/**
 * Recipient resolution for both sides of the JWE wire.
 *
 * Signer side (decrypt): given a received JWE, walk `recipients[]`
 * and pull the first X25519 private key the wallet actually holds.
 *
 * Operator side (encrypt): given a connection id, resolve the peer's
 * X25519 KeyAgreement public key into a `Recipient` ready for
 * `encrypt()`.
 *
 * Both functions are wallet-implementation agnostic — callers pass
 * async callbacks that bridge to Credo's wallet APIs.
 */
import { type JweGeneralJson, type Recipient } from '../jwe';
export declare class RecipientNotInWallet extends Error {
    constructor(message: string);
}
export declare class PeerKeyLookupFailed extends Error {
    constructor(message: string);
}
/** `(kid) -> 32-byte X25519 priv` or `null` if the wallet doesn't hold it. */
export type WalletPrivLookup = (kid: string) => Promise<Uint8Array | null | undefined>;
/** `(connection_id) -> (kid, 32-byte X25519 pub)` for the peer. */
export type PeerPubLookup = (connectionId: string) => Promise<{
    kid: string;
    publicKey: Uint8Array;
}>;
/**
 * Walk `jwe.recipients[]` for a key the wallet holds. First match
 * wins — multi-recipient JWEs can address the same wallet under
 * multiple kids (key rotation, did:peer rotation) and any match
 * decrypts the same CEK because the bulk body is shared.
 */
export declare function findDecryptionKey(args: {
    jwe: JweGeneralJson;
    walletLookup: WalletPrivLookup;
}): Promise<{
    kid: string;
    privateKey: Uint8Array;
}>;
/**
 * Resolve the peer's static X25519 KeyAgreement key into a
 * `Recipient`. The peer's pub key was published in their DID Document
 * at connection setup; we just look it up.
 *
 * Defaults to `alg: ECDH-ES`. Pass `alg` to use pq-hybrid later.
 */
export declare function resolveRecipientForConnection(args: {
    connectionId: string;
    peerLookup: PeerPubLookup;
    alg?: string;
}): Promise<Recipient>;