/**
 * Wire 0.2 Zod schemas and types (v0.12.0-preview.1)
 *
 * This file contains:
 *   - Wire02ClaimsSchema: the canonical Zod schema for Wire 0.2 envelopes
 *   - Wire02Claims: inferred TypeScript type (z.infer<typeof Wire02ClaimsSchema>)
 *   - Supporting schemas: EvidencePillarSchema, PillarsSchema, Wire02KindSchema,
 *     ReceiptTypeSchema, CanonicalIssSchema, PolicyBlockSchema
 *   - isCanonicalIss(): exported canonical-iss validator
 *   - isValidReceiptType(): exported type-grammar validator
 *   - checkOccurredAtSkew(): cross-field skew check helper
 *
 * Wire02Claims does NOT live in @peac/kernel (layer violation);
 * it lives here because it references schema-layer types (Correction 4).
 */
import { z } from 'zod';
import type { VerificationWarning } from '@peac/kernel';
/**
 * Validate that an issuer (iss) claim is in canonical form.
 *
 * Accepted schemes:
 *   - `https://`: ASCII origin (lowercase scheme+host, no explicit default port
 *     (:443 rejected), origin-only, no path/query/fragment/userinfo).
 *     Raw Unicode hosts are rejected; punycode (xn--...) is accepted.
 *   - `did:`: DID Core identifier (`did:<method>:<id>`) where method is
 *     `[a-z0-9]+` and the method-specific-id contains no `#`, `?`, or `/`.
 *
 * All other schemes produce E_ISS_NOT_CANONICAL.
 *
 * @param iss - Issuer claim value to validate
 * @returns true if canonical form; false otherwise
 */
export declare function isCanonicalIss(iss: string): boolean;
/**
 * Validate that a type claim conforms to the Wire 0.2 type grammar.
 *
 * Accepted forms:
 *   - Reverse-DNS notation: `<domain>/<segment>` where `<domain>` has at
 *     least one dot (e.g., `org.peacprotocol/commerce`, `com.example/flow`)
 *   - Absolute URI: starts with `scheme://` (e.g., `https://example.com/type`)
 *
 * @param value - Type claim value to validate
 * @returns true if valid type grammar; false otherwise
 */
export declare function isValidReceiptType(value: string): boolean;
export declare const EvidencePillarSchema: z.ZodEnum<{
    attribution: "attribution";
    identity: "identity";
    purpose: "purpose";
    access: "access";
    commerce: "commerce";
    compliance: "compliance";
    consent: "consent";
    privacy: "privacy";
    provenance: "provenance";
    safety: "safety";
}>;
export declare const PillarsSchema: z.ZodArray<z.ZodEnum<{
    attribution: "attribution";
    identity: "identity";
    purpose: "purpose";
    access: "access";
    commerce: "commerce";
    compliance: "compliance";
    consent: "consent";
    privacy: "privacy";
    provenance: "provenance";
    safety: "safety";
}>>;
export declare const Wire02KindSchema: z.ZodEnum<{
    evidence: "evidence";
    challenge: "challenge";
}>;
export declare const ReceiptTypeSchema: z.ZodString;
export declare const CanonicalIssSchema: z.ZodString;
export declare const PolicyBlockSchema: z.ZodObject<{
    digest: z.ZodString;
    uri: z.ZodOptional<z.ZodString>;
    version: z.ZodOptional<z.ZodString>;
}, z.core.$strip>;
export declare const Wire02ClaimsSchema: z.ZodObject<{
    peac_version: z.ZodLiteral<"0.2">;
    kind: z.ZodEnum<{
        evidence: "evidence";
        challenge: "challenge";
    }>;
    type: z.ZodString;
    iss: z.ZodString;
    iat: z.ZodNumber;
    jti: z.ZodString;
    sub: z.ZodOptional<z.ZodString>;
    pillars: z.ZodOptional<z.ZodArray<z.ZodEnum<{
        attribution: "attribution";
        identity: "identity";
        purpose: "purpose";
        access: "access";
        commerce: "commerce";
        compliance: "compliance";
        consent: "consent";
        privacy: "privacy";
        provenance: "provenance";
        safety: "safety";
    }>>>;
    actor: z.ZodOptional<z.ZodObject<{
        id: z.ZodString;
        proof_type: z.ZodEnum<{
            "ed25519-cert-chain": "ed25519-cert-chain";
            "eat-passport": "eat-passport";
            "eat-background-check": "eat-background-check";
            "sigstore-oidc": "sigstore-oidc";
            did: "did";
            spiffe: "spiffe";
            "x509-pki": "x509-pki";
            custom: "custom";
        }>;
        proof_ref: z.ZodOptional<z.ZodString>;
        origin: z.ZodString;
        intent_hash: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>>;
    policy: z.ZodOptional<z.ZodObject<{
        digest: z.ZodString;
        uri: z.ZodOptional<z.ZodString>;
        version: z.ZodOptional<z.ZodString>;
    }, z.core.$strip>>;
    representation: z.ZodOptional<z.ZodObject<{
        content_hash: z.ZodOptional<z.ZodString>;
        content_type: z.ZodOptional<z.ZodString>;
        content_length: z.ZodOptional<z.ZodNumber>;
    }, z.core.$strict>>;
    occurred_at: z.ZodOptional<z.ZodString>;
    purpose_declared: z.ZodOptional<z.ZodString>;
    extensions: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
}, z.core.$strict>;
/** Inferred type for Wire 0.2 receipt claims */
export type Wire02Claims = z.infer<typeof Wire02ClaimsSchema>;
/**
 * Check the occurred_at field for temporal consistency.
 *
 * Rules (evidence kind only; caller must not call for challenge kind):
 *   - If occurred_at > now + tolerance: hard error (E_OCCURRED_AT_FUTURE)
 *   - If occurred_at > iat (within tolerance): warning (occurred_at_skew)
 *   - If occurred_at <= iat: valid, no warning
 *   - If occurred_at is undefined: no check performed
 *
 * @param occurredAt - Value of the occurred_at claim, or undefined
 * @param iat - iat claim value (Unix seconds)
 * @param now - Current time (Unix seconds)
 * @param tolerance - Allowed future skew in seconds (default: OCCURRED_AT_TOLERANCE_SECONDS)
 * @returns 'future_error' for hard error, VerificationWarning for skew warning, null for valid
 */
export declare function checkOccurredAtSkew(occurredAt: string | undefined, iat: number, now: number, tolerance?: number): VerificationWarning | 'future_error' | null;
//# sourceMappingURL=wire-02-envelope.d.ts.map