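/**
 * ActorBinding and MVIS (Minimum Viable Identity Set) Schemas (v0.11.3+)
 *
 * Implements ActorBinding, Multi-Root Proof Types, and MVIS for the
 * Agent Identity Profile.
 *
 * ActorBinding lives in ext["org.peacprotocol/actor_binding"] in Wire 0.1.
 * ProofTypeSchema (trust-root taxonomy) is SEPARATE from the transport-binding
 * method enum on AgentProofSchema.method (agent-identity.ts). Unifying them
 * into a single taxonomy was considered and rejected in v0.13.0 (DD-185):
 * transport-binding and trust-root concerns are semantically distinct and
 * remain separate surfaces. The ProofMethodSchema / PROOF_METHODS / ProofMethod
 * standalone exports were removed in v0.13.0; the four transport-binding
 * values are now inlined directly on AgentProofSchema.method.
 *
 * This is a declaration file: nothing in it executes. The behaviour described
 * for isOriginOnly, validateActorBinding and validateMVIS is the documented
 * contract of the implementation module, not something checked here.
 *
 * @see docs/specs/AGENT-IDENTITY-PROFILE.md for normative specification
 */
import { z } from 'zod';

/**
 * Proof types for ActorBinding.
 *
 * 8 methods covering attestation chains, RATS, keyless signing,
 * decentralized identity, workload identity, PKI, and vendor-defined.
 *
 * SEPARATE from the transport-binding method enum inlined on
 * AgentProofSchema.method (agent-identity.ts). That enum covers how proof
 * is transported (HTTP signatures, DPoP, mTLS, JWK thumbprint).
 * ProofTypeSchema covers the trust-root model used to establish identity.
 * The two concerns compose rather than conflict; see
 * docs/specs/AGENT-IDENTITY-PROFILE.md §3.4 for the mapping table.
 *
 * The 'custom' type: implementers MUST document their proof semantics externally.
 * proof_ref SHOULD use a reverse-DNS namespace (e.g., 'com.example.vendor/proof-type-v1').
 * A verifier that does not recognise a 'custom' proof_ref has no trust root to
 * anchor on and should treat the binding as unverified rather than as valid.
 */
export declare const PROOF_TYPES: readonly [
  "ed25519-cert-chain",
  "eat-passport",
  "eat-background-check",
  "sigstore-oidc",
  "did",
  "spiffe",
  "x509-pki",
  "custom"
];

/** Zod enum over PROOF_TYPES; the schema form of the trust-root vocabulary. */
export declare const ProofTypeSchema: z.ZodEnum<{
  "ed25519-cert-chain": "ed25519-cert-chain";
  "eat-passport": "eat-passport";
  "eat-background-check": "eat-background-check";
  "sigstore-oidc": "sigstore-oidc";
  did: "did";
  spiffe: "spiffe";
  "x509-pki": "x509-pki";
  custom: "custom";
}>;

/** Union of the PROOF_TYPES string literals. */
export type ProofType = z.infer<typeof ProofTypeSchema>;

/**
 * Validate that a string is an origin-only URL (scheme + host + optional port).
 * Rejects URLs with path (other than '/'), query, or fragment components.
 * This prevents correlation leakage and ambiguity in ActorBinding.
 *
 * Valid: "https://example.com", "https://example.com:8443"
 * Invalid: "https://example.com/api/v1", "https://example.com?q=1", "https://example.com#frag"
 *
 * NOTE(review): the documented contract covers path, query and fragment only.
 * Whether userinfo (credentials before '@') or non-https schemes are rejected
 * is not stated here; confirm against the implementation before relying on
 * this check alone for correlation-leak prevention.
 *
 * @param value - Candidate URL string
 * @returns true when value is an origin-only URL as defined above
 */
export declare function isOriginOnly(value: string): boolean;

/**
 * Extension key for ActorBinding in Wire 0.1 ext[].
 */
export declare const ACTOR_BINDING_EXTENSION_KEY: "org.peacprotocol/actor_binding";

/**
 * ActorBinding schema.
 *
 * Binds an actor identity to a receipt via ext["org.peacprotocol/actor_binding"].
 * Wire 0.2 moves this to a kernel field.
 *
 * - id: Stable actor identifier (opaque, no PII)
 * - proof_type: Trust root model from vocabulary
 * - proof_ref: Optional URI or hash of external proof artifact
 * - origin: Origin-only URL (scheme + host + optional port; no path/query/fragment)
 * - intent_hash: Optional SHA-256 hash of the intent (hash-first; the
 *   normative reference was lost in extraction, see the spec document)
 *
 * The object is declared with the z.core.$strict config, i.e. unknown keys are
 * rejected rather than stripped, so an ext payload with extra members fails
 * validation. The declared type of origin is a plain ZodString; whether the
 * isOriginOnly refinement is applied by the schema itself or only by
 * validateActorBinding is not visible from this declaration — confirm in the
 * implementation before treating a schema-parsed origin as origin-only.
 */
export declare const ActorBindingSchema: z.ZodObject<
  {
    id: z.ZodString;
    proof_type: z.ZodEnum<{
      "ed25519-cert-chain": "ed25519-cert-chain";
      "eat-passport": "eat-passport";
      "eat-background-check": "eat-background-check";
      "sigstore-oidc": "sigstore-oidc";
      did: "did";
      spiffe: "spiffe";
      "x509-pki": "x509-pki";
      custom: "custom";
    }>;
    // Type arguments below were stripped in extraction and are restored as
    // ZodString from the field docs ("URI or hash", "SHA-256 hash") — confirm
    // against the implementation module.
    proof_ref: z.ZodOptional<z.ZodString>;
    origin: z.ZodString;
    intent_hash: z.ZodOptional<z.ZodString>;
  },
  z.core.$strict
>;

/** Parsed ActorBinding value. */
export type ActorBinding = z.infer<typeof ActorBindingSchema>;

/**
 * MVIS (Minimum Viable Identity Set) fields.
 *
 * 5 required fields for any identity receipt to be considered complete.
 * validateMVIS() is a pure validation function with zero I/O.
 *
 * Fields:
 * - issuer: Who issued the identity assertion
 * - subject: Who the identity is about (opaque identifier)
 * - key_binding: Cryptographic binding to a key (kid or thumbprint)
 * - time_bounds: Validity period with not_before and not_after
 * - replay_protection: Unique token ID (jti) and optional nonce
 *
 * The declared types constrain every field to a string only; the expected
 * timestamp format for time_bounds (presumably RFC 3339) and the key_binding
 * format are not enforced by the declared type — TODO confirm in the schema
 * implementation.
 */
export declare const MVISTimeBoundsSchema: z.ZodObject<
  {
    not_before: z.ZodString;
    not_after: z.ZodString;
  },
  z.core.$strict
>;

/** Parsed MVIS validity window. */
export type MVISTimeBounds = z.infer<typeof MVISTimeBoundsSchema>;

export declare const MVISReplayProtectionSchema: z.ZodObject<
  {
    jti: z.ZodString;
    // Restored as ZodString (type argument lost in extraction) — confirm.
    nonce: z.ZodOptional<z.ZodString>;
  },
  z.core.$strict
>;

/** Parsed MVIS replay-protection fields. */
export type MVISReplayProtection = z.infer<typeof MVISReplayProtectionSchema>;

export declare const MVISFieldsSchema: z.ZodObject<
  {
    issuer: z.ZodString;
    subject: z.ZodString;
    key_binding: z.ZodString;
    time_bounds: z.ZodObject<
      {
        not_before: z.ZodString;
        not_after: z.ZodString;
      },
      z.core.$strict
    >;
    replay_protection: z.ZodObject<
      {
        jti: z.ZodString;
        nonce: z.ZodOptional<z.ZodString>;
      },
      z.core.$strict
    >;
  },
  z.core.$strict
>;

/** Parsed MVIS field set. */
export type MVISFields = z.infer<typeof MVISFieldsSchema>;

/**
 * Validate an ActorBinding object.
 *
 * @param data - Unknown data to validate
 * @returns Result with validated ActorBinding or error message
 */
export declare function validateActorBinding(data: unknown):
  | {
      ok: true;
      value: ActorBinding;
    }
  | {
      ok: false;
      error: string;
    };

/**
 * Validate MVIS fields.
 *
 * Pure validation function with zero I/O.
 * Checks that all 5 required fields are present and valid.
 * Also validates that time_bounds.not_before < time_bounds.not_after.
 *
 * Because it performs no I/O it reads no clock: the ordering of the window is
 * checked, but whether the window is current is not. Callers presumably have
 * to compare time_bounds against a trusted clock, and track jti/nonce for
 * replay detection, themselves — confirm in the implementation.
 *
 * @param data - Unknown data to validate
 * @returns Result with validated MVIS fields or error message
 */
export declare function validateMVIS(data: unknown):
  | {
      ok: true;
      value: MVISFields;
    }
  | {
      ok: false;
      error: string;
    };
//# sourceMappingURL=actor-binding.d.ts.map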