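/**
 * Registry entry for a verified tool.
 *
 * NOTE(review): the signature is documented as covering
 * `{toolName, implementationHash, attestorId, verifiedAt}`; the serialization
 * used for signing is not visible in this declaration file.
 */
export interface ToolRegistryEntry {
  /** Tool name (must match the name in delegation scope) */
  toolName: string;
  /** SHA-256 hash of the tool implementation (binary, source, or endpoint descriptor) */
  implementationHash: string;
  /** Who attested this tool's integrity (runtime, registry, or auditor DID) */
  attestorId: string;
  /** When the tool hash was last verified */
  verifiedAt: string;
  /** Ed25519 signature over {toolName, implementationHash, attestorId, verifiedAt} */
  signature: string;
}

/**
 * Per-invocation trust requirements — tools declare what they need.
 * Source: ymc182/MeshCap on A2A#1628
 */
export interface ToolRequirements {
  /** Minimum passport grade required (0-3) */
  minGrade?: number;
  /** Required delegation scopes */
  requiredScopes?: string[];
  /** Minimum trust score (0-1) */
  minTrustScore?: number;
  /** Whether the tool requires a verified wallet */
  requiresWallet?: boolean;
  /**
   * Custom requirements (key-value, tool-specific).
   * Values are `unknown` at this boundary and must be narrowed before use.
   */
  custom?: Record<string, unknown>;
}

/** Result of tool integrity + requirements check */
export interface ToolIntegrityResult {
  /** Whether the tool passed all checks */
  valid: boolean;
  /** Whether the implementation hash matches */
  implementationVerified: boolean;
  /** Whether the attestor signature is valid */
  attestorSignatureValid: boolean;
  /** Whether the agent meets tool requirements (if any) */
  requirementsMet: boolean;
  /** Which requirements failed */
  failedRequirements: string[];
  /** Errors */
  errors: string[];
}

/**
 * Register a tool in the integrity registry.
 * The runtime/attestor signs that this tool implementation is known and approved.
 *
 * @param input - Tool name, raw implementation content, attestor id and the
 *   attestor's private key used for signing.
 * @returns The registry entry; by its type it carries the hash and signature,
 *   not the private key.
 */
export declare function createToolRegistryEntry(input: {
  toolName: string;
  /** Raw content to hash (source code, binary, or endpoint descriptor JSON) */
  implementation: string | Buffer;
  attestorId: string;
  /** Attestor signing key (key encoding is not shown in this file) */
  attestorPrivateKey: string;
}): ToolRegistryEntry;

/**
 * Verify tool integrity: is this the same tool that was approved?
 * Also checks per-invocation requirements if provided.
 *
 * NOTE(review): this signature takes the attestor key from the caller and
 * exposes no resolver, so binding `registryEntry.attestorId` to that key
 * appears to be the caller's job — confirm against the implementation.
 * `verifyToolManifest` documents a DID-bound path.
 *
 * NOTE(review): the behaviour when `requirements` is passed without
 * `agentCapabilities` is not visible here — confirm that it fails closed.
 *
 * @returns Per-check flags plus the list of failed requirements and errors.
 */
export declare function verifyToolIntegrity(input: {
  /** The registry entry to verify against */
  registryEntry: ToolRegistryEntry;
  /** Current implementation to check (will be hashed) */
  currentImplementation: string | Buffer;
  /** Attestor's public key for signature verification */
  attestorPublicKey: string;
  /** Optional: tool requirements to check against agent capabilities */
  requirements?: ToolRequirements;
  /** Optional: agent's current capabilities (for requirements check) */
  agentCapabilities?: {
    grade: number;
    scopes: string[];
    trustScore: number;
    hasWallet: boolean;
  };
}): ToolIntegrityResult;

/**
 * Trust roots (D1). The APS-native DID is the default and needs zero
 * external dependency — the Ed25519 key is embedded in the did:key /
 * did:aps identifier itself. `did:web` (domain-anchored) and `raw-key`
 * are accepted external roots so the integrity claim holds for
 * real-world registries.
 *
 * NOTE(review): what `ref` holds for each `type` is not shown in this file.
 */
export type ToolTrustRoot =
  | { type: 'aps'; ref: string }
  | { type: 'did:web'; ref: string }
  | { type: 'raw-key'; ref: string };

/** Metadata block — description, declared schema, declared permissions. */
export interface ToolMetadata {
  description?: string;
  schema?: unknown;
  permissions?: string[];
}

/**
 * Signed tool manifest — the artifact a publisher/registry publishes.
 * Canonical surface for publisher identity, namespace and re-approval.
 */
export interface ToolManifest {
  /** Tool name (matches the name in delegation scope) */
  toolName: string;
  /** Optional declared namespace, e.g. `acme/*` */
  namespace?: string;
  /** `sha256:` hash of the implementation (existing semantics) */
  implementationHash: string;
  /**
   * `sha256:` hash of the canonicalized metadata block — DISTINCT from
   * implementationHash so a description/schema/permissions change is
   * detectable even when the implementation is byte-identical.
   */
  metadataHash: string;
  /** Asserted publisher identity (DID). When present, a publisher check runs. */
  publisherDid?: string;
  /** How the publisher key is resolved (D1). Default when absent: APS-native. */
  trustRoot?: ToolTrustRoot;
  /**
   * Asserted attestor identity (DID). When present, the manifest signature
   * is verified against the RESOLVED attestor key — a caller-supplied
   * `attestorPublicKey` cannot override or substitute for it.
   */
  attestorDid?: string;
  /** How the attestor key is resolved (D1). Default when absent: APS-native. */
  attestorTrustRoot?: ToolTrustRoot;
  /** Monotonic integer; bumped on every substantive revision. */
  metadataVersion: number;
  /** Approval state — `pending-reapproval` blocks verification. */
  approvalState?: 'approved' | 'pending-reapproval';
  /** When this manifest was attested */
  verifiedAt: string;
  /** Ed25519 attestor signature over the canonical manifest body */
  signature: string;
  /**
   * Ed25519 publisher signature over the SAME canonical body, when a
   * publisher identity is asserted
   */
  publisherSignature?: string;
}

/** A signed claim of ownership over a tool-name namespace (anti-typosquat). */
export interface NamespaceClaim {
  /** Claimed namespace, e.g. `acme/*` */
  namespace: string;
  /** DID of the namespace owner */
  ownerDid: string;
  /** How the owner key resolves (D1) */
  trustRoot: ToolTrustRoot;
  /** Ed25519 signature by the owner over canonical `{namespace, ownerDid}` */
  signature: string;
}

/**
 * Result of `verifyToolManifest`.
 *
 * Several flags are documented as `true` when the corresponding input was not
 * supplied (`implementationVerified`, `metadataVerified`, `namespaceVerified`).
 * A caller that needs one of those guarantees has to pass the matching input
 * (`currentImplementation`, `currentMetadata`, `namespaceClaims`); the flag
 * alone does not show that the check ran. Likewise `attestorSignatureValid`
 * can be `true` against a caller-supplied key, while `attestorVerified` is
 * `true` only for a resolved attestor identity.
 *
 * NOTE(review): whether `valid` treats a skipped check as passed is not
 * visible in this file — confirm before gating on `valid` alone.
 */
export interface ToolManifestResult {
  /** All checks passed */
  valid: boolean;
  /**
   * Attestor signature over the manifest body is valid (against the
   * authoritative key — resolved when attestorDid is set, else the
   * caller-supplied attestorPublicKey)
   */
  attestorSignatureValid: boolean;
  /**
   * Manifest signature verified against a RESOLVED attestor identity.
   * True only when `attestorDid` is asserted, resolves, and the signature
   * checks out. False when no attestorDid is asserted (no DID binding).
   */
  attestorVerified: boolean;
  /**
   * How the attestor key was resolved, or `caller-supplied-key` when no
   * attestorDid is asserted
   */
  attestorResolutionMethod: string;
  /** Implementation hash matched (true if no current implementation supplied) */
  implementationVerified: boolean;
  /** Metadata hash matched (true if no current metadata supplied) */
  metadataVerified: boolean;
  /** Publisher signature verified (false when no publisher identity asserted) */
  publisherVerified: boolean;
  /** How the publisher key was resolved, or why it was not */
  publisherResolutionMethod: string;
  /** Namespace governance passed (true when no claims supplied or no match) */
  namespaceVerified: boolean;
  /** Tool name collides with a namespace owned by a different DID */
  namespaceViolation: boolean;
  /** Manifest is pending re-approval after a metadata change */
  reapprovalRequired: boolean;
  /** Errors */
  errors: string[];
}

/**
 * Optional injected did:web resolver — lets callers (and tests) resolve a
 * did:web document without live network access. Defaults to `resolveDIDWeb`.
 */
export interface ToolResolveOpts {
  /**
   * NOTE(review): the resolved-document type is not visible in this file;
   * `unknown` accepts any resolver — confirm against `resolveDIDWeb`.
   */
  didWebResolver?: (didWeb: string) => Promise<unknown>;
}

/**
 * Create a signed tool manifest. The attestor signs the canonical body; if a
 * publisher private key is supplied, the publisher co-signs the same body.
 *
 * @returns The signed manifest.
 */
export declare function createToolManifest(input: {
  toolName: string;
  namespace?: string;
  /** Raw implementation content to hash */
  implementation: string | Buffer;
  /** Metadata block to hash (distinct from the implementation) */
  metadata: ToolMetadata;
  attestorPrivateKey: string;
  /**
   * Asserted attestor identity (DID) — when set, the manifest carries it and
   * verification binds the signature to the resolved attestor key
   */
  attestorDid?: string;
  /** Trust root for resolving the attestor key, optional */
  attestorTrustRoot?: ToolTrustRoot;
  /** Asserted publisher identity, optional */
  publisherDid?: string;
  /** Trust root for resolving the publisher key, optional */
  trustRoot?: ToolTrustRoot;
  /** Publisher private key — when present, the manifest is publisher co-signed */
  publisherPrivateKey?: string;
  /** Monotonic metadata version (default 1) */
  metadataVersion?: number;
  /** Approval state (default 'approved') */
  approvalState?: 'approved' | 'pending-reapproval';
  /** Override timestamp — for deterministic conformance fixtures */
  verifiedAt?: string;
}): ToolManifest;

/**
 * Verify a tool manifest — attestor signature, optional implementation and
 * metadata hashes, publisher identity (Part 1b), namespace governance
 * (Part 2) and re-approval state (Part 3). Async because did:web resolution
 * is async; the APS-native and raw-key paths resolve synchronously.
 *
 * The hash and namespace checks run only for the optional inputs that are
 * supplied; see `ToolManifestResult` for how an omitted input is reported.
 *
 * @returns A promise of the per-check result.
 */
export declare function verifyToolManifest(input: {
  manifest: ToolManifest;
  /**
   * Attestor public key — used ONLY when the manifest asserts no
   * `attestorDid`. When `attestorDid` is set the resolved key is
   * authoritative and this key cannot override or substitute for it (G1).
   */
  attestorPublicKey?: string;
  /** Current implementation to hash-check, optional */
  currentImplementation?: string | Buffer;
  /** Current metadata to hash-check, optional */
  currentMetadata?: ToolMetadata;
  /** Known namespace claims — namespace check runs only when supplied */
  namespaceClaims?: NamespaceClaim[];
  /**
   * Optional injected did:web resolver (offline use / tests).
   * NOTE(review): resolved-document type not visible here; typed `unknown`.
   */
  didWebResolver?: (didWeb: string) => Promise<unknown>;
}): Promise<ToolManifestResult>;

/** Create a signed namespace ownership claim. */
export declare function createNamespaceClaim(input: {
  namespace: string;
  ownerDid: string;
  trustRoot: ToolTrustRoot;
  ownerPrivateKey: string;
}): NamespaceClaim;

/**
 * Verify a namespace claim — resolve the owner key via the claim's own trust
 * root and check the owner signature over canonical `{namespace, ownerDid}`.
 * `resolveOpts` carries an optional injected did:web resolver.
 *
 * @param claim - The claim to verify.
 * @param resolveOpts - Optional resolver injection.
 * @returns Validity flags, the resolution method used and any errors.
 */
export declare function verifyNamespaceClaim(
  claim: NamespaceClaim,
  resolveOpts?: ToolResolveOpts,
): Promise<{
  valid: boolean;
  ownerVerified: boolean;
  resolutionMethod: string;
  errors: string[];
}>;

/**
 * Revise a tool manifest (Part 3). Produces a new manifest re-signed by the
 * attestor. Hash-delta rule — the concrete link between Part 1a and Part 3:
 * the revision moves to `pending-reapproval` with `metadataVersion + 1` IFF
 * the implementation hash OR the metadata hash differs from the previous
 * manifest. If neither hash changed it is not a substantive revision and the
 * version / approval state are unchanged.
 *
 * The attestor identity (`attestorDid` / `attestorTrustRoot`) is carried
 * forward. If the previous manifest asserts a `publisherDid`, a
 * `publisherPrivateKey` MUST be supplied so the publisher field is re-signed
 * over the revised body — revising a publisher-bearing manifest without it
 * throws rather than emit a manifest with a stale publisher signature.
 *
 * @param prevManifest - The manifest being revised.
 * @param changes - New implementation and/or metadata content.
 * @param attestorPrivateKey - Attestor key used to re-sign the revision.
 * @param opts - Optional timestamp override and publisher key.
 * @returns The revised, re-signed manifest.
 * @throws When `prevManifest` asserts a `publisherDid` and no
 *   `publisherPrivateKey` is supplied.
 */
export declare function reviseToolManifest(
  prevManifest: ToolManifest,
  changes: {
    implementation?: string | Buffer;
    metadata?: ToolMetadata;
  },
  attestorPrivateKey: string,
  opts?: {
    verifiedAt?: string;
    publisherPrivateKey?: string;
  },
): ToolManifest;

/**
 * Re-approve a manifest pending re-approval (Part 3). Only an attestor can move
 * `pending-reapproval` -> `approved`.
 *
 * The approval is bound to a resolved attestor identity, not merely any
 * caller-provided keypair: the returned manifest carries `attestorDid` /
 * `attestorTrustRoot`, and its signature then verifies against the resolved
 * attestor key in `verifyToolManifest`. If `opts.attestorDid` is omitted the
 * attestor identity already on the manifest is carried forward.
 *
 * If the manifest asserts a `publisherDid`, a `publisherPrivateKey` is required
 * so the publisher field is re-signed over the approved body. Throws if the
 * manifest is not pending re-approval, or on a missing required publisher key.
 *
 * @param manifest - The manifest to re-approve.
 * @param opts - Attestor key and identity, optional publisher key and
 *   timestamp override.
 * @returns The approved, re-signed manifest.
 * @throws When the manifest is not pending re-approval, or a required
 *   publisher key is missing.
 */
export declare function reapproveToolManifest(
  manifest: ToolManifest,
  opts: {
    attestorPrivateKey: string;
    attestorDid?: string;
    attestorTrustRoot?: ToolTrustRoot;
    publisherPrivateKey?: string;
    verifiedAt?: string;
  },
): ToolManifest;
//# sourceMappingURL=tool-integrity.d.ts.map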