import type { Ed25519JWK, JWKS } from './types.js'; export interface ParsedDIDCycles { /** Lowercase hex sha256 of `server_id`, as carried in the DID subject. * A BINDING value: the cycles verify layer checks it against * sha256(envelope.server_id). Not a locator. */ serverIdHash: string; /** kid taken from the DID-URL fragment, if present. */ kid?: string; } /** * Parse a did:cycles identifier (optionally with a #fragment) into its * `server_id` hash and kid. The fragment is split off BEFORE the subject * is read so a `#` never lands inside the hash. * * Throws on a structurally invalid did:cycles string (wrong method, or a * subject that is not a 64-char lowercase hex sha256). */ export declare function parseDIDCycles(did: string): ParsedDIDCycles; /** True if the value looks like a did:cycles identifier. */ export declare function isDIDCycles(value: string): boolean; /** * The JWK Set URL for a Cycles server, API-base-relative: append * `/.well-known/cycles-jwks.json` to the verbatim `server_id` (collapsing * only a doubled `/` at the join). Deliberately NOT origin-rooted — * `server_id` carries its path (e.g. `https://cycles.example.com/v1`), so * the set lives at `…/v1/.well-known/cycles-jwks.json`, keeping key * authority anchored to the base the DID hash commits to. */ export declare function cyclesJwksUrl(serverId: string): string; export type JWKSelection = { ok: true; jwk: Ed25519JWK; publicKeyHex: string; kid?: string; } | { ok: false; status: 'not_found' | 'ambiguous' | 'malformed'; reason: string; }; /** Selection criteria. Legacy callers pass a bare kid string; the cycles * path passes the window + raw-key form. */ export interface SelectKeyOptions { /** Match the JWK whose kid strictly equals this (exact, case-sensitive). */ kid?: string; /** Window gate: keep only keys whose [cycles_nbf_ms, cycles_exp_ms) covers * this issuance time (epoch ms). Omitted ⇒ no window gate (legacy). */ issuedAtMs?: number; /** Raw-hex signer match: keep only keys whose `x` decodes to these 32 bytes * (64-char hex). Used when the envelope's signer_did is a raw key. */ publicKeyHex?: string; } /** * Select exactly one Ed25519 verification key from a JWKS. Filters, in * order: Ed25519 signing candidacy, optional raw-hex `x` match, optional * kid match, optional validity-window gate; then requires the survivor to * be unique. Never silently falls back to a different key. Legacy callers * may pass a bare kid string. */ export declare function selectKey(jwks: JWKS, sel?: string | SelectKeyOptions): JWKSelection; /** * Validate that a parsed object is a well-formed JWKS with a non-empty * `keys` array. Returns the JWKS on success or null on any structural * problem. */ export declare function asJWKS(body: unknown): JWKS | null; //# sourceMappingURL=did-cycles.d.ts.map