@astrasyncai/verification-gateway 2.3.10 → 2.4.0

package/README.md

@@ -1,18 +1,26 @@
 # @astrasyncai/verification-gateway
 
-Universal Verification Gateway for AstraSync KYA Platform - verify AI agents across any counterparty type.
+The AstraSync KYA Platform SDK. One package, two roles: register agents with the KYA backend, and verify agents at any counterparty type (API / MCP / website / agent-to-agent).
 
-## Which package do I install?
+## What's in this package?
 
-AstraSync ships two npm packages with deliberately distinct roles. Pick by who you are, not by what you're building:
+As of v2.4.0 this is the only npm package you need for AstraSync integration. Pick the subpath that matches what you're doing:
 
-| You are…                                                                                      | Install                                                       | Use it for                                                                                                               |
-| --------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ |
-| **A merchant / counterparty** running an API, MCP server, or website that AI agents call into | `@astrasyncai/verification-gateway` (this package)            | Verifying inbound agents before they hit your endpoint. Express + Next.js middleware, Commerce Shield, webhook verifier. |
-| **An agent author** building an AI agent that calls out to other people's services            | `@astrasyncai/sdk` (the agent-side SDK on npm, separate repo) | Registering your agent with AstraSync, attaching credentials to outbound HTTP / MCP / A2A calls, KYD onboarding.         |
-| **A platform / orchestrator** doing both ends in one place                                    | Both                                                          | The two roles compose: each side's flow is independent.                                                                  |
+| If you're…                                                                                | Import from                                      | Get                                                                                           |
+| ----------------------------------------------------------------------------------------- | ------------------------------------------------ | --------------------------------------------------------------------------------------------- |
+| **Registering an agent with the KYA backend**                                             | `@astrasyncai/verification-gateway/registration` | `AstraSync` class — `register()`, `verify()`, `health()`. The `astrasync` CLI is bundled too. |
+| **Building an agent that calls out to other services** (per-request credential injection) | `@astrasyncai/verification-gateway/agent`        | `AgentClient`, `ChallengeHandler`, ownership validation, runtime PDLSS shape.                 |
+| **Running an Express API that AI agents call into**                                       | `@astrasyncai/verification-gateway/express`      | `createMiddleware()` — protect routes, attach verification context.                           |
+| **Running a Next.js app that AI agents call into**                                        | `@astrasyncai/verification-gateway/nextjs`       | `createMiddleware()`, Commerce Shield wiring.                                                 |
+| **Running an MCP server that AI agents call into**                                        | `@astrasyncai/verification-gateway/mcp`          | MCP tool gates + inner-hop dedupe headers.                                                    |
+| **Doing direct verification (no framework)**                                              | `@astrasyncai/verification-gateway/sdk`          | `VerificationGatewayClient` with retry / backoff / timeout.                                   |
+| **Parsing protocol-level credentials** (HTTP / A2A / MCP / x402 / AP2 / MPP)              | `@astrasyncai/verification-gateway/transport`    | Cross-protocol credential extraction + injection.                                             |
+| **Evaluating PDLSS offline** (local / hybrid mode)                                        | `@astrasyncai/verification-gateway/gateway`      | `AstraSyncGateway` (online / local / hybrid).                                                 |
+| **Receiving webhook callbacks**                                                           | `@astrasyncai/verification-gateway/webhooks`     | `verifyAstraSyncWebhook()`, `signAstraSyncWebhook()`.                                         |
 
-> Both packages talk to the same backend — `POST /agents/verify-access`. The contract is shared; the role is just which side you're sitting on.
+> All subpaths talk to the same backend — `POST /agents/verify-access` for verification, `POST /agents/register` for registration. The contract is shared; the role is just which side of the handshake you're sitting on.
+
+Before v2.4.0 the agent-registration half shipped as a separate package (`@astrasyncai/agent-registration`, briefly; `@astrasyncai/sdk` before that). It was merged in to stop the two-package version drift and to give partners one install instead of two. The legacy `@astrasyncai/sdk` package on npm is deprecated with a pointer to this package; `@astrasyncai/agent-registration` was never published.
 
 ## Overview
 
@@ -95,6 +103,53 @@ if (result.verified && result.accessLevel !== 'none') {
 }
 ```
 
+### Agent Registration
+
+Register an AI agent with the KYA backend in code (the `astrasync` CLI does the same thing from a shell).
+
+```typescript
+import { AstraSync } from '@astrasyncai/verification-gateway/registration';
+
+const astrasync = new AstraSync({
+  apiKey: process.env.ASTRASYNC_API_KEY, // or { email, password }
+  // Optional: privateKey for secp256k1 request signing
+  privateKey: process.env.ASTRASYNC_PRIVATE_KEY,
+});
+
+const result = await astrasync.register({
+  name: 'invoice-bot',
+  description: 'Reconciles AP/AR across accounting systems.',
+  agentType: 'autonomous',
+  model: { modelProvider: 'anthropic', modelName: 'claude-sonnet-4-5' },
+  framework: { frameworkName: 'langchain', frameworkVersion: '0.3.0' },
+  protocols: ['a2a', 'mcp'],
+  pdlss: {
+    purpose: { allowed: ['accounting.read', 'accounting.write'] },
+    duration: { requested: 'P30D' },
+    limits: { transactionValue: 5000, currency: 'USD' },
+    scope: { resources: ['xero.invoices', 'quickbooks.bills'] },
+    selfInstantiation: { allowed: false },
+  },
+});
+
+console.log(`Agent registered: ${result.agent.astraId}`);
+console.log(`Trust score: ${result.agent.trustScore}`); // dynamic; recomputed on every verify-access call
+```
+
+CLI equivalent — same surface from a shell, also via `npx`:
+
+```bash
+npx astrasync register --name invoice-bot --agent-type autonomous \
+  --model-provider anthropic --model-name claude-sonnet-4-5 \
+  --framework-name langchain --framework-version 0.3.0 \
+  --protocols a2a,mcp \
+  --pdlss '{"purpose":{"allowed":["accounting.read","accounting.write"]}, ...}'
+```
+
+> `/registration` is for **one-shot onboarding** — register an agent, look up its public profile, check API health. For **per-request credential injection** (attaching ASTRA-id, sessionId, PDLSS to outgoing HTTP / A2A / MCP calls from an already-registered agent), use `/agent` (`AgentClient`). The two roles are deliberately separate concerns: registration is identity, `/agent` is runtime.
+
+> A `PDLSSConfig` type exists in both `/registration` and `/agent`, with **different shapes**. `/registration`'s `PDLSSConfig` is the boundary declaration submitted at register time; `/agent`'s `PDLSSConfig` is the per-request runtime request shape. Disambiguate via the import path — the root export deliberately does not re-export either.
+
 ### Inner-hop verification (MCP → REST dedupe with X-Astra-Verified-Hop)
 
 When an MCP tool calls an inner REST endpoint that ALSO runs the

package/dist/bin/astrasync.js

@@ -0,0 +1,348 @@
+#!/usr/bin/env node
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+
+// src/registration/errors.ts
+var AstraSyncError = class extends Error {
+  constructor(message, statusCode, code) {
+    super(message);
+    this.name = "AstraSyncError";
+    this.statusCode = statusCode;
+    this.code = code;
+  }
+};
+var KYDRequiredError = class extends AstraSyncError {
+  constructor(response) {
+    const kydUrl = response.kydUrl || "https://astrasync.ai/developer-profile";
+    super(
+      `KYD verification required before registering agents.
+Complete your KYD profile at: ${kydUrl}`,
+      403,
+      "KYD_REQUIRED"
+    );
+    this.name = "KYDRequiredError";
+    this.kydUrl = kydUrl;
+    this.ownerNotified = response.ownerNotified || false;
+  }
+};
+var AuthenticationError = class extends AstraSyncError {
+  constructor(message) {
+    super(message, 401, "AUTH_FAILED");
+    this.name = "AuthenticationError";
+  }
+};
+
+// src/registration/api.ts
+var DEFAULT_BASE_URL = "https://astrasync.ai";
+var AstraSync = class {
+  constructor(config = {}) {
+    this.baseUrl = (config.baseUrl || process.env.ASTRASYNC_API_URL || DEFAULT_BASE_URL).replace(
+      /\/+$/,
+      ""
+    );
+    this.apiKey = config.apiKey || process.env.ASTRASYNC_API_KEY;
+    this.email = config.email;
+    this.password = config.password;
+    this.privateKey = config.privateKey;
+    if (!this.apiKey && !this.email) {
+      throw new AuthenticationError(
+        "Authentication required. Provide apiKey, or email+password. Set ASTRASYNC_API_KEY env var or pass config to constructor."
+      );
+    }
+    if (this.email && !this.password) {
+      throw new AuthenticationError("Password is required when using email authentication.");
+    }
+  }
+  /**
+   * Register a new AI agent on the AstraSync KYA Platform.
+   * Sends full payload including model, framework, PDLSS, and metadata.
+   */
+  async register(options) {
+    const body = {
+      name: options.name,
+      ...options.description && { description: options.description },
+      ...options.agentType && { agentType: options.agentType },
+      ...options.apiEndpoint && { apiEndpoint: options.apiEndpoint },
+      ...options.model && { model: options.model },
+      ...options.framework && { framework: options.framework },
+      ...options.protocols && { protocols: options.protocols },
+      ...options.metadata && { metadata: options.metadata },
+      ...options.pdlss && { pdlss: options.pdlss }
+    };
+    return this.request("POST", "/api/agents/register", body);
+  }
+  /**
+   * Look up an agent's public profile by ASTRA ID or UUID.
+   */
+  async verify(agentId) {
+    return this.request("GET", `/api/agents/verify/${agentId}`);
+  }
+  /**
+   * Check API health.
+   */
+  async health() {
+    const res = await fetch(`${this.baseUrl}/api/health/`);
+    if (!res.ok) {
+      throw new AstraSyncError(`Health check failed: ${res.status}`, res.status);
+    }
+    return res.json();
+  }
+  // ── Private helpers ──────────────────────────────────────────────
+  async request(method, endpoint, body) {
+    const url = `${this.baseUrl}${endpoint}`;
+    const headers = {
+      "Content-Type": "application/json"
+    };
+    const token = await this.getAuthToken();
+    headers["Authorization"] = `Bearer ${token}`;
+    if (this.privateKey) {
+      const signature = await this.signRequest(method, endpoint, body || {});
+      headers["X-AstraSync-Signature"] = signature;
+    }
+    const res = await fetch(url, {
+      method,
+      headers,
+      ...body ? { body: JSON.stringify(body) } : {}
+    });
+    if (!res.ok) {
+      const errorBody = await res.json().catch(() => ({ error: res.statusText }));
+      if (res.status === 403 && errorBody.code === "KYD_REQUIRED") {
+        throw new KYDRequiredError(errorBody);
+      }
+      throw new AstraSyncError(
+        errorBody.error || `Request failed: ${res.status}`,
+        res.status,
+        errorBody.code
+      );
+    }
+    return res.json();
+  }
+  async getAuthToken() {
+    if (this.apiKey) {
+      return this.apiKey;
+    }
+    if (this.cachedJwt && this.jwtExpiresAt && Date.now() < this.jwtExpiresAt) {
+      return this.cachedJwt;
+    }
+    const res = await fetch(`${this.baseUrl}/api/auth/login`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ email: this.email, password: this.password })
+    });
+    if (!res.ok) {
+      const errorBody = await res.json().catch(() => ({}));
+      throw new AuthenticationError(
+        errorBody.message || errorBody.error || "Login failed"
+      );
+    }
+    const data = await res.json();
+    this.cachedJwt = data.data.token;
+    this.jwtExpiresAt = Date.now() + 6 * 24 * 60 * 60 * 1e3;
+    return this.cachedJwt;
+  }
+  /**
+   * Sign a request using secp256k1 (ethers.js).
+   * Canonical message format: METHOD:ENDPOINT:SORTED_JSON_BODY
+   * Must match apps/backend/src/services/signature-verify.service.ts exactly.
+   */
+  async signRequest(method, endpoint, body) {
+    const { Wallet } = await import("ethers");
+    const sorted = this.sortObjectKeys(body);
+    const canonical = `${method}:${endpoint}:${JSON.stringify(sorted)}`;
+    const wallet = new Wallet(this.privateKey);
+    return wallet.signMessage(canonical);
+  }
+  /** Recursively sort object keys for canonical JSON representation. */
+  sortObjectKeys(obj) {
+    if (obj === null || typeof obj !== "object") {
+      return obj;
+    }
+    if (Array.isArray(obj)) {
+      return obj.map((item) => this.sortObjectKeys(item));
+    }
+    const sorted = {};
+    for (const key of Object.keys(obj).sort()) {
+      sorted[key] = this.sortObjectKeys(obj[key]);
+    }
+    return sorted;
+  }
+};
+
+// src/bin/astrasync.ts
+function usage() {
+  console.log(`
+astrasync - AstraSync KYA Platform CLI
+
+USAGE:
+  astrasync [options] <command> [args]
+
+GLOBAL OPTIONS:
+  --api-key <key>       API key (kya_ prefixed). Also reads ASTRASYNC_API_KEY env.
+  --email <email>       Email for login auth
+  --password <pass>     Password for login auth
+  --private-key <key>   secp256k1 private key for crypto signing
+  --base-url <url>      API base URL (default: https://astrasync.ai; use https://staging.astrasync.ai for staging)
+  --help                Show this help message
+
+COMMANDS:
+  register              Register a new AI agent
+  verify <id>           Look up an agent by ASTRA ID or UUID
+  health                Check API health
+
+REGISTER OPTIONS:
+  --name <name>                 Agent name (required)
+  --description <desc>          Agent description
+  --agent-type <type>           Agent type (default: general)
+  --api-endpoint <url>          Agent API endpoint URL
+  --model-name <name>           LLM model name (e.g. claude-opus-4.6)
+  --model-provider <provider>   Model provider (e.g. anthropic, openai)
+  --model-type <type>           Model type (default: llm)
+  --framework-name <name>       Framework name (e.g. langchain, crewai)
+  --framework-version <ver>     Framework version
+
+EXAMPLES:
+  astrasync --api-key kya_xxx register --name "My Agent"
+  astrasync register --name "My Agent" --model-name gpt-4o --model-provider openai
+  astrasync verify ASTRA-abc123
+  astrasync health
+`);
+}
+function parseArgs(args) {
+  const globals = {};
+  const commandArgs = {};
+  let command = "";
+  let inCommand = false;
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    if (!inCommand && !arg.startsWith("--")) {
+      command = arg;
+      inCommand = true;
+      continue;
+    }
+    if (arg === "--help" || arg === "-h") {
+      globals["help"] = "true";
+      continue;
+    }
+    if (arg.startsWith("--")) {
+      const key = arg.slice(2);
+      const value = args[++i] || "";
+      if (inCommand) {
+        commandArgs[key] = value;
+      } else {
+        globals[key] = value;
+      }
+    }
+  }
+  return { globals, command, commandArgs };
+}
+async function main() {
+  const { globals, command, commandArgs } = parseArgs(process.argv.slice(2));
+  if (globals["help"] || !command) {
+    usage();
+    process.exit(command ? 0 : 1);
+  }
+  const config = {
+    apiKey: globals["api-key"],
+    email: globals["email"],
+    password: globals["password"],
+    privateKey: globals["private-key"],
+    baseUrl: globals["base-url"]
+  };
+  try {
+    if (command === "health") {
+      const client2 = new AstraSync({
+        apiKey: config.apiKey || "health-check",
+        baseUrl: config.baseUrl
+      });
+      const result = await client2.health();
+      console.log(JSON.stringify(result, null, 2));
+      return;
+    }
+    const client = new AstraSync({
+      apiKey: config.apiKey,
+      email: config.email,
+      password: config.password,
+      privateKey: config.privateKey,
+      baseUrl: config.baseUrl
+    });
+    if (command === "register") {
+      const name = commandArgs["name"];
+      if (!name) {
+        console.error("Error: --name is required for register command");
+        process.exit(1);
+      }
+      const options = {
+        name,
+        ...commandArgs["description"] && { description: commandArgs["description"] },
+        ...commandArgs["agent-type"] && { agentType: commandArgs["agent-type"] },
+        ...commandArgs["api-endpoint"] && { apiEndpoint: commandArgs["api-endpoint"] }
+      };
+      if (commandArgs["model-name"] && commandArgs["model-provider"]) {
+        options.model = {
+          modelName: commandArgs["model-name"],
+          modelProvider: commandArgs["model-provider"],
+          ...commandArgs["model-type"] && {
+            modelType: commandArgs["model-type"]
+          }
+        };
+      }
+      if (commandArgs["framework-name"] && commandArgs["framework-version"]) {
+        options.framework = {
+          frameworkName: commandArgs["framework-name"],
+          frameworkVersion: commandArgs["framework-version"]
+        };
+      }
+      const result = await client.register(options);
+      console.log(JSON.stringify(result, null, 2));
+    } else if (command === "verify") {
+      const agentId = commandArgs["id"] || process.argv[process.argv.length - 1];
+      if (!agentId || agentId.startsWith("--")) {
+        console.error("Error: agent ID is required for verify command");
+        process.exit(1);
+      }
+      const result = await client.verify(agentId);
+      console.log(JSON.stringify(result, null, 2));
+    } else {
+      console.error(`Unknown command: ${command}`);
+      usage();
+      process.exit(1);
+    }
+  } catch (error) {
+    if (error instanceof KYDRequiredError) {
+      console.error(`
+Error: ${error.message}`);
+      if (error.ownerNotified) {
+        console.error("A reminder email has been sent to your registered email address.");
+      }
+      process.exit(1);
+    }
+    if (error instanceof AstraSyncError) {
+      console.error(`
+Error [${error.code || error.statusCode}]: ${error.message}`);
+      process.exit(1);
+    }
+    throw error;
+  }
+}
+main();

package/dist/registration/index.d.mts

@@ -0,0 +1,218 @@
+/** Configuration for the AstraSync SDK client. */
+interface AstraSyncConfig {
+    /** API key (kya_ prefixed). Used as Bearer token. */
+    apiKey?: string;
+    /** Email for email+password authentication. */
+    email?: string;
+    /** Password for email+password authentication. */
+    password?: string;
+    /** secp256k1 private key for crypto signing. Used WITH apiKey or email+password. */
+    privateKey?: string;
+    /**
+     * Base URL for the AstraSync API.
+     * Defaults to ASTRASYNC_API_URL env or `https://astrasync.ai` (production).
+     * For staging, pass `https://staging.astrasync.ai`.
+     */
+    baseUrl?: string;
+}
+/**
+ * Multi-protocol declarations the agent participates in.
+ * Promoted from `metadata.protocols[]` to a first-class field in agent-registration v1.0.0.
+ */
+type AgentProtocol = 'a2a' | 'acp' | 'ap2' | 'ucp' | 'mpp' | 'x402' | 'erc8004' | 'vi' | 'agentpay' | 'tap' | 'other';
+/** PDLSS purpose configuration. */
+interface PDLSSPurpose {
+    categories: string[];
+    allowedActions?: string[];
+    deniedActions?: string[];
+}
+/** PDLSS duration configuration. */
+interface PDLSSDuration {
+    startTime?: string | null;
+    endTime?: string | null;
+    timezone?: string | null;
+    maxSessionDuration?: number | null;
+    ttl?: number | null;
+    allowedDays?: number[] | null;
+    allowedHours?: {
+        start: number;
+        end: number;
+    } | null;
+}
+/** PDLSS limits configuration. */
+interface PDLSSLimits {
+    autonomousThreshold?: number | null;
+    stepUpThreshold?: number | null;
+    approvalThreshold?: number | null;
+    maxTransactionsPerDay?: number | null;
+    maxTransactionsPerHour?: number | null;
+    maxTotalValue?: number | null;
+    currency?: string;
+}
+/** PDLSS scope configuration. */
+interface PDLSSScope {
+    resources?: string[];
+    resourceTypes?: string[];
+    jurisdictions?: string[];
+    excludedResources?: string[];
+    counterparties?: string[];
+    excludedCounterparties?: string[];
+}
+/** PDLSS self-instantiation configuration. */
+interface PDLSSSelfInstantiation {
+    allowed: boolean;
+    maxSubAgents?: number | null;
+    inheritPermissions?: boolean | null;
+    allowedPurposes?: string[] | null;
+    requireApproval?: boolean | null;
+    maxDepth?: number | null;
+}
+/** Full PDLSS configuration. */
+interface PDLSSConfig {
+    purpose: PDLSSPurpose;
+    duration?: PDLSSDuration;
+    limits?: PDLSSLimits;
+    scope?: PDLSSScope;
+    selfInstantiation?: PDLSSSelfInstantiation;
+}
+/** Model metadata for registration. */
+interface ModelConfig {
+    modelName: string;
+    modelProvider: string;
+    modelType?: 'llm' | 'embedding' | 'image' | 'audio' | 'multimodal' | 'code' | 'other';
+    contextWindow?: number;
+    maxTokens?: number;
+}
+/** Framework metadata for registration. */
+interface FrameworkConfig {
+    frameworkName: string;
+    frameworkVersion: string;
+}
+/** Options for agent registration. */
+interface RegisterOptions {
+    name: string;
+    description?: string;
+    agentType?: string;
+    apiEndpoint?: string;
+    model?: ModelConfig;
+    framework?: FrameworkConfig;
+    /** Multi-protocol declarations (e.g. ['acp', 'ap2', 'a2a']). First-class as of v1.0.0. */
+    protocols?: AgentProtocol[];
+    metadata?: Record<string, unknown>;
+    pdlss?: PDLSSConfig;
+}
+/** Response from agent registration. */
+interface RegistrationResponse {
+    success: boolean;
+    message: string;
+    data: {
+        agent: AgentRecord;
+    };
+}
+/** Agent record from the API. */
+interface AgentRecord {
+    kyaAgentId: string;
+    name: string;
+    description?: string;
+    agentType: string;
+    agentStatus: string;
+    trustScore: number;
+    astrasyncIdLevel1?: string | null;
+    tempId?: string | null;
+    metadata?: Record<string, unknown>;
+    createdAt: string;
+    updatedAt: string;
+}
+/** Public agent verification response. */
+interface VerifyResponse {
+    success: boolean;
+    data: {
+        agentUuid: string;
+        agentName: string;
+        agentDescription: string;
+        agentTrustScore: number;
+        agentStatus: string;
+        ownerName?: string;
+    };
+}
+/** Health check response. */
+interface HealthResponse {
+    status: string;
+    service: string;
+    version: string;
+}
+/** Error response from the API. */
+interface ApiErrorResponse {
+    success: false;
+    error: string;
+    code?: string;
+    kydUrl?: string;
+    ownerNotified?: boolean;
+}
+
+/**
+ * AstraSync SDK client for registering and managing AI agents.
+ *
+ * @example
+ * ```typescript
+ * const client = new AstraSync({ apiKey: 'kya_your_api_key' });
+ * const result = await client.register({
+ *   name: 'My Agent',
+ *   model: { modelName: 'gpt-4o', modelProvider: 'openai', modelType: 'llm' },
+ * });
+ * ```
+ *
+ * For staging, pass `baseUrl: 'https://staging.astrasync.ai'`.
+ */
+declare class AstraSync {
+    private readonly baseUrl;
+    private readonly apiKey?;
+    private readonly email?;
+    private readonly password?;
+    private readonly privateKey?;
+    private cachedJwt?;
+    private jwtExpiresAt?;
+    constructor(config?: AstraSyncConfig);
+    /**
+     * Register a new AI agent on the AstraSync KYA Platform.
+     * Sends full payload including model, framework, PDLSS, and metadata.
+     */
+    register(options: RegisterOptions): Promise<RegistrationResponse>;
+    /**
+     * Look up an agent's public profile by ASTRA ID or UUID.
+     */
+    verify(agentId: string): Promise<VerifyResponse>;
+    /**
+     * Check API health.
+     */
+    health(): Promise<HealthResponse>;
+    private request;
+    private getAuthToken;
+    /**
+     * Sign a request using secp256k1 (ethers.js).
+     * Canonical message format: METHOD:ENDPOINT:SORTED_JSON_BODY
+     * Must match apps/backend/src/services/signature-verify.service.ts exactly.
+     */
+    private signRequest;
+    /** Recursively sort object keys for canonical JSON representation. */
+    private sortObjectKeys;
+}
+
+/** Base error class for AstraSync SDK errors. */
+declare class AstraSyncError extends Error {
+    readonly code?: string;
+    readonly statusCode: number;
+    constructor(message: string, statusCode: number, code?: string);
+}
+/** Thrown when KYD verification is required before agent registration. */
+declare class KYDRequiredError extends AstraSyncError {
+    readonly kydUrl: string;
+    readonly ownerNotified: boolean;
+    constructor(response: ApiErrorResponse);
+}
+/** Thrown when authentication fails. */
+declare class AuthenticationError extends AstraSyncError {
+    constructor(message: string);
+}
+
+export { type AgentProtocol, type AgentRecord, AstraSync, type AstraSyncConfig, AstraSyncError, AuthenticationError, type FrameworkConfig, type HealthResponse, KYDRequiredError, type ModelConfig, type PDLSSConfig, type PDLSSDuration, type PDLSSLimits, type PDLSSPurpose, type PDLSSScope, type PDLSSSelfInstantiation, type RegisterOptions, type RegistrationResponse, type VerifyResponse };