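import type { ProviderAttestation } from '../types/attestation.js';

/**
 * Input describing a SPIFFE SVID to be imported into APS.
 */
export interface SPIFFESVIDInput {
  /** SPIFFE ID (spiffe://trust-domain/workload-path) */
  spiffeId: string;
  /**
   * Optional X.509 certificate (PEM or base64 DER).
   *
   * NOTE(review): whether this certificate is chain-validated against the
   * trust domain's bundle during import is not visible from this declaration;
   * confirm in the implementation before treating the result as verified.
   */
  x509Cert?: string;
  /**
   * Expiration timestamp (ISO 8601).
   *
   * This value is caller-supplied; whether it is cross-checked against the
   * certificate's validity period (when one is given) is not visible here.
   */
  expiresAt: string;
}

/**
 * Components of a SPIFFE ID as split by {@link parseSPIFFEID}.
 */
export interface ParsedSPIFFEID {
  /** Trust domain, i.e. the host part of the spiffe:// URI */
  trustDomain: string;
  /** Workload path, i.e. the path part of the spiffe:// URI */
  workloadPath: string;
}

/**
 * Parse a SPIFFE ID into trust domain and workload path.
 * Format: spiffe://trust-domain/workload/path/segments
 *
 * @param spiffeId - Full SPIFFE ID URI.
 * @returns The trust domain and workload path.
 * @throws Presumably on an input that is not a well-formed spiffe:// URI —
 *   confirm the exact failure mode against the implementation.
 */
export declare function parseSPIFFEID(spiffeId: string): ParsedSPIFFEID;

/**
 * Import a SPIFFE SVID into an APS ProviderAttestation.
 *
 * SPIFFE SVIDs are infrastructure-level identity (Tier 1 in APS attestation model).
 * An agent presenting a valid SVID qualifies for Grade 2 (runtime_bound) because
 * the SVID proves the workload identity was attested by the trust domain's CA.
 *
 * The attestation uses:
 * - provider: trust domain (e.g., "cluster.example.com")
 * - subjectClass: "workload"
 * - subjectIdHash: SHA-256 of the full SPIFFE ID
 * - verificationMethod: "x509" if cert provided, "spiffe_bundle" otherwise
 *
 * Note that "verificationMethod" records how the identity is expected to be
 * verified; this declaration does not show whether the import itself performs
 * that verification, so callers should confirm that in the implementation.
 *
 * @param svid - The SVID to import.
 * @returns The derived provider attestation.
 */
export declare function importSPIFFESVID(svid: SPIFFESVIDInput): ProviderAttestation;

/**
 * Convert OAuth scopes to APS delegation scopes.
 *
 * Matching rules:
 * 1. Exact match checked first (e.g., "read:users" against mapping key "read:users")
 * 2. Wildcard match: "read:users" matches "read:*" pattern
 * 3. Unmatched scopes are passed through as-is (preserves information)
 *
 * Custom mapping overrides defaults for overlapping keys.
 *
 * Because of rule 3, a scope absent from the mapping lands in the APS
 * delegation ceiling verbatim; keep the mapping complete for the scopes an
 * issuer can actually grant so that nothing unintended passes through.
 *
 * @param oauthScopes - Individual OAuth scope strings (already split on spaces).
 * @param scopeMapping - Optional OAuth-scope → APS-scope overrides, merged over
 *   the defaults.
 * @returns The APS delegation scopes.
 */
export declare function mapOAuthScopes(
  oauthScopes: string[],
  // TODO(review): the type arguments were missing in the source declaration
  // (bare `Record` does not compile); string → string is assumed from the
  // matching rules above — confirm against the implementation.
  scopeMapping?: Record<string, string>,
): string[];

/**
 * Claims taken from an OAuth token that APS needs for delegation.
 */
export interface OAuthTokenInput {
  /** Subject identifier (user or client ID) */
  sub: string;
  /** Space-separated scope string */
  scope: string;
  /** Issuer URL */
  iss: string;
  /** Expiration (Unix timestamp, seconds) */
  exp: number;
}

/**
 * Result of importing an OAuth token into APS delegation parameters.
 */
export interface OAuthImportResult {
  /** APS agent ID derived from OAuth subject + issuer */
  agentId: string;
  /** Delegation scope ceiling derived from OAuth scopes */
  delegationScope: string[];
  /** Expiration as ISO 8601 */
  expiresAt: string;
}

/**
 * Convert an OAuth token's claims into APS delegation parameters.
 *
 * The OAuth scope becomes the delegation ceiling: the agent can never
 * exceed the authority granted by the OAuth token. This preserves
 * monotonic narrowing — the OAuth grant is the root of the delegation chain.
 *
 * Agent ID is deterministic: sha256(iss + sub) truncated, so the same
 * OAuth subject always maps to the same APS agent.
 *
 * NOTE(review): if the implementation concatenates `iss` and `sub` without a
 * delimiter, distinct (iss, sub) pairs whose concatenations coincide would
 * share an agentId, and truncation narrows the collision margin further —
 * confirm the exact construction.
 *
 * As far as this declaration shows, the token's signature, issuer and expiry
 * are not verified here; pass only claims from an already-validated token.
 *
 * @param token - Claims from a validated OAuth token.
 * @param scopeMapping - Optional scope overrides, see {@link mapOAuthScopes}.
 * @returns The agent ID, delegation ceiling and expiry for APS.
 */
export declare function importOAuthToken(
  token: OAuthTokenInput,
  // TODO(review): type arguments were missing in the source declaration;
  // assumed to match mapOAuthScopes — confirm against the implementation.
  scopeMapping?: Record<string, string>,
): OAuthImportResult;
//# sourceMappingURL=identity-bridge.d.ts.map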