arsia-protocol 1.0.0__py3-none-any.whl

arsia_protocol/__init__.py

@@ -0,0 +1,927 @@
+# SPDX-License-Identifier: BUSL-1.1
+# Copyright 2025-2026 Arsia Labs (Arsia Tecnologia Unipessoal Lda)
+
+"""ARSIA Protocol — reference Python SDK.
+
+Build, sign, verify, and validate ARSIA message envelopes: the
+compliance-enforced communication layer for autonomous AI agents.
+
+See https://arsiaprotocol.org for the specification.
+
+All public symbols from every SDK module are re-exported here so that
+consumers can write::
+
+    from arsia_protocol import sign_message, verify_message
+    from arsia_protocol import ArsiaMessage, compute_trust_level
+
+Low-level cryptographic primitives (``hazmat.*``) and the data
+resolver (``_data_resolver``) are intentionally NOT re-exported —
+they are implementation details.
+"""
+
+from __future__ import annotations
+
+# -- Layer 0 — Standalone ---------------------------------------------------
+
+from arsia_protocol.core.version import (
+    PROTOCOL_VERSION,
+    __version__,
+    compare_versions,
+    extract_content_type_version,
+    is_compatible,
+    parse_version,
+    validate_outbound_version,
+)
+
+from arsia_protocol.hazmat.primitives.ed25519 import (
+    generate_keypair as generate_ed25519_keypair,
+)
+
+from arsia_protocol.identity.agent_id import (
+    AGENT_ID_PATTERN,
+    AgentId,
+    is_identity_record_expired,
+    is_valid_agent_id,
+    parse_agent_id,
+    validate_agent_id,
+)
+
+# -- Layer 1 — Types --------------------------------------------------------
+
+from arsia_protocol.types import (
+    BreachNotificationPayload,
+    NotificationTarget,
+    AISystemClassification,
+    ActionCategory,
+    ActionDescriptor,
+    AlternativeConsidered,
+    ArsiaAuditRecord,
+    ArsiaCapabilityDescriptor,
+    ArsiaCompliance,
+    ArsiaContext,
+    ArsiaDiscoveryDocument,
+    ArsiaError,
+    ArsiaErrorCode,
+    ArsiaFeatures,
+    ArsiaIdempotency,
+    ArsiaIntent,
+    ArsiaJWK,
+    ArsiaJWKS,
+    ArsiaMessage,
+    ArsiaPayload,
+    ArsiaRateLimits,
+    ArsiaSecurity,
+    AssetTransferReceiptResult,
+    AssetTransferRequestArgs,
+    AssetTransferReversalArgs,
+    AssetType,
+    AuditEventType,
+    BrokerCapacity,
+    BrokerEntry,
+    BrokerHealth,
+    CapabilityPolicy,
+    CapabilityRule,
+    CapabilityRuleStatus,
+    EscrowConditions,
+    Explanation,
+    GDPRLegalBasis,
+    HumanOversightLevel,
+    LegalBasis,
+    IdentityRecord,
+    OversightStatus,
+    PiiClassification,
+    PiiSpecialCategory,
+    SignatureAlgorithm,
+    StateEntry,
+    StateScope,
+    TransferStatus,
+    ValidationError,
+)
+
+# -- Layer 2 — Core ---------------------------------------------------------
+
+from arsia_protocol.core.message import (
+    ARSIA_CONTENT_TYPE,
+    CLOCK_SKEW_TOLERANCE_SECONDS,
+    DEFAULT_MAX_MESSAGE_BYTES,
+    DEFAULT_REQUEST_TTL_SECONDS,
+    AsyncProcessingStatus,
+    build_async_status_response,
+    check_envelope_size,
+    create_approval_decision,
+    create_error,
+    create_event,
+    create_pending_approval,
+    create_request,
+    create_response,
+    format_timestamp,
+    is_expired,
+    matches_arsia_content_type,
+    sign_message,
+    verify_message,
+)
+
+from arsia_protocol.core.errors import (
+    ERROR_REGISTRY,
+    RETRY_POLICY,
+    ErrorCodeInfo,
+    RetryPolicy,
+    build_error_envelope,
+    build_forbidden_error,
+    build_not_implemented_error,
+    build_oversight_denied_error,
+    build_oversight_expired_error,
+    build_payload_too_large_error,
+    build_rate_limited_error,
+    build_service_unavailable_error,
+    compute_retry_delay,
+    get_error_info,
+    is_retryable,
+)
+
+from arsia_protocol.core.encryption import (
+    decrypt_and_verify,
+    encrypt_payload,
+)
+
+from arsia_protocol.core.compliance import (
+    CLASSIFICATION_HIERARCHY,
+    apply_profile,
+    check_oversight_timeout,
+    get_clock_skew_seconds,
+    get_effective_retention,
+    get_profile,
+    get_profile_names,
+    load_profiles,
+    validate_compliance,
+    validate_explainability,
+)
+
+# -- Layer 3 — Validation ---------------------------------------------------
+
+from arsia_protocol.core.validation import (
+    INTENT_CONTENT_FIELD,
+    IdentityConsistencyResult,
+    PayloadTypeRegistry,
+    check_identity_consistency,
+    resolve_content_field,
+    validate_compliance_field,
+    validate_correlation,
+    validate_envelope,
+    validate_identity_record,
+    validate_schema,
+    validate_semantic,
+)
+
+# -- Layer 4 — Primitives ---------------------------------------------------
+
+from arsia_protocol.actions.actions import (
+    CAPABILITY_MAX_LENGTH,
+    CAPABILITY_PATTERN,
+    EXPLICIT_GRANT_ONLY,
+    RESERVED_CAPABILITIES,
+    RESERVED_PREFIX,
+    ExecutionState,
+    RISK_LEVEL_CLASSIFICATION,
+    RiskClassification,
+    VALID_TRANSITIONS,
+    attach_effective_capabilities,
+    build_partial_execution_audit,
+    build_partial_rollback_response,
+    build_rollback_audit_record,
+    build_timeout_error,
+    is_explanation_required,
+    create_rollback_request,
+    build_version_not_supported_error,
+    downgrade_capabilities,
+    find_unsatisfied_capabilities,
+    get_risk_classification,
+    is_approval_expired,
+    is_major_version_bump,
+    is_reserved_capability,
+    is_reserved_prefix_misuse,
+    is_terminal_state,
+    is_valid_capability,
+    is_valid_transition,
+    match_capabilities,
+    match_capability,
+    resolve_action_version,
+    validate_action_descriptor,
+    validate_capability,
+    validate_explanation,
+    validate_explanation_timestamp,
+    validate_response_explanation,
+    validate_rollback,
+    validate_timeout_cancellation,
+)
+
+from arsia_protocol.identity.certificates import (
+    CertificateVerificationResult,
+    QC_STATEMENTS_OID,
+    TrustLevel,
+    compute_trust_level,
+    extract_public_key_from_cert,
+    has_qc_statements,
+    is_certificate_chain_expired,
+    verify_certificate_chain,
+)
+
+from arsia_protocol.identity.discovery import (
+    JWKS_MAX_CACHE_SECONDS,
+    JWKSCachePolicy,
+    ROTATION_OVERLAP_HOURS,
+    RSA_MINIMUM_KEY_BITS,
+    build_capability_listing,
+    build_discovery_document,
+    build_ec_jwk,
+    build_encryption_jwks,
+    build_identity_record_signature,
+    build_jwk,
+    build_jwks,
+    build_rotation_jwks,
+    filter_compromised_keys,
+    is_kid_revoked,
+    public_key_from_jwk,
+    select_jwk_from_jwks,
+    validate_capability_prerequisites,
+    validate_jwks_kid_uniqueness,
+    validate_rsa_key_size,
+    verify_identity_record_signature,
+    verify_jwks_agent_id_consistency,
+)
+
+from arsia_protocol.core.authorization import (
+    DEFAULT_CLOCK_SKEW_SECONDS,
+    DPOP_TYP,
+    JWT_TYP,
+    SUPPORTED_ALGORITHMS,
+    DPoPValidationResult,
+    TokenValidationResult,
+    build_dpop_proof,
+    build_jwt,
+    build_token_request,
+    check_scope_coverage,
+    compute_jwk_thumbprint,
+    decode_jwt,
+    parse_scope,
+    validate_dpop_proof,
+    validate_token_claims,
+    verify_dpop_binding,
+    verify_jwt_signature,
+)
+
+from arsia_protocol.identity.onboarding import (
+    CapabilityEvaluationResult,
+    CapabilityStatus,
+    CheckResult,
+    DenialReason,
+    ONBOARDING_AUDIT_EVENTS,
+    ONBOARDING_EVALUATE_CAPABILITY,
+    OnboardingDecision,
+    OnboardingOutcome,
+    OnboardingPhase,
+    ProvenanceResult,
+    build_decision_payload,
+    build_onboarding_decision,
+    check_audit_payload_hash,
+    check_audit_record_fields,
+    check_audit_records_array,
+    is_classification_consistent,
+    check_correlation_id,
+    check_discovery_response,
+    check_envelope_id,
+    check_envelope_required_fields,
+    check_expires_at,
+    check_pending_approval,
+    validate_profile_requirement,
+    evaluate_capability_policy,
+    evaluate_phase2_checks,
+    validate_capability_policy,
+    verify_provenance,
+)
+
+from arsia_protocol.state.breach import (
+    BREACH_CAPABILITY,
+    PAYLOAD_TYPE_BREACH_NOTIFICATION,
+    build_breach_notification,
+    validate_breach_notification,
+)
+
+from arsia_protocol.state.state import (
+    OPERATION_TO_CAPABILITY,
+    PAYLOAD_TYPE_DELETE,
+    PAYLOAD_TYPE_GET,
+    PAYLOAD_TYPE_GRANT,
+    PAYLOAD_TYPE_PREFIX,
+    PAYLOAD_TYPE_PURGE,
+    PAYLOAD_TYPE_QUERY,
+    PAYLOAD_TYPE_REVOKE,
+    PAYLOAD_TYPE_SET,
+    PAYLOAD_TYPE_SNAPSHOT,
+    STATE_CAPABILITY_PURGE,
+    STATE_CAPABILITY_READ,
+    STATE_CAPABILITY_SNAPSHOT,
+    STATE_CAPABILITY_WRITE,
+    STATE_KEY_MAX_LENGTH,
+    STATE_OPERATIONS,
+    STATE_RESERVED_KEY_PREFIX,
+    STATE_SCOPES,
+    STATE_VALUE_MAX_BYTES,
+    STATE_WILDCARD_EXCLUDES,
+    apply_compliance_defaults_for_state,
+    build_conflict_error,
+    build_delete_args,
+    build_get_args,
+    build_grant_args,
+    build_grant_result,
+    build_purge_args,
+    build_purge_result,
+    build_query_args,
+    build_revoke_args,
+    build_revoke_result,
+    build_set_args,
+    build_snapshot_args,
+    compute_effective_retention,
+    compute_value_size,
+    detect_immutable_field_changes,
+    enforce_value_size_limit,
+    is_entry_expired,
+    is_reserved_key,
+    is_within_retention,
+    parse_state_key,
+    payload_type_for,
+    required_capability_for,
+    resolve_entry_data_residency,
+    resolve_entry_retention,
+    validate_custom_state_payload_type,
+    validate_eu_ai_act_response,
+    validate_state_entry,
+    validate_state_key,
+    wildcard_covers_state_capability,
+)
+
+from arsia_protocol.assets.assets import (
+    ASSET_PRECISION,
+    ASSET_TYPES,
+    ASSETS_CAPABILITIES,
+    ASSETS_CAPABILITY_RISK_LEVELS,
+    ASSETS_PAYLOAD_PREFIX,
+    DORA_INCIDENT_TYPES,
+    DORA_SEVERITIES,
+    DoraIncidentType,
+    DoraSeverity,
+    ESCROW_STATES,
+    ESCROW_TRANSITIONS,
+    EscrowState,
+    FINANCIAL_ASSET_TYPES,
+    ISO_4217_CURRENCY_CODES,
+    MIFID_AUDIT_FIELDS,
+    MIFID_RETENTION_DAYS_MIN,
+    PAYLOAD_TYPE_DORA_INCIDENT,
+    PAYLOAD_TYPE_ESCROW_CANCEL,
+    PAYLOAD_TYPE_ESCROW_DISPUTE,
+    PAYLOAD_TYPE_TRANSFER_RECEIPT,
+    PAYLOAD_TYPE_TRANSFER_REQUEST,
+    PAYLOAD_TYPE_TRANSFER_REVERSAL,
+    PaymentReferenceStore,
+    SCA_REQUIRED_MIN_RISK_LEVEL,
+    build_dora_incident_event,
+    build_escrow_created_audit,
+    build_escrow_disputed_audit,
+    build_escrow_released_audit,
+    build_escrow_returned_audit,
+    build_mifid_audit_fields,
+    build_reversal_audit_fields,
+    can_reach_disputed,
+    classify_dora_incident_type,
+    count_decimal_places,
+    enforce_mifid_retention,
+    is_assets_capability,
+    is_infrastructure_failure,
+    is_mifid_applicable,
+    is_sca_exempt,
+    is_terminal_escrow_state,
+    is_valid_escrow_transition,
+    requires_human_oversight,
+    requires_psd2_sca,
+    validate_assets_token_scope,
+    validate_currency_or_unit,
+    validate_escrow_cancel,
+    validate_escrow_conditions,
+    validate_escrow_dispute,
+    validate_escrow_release,
+    PAYLOAD_TYPE_ESCROW_RELEASE,
+    AssetPendingApprovalArgs,
+    validate_asset_pending_approval,
+    validate_metadata_no_financial_data,
+    validate_payment_reference_unique,
+    validate_psd2_sca_factors,
+    validate_compliance_echo,
+    validate_idempotency_key_in_envelope,
+    validate_receipt_against_request,
+    validate_reversal_precondition,
+    validate_transfer_amount,
+    validate_transfer_delegation,
+    validate_transfer_receipt,
+    validate_transfer_request,
+    validate_transfer_reversal,
+    validate_two_party_auth,
+)
+
+from arsia_protocol.routing.routing import (
+    BROKER_EXPIRY_SAFETY_MARGIN_S,
+    BROKER_FORWARD_TIMEOUT_S,
+    BrokerRelayAuditRecord,
+    DEFAULT_PRIORITY,
+    EU_EEA_MEMBER_STATES,
+    LIFECYCLE_STATES,
+    LIFECYCLE_TRANSITIONS,
+    ForwardingResult,
+    LifecycleState,
+    MAX_RETRIES_RECOMMENDED,
+    MAX_RETRY_DELAY_S,
+    PAYLOAD_HASH_HEX_LENGTH,
+    RATE_LIMITED_DEFAULT_DELAY_S,
+    RETRYABLE_LIFECYCLE_STATES,
+    RETRY_BASE_DELAY_S,
+    RETRY_MULTIPLIER,
+    RateLimitStatus,
+    RoutingDecision,
+    TERMINAL_LIFECYCLE_STATES,
+    Topology,
+    broker_serves_zone,
+    build_broker_relay_audit_record,
+    compute_rate_limited_delay,
+    is_eu_eea_member,
+    is_retryable_lifecycle_state,
+    is_terminal_lifecycle_state,
+    is_valid_lifecycle_transition,
+    parse_rate_limit_headers,
+    resolve_priority,
+    select_broker_by_priority,
+    select_broker_random,
+    select_topology,
+    validate_broker_entry,
+    validate_broker_relay_audit_record,
+    validate_relay_preconditions,
+)
+
+# -- Layer 5 — Cross-cutting ------------------------------------------------
+
+from arsia_protocol.state.audit import (
+    AUDIT_EVENT_TYPES,
+    build_audit_record,
+    compute_payload_hash,
+    derive_event_type_from_intent,
+    validate_audit_record,
+)
+
+from arsia_protocol.core.idempotency import (
+    HEADER_ONLY_RETENTION_HOURS,
+    IDEMPOTENCY_KEY_MAX_LENGTH,
+    IDEMPOTENCY_KEY_MIN_LENGTH,
+    DuplicateIdempotencyKey,
+    DuplicateRequestInProgress,
+    IdempotencyKeySource,
+    IdempotencyRecord,
+    IdempotencyScope,
+    IdempotencyStatus,
+    IdempotencyStore,
+    compute_idempotency_expiry,
+    extract_envelope_idempotency,
+    is_idempotency_record_expired,
+    is_valid_idempotency_key,
+    resolve_idempotency_key,
+    resolve_idempotency_source,
+    scope_tuple,
+    validate_idempotency_key,
+)
+
+del annotations
+
+__all__ = [
+    # version (Layer 0)
+    "__version__",
+    "PROTOCOL_VERSION",
+    "compare_versions",
+    "extract_content_type_version",
+    "is_compatible",
+    "parse_version",
+    "validate_outbound_version",
+    # hazmat convenience (Layer 0)
+    "generate_ed25519_keypair",
+    # identity (Layer 0)
+    "AGENT_ID_PATTERN",
+    "AgentId",
+    "is_identity_record_expired",
+    "is_valid_agent_id",
+    "parse_agent_id",
+    "validate_agent_id",
+    # types (Layer 1)
+    "BreachNotificationPayload",
+    "NotificationTarget",
+    "AISystemClassification",
+    "ActionCategory",
+    "ActionDescriptor",
+    "AlternativeConsidered",
+    "ArsiaAuditRecord",
+    "ArsiaCapabilityDescriptor",
+    "ArsiaCompliance",
+    "ArsiaContext",
+    "ArsiaDiscoveryDocument",
+    "ArsiaError",
+    "ArsiaErrorCode",
+    "ArsiaFeatures",
+    "ArsiaIdempotency",
+    "ArsiaIntent",
+    "ArsiaJWK",
+    "ArsiaJWKS",
+    "ArsiaMessage",
+    "ArsiaPayload",
+    "ArsiaRateLimits",
+    "ArsiaSecurity",
+    "AssetTransferReceiptResult",
+    "AssetTransferRequestArgs",
+    "AssetTransferReversalArgs",
+    "AssetType",
+    "AuditEventType",
+    "BrokerCapacity",
+    "BrokerEntry",
+    "BrokerHealth",
+    "CapabilityPolicy",
+    "CapabilityRule",
+    "CapabilityRuleStatus",
+    "EscrowConditions",
+    "Explanation",
+    "GDPRLegalBasis",
+    "HumanOversightLevel",
+    "IdentityRecord",
+    "LegalBasis",
+    "OversightStatus",
+    "PiiClassification",
+    "PiiSpecialCategory",
+    "SignatureAlgorithm",
+    "StateEntry",
+    "StateScope",
+    "TransferStatus",
+    "ValidationError",
+    # message (Layer 2)
+    "ARSIA_CONTENT_TYPE",
+    "AsyncProcessingStatus",
+    "build_async_status_response",
+    "CLOCK_SKEW_TOLERANCE_SECONDS",
+    "DEFAULT_MAX_MESSAGE_BYTES",
+    "DEFAULT_REQUEST_TTL_SECONDS",
+    "check_envelope_size",
+    "create_approval_decision",
+    "create_error",
+    "create_event",
+    "create_pending_approval",
+    "create_request",
+    "create_response",
+    "format_timestamp",
+    "is_expired",
+    "matches_arsia_content_type",
+    "sign_message",
+    "verify_message",
+    # encryption (Layer 2)
+    "decrypt_and_verify",
+    "encrypt_payload",
+    # errors (Layer 2)
+    "ERROR_REGISTRY",
+    "ErrorCodeInfo",
+    "RETRY_POLICY",
+    "RetryPolicy",
+    "build_error_envelope",
+    "build_forbidden_error",
+    "build_not_implemented_error",
+    "build_oversight_denied_error",
+    "build_oversight_expired_error",
+    "build_payload_too_large_error",
+    "build_rate_limited_error",
+    "build_service_unavailable_error",
+    "compute_retry_delay",
+    "get_error_info",
+    "is_retryable",
+    # compliance (Layer 2)
+    "CLASSIFICATION_HIERARCHY",
+    "apply_profile",
+    "check_oversight_timeout",
+    "get_clock_skew_seconds",
+    "get_effective_retention",
+    "get_profile",
+    "get_profile_names",
+    "load_profiles",
+    "validate_compliance",
+    "validate_explainability",
+    # validation (Layer 3)
+    "INTENT_CONTENT_FIELD",
+    "IdentityConsistencyResult",
+    "PayloadTypeRegistry",
+    "check_identity_consistency",
+    "resolve_content_field",
+    "validate_compliance_field",
+    "validate_correlation",
+    "validate_envelope",
+    "validate_identity_record",
+    "validate_schema",
+    "validate_semantic",
+    # actions (Layer 4)
+    "CAPABILITY_MAX_LENGTH",
+    "CAPABILITY_PATTERN",
+    "ExecutionState",
+    "EXPLICIT_GRANT_ONLY",
+    "RESERVED_CAPABILITIES",
+    "RESERVED_PREFIX",
+    "RISK_LEVEL_CLASSIFICATION",
+    "RiskClassification",
+    "VALID_TRANSITIONS",
+    "attach_effective_capabilities",
+    "build_partial_execution_audit",
+    "build_partial_rollback_response",
+    "build_rollback_audit_record",
+    "build_timeout_error",
+    "is_explanation_required",
+    "create_rollback_request",
+    "build_version_not_supported_error",
+    "downgrade_capabilities",
+    "find_unsatisfied_capabilities",
+    "get_risk_classification",
+    "is_approval_expired",
+    "is_major_version_bump",
+    "is_reserved_capability",
+    "is_reserved_prefix_misuse",
+    "is_terminal_state",
+    "is_valid_capability",
+    "is_valid_transition",
+    "match_capabilities",
+    "match_capability",
+    "resolve_action_version",
+    "validate_action_descriptor",
+    "validate_capability",
+    "validate_explanation",
+    "validate_explanation_timestamp",
+    "validate_response_explanation",
+    "validate_rollback",
+    "validate_timeout_cancellation",
+    # certificates (Layer 4)
+    "CertificateVerificationResult",
+    "QC_STATEMENTS_OID",
+    "TrustLevel",
+    "compute_trust_level",
+    "extract_public_key_from_cert",
+    "has_qc_statements",
+    "is_certificate_chain_expired",
+    "verify_certificate_chain",
+    # discovery (Layer 4)
+    "JWKS_MAX_CACHE_SECONDS",
+    "JWKSCachePolicy",
+    "ROTATION_OVERLAP_HOURS",
+    "RSA_MINIMUM_KEY_BITS",
+    "build_capability_listing",
+    "build_discovery_document",
+    "build_ec_jwk",
+    "build_encryption_jwks",
+    "build_identity_record_signature",
+    "build_jwk",
+    "build_jwks",
+    "build_rotation_jwks",
+    "filter_compromised_keys",
+    "is_kid_revoked",
+    "public_key_from_jwk",
+    "select_jwk_from_jwks",
+    "validate_capability_prerequisites",
+    "validate_jwks_kid_uniqueness",
+    "validate_rsa_key_size",
+    "verify_identity_record_signature",
+    "verify_jwks_agent_id_consistency",
+    # authorization (Layer 4)
+    "DEFAULT_CLOCK_SKEW_SECONDS",
+    "DPOP_TYP",
+    "DPoPValidationResult",
+    "JWT_TYP",
+    "SUPPORTED_ALGORITHMS",
+    "TokenValidationResult",
+    "build_dpop_proof",
+    "build_jwt",
+    "build_token_request",
+    "check_scope_coverage",
+    "compute_jwk_thumbprint",
+    "decode_jwt",
+    "parse_scope",
+    "validate_dpop_proof",
+    "validate_token_claims",
+    "verify_dpop_binding",
+    "verify_jwt_signature",
+    # onboarding (Layer 4)
+    "CapabilityEvaluationResult",
+    "CapabilityStatus",
+    "CheckResult",
+    "DenialReason",
+    "ONBOARDING_AUDIT_EVENTS",
+    "ONBOARDING_EVALUATE_CAPABILITY",
+    "OnboardingDecision",
+    "OnboardingOutcome",
+    "OnboardingPhase",
+    "ProvenanceResult",
+    "build_decision_payload",
+    "build_onboarding_decision",
+    "check_audit_payload_hash",
+    "check_audit_record_fields",
+    "check_audit_records_array",
+    "is_classification_consistent",
+    "check_correlation_id",
+    "check_discovery_response",
+    "check_envelope_id",
+    "check_envelope_required_fields",
+    "check_expires_at",
+    "check_pending_approval",
+    "validate_profile_requirement",
+    "evaluate_capability_policy",
+    "evaluate_phase2_checks",
+    "validate_capability_policy",
+    "verify_provenance",
+    # breach (Layer 4)
+    "BREACH_CAPABILITY",
+    "PAYLOAD_TYPE_BREACH_NOTIFICATION",
+    "build_breach_notification",
+    "validate_breach_notification",
+    # state (Layer 4)
+    "OPERATION_TO_CAPABILITY",
+    "PAYLOAD_TYPE_DELETE",
+    "PAYLOAD_TYPE_GET",
+    "PAYLOAD_TYPE_GRANT",
+    "PAYLOAD_TYPE_PREFIX",
+    "PAYLOAD_TYPE_PURGE",
+    "PAYLOAD_TYPE_QUERY",
+    "PAYLOAD_TYPE_REVOKE",
+    "PAYLOAD_TYPE_SET",
+    "PAYLOAD_TYPE_SNAPSHOT",
+    "STATE_CAPABILITY_PURGE",
+    "STATE_CAPABILITY_READ",
+    "STATE_CAPABILITY_SNAPSHOT",
+    "STATE_CAPABILITY_WRITE",
+    "STATE_KEY_MAX_LENGTH",
+    "STATE_OPERATIONS",
+    "STATE_RESERVED_KEY_PREFIX",
+    "STATE_SCOPES",
+    "STATE_VALUE_MAX_BYTES",
+    "STATE_WILDCARD_EXCLUDES",
+    "apply_compliance_defaults_for_state",
+    "build_delete_args",
+    "build_conflict_error",
+    "build_get_args",
+    "build_grant_args",
+    "build_grant_result",
+    "build_purge_args",
+    "build_purge_result",
+    "build_query_args",
+    "build_revoke_args",
+    "build_revoke_result",
+    "build_set_args",
+    "build_snapshot_args",
+    "compute_effective_retention",
+    "compute_value_size",
+    "detect_immutable_field_changes",
+    "enforce_value_size_limit",
+    "is_entry_expired",
+    "is_reserved_key",
+    "is_within_retention",
+    "parse_state_key",
+    "payload_type_for",
+    "required_capability_for",
+    "resolve_entry_data_residency",
+    "resolve_entry_retention",
+    "validate_custom_state_payload_type",
+    "validate_eu_ai_act_response",
+    "validate_state_entry",
+    "validate_state_key",
+    "wildcard_covers_state_capability",
+    # assets (Layer 4)
+    "ASSET_PRECISION",
+    "ASSET_TYPES",
+    "ASSETS_CAPABILITIES",
+    "ASSETS_CAPABILITY_RISK_LEVELS",
+    "ASSETS_PAYLOAD_PREFIX",
+    "DORA_INCIDENT_TYPES",
+    "DORA_SEVERITIES",
+    "DoraIncidentType",
+    "DoraSeverity",
+    "ESCROW_STATES",
+    "ESCROW_TRANSITIONS",
+    "EscrowState",
+    "FINANCIAL_ASSET_TYPES",
+    "ISO_4217_CURRENCY_CODES",
+    "MIFID_AUDIT_FIELDS",
+    "MIFID_RETENTION_DAYS_MIN",
+    "PAYLOAD_TYPE_DORA_INCIDENT",
+    "PAYLOAD_TYPE_ESCROW_CANCEL",
+    "PAYLOAD_TYPE_ESCROW_DISPUTE",
+    "PAYLOAD_TYPE_TRANSFER_RECEIPT",
+    "PAYLOAD_TYPE_TRANSFER_REQUEST",
+    "PAYLOAD_TYPE_TRANSFER_REVERSAL",
+    "PaymentReferenceStore",
+    "SCA_REQUIRED_MIN_RISK_LEVEL",
+    "build_dora_incident_event",
+    "build_escrow_created_audit",
+    "build_escrow_disputed_audit",
+    "build_escrow_released_audit",
+    "build_escrow_returned_audit",
+    "build_mifid_audit_fields",
+    "build_reversal_audit_fields",
+    "can_reach_disputed",
+    "classify_dora_incident_type",
+    "count_decimal_places",
+    "enforce_mifid_retention",
+    "is_assets_capability",
+    "is_infrastructure_failure",
+    "is_mifid_applicable",
+    "is_sca_exempt",
+    "is_terminal_escrow_state",
+    "is_valid_escrow_transition",
+    "requires_human_oversight",
+    "requires_psd2_sca",
+    "validate_assets_token_scope",
+    "validate_currency_or_unit",
+    "validate_escrow_cancel",
+    "validate_escrow_conditions",
+    "validate_escrow_dispute",
+    "validate_escrow_release",
+    "PAYLOAD_TYPE_ESCROW_RELEASE",
+    "AssetPendingApprovalArgs",
+    "validate_asset_pending_approval",
+    "validate_metadata_no_financial_data",
+    "validate_payment_reference_unique",
+    "validate_psd2_sca_factors",
+    "validate_compliance_echo",
+    "validate_idempotency_key_in_envelope",
+    "validate_receipt_against_request",
+    "validate_reversal_precondition",
+    "validate_transfer_amount",
+    "validate_transfer_delegation",
+    "validate_transfer_receipt",
+    "validate_transfer_request",
+    "validate_transfer_reversal",
+    "validate_two_party_auth",
+    # routing (Layer 4)
+    "BROKER_EXPIRY_SAFETY_MARGIN_S",
+    "BROKER_FORWARD_TIMEOUT_S",
+    "BrokerRelayAuditRecord",
+    "DEFAULT_PRIORITY",
+    "EU_EEA_MEMBER_STATES",
+    "LIFECYCLE_STATES",
+    "LIFECYCLE_TRANSITIONS",
+    "ForwardingResult",
+    "LifecycleState",
+    "MAX_RETRIES_RECOMMENDED",
+    "MAX_RETRY_DELAY_S",
+    "PAYLOAD_HASH_HEX_LENGTH",
+    "RATE_LIMITED_DEFAULT_DELAY_S",
+    "RETRY_BASE_DELAY_S",
+    "RETRY_MULTIPLIER",
+    "RETRYABLE_LIFECYCLE_STATES",
+    "RateLimitStatus",
+    "RoutingDecision",
+    "TERMINAL_LIFECYCLE_STATES",
+    "Topology",
+    "broker_serves_zone",
+    "build_broker_relay_audit_record",
+    "compute_rate_limited_delay",
+    "is_eu_eea_member",
+    "is_retryable_lifecycle_state",
+    "is_terminal_lifecycle_state",
+    "is_valid_lifecycle_transition",
+    "parse_rate_limit_headers",
+    "resolve_priority",
+    "select_broker_by_priority",
+    "select_broker_random",
+    "select_topology",
+    "validate_broker_entry",
+    "validate_broker_relay_audit_record",
+    "validate_relay_preconditions",
+    # audit (Layer 5)
+    "AUDIT_EVENT_TYPES",
+    "build_audit_record",
+    "compute_payload_hash",
+    "derive_event_type_from_intent",
+    "validate_audit_record",
+    # idempotency (Layer 5)
+    "DuplicateIdempotencyKey",
+    "DuplicateRequestInProgress",
+    "HEADER_ONLY_RETENTION_HOURS",
+    "IDEMPOTENCY_KEY_MAX_LENGTH",
+    "IDEMPOTENCY_KEY_MIN_LENGTH",
+    "IdempotencyKeySource",
+    "IdempotencyRecord",
+    "IdempotencyScope",
+    "IdempotencyStatus",
+    "IdempotencyStore",
+    "compute_idempotency_expiry",
+    "extract_envelope_idempotency",
+    "is_idempotency_record_expired",
+    "is_valid_idempotency_key",
+    "resolve_idempotency_key",
+    "resolve_idempotency_source",
+    "scope_tuple",
+    "validate_idempotency_key",
+]