interface MovePackageFetchLocalContext { dependencyName: string; parentPackageName: string; parentSource?: { type: string; git?: string; rev?: string; subdir?: string; local?: string; }; network: "mainnet" | "testnet" | "devnet"; } /** Abstract interface for fetching package content. */ declare class MovePackageFetcher { /** * Optional host-provided local package loader. * * Browser callers should implement this with a supplied snapshot, * File System Access API, or a server endpoint. The library does not read the * host filesystem directly. */ fetchLocal?: (localPath: string, context: MovePackageFetchLocalContext) => Promise>; /** Fetch a package. Return map of path -> content. */ fetch(_gitUrl: string, _rev: string, _subdir?: string): Promise>; /** Fetch a single file from a repository. */ fetchFile(_gitUrl: string, _rev: string, _path: string): Promise; /** Get the resolved commit SHA for a git URL and rev (after fetch). */ getResolvedSha(_gitUrl: string, _rev: string): string | undefined; } interface MovePackageStageReport { stage: string; packageId?: string; environment: string; modes: string[]; nodeCount?: number; edgeCount?: number; activeEdgeCount?: number; linkedNodeCount?: number; code?: string; } interface MovePackageFetchFailedSource { type: string; git?: string; rev?: string; subdir?: string; local?: string; address?: string; } interface MovePackageFetchFailedReport { dependencyName: string; source: MovePackageFetchFailedSource; parentPackageName?: string; parentSource?: MovePackageFetchFailedSource; error: string; code?: string; } /** Build progress event types for tracking build status */ type MovePackageProgressEvent = { type: "resolve_start"; } | { type: "resolve_dep"; name: string; source: string; current: number; total: number; } | { type: "resolve_complete"; count: number; } | { type: "compile_start"; } | { type: "compile_complete"; } | { type: "lockfile_generate"; } | ({ type: "fetch_failed"; } & MovePackageFetchFailedReport) | ({ type: "stage_trace"; } & MovePackageStageReport); /** Callback function for receiving build progress events */ type MovePackageProgressCallback = (event: MovePackageProgressEvent) => void; interface MovePackageResolvedDependencies { /** JSON string of resolved files for the root package */ files: string; /** JSON string of resolved dependencies (linkage applied, for compilation) */ dependencies: string; /** JSON string of all dependencies including diamond duplicates (for lockfile) */ lockfileDependencies: string; } declare const MOVE_PACKAGE_INTENTS: readonly ["dump", "publish", "upgrade"]; type MovePackageIntent = (typeof MOVE_PACKAGE_INTENTS)[number]; interface MovePackageGitSource { git: string; rev: string; subdir?: string; } interface MovePackageInput { /** Virtual file system contents. Keys are paths (e.g. "Move.toml", "sources/Module.move"). */ files: Record; /** Optional custom URL for the wasm binary. Defaults to bundled wasm next to this module. */ wasm?: string | URL | BufferSource; /** Optional root package git source for resolving relative local deps from Move.lock. */ rootGit?: MovePackageGitSource; /** Optional GitHub token to raise API limits when resolving dependencies. */ githubToken?: string; /** Optional dependency fetcher. Defaults to GitHubMovePackageFetcher. */ fetcher?: MovePackageFetcher; /** Emit ANSI color codes in diagnostics when available. */ ansiColor?: boolean; /** Network environment (mainnet, testnet, devnet). Defaults to mainnet. */ network?: "mainnet" | "testnet" | "devnet"; /** Optional pre-resolved dependencies. If provided, dependency resolution will be skipped. */ resolvedDependencies?: MovePackageResolvedDependencies; /** Use this option to silence warnings. */ silenceWarnings?: boolean; /** Compile with unpublished dependencies using the CLI BuildConfig behavior. */ withUnpublishedDependencies?: boolean; /** Arbitrary Move compiler modes, equivalent to CLI --mode values. */ modes?: string[]; /** Move compiler lint level. Accepted values: "none", "default", "all". */ lintFlag?: "none" | "default" | "all"; /** Reserved for metadata stripping; not applied by the current WASM compiler path. */ stripMetadata?: boolean; /** Optional progress callback for build events */ onProgress?: MovePackageProgressCallback; } type VerificationStatus = "verified" | "bytecode_version_mismatch" | "mismatch" | "build_failure" | "invalid_reference"; type VerificationVerdict = "exact_bytecode_match" | "root_address_substitution_match" | "bytecode_version_header_mismatch" | "bytecode_format_drift" | "semantic_mismatch" | "unverified"; type VerificationFailureStage = "wasm_init" | "dependency_resolution" | "input_validation" | "compile" | "compiler_output" | "verification_output"; interface ReferenceArtifact { modules: string[]; dependencies?: string[]; digest?: number[] | string; /** Root package address for on-chain package module comparison. */ rootAddress?: string; /** Deployed package object ID metadata. Does not request root-address substitution. */ packageId?: string; /** Declared Sui CLI version for evidence only. Bytecode comparison remains authoritative. */ cliVersion?: string; /** Declared build config for evidence only. */ buildConfig?: VerificationBuildConfig; } interface VerificationBuildConfig { edition?: string; flavor?: string; } interface VerificationSelectedVerifier { verifierId: string; epochId?: string; suiVersion?: string; decodedBytecodeVersion?: number; bytecodeFlavor?: number | null; } type VerificationCandidateOutcome = "selected" | "tried_but_not_exact" | "compile_failed"; interface VerificationCandidateAttempt { verifierId: string; epochId?: string; suiVersion?: string; outcome: VerificationCandidateOutcome; status?: VerificationStatus; verdict?: VerificationVerdict; failureStage?: VerificationFailureStage; } interface VerificationReferenceBytecode { decodedVersion?: number; flavor?: number | null; moduleCount: number; } interface VerificationSourceEditionEvidence { source: "root" | "dependency"; packageName?: string; manifestPath?: string; declaredEdition?: string; effectiveEdition: string; defaulted: boolean; supported: boolean; } interface VerificationSourceCompatibility { supportedEditions: string[]; defaultEdition: string; root?: VerificationSourceEditionEvidence; dependencies?: VerificationSourceEditionEvidence[]; unsupportedEditions: VerificationSourceEditionEvidence[]; } interface VerificationModuleSummary { length: number; version: number; flavor?: number; sha256: string; name?: string; address?: string; originalAddress?: string; functionCount?: number; structCount?: number; constantCount?: number; deserializeError?: string; } interface VerificationArtifactSummary { moduleCount: number; perModule: VerificationModuleSummary[]; dependencies: string[]; digest?: string; cliVersion?: string; buildConfig?: VerificationBuildConfig; } interface VerificationHeaderEvidence { name?: string; address?: string; version: number; flavor?: number; } interface VerificationBytecodeHeaderEvidence { source: "binary_header" | "metadata+binary_header"; reference: VerificationHeaderEvidence[]; currentBuild: VerificationHeaderEvidence[]; /** Caller-declared Sui CLI version for the reference artifact, when provided. */ referenceCliVersion?: string; /** Sui source version baked into the verifier WASM, not a local CLI probe. */ currentVerifierSuiVersion?: string; referenceBuildConfig?: VerificationBuildConfig; } interface VerificationBytecodeDiff { module?: string; classification: VerificationVerdict; firstDiffOffset?: number; changedSections?: string[]; changedTables?: VerificationChangedTable[]; rawBytesMatch: boolean; semanticMatch: boolean; rootAddressSubstitutionApplied: boolean; rootAddressConflict?: VerificationRootAddressConflict; sameExceptVersionWord: boolean; identity: VerificationBytecodeIdentityEvidence; shape: VerificationBytecodeShapeEvidence; reference: VerificationModuleSummary; currentBuild: VerificationModuleSummary; } interface VerificationChangedTable { name: string; referenceBytes?: number; currentBuildBytes?: number; referenceSha256?: string; currentBuildSha256?: string; sameSha256: boolean; sameBytes: boolean; } interface VerificationRootAddressConflict { requestedRootAddress: string; currentBuildAddress: string; } interface VerificationBytecodeIdentityEvidence { matches: boolean; referenceName?: string; currentBuildName?: string; referenceAddress?: string; currentBuildAddress?: string; referenceOriginalAddress?: string; currentBuildOriginalAddress?: string; } interface VerificationBytecodeShapeEvidence { matches: boolean; referenceFunctionCount?: number; currentBuildFunctionCount?: number; referenceStructCount?: number; currentBuildStructCount?: number; referenceConstantCount?: number; currentBuildConstantCount?: number; } interface VerificationCurrentBuild { modules: string[]; dependencies: string[]; digest: number[] | string; warnings?: string; } interface MovePackageProvenanceResult { status: VerificationStatus; verdict?: VerificationVerdict; summary?: string; displayMessage?: string; failureStage?: VerificationFailureStage; selectedVerifier?: VerificationSelectedVerifier; candidatesConsidered?: VerificationCandidateAttempt[]; referenceBytecode?: VerificationReferenceBytecode; sourceCompatibility?: VerificationSourceCompatibility; currentBuild?: VerificationCurrentBuild; referenceSummary?: VerificationArtifactSummary; currentSummary?: VerificationArtifactSummary; bytecodeHeaderEvidence?: VerificationBytecodeHeaderEvidence; differences?: string[]; bytecodeDiffs?: VerificationBytecodeDiff[]; error?: string; } interface MovePackageProvenanceInput extends MovePackageInput { /** * Rebuild policy for the current source. * Transaction callers pass the externally extracted Publish or Upgrade kind. * Publish keeps the package root address; upgrade uses root-as-zero. */ intent: VerificationProvenanceIntent; reference: ReferenceArtifact; /** * Browser asset base for bundled routed verifier modules. * Accepts root-relative paths such as "/assets" or absolute HTTP(S) URLs. */ verifierAssetBaseUrl?: string | URL; /** * Evidence label for a caller-provided verification WASM. * This does not affect compiler behavior; it only identifies custom WASM results. */ wasmVerifier?: VerificationSelectedVerifier; } type VerificationProvenanceIntent = Extract; /** Initialize the verification WASM module (idempotent). */ declare function initMovePackageVerifier(options?: { wasm?: string | URL | BufferSource; }): Promise; /** Sui Move version baked into the verification WASM. */ declare function getPinnedSuiMoveVersion(options?: { wasm?: string | URL | BufferSource; }): Promise; /** Sui repo version baked into the verification WASM. */ declare function getPinnedSuiVersion(options?: { wasm?: string | URL | BufferSource; }): Promise; /** * Rebuild source and compare it to caller-provided reference bytecode. * Browser WASM builds use declared host/crypto/network compatibility boundaries; see SECURITY.md. * `failureStage` is a failure-only diagnostic and is absent from verified, mismatch, and bytecode-version-mismatch results. */ declare function verifyMovePackageProvenance(input: MovePackageProvenanceInput): Promise; export { type MovePackageProvenanceInput, type MovePackageProvenanceResult, type ReferenceArtifact, type VerificationArtifactSummary, type VerificationBuildConfig, type VerificationBytecodeDiff, type VerificationBytecodeHeaderEvidence, type VerificationBytecodeIdentityEvidence, type VerificationBytecodeShapeEvidence, type VerificationCandidateAttempt, type VerificationCandidateOutcome, type VerificationChangedTable, type VerificationCurrentBuild, type VerificationFailureStage, type VerificationHeaderEvidence, type VerificationModuleSummary, type VerificationProvenanceIntent, type VerificationReferenceBytecode, type VerificationRootAddressConflict, type VerificationSelectedVerifier, type VerificationSourceCompatibility, type VerificationSourceEditionEvidence, type VerificationStatus, type VerificationVerdict, getPinnedSuiMoveVersion, getPinnedSuiVersion, initMovePackageVerifier, verifyMovePackageProvenance };