/**
 * PKCE (RFC 7636) helpers.
 *
 * Extracted from the OAuth endpoints so the cryptographic comparison can be
 * unit-tested in isolation. Production callers:
 *   - api/oauth-authorize.ts → validateCodeChallenge
 *   - api/oauth.ts → verifyPkce on authorization_code redemption
 *
 * Only S256 is implemented; `plain` is rejected upstream per ADR 0003 §2.2.
 *
 * NOTE(review): this file contains declarations only. The exact validation
 * rules and the comparison primitive are not visible here, so the guarantees
 * documented below must be confirmed against the implementation.
 *
 * Spec: https://datatracker.ietf.org/doc/html/rfc7636
 */

/**
 * Validate the shape of a code_challenge submitted to /oauth/authorize.
 * Does NOT verify against any verifier — that happens later at token redemption.
 *
 * Takes `unknown`, so the caller does not need a prior type check; on success
 * the type predicate narrows the value to `string`.
 *
 * NOTE(review): the accepted shape is not visible in this declaration. For S256
 * the challenge is the unpadded BASE64URL form of a 32-byte SHA-256 digest,
 * i.e. 43 characters from [A-Za-z0-9_-] — confirm the implementation enforces
 * exactly that and rejects padded or longer values.
 *
 * @param challenge - Candidate code_challenge value taken from the request.
 * @returns `true` when the value is a string of the accepted shape.
 */
export declare function isValidCodeChallenge(challenge: unknown): challenge is string;

/**
 * Validate the shape of a code_verifier submitted to /oauth/token.
 *
 * Takes `unknown`, so the caller does not need a prior type check; on success
 * the type predicate narrows the value to `string`.
 *
 * NOTE(review): the accepted shape is not visible in this declaration. RFC 7636
 * §4.1 defines a verifier as 43–128 characters from the unreserved set
 * [A-Za-z0-9-._~] — confirm the implementation enforces both the length bounds
 * and the character set.
 *
 * @param verifier - Candidate code_verifier value taken from the request.
 * @returns `true` when the value is a string of the accepted shape.
 */
export declare function isValidCodeVerifier(verifier: unknown): verifier is string;

/**
 * Compute the S256 code_challenge from a code_verifier.
 * Returns the BASE64URL-encoded SHA-256 digest (no padding).
 *
 * NOTE(review): the signature accepts any string; presumably callers validate
 * the input with isValidCodeVerifier first — confirm, since this declaration
 * does not show whether malformed input is rejected here.
 *
 * @param verifier - The code_verifier to hash.
 * @returns The unpadded BASE64URL encoding of the SHA-256 digest of `verifier`.
 */
export declare function s256(verifier: string): string;

/**
 * Constant-time verification that `verifier` hashes to `expectedChallenge`
 * using S256. Returns false (without timing leak) if either input is malformed.
 *
 * NOTE(review): the comparison primitive is not visible in this declaration.
 * Constant-time comparators such as Node's `crypto.timingSafeEqual` throw when
 * the two inputs differ in length, so confirm that the malformed-input path
 * returns `false` instead of throwing and does not fall back to `===`.
 *
 * Per RFC 7636 §4.6 a failed comparison must fail the token request with
 * `invalid_grant`; callers should treat `false` as a rejected redemption.
 *
 * @param verifier - The code_verifier presented at token redemption.
 * @param expectedChallenge - The code_challenge recorded at authorization time.
 * @returns `true` only when the S256 transform of `verifier` equals
 *   `expectedChallenge`; `false` otherwise, including for malformed input.
 */
export declare function verifyS256(verifier: string, expectedChallenge: string): boolean;