import type { RotatableDIDDocument, RotatableVerificationMethod } from '../types/passport.js'; /** * Parse a DID URI of the form `#` into its parts. The * agentId is the full DID (e.g. `did:aps:zABC`), keyRef is the fragment * after the first `#` (e.g. `key-2`). Returns null when the input is * not a valid DID URI with a fragment. */ export declare function parseDidUri(s: string): { agentId: string; keyRef: string; } | null; /** * Build a DID URI from agentId and keyRef. agentId must already be a * `did::` form; keyRef is the fragment without the '#'. */ export declare function buildDidUri(agentId: string, keyRef: string): string; export interface ResolveVerificationMethodResult { method: RotatableVerificationMethod; /** True when the key was retired BEFORE the receipt was signed * (compromise mode — verifier MUST reject). False when the key is * active OR was retired AFTER the receipt was signed (legitimate * post-rotation verification). */ retired: boolean; } /** * Resolve a DID URI against a RotatableDIDDocument and return the * verificationMethod entry plus a `retired` flag that takes signing * time into account. * * Returns: * - `null` if the keyRef does not exist in the document, or if the * URI's agentId does not match the document's id (caller passed * the wrong document). * - `{ method, retired: false }` when the key is currently active OR * was retired after `issuedAtMs` (the receipt was signed while the * key was still active — acceptable to verify post-rotation). * - `{ method, retired: true }` when the key was retired before * `issuedAtMs` (compromise mode — verifier MUST reject the * signature regardless of mathematical validity). * * @param didDoc The agent's RotatableDIDDocument. * @param didUri The DID URI carried in the receipt's signer_did. * @param nowMs Wall-clock at verification time. Defaults to Date.now(). * @param issuedAtMs Wall-clock when the receipt was signed. Defaults to * nowMs (which collapses to "key must be currently * active") when omitted. */ export declare function resolveVerificationMethod(didDoc: RotatableDIDDocument, didUri: string, nowMs?: number, issuedAtMs?: number): ResolveVerificationMethodResult | null; /** * Convenience: extract the raw hex Ed25519 pubkey from a resolved * verificationMethod entry. Wraps `multibaseToHex(method.publicKeyMultibase)` * so callers don't need to import from did.js. */ export declare function publicKeyHexFromMethod(method: RotatableVerificationMethod): string; /** Reasons an Ed25519 verification can fail BEFORE the cryptographic * step. Surfaced by rail verifiers under their own reason unions. */ export type DidUriVerifyFailure = 'did_resolver_missing' | 'did_uri_invalid' | 'did_doc_not_found' | 'did_key_not_in_doc' | 'did_key_retired'; //# sourceMappingURL=did-uri.d.ts.map