add post-execution verification

package.json

@@ -16,7 +16,7 @@
   "license": "(MIT OR Apache-2.0)",
   "type": "module",
   "dependencies": {
-    "@predicatesystems/authority": "^0.3.3"
+    "@predicatesystems/authority": "^0.4.1"
   },
   "devDependencies": {
     "@types/node": "^25.3.0",

src/authority-client.ts

@@ -1,17 +1,31 @@
 import {
   AuthorityClient,
+  Verifier,
   type AuthorizationRequest,
+  type VerifyRequest,
+  type ActualOperation,
 } from "@predicatesystems/authority";
 import type { ProviderConfig } from "./config.js";
 
+export type { VerifyRequest, ActualOperation };
+
 export interface AuthorityDecision {
   allow: boolean;
   reason?: string;
   mandateId?: string;
 }
 
+export interface VerificationResult {
+  verified: boolean;
+  reason?: string;
+  auditId?: string;
+  authorized?: { action: string; resource: string };
+  actual?: { action: string; resource: string };
+}
+
 export interface AuthorityAdapter {
   authorize(request: AuthorizationRequest): Promise<AuthorityDecision>;
+  verify?(request: VerifyRequest): Promise<VerificationResult>;
 }
 
 interface SdkDecision {
@@ -46,5 +60,36 @@ export function createDefaultAuthorityAdapter(
     maxRetries: config.maxRetries,
     backoffInitialMs: config.backoffInitialMs,
   });
-  return createAuthorityAdapter(sdkClient);
+
+  // Create verifier for post-execution verification
+  const verifier = new Verifier({
+    baseUrl: config.baseUrl,
+    timeoutMs: config.timeoutMs,
+  });
+
+  return {
+    async authorize(request: AuthorizationRequest): Promise<AuthorityDecision> {
+      const decision = await sdkClient.authorize(request);
+      return {
+        allow: decision.allowed,
+        reason: decision.reason,
+        mandateId: decision.mandate_id ?? undefined,
+      };
+    },
+
+    async verify(request: VerifyRequest): Promise<VerificationResult> {
+      const result = await verifier.verify(request);
+      return {
+        verified: result.verified,
+        reason: result.reason,
+        auditId: result.auditId,
+        authorized: result.details?.authorized
+          ? { action: result.details.authorized.action, resource: result.details.authorized.resource }
+          : undefined,
+        actual: result.details?.actual
+          ? { action: result.details.actual.action, resource: result.details.actual.resource }
+          : undefined,
+      };
+    },
+  };
 }

src/provider.ts

@@ -2,11 +2,16 @@ import crypto from "node:crypto";
 import type { AuthorizationRequest } from "@predicatesystems/authority";
 import {
   type AuthorityAdapter,
+  type VerificationResult,
+  type VerifyRequest,
+  type ActualOperation,
   createDefaultAuthorityAdapter,
 } from "./authority-client.js";
 import { defaultProviderConfig, type ProviderConfig } from "./config.js";
 import { ActionDeniedError, SidecarUnavailableError } from "./errors.js";
 
+export type { VerificationResult, VerifyRequest, ActualOperation };
+
 export interface GuardRequest {
   action: string;
   resource: string;
@@ -144,6 +149,57 @@ export class GuardedProvider {
     }
   }
 
+  /**
+   * Verify that an actual operation matches what was authorized.
+   *
+   * Call this after executing an operation to confirm the agent
+   * did what it said it would do.
+   *
+   * @param mandateId - The mandate ID from authorization
+   * @param actual - The actual operation that was performed
+   * @returns Verification result
+   *
+   * @example
+   * ```typescript
+   * const mandateId = await provider.authorize({ action: 'fs.read', resource: '/src/index.ts', args: {} });
+   * const content = await fs.readFile('/src/index.ts');
+   * const result = await provider.verify(mandateId, {
+   *   action: 'fs.read',
+   *   resource: '/src/index.ts',
+   *   contentHash: sha256(content),
+   * });
+   * if (!result.verified) {
+   *   console.error('Verification failed:', result.reason);
+   * }
+   * ```
+   */
+  async verify(
+    mandateId: string,
+    actual: ActualOperation,
+  ): Promise<VerificationResult> {
+    if (!this.authorityClient.verify) {
+      // Verification not supported by this adapter
+      return {
+        verified: true,
+        reason: "verification_not_supported",
+      };
+    }
+
+    try {
+      return await this.authorityClient.verify({
+        mandateId,
+        actual,
+      });
+    } catch (error) {
+      // Best-effort verification; don't fail the operation
+      const message = error instanceof Error ? error.message : String(error);
+      return {
+        verified: false,
+        reason: `verification_error: ${message}`,
+      };
+    }
+  }
+
   private async emitDecisionEvent(event: DecisionTelemetryEvent): Promise<void> {
     this.telemetry?.onDecision?.(event);
     if (!this.auditExporter) {