import type { TaintLabel, TaintUsage, TaintSet, SignedAuthorityObject, CrossChainPermit, ExecutionFrame, FlowCheckResult, ExecutionReceipt, CrossChainViolation } from '../types/cross-chain.js'; /** * Create a taint label when data is accessed under a delegation. * Every read through the gateway produces a taint label. */ export declare function createTaintLabel(principalId: string, chainId: string, delegationId: string, usage?: TaintUsage): TaintLabel; /** * Merge multiple taint labels into a TaintSet. * Automatically detects cross-chain (multi-principal) taint. * Deduplicates labels by reference — callers spreading from overlapping * sources (e.g. inputTaint.labels + frame.frameTaint.labels when frame * already includes inputTaint) MUST NOT produce duplicated audit entries. */ export declare function mergeTaints(...labels: TaintLabel[]): TaintSet; /** * Wrap data in a Signed Authority Object. * The gateway calls this when returning data from a read operation. * The SAO binds the data to its delegation context cryptographically. */ export declare function createSAO(data: unknown, taint: TaintLabel, monitorPrivateKey: string, monitorPublicKey: string, expiresInMinutes?: number): SignedAuthorityObject; /** * Verify an SAO's integrity and monitor signature. */ export declare function verifySAO(sao: SignedAuthorityObject): boolean; /** * Check if an SAO has expired. */ export declare function isSAOExpired(sao: SignedAuthorityObject): boolean; /** * Create a new execution frame for tracking session-level taint. */ export declare function createExecutionFrame(agentId: string, opts?: { ttlMinutes?: number; epoch?: number; previousFrameChainHead?: string; residuePrincipals?: string[]; }): ExecutionFrame; /** * Compute the hash for an execution step. * step_hash = sha256(previousStepHash + canonical(taint) + stepIndex) * This creates a Merkle-like chain where each step is causally linked to its predecessor. */ export declare function computeStepHash(previousStepHash: string, taint: TaintLabel, stepIndex: number): string; /** * Record a data access in the execution frame with causal hash chaining. * Each step carries a cryptographic reference to its predecessor execution state. * This gives the frame a strict total order (<_exec) that is independently verifiable. */ export declare function recordAccess(frame: ExecutionFrame, taint: TaintLabel): ExecutionFrame; /** * Close an execution frame. No further accesses can be recorded. */ export declare function closeFrame(frame: ExecutionFrame): ExecutionFrame; /** * Check if an execution frame has expired based on its TTL. * Returns true if the frame is older than its ttlMinutes. * A ttlMinutes of 0 means no expiry. */ export declare function isFrameExpired(frame: ExecutionFrame): boolean; /** * Rotate an execution frame: seal the current one and create a fresh one. * The new frame links to the old frame's chainHead, creating a super-chain * across epochs. The old frame is returned sealed for archival. * * This solves the taint accumulation paralysis problem (F-2): * long-running agents get clean frames periodically while maintaining * a cryptographic audit trail linking all epochs. */ export declare function rotateFrame(frame: ExecutionFrame, opts?: { ttlMinutes?: number; }): { sealed: ExecutionFrame; fresh: ExecutionFrame; }; /** * Verify the causal hash chain of an execution frame. * Replays all recorded accesses and verifies each step hash matches. * If the chain is valid, the execution order is cryptographically proven. * This is the function that makes <_exec independently verifiable. */ export declare function verifyFrameChain(frame: ExecutionFrame): { valid: boolean; error?: string; }; /** * Verify the epoch super-chain across multiple frames. * Each frame's previousFrameChainHead must match the prior frame's chainHead. * Frames must be ordered by epoch (ascending). */ export declare function verifyEpochChain(frames: ExecutionFrame[]): { valid: boolean; error?: string; }; /** * Create a cross-chain permit (source principal signs first). * The permit authorizes data from sourceContext to flow into * actions governed by destinationContext. */ export declare function createCrossChainPermit(opts: { sourcePrincipalId: string; sourcePrincipalPublicKey: string; sourceDataClasses: string[]; destPrincipalId: string; destPrincipalPublicKey: string; destAllowedScopes: string[]; purpose: string; destinationConstraints?: string[]; expiresInHours?: number; sourcePrivateKey: string; }): Omit & { destinationSignature: ''; }; /** * Countersign a cross-chain permit (destination principal). * Both signatures required for the permit to be valid. */ export declare function countersignPermit(permit: Omit & { destinationSignature: ''; }, destPrivateKey: string): CrossChainPermit; /** * Verify a cross-chain permit: both signatures valid + not expired + not revoked. */ export declare function verifyCrossChainPermit(permit: CrossChainPermit): boolean; /** * Revoke a cross-chain permit. */ export declare function revokePermit(permit: CrossChainPermit): CrossChainPermit; /** * Check whether an outbound action is authorized given the taint * on its input data and the delegation chain authorizing the action. * * Logic: * 1. If all input data originated from the same principal as the * action's delegation chain → ALLOWED (same-context, no issue) * 2. If input data originated from a DIFFERENT principal → * check for a valid CrossChainPermit * - Permit found and valid → PERMITTED * - No permit → BLOCKED (confused deputy prevented) * 3. If execution frame taint includes other principals beyond * the SAO-level taint → BLOCKED (laundering prevention) */ export declare function checkDataFlow(opts: { /** Taint set on the data being passed to the outbound tool */ inputTaint: TaintSet; /** Principal ID of the delegation chain authorizing this action */ actionPrincipalId: string; /** Scope of the action being performed */ actionScope: string; /** All active (non-revoked, non-expired) cross-chain permits */ permits: CrossChainPermit[]; /** Current execution frame (for laundering detection) */ frame?: ExecutionFrame; }): FlowCheckResult; /** * Create a derived SAO from multiple source SAOs. * The derived SAO inherits the union of all source taints. * This ensures composed/summarized data can't launder its origins. */ export declare function deriveSAO(data: unknown, sourceSAOs: SignedAuthorityObject[], monitorPrivateKey: string, monitorPublicKey: string, expiresInMinutes?: number): SignedAuthorityObject; export declare function createExecutionReceipt(opts: { frame: ExecutionFrame; requestHash: string; tool: string; params: Record; delegationId: string; policyVersion: string; flowResult: FlowCheckResult; gatewayId: string; gatewayPrivateKey: string; expiresInMinutes?: number; }): ExecutionReceipt; /** * Verify an execution receipt's gateway signature. */ export declare function verifyExecutionReceipt(receipt: ExecutionReceipt, gatewayPublicKey: string): { valid: boolean; expired: boolean; error?: string; }; /** * Create a signed violation report when cross-chain flow is blocked. */ export declare function createCrossChainViolation(opts: { frame: ExecutionFrame; agentId: string; sourcePrincipalId: string; destinationPrincipalId: string; attemptedTool: string; attemptedScope: string; blockingLabels: TaintLabel[]; gatewayPrivateKey: string; }): CrossChainViolation; //# sourceMappingURL=cross-chain.d.ts.map