import type { EncryptedAgoraMessage } from '../types/encrypted-messaging.js'; export interface MessageAuditRecord { auditId: string; /** SHA-256 hash of the full ciphertext — verifiable without decrypting */ ciphertextHash: string; /** Sender identity (public, not secret) */ senderAgentId: string; senderPublicKey: string; /** Recipient identity */ recipientAgentId: string; recipientPublicKey: string; /** Delegation authorizing this communication */ delegationId: string; /** Taint hashes from the encrypted message (already cleartext in Module 19) */ taintHashes: string[]; /** Padded ciphertext size in bytes */ messageSize: number; /** Sequence number (monotonic within conversation) */ sequenceNumber: number; /** Topic (cleartext metadata in Module 19) */ topic: string; /** When the audit record was created */ timestamp: string; /** Ed25519 signature by the gateway over this record */ gatewaySignature: string; /** Gateway public key */ gatewayPublicKey: string; } export interface AuditVerification { valid: boolean; /** Whether the ciphertext hash matches the encrypted message */ hashMatches: boolean; /** Whether the gateway signature is valid */ signatureValid: boolean; /** Reason if invalid */ reason?: string; } export interface MessageAuditLog { records: MessageAuditRecord[]; gatewayPublicKey: string; createdAt: string; } export declare function createMessageAuditLog(gatewayPublicKey: string): MessageAuditLog; /** * Create an audit record from an encrypted message. * Extracts ONLY metadata + hash — never touches plaintext. * The gateway signs the record as proof it observed the message. */ export declare function createAuditRecord(message: EncryptedAgoraMessage, gatewayPrivateKey: string, gatewayPublicKey: string): MessageAuditRecord; /** * Verify an audit record: * 1. Gateway signature is valid * 2. Optionally: ciphertext hash matches original message */ export declare function verifyAuditRecord(record: MessageAuditRecord, originalMessage?: EncryptedAgoraMessage): AuditVerification; export declare function appendToAuditLog(log: MessageAuditLog, record: MessageAuditRecord): MessageAuditLog; /** * Query audit log by sender — how many messages did this agent send? */ export declare function queryBySender(log: MessageAuditLog, senderAgentId: string): MessageAuditRecord[]; /** * Query audit log for cross-chain messages (those with taint hashes). */ export declare function queryCrossChainMessages(log: MessageAuditLog): MessageAuditRecord[]; /** * Total bytes sent by a specific agent — for quota enforcement. */ export declare function totalBytesBySender(log: MessageAuditLog, senderAgentId: string): number; //# sourceMappingURL=messaging-audit.d.ts.map