// Type declarations for the attestation / passport-issuance API.
// Only signatures are visible here; behaviour noted below is limited to what
// the signatures and the existing comments state.
// NOTE(review): this copy appears to have lost its generic type arguments:
// `Map`, `Record` and `Partial` are bare, and `addIdentityBoundary` keeps only
// the closing `>` of its type-parameter list. Regenerate the file from its
// source module rather than hand-patching the types.
import type { PassportGrade, AttestationFlag, EvidenceQuality, IssuanceChallenge, IssuanceEvidenceRecord, IssuanceContext, PassportAttestationSummary, RuntimeAttestation, ProviderAttestation, ObservedContext, SignalVerificationResult, DerivedSignal, AttestationClass, WorkspaceManifest } from '../types/attestation.js';
import type { SignedPassport } from '../types/passport.js';

/**
 * Create an issuance challenge for the holder of a key.
 *
 * @param publicKeyHash - Hash of the public key the challenge is issued for.
 * @param options - Optional attestation classes to request and a lifetime in
 *   seconds. The default lifetime is not visible in this declaration.
 * @returns The challenge object.
 */
export declare function createIssuanceChallenge(publicKeyHash: string, options?: {
    requestedClasses?: AttestationClass[];
    expiresInSeconds?: number;
}): IssuanceChallenge;

/**
 * Verify a runtime attestation against a challenge and a set of trusted
 * attester keys.
 *
 * The outcome is reported through the returned SignalVerificationResult;
 * whether the function can also throw is not visible here.
 *
 * NOTE(review): the key and value types of `trustedAttesterKeys` are missing
 * in this copy. Confirm what the map is keyed by and how keys are encoded.
 */
export declare function verifyRuntimeAttestation(attestation: RuntimeAttestation, challenge: IssuanceChallenge, trustedAttesterKeys: Map): SignalVerificationResult;

/** Map evidence quality level to passport grade number. */
export declare function evidenceQualityToGrade(quality: EvidenceQuality): PassportGrade;

/**
 * Classify evidence quality from attestation metadata.
 *
 * Precedence (highest to lowest):
 * 1. Principal binding → 'principal_bound'
 * 2. Infrastructure evidence (SPIFFE method, TPM quote, hardware attestation,
 *    TEE proof, or any known infrastructure-binding key in evidence) → 'infrastructure'
 * 3. Issuer signature → 'issuer_vouched'
 * 4. None
 *
 * This is where a did:key with TPM evidence gets elevated to Grade 2.
 *
 * NOTE(review): the inputs are caller-supplied booleans, a method prefix and
 * an evidence payload that is "checked loosely" for known keys. No challenge
 * or verification key is passed in, so this presumably classifies what is
 * claimed rather than verifying it. Confirm that the evidence has been
 * verified elsewhere (e.g. verifyRuntimeAttestation) before the resulting
 * quality is used for a trust decision.
 */
export declare function classifyEvidenceQuality(opts: {
    /** Identity method prefix (e.g. "did:key", "spiffe", "oauth"). Fallback signal. */
    method?: string;
    hasIssuerSignature?: boolean;
    hasPrincipalBinding?: boolean;
    /** Raw evidence payload — checked loosely for infrastructure-binding keys. */
    evidence?: Record;
}): EvidenceQuality;

/**
 * Compute the passport grade for an evidence record.
 *
 * NOTE(review): the `has*` options are plain booleans supplied by the caller.
 * This declaration does not show them being re-derived from `evidence`, so
 * they should only be set from actual verification results.
 */
export declare function computePassportGrade(evidence: IssuanceEvidenceRecord, options?: {
    hasIssuerSignature?: boolean;
    hasVerifiedRuntime?: boolean;
    hasVerifiedProvider?: boolean;
    hasPrincipalEndorsement?: boolean;
}): PassportGrade;

/** Compute the attestation flags for a grade and its evidence record. */
export declare function computeAttestationFlags(grade: PassportGrade, evidence: IssuanceEvidenceRecord): AttestationFlag[];

/**
 * Compute a hash over an evidence record, returned as a string.
 * The hash algorithm and the canonicalisation of the record are not visible
 * in this declaration.
 */
export declare function computeAttestationBundleHash(evidence: IssuanceEvidenceRecord): string;

/**
 * Build the issuance context for an evidence record.
 *
 * Accepts the same caller-supplied `has*` flags as computePassportGrade, plus
 * optional verification results and derived signals.
 */
export declare function createIssuanceContext(evidence: IssuanceEvidenceRecord, options?: {
    hasIssuerSignature?: boolean;
    hasVerifiedRuntime?: boolean;
    hasVerifiedProvider?: boolean;
    hasPrincipalEndorsement?: boolean;
    verificationResults?: SignalVerificationResult[];
    derivedSignals?: DerivedSignal[];
}): IssuanceContext;

/**
 * Attach an attestation summary to a signed passport.
 *
 * The return type is the input passport type plus an `attestation` field.
 *
 * NOTE(review): the passport is already signed when it is passed in. Whether
 * the attached summary is covered by that signature is not visible here;
 * confirm before relying on the summary's integrity.
 */
export declare function bindAttestation(signedPassport: SignedPassport, context: IssuanceContext): SignedPassport & {
    attestation: PassportAttestationSummary;
};

/** Build a workspace manifest from file entries (path, size in bytes, last-modified time). */
export declare function createWorkspaceManifest(entries: Array<{
    path: string;
    sizeBytes: number;
    lastModified: Date;
}>): WorkspaceManifest;

/**
 * Create an evidence record with no attestations, optionally seeded with
 * observed context.
 *
 * NOTE(review): the type argument of `Partial` is missing in this copy. It is
 * presumably ObservedContext, which is imported above and not used anywhere
 * else in this file. Confirm against the source module.
 */
export declare function createEmptyEvidenceRecord(observed?: Partial): IssuanceEvidenceRecord;

/**
 * Report whether a challenge is still fresh.
 * No clock value is passed in, so the comparison presumably uses the current
 * time. TODO confirm.
 */
export declare function isChallengeFresh(challenge: IssuanceChallenge): boolean;

/** Report whether `grade` meets the `minimum` grade. */
export declare function isGradeAtLeast(grade: PassportGrade, minimum: PassportGrade): boolean;

/**
 * Import an attestation issued by an external provider.
 *
 * NOTE(review): the `attestation` input may be a JWS, a raw JSON string or a
 * plain object, and no verification key is passed in. Whether a JWS signature
 * is validated on import is not visible here, and the JSON and object forms
 * carry no signature. `provider`, `subjectClass` and `verificationMethod` are
 * caller-supplied labels. Treat the returned ProviderAttestation as
 * unverified unless the implementation shows otherwise.
 */
export declare function importProviderAttestation(input: {
    /** JWS compact serialization (header.payload.signature) OR raw JSON string OR object */
    attestation: string | Record;
    /** Provider identifier (e.g. 'red-team-harness', 'cloud-provider', 'oauth-issuer') */
    provider: string;
    /** What kind of subject was attested */
    subjectClass?: string;
    /** Verification method used by the provider */
    verificationMethod?: string;
    /** Typed staleness metadata (A2A#1712): snapshot (TPM) vs rotating (SPIFFE) vs static. */
    freshness?: import('../types/passport.js').AttestationFreshness;
}): ProviderAttestation;

/**
 * Return `obj` typed with two added fields: `_identityBoundary` (a string
 * array) and `_contentHash` (a string).
 *
 * How `fields` selects the boundary and what the hash covers are not visible
 * in this declaration.
 *
 * NOTE(review): the type-parameter list is garbled in this copy. Only its
 * closing `>` remains after the function name, so the constraint on `T` must
 * be restored from the source module.
 */
export declare function addIdentityBoundary>(obj: T, fields?: string[]): T & {
    _identityBoundary: string[];
    _contentHash: string;
};
//# sourceMappingURL=attestation.d.ts.map