/**
 * Veridex Protocol SDK - Session Key Management Types
 *
 * Type definitions for ephemeral session keys that enable
 * native L1-speed transactions after initial biometric auth.
 */
/**
 * Ephemeral session key for fast software-backed signing
 *
 * Security model:
 * - Private key encrypted at rest (AES-GCM)
 * - Max 24-hour duration enforced on-chain
 * - Value limits prevent unlimited spending
 * - Chain scopes restrict cross-chain usage
 */
interface SessionKey {
    /** Public key of the session (secp256k1) */
    publicKey: Uint8Array;
    /** Private key (MUST be encrypted before storage) */
    privateKey: Uint8Array;
    /** Keccak256 hash of public key (on-chain identifier) */
    keyHash: string;
    /** Unix timestamp when session expires (milliseconds) */
    expiry: number;
    /** Maximum transaction value allowed (in token's base units) */
    maxValue: bigint;
    /** Wormhole chain IDs where this session is valid */
    chainScopes: number[];
    /** User's Passkey key hash (binds session to user) */
    userKeyHash: string;
}
/**
 * Configuration for session creation and lifecycle
 */
interface SessionConfig {
    /** Session duration in seconds (default: 3600 = 1 hour, max: 86400 = 24 hours) */
    duration: number;
    /**
     * Maximum per-transaction value in base units.
     *
     * `0` is accepted by the on-chain Hub contract and means **"no per-tx
     * limit from the session object"** — the transaction is then bounded
     * only by the vault's daily cap (and any off-chain relayer policy).
     * That is a deliberate protocol choice so callers can opt into
     * vault-level bounding, but for most apps it is a foot-gun: an attacker
     * who captures the session key can drain the vault up to the vault cap.
     *
     * The SDK therefore throws at `createSession` time when `maxValue === 0n`
     * unless `allowUnboundedMaxValue: true` is set explicitly on the config.
     */
    maxValue: bigint;
    /** Auto-refresh session before expiry (default: true) */
    autoRefresh: boolean;
    /** Refresh buffer time in seconds (refresh this many seconds before expiry, default: 300 = 5 min) */
    refreshBuffer?: number;
    /** Chain scopes - which Wormhole chain IDs can use this session (empty = all chains) */
    chainScopes?: number[];
    /**
     * Opt-in for `maxValue === 0n` ("unlimited per-tx, bounded only by the
     * vault daily cap"). Defaults to `false`. Set this only if you have
     * verified that the vault has a non-trivial daily cap configured and
     * that the risk of session-key compromise draining up to that cap is
     * acceptable for your threat model.
     */
    allowUnboundedMaxValue?: boolean;
}
/**
 * Signature produced by signing with a session key
 *
 * This is a lightweight software signature (secp256k1) that can be
 * validated on-chain via CCQ to Hub's isSessionActive() state.
 */
interface SessionSignature {
    /** ECDSA signature (r, s, v) from session private key */
    signature: Uint8Array;
    /** Session key hash (links signature to registered session) */
    sessionKeyHash: string;
    /** User's Passkey key hash (for Hub state query) */
    userKeyHash: string;
    /** Timestamp when signature was created (for replay prevention) */
    timestamp: number;
    /** Optional nonce for additional replay protection */
    nonce?: number;
}
/**
 * Configuration for SessionManager initialization
 */
interface SessionManagerConfig {
    /** Default session configuration */
    defaultSessionConfig: SessionConfig;
    /** Storage backend ('indexeddb' or 'localstorage', default: 'indexeddb') */
    storageBackend?: 'indexeddb' | 'localstorage';
    /** Enable debug logging */
    debug?: boolean;
    /** Custom encryption key derivation (for testing only) */
    encryptionKey?: CryptoKey;
}
/**
 * Events emitted during session lifecycle
 */
type SessionEvent = {
    type: 'session-created';
    session: SessionKey;
} | {
    type: 'session-loaded';
    session: SessionKey;
} | {
    type: 'session-expired';
    keyHash: string;
} | {
    type: 'session-refreshed';
    session: SessionKey;
} | {
    type: 'session-revoked';
    keyHash: string;
} | {
    type: 'all-sessions-revoked';
    count: number;
} | {
    type: 'session-error';
    error: Error;
};
type SessionEventCallback = (event: SessionEvent) => void;
/**
 * Interface for session storage implementations
 *
 * Implementations MUST:
 * - Encrypt private keys before storage
 * - Use secure key derivation (e.g., PBKDF2 or similar)
 * - Provide atomic read/write/delete operations
 */
interface SessionStorage {
    /**
     * Save a session (private key will be encrypted)
     */
    save(session: SessionKey): Promise<void>;
    /**
     * Load a session by key hash, or the most recent valid session when omitted
     */
    load(keyHash?: string): Promise<SessionKey | null>;
    /**
     * Load every valid stored session for this credential
     */
    loadAll(): Promise<SessionKey[]>;
    /**
     * Remove a specific session from storage
     */
    remove(keyHash: string): Promise<void>;
    /**
     * Clear all stored sessions
     */
    clear(): Promise<void>;
    /**
     * Check if a session exists
     */
    exists(keyHash?: string): Promise<boolean>;
}
/**
 * Parameters for an action to be signed with a session key
 */
interface ActionParams {
    /** Action type (transfer, execute, bridge, etc.) */
    action: string;
    /** Target chain (Wormhole chain ID) */
    targetChain: number;
    /** Transaction value in base units */
    value: bigint;
    /** Action-specific payload */
    payload: Uint8Array;
    /** Nonce for replay prevention */
    nonce: number;
    /** Optional deadline timestamp */
    deadline?: number;
}
/**
 * Result of session-signed action
 */
interface SessionSignedAction {
    /** Original action parameters */
    action: ActionParams;
    /** Session signature */
    signature: SessionSignature;
    /** Ready to submit to relayer or on-chain */
    readyToSubmit: boolean;
}
declare class SessionError extends Error {
    code: SessionErrorCode;
    details?: unknown | undefined;
    constructor(message: string, code: SessionErrorCode, details?: unknown | undefined);
}
declare enum SessionErrorCode {
    NO_ACTIVE_SESSION = "NO_ACTIVE_SESSION",
    SESSION_NOT_FOUND = "SESSION_NOT_FOUND",
    SESSION_EXPIRED = "SESSION_EXPIRED",
    VALUE_EXCEEDS_LIMIT = "VALUE_EXCEEDS_LIMIT",
    CHAIN_NOT_ALLOWED = "CHAIN_NOT_ALLOWED",
    STORAGE_ERROR = "STORAGE_ERROR",
    ENCRYPTION_ERROR = "ENCRYPTION_ERROR",
    INVALID_CONFIG = "INVALID_CONFIG",
    REGISTRATION_FAILED = "REGISTRATION_FAILED",
    REVOCATION_FAILED = "REVOCATION_FAILED",
    BATCH_REVOCATION_FAILED = "BATCH_REVOCATION_FAILED"
}

export { type ActionParams as A, type SessionStorage as S, type SessionKey as a, type SessionConfig as b, type SessionSignature as c, type SessionManagerConfig as d, type SessionEvent as e, type SessionEventCallback as f, type SessionSignedAction as g, SessionErrorCode as h, SessionError as i };