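/**
 * Agent Request Verifier (POC)
 *
 * Implements the 7-step trust chain verification for incoming agent requests:
 * 1. Verify HTTP signature (RFC 9421)
 * 2. Fetch key directory
 * 3. Verify agent credential
 * 4. Check key binding (signing key matches credential)
 * 5. Verify delegation (if present)
 * 6. Match delegation.sub to agent
 * 7. Check scopes
 *
 * NOTE(review): this declaration file was recovered from a collapsed listing
 * in which every generic type argument (`Map<…>`, `Promise<…>`, `Omit<…>`,
 * `Partial<…>`) had been stripped, which does not compile under `strict`.
 * Arguments that follow unambiguously from the surrounding declarations have
 * been restored; the rest are marked as constructed placeholders below and
 * must be checked against the emitting source (verifier.ts).
 */
import * as jose from 'jose';
import { type DelegationCredential, type AgentCredential } from '@belticlabs/kya-core';
import { type IncomingHttpRequest, type HttpVerificationResult } from './http-verify.js';

/**
 * Error codes for verification failures.
 *
 * Each code names the failing check rather than the underlying cause, so it
 * is safe to surface to the caller as a coarse reason (as the examples below
 * do); any detailed error text belongs in `errorMessage` and should be kept
 * server-side.
 */
export declare const VERIFICATION_ERROR_CODES: {
    readonly HTTP_SIGNATURE_INVALID: "HTTP_SIGNATURE_INVALID";
    readonly HTTP_SIGNATURE_EXPIRED: "HTTP_SIGNATURE_EXPIRED";
    readonly KEY_DIRECTORY_FETCH_FAILED: "KEY_DIRECTORY_FETCH_FAILED";
    readonly KEY_NOT_FOUND: "KEY_NOT_FOUND";
    readonly AGENT_CREDENTIAL_INVALID: "AGENT_CREDENTIAL_INVALID";
    readonly AGENT_CREDENTIAL_EXPIRED: "AGENT_CREDENTIAL_EXPIRED";
    readonly KEY_MISMATCH: "KEY_MISMATCH";
    readonly DIRECTORY_MISMATCH: "DIRECTORY_MISMATCH";
    readonly DELEGATION_INVALID: "DELEGATION_INVALID";
    readonly DELEGATION_EXPIRED: "DELEGATION_EXPIRED";
    readonly DELEGATION_AGENT_MISMATCH: "DELEGATION_AGENT_MISMATCH";
    readonly DELEGATION_AUDIENCE_MISMATCH: "DELEGATION_AUDIENCE_MISMATCH";
    readonly SCOPE_INSUFFICIENT: "SCOPE_INSUFFICIENT";
    readonly CREDENTIALS_MISSING: "CREDENTIALS_MISSING";
    readonly PLATFORM_JWKS_FETCH_FAILED: "PLATFORM_JWKS_FETCH_FAILED";
};

/** Union of all values in {@link VERIFICATION_ERROR_CODES}. */
export type VerificationErrorCode = typeof VERIFICATION_ERROR_CODES[keyof typeof VERIFICATION_ERROR_CODES];

/**
 * Options for verifying an agent request.
 */
export interface VerifyAgentRequestOptions {
    /**
     * Platform JWKS URL for verifying agent credentials.
     * This is the trust root for step 3; it should come from service
     * configuration, never from anything in the request being verified.
     */
    platformJwksUrl: string;
    /** Required scope for this request (if checking scopes) */
    requiredScope?: string;
    /** Required scopes for this request (alternative to single scope) */
    requiredScopes?: string[];
    /**
     * Audience to validate in delegation (usually this service's URL).
     * Optional; when omitted the DELEGATION_AUDIENCE_MISMATCH check
     * presumably cannot fire, so a delegation issued for a different service
     * would pass here — confirm in verifier.ts and set it in production.
     */
    audience?: string;
    /**
     * Whether delegation is required (default: false for POC).
     * With the default, a request that carries no delegation still verifies;
     * steps 5–6 only apply when a delegation is present.
     */
    requireDelegation?: boolean;
    /**
     * Cache for platform JWKS (optional).
     * NOTE(review): the Map type arguments were lost in extraction;
     * `Map<string, unknown>` is a constructed placeholder. The otherwise
     * unused `jose` import suggests the value type is a jose key-set type —
     * restore from source.
     */
    jwksCache?: Map<string, unknown>;
    /**
     * Custom fetch function for HTTP requests (presumably the key-directory
     * and JWKS fetches of steps 2–3). If the key-directory URL is taken from
     * the request's credentials, this is the place to supply an
     * egress-restricting wrapper rather than the global fetch — confirm
     * against verifier.ts.
     */
    fetch?: typeof fetch;
}

/**
 * Result of agent request verification.
 *
 * Callers should gate on `verified` alone; the identity fields are optional
 * and are presumably only populated on success.
 */
export interface AgentVerificationResult {
    /** Whether the request is verified */
    verified: boolean;
    /** Error code if verification failed */
    errorCode?: VerificationErrorCode;
    /** Error message if verification failed */
    errorMessage?: string;
    /** The verified agent ID */
    agentId?: string;
    /** The verified developer credential ID */
    developerId?: string;
    /** The agent credential (decoded) */
    agentCredential?: AgentCredential;
    /** The delegation credential (if present and valid) */
    delegation?: DelegationCredential;
    /** HTTP signature verification result */
    httpSignature?: HttpVerificationResult;
    /** The key thumbprint used for signing */
    keyThumbprint?: string;
}

/**
 * Verify an incoming agent request.
 *
 * This implements the 7-step trust chain verification:
 * 1. Verify HTTP signature
 * 2. Fetch key directory
 * 3. Verify agent credential
 * 4. Check key binding
 * 5. Verify delegation (if present)
 * 6. Match delegation.sub to agent
 * 7. Check scopes
 *
 * The promise type argument was restored from the `@returns` description;
 * failures are reported via `verified: false` plus `errorCode`, not by
 * rejecting the promise (inferred from the example — confirm).
 *
 * @param request - The incoming HTTP request
 * @param options - Verification options
 * @returns Verification result
 *
 * @example
 * ```typescript
 * const result = await verifyAgentRequest(req, {
 *   platformJwksUrl: 'https://kya.beltic.app/.well-known/jwks.json',
 *   requiredScope: 'shopping:browse',
 *   audience: 'https://api.myservice.com',
 * });
 *
 * if (!result.verified) {
 *   return res.status(401).json({ error: result.errorCode });
 * }
 *
 * console.log('Agent:', result.agentId);
 * ```
 */
export declare function verifyAgentRequest(
    request: IncomingHttpRequest,
    options: VerifyAgentRequestOptions
): Promise<AgentVerificationResult>;

/**
 * Create a middleware-style verifier for Express/Hono/etc.
 *
 * NOTE(review): the `Omit` key set and the `Partial` argument were lost in
 * extraction; the ones written here are constructed placeholders chosen to
 * match the example (base options carry the trust root, per-request options
 * carry the scope). If the real override type is `Partial` over the full
 * options, a call site could replace `platformJwksUrl` per request — the
 * source should restrict the override to the per-request fields.
 *
 * @param options - Base verification options
 * @returns A function that verifies requests
 *
 * @example
 * ```typescript
 * const verifier = createAgentVerifier({
 *   platformJwksUrl: 'https://kya.beltic.app/.well-known/jwks.json',
 * });
 *
 * app.use('/api', async (req, res, next) => {
 *   const result = await verifier(req, { requiredScope: 'shopping:browse' });
 *   if (!result.verified) {
 *     return res.status(401).json({ error: result.errorCode });
 *   }
 *   req.agent = result;
 *   next();
 * });
 * ```
 */
export declare function createAgentVerifier(
    baseOptions: Omit<VerifyAgentRequestOptions, 'requiredScope' | 'requiredScopes'>
): (
    request: IncomingHttpRequest,
    overrideOptions?: Partial<VerifyAgentRequestOptions>
) => Promise<AgentVerificationResult>;

/**
 * Clear the platform JWKS cache.
 *
 * Presumably drops the module-level cache so the next verification refetches
 * the JWKS from `platformJwksUrl` (e.g. after a key rotation); whether it
 * also touches a caller-supplied `jwksCache` is not stated here — confirm.
 */
export declare function clearPlatformJwksCache(): void;
//# sourceMappingURL=verifier.d.ts.map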