import { type SeenSet } from '../verifier-hardening/index.js'; import type { AttestationFreshness } from '../../types/passport.js'; import type { RevocationFreshnessRecord } from '../../types/policy.js'; import type { PolicyContext, RiskClass } from '../types.js'; import type { ScopeOfClaim } from '../accountability/types/base.js'; import type { FreshnessPolicy, FreshnessDecision, EphemeralCapabilityToken, EphemeralTokenVerdict, RefreshOutcome, SecurityEventTokenClaims } from './types.js'; export * from './types.js'; /** * Apply a relying-party freshness policy to an M4 RevocationFreshnessRecord. * * The record's `result` ('fresh' | 'stale' | 'unavailable' | 'skipped') is * produced by {@link recordRevocationFreshness}; this function does not * re-derive it. A 'fresh' result always allows. For any non-fresh result the * decision follows the configured mode: * * - 'fail_open': allow (action_on_stale defaults to 'allow'; * 'deny' / 'downgrade' are honoured if set). * - 'fail_closed': deny, always (action_on_stale is forced to 'deny'). * - 'bounded_staleness': allow while the recorded age is within * boundedStalenessMs (INCLUSIVE boundary), otherwise * apply action_on_stale (default 'deny'). * * 'downgrade' resolves to an allow with `downgraded: true`, an advisory the * relying party computes; it is never read from or written to a receipt. */ export declare function decideFreshness(record: RevocationFreshnessRecord, policy: FreshnessPolicy, now?: Date): FreshnessDecision; /** * Convenience composition: consult a revocation source (via the M4 recorder), * then decide under a freshness policy in one call. The recorder inputs are * passed straight through; this only chains record → decide so a caller does * not have to thread the intermediate record by hand. */ export declare function enforceFreshnessPolicy(opts: { source: string; maxStalenessMs: number; checkedAt?: Date; freshness?: AttestationFreshness; unavailable?: boolean; allowDespiteStale?: boolean; }, policy: FreshnessPolicy): FreshnessDecision; /** * Mint a short-lived capability token for a high-risk action class. * * The lifetime is the reused 'rotating' {@link AttestationFreshness} shape: * `validAt` is the mint instant and `ttl` is the lifetime in seconds. No new * staleness type is introduced. The token is a FORMAT; the gateway distributes * and propagates revocation, this SDK only mints and checks. */ export declare function mintEphemeralToken(params: { delegation_id: string; trace_id: string; action_class: string; risk_class: RiskClass; /** Lifetime in seconds. Short by construction for high-risk classes. */ ttlSeconds: number; /** Mint instant; defaults to now. */ issuedAt?: Date; /** Token id; defaults to a random UUID. */ jti?: string; }): EphemeralCapabilityToken; /** * Validate an ephemeral token's lifetime and single-use. * * Expiry uses {@link isEvidenceFresh} on the token's 'rotating' lifetime, the * same helper M4 uses; no bespoke comparator. Single-use is enforced against * an M4 {@link SeenSet} via {@link checkReplay}. A token replayed inside its * lifetime is 'replayed'; an expired token is 'expired'. Expiry is checked * BEFORE replay so an expired token does not consume a seen-set slot. */ export declare function validateEphemeralToken(token: EphemeralCapabilityToken, seen: SeenSet, now?: Date): EphemeralTokenVerdict; /** * Refresh (reissue) a delegation behind an ephemeral token. * * Two preconditions, both mechanical: * - the original delegation MUST validate as not-revoked / not-superseded * (via {@link validateV2Delegation}); a revoked original is refused. * - the supplied trace_id MUST match the token's trace_id, binding the * refresh to the same trace. * * On success it reissues through the existing {@link renewV2Delegation} path, * which supersedes the original keeping its scope (no authority expansion). A * refresh therefore reissues authority that already existed; it does not mint * new authority. */ export declare function refreshDelegation(params: { token: EphemeralCapabilityToken; /** The trace_id presented with the refresh request. Must equal the token's. */ trace_id: string; /** New policy context for the reissued delegation (fresh validity window). */ policy_context: PolicyContext; delegator_private_key: string; renewal_reason: string; now?: Date; }): RefreshOutcome; /** * Build a Security Event Token claim set (RFC 8417 §2.2) carrying a CAEP * session-revoked event for a revoked delegation / agent. * * Returns the UNSIGNED claim set. The emitter signs it as a JWT using its * existing Signer (the SDK does not introduce a second JWT signer here), and * the gateway delivers it over a stream (out of scope). The `events` map is * keyed by the CAEP event-type URI per RFC 8417, so a standard SSF/CAEP * receiver can route it. */ export declare function buildRevocationSET(params: { /** SET issuer ('iss'). */ issuer: string; /** The revoked subject id (delegation id or agent id). */ subject_id: string; /** When the revocation took effect; defaults to issuedAt. */ revokedAt?: Date; /** SET issued-at; defaults to now. */ issuedAt?: Date; /** Intended audience ('aud'), when known. */ audience?: string | string[]; /** Reason recorded by the emitter (advisory; e.g. a validateV2Delegation * reason). The SET does not assert the reason is true. */ reason?: string; /** SET id ('jti'); defaults to a random UUID. */ jti?: string; }): SecurityEventTokenClaims; /** * Structural conformance check for a SET claim set against RFC 8417 §2.2 and * the CAEP event shape this module emits. Mechanical only: presence and type * of the required claims, exactly one recognized event-type URI, and a * well-formed event object. It does NOT verify a signature (the claim set is * unsigned here) and does not assert the revocation is true. */ export declare function isWellFormedSET(value: unknown): value is SecurityEventTokenClaims; /** The proof box rendered as a ScopeOfClaim, for callers that emit an * accountability receipt covering a revocation-enforcement decision. */ export declare function buildRevocationEnforcementScopeOfClaim(): ScopeOfClaim; //# sourceMappingURL=index.d.ts.map