import type { CognitiveAttestation, SignerRole } from './types.js'; /** * Verify that at least one signature entry for `signerDid` validates against * `publicKey`. Returns false on tamper, wrong DID, malformed signature, or * key mismatch. */ export declare function verifySignature(att: CognitiveAttestation, publicKey: Uint8Array, signerDid: string): boolean; export interface RequiredRoleCoverage { ok: boolean; missing: SignerRole[]; present: SignerRole[]; } /** * Confirm every role in `aggregation_policy.required_signer_roles` is * represented by at least one signature entry with that role. Structural * check only — does NOT verify signature cryptographically. Callers should * pair this with `verifySignature` per signer for full Stage 1. */ export declare function verifyRequiredSignerRoles(att: CognitiveAttestation): RequiredRoleCoverage; export interface RegistryResolver { /** Return true if the model_version_hash is known to the caller's model registry. */ isKnownModel(modelId: string, modelVersionHash: string): Promise; /** Return true if the dictionary_version_hash is known to the caller's SAE/feature-dict registry. */ isKnownDictionary(dictionaryId: string, dictionaryVersionHash: string): Promise; } export interface RegistryVerificationResult { ok: boolean; model_known: boolean; dictionary_known: boolean; errors: string[]; } /** * Stage 2. Checks that the referenced model and dictionary versions exist in * the resolver's registry view. The SDK ships no registry client — integrators * (or the private gateway) implement `RegistryResolver`. */ export declare function verifyAgainstRegistry(att: CognitiveAttestation, registryResolver: RegistryResolver): Promise; export interface ReplayBackend { /** * Replay the attested token range through the referenced model + SAE and * compare feature activations against the envelope within the policy's * attestation_epsilon. Implementations live outside the SDK. */ replay(att: CognitiveAttestation): Promise; } export interface ReplayVerificationResult { ok: boolean; /** Per-feature deltas keyed by feature_id. */ per_feature_delta: Record; /** Features whose |delta| exceeded aggregation_policy.attestation_epsilon. */ over_epsilon: number[]; /** Features claimed by the envelope but not observed during replay. */ missing_from_replay: number[]; /** Features observed above threshold during replay but absent from the envelope. */ unexpected_in_replay: number[]; } /** * Stage 3. Requires an injected `ReplayBackend`. Running an SAE live is * outside what a pure SDK primitive should bundle — use a private backend * or the gateway's replay service. * * TODO: Once a reference replay backend exists (gateway-side, not SDK), * document its contract here and ship test vectors covering * threshold-delta, missing-feature, and unexpected-feature cases. */ export declare function verifyByReplay(att: CognitiveAttestation, replayer: ReplayBackend): Promise; //# sourceMappingURL=verify.d.ts.map