import type { RotatableDIDDocument } from '../../types/passport.js'; import type { EmitDenialInput, EmitReceiptInput, GovernanceHooks, PaymentDenial, PaymentRail, PaymentReceipt, PreAuthorizeInput, PreAuthorizeResult } from './types.js'; /** * Decide whether a delegation may authorize the requested spend on * the given rail. Pure function; no I/O. * * Order of checks (matches the denial_reason taxonomy precedence): * 1. wallet_revoked — rail.isWalletRevoked(delegation.wallet_id) * 2. no_commerce_scope — required_scope not in delegation.scope * 3. time_window_violation — outside [not_before, not_after] * 4. spend_limit_exceeded — amount > delegation.spend_limit_base_units * OR currency mismatch between delegation and request * * Currency mismatch maps to spend_limit_exceeded (the spend limit is * denominated in delegation.currency; a request in a different * currency cannot be measured against it). Rail integrators that * want a separate error code can wrap preAuthorize and re-route. */ export declare function preAuthorize(input: PreAuthorizeInput, rail: PaymentRail): PreAuthorizeResult; export declare function emitReceipt(input: EmitReceiptInput, issuerPrivateKeyHex: string): PaymentReceipt; export declare function emitDenial(input: EmitDenialInput, issuerPrivateKeyHex: string): PaymentDenial; export type ReceiptVerifyReason = 'INVALID_CLAIM_TYPE' | 'RECEIPT_ID_MISMATCH' | 'SIGNATURE_INVALID' | 'DID_RESOLVER_MISSING' | 'DID_URI_INVALID' | 'DID_DOC_NOT_FOUND' | 'DID_KEY_NOT_IN_DOC' | 'DID_KEY_RETIRED'; export interface ReceiptVerifyResult { valid: boolean; reason?: ReceiptVerifyReason; } /** Phase 4.1 / P12: caller-supplied DID document resolver. Verifier * invokes this when `signer_did` is a DID URI; returns the agent's * RotatableDIDDocument or null when the agent is unknown. */ export type ResolveDidDocument = (agentId: string) => Promise; export interface VerifyReceiptOptions { /** Required when `receipt.signer_did` is a DID URI. Omit for legacy * raw-hex receipts. */ resolveDidDocument?: ResolveDidDocument; /** Verification clock; defaults to Date.now(). */ now?: Date; } /** * Sync legacy verifier. Kept for backwards compatibility — receipts * carrying a raw hex signer_did continue to verify here without any * options. When `receipt.signer_did` is a DID URI (starts with 'did:'), * this path returns DID_RESOLVER_MISSING; callers must use the async * `verifyPaymentReceiptWithDID()` path with a resolveDidDocument. */ export declare function verifyPaymentReceipt(receipt: PaymentReceipt): ReceiptVerifyResult; /** * Phase 4.1 / P12: async verifier that resolves DID URIs against the * caller-supplied DID document resolver. Falls back to the legacy * raw-hex path when signer_did doesn't start with 'did:'. * * Failure reasons: * - DID_RESOLVER_MISSING — signer_did is a DID URI but no resolver supplied * - DID_URI_INVALID — signer_did is malformed (no `#`, etc.) * - DID_DOC_NOT_FOUND — resolver returned null for the agentId * - DID_KEY_NOT_IN_DOC — keyRef not present in verificationMethod[] * - DID_KEY_RETIRED — key was retired before the receipt was signed * - SIGNATURE_INVALID — Ed25519 verify failed */ export declare function verifyPaymentReceiptWithDID(receipt: PaymentReceipt, options?: VerifyReceiptOptions): Promise; export type DenialVerifyReason = 'INVALID_CLAIM_TYPE' | 'INVALID_DENIAL_REASON' | 'RECEIPT_ID_MISMATCH' | 'SIGNATURE_INVALID' | 'DID_RESOLVER_MISSING' | 'DID_URI_INVALID' | 'DID_DOC_NOT_FOUND' | 'DID_KEY_NOT_IN_DOC' | 'DID_KEY_RETIRED'; export interface DenialVerifyResult { valid: boolean; reason?: DenialVerifyReason; } export declare function verifyPaymentDenial(denial: PaymentDenial): DenialVerifyResult; export declare function verifyPaymentDenialWithDID(denial: PaymentDenial, options?: VerifyReceiptOptions): Promise; /** * Default GovernanceHooks implementation. Rails that want the * standard preAuthorize/emit semantics can use this; rails with * custom rules implement GovernanceHooks themselves. */ export declare function createDefaultGovernanceHooks(): GovernanceHooks; //# sourceMappingURL=hooks.d.ts.map