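/**
 * Repo whose attestations we'll fetch and trust. Locked to the canonical
 * agent-skills repo so a fork can't pretend to be us.
 */
export declare const ATTESTATION_REPO = "ably/agent-skills";

/**
 * Workflow file path that must have produced the attestation. The cert SAN
 * URI ends in `<workflowPath>@<ref>` (angle-bracket names are placeholders),
 * so locking this prevents an attestation from any *other* workflow file in
 * the same repo from being accepted (e.g. a malicious workflow added in a PR).
 */
export declare const ATTESTATION_WORKFLOW_PATH = ".github/workflows/release.yml";

/**
 * Signer policy for {@link verifyTarballAttestation}: which repo's
 * attestations are fetched and which workflow file must have signed them.
 * The lock is only as strong as the values passed here; production callers
 * are expected to pass {@link ATTESTATION_REPO} and
 * {@link ATTESTATION_WORKFLOW_PATH} rather than caller-controlled strings.
 */
export interface AttestationVerificationOptions {
  /** GitHub `owner/name` whose attestations are fetched. */
  repo: string;
  /** Workflow file path that must appear in the signer's SAN URI. */
  workflowPath: string;
}

/** Result of a successful verification; failures throw instead of returning. */
export interface AttestationVerificationResult {
  /** SHA-256 of the verified tarball, hex-encoded. */
  tarballSha256: string;
  /** Cert SAN identity that signed the attestation (the workflow URI). */
  signerIdentity: string;
}

/**
 * Verify a tarball against GitHub's published SLSA build-provenance attestation.
 *
 * Steps (angle-bracket names are placeholders):
 * 1. SHA-256 the tarball.
 * 2. Pull the attestation bundle from `repos/<repo>/attestations/sha256:<digest>`.
 * 3. Verify cryptographically via sigstore (Sigstore Public Good trust root).
 * 4. Enforce a SAN-URI policy that locks the signer to `<repo>/<workflowPath>`
 *    on either a release tag (`refs/tags/v*`) or `refs/heads/main`
 *    (workflow_dispatch path).
 *
 * Throws on any verification failure — there is no fallback.
 *
 * @param tarball Raw tarball bytes. The digest is computed here from the
 *   bytes themselves; no caller-supplied digest is accepted.
 * @param opts Signer policy (repo and workflow path) the attestation must match.
 * @returns The hex digest that was verified and the SAN identity that signed it.
 * @throws On any fetch, signature or policy failure.
 */
export declare function verifyTarballAttestation(
  tarball: Buffer,
  opts: AttestationVerificationOptions,
): Promise<AttestationVerificationResult>;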