │
+│  ┌───────────────────────────────────────────┐  │
+│  │  agent process (Claude Code, Python, …)   │  │
+│  │  ┌─────────────────────────────────────┐  │  │
+│  │  │  protect-mcp                        │  │  │
+│  │  │    ← Cedar decides per tool call,   │  │  │
+│  │  │      receipts every decision        │  │  │
+│  │  └─────────────────────────────────────┘  │  │
+│  └───────────────────────────────────────────┘  │
+└─────────────────────────────────────────────────┘
+```
+
+**One-liner:** `protect-mcp` is the policy hook inside your agent.
+`sb-runtime` is the OS sandbox around it. You want both.
+
+---
 
 ## Quick Start — Claude Code
 
@@ -277,7 +344,7 @@ The receipt format is independently implemented and verified across multiple sys
 | **4 independent implementations** | TypeScript (protect-mcp), Python (protect-mcp-adk), Rust (Cedar WASM), APS ProxyGateway |
 | **2 IETF Internet-Drafts** | [draft-farley-acta-signed-receipts-01](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/), [draft-pidlisnyi-aps-00](https://datatracker.ietf.org/doc/draft-pidlisnyi-aps/) |
 | **8 cross-engine receipts** | [Composition test](https://github.com/ScopeBlind/examples/tree/main/interop/composition-test): 2 engines, 1 verifier, all VALID |
-| **1 enterprise integration** | [Microsoft AGT PR #667](https://github.com/microsoft/agent-governance-toolkit/pull/667) merged |
+| **3 enterprise integrations** | Microsoft AGT [#667](https://github.com/microsoft/agent-governance-toolkit/pull/667), [#1159](https://github.com/microsoft/agent-governance-toolkit/pull/1159), [#1168](https://github.com/microsoft/agent-governance-toolkit/pull/1168) |
 | **1 verifier, zero dependencies** | `npx @veritasacta/verify receipt.json --key <hex>` (Apache-2.0, offline) |
 
 Verify any receipt from any implementation:
@@ -291,7 +358,7 @@ npx @veritasacta/verify receipt.json --key <public-key-hex>
 
 - **IETF Internet-Draft**: [draft-farley-acta-signed-receipts-01](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/)
 - **Patent Status**: 4 Australian provisional patents pending (2025-2026)
-- **Cedar WASM**: [PR #64](https://github.com/cedar-policy/cedar-for-agents/pull/64) on cedar-for-agents (under review)
+- **Cedar WASM**: [PR #64](https://github.com/cedar-policy/cedar-for-agents/pull/64) merged + [PR #73](https://github.com/cedar-policy/cedar-for-agents/pull/73) (RequestGenerator, pending review)
 
 ## What's New in v0.5.3
 

package/dist/{ed25519-V7HDL2WC.mjs → chunk-LYKNULYU.mjs}

@@ -12,10 +12,10 @@ import {
   hexToBytes,
   isBytes,
   randomBytes,
+  rotr,
   toBytes,
   utf8ToBytes
 } from "./chunk-D733KAPG.mjs";
-import "./chunk-PQJP2ZCI.mjs";
 
 // node_modules/@noble/hashes/esm/_md.js
 function setBigUint64(view, byteOffset, value, isLE) {
@@ -30,6 +30,12 @@ function setBigUint64(view, byteOffset, value, isLE) {
   view.setUint32(byteOffset + h, wh, isLE);
   view.setUint32(byteOffset + l, wl, isLE);
 }
+function Chi(a, b, c) {
+  return a & b ^ ~a & c;
+}
+function Maj(a, b, c) {
+  return a & b ^ a & c ^ b & c;
+}
 var HashMD = class extends Hash {
   constructor(blockLen, outputLen, padOffset, isLE) {
     super();
@@ -120,6 +126,16 @@ var HashMD = class extends Hash {
     return this._cloneInto();
   }
 };
+var SHA256_IV = /* @__PURE__ */ Uint32Array.from([
+  1779033703,
+  3144134277,
+  1013904242,
+  2773480762,
+  1359893119,
+  2600822924,
+  528734635,
+  1541459225
+]);
 var SHA512_IV = /* @__PURE__ */ Uint32Array.from([
   1779033703,
   4089235720,
@@ -175,6 +191,143 @@ var add5L = (Al, Bl, Cl, Dl, El) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >
 var add5H = (low, Ah, Bh, Ch, Dh, Eh) => Ah + Bh + Ch + Dh + Eh + (low / 2 ** 32 | 0) | 0;
 
 // node_modules/@noble/hashes/esm/sha2.js
+var SHA256_K = /* @__PURE__ */ Uint32Array.from([
+  1116352408,
+  1899447441,
+  3049323471,
+  3921009573,
+  961987163,
+  1508970993,
+  2453635748,
+  2870763221,
+  3624381080,
+  310598401,
+  607225278,
+  1426881987,
+  1925078388,
+  2162078206,
+  2614888103,
+  3248222580,
+  3835390401,
+  4022224774,
+  264347078,
+  604807628,
+  770255983,
+  1249150122,
+  1555081692,
+  1996064986,
+  2554220882,
+  2821834349,
+  2952996808,
+  3210313671,
+  3336571891,
+  3584528711,
+  113926993,
+  338241895,
+  666307205,
+  773529912,
+  1294757372,
+  1396182291,
+  1695183700,
+  1986661051,
+  2177026350,
+  2456956037,
+  2730485921,
+  2820302411,
+  3259730800,
+  3345764771,
+  3516065817,
+  3600352804,
+  4094571909,
+  275423344,
+  430227734,
+  506948616,
+  659060556,
+  883997877,
+  958139571,
+  1322822218,
+  1537002063,
+  1747873779,
+  1955562222,
+  2024104815,
+  2227730452,
+  2361852424,
+  2428436474,
+  2756734187,
+  3204031479,
+  3329325298
+]);
+var SHA256_W = /* @__PURE__ */ new Uint32Array(64);
+var SHA256 = class extends HashMD {
+  constructor(outputLen = 32) {
+    super(64, outputLen, 8, false);
+    this.A = SHA256_IV[0] | 0;
+    this.B = SHA256_IV[1] | 0;
+    this.C = SHA256_IV[2] | 0;
+    this.D = SHA256_IV[3] | 0;
+    this.E = SHA256_IV[4] | 0;
+    this.F = SHA256_IV[5] | 0;
+    this.G = SHA256_IV[6] | 0;
+    this.H = SHA256_IV[7] | 0;
+  }
+  get() {
+    const { A, B, C, D, E, F, G, H } = this;
+    return [A, B, C, D, E, F, G, H];
+  }
+  // prettier-ignore
+  set(A, B, C, D, E, F, G, H) {
+    this.A = A | 0;
+    this.B = B | 0;
+    this.C = C | 0;
+    this.D = D | 0;
+    this.E = E | 0;
+    this.F = F | 0;
+    this.G = G | 0;
+    this.H = H | 0;
+  }
+  process(view, offset) {
+    for (let i = 0; i < 16; i++, offset += 4)
+      SHA256_W[i] = view.getUint32(offset, false);
+    for (let i = 16; i < 64; i++) {
+      const W15 = SHA256_W[i - 15];
+      const W2 = SHA256_W[i - 2];
+      const s0 = rotr(W15, 7) ^ rotr(W15, 18) ^ W15 >>> 3;
+      const s1 = rotr(W2, 17) ^ rotr(W2, 19) ^ W2 >>> 10;
+      SHA256_W[i] = s1 + SHA256_W[i - 7] + s0 + SHA256_W[i - 16] | 0;
+    }
+    let { A, B, C, D, E, F, G, H } = this;
+    for (let i = 0; i < 64; i++) {
+      const sigma1 = rotr(E, 6) ^ rotr(E, 11) ^ rotr(E, 25);
+      const T1 = H + sigma1 + Chi(E, F, G) + SHA256_K[i] + SHA256_W[i] | 0;
+      const sigma0 = rotr(A, 2) ^ rotr(A, 13) ^ rotr(A, 22);
+      const T2 = sigma0 + Maj(A, B, C) | 0;
+      H = G;
+      G = F;
+      F = E;
+      E = D + T1 | 0;
+      D = C;
+      C = B;
+      B = A;
+      A = T1 + T2 | 0;
+    }
+    A = A + this.A | 0;
+    B = B + this.B | 0;
+    C = C + this.C | 0;
+    D = D + this.D | 0;
+    E = E + this.E | 0;
+    F = F + this.F | 0;
+    G = G + this.G | 0;
+    H = H + this.H | 0;
+    this.set(A, B, C, D, E, F, G, H);
+  }
+  roundClean() {
+    clean(SHA256_W);
+  }
+  destroy() {
+    this.set(0, 0, 0, 0, 0, 0, 0, 0);
+    clean(this.buffer);
+  }
+};
 var K512 = /* @__PURE__ */ (() => split([
   "0x428a2f98d728ae22",
   "0x7137449123ef65cd",
@@ -372,6 +525,7 @@ var SHA512 = class extends HashMD {
     this.set(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
   }
 };
+var sha256 = /* @__PURE__ */ createHasher(() => new SHA256());
 var sha512 = /* @__PURE__ */ createHasher(() => new SHA512());
 
 // node_modules/@noble/curves/esm/utils.js
@@ -2260,23 +2414,25 @@ var hashToCurve = /* @__PURE__ */ (() => ed25519_hasher.hashToCurve)();
 var encodeToCurve = /* @__PURE__ */ (() => ed25519_hasher.encodeToCurve)();
 var hashToRistretto255 = /* @__PURE__ */ (() => ristretto255_hasher.hashToCurve)();
 var hash_to_ristretto255 = /* @__PURE__ */ (() => ristretto255_hasher.hashToCurve)();
+
 export {
-  ED25519_TORSION_SUBGROUP,
-  RistrettoPoint,
+  sha256,
   ed25519,
-  ed25519_hasher,
   ed25519ctx,
   ed25519ph,
+  x25519,
+  ed25519_hasher,
+  ristretto255,
+  ristretto255_hasher,
+  ED25519_TORSION_SUBGROUP,
+  edwardsToMontgomeryPub,
   edwardsToMontgomery,
   edwardsToMontgomeryPriv,
-  edwardsToMontgomeryPub,
-  encodeToCurve,
+  RistrettoPoint,
   hashToCurve,
+  encodeToCurve,
   hashToRistretto255,
-  hash_to_ristretto255,
-  ristretto255,
-  ristretto255_hasher,
-  x25519
+  hash_to_ristretto255
 };
 /*! Bundled license information:
 

package/dist/cli.mjs

@@ -145,7 +145,7 @@ async function handleInit(argv) {
   let keypair;
   {
     const { randomBytes } = await import("crypto");
-    const { ed25519 } = await import("./ed25519-V7HDL2WC.mjs");
+    const { ed25519 } = await import("./ed25519-DZMMNNVE.mjs");
     const { bytesToHex } = await import("./utils-6AYZFE5A.mjs");
     const privateKey = randomBytes(32);
     const publicKey = ed25519.getPublicKey(privateKey);
@@ -765,7 +765,7 @@ ${bold("protect-mcp quickstart")}
   const { randomBytes } = await import("crypto");
   let keypair;
   try {
-    const { ed25519 } = await import("./ed25519-V7HDL2WC.mjs");
+    const { ed25519 } = await import("./ed25519-DZMMNNVE.mjs");
     const { bytesToHex } = await import("./utils-6AYZFE5A.mjs");
     const privateKey = randomBytes(32);
     const publicKey = ed25519.getPublicKey(privateKey);
@@ -1111,7 +1111,7 @@ ${bold("protect-mcp init-hooks")}
     if (!existsSync(keysDir)) mkdirSync(keysDir, { recursive: true });
     const { randomBytes: rb } = await import("crypto");
     try {
-      const { ed25519 } = await import("./ed25519-V7HDL2WC.mjs");
+      const { ed25519 } = await import("./ed25519-DZMMNNVE.mjs");
       const { bytesToHex } = await import("./utils-6AYZFE5A.mjs");
       const privateKey = rb(32);
       const publicKey = ed25519.getPublicKey(privateKey);

package/dist/ed25519-DZMMNNVE.mjs

@@ -0,0 +1,38 @@
+import {
+  ED25519_TORSION_SUBGROUP,
+  RistrettoPoint,
+  ed25519,
+  ed25519_hasher,
+  ed25519ctx,
+  ed25519ph,
+  edwardsToMontgomery,
+  edwardsToMontgomeryPriv,
+  edwardsToMontgomeryPub,
+  encodeToCurve,
+  hashToCurve,
+  hashToRistretto255,
+  hash_to_ristretto255,
+  ristretto255,
+  ristretto255_hasher,
+  x25519
+} from "./chunk-LYKNULYU.mjs";
+import "./chunk-D733KAPG.mjs";
+import "./chunk-PQJP2ZCI.mjs";
+export {
+  ED25519_TORSION_SUBGROUP,
+  RistrettoPoint,
+  ed25519,
+  ed25519_hasher,
+  ed25519ctx,
+  ed25519ph,
+  edwardsToMontgomery,
+  edwardsToMontgomeryPriv,
+  edwardsToMontgomeryPub,
+  encodeToCurve,
+  hashToCurve,
+  hashToRistretto255,
+  hash_to_ristretto255,
+  ristretto255,
+  ristretto255_hasher,
+  x25519
+};

package/dist/index.d.mts

@@ -95,6 +95,29 @@ interface SigningConfig {
     issuer?: string;
     /** Whether signing is enabled (default: true when key_path is set) */
     enabled?: boolean;
+    /**
+     * Commitment-mode signing.
+     *
+     * When enabled, listed fields are committed via SHA-256(salt || JCS({name, salt, value}))
+     * and the receipt payload carries a single committed_fields_root (Merkle root) instead
+     * of the cleartext field values. Per draft-farley-acta-signed-receipts-01 §commitment-mode.
+     *
+     * The receipt issuer keeps the openings (value + salt per field) for later selective
+     * disclosure. A receipt holder can prove a field's value to an auditor without
+     * revealing other committed fields.
+     *
+     * @since 0.6.0
+     */
+    commitment_mode?: {
+        /** Whether commitment-mode signing is active. Default: false. */
+        enabled?: boolean;
+        /**
+         * Names of payload fields to commit.
+         * Recommended defaults: tool, scope, payload_digest, swarm.
+         * Other fields remain cleartext.
+         */
+        committed_field_names?: string[];
+    };
 }
 interface RateLimit {
     count: number;
@@ -825,6 +848,131 @@ declare function getSignerInfo(): {
  */
 declare function isSigningEnabled(): boolean;
 
+/**
+ * A Merkle inclusion proof for a single leaf.
+ *
+ * The siblings array lists the sibling hashes encountered while walking
+ * from the leaf up to the root. Each sibling is hex-encoded SHA-256.
+ * The (index, treeSize) pair determines whether the current node is
+ * left or right at each level during verification.
+ */
+interface MerkleProof {
+    /** Zero-based index of the leaf in the canonically-sorted leaf list. */
+    index: number;
+    /** Total number of leaves in the tree. */
+    treeSize: number;
+    /** Sibling hashes from leaf upward, hex-encoded SHA-256 (lowercase). */
+    siblings: string[];
+}
+
+/**
+ * @scopeblind/protect-mcp: Commitment-Mode Signing
+ *
+ * Produces commitment-mode signed receipts per draft-farley-acta-signed-receipts-01
+ * §commitment-mode. Each listed field is independently committed via
+ * SHA-256(0x00 || JCS({name, salt, value})), arranged into an RFC 6962-style
+ * Merkle tree with explicit one-byte domain separation, and the receipt payload
+ * carries a single committed_fields_root field instead of the cleartext values.
+ *
+ * The receipt holder retains openings (value + salt per field) and can selectively
+ * disclose any subset to auditors via Merkle inclusion proofs verifiable by
+ * @veritasacta/verify@>=0.6.0.
+ *
+ * This module sits alongside signing.ts (the legacy @veritasacta/artifacts-based
+ * cleartext path) and is invoked when SigningConfig.commitment_mode.enabled is
+ * true. The two paths are mutually exclusive on a per-receipt basis.
+ *
+ * @since 0.6.0
+ * @standard draft-farley-acta-signed-receipts-01 §commitment-mode
+ * @standard RFC 6962 (Certificate Transparency Merkle tree construction)
+ * @standard RFC 8032 (Ed25519)
+ * @standard RFC 8785 (JCS)
+ */
+
+/**
+ * The opening information for a single committed field. Held by the
+ * receipt issuer; never embedded in the published receipt. Required to
+ * later produce a selective-disclosure proof.
+ */
+interface CommittedFieldOpening {
+    /** Field name (matches one of committed_field_names). */
+    name: string;
+    /** Cleartext value of the field. */
+    value: unknown;
+    /** Salt bytes (32 random bytes per field per receipt). */
+    salt: Uint8Array;
+    /** Zero-based index of the field in the canonically-sorted leaf list. */
+    index: number;
+}
+/**
+ * The result of signing a decision in commitment mode.
+ */
+interface CommittedSignResult {
+    /** The signed receipt as a JSON string (canonical wire form). */
+    signed: string;
+    /** Receipt artifact type, e.g. "decision_receipt_committed_v1". */
+    artifact_type: string;
+    /**
+     * Per-field openings, indexed by field name. The issuer MUST persist
+     * these securely if it intends to support selective disclosure later.
+     * Storing them is the issuer's responsibility; this library does not
+     * write them to disk.
+     */
+    openings: Record<string, CommittedFieldOpening>;
+    /** Lowercase hex SHA-256 of the canonical signed receipt. */
+    receipt_hash: string;
+}
+/**
+ * A minimal selective-disclosure envelope. Reveal a single committed field
+ * to an auditor by supplying its (name, value, salt, proof). The auditor
+ * recomputes the leaf hash and walks the proof to confirm it reconstructs
+ * the receipt's committed_fields_root.
+ *
+ * Compatible with @veritasacta/verify@>=0.6.0.
+ */
+interface MinimalDisclosure {
+    /** The receipt this disclosure targets, by canonical hash. */
+    parent_receipt_hash: string;
+    /** Disclosed field name. */
+    name: string;
+    /** Cleartext value of the disclosed field. */
+    value: unknown;
+    /** Salt as base64url (no padding). */
+    salt: string;
+    /** Merkle inclusion proof. */
+    proof: MerkleProof;
+}
+/**
+ * Sign a DecisionLog in commitment mode.
+ *
+ * @param entry - The decision log entry to sign.
+ * @param committedFieldNames - Names of fields to commit. Recommended:
+ *   ["tool", "scope", "payload_digest", "swarm"]. Fields not listed
+ *   remain cleartext in the signed payload.
+ * @param signingKey - Ed25519 private key (32 bytes hex or raw).
+ * @param publicKey - Ed25519 public key (32 bytes hex).
+ * @param kid - Key identifier (RFC 7638 JWK thumbprint or operator-chosen).
+ * @param issuer - Issuer identifier (e.g. "my-gateway.example.com").
+ *
+ * @returns Signed receipt JSON, openings (per field), and receipt hash.
+ *
+ * @standard draft-farley-acta-signed-receipts-01 §signature-scope
+ *   The signature covers SHA-256(JCS(payload_minus_signature)).
+ */
+declare function signCommittedDecision(entry: DecisionLog, committedFieldNames: string[], signingKey: string, publicKey: string, kid: string, issuer: string): CommittedSignResult;
+/**
+ * Build a minimal selective-disclosure envelope for a single committed
+ * field. The envelope can be verified offline by anyone who has the
+ * receipt's committed_fields_root (which the receipt itself carries).
+ *
+ * @param receiptHash - Canonical hash of the receipt the disclosure targets.
+ * @param fieldName - Which field to disclose.
+ * @param openings - The full openings map produced by signCommittedDecision.
+ *
+ * @standard draft-farley-acta-signed-receipts-01 §commitment-disclosure
+ */
+declare function discloseField(receiptHash: string, fieldName: string, openings: Record<string, CommittedFieldOpening>): MinimalDisclosure;
+
 /**
  * @scopeblind/protect-mcp — External PDP Adapter
  *
@@ -2763,4 +2911,4 @@ declare function confidentialInference(_prompt: string, _config: ConfidentialInf
     receipt: Record<string, unknown>;
 }>;
 
-export { type ActionReceipt, type AdmissionResult, type AgentId, type AgentManifest, type ApprovalAssertion, type ApprovalChallenge, type ApprovalNotification, type ApprovalResult, type ArenaPayload, type ArenaReceipt, type AttestationDocument, type AttestationPayload, type AttestationProvider, type AttestationReceipt, type AttestationResult, type AuditBundle, type AuditBundleOptions, type BenchmarkPayload, type BenchmarkReceipt, type BuilderId, type C2PAAssertion, type C2PAIngredient, type C2PAManifest, type C2PAOptions, type CCRConnectorConfig, type CCRSessionContext, type CalibrationScore, type CedarEvalRequest, type CedarPolicySet, type CedarSchema, type CedarSchemaResult, type ComplianceReport, ConfidentialGate, type ConfidentialGateConfig, type ConfidentialInferenceConfig, type CredentialConfig, type DecisionContext, type DecisionLog, type DelegationReceipt, type DisclosureMode, type Ed25519PublicKey, type EvidenceAttestation, type EvidenceAttestationInput, type EvidenceIssuer, type EvidenceReceipt, type EvidenceReceiptBase, type EvidenceSummary, type EvidenceSummaryEntry, type EvidenceType, type ExternalDecision, type ExternalPDPConfig, type HFDatasetMetadata, type HFReceiptRow, type HookEventName, type HookInput, type HookResponse, type IssuerType, type JsonRpcRequest, type JsonRpcResponse, type LeaseCompatibility, type ManifestBuilder, type ManifestCapabilities, type ManifestConfig, type ManifestIdentity, type ManifestPresentation, type ManifestSignature, type ManifestStatus, type McpToolDescription, type NotificationConfig, type PassportTokenClaims, type PayloadDigest, type PlanReceipt, type PolicyEngineMode, type PredictionReceipt, type PredictionResolution, type PropagatorConfig, type ProtectConfig, ProtectGateway, type ProtectPolicy, type RateLimit, ReceiptPropagator, type RedactedResult, type RedactionSalt, type RekorAnchor, type RekorVerification, type RestraintPayload, type RestraintReceipt, type SHA256Hash, type SafetyTranscript, type Sandbox, type SandboxConfig, type SandboxReceipt, type SandboxResult, type SandboxToolCall, type SchemaGeneratorConfig, type SigningConfig, type SimulationResult, type SimulationSummary, type SwarmContext, type TierOverrides, type TimingMetrics, type ToolPolicy, type TrustTier, type WorkPayload, type WorkReceipt, anchorToRekor, buildDecisionContext, checkRateLimit, collectSignedReceipts, computeCalibration, confidentialInference, createApprovalChallenge, createApprovalReceiptPayload, createAttestationField, createAuditBundle, createC2PAManifest, createDisclosurePackage, createEvidenceAttestation, createLogAnchorField, createReceiptChannel, createSandbox, destroySandbox, ed25519ToDIDKey, evaluateCedar, evaluateTier, exportC2PAManifestJSON, exportJSONL, formatReportMarkdown, formatSimulation, generateC2PACommand, generateCedarSchema, generateDatasetCard, generateHFMetadata, generateReport, generateSafetyTranscript, generateSchemaStub, getSignerInfo, getToolPolicy, hashReceipt, hashResponseBody, initSigning, isAgentId, isCedarAvailable, isDisclosureMode, isEvidenceType, isManifestStatus, isSigningEnabled, listCredentialLabels, loadCedarPolicies, loadPolicy, manifestToVC, meetsMinTier, parseLogFile, parseNotificationConfigFromEnv, parseRateLimit, queryExternalPDP, receiptToVP, receiptsToHFRows, redactFields, resolveCredential, revealField, runInSandbox, sendApprovalNotification, signDecision, simulate, toCredentialRequestOptions, toManifoldFormat, toMetaculusFormat, validateCredentials, validateEvidenceReceipt, validateManifest, verifyActaC2PAAssertions, verifyAllCommitments, verifyApprovalAssertion, verifyCommitment, verifyEvidenceAttestation, verifyRekorAnchor };
+export { type ActionReceipt, type AdmissionResult, type AgentId, type AgentManifest, type ApprovalAssertion, type ApprovalChallenge, type ApprovalNotification, type ApprovalResult, type ArenaPayload, type ArenaReceipt, type AttestationDocument, type AttestationPayload, type AttestationProvider, type AttestationReceipt, type AttestationResult, type AuditBundle, type AuditBundleOptions, type BenchmarkPayload, type BenchmarkReceipt, type BuilderId, type C2PAAssertion, type C2PAIngredient, type C2PAManifest, type C2PAOptions, type CCRConnectorConfig, type CCRSessionContext, type CalibrationScore, type CedarEvalRequest, type CedarPolicySet, type CedarSchema, type CedarSchemaResult, type CommittedFieldOpening, type CommittedSignResult, type ComplianceReport, ConfidentialGate, type ConfidentialGateConfig, type ConfidentialInferenceConfig, type CredentialConfig, type DecisionContext, type DecisionLog, type DelegationReceipt, type DisclosureMode, type Ed25519PublicKey, type EvidenceAttestation, type EvidenceAttestationInput, type EvidenceIssuer, type EvidenceReceipt, type EvidenceReceiptBase, type EvidenceSummary, type EvidenceSummaryEntry, type EvidenceType, type ExternalDecision, type ExternalPDPConfig, type HFDatasetMetadata, type HFReceiptRow, type HookEventName, type HookInput, type HookResponse, type IssuerType, type JsonRpcRequest, type JsonRpcResponse, type LeaseCompatibility, type ManifestBuilder, type ManifestCapabilities, type ManifestConfig, type ManifestIdentity, type ManifestPresentation, type ManifestSignature, type ManifestStatus, type McpToolDescription, type MinimalDisclosure, type NotificationConfig, type PassportTokenClaims, type PayloadDigest, type PlanReceipt, type PolicyEngineMode, type PredictionReceipt, type PredictionResolution, type PropagatorConfig, type ProtectConfig, ProtectGateway, type ProtectPolicy, type RateLimit, ReceiptPropagator, type RedactedResult, type RedactionSalt, type RekorAnchor, type RekorVerification, type RestraintPayload, type RestraintReceipt, type SHA256Hash, type SafetyTranscript, type Sandbox, type SandboxConfig, type SandboxReceipt, type SandboxResult, type SandboxToolCall, type SchemaGeneratorConfig, type SigningConfig, type SimulationResult, type SimulationSummary, type SwarmContext, type TierOverrides, type TimingMetrics, type ToolPolicy, type TrustTier, type WorkPayload, type WorkReceipt, anchorToRekor, buildDecisionContext, checkRateLimit, collectSignedReceipts, computeCalibration, confidentialInference, createApprovalChallenge, createApprovalReceiptPayload, createAttestationField, createAuditBundle, createC2PAManifest, createDisclosurePackage, createEvidenceAttestation, createLogAnchorField, createReceiptChannel, createSandbox, destroySandbox, discloseField, ed25519ToDIDKey, evaluateCedar, evaluateTier, exportC2PAManifestJSON, exportJSONL, formatReportMarkdown, formatSimulation, generateC2PACommand, generateCedarSchema, generateDatasetCard, generateHFMetadata, generateReport, generateSafetyTranscript, generateSchemaStub, getSignerInfo, getToolPolicy, hashReceipt, hashResponseBody, initSigning, isAgentId, isCedarAvailable, isDisclosureMode, isEvidenceType, isManifestStatus, isSigningEnabled, listCredentialLabels, loadCedarPolicies, loadPolicy, manifestToVC, meetsMinTier, parseLogFile, parseNotificationConfigFromEnv, parseRateLimit, queryExternalPDP, receiptToVP, receiptsToHFRows, redactFields, resolveCredential, revealField, runInSandbox, sendApprovalNotification, signCommittedDecision, signDecision, simulate, toCredentialRequestOptions, toManifoldFormat, toMetaculusFormat, validateCredentials, validateEvidenceReceipt, validateManifest, verifyActaC2PAAssertions, verifyAllCommitments, verifyApprovalAssertion, verifyCommitment, verifyEvidenceAttestation, verifyRekorAnchor };