/** * Issuer-key loader for `peac record command`. * * Implements the same issuer-key reference convention used by other * PEAC tools: env:VAR_NAME and file:/path. Keeps the CLI signing UX * aligned with the existing PEAC convention without coupling * @peac/cli to any other package's loader implementation. * * Supported schemes: * env:VAR_NAME loads JSON from process.env.VAR_NAME (or * caller-supplied env) * file:/path loads JSON from the file path * * The value at the resolved location is a JSON-encoded * Ed25519PrivateJwk: * * { "kty": "OKP", "crv": "Ed25519", "x": , "d": , * "kid": "optional" } * * `kid` is extracted from the JWK if present, otherwise derived from * the public key (truncated SHA-256 of the base64url-encoded public * key) so runs are reproducible. * * The loader NEVER logs key bytes; error messages reference field * names and structural problems only. */ export declare class IssuerKeyLoadError extends Error { readonly cause?: unknown | undefined; readonly code = "cli.issuer_key_load_failed"; constructor(message: string, cause?: unknown | undefined); } export declare class IssuerKeyInvalidError extends Error { readonly cause?: unknown | undefined; readonly code = "cli.issuer_key_invalid"; constructor(message: string, cause?: unknown | undefined); } export interface LoadedIssuerKey { privateKey: Uint8Array; publicKey: Uint8Array; kid: string; } /** * Load the issuer key from a `--issuer-key` reference. * * @param schemeUri - One of `env:VAR` or `file:/path`. * @param env - Environment to consult for `env:` references. * Defaults to `process.env`. Tests inject custom env. */ export declare function loadIssuerKey(schemeUri: string, env?: NodeJS.ProcessEnv): Promise; /** * Derive a `kid` from a freshly-generated ephemeral public key. Same * formula as the loader's fallback so observation records are * consistent with the JWK-based path. */ export declare function deriveKidFromPublicKey(publicKey: Uint8Array): Promise; //# sourceMappingURL=issuer-key-loader.d.ts.map