import type { Delegation, ActionReceipt, RevocationRecord, DelegationStatus, CascadeRevocationResult, DelegationChainValidation, RevocationEvent } from '../types/passport.js'; export interface CreateDelegationOptions { delegatedTo: string; delegatedBy: string; scope: string[]; scopeInterpretation?: 'exact' | 'glob' | 'hierarchical'; spendLimit?: number; spendLimitUnit?: 'currency' | 'invocations'; maxDepth?: number; currentDepth?: number; expiresInHours?: number; /** Absolute expiry (ISO 8601). When present it WINS over expiresInHours (strict * precedence) and is used directly as the signed expiresAt field. Input only; * never stored as a relative field. subDelegate uses this to pass an * already-capped, absolute child expiry rather than a re-basable duration. */ expiresAt?: string; notBefore?: string; derivation_rights?: import('../types/passport.js').DerivationRights; observation_policy?: import('../types/passport.js').ObservationPolicy; credentialCheckPolicy?: import('../v2/credential-check-policy/types.js').CredentialCheckPolicy; privateKey: string; } export declare function createDelegation(opts: CreateDelegationOptions): Delegation; export interface SubDelegateOptions { parentDelegation: Delegation; delegatedTo: string; scope: string[]; spendLimit?: number; spendLimitUnit?: 'currency' | 'invocations'; derivation_rights?: import('../types/passport.js').DerivationRights; privateKey: string; } export declare function subDelegate(opts: SubDelegateOptions): Delegation; export type RevocationCheckPolicy = 'fail_open' | 'fail_closed' | 'cache_grace'; export declare function verifyDelegation(delegation: Delegation, opts?: { /** How to handle revocation check failures. Default: 'fail_open' (backward compat) */ revocationCheckPolicy?: RevocationCheckPolicy; /** Cached revocation state (for cache_grace mode or stateless verification) */ cachedRevocationState?: { revoked: boolean; checkedAt: string; }; /** Cache grace period in ms (for cache_grace mode). Default: 300000 (5 min) */ cacheGraceMs?: number; /** Walk parent chain and check each ancestor's revocation status. * No-op without a DelegationStore; the option is preserved for API * compatibility but ancestor walks now require store.validateChain(). */ checkAncestors?: boolean; }): DelegationStatus; export declare function verifyRevocation(revocation: RevocationRecord): boolean; export interface CreateReceiptOptions { agentId: string; delegationId: string; delegation: Delegation; action: ActionReceipt['action']; result: ActionReceipt['result']; delegationChain: string[]; privateKey: string; } export declare function createReceipt(opts: CreateReceiptOptions): ActionReceipt; export declare function verifyReceipt(receipt: ActionReceipt, agentPublicKey: string): { valid: boolean; errors: string[]; }; export declare function scopeCovers(granted: string, required: string): boolean; export declare function scopeAuthorizes(delegationScope: string[], required: string): boolean; export declare function revokeDelegation(_delegationId: string, _revokedBy: string, _reason: string, _privateKey: string): RevocationRecord; export declare function cascadeRevoke(_delegationId: string, _revokedBy: string, _reason: string, _privateKey: string): CascadeRevocationResult; export declare function revokeByAgent(_agentPublicKey: string, _revokedBy: string, _reason: string, _privateKey: string): RevocationRecord[]; export declare function validateChain(_delegationIds: string[]): DelegationChainValidation; export declare function getDescendants(_delegationId: string): string[]; export declare function getChainEntry(_delegationId: string): undefined; export declare function onRevocation(_listener: (event: RevocationEvent) => void): () => void; export declare function getReceipts(_agentId?: string): ActionReceipt[]; export declare function getRevocation(_delegationId: string): RevocationRecord | undefined; export declare function getSpent(_delegation: Delegation): number; /** * Back-compat no-op. The SDK no longer holds module-scope state, so there * is nothing to clear. Still exported because test suites historically * called it in beforeEach hooks. */ export declare function clearStores(): void; //# sourceMappingURL=delegation.d.ts.map