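import type {
  BuildFieldDisclosureProfileInput,
  FieldDisclosureProfile,
  FieldDisclosureVerification,
} from './types.js';

/**
 * Build a field-disclosure profile from a source payload and a per-field
 * policy map. The builder NEVER embeds a raw sensitive value:
 *
 * - A field named in `sensitive_fields` MUST NOT have policy 'public'. If it
 *   does, the build is rejected. This is the guard against raw PII reaching
 *   the signed body.
 * - For 'hash_only' and 'redacted', only the hash binding is kept; the value
 *   is absent ('redacted' additionally records the '[REDACTED]' sentinel as
 *   the visible placeholder, matching the storage tombstone convention).
 * - For 'encrypted', the caller-supplied ciphertext is kept; the value is
 *   absent. A missing ciphertext for an 'encrypted' field is rejected.
 * - Every field carries a hash binding regardless of policy, so a hidden or
 *   redacted field still leaves the signature verifiable.
 *
 * The optional whole-payload commitment hashes the canonical payload and pairs
 * it with the supplied URI.
 *
 * NOTE(review): the 'public' guard is keyed on `sensitive_fields`, so it can
 * only protect fields the caller lists there. Presumably a field left out of
 * that list and given policy 'public' is embedded as-is; confirm in the
 * implementation and keep the list complete at the call site.
 *
 * NOTE(review): this declaration does not show whether the per-field hash
 * binding is salted or blinded. A plain hash over a low-entropy value (a date,
 * a phone number, a short code) can be matched by enumerating candidates, so
 * 'hash_only' and 'redacted' hide such a value only if the binding includes
 * per-field randomness. Confirm against the hashing code.
 *
 * NOTE(review): for 'encrypted' the ciphertext is supplied by the caller;
 * nothing here indicates that the builder checks how it was produced, so the
 * cipher, key handling and nonce use are the caller's responsibility.
 *
 * @param input - Source payload, per-field policy map and the related options
 *   described above; the exact shape is `BuildFieldDisclosureProfileInput`.
 * @returns The built profile. How a rejected build is reported (thrown error
 *   or otherwise) is not visible in this declaration file.
 */
export declare function buildFieldDisclosureProfile(
  input: BuildFieldDisclosureProfileInput,
): FieldDisclosureProfile;

/**
 * Verify a field-disclosure profile.
 *
 * With no second argument this checks INTERNAL consistency only: every field
 * carries a hash, public/redacted fields are shaped correctly, encrypted fields
 * carry ciphertext. With a `disclosed` map of field name to claimed cleartext
 * value, each supplied value is re-hashed and checked against the bound hash:
 * a match proves the discloser knew the committed value; a mismatch is flagged.
 * With a `payload` it re-hashes the canonical payload against the whole-payload
 * commitment.
 *
 * This reports mechanical facts. It does not fetch the URI and makes no
 * availability claim.
 *
 * The function takes no key and no signature, so a passing result says nothing
 * about who produced the profile or whether it was altered together with its
 * hashes. Authenticity comes from verifying the signature on the receipt that
 * carries the profile, which happens outside this function.
 *
 * NOTE(review): "proves the discloser knew the committed value" holds only if
 * the value cannot be guessed. If the binding is an unsalted hash, a match on a
 * low-entropy field can also be reached by trying candidates; confirm how the
 * binding is computed before relying on a match as proof of prior knowledge.
 *
 * @param profile - The profile to check.
 * @param opts - Optional cleartext claims and/or a full payload to test.
 * @returns The verification report; its shape is `FieldDisclosureVerification`.
 */
export declare function verifyFieldDisclosureProfile(
  profile: FieldDisclosureProfile,
  opts?: {
    /**
     * Claimed cleartext values for hidden fields, to test against bindings.
     * Keys are field names.
     */
    // NOTE(review): the type arguments of `Record` were missing in this listing;
    // `Record<string, unknown>` is assumed. Confirm against the source module.
    disclosed?: Record<string, unknown>;
    /** A full payload to test against the whole-payload commitment. */
    // NOTE(review): type arguments assumed, as for `disclosed`.
    payload?: Record<string, unknown>;
  },
): FieldDisclosureVerification;

/**
 * Canonical bytes a receipt signs when it carries a field-disclosure profile.
 * Exposed so a receipt builder can fold the profile into its signed body using
 * the same canonicalization every other builder uses, without this module
 * owning a signing key. Adding this to a body changes nothing for receipts that
 * omit the profile.
 *
 * NOTE(review): the declared return type is `string`, not a byte array. Signer
 * and verifier must turn it into bytes with the same encoding, or signatures
 * over the same profile will not match. Confirm which encoding the receipt
 * builders use.
 *
 * @param profile - The profile to canonicalize.
 * @returns The canonical form of the profile, as a string.
 */
export declare function canonicalProfileBytes(profile: FieldDisclosureProfile): string;
//# sourceMappingURL=profile.d.ts.map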