/** * Minimal ARC (RFC 8617) signer — ships just enough to produce a * valid ARC-Set (ARC-Authentication-Results, ARC-Message-Signature, * ARC-Seal) for an intermediary. Uses Web Crypto, no deps. * * Scope: sign-only. Verification happens at the final receiver; this * module helps the middle hop preserve auth-chain provenance. * * @module */ export type ArcAlgorithm = "rsa-sha256" | "ed25519-sha256"; export interface ArcSignerOptions { selector: string; domain: string; privateKey: string | CryptoKey; algorithm?: ArcAlgorithm; /** Current instance number (i=). Required — the intermediary * increments it each hop, starting at 1. */ instance: number; /** Authentication-Results payload as you observed it. e.g. * `"dkim=pass header.d=acme.com; spf=pass"`. */ authResults: string; /** Headers to include in the ARC-Message-Signature body. */ signedHeaders?: ReadonlyArray; } export interface ArcHeaders { "ARC-Authentication-Results": string; "ARC-Message-Signature": string; "ARC-Seal": string; } /** Produce the three ARC headers for one hop. Caller prepends them to * the outgoing message headers. Returns strings without trailing * CRLF. */ export declare function signArc(message: string, options: ArcSignerOptions): Promise;