/**
 * ZCAP-LD verifier: walk chain + enforce caveats.
 *
 * A request is allowed only when:
 *   1. Chain anchors at a root the verifier trusts.
 *   2. Each link's proof verifies against its parent's controller.
 *   3. Each capability's `expires` + `allowedAction` are respected.
 *   4. Every caveat on every capability in the chain `check()`s OK.
 *   5. The invocation target matches at every level.
 */
import { Capability, type InvocationContext } from './model';
export declare class ChainVerificationError extends Error {
    constructor(message: string);
}
/**
 * Allow-or-throw gate for a single invocation.
 *
 * @param chain - `[invocationCap, parent, ..., root]` ordered child-to-root.
 * @param context - Runtime request properties.
 * @param resolvePublicKey - `verificationMethod -> 32-byte Ed25519 pub`.
 * @param trustedRootController - DID that owns the resource; chain
 *   anchor's `controller` MUST equal this.
 */
export declare function verify({ chain, context, resolvePublicKey, trustedRootController, }: {
    chain: Capability[];
    context: InvocationContext;
    resolvePublicKey: (verificationMethod: string) => Uint8Array;
    trustedRootController: string;
}): void;