import type { EncryptionKeyAnnouncement, EncryptionKeypair, EncryptedAgoraMessage, DecryptedPayload } from '../types/encrypted-messaging.js';

/**
 * Generate a dedicated X25519 encryption keypair.
 * Separate from Ed25519 identity key (consensus: key separation).
 *
 * NOTE(review): the Promise type argument is missing in this listing (it looks
 * stripped during extraction). Presumably Promise<EncryptionKeypair>, since that
 * imported type is not named by any other visible signature. Confirm against
 * the source module.
 */
export declare function generateEncryptionKeypair(): Promise;

/**
 * Derive X25519 encryption keypair deterministically from an Ed25519 identity key.
 * Uses the birational equivalence (RFC 7748 §4.1) to map Ed25519 → X25519.
 * This enables identity key reuse: same Ed25519 passport key serves as both
 * signing key and encryption key derivation source.
 *
 * Security note: this path gives up the key separation that
 * generateEncryptionKeypair() is documented to provide. Because the derivation
 * is deterministic, anyone holding the Ed25519 seed can recompute the
 * encryption private key, so a seed compromise exposes both signing and
 * decryption, and the encryption key cannot be rotated without rotating the
 * identity key. The seed arrives as a hex string; keep it out of logs and
 * error messages.
 *
 * NOTE(review): the declaration does not show how the private scalar is
 * derived, or whether the seed's length and hex format are validated. Confirm
 * both in the implementation.
 * NOTE(review): the Promise type argument is missing in this listing; the
 * resolved shape is only described by the @returns line below.
 *
 * @param ed25519SeedHex - 32-byte Ed25519 private key seed (hex string)
 * @returns X25519 keypair (base64) + derived Ed25519 public key (hex)
 */
export declare function deriveEncryptionKeypair(ed25519SeedHex: string): Promise;

/**
 * Create a Key Announcement: agent signs its X25519 public key
 * with its Ed25519 identity key and publishes it.
 *
 * Synchronous; returns the announcement object rather than a Promise.
 *
 * NOTE(review): no parameter here carries a timestamp, expiry or version. If
 * EncryptionKeyAnnouncement has no freshness field, an old announcement keeps
 * verifying after a key rotation. Check the type definition.
 * NOTE(review): key encodings (hex vs. base64) are not stated on this
 * signature; presumably they match deriveEncryptionKeypair's output. Confirm.
 */
export declare function createKeyAnnouncement(agentId: string, encryptionPublicKey: string, identityPublicKey: string, identityPrivateKey: string): EncryptionKeyAnnouncement;

/**
 * Verify a Key Announcement: Ed25519 signature over (agentId + encryptionPublicKey).
 *
 * NOTE(review): the function receives only the announcement, so the
 * verification key presumably comes from the announcement itself. In that case
 * `true` shows the announcement is self-consistent, not that the identity key
 * belongs to agentId; callers still need to bind the identity key to the agent
 * through a trusted source.
 * NOTE(review): if "(agentId + encryptionPublicKey)" is plain string
 * concatenation, confirm the fields are fixed-length or delimited so that two
 * different (agentId, key) pairs cannot yield the same signed bytes.
 */
export declare function verifyKeyAnnouncement(announcement: EncryptionKeyAnnouncement): boolean;

/**
 * Pad data to nearest power-of-2 block size.
 * Mitigates message-size side channel.
 *
 * The padded length still reveals which power-of-2 bucket the message falls
 * in; this narrows the size leak, it does not remove it.
 *
 * NOTE(review): minimum block size and fill bytes are not visible here.
 */
export declare function padToBlock(data: Uint8Array): Uint8Array;

/**
 * Remove padding. Reads the real length from the last 4 bytes.
 *
 * NOTE(review): the trailing length field is only trustworthy if the padded
 * buffer was authenticated before this call. Confirm that the implementation
 * rejects inputs shorter than 4 bytes and a stored length larger than
 * `padded.length - 4`, and that unpad only runs on data that already passed
 * authenticated decryption. Byte order of the length field is not visible here.
 */
export declare function unpad(padded: Uint8Array): Uint8Array;

/**
 * Encrypt a message using ephemeral-static ECDH.
 * Sender generates fresh ephemeral X25519 keypair per message.
 * Shared secret = X25519(ephemeral_private, recipient_static_public).
 *
 * Ephemeral-static ECDH does not authenticate the sender by itself; in this
 * module sender authenticity is described as coming from the signatures added
 * by createEncryptedAgoraMessage. The recipient key is static, so compromise
 * of the recipient's private key exposes every message encrypted to it.
 *
 * NOTE(review): the cipher, key-derivation step and nonce generation are not
 * visible in this declaration. Confirm that the raw X25519 output goes through
 * a KDF, that an authenticated cipher is used, and that an all-zero shared
 * secret is rejected (RFC 7748 §6.1).
 * NOTE(review): encodings of the returned strings are not stated here.
 */
export declare function encryptPayload(plaintext: string, recipientEncryptionPublicKey: string): Promise<{
    ciphertext: string;
    nonce: string;
    ephemeralPublicKey: string;
}>;

/**
 * Decrypt a message using recipient's static private key + sender's ephemeral public key.
 *
 * NOTE(review): the Promise type argument is missing in this listing;
 * presumably the plaintext string, mirroring encryptPayload. Confirm.
 * NOTE(review): confirm the implementation fails closed (rejects) when
 * authentication of the ciphertext fails, instead of resolving with partial or
 * unauthenticated data.
 */
export declare function decryptPayload(ciphertext: string, nonce: string, ephemeralPublicKey: string, recipientEncryptionPrivateKey: string): Promise;

/**
 * Create a fully encrypted Agora message with double signature.
 * Inner signature: Ed25519 over plaintext + recipient + nonce (prevents stripping)
 * Outer signature: Ed25519 over ciphertext envelope (public verifiability)
 *
 * The sender's identity private key is passed as a string; JavaScript strings
 * cannot be wiped after use, so keep the options object short-lived and out of
 * logs and serialized error reports.
 *
 * NOTE(review): which of subject, topic, delegationId, sequenceNumber and
 * metadata end up inside the ciphertext, and which stay readable on the
 * envelope, is not visible here. Confirm before putting sensitive values in
 * any of them.
 * NOTE(review): the Promise type argument is missing in this listing;
 * presumably Promise<EncryptedAgoraMessage>. Confirm.
 */
export declare function createEncryptedAgoraMessage(opts: {
    subject: string;
    content: string;
    senderAgentId: string;
    senderIdentityPublicKey: string;
    // Secret key material; see the note on the function.
    senderIdentityPrivateKey: string;
    senderEncryptionPublicKey: string;
    recipientAgentId: string;
    recipientIdentityPublicKey: string;
    recipientEncryptionPublicKey: string;
    topic: string;
    delegationId: string;
    taintPrincipalIds?: string[];
    permitId?: string;
    // NOTE(review): presumably used for ordering / replay detection; no visible function checks it.
    sequenceNumber: number;
    // NOTE(review): Record's type arguments are missing in this listing; confirm against the source.
    metadata?: Record;
}): Promise;

/**
 * Decrypt an encrypted Agora message and verify both signatures.
 * 1. Verify outer signature (public verifiability — no decryption needed)
 * 2. Decrypt payload
 * 3. Verify inner signature (sender authored this for this recipient)
 * 4. Check recipient matches (prevents surreptitious forwarding)
 *
 * The resolved object always has a `payload` field next to `valid`, so the
 * type system does not stop a caller from using `payload` when verification
 * failed. Callers must check `valid` (and inspect `errors`) before acting on
 * `payload`.
 *
 * NOTE(review): confirm what `payload` holds when a step fails, and whether
 * any failure rejects the Promise instead of resolving with `valid: false`.
 * NOTE(review): the four steps above do not mention a replay or
 * sequence-number check; presumably the caller tracks sequenceNumber. Confirm.
 */
export declare function decryptAgoraMessage(msg: EncryptedAgoraMessage, recipientEncryptionPrivateKey: string, recipientAgentId: string): Promise<{
    payload: DecryptedPayload;
    valid: boolean;
    errors: string[];
}>;

/**
 * Verify only the outer signature on an encrypted message.
 * The gateway calls this to confirm sender identity without decrypting.
 *
 * A `true` result covers the ciphertext envelope only. The inner signature and
 * the recipient check are described as running after decryption, in
 * decryptAgoraMessage.
 *
 * NOTE(review): the function receives only the message, so the verification
 * key presumably comes from the message itself; the gateway then still has to
 * map that key to a known sender before treating the identity as established.
 */
export declare function verifyOuterSignature(msg: EncryptedAgoraMessage): boolean;
//# sourceMappingURL=encrypted-messaging.d.ts.map