/**
 * Agent Identity Attestation Types and Validators (v0.9.25+)
 *
 * Provides cryptographic proof-of-control binding for agents,
 * distinguishing operator-verified bots from user-delegated agents.
 *
 * This is a declaration file: it describes the exported Zod schemas, the types
 * inferred from them, and the signatures of the validator/helper functions.
 * The implementations are not part of this file.
 *
 * NOTE(review): in this copy several generic type arguments appear to be
 * missing (e.g. `z.infer;`, `z.ZodArray;`, `z.ZodOptional;`, `Record;`), which
 * is not valid TypeScript. Regenerate the declarations from the source module
 * before type-checking against them.
 *
 * @see docs/specs/AGENT-IDENTITY.md for normative specification
 */
import { z } from 'zod';
import type { JsonValue } from '@peac/kernel';

/**
 * Control type distinguishes operator-verified bots from user-delegated agents.
 *
 * - 'operator': Bot/crawler operated by a known organization (e.g., Googlebot, GPTBot)
 * - 'user-delegated': Agent acting on behalf of a human user (e.g., browser extension, AI assistant)
 *
 * The value is a claim made inside the attestation; on its own it is not
 * evidence of who operates the agent.
 */
export declare const ControlTypeSchema: z.ZodEnum<{
  operator: "operator";
  "user-delegated": "user-delegated";
}>;
export type ControlType = z.infer;

/**
 * Array of valid control types for runtime checks
 */
export declare const CONTROL_TYPES: readonly ["operator", "user-delegated"];

/**
 * Details of what was included in the binding message for http-message-signature.
 *
 * This allows verifiers to reconstruct the binding message for verification.
 *
 * The object is declared strict (`z.core.$strict`), so keys other than the
 * five listed here are rejected when parsing. `body_hash` is optional.
 * NOTE(review): `signed_at` is declared as a plain string; any timestamp
 * format or freshness check is not visible in this declaration - confirm
 * against the implementation.
 */
export declare const BindingDetailsSchema: z.ZodObject<{
  method: z.ZodString;
  target: z.ZodString;
  headers_included: z.ZodArray;
  body_hash: z.ZodOptional;
  signed_at: z.ZodString;
}, z.core.$strict>;
export type BindingDetails = z.infer;

/**
 * Proof of control binding - cryptographic evidence that the agent controls the key.
 *
 * `method` selects one of four mechanisms: 'http-message-signature', 'dpop',
 * 'mtls' or 'jwk-thumbprint'. `key_id` is required and `alg` carries a default.
 *
 * `signature`, `dpop_proof`, `cert_thumbprint` and `binding` are each declared
 * optional, so the declared shape does not by itself require the field that
 * matches `method` to be present.
 * NOTE(review): whether a refinement enforces that pairing is not visible
 * here - a verifier should check it explicitly before trusting the proof.
 */
export declare const AgentProofSchema: z.ZodObject<{
  method: z.ZodEnum<{
    "http-message-signature": "http-message-signature";
    dpop: "dpop";
    mtls: "mtls";
    "jwk-thumbprint": "jwk-thumbprint";
  }>;
  key_id: z.ZodString;
  alg: z.ZodDefault;
  signature: z.ZodOptional;
  dpop_proof: z.ZodOptional;
  cert_thumbprint: z.ZodOptional;
  binding: z.ZodOptional;
  body_hash: z.ZodOptional;
  signed_at: z.ZodString;
}, z.core.$strict>>;
}, z.core.$strict>;
export type AgentProof = z.infer;

/**
 * Agent identity evidence - the payload of an AgentIdentityAttestation.
 *
 * Contains the agent identifier, control type, capabilities, and optional
 * cryptographic proof of key control.
 *
 * Only `agent_id` and `control_type` are required. Because `proof` is
 * optional, evidence that parses successfully may carry no cryptographic
 * material at all; in that case `agent_id`, `control_type`, `operator` and
 * `user_id` are unauthenticated claims.
 *
 * NOTE(review): `key_directory_url` is supplied inside the attestation. How
 * the library uses it is not visible here; a verifier that resolves keys from
 * it should confirm the URL against a trusted source first.
 */
export declare const AgentIdentityEvidenceSchema: z.ZodObject<{
  agent_id: z.ZodString;
  control_type: z.ZodEnum<{
    operator: "operator";
    "user-delegated": "user-delegated";
  }>;
  capabilities: z.ZodOptional>;
  delegation_chain: z.ZodOptional>;
  proof: z.ZodOptional;
  key_id: z.ZodString;
  alg: z.ZodDefault;
  signature: z.ZodOptional;
  dpop_proof: z.ZodOptional;
  cert_thumbprint: z.ZodOptional;
  binding: z.ZodOptional;
  body_hash: z.ZodOptional;
  signed_at: z.ZodString;
}, z.core.$strict>>;
}, z.core.$strict>>;
  key_directory_url: z.ZodOptional;
  operator: z.ZodOptional;
  user_id: z.ZodOptional;
  metadata: z.ZodOptional>>>;
}, z.core.$strict>;
export type AgentIdentityEvidence = z.infer;

/**
 * Attestation type literal for agent identity
 */
export declare const AGENT_IDENTITY_TYPE: "peac/agent-identity";

/**
 * AgentIdentityAttestation - extends generic Attestation with agent-specific evidence.
 *
 * This attestation proves cryptographic control over an agent identity,
 * distinguishing operator-verified bots from user-delegated agents.
 *
 * Required top-level fields are `type` (the literal 'peac/agent-identity'),
 * `issuer`, `issued_at` and `evidence`; `expires_at` and `ref` are optional.
 * The proof of control lives in `evidence.proof`, which is itself optional,
 * so a schema-valid attestation is not necessarily a proven one.
 *
 * @example
 * ```typescript
 * const attestation: AgentIdentityAttestation = {
 *   type: 'peac/agent-identity',
 *   issuer: 'https://crawler.example.com',
 *   issued_at: '2026-01-03T12:00:00Z',
 *   evidence: {
 *     agent_id: 'bot:crawler-prod-001',
 *     control_type: 'operator',
 *     operator: 'Example Crawler Inc.',
 *     capabilities: ['crawl', 'index'],
 *     proof: {
 *       method: 'http-message-signature',
 *       key_id: 'key-2026-01',
 *       alg: 'EdDSA',
 *     },
 *   },
 * };
 * ```
 */
export declare const AgentIdentityAttestationSchema: z.ZodObject<{
  type: z.ZodLiteral<"peac/agent-identity">;
  issuer: z.ZodString;
  issued_at: z.ZodString;
  expires_at: z.ZodOptional;
  ref: z.ZodOptional;
  evidence: z.ZodObject<{
    agent_id: z.ZodString;
    control_type: z.ZodEnum<{
      operator: "operator";
      "user-delegated": "user-delegated";
    }>;
    capabilities: z.ZodOptional>;
    delegation_chain: z.ZodOptional>;
    proof: z.ZodOptional;
    key_id: z.ZodString;
    alg: z.ZodDefault;
    signature: z.ZodOptional;
    dpop_proof: z.ZodOptional;
    cert_thumbprint: z.ZodOptional;
    binding: z.ZodOptional;
    body_hash: z.ZodOptional;
    signed_at: z.ZodString;
  }, z.core.$strict>>;
  }, z.core.$strict>>;
    key_directory_url: z.ZodOptional;
    operator: z.ZodOptional;
    user_id: z.ZodOptional;
    metadata: z.ZodOptional>>>;
  }, z.core.$strict>;
}, z.core.$strict>;
export type AgentIdentityAttestation = z.infer;

/**
 * Identity binding result from constructBindingMessage().
 *
 * Used to tie an agent identity attestation to a specific HTTP request.
 *
 * All four fields are required strings and the object is strict.
 * NOTE(review): the hash algorithm and the encodings of `binding_message_hash`
 * and `signature` are not visible in this declaration - see the specification.
 */
export declare const IdentityBindingSchema: z.ZodObject<{
  binding_message_hash: z.ZodString;
  signature: z.ZodString;
  key_id: z.ZodString;
  signed_at: z.ZodString;
}, z.core.$strict>;
export type IdentityBinding = z.infer;

/**
 * Agent identity verification result to include in receipt evidence.
 *
 * This block is added by the publisher after verifying an agent identity
 * attestation, binding the verified identity to the issued receipt.
 *
 * Records which `key_id` was used and the `binding_hash` of the request the
 * identity was bound to, together with the `verified_at` time.
 */
export declare const AgentIdentityVerifiedSchema: z.ZodObject<{
  agent_id: z.ZodString;
  control_type: z.ZodEnum<{
    operator: "operator";
    "user-delegated": "user-delegated";
  }>;
  verified_at: z.ZodString;
  key_id: z.ZodString;
  binding_hash: z.ZodString;
}, z.core.$strict>;
export type AgentIdentityVerified = z.infer;

/**
 * Validate an AgentIdentityAttestation.
 *
 * Returns a tagged result instead of throwing: `ok: true` with the typed
 * attestation, or `ok: false` with an error string.
 *
 * NOTE(review): presumably this checks the data against
 * AgentIdentityAttestationSchema only. Nothing in this declaration shows that
 * `evidence.proof` is verified against a key, so treat `ok: true` as
 * "well-formed", not "authenticated" - confirm against the implementation.
 *
 * @param data - Unknown data to validate
 * @returns Result with validated attestation or error message
 *
 * @example
 * ```typescript
 * const result = validateAgentIdentityAttestation(data);
 * if (result.ok) {
 *   console.log('Agent ID:', result.value.evidence.agent_id);
 * } else {
 *   console.error('Validation error:', result.error);
 * }
 * ```
 */
export declare function validateAgentIdentityAttestation(data: unknown): {
  ok: true;
  value: AgentIdentityAttestation;
} | {
  ok: false;
  error: string;
};

/**
 * Check if an object is an AgentIdentityAttestation.
 *
 * The documented contract is a check on the `type` tag alone, yet the return
 * type narrows the argument to the full AgentIdentityAttestation. After this
 * guard passes, `evidence` and the other fields have not been validated; for
 * data from an untrusted source use validateAgentIdentityAttestation() before
 * reading them.
 *
 * @param attestation - Object with a type field
 * @returns True if the type is 'peac/agent-identity'
 */
export declare function isAgentIdentityAttestation(attestation: {
  type: string;
}): attestation is AgentIdentityAttestation;

/**
 * Parameters for creating an AgentIdentityAttestation.
 *
 * There is no signing-key field here: any cryptographic proof has to be
 * produced by the caller and passed in through `proof`.
 */
export interface CreateAgentIdentityAttestationParams {
  /** Issuer of the attestation */
  issuer: string;
  /** Stable agent identifier */
  agent_id: string;
  /** Control type: operator or user-delegated */
  control_type: ControlType;
  /** Cryptographic proof (optional) */
  proof?: AgentProof;
  /** Agent capabilities (optional) */
  capabilities?: string[];
  /** Delegation chain for user-delegated (optional) */
  delegation_chain?: string[];
  /** Key directory URL (optional) */
  key_directory_url?: string;
  /** Agent operator name (optional, for operator type) */
  operator?: string;
  /** User ID (optional, for user-delegated type) */
  user_id?: string;
  /** When the attestation expires (optional) */
  expires_at?: string;
  /** External verification endpoint (optional) */
  ref?: string;
  /** Additional metadata (optional, must be JSON-safe) */
  metadata?: Record;
}

/**
 * Create an AgentIdentityAttestation with current timestamp.
 *
 * When `params.proof` is omitted the resulting attestation carries no proof
 * of key control. `expires_at` is optional as well, so the result may have no
 * expiry.
 *
 * @param params - Attestation parameters
 * @returns A valid AgentIdentityAttestation
 *
 * @example
 * ```typescript
 * const attestation = createAgentIdentityAttestation({
 *   issuer: 'https://crawler.example.com',
 *   agent_id: 'bot:crawler-prod-001',
 *   control_type: 'operator',
 *   operator: 'Example Crawler Inc.',
 *   capabilities: ['crawl', 'index'],
 * });
 * ```
 */
export declare function createAgentIdentityAttestation(params: CreateAgentIdentityAttestationParams): AgentIdentityAttestation;

/**
 * Validate an IdentityBinding.
 *
 * Returns a tagged result instead of throwing.
 * NOTE(review): presumably a shape check against IdentityBindingSchema; the
 * declaration does not show the signature being verified - confirm.
 *
 * @param data - Unknown data to validate
 * @returns Result with validated binding or error message
 */
export declare function validateIdentityBinding(data: unknown): {
  ok: true;
  value: IdentityBinding;
} | {
  ok: false;
  error: string;
};

/**
 * Check if an agent identity attestation is expired.
 *
 * NOTE(review): `expires_at` is optional in the schema. What this returns for
 * an attestation without `expires_at` is not visible here; if it is `false`,
 * such attestations never expire and callers need their own maximum age -
 * confirm against the implementation.
 *
 * @param attestation - The attestation to check
 * @param clockSkew - Optional clock skew tolerance in milliseconds (default: 30000)
 * @returns True if the attestation has expired
 */
export declare function isAttestationExpired(attestation: AgentIdentityAttestation, clockSkew?: number): boolean;

/**
 * Check if an agent identity attestation is not yet valid.
 *
 * Complements isAttestationExpired(): a freshness check needs both, since
 * each one covers only one end of the validity window.
 *
 * @param attestation - The attestation to check
 * @param clockSkew - Optional clock skew tolerance in milliseconds (default: 30000)
 * @returns True if the attestation is not yet valid (issued_at in the future)
 */
export declare function isAttestationNotYetValid(attestation: AgentIdentityAttestation, clockSkew?: number): boolean;
//# sourceMappingURL=agent-identity.d.ts.map