@affectively/aeon 1.0.0

package/dist/index-C_4CMV5c.d.cts

@@ -0,0 +1,1207 @@
+import { EventEmitter } from 'eventemitter3';
+
+/**
+ * Aeon Crypto Types
+ *
+ * Type definitions for cryptographic operations in Aeon.
+ * These are compatible with @affectively/ucan and @affectively/zk-encryption.
+ */
+/**
+ * Decentralized Identifier (DID)
+ * Format: did:method:identifier
+ */
+type DID = `did:${string}:${string}`;
+/**
+ * Supported signing algorithms
+ */
+type SigningAlgorithm = 'ES256' | 'Ed25519' | 'ES384' | 'ES512';
+/**
+ * Key pair for signing and verification
+ */
+interface KeyPair {
+    algorithm: SigningAlgorithm;
+    publicKey: JsonWebKey;
+    privateKey?: JsonWebKey;
+    fingerprint: string;
+}
+/**
+ * Identity representing a user or node
+ */
+interface Identity {
+    did: DID;
+    signingKey: KeyPair;
+    encryptionKey?: KeyPair;
+    createdAt: number;
+    displayName?: string;
+}
+/**
+ * UCAN Capability structure
+ */
+interface Capability {
+    can: string;
+    with: string;
+    constraints?: Record<string, unknown>;
+}
+/**
+ * UCAN Token payload
+ */
+interface UCANPayload {
+    iss: DID;
+    aud: DID;
+    exp: number;
+    nbf?: number;
+    iat?: number;
+    nonce?: string;
+    jti?: string;
+    att: Capability[];
+    prf?: string[];
+    fct?: Record<string, unknown>;
+}
+/**
+ * Parsed UCAN Token
+ */
+interface UCANToken {
+    payload: UCANPayload;
+    raw: string;
+    signature: Uint8Array;
+    algorithm: string;
+}
+/**
+ * UCAN verification result
+ */
+interface VerificationResult {
+    valid: boolean;
+    payload?: UCANPayload;
+    error?: string;
+    expired?: boolean;
+    shouldRotate?: boolean;
+    expiresIn?: number;
+}
+/**
+ * Encryption algorithms supported
+ */
+type EncryptionAlgorithm = 'ECIES-P256' | 'AES-256-GCM';
+/**
+ * HKDF domain separator categories
+ */
+type DomainCategory = 'default' | 'sync' | 'message' | 'api-key' | 'personal-data' | string;
+/**
+ * EC Key pair for ECDH operations
+ */
+interface ECKeyPair {
+    publicKey: JsonWebKey;
+    privateKey: JsonWebKey;
+    keyId: string;
+    createdAt: string;
+}
+/**
+ * Encrypted data envelope
+ */
+interface EncryptedPayload {
+    alg: EncryptionAlgorithm;
+    ct: string;
+    iv: string;
+    tag: string;
+    epk?: JsonWebKey;
+    category?: DomainCategory;
+    nonce?: string;
+    encryptedAt: number;
+}
+/**
+ * Decryption result
+ */
+interface DecryptionResult {
+    plaintext: Uint8Array;
+    category?: DomainCategory;
+    encryptedAt: number;
+}
+/**
+ * Aeon encryption mode
+ */
+type AeonEncryptionMode = 'none' | 'transport' | 'at-rest' | 'end-to-end';
+/**
+ * Aeon sync capability namespace
+ */
+declare const AEON_CAPABILITIES: {
+    readonly SYNC_READ: "aeon:sync:read";
+    readonly SYNC_WRITE: "aeon:sync:write";
+    readonly SYNC_ADMIN: "aeon:sync:admin";
+    readonly NODE_REGISTER: "aeon:node:register";
+    readonly NODE_HEARTBEAT: "aeon:node:heartbeat";
+    readonly REPLICATE_READ: "aeon:replicate:read";
+    readonly REPLICATE_WRITE: "aeon:replicate:write";
+    readonly STATE_READ: "aeon:state:read";
+    readonly STATE_WRITE: "aeon:state:write";
+    readonly STATE_RECONCILE: "aeon:state:reconcile";
+};
+type AeonCapability = (typeof AEON_CAPABILITIES)[keyof typeof AEON_CAPABILITIES];
+/**
+ * Crypto configuration for Aeon
+ */
+interface AeonCryptoConfig {
+    /** Default encryption mode for sync messages */
+    defaultEncryptionMode: AeonEncryptionMode;
+    /** Require all messages to be signed */
+    requireSignatures: boolean;
+    /** Require UCAN capability verification */
+    requireCapabilities: boolean;
+    /** Allowed signature algorithms */
+    allowedSignatureAlgorithms: string[];
+    /** Allowed encryption algorithms */
+    allowedEncryptionAlgorithms: string[];
+    /** UCAN audience DID for verification */
+    ucanAudience?: string;
+    /** Session key expiration (ms) */
+    sessionKeyExpiration?: number;
+}
+/**
+ * Default crypto configuration
+ */
+declare const DEFAULT_CRYPTO_CONFIG: AeonCryptoConfig;
+/**
+ * Authenticated sync message fields
+ */
+interface AuthenticatedMessageFields {
+    /** Sender DID */
+    senderDID?: string;
+    /** Receiver DID */
+    receiverDID?: string;
+    /** UCAN token for capability verification */
+    ucan?: string;
+    /** Message signature (base64url) */
+    signature?: string;
+    /** Whether payload is encrypted */
+    encrypted?: boolean;
+}
+/**
+ * Secure sync session
+ */
+interface SecureSyncSession {
+    id: string;
+    initiator: string;
+    participants: string[];
+    sessionKey?: Uint8Array;
+    encryptionMode: AeonEncryptionMode;
+    requiredCapabilities: string[];
+    status: 'pending' | 'active' | 'completed' | 'failed';
+    startTime: string;
+    endTime?: string;
+}
+/**
+ * Node with identity information
+ */
+interface SecureNodeInfo {
+    id: string;
+    did?: string;
+    publicSigningKey?: JsonWebKey;
+    publicEncryptionKey?: JsonWebKey;
+    capabilities?: string[];
+    lastSeen?: number;
+}
+/**
+ * Capability verification result
+ */
+interface AeonCapabilityResult {
+    authorized: boolean;
+    error?: string;
+    issuer?: string;
+    grantedCapabilities?: Array<{
+        can: string;
+        with: string;
+    }>;
+}
+/**
+ * Signed data envelope for sync operations
+ */
+interface SignedSyncData<T = unknown> {
+    payload: T;
+    signature: string;
+    signer: string;
+    algorithm: string;
+    signedAt: number;
+}
+
+/**
+ * Aeon Crypto Provider Interface
+ *
+ * Abstract interface for cryptographic operations.
+ * Aeon core remains zero-dependency - crypto is injected through this interface.
+ */
+
+/**
+ * Abstract crypto provider interface
+ *
+ * Implementations use @affectively/ucan and @affectively/zk-encryption
+ * or other compatible libraries.
+ */
+interface ICryptoProvider {
+    /**
+     * Generate a new identity with DID and key pairs
+     */
+    generateIdentity(displayName?: string): Promise<{
+        did: string;
+        publicSigningKey: JsonWebKey;
+        publicEncryptionKey?: JsonWebKey;
+    }>;
+    /**
+     * Get the local identity's DID
+     */
+    getLocalDID(): string | null;
+    /**
+     * Export local identity's public info for sharing
+     */
+    exportPublicIdentity(): Promise<SecureNodeInfo | null>;
+    /**
+     * Register a known remote node's public keys
+     */
+    registerRemoteNode(node: SecureNodeInfo): Promise<void>;
+    /**
+     * Get a remote node's public key
+     */
+    getRemotePublicKey(did: string): Promise<JsonWebKey | null>;
+    /**
+     * Sign data with local identity's private key
+     */
+    sign(data: Uint8Array): Promise<Uint8Array>;
+    /**
+     * Sign structured data and wrap in SignedSyncData envelope
+     */
+    signData<T>(data: T): Promise<SignedSyncData<T>>;
+    /**
+     * Verify a signature from a remote node
+     */
+    verify(did: string, signature: Uint8Array, data: Uint8Array): Promise<boolean>;
+    /**
+     * Verify a SignedSyncData envelope
+     */
+    verifySignedData<T>(signedData: SignedSyncData<T>): Promise<boolean>;
+    /**
+     * Encrypt data for a recipient
+     */
+    encrypt(plaintext: Uint8Array, recipientDID: string): Promise<{
+        alg: string;
+        ct: string;
+        iv: string;
+        tag: string;
+        epk?: JsonWebKey;
+        encryptedAt: number;
+    }>;
+    /**
+     * Decrypt data
+     */
+    decrypt(encrypted: {
+        alg: string;
+        ct: string;
+        iv: string;
+        tag: string;
+        epk?: JsonWebKey;
+    }, senderDID?: string): Promise<Uint8Array>;
+    /**
+     * Derive or get a session key for communication with a peer
+     */
+    getSessionKey(peerDID: string): Promise<Uint8Array>;
+    /**
+     * Encrypt with a session key
+     */
+    encryptWithSessionKey(plaintext: Uint8Array, sessionKey: Uint8Array): Promise<{
+        alg: string;
+        ct: string;
+        iv: string;
+        tag: string;
+        encryptedAt: number;
+    }>;
+    /**
+     * Decrypt with a session key
+     */
+    decryptWithSessionKey(encrypted: {
+        ct: string;
+        iv: string;
+        tag: string;
+    }, sessionKey: Uint8Array): Promise<Uint8Array>;
+    /**
+     * Create a UCAN token
+     */
+    createUCAN(audience: string, capabilities: Array<{
+        can: string;
+        with: string;
+    }>, options?: {
+        expirationSeconds?: number;
+        proofs?: string[];
+    }): Promise<string>;
+    /**
+     * Verify a UCAN token
+     */
+    verifyUCAN(token: string, options?: {
+        expectedAudience?: string;
+        requiredCapabilities?: Array<{
+            can: string;
+            with: string;
+        }>;
+    }): Promise<AeonCapabilityResult>;
+    /**
+     * Delegate capabilities
+     */
+    delegateCapabilities(parentToken: string, audience: string, capabilities: Array<{
+        can: string;
+        with: string;
+    }>, options?: {
+        expirationSeconds?: number;
+    }): Promise<string>;
+    /**
+     * Compute hash of data
+     */
+    hash(data: Uint8Array): Promise<Uint8Array>;
+    /**
+     * Generate random bytes
+     */
+    randomBytes(length: number): Uint8Array;
+    /**
+     * Check if crypto is properly initialized
+     */
+    isInitialized(): boolean;
+}
+/**
+ * Null crypto provider for when crypto is disabled
+ *
+ * All operations either throw or return permissive defaults.
+ */
+declare class NullCryptoProvider implements ICryptoProvider {
+    private notConfiguredError;
+    generateIdentity(): Promise<{
+        did: string;
+        publicSigningKey: JsonWebKey;
+        publicEncryptionKey?: JsonWebKey;
+    }>;
+    getLocalDID(): string | null;
+    exportPublicIdentity(): Promise<SecureNodeInfo | null>;
+    registerRemoteNode(): Promise<void>;
+    getRemotePublicKey(): Promise<JsonWebKey | null>;
+    sign(): Promise<Uint8Array>;
+    signData<T>(_data: T): Promise<SignedSyncData<T>>;
+    verify(): Promise<boolean>;
+    verifySignedData(): Promise<boolean>;
+    encrypt(): Promise<{
+        alg: string;
+        ct: string;
+        iv: string;
+        tag: string;
+        epk?: JsonWebKey;
+        encryptedAt: number;
+    }>;
+    decrypt(): Promise<Uint8Array>;
+    getSessionKey(): Promise<Uint8Array>;
+    encryptWithSessionKey(): Promise<{
+        alg: string;
+        ct: string;
+        iv: string;
+        tag: string;
+        encryptedAt: number;
+    }>;
+    decryptWithSessionKey(): Promise<Uint8Array>;
+    createUCAN(): Promise<string>;
+    verifyUCAN(): Promise<AeonCapabilityResult>;
+    delegateCapabilities(): Promise<string>;
+    hash(): Promise<Uint8Array>;
+    randomBytes(length: number): Uint8Array;
+    isInitialized(): boolean;
+}
+
+/**
+ * Sync Coordinator
+ *
+ * Coordinates synchronization between multiple nodes in a distributed system.
+ * Manages sync sessions, node registration, and synchronization workflows.
+ *
+ * Features:
+ * - Node registration and discovery
+ * - Sync session management
+ * - Synchronization workflow orchestration
+ * - Node health monitoring
+ * - Conflict detection and resolution coordination
+ * - DID-based node identification
+ * - Authenticated sync sessions
+ */
+
+interface SyncNode {
+    id: string;
+    address: string;
+    port: number;
+    status: 'online' | 'offline' | 'syncing';
+    lastHeartbeat: string;
+    version: string;
+    capabilities: string[];
+    did?: string;
+    publicSigningKey?: JsonWebKey;
+    publicEncryptionKey?: JsonWebKey;
+    grantedCapabilities?: string[];
+}
+interface SyncSession {
+    id: string;
+    initiatorId: string;
+    participantIds: string[];
+    status: 'pending' | 'active' | 'completed' | 'failed';
+    startTime: string;
+    endTime?: string;
+    itemsSynced: number;
+    itemsFailed: number;
+    conflictsDetected: number;
+    initiatorDID?: string;
+    participantDIDs?: string[];
+    encryptionMode?: AeonEncryptionMode;
+    requiredCapabilities?: string[];
+    sessionToken?: string;
+}
+interface SyncEvent {
+    type: 'node-joined' | 'node-left' | 'sync-started' | 'sync-completed' | 'conflict-detected';
+    sessionId?: string;
+    nodeId: string;
+    timestamp: string;
+    data?: unknown;
+}
+/**
+ * Sync Coordinator
+ * Coordinates synchronization across distributed nodes
+ */
+declare class SyncCoordinator extends EventEmitter {
+    private nodes;
+    private sessions;
+    private syncEvents;
+    private nodeHeartbeats;
+    private heartbeatInterval;
+    private cryptoProvider;
+    private nodesByDID;
+    constructor();
+    /**
+     * Configure cryptographic provider for authenticated sync
+     */
+    configureCrypto(provider: ICryptoProvider): void;
+    /**
+     * Check if crypto is configured
+     */
+    isCryptoEnabled(): boolean;
+    /**
+     * Register a node with DID-based identity
+     */
+    registerAuthenticatedNode(nodeInfo: Omit<SyncNode, 'did' | 'publicSigningKey' | 'publicEncryptionKey'> & {
+        did: string;
+        publicSigningKey: JsonWebKey;
+        publicEncryptionKey?: JsonWebKey;
+    }): Promise<SyncNode>;
+    /**
+     * Get node by DID
+     */
+    getNodeByDID(did: string): SyncNode | undefined;
+    /**
+     * Get all authenticated nodes (nodes with DIDs)
+     */
+    getAuthenticatedNodes(): SyncNode[];
+    /**
+     * Create an authenticated sync session with UCAN-based authorization
+     */
+    createAuthenticatedSyncSession(initiatorDID: string, participantDIDs: string[], options?: {
+        encryptionMode?: AeonEncryptionMode;
+        requiredCapabilities?: string[];
+    }): Promise<SyncSession>;
+    /**
+     * Verify a node's UCAN capabilities for a session
+     */
+    verifyNodeCapabilities(sessionId: string, nodeDID: string, token: string): Promise<{
+        authorized: boolean;
+        error?: string;
+    }>;
+    /**
+     * Register a node in the cluster
+     */
+    registerNode(node: SyncNode): void;
+    /**
+     * Deregister a node from the cluster
+     */
+    deregisterNode(nodeId: string): void;
+    /**
+     * Create a new sync session
+     */
+    createSyncSession(initiatorId: string, participantIds: string[]): SyncSession;
+    /**
+     * Update sync session
+     */
+    updateSyncSession(sessionId: string, updates: Partial<SyncSession>): void;
+    /**
+     * Record a conflict during sync
+     */
+    recordConflict(sessionId: string, nodeId: string, conflictData?: unknown): void;
+    /**
+     * Update node status
+     */
+    updateNodeStatus(nodeId: string, status: SyncNode['status']): void;
+    /**
+     * Record heartbeat from node
+     */
+    recordHeartbeat(nodeId: string): void;
+    /**
+     * Get all nodes
+     */
+    getNodes(): SyncNode[];
+    /**
+     * Get node by ID
+     */
+    getNode(nodeId: string): SyncNode | undefined;
+    /**
+     * Get online nodes
+     */
+    getOnlineNodes(): SyncNode[];
+    /**
+     * Get nodes by capability
+     */
+    getNodesByCapability(capability: string): SyncNode[];
+    /**
+     * Get sync session
+     */
+    getSyncSession(sessionId: string): SyncSession | undefined;
+    /**
+     * Get all sync sessions
+     */
+    getAllSyncSessions(): SyncSession[];
+    /**
+     * Get active sync sessions
+     */
+    getActiveSyncSessions(): SyncSession[];
+    /**
+     * Get sessions for a node
+     */
+    getSessionsForNode(nodeId: string): SyncSession[];
+    /**
+     * Get sync statistics
+     */
+    getStatistics(): {
+        totalNodes: number;
+        onlineNodes: number;
+        offlineNodes: number;
+        totalSessions: number;
+        activeSessions: number;
+        completedSessions: number;
+        failedSessions: number;
+        successRate: number;
+        totalItemsSynced: number;
+        totalConflicts: number;
+        averageConflictsPerSession: number;
+    };
+    /**
+     * Get sync events
+     */
+    getSyncEvents(limit?: number): SyncEvent[];
+    /**
+     * Get sync events for session
+     */
+    getSessionEvents(sessionId: string): SyncEvent[];
+    /**
+     * Check node health
+     */
+    getNodeHealth(): Record<string, {
+        isHealthy: boolean;
+        downtime: number;
+    }>;
+    /**
+     * Start heartbeat monitoring
+     */
+    startHeartbeatMonitoring(interval?: number): void;
+    /**
+     * Stop heartbeat monitoring
+     */
+    stopHeartbeatMonitoring(): void;
+    /**
+     * Clear all state (for testing)
+     */
+    clear(): void;
+    /**
+     * Get the crypto provider (for advanced usage)
+     */
+    getCryptoProvider(): ICryptoProvider | null;
+}
+
+/**
+ * Replication Manager
+ *
+ * Manages data replication across multiple nodes.
+ * Handles replication policies, consistency levels, and replica coordination.
+ *
+ * Features:
+ * - Replica set management
+ * - Replication policy enforcement
+ * - Consistency level tracking
+ * - Replication health monitoring
+ * - Replica synchronization coordination
+ * - End-to-end encryption for replicated data
+ * - DID-based replica authentication
+ */
+
+interface Replica {
+    id: string;
+    nodeId: string;
+    status: 'primary' | 'secondary' | 'syncing' | 'failed';
+    lastSyncTime: string;
+    lagBytes: number;
+    lagMillis: number;
+    did?: string;
+    encrypted?: boolean;
+}
+interface ReplicationPolicy {
+    id: string;
+    name: string;
+    replicationFactor: number;
+    consistencyLevel: 'eventual' | 'read-after-write' | 'strong';
+    syncInterval: number;
+    maxReplicationLag: number;
+    encryptionMode?: AeonEncryptionMode;
+    requiredCapabilities?: string[];
+}
+interface ReplicationEvent {
+    type: 'replica-added' | 'replica-removed' | 'replica-synced' | 'sync-failed';
+    replicaId: string;
+    nodeId: string;
+    timestamp: string;
+    details?: unknown;
+}
+/**
+ * Encrypted replication data envelope
+ */
+interface EncryptedReplicationData {
+    /** Encrypted ciphertext (base64) */
+    ct: string;
+    /** Initialization vector (base64) */
+    iv: string;
+    /** Authentication tag (base64) */
+    tag: string;
+    /** Ephemeral public key for ECIES */
+    epk?: JsonWebKey;
+    /** Sender DID */
+    senderDID?: string;
+    /** Target replica DID */
+    targetDID?: string;
+    /** Encryption timestamp */
+    encryptedAt: number;
+}
+/**
+ * Replication Manager
+ * Manages data replication across distributed nodes
+ */
+declare class ReplicationManager {
+    private replicas;
+    private policies;
+    private replicationEvents;
+    private syncStatus;
+    private cryptoProvider;
+    private replicasByDID;
+    /**
+     * Configure cryptographic provider for encrypted replication
+     */
+    configureCrypto(provider: ICryptoProvider): void;
+    /**
+     * Check if crypto is configured
+     */
+    isCryptoEnabled(): boolean;
+    /**
+     * Register an authenticated replica with DID
+     */
+    registerAuthenticatedReplica(replica: Omit<Replica, 'did' | 'encrypted'> & {
+        did: string;
+        publicSigningKey?: JsonWebKey;
+        publicEncryptionKey?: JsonWebKey;
+    }, encrypted?: boolean): Promise<Replica>;
+    /**
+     * Get replica by DID
+     */
+    getReplicaByDID(did: string): Replica | undefined;
+    /**
+     * Get all encrypted replicas
+     */
+    getEncryptedReplicas(): Replica[];
+    /**
+     * Encrypt data for replication to a specific replica
+     */
+    encryptForReplica(data: unknown, targetReplicaDID: string): Promise<EncryptedReplicationData>;
+    /**
+     * Decrypt data received from replication
+     */
+    decryptReplicationData<T>(encrypted: EncryptedReplicationData): Promise<T>;
+    /**
+     * Create an encrypted replication policy
+     */
+    createEncryptedPolicy(name: string, replicationFactor: number, consistencyLevel: 'eventual' | 'read-after-write' | 'strong', encryptionMode: AeonEncryptionMode, options?: {
+        syncInterval?: number;
+        maxReplicationLag?: number;
+        requiredCapabilities?: string[];
+    }): ReplicationPolicy;
+    /**
+     * Verify a replica's capabilities via UCAN
+     */
+    verifyReplicaCapabilities(replicaDID: string, token: string, policyId?: string): Promise<{
+        authorized: boolean;
+        error?: string;
+    }>;
+    /**
+     * Register a replica
+     */
+    registerReplica(replica: Replica): void;
+    /**
+     * Remove a replica
+     */
+    removeReplica(replicaId: string): void;
+    /**
+     * Create a replication policy
+     */
+    createPolicy(name: string, replicationFactor: number, consistencyLevel: 'eventual' | 'read-after-write' | 'strong', syncInterval?: number, maxReplicationLag?: number): ReplicationPolicy;
+    /**
+     * Update replica status
+     */
+    updateReplicaStatus(replicaId: string, status: Replica['status'], lagBytes?: number, lagMillis?: number): void;
+    /**
+     * Get replicas for node
+     */
+    getReplicasForNode(nodeId: string): Replica[];
+    /**
+     * Get healthy replicas
+     */
+    getHealthyReplicas(): Replica[];
+    /**
+     * Get syncing replicas
+     */
+    getSyncingReplicas(): Replica[];
+    /**
+     * Get failed replicas
+     */
+    getFailedReplicas(): Replica[];
+    /**
+     * Check replication health for policy
+     */
+    checkReplicationHealth(policyId: string): {
+        healthy: boolean;
+        replicasInPolicy: number;
+        healthyReplicas: number;
+        replicationLag: number;
+    };
+    /**
+     * Get consistency level
+     */
+    getConsistencyLevel(policyId: string): 'eventual' | 'read-after-write' | 'strong';
+    /**
+     * Get replica
+     */
+    getReplica(replicaId: string): Replica | undefined;
+    /**
+     * Get all replicas
+     */
+    getAllReplicas(): Replica[];
+    /**
+     * Get policy
+     */
+    getPolicy(policyId: string): ReplicationPolicy | undefined;
+    /**
+     * Get all policies
+     */
+    getAllPolicies(): ReplicationPolicy[];
+    /**
+     * Get replication statistics
+     */
+    getStatistics(): {
+        totalReplicas: number;
+        healthyReplicas: number;
+        syncingReplicas: number;
+        failedReplicas: number;
+        healthiness: number;
+        averageReplicationLagMs: number;
+        maxReplicationLagMs: number;
+        totalPolicies: number;
+    };
+    /**
+     * Get replication events
+     */
+    getReplicationEvents(limit?: number): ReplicationEvent[];
+    /**
+     * Get sync status for node
+     */
+    getSyncStatus(nodeId: string): {
+        synced: number;
+        failed: number;
+    };
+    /**
+     * Get replication lag distribution
+     */
+    getReplicationLagDistribution(): Record<string, number>;
+    /**
+     * Check if can satisfy consistency level
+     */
+    canSatisfyConsistency(policyId: string, _requiredAcks: number): boolean;
+    /**
+     * Clear all state (for testing)
+     */
+    clear(): void;
+    /**
+     * Get the crypto provider (for advanced usage)
+     */
+    getCryptoProvider(): ICryptoProvider | null;
+}
+
+/**
+ * Sync Protocol
+ *
+ * Handles synchronization protocol messages and handshaking.
+ * Manages message serialization, protocol versioning, and compatibility.
+ *
+ * Features:
+ * - Message serialization and deserialization
+ * - Protocol version management
+ * - Handshake handling
+ * - Message validation and error handling
+ * - Protocol state machine
+ * - Optional cryptographic authentication and encryption
+ */
+
+interface SyncMessage {
+    type: 'handshake' | 'sync-request' | 'sync-response' | 'ack' | 'error';
+    version: string;
+    sender: string;
+    receiver: string;
+    messageId: string;
+    timestamp: string;
+    payload?: unknown;
+    auth?: AuthenticatedMessageFields;
+}
+interface Handshake {
+    protocolVersion: string;
+    nodeId: string;
+    capabilities: string[];
+    state: 'initiating' | 'responding' | 'completed';
+    did?: string;
+    publicSigningKey?: JsonWebKey;
+    publicEncryptionKey?: JsonWebKey;
+    ucan?: string;
+}
+/**
+ * Crypto configuration for sync protocol
+ */
+interface SyncProtocolCryptoConfig {
+    /** Encryption mode for messages */
+    encryptionMode: AeonEncryptionMode;
+    /** Require all messages to be signed */
+    requireSignatures: boolean;
+    /** Require UCAN capability verification */
+    requireCapabilities: boolean;
+    /** Required capabilities for sync operations */
+    requiredCapabilities?: Array<{
+        can: string;
+        with: string;
+    }>;
+}
+interface SyncRequest {
+    sessionId: string;
+    fromVersion: string;
+    toVersion: string;
+    filter?: Record<string, unknown>;
+}
+interface SyncResponse {
+    sessionId: string;
+    fromVersion: string;
+    toVersion: string;
+    data: unknown[];
+    hasMore: boolean;
+    offset: number;
+}
+interface ProtocolError {
+    code: string;
+    message: string;
+    recoverable: boolean;
+}
+/**
+ * Sync Protocol
+ * Handles synchronization protocol messages and handshaking
+ */
+declare class SyncProtocol {
+    private version;
+    private messageQueue;
+    private messageMap;
+    private handshakes;
+    private protocolErrors;
+    private messageCounter;
+    private cryptoProvider;
+    private cryptoConfig;
+    /**
+     * Configure cryptographic provider for authenticated/encrypted messages
+     */
+    configureCrypto(provider: ICryptoProvider, config?: Partial<SyncProtocolCryptoConfig>): void;
+    /**
+     * Check if crypto is configured
+     */
+    isCryptoEnabled(): boolean;
+    /**
+     * Get crypto configuration
+     */
+    getCryptoConfig(): SyncProtocolCryptoConfig | null;
+    /**
+     * Get protocol version
+     */
+    getVersion(): string;
+    /**
+     * Create authenticated handshake message with DID and keys
+     */
+    createAuthenticatedHandshake(capabilities: string[], targetDID?: string): Promise<SyncMessage>;
+    /**
+     * Verify and process an authenticated handshake
+     */
+    verifyAuthenticatedHandshake(message: SyncMessage): Promise<{
+        valid: boolean;
+        handshake?: Handshake;
+        error?: string;
+    }>;
+    /**
+     * Sign and optionally encrypt a message payload
+     */
+    signMessage<T>(message: SyncMessage, payload: T, encrypt?: boolean): Promise<SyncMessage>;
+    /**
+     * Verify signature and optionally decrypt a message
+     */
+    verifyMessage<T>(message: SyncMessage): Promise<{
+        valid: boolean;
+        payload?: T;
+        error?: string;
+    }>;
+    /**
+     * Create handshake message
+     */
+    createHandshakeMessage(nodeId: string, capabilities: string[]): SyncMessage;
+    /**
+     * Create sync request message
+     */
+    createSyncRequestMessage(sender: string, receiver: string, sessionId: string, fromVersion: string, toVersion: string, filter?: Record<string, unknown>): SyncMessage;
+    /**
+     * Create sync response message
+     */
+    createSyncResponseMessage(sender: string, receiver: string, sessionId: string, fromVersion: string, toVersion: string, data: unknown[], hasMore?: boolean, offset?: number): SyncMessage;
+    /**
+     * Create acknowledgement message
+     */
+    createAckMessage(sender: string, receiver: string, messageId: string): SyncMessage;
+    /**
+     * Create error message
+     */
+    createErrorMessage(sender: string, receiver: string, error: ProtocolError, relatedMessageId?: string): SyncMessage;
+    /**
+     * Validate message
+     */
+    validateMessage(message: SyncMessage): {
+        valid: boolean;
+        errors: string[];
+    };
+    /**
+     * Serialize message
+     */
+    serializeMessage(message: SyncMessage): string;
+    /**
+     * Deserialize message
+     */
+    deserializeMessage(data: string): SyncMessage;
+    /**
+     * Process handshake
+     */
+    processHandshake(message: SyncMessage): Handshake;
+    /**
+     * Get message
+     */
+    getMessage(messageId: string): SyncMessage | undefined;
+    /**
+     * Get all messages
+     */
+    getAllMessages(): SyncMessage[];
+    /**
+     * Get messages by type
+     */
+    getMessagesByType(type: SyncMessage['type']): SyncMessage[];
+    /**
+     * Get messages from sender
+     */
+    getMessagesFromSender(sender: string): SyncMessage[];
+    /**
+     * Get pending messages
+     */
+    getPendingMessages(receiver: string): SyncMessage[];
+    /**
+     * Get handshakes
+     */
+    getHandshakes(): Map<string, Handshake>;
+    /**
+     * Get protocol statistics
+     */
+    getStatistics(): {
+        totalMessages: number;
+        messagesByType: Record<string, number>;
+        totalHandshakes: number;
+        totalErrors: number;
+        recoverableErrors: number;
+        unrecoverableErrors: number;
+    };
+    /**
+     * Get protocol errors
+     */
+    getErrors(): Array<{
+        error: ProtocolError;
+        timestamp: string;
+    }>;
+    /**
+     * Generate message ID
+     */
+    private generateMessageId;
+    /**
+     * Clear all state (for testing)
+     */
+    clear(): void;
+    /**
+     * Get the crypto provider (for advanced usage)
+     */
+    getCryptoProvider(): ICryptoProvider | null;
+}
+
+/**
+ * State Reconciler
+ *
+ * Reconciles conflicting state across multiple nodes in a distributed system.
+ * Applies merge strategies and resolves divergent state.
+ *
+ * Features:
+ * - State comparison and diff generation
+ * - Multiple merge strategies (last-write-wins, vector-clock based, custom)
+ * - Conflict detection and resolution
+ * - State validation and verification
+ * - Version tracking
+ * - Cryptographic verification of state versions
+ * - Signed state for tamper detection
+ */
+
+interface StateVersion {
+    version: string;
+    timestamp: string;
+    nodeId: string;
+    hash: string;
+    data: unknown;
+    signerDID?: string;
+    signature?: string;
+    signedAt?: number;
+}
+interface StateDiff {
+    added: Record<string, unknown>;
+    modified: Record<string, {
+        old: unknown;
+        new: unknown;
+    }>;
+    removed: string[];
+    timestamp: string;
+}
+interface ReconciliationResult {
+    success: boolean;
+    mergedState: unknown;
+    conflictsResolved: number;
+    strategy: string;
+    timestamp: string;
+}
+type MergeStrategy = 'last-write-wins' | 'vector-clock' | 'majority-vote' | 'custom';
+/**
+ * State Reconciler
+ * Reconciles state conflicts across distributed nodes
+ */
+declare class StateReconciler {
+    private stateVersions;
+    private reconciliationHistory;
+    private cryptoProvider;
+    private requireSignedVersions;
+    /**
+     * Configure cryptographic provider for signed state versions
+     */
+    configureCrypto(provider: ICryptoProvider, requireSigned?: boolean): void;
+    /**
+     * Check if crypto is configured
+     */
+    isCryptoEnabled(): boolean;
+    /**
+     * Record a signed state version with cryptographic verification
+     */
+    recordSignedStateVersion(key: string, version: string, data: unknown): Promise<StateVersion>;
+    /**
+     * Verify a state version's signature
+     */
+    verifyStateVersion(version: StateVersion): Promise<{
+        valid: boolean;
+        error?: string;
+    }>;
+    /**
+     * Reconcile with verification - only accept verified versions
+     */
+    reconcileWithVerification(key: string, strategy?: MergeStrategy): Promise<ReconciliationResult & {
+        verificationErrors: string[];
+    }>;
+    /**
+     * Record a state version
+     */
+    recordStateVersion(key: string, version: string, timestamp: string, nodeId: string, hash: string, data: unknown): void;
+    /**
+     * Detect conflicts in state versions
+     */
+    detectConflicts(key: string): boolean;
+    /**
+     * Compare two states and generate diff
+     */
+    compareStates(state1: Record<string, unknown>, state2: Record<string, unknown>): StateDiff;
+    /**
+     * Reconcile states using last-write-wins strategy
+     */
+    reconcileLastWriteWins(versions: StateVersion[]): ReconciliationResult;
+    /**
+     * Reconcile states using vector clock strategy
+     */
+    reconcileVectorClock(versions: StateVersion[]): ReconciliationResult;
+    /**
+     * Reconcile states using majority vote strategy
+     */
+    reconcileMajorityVote(versions: StateVersion[]): ReconciliationResult;
+    /**
+     * Merge multiple states
+     */
+    mergeStates(states: Record<string, unknown>[]): unknown;
+    /**
+     * Validate state after reconciliation
+     */
+    validateState(state: unknown): {
+        valid: boolean;
+        errors: string[];
+    };
+    /**
+     * Get state versions for a key
+     */
+    getStateVersions(key: string): StateVersion[];
+    /**
+     * Get all state versions
+     */
+    getAllStateVersions(): Record<string, StateVersion[]>;
+    /**
+     * Get reconciliation history
+     */
+    getReconciliationHistory(): ReconciliationResult[];
+    /**
+     * Get reconciliation statistics
+     */
+    getStatistics(): {
+        totalReconciliations: number;
+        successfulReconciliations: number;
+        totalConflictsResolved: number;
+        averageConflictsPerReconciliation: number;
+        strategyUsage: Record<string, number>;
+        trackedKeys: number;
+    };
+    /**
+     * Clear all state (for testing)
+     */
+    clear(): void;
+    /**
+     * Get the crypto provider (for advanced usage)
+     */
+    getCryptoProvider(): ICryptoProvider | null;
+}
+
+export { AEON_CAPABILITIES as A, type SyncRequest as B, type Capability as C, DEFAULT_CRYPTO_CONFIG as D, type ECKeyPair as E, type SyncResponse as F, type SyncSession as G, type Handshake as H, type ICryptoProvider as I, type UCANToken as J, type KeyPair as K, type MergeStrategy as M, NullCryptoProvider as N, type ProtocolError as P, type ReconciliationResult as R, type SecureNodeInfo as S, type UCANPayload as U, type VerificationResult as V, type AeonCapability as a, type AeonCapabilityResult as b, type AeonCryptoConfig as c, type AeonEncryptionMode as d, type AuthenticatedMessageFields as e, type DID as f, type DecryptionResult as g, type DomainCategory as h, type EncryptedPayload as i, type EncryptionAlgorithm as j, type Identity as k, type Replica as l, type ReplicationEvent as m, ReplicationManager as n, type ReplicationPolicy as o, type SecureSyncSession as p, type SignedSyncData as q, type SigningAlgorithm as r, type StateDiff as s, StateReconciler as t, type StateVersion as u, SyncCoordinator as v, type SyncEvent as w, type SyncMessage as x, type SyncNode as y, SyncProtocol as z };