/**
 * Normative kernel constraints for PEAC receipts.
 *
 * These limits are formalized from existing ad-hoc limits already
 * enforced in the codebase:
 * - JSON_EVIDENCE_LIMITS (json.ts): depth, array, keys, string, nodes
 * - CLOCK_SKEW_SECONDS: temporal validity tolerance
 *
 * String length is measured in code units (.length), matching the semantics
 * of assertJsonSafeIterative(). UTF-8 byte-length caps may be introduced
 * as an explicit tightening in a future version.
 *
 * Payment/rail-specific limits (x402 DoS guards) are intentionally
 * NOT included here -- they belong in the rail/adapter layer.
 */
/**
 * Kernel constraints governing PEAC receipt structure and validation.
 * All packages MUST respect these limits.
 *
 * Provenance:
 * - MAX_NESTED_DEPTH..MAX_TOTAL_NODES: from JSON_EVIDENCE_LIMITS (json.ts)
 * - CLOCK_SKEW_SECONDS: from temporal validity
 */
export declare const KERNEL_CONSTRAINTS: {
    /** Maximum nesting depth for JSON evidence */
    readonly MAX_NESTED_DEPTH: 32;
    /** Maximum array length in evidence */
    readonly MAX_ARRAY_LENGTH: 10000;
    /** Maximum object keys in a single object */
    readonly MAX_OBJECT_KEYS: 1000;
    /** Maximum string length in code units (JS .length). Matches assertJsonSafeIterative. */
    readonly MAX_STRING_LENGTH: 65536;
    /** Maximum total nodes to visit during traversal */
    readonly MAX_TOTAL_NODES: 100000;
    /** Temporal validity clock skew tolerance in seconds */
    readonly CLOCK_SKEW_SECONDS: 60;
};
export type KernelConstraintKey = keyof typeof KERNEL_CONSTRAINTS;
export interface ConstraintViolation {
    constraint: KernelConstraintKey;
    actual: number;
    limit: number;
    path?: string;
}
export interface ConstraintValidationResult {
    valid: boolean;
    violations: ConstraintViolation[];
}
/**
 * Validate claims against structural kernel constraints using iterative
 * (stack-safe) traversal. Checks depth, array length, object keys, string
 * length, and total node count. Semantic constraints like CLOCK_SKEW_SECONDS
 * are enforced by receipt verification, not this structural validator.
 *
 * Traversal semantics are aligned with assertJsonSafeIterative(): every value
 * (including primitives) is pushed to the stack and counted when popped.
 * String length uses .length (code units), matching assertJsonSafeIterative.
 *
 * **Cycle safety:** This function assumes acyclic input (e.g., the output of
 * JSON.parse(), which is acyclic by construction). If passed a cyclic object
 * graph, traversal will terminate when MAX_TOTAL_NODES is reached -- it will
 * not hang -- but the violation report may be misleading. Callers with
 * potentially cyclic inputs should pre-check with a WeakSet guard.
 *
 * Never throws -- always returns a result object.
 */
export declare function validateKernelConstraints(claims: unknown): ConstraintValidationResult;
//# sourceMappingURL=constraints.d.ts.map