/** * qntm Bridge — APS ↔ qntm E2E encrypted relay integration * * Enables APS agents to send SignedExecutionEnvelopes through the qntm * encrypted relay. Both sides use XChaCha20-Poly1305 with HKDF-derived * keys from shared invite tokens. * * Interop proven: 5/5 Ed25519→X25519 vectors, 3/3 HKDF key derivation * vectors match across TypeScript (APS), TypeScript (@noble), and Python (qntm). * * @module interop/qntm-bridge */ export interface QntmInvite { v: number; type: string; suite: string; conv_id: Uint8Array; invite_salt: Uint8Array; invite_secret: Uint8Array; inviter_ik_pk: Uint8Array; } export interface QntmConversationKeys { rootKey: Uint8Array; aeadKey: Uint8Array; nonceKey: Uint8Array; convId: Uint8Array; } export interface QntmEnvelope { v: number; conv: Uint8Array; sender: Uint8Array; seq: number; ts: number; msg_id: Uint8Array; ciphertext: Uint8Array; sig: Uint8Array; aad_hash: Uint8Array; did?: string; expiry_ts?: number; } export interface QntmRelayMessage { conv_id: string; envelope_b64: string; } /** Decode a qntm invite token (base64url-encoded CBOR) */ export declare function decodeQntmInvite(token: string): QntmInvite; /** Derive conversation keys from an invite token (HKDF-SHA-256) */ export declare function deriveQntmKeys(invite: QntmInvite): QntmConversationKeys; /** Derive nonce for a message: Trunc24(HMAC-SHA-256(nonceKey, msgId)) */ export declare function deriveNonce(nonceKey: Uint8Array, msgId: Uint8Array): Uint8Array; /** Encrypt plaintext with XChaCha20-Poly1305 using conversation keys */ export declare function qntmEncrypt(plaintext: Uint8Array, keys: QntmConversationKeys, senderKeyId: Uint8Array, seq: number, senderPrivateKey?: Uint8Array, did?: string): Promise; /** Decrypt a qntm envelope */ export declare function qntmDecrypt(envelope: QntmEnvelope, keys: QntmConversationKeys): Promise; /** Serialize a qntm envelope to base64 for relay transport (QSP-1 v1.0 canonical names) */ export declare function serializeEnvelope(envelope: QntmEnvelope): string; /** Build relay message payload */ export declare function buildRelayMessage(envelope: QntmEnvelope): QntmRelayMessage; /** Compute key ID: Trunc16(SHA-256(publicKey)) — matches qntm spec */ export declare function computeKeyId(publicKey: Uint8Array): Uint8Array; /** * High-level: Encrypt any payload and prepare for qntm relay. * * @param payload - Bytes to encrypt (e.g., serialized SignedExecutionEnvelope) * @param inviteToken - Base64url-encoded qntm invite token * @param senderPublicKey - Ed25519 public key of the sender (for key ID) * @param seq - Message sequence number * @param did - Optional DID to include in envelope (e.g., did:aps:z... or did:agentid:...) * @returns Relay-ready message payload */ export declare function encryptForRelay(payload: Uint8Array, inviteToken: string, senderPublicKey: Uint8Array, seq?: number, did?: string, senderPrivateKey?: Uint8Array): Promise; /** * High-level: Decrypt a relay message. * * @param envelopeB64 - Base64-encoded CBOR envelope from relay * @param inviteToken - Same invite token used for encryption * @returns Decrypted plaintext bytes */ export declare function decryptFromRelay(envelopeB64: string, inviteToken: string): Promise; /** * Extract the DID from a serialized relay envelope (without decrypting). * Returns undefined if no DID is present. */ export declare function extractEnvelopeDid(envelopeB64: string): string | undefined; /** * Verify that a DID matches the sender key ID in an envelope. * Resolves the DID to an Ed25519 public key, computes Trunc16(SHA-256(key)), * and compares with the envelope's sender field. * * @param envelopeB64 - Base64 CBOR envelope * @param publicKeyHex - Ed25519 public key hex resolved from the DID * @returns true if the key matches the sender key ID */ export declare function verifyEnvelopeDid(envelopeB64: string, publicKeyHex: string): boolean; /** Default relay URL */ export declare const QNTM_RELAY_URL = "https://inbox.qntm.corpo.llc"; //# sourceMappingURL=qntm-bridge.d.ts.map