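/**
 * A2A Mutual Authentication Adapter
 *
 * Layers APS mutual-auth on top of Google A2A Agent Cards. A2A v1.0
 * introduced Signed Agent Cards, which let an agent cryptographically
 * present itself. This adapter closes the asymmetry by also letting
 * an information system present a certificate the agent verifies.
 *
 * Composition boundary:
 *   A2A Agent Card  — identity discovery (agent → network)
 *   APS passport    — identity + delegation + attestation grade
 *   MutualAuthCert  — binding of either party into the handshake
 *
 * This adapter does NOT replace A2A's signed cards. It carries an
 * additional MutualAuthCertificate alongside the card, for scenarios
 * where the peer is an IS (not another agent) and downgrade-proof
 * mutual auth is required.
 *
 * Reading note: three of the four handshake functions report failure
 * through their return value, not by a declared exception. Callers must
 * inspect every result before acting on it.
 */
import type { A2AAgentCard } from '../types/a2a.js';
import type {
  MutualAuthCertificate,
  MutualAuthPolicy,
  TrustAnchor,
  MutualAuthHello,
  MutualAuthAttest,
  MutualAuthResult,
} from '../v2/mutual-auth/index.js';

/**
 * Envelope carrying an A2A card + the mutual-auth certificate that
 * binds its identity into handshake scope.
 */
export interface A2AMutualAuthEnvelope {
  /** The A2A Agent Card being presented. */
  card: A2AAgentCard;
  /** The APS mutual-auth certificate carried alongside the card. */
  certificate: MutualAuthCertificate;
}

/**
 * Initiate an A2A mutual-auth exchange from the agent side.
 * Caller owns the nonce supply (or pass none to auto-generate).
 *
 * @param envelope - The agent's card and certificate.
 * @param now_ms - Caller-supplied current time (milliseconds, judging by the
 *   name). NOTE(review): this value is not read from a clock here, so it
 *   should come from a source the caller trusts.
 * @param nonce_b64 - Optional nonce, base64 by name. A caller-supplied nonce
 *   should be fresh and unpredictable for every handshake. NOTE(review): the
 *   auto-generation source is not visible in this declaration file; confirm
 *   it is a CSPRNG.
 * @returns The hello message to send, together with the envelope.
 */
export declare function a2aBeginHandshake(
  envelope: A2AMutualAuthEnvelope,
  now_ms: number,
  nonce_b64?: string,
): {
  hello: MutualAuthHello;
  envelope: A2AMutualAuthEnvelope;
};

/**
 * The IS side: given the agent's hello, build the IS's attest.
 *
 * @param peer_hello - The hello received from the agent.
 * @param own_envelope - The IS's own card and certificate.
 * @param own_sk_hex - The IS's secret key as a hex string (by name). This is
 *   key material held in an ordinary string: keep it out of logs, error
 *   messages and serialized state.
 * @param accepted_versions - Protocol versions this side is willing to speak.
 *   NOTE(review): presumably what drives the `version_unsupported` result;
 *   list only versions you intend to support so a peer cannot negotiate
 *   down to one you consider retired.
 * @param now_ms - Caller-supplied current time.
 * @param own_nonce_b64 - Optional nonce for the IS side.
 * @returns The IS's attest, or `{ error: 'version_unsupported' }`. Check for
 *   the `error` property before treating the result as an attest.
 */
export declare function a2aRespondHandshake(
  peer_hello: MutualAuthHello,
  own_envelope: A2AMutualAuthEnvelope,
  own_sk_hex: string,
  accepted_versions: string[],
  now_ms: number,
  own_nonce_b64?: string,
): MutualAuthAttest | {
  error: 'version_unsupported';
};

/**
 * Agent side: verify the IS's attest, then produce the agent's own
 * attest.
 *
 * @param is_attest - The attest received from the IS.
 * @param agent_envelope - The agent's own card and certificate.
 * @param agent_sk_hex - The agent's secret key as a hex string (by name);
 *   handle it as key material.
 * @param policy - Mutual-auth policy applied during verification.
 * @param trust_anchors - Anchors the IS's certificate is checked against.
 * @param now_ms - Caller-supplied current time.
 * @param agent_nonce_b64 - The nonce the agent used in this handshake.
 * @param is_nonce_b64 - The IS's nonce for this handshake.
 * @param revoked_anchor_ids - Optional list of revoked anchor ids.
 *   NOTE(review): behaviour when omitted is not visible here; presumably no
 *   anchor is treated as revoked, so pass the current revocation list if one
 *   is maintained.
 * @returns The agent's attest, or `{ error: string }` on failure. The error
 *   is a free-form string, so branch on the presence of `error`, not on its
 *   text.
 */
export declare function a2aCounterAttest(
  is_attest: MutualAuthAttest,
  agent_envelope: A2AMutualAuthEnvelope,
  agent_sk_hex: string,
  policy: MutualAuthPolicy,
  trust_anchors: TrustAnchor[],
  now_ms: number,
  agent_nonce_b64: string,
  is_nonce_b64: string,
  revoked_anchor_ids?: string[],
): MutualAuthAttest | {
  error: string;
};

/**
 * Final step on the IS side: verify the agent's attest, then derive
 * the shared session.
 *
 * @param agent_attest - The attest received from the agent.
 * @param is_attest - The attest this IS produced earlier.
 * @param policy - Mutual-auth policy applied during verification.
 * @param trust_anchors - Anchors the agent's certificate is checked against.
 * @param now_ms - Caller-supplied current time.
 * @param expected_is_nonce - The IS nonce this side expects.
 * @param expected_agent_nonce - The agent nonce this side expects.
 *   NOTE(review): both expected nonces should come from state this side
 *   recorded during the handshake, not from values echoed back in the
 *   peer's attest; otherwise the comparison proves nothing.
 * @param revoked_anchor_ids - Optional list of revoked anchor ids; see the
 *   same caveat as on the counter-attest step about omitting it.
 * @returns A MutualAuthResult. Its shape is declared elsewhere; inspect it
 *   for failure before using any session it carries.
 */
export declare function a2aFinalizeSession(
  agent_attest: MutualAuthAttest,
  is_attest: MutualAuthAttest,
  policy: MutualAuthPolicy,
  trust_anchors: TrustAnchor[],
  now_ms: number,
  expected_is_nonce: string,
  expected_agent_nonce: string,
  revoked_anchor_ids?: string[],
): MutualAuthResult;

/**
 * Attach an APS mutual-auth certificate to an A2A Agent Card as an
 * extension block. Does not modify core card fields.
 *
 * NOTE(review): whether the `agentPassport` extension is covered by the
 * card's own A2A signature cannot be told from this declaration; do not
 * assume the card signature protects the attached certificate.
 *
 * @param card - The card to extend.
 * @param cert - The certificate to attach.
 * @returns The card with an added `agentPassport` extension block.
 */
export declare function attachMutualAuthToA2ACard(
  card: A2AAgentCard,
  cert: MutualAuthCertificate,
): A2AAgentCard & {
  // The emitted declaration had a bare `Record`, which does not compile
  // (Record requires two type arguments). `unknown` values are the
  // conservative restoration; confirm against the implementation.
  agentPassport: Record<string, unknown>;
};

/**
 * Extract an APS mutual-auth certificate from an A2A Agent Card
 * extension, or null if absent.
 *
 * NOTE(review): nothing in this signature indicates that extraction
 * verifies the certificate. Treat the returned value as untrusted input
 * until it has passed handshake verification against trust anchors.
 *
 * @param card - The card to read the extension from.
 * @returns The embedded certificate, or null when the card carries none.
 */
export declare function extractMutualAuthFromA2ACard(card: A2AAgentCard): MutualAuthCertificate | null;
//# sourceMappingURL=mutual-auth-a2a.d.ts.map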