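/**
 * Newton Privacy Module — Client-side HPKE encryption for privacy-preserving policy evaluation.
 *
 * Encryption suite: X25519 KEM + HKDF-SHA256 + ChaCha20-Poly1305 (RFC 9180, Base mode).
 * Compatible with the Rust gateway's `crates/core/src/crypto/hpke.rs`.
 *
 * Key design constraints:
 * - Zero network calls during encrypt/createSecureEnvelope
 * - Offline capable once the gateway public key is known
 * - Ephemeral keys zeroed after encryption
 *
 * The declarations below fall into two groups:
 * - pure offline helpers that never touch the network
 *   (createSecureEnvelope, generateSigningKeyPair, signPrivacyAuthorization);
 * - gateway API calls that take a chainId + apiKey and perform network I/O
 *   (the fetch / upload / store functions).
 *
 * NOTE(review): the `Promise<...>` type arguments were reconstructed from the
 * imported *Result / *Response types (each is used exactly once) — confirm
 * against the original declaration file.
 */
import type {
  CreateSecureEnvelopeParams,
  Ed25519KeyPair,
  GetConfidentialDataResult,
  GetIdentityEncryptedResult,
  PrivacyAuthorizationResult,
  PrivacyPublicKeyResponse,
  SecretsPublicKeyResponse,
  SecureEnvelopeResult,
  SignPrivacyAuthorizationParams,
  StoreEncryptedSecretsParams,
  StoreEncryptedSecretsResponse,
  UploadConfidentialDataParams,
  UploadConfidentialDataResult,
  UploadIdentityEncryptedParams,
  UploadIdentityEncryptedResponse,
} from '../../types/privacy';

/**
 * Create a SecureEnvelope by encrypting plaintext with HPKE.
 *
 * This is a pure, offline function — zero network calls.
 * The ephemeral HPKE key is generated internally and zeroed after use.
 *
 * SECURITY: The caller owns the signingKey buffer lifecycle and must zeroize it when done.
 * This function copies the key internally and zeroes the copy after signing, but the
 * original Uint8Array remains in the caller's control. Note that overwriting a
 * Uint8Array cannot reach any copies the JS runtime itself may have made, so
 * treat zeroization as best-effort hygiene rather than a hard guarantee.
 *
 * @param params - Encryption parameters (plaintext and the recipient HPKE public key, per CreateSecureEnvelopeParams)
 * @param signingKey - Ed25519 private key seed (32 bytes as Uint8Array)
 * @returns Envelope + Ed25519 signature over the serialized envelope
 */
export declare function createSecureEnvelope(
  params: CreateSecureEnvelopeParams,
  signingKey: Uint8Array,
): Promise<SecureEnvelopeResult>;

/**
 * Fetch the gateway's X25519 HPKE public key.
 *
 * Clients call this once to discover which key to encrypt SecureEnvelopes to.
 * The result can be cached — the key only changes on gateway restart or key rotation.
 * A cache that is not refreshed after rotation would presumably leave clients
 * encrypting to a stale key, so callers should have an invalidation strategy.
 *
 * NOTE(review): the key is obtained from the gateway over the API; how the
 * response is authenticated (TLS, pinning, or otherwise) is not shown here —
 * confirm before trusting the returned key for encryption.
 *
 * @param chainId - Target chain ID
 * @param apiKey - Gateway API key
 * @param gatewayApiUrlOverride - Optional override of the gateway API base URL
 * @returns The gateway's HPKE public key response
 */
export declare function getPrivacyPublicKey(
  chainId: number,
  apiKey: string,
  gatewayApiUrlOverride?: string,
): Promise<PrivacyPublicKeyResponse>;

/**
 * Upload encrypted identity data to the gateway.
 *
 * The caller must provide a pre-built SecureEnvelope (via createSecureEnvelope)
 * and an EIP-712 signature of the envelope JSON from the identity owner.
 * The gateway stores the envelope and returns a data_ref_id + gateway signature
 * for the on-chain registerIdentityData call.
 *
 * @param chainId - Target chain ID
 * @param apiKey - Gateway API key
 * @param params - The envelope and owner signature to upload
 * @param gatewayApiUrlOverride - Optional override of the gateway API base URL
 * @returns data_ref_id and gateway signature for registerIdentityData
 */
export declare function uploadIdentityEncrypted(
  chainId: number,
  apiKey: string,
  params: UploadIdentityEncryptedParams,
  gatewayApiUrlOverride?: string,
): Promise<UploadIdentityEncryptedResponse>;

/**
 * Fetch encrypted identity data by its content-hash reference ID.
 *
 * Used to resolve a data_ref_id (stored on-chain in IdentityRegistry) back to
 * the actual encrypted data blob (stored off-chain in the gateway).
 *
 * @param chainId - Target chain ID
 * @param apiKey - Gateway API key
 * @param dataRefId - Content-hash reference ID of the stored envelope
 * @param gatewayApiUrlOverride - Optional override of the gateway API base URL
 * @returns The stored encrypted identity data
 */
export declare function getIdentityEncrypted(
  chainId: number,
  apiKey: string,
  dataRefId: string,
  gatewayApiUrlOverride?: string,
): Promise<GetIdentityEncryptedResult>;

/**
 * Fetch the gateway's X25519 HPKE public key for WASM secrets encryption.
 *
 * In threshold DKG mode, this returns a different key than getPrivacyPublicKey.
 * Use this key when encrypting secrets via storeEncryptedSecrets; encrypting
 * secrets to the privacy key instead would not match what the gateway expects.
 *
 * @param chainId - Target chain ID
 * @param apiKey - Gateway API key
 * @param gatewayApiUrlOverride - Optional override of the gateway API base URL
 * @returns The secrets-encryption public key response
 */
export declare function getSecretsPublicKey(
  chainId: number,
  apiKey: string,
  gatewayApiUrlOverride?: string,
): Promise<SecretsPublicKeyResponse>;

/**
 * Generate a random Ed25519 key pair for signing envelopes and privacy authorization.
 *
 * This is a pure offline function. The private key is generated from 32 bytes of
 * cryptographically secure randomness via `crypto.getRandomValues`.
 * The caller is responsible for protecting and eventually zeroizing the private key.
 *
 * @returns A freshly generated Ed25519 key pair
 */
export declare function generateSigningKeyPair(): Ed25519KeyPair;

/**
 * Upload HPKE-encrypted secrets for a policy client's PolicyData.
 *
 * The gateway decrypts the HPKE envelope, validates the plaintext against
 * the PolicyData schema, and stores the envelope for operator-side decryption
 * during policy evaluation.
 *
 * @param chainId - Target chain ID
 * @param apiKey - Gateway API key
 * @param params - The encrypted secrets envelope to store
 * @param gatewayApiUrlOverride - Optional override of the gateway API base URL
 * @returns The gateway's store response
 */
export declare function storeEncryptedSecrets(
  chainId: number,
  apiKey: string,
  params: StoreEncryptedSecretsParams,
  gatewayApiUrlOverride?: string,
): Promise<StoreEncryptedSecretsResponse>;

/**
 * Compute dual Ed25519 signatures for privacy-enabled task creation.
 *
 * Dual signatures prevent the app from forging user authorization, and ensure
 * the app explicitly acknowledges which encrypted data refs are being used.
 * The gateway validates both when `encrypted_data_refs` are present in `newt_createTask`.
 *
 * Signature scheme (must match `crates/gateway/src/processor/privacy_auth.rs`):
 * - User signs: keccak256(abi.encodePacked(policy_client, intent_hash, ref_id_1, ref_id_2, ...))
 * - App signs: keccak256(abi.encodePacked(policy_client, intent_hash, user_signature))
 *
 * Because the app signature covers the user signature, the two must be produced
 * in that order; the ref ID order is also part of what the user signs.
 *
 * This is a pure offline function — zero network calls.
 *
 * @param params - Policy client, intent hash, encrypted data refs and the signing keys
 * @returns The user and app signatures
 */
export declare function signPrivacyAuthorization(
  params: SignPrivacyAuthorizationParams,
): PrivacyAuthorizationResult;

/**
 * Upload HPKE-encrypted confidential data (blacklists, allowlists, sanctions lists, etc.)
 * to the gateway.
 *
 * The provider encrypts data client-side using HPKE and uploads the envelope.
 * The gateway stores it and returns a content-hash data_ref_id. The provider
 * then calls ConfidentialDataRegistry.publishData(domain, dataRefId) on-chain.
 *
 * If recipientPublicKey is not provided, it is fetched from the gateway first
 * via newt_getPrivacyPublicKey — so, unlike createSecureEnvelope, this call
 * may perform an extra network round trip before encrypting.
 *
 * @param chainId - Target chain ID
 * @param apiKey - Gateway API key
 * @param params - Data to encrypt and upload (optionally with recipientPublicKey)
 * @param gatewayApiUrlOverride - Optional override of the gateway API base URL
 * @returns The content-hash data_ref_id for the stored envelope
 */
export declare function uploadConfidentialData(
  chainId: number,
  apiKey: string,
  params: UploadConfidentialDataParams,
  gatewayApiUrlOverride?: string,
): Promise<UploadConfidentialDataResult>;

/**
 * Retrieve encrypted confidential data by its data reference ID.
 *
 * Returns the HPKE-encrypted envelope along with the domain and provider address.
 * The caller is responsible for decryption using their HPKE private key.
 *
 * @param chainId - Target chain ID
 * @param apiKey - Gateway API key
 * @param dataRefId - Content-hash reference ID of the stored envelope
 * @param gatewayApiUrlOverride - Optional override of the gateway API base URL
 * @returns The encrypted envelope, domain and provider address
 */
export declare function getConfidentialData(
  chainId: number,
  apiKey: string,
  dataRefId: string,
  gatewayApiUrlOverride?: string,
): Promise<GetConfidentialDataResult>;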