import type { AgentPassport, KeyPair, CascadeRevocationResult } from '../types/passport.js';
import type { RotatableDIDDocument, RotationMode, RotationState } from '../types/passport.js';
/**
 * Create a rotation-capable DID Document for a passport.
 * One verificationMethod, empty rotationLog, no pending rotation.
 *
 * @param passport - Passport the document is created for.
 * @returns The new rotation-capable DID Document.
 */
export declare function createDIDDocument(passport: AgentPassport): RotatableDIDDocument;
/**
 * Announce a key rotation. The old key signs the rotation entry.
 *
 * planned mode: configurable overlap (default 24h). Both keys are valid until activationTime.
 * emergency mode: the old key is retired immediately. The new key is the sole authority.
 *
 * Because the old key stays valid for the whole overlap, planned mode does not
 * cut off a key that is believed to be compromised; emergency mode is the one
 * described here as retiring it at once.
 *
 * NOTE(review): as described, the rotation entry is authorized by the old key
 * alone. Whether any further check applies is not visible in this declaration.
 *
 * @param doc - Document whose key is being rotated. Whether it is mutated or
 *   copied cannot be told from this declaration; use the returned document.
 * @param oldPrivateKey - Private key of the key being replaced, passed as a
 *   plain string. Treat it as secret material: keep it out of logs and error
 *   reports.
 * @param newKeyPair - Key pair that takes over.
 * @param options - `mode` selects planned or emergency rotation.
 *   `activationDelayMs` is presumably the planned-mode overlap in
 *   milliseconds (TODO confirm; the 24h default is stated above).
 * @returns The document with the rotation announced.
 */
export declare function announceKeyRotation(doc: RotatableDIDDocument, oldPrivateKey: string, newKeyPair: KeyPair, options: {
    mode: RotationMode;
    activationDelayMs?: number;
}): RotatableDIDDocument;
/**
 * Activate a pending planned rotation after activationTime.
 * Removes the old key from auth/assertion/capabilityDelegation and sets retiredAt.
 *
 * What happens when there is no pending rotation, or when activationTime has
 * not been reached yet, is not visible in this declaration.
 *
 * @param doc - Document carrying the pending rotation.
 * @param now - Optional reference time; presumably defaults to the current
 *   time when omitted (TODO confirm against the implementation).
 * @returns The document after activation.
 */
export declare function activateKeyRotation(doc: RotatableDIDDocument, now?: Date): RotatableDIDDocument;
/**
 * Walk rotationLog and verify each entry's rotationSignature.
 * Returns true if ALL entries have valid signatures, false if any fail.
 *
 * The boolean does not identify which entry failed. Only signature validity
 * is documented here.
 *
 * NOTE(review): whether each entry is checked against the key that preceded
 * it, and what an empty rotationLog returns, cannot be told from this
 * declaration. Confirm both before relying on the result as proof of an
 * unbroken key history.
 *
 * @param doc - Document whose rotationLog is verified.
 * @returns `true` only when every entry's signature verifies.
 */
export declare function verifyRotationChain(doc: RotatableDIDDocument): boolean;
/**
 * Check whether a public key is currently authorized for active operations.
 * NOTE: This is an SDK convenience. Gateway enforcement is authoritative, so
 * a `true` result here must not be the only gate in front of a sensitive
 * operation.
 *
 * @param doc - Document to check the key against.
 * @param publicKey - Public key to look up.
 * @param now - Optional reference time; presumably defaults to the current
 *   time when omitted (TODO confirm against the implementation).
 * @returns Whether the key is considered active.
 */
export declare function isKeyActive(doc: RotatableDIDDocument, publicKey: string, now?: Date): boolean;
/**
 * Outcome of `rotateAndInvalidate`: the rotated document, the state the
 * rotation reached, and one record per delegation that was to be revoked.
 */
export interface RotationResult {
    // Document returned by the rotation.
    didDocument: RotatableDIDDocument;
    // State reached; per the `rotateAndInvalidate` contract this stays
    // 'revocation_in_progress' when some revocations failed.
    rotationState: RotationState;
    // One entry per delegation. `error` is optional and is how a failed
    // revocation is reported; check it for every entry.
    revocationResults: Array<{
        delegationId: string;
        cascadeCount: number;
        error?: string;
    }>;
}
/**
 * Gateway-side cascade revocation callback. `cascadeRevoke` lives on
 * `DelegationStore` in @aeoess/gateway; callers pass the bound method in.
 * When omitted, `rotateAndInvalidate` rotates the key but records every
 * delegation ID as an error ("cascade revocation unavailable"), so
 * partial-failure semantics are preserved.
 *
 * The callback is synchronous (it returns `CascadeRevocationResult`, not a
 * promise) and it receives a private key as its last argument, so only a
 * trusted implementation should be passed in.
 */
export type CascadeRevokeFn = (delegationId: string, revokedBy: string, reason: string, privateKey: string) => CascadeRevocationResult;
/**
 * Full rotation with delegation invalidation. Explicit state machine:
 * announced → revocation_in_progress → revocation_complete → activated
 *
 * Partial failure is VISIBLE. If 3 of 5 delegations revoke but 2 fail,
 * the state stays 'revocation_in_progress' and the caller sees which failed.
 *
 * A returned result therefore does not mean that every delegation was
 * revoked: inspect `rotationState` and the `error` field of each
 * `revocationResults` entry. Without `options.cascadeRevoke` the key is
 * rotated but no delegation is revoked, and every ID is reported as an error.
 *
 * @param doc - Document whose key is being rotated.
 * @param oldPrivateKey - Private key of the key being replaced, passed as a
 *   plain string. Treat it as secret material.
 * @param newKeyPair - Key pair that takes over.
 * @param delegationIdsToRevoke - IDs of the delegations to revoke.
 * @param options - `mode` and `activationDelayMs` as for
 *   `announceKeyRotation`; `cascadeRevoke` is the gateway revocation callback.
 * @returns The rotated document, the state reached and the per-delegation
 *   revocation records.
 */
export declare function rotateAndInvalidate(doc: RotatableDIDDocument, oldPrivateKey: string, newKeyPair: KeyPair, delegationIdsToRevoke: string[], options: {
    mode: RotationMode;
    activationDelayMs?: number;
    cascadeRevoke?: CascadeRevokeFn;
}): RotationResult;
//# sourceMappingURL=key-rotation.d.ts.map