@efsf/typescript 0.1.0

package/dist/index.d.mts

@@ -0,0 +1,990 @@
+/**
+ * EFSF Destruction Certificates
+ *
+ * Provides cryptographically signed proof of data destruction
+ * for compliance and audit purposes (GDPR, CCPA, HIPAA, SOX).
+ */
+/**
+ * Methods used to destroy data.
+ */
+declare enum DestructionMethod {
+    /** Encryption key destroyed, data unrecoverable */
+    CRYPTO_SHRED = "crypto_shred",
+    /** Memory overwritten with zeros */
+    MEMORY_ZERO = "memory_zero",
+    /** Multiple overwrites (secure deletion) */
+    SECURE_DELETE = "secure_delete",
+    /** Trusted Execution Environment terminated */
+    TEE_EXIT = "tee_exit",
+    /** Storage TTL triggered automatic expiration */
+    TTL_EXPIRE = "ttl_expire",
+    /** Explicit deletion request */
+    MANUAL = "manual"
+}
+/**
+ * Serialized format for resource info.
+ */
+interface ResourceInfoData {
+    type: string;
+    id: string;
+    classification: string;
+    metadata: Record<string, unknown>;
+}
+/**
+ * Describes a resource that was destroyed.
+ */
+declare class ResourceInfo {
+    readonly resourceType: string;
+    readonly resourceId: string;
+    readonly classification: string;
+    readonly metadata: Record<string, unknown>;
+    constructor(resourceType: string, resourceId: string, classification: string, metadata?: Record<string, unknown>);
+    /**
+     * Convert to a plain object for serialization.
+     */
+    toDict(): ResourceInfoData;
+}
+/**
+ * An access event in the chain of custody.
+ */
+interface AccessEvent {
+    timestamp: string;
+    accessor: string;
+    action: string;
+}
+/**
+ * Serialized format for chain of custody.
+ */
+interface ChainOfCustodyData {
+    created_at: string;
+    created_by: string | null;
+    access_count: number;
+    hash_chain: string[];
+}
+/**
+ * Tracks the lifecycle of a resource with tamper-evident logging.
+ *
+ * The hash chain provides cryptographic proof that the access log
+ * has not been modified after the fact.
+ */
+declare class ChainOfCustody {
+    readonly createdAt: Date;
+    readonly createdBy: string | null;
+    readonly accessLog: AccessEvent[];
+    readonly hashChain: string[];
+    constructor(createdAt: Date, createdBy?: string | null);
+    /**
+     * Record an access event and extend the hash chain.
+     *
+     * @param accessor - Identity of the accessor
+     * @param action - Action performed (create, read, destroy, etc.)
+     * @param timestamp - Optional timestamp (defaults to now)
+     */
+    addAccess(accessor: string, action: string, timestamp?: Date): void;
+    /**
+     * Convert to a plain object for serialization.
+     * Returns only the last 5 hashes for brevity.
+     */
+    toDict(): ChainOfCustodyData;
+}
+/**
+ * Serialized format for destruction certificates.
+ */
+interface DestructionCertificateData {
+    version: string;
+    certificate_id: string;
+    resource: ResourceInfoData;
+    destruction: {
+        method: string;
+        timestamp: string;
+        verified_by: string;
+    };
+    chain_of_custody?: ChainOfCustodyData;
+    signature?: string;
+}
+/**
+ * Cryptographically signed proof of data destruction.
+ *
+ * Destruction certificates provide verifiable evidence for compliance
+ * with data protection regulations (GDPR Article 17, CCPA, HIPAA, SOX).
+ */
+declare class DestructionCertificate {
+    readonly certificateId: string;
+    readonly version: string;
+    readonly resource: ResourceInfo;
+    readonly destructionMethod: DestructionMethod;
+    readonly destructionTimestamp: Date;
+    verifiedBy: string;
+    readonly chainOfCustody: ChainOfCustody | null;
+    signature: string | null;
+    constructor(certificateId: string, version: string, resource: ResourceInfo, destructionMethod: DestructionMethod, destructionTimestamp: Date, verifiedBy: string, chainOfCustody?: ChainOfCustody | null, signature?: string | null);
+    /**
+     * Factory method to create a new destruction certificate.
+     *
+     * @param resource - The destroyed resource info
+     * @param destructionMethod - How the data was destroyed
+     * @param verifiedBy - Authority that verified the destruction
+     * @param chainOfCustody - Optional chain of custody
+     */
+    static create(resource: ResourceInfo, destructionMethod: DestructionMethod, verifiedBy?: string, chainOfCustody?: ChainOfCustody | null): DestructionCertificate;
+    /**
+     * Convert to a plain object for serialization.
+     *
+     * @param includeSignature - Whether to include the signature field
+     */
+    toDict(includeSignature?: boolean): DestructionCertificateData;
+    /**
+     * Convert to JSON string.
+     */
+    toJSON(indent?: number): string;
+    /**
+     * Get canonical byte representation for signing.
+     *
+     * Uses deterministic JSON serialization (sorted keys, no whitespace)
+     * to ensure consistent signatures.
+     */
+    canonicalBytes(): Buffer;
+    /**
+     * Compute SHA-256 hash of the certificate.
+     */
+    computeHash(): string;
+}
+/**
+ * Authority that issues and verifies destruction certificates.
+ *
+ * Uses Ed25519 digital signatures for non-repudiation.
+ */
+declare class AttestationAuthority {
+    readonly authorityId: string;
+    private readonly privateKey;
+    private readonly publicKey;
+    private readonly issuedCertificates;
+    /**
+     * Create a new AttestationAuthority.
+     *
+     * @param authorityId - Identifier for this authority
+     */
+    constructor(authorityId?: string);
+    /**
+     * Get the public key as raw bytes.
+     */
+    get publicKeyBytes(): Buffer;
+    /**
+     * Get the public key as base64-encoded string.
+     */
+    get publicKeyB64(): string;
+    /**
+     * Sign a destruction certificate.
+     *
+     * @param certificate - The certificate to sign
+     * @returns The signed certificate
+     */
+    signCertificate(certificate: DestructionCertificate): DestructionCertificate;
+    /**
+     * Verify a certificate's signature.
+     *
+     * @param certificate - The certificate to verify
+     * @returns true if the signature is valid
+     * @throws AttestationError if verification fails
+     */
+    verifyCertificate(certificate: DestructionCertificate): boolean;
+    /**
+     * Issue a new signed destruction certificate.
+     *
+     * @param resourceType - Type of resource (ephemeral_data, sealed_compute, etc.)
+     * @param resourceId - Unique identifier of the resource
+     * @param classification - Data classification level
+     * @param destructionMethod - How the data was destroyed
+     * @param chainOfCustody - Optional chain of custody
+     * @param metadata - Optional additional metadata
+     * @returns The signed certificate
+     */
+    issueCertificate(resourceType: string, resourceId: string, classification: string, destructionMethod: DestructionMethod, chainOfCustody?: ChainOfCustody | null, metadata?: Record<string, unknown>): DestructionCertificate;
+    /**
+     * Retrieve a previously issued certificate by ID.
+     *
+     * @param certificateId - The certificate ID
+     * @returns The certificate or null if not found
+     */
+    getCertificate(certificateId: string): DestructionCertificate | null;
+    /**
+     * List issued certificates with optional filtering.
+     *
+     * @param resourceId - Optional resource ID to filter by
+     * @param since - Optional date to filter certificates issued after
+     * @returns List of certificates sorted by destruction timestamp (newest first)
+     */
+    listCertificates(resourceId?: string, since?: Date): DestructionCertificate[];
+}
+
+/**
+ * EFSF Cryptographic Operations
+ *
+ * Provides encryption, decryption, and key management for ephemeral data.
+ * Uses AES-256-GCM for authenticated encryption via Node.js crypto module.
+ */
+/**
+ * Serialized format for encrypted payloads.
+ */
+interface EncryptedPayloadData {
+    ciphertext: string;
+    nonce: string;
+    key_id: string;
+    algorithm: string;
+}
+/**
+ * Container for encrypted data with all necessary decryption metadata.
+ */
+declare class EncryptedPayload {
+    readonly ciphertext: string;
+    readonly nonce: string;
+    readonly keyId: string;
+    readonly algorithm: string;
+    constructor(ciphertext: string, // base64 encoded (includes auth tag)
+    nonce: string, // base64 encoded
+    keyId: string, algorithm?: string);
+    /**
+     * Convert to a plain object for serialization.
+     */
+    toDict(): EncryptedPayloadData;
+    /**
+     * Reconstruct from serialized data.
+     */
+    static fromDict(data: EncryptedPayloadData): EncryptedPayload;
+}
+/**
+ * Data Encryption Key (DEK) with lifecycle tracking.
+ *
+ * Each DEK is tied to the TTL of the data it protects. When the DEK
+ * is destroyed (crypto-shredding), all data encrypted with it becomes
+ * permanently unrecoverable.
+ */
+declare class DataEncryptionKey {
+    readonly keyId: string;
+    private _keyMaterial;
+    readonly createdAt: Date;
+    readonly expiresAt: Date;
+    private _destroyed;
+    private _destroyedAt;
+    constructor(keyId: string, _keyMaterial: Buffer, createdAt: Date, expiresAt: Date);
+    /**
+     * Generate a new DEK with the specified TTL.
+     *
+     * @param ttlMs - Time-to-live in milliseconds
+     * @param keyId - Optional key identifier (auto-generated if not provided)
+     */
+    static generate(ttlMs: number, keyId?: string): DataEncryptionKey;
+    /**
+     * Get the key material for cryptographic operations.
+     * @throws CryptoError if the key has been destroyed
+     */
+    get keyMaterial(): Buffer;
+    /**
+     * Check if the key has been destroyed.
+     */
+    get destroyed(): boolean;
+    /**
+     * Get the timestamp when the key was destroyed, if applicable.
+     */
+    get destroyedAt(): Date | null;
+    /**
+     * Check if the key is expired or destroyed.
+     */
+    get isExpired(): boolean;
+    /**
+     * Securely destroy the key material (crypto-shredding).
+     *
+     * This overwrites the key material with random data then zeros,
+     * making any data encrypted with this key permanently unrecoverable.
+     *
+     * Note: In JavaScript/Node.js, we cannot guarantee memory is fully
+     * zeroed due to garbage collection. This is best-effort. For true
+     * security guarantees, use hardware security modules (HSM).
+     */
+    destroy(): void;
+}
+/**
+ * Cryptographic provider for ephemeral data encryption.
+ *
+ * Manages Data Encryption Keys (DEKs) and provides AES-256-GCM
+ * authenticated encryption for protecting ephemeral data.
+ */
+declare class CryptoProvider {
+    private readonly masterKey;
+    private readonly keys;
+    /**
+     * Create a new CryptoProvider.
+     *
+     * @param masterKey - Optional master key for key derivation.
+     *                    If not provided, a random key is generated.
+     *                    In production, this should come from a KMS.
+     */
+    constructor(masterKey?: Buffer);
+    /**
+     * Generate a new Data Encryption Key with the specified TTL.
+     *
+     * @param ttlMs - Time-to-live in milliseconds
+     * @returns The generated DEK
+     */
+    generateDEK(ttlMs: number): DataEncryptionKey;
+    /**
+     * Retrieve a DEK by its identifier.
+     *
+     * @param keyId - The key identifier
+     * @returns The DEK if found and valid, null otherwise
+     */
+    getDEK(keyId: string): DataEncryptionKey | null;
+    /**
+     * Destroy a DEK (crypto-shredding).
+     *
+     * After destruction, any data encrypted with this key becomes
+     * permanently unrecoverable.
+     *
+     * @param keyId - The key identifier
+     * @returns true if the key was found and destroyed, false otherwise
+     */
+    destroyDEK(keyId: string): boolean;
+    /**
+     * Encrypt plaintext using AES-256-GCM.
+     *
+     * @param plaintext - The data to encrypt
+     * @param dek - The Data Encryption Key to use
+     * @param associatedData - Optional additional authenticated data (AAD)
+     * @returns The encrypted payload
+     * @throws CryptoError if the key is destroyed or expired
+     */
+    encrypt(plaintext: Buffer, dek: DataEncryptionKey, associatedData?: Buffer): EncryptedPayload;
+    /**
+     * Decrypt an encrypted payload.
+     *
+     * @param payload - The encrypted payload to decrypt
+     * @param associatedData - Optional additional authenticated data (must match encryption)
+     * @returns The decrypted plaintext
+     * @throws CryptoError if decryption fails or key is unavailable
+     */
+    decrypt(payload: EncryptedPayload, associatedData?: Buffer): Buffer;
+    /**
+     * Encrypt a JSON-serializable object.
+     *
+     * @param data - The object to encrypt
+     * @param dek - The Data Encryption Key to use
+     * @returns The encrypted payload
+     */
+    encryptJSON(data: Record<string, unknown>, dek: DataEncryptionKey): EncryptedPayload;
+    /**
+     * Decrypt a payload and parse as JSON.
+     *
+     * @param payload - The encrypted payload
+     * @returns The decrypted object
+     */
+    decryptJSON(payload: EncryptedPayload): Record<string, unknown>;
+    /**
+     * Derive a key from the master key using HKDF.
+     *
+     * @param context - Context bytes for domain separation
+     * @param length - Desired key length in bytes (default: 32)
+     * @returns The derived key material
+     */
+    deriveKey(context: Buffer, length?: number): Buffer;
+}
+/**
+ * Compare two buffers in constant time to prevent timing attacks.
+ *
+ * @param a - First buffer
+ * @param b - Second buffer
+ * @returns true if buffers are equal, false otherwise
+ */
+declare function constantTimeCompare(a: Buffer, b: Buffer): boolean;
+
+/**
+ * EFSF Record Types
+ *
+ * Defines the EphemeralRecord class and related data structures
+ * for managing ephemeral data with classification and TTL policies.
+ */
+/**
+ * Data classification levels with associated TTL policies.
+ *
+ * Each classification defines default and maximum TTL values:
+ * - TRANSIENT: Short-lived data (sessions, tokens) - max 24 hours
+ * - SHORT_LIVED: Temporary data (carts, uploads) - max 7 days
+ * - RETENTION_BOUND: Compliance data (invoices, logs) - max 7 years
+ * - PERSISTENT: Permanent data (legal holds) - no TTL limit
+ */
+declare enum DataClassification {
+    TRANSIENT = "TRANSIENT",
+    SHORT_LIVED = "SHORT_LIVED",
+    RETENTION_BOUND = "RETENTION_BOUND",
+    PERSISTENT = "PERSISTENT"
+}
+/**
+ * Get the default TTL for a classification in milliseconds.
+ */
+declare function getDefaultTTL(classification: DataClassification): number | null;
+/**
+ * Get the maximum TTL for a classification in milliseconds.
+ */
+declare function getMaxTTL(classification: DataClassification): number | null;
+/**
+ * Serialized record format for storage.
+ */
+interface EphemeralRecordData {
+    id: string;
+    classification: string;
+    created_at: string;
+    expires_at: string;
+    ttl_seconds: number;
+    encrypted: boolean;
+    key_id: string | null;
+    access_count: number;
+    metadata: Record<string, unknown>;
+}
+/**
+ * Options for creating an ephemeral record.
+ */
+interface EphemeralRecordCreateOptions {
+    classification?: DataClassification;
+    ttl?: number;
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Represents metadata for an ephemeral record stored in the system.
+ *
+ * EphemeralRecord tracks the lifecycle of stored data including:
+ * - Unique identifier and encryption key reference
+ * - Classification and TTL policy
+ * - Creation and expiration timestamps
+ * - Access count for auditing
+ */
+declare class EphemeralRecord {
+    readonly id: string;
+    readonly classification: DataClassification;
+    readonly createdAt: Date;
+    readonly expiresAt: Date;
+    readonly ttl: number;
+    readonly encrypted: boolean;
+    keyId: string | null;
+    accessCount: number;
+    readonly metadata: Record<string, unknown>;
+    constructor(id: string, classification: DataClassification, createdAt: Date, expiresAt: Date, ttl: number, // milliseconds
+    encrypted?: boolean, keyId?: string | null, accessCount?: number, metadata?: Record<string, unknown>);
+    /**
+     * Factory method to create a new ephemeral record.
+     *
+     * @param options - Configuration options for the record
+     * @returns A new EphemeralRecord instance
+     * @throws Error if TTL exceeds the classification's maximum
+     */
+    static create(options?: EphemeralRecordCreateOptions): EphemeralRecord;
+    /**
+     * Check if the record has expired.
+     */
+    get isExpired(): boolean;
+    /**
+     * Get remaining time until expiration in milliseconds.
+     */
+    get timeRemaining(): number;
+    /**
+     * Convert to a plain object for serialization.
+     */
+    toDict(): EphemeralRecordData;
+    /**
+     * Reconstruct an EphemeralRecord from serialized data.
+     */
+    static fromDict(data: EphemeralRecordData): EphemeralRecord;
+}
+/**
+ * Parse a human-readable TTL string into milliseconds.
+ *
+ * Supported formats:
+ * - Seconds: "30s", "30sec", "30second", "30seconds"
+ * - Minutes: "5m", "5min", "5minute", "5minutes"
+ * - Hours: "2h", "2hr", "2hour", "2hours"
+ * - Days: "7d", "7day", "7days"
+ *
+ * @param ttlString - Human-readable TTL string
+ * @returns TTL in milliseconds
+ * @throws Error if the string cannot be parsed
+ *
+ * @example
+ * parseTTL("30s")  // 30000
+ * parseTTL("5m")   // 300000
+ * parseTTL("2h")   // 7200000
+ * parseTTL("7d")   // 604800000
+ */
+declare function parseTTL(ttlString: string): number;
+
+/**
+ * EFSF Ephemeral Store
+ *
+ * The primary interface for storing and retrieving ephemeral data
+ * with automatic TTL enforcement and crypto-shredding.
+ */
+
+/**
+ * Interface for pluggable storage backends.
+ *
+ * Implementations must support TTL-based expiration.
+ */
+interface StorageBackend {
+    /**
+     * Store a value with TTL.
+     * @param key - Storage key
+     * @param value - Value to store (JSON string)
+     * @param ttlSeconds - Time-to-live in seconds
+     */
+    set(key: string, value: string, ttlSeconds: number): Promise<boolean>;
+    /**
+     * Retrieve a value by key.
+     * @param key - Storage key
+     * @returns The value or null if not found/expired
+     */
+    get(key: string): Promise<string | null>;
+    /**
+     * Delete a value by key.
+     * @param key - Storage key
+     * @returns true if deleted, false if not found
+     */
+    delete(key: string): Promise<boolean>;
+    /**
+     * Check if a key exists.
+     * @param key - Storage key
+     */
+    exists(key: string): Promise<boolean>;
+    /**
+     * Get remaining TTL in seconds.
+     * @param key - Storage key
+     * @returns Remaining seconds or null if not found
+     */
+    ttl(key: string): Promise<number | null>;
+    /**
+     * Close the backend and release resources.
+     */
+    close(): Promise<void>;
+}
+/**
+ * In-memory storage backend for testing and development.
+ *
+ * TTL is enforced on access (not automatically expired).
+ */
+declare class MemoryBackend implements StorageBackend {
+    private readonly data;
+    set(key: string, value: string, ttlSeconds: number): Promise<boolean>;
+    get(key: string): Promise<string | null>;
+    delete(key: string): Promise<boolean>;
+    exists(key: string): Promise<boolean>;
+    ttl(key: string): Promise<number | null>;
+    close(): Promise<void>;
+}
+/**
+ * Redis storage backend for production use.
+ *
+ * Uses native Redis TTL for automatic expiration.
+ * Requires the 'ioredis' package.
+ */
+declare class RedisBackend implements StorageBackend {
+    private client;
+    private readonly prefix;
+    constructor(url: string, options?: Record<string, unknown>);
+    private key;
+    set(key: string, value: string, ttlSeconds: number): Promise<boolean>;
+    get(key: string): Promise<string | null>;
+    delete(key: string): Promise<boolean>;
+    exists(key: string): Promise<boolean>;
+    ttl(key: string): Promise<number | null>;
+    close(): Promise<void>;
+}
+/**
+ * Create a storage backend from a URL.
+ *
+ * Supported schemes:
+ * - memory:// - In-memory storage (for testing)
+ * - redis://host:port/db - Redis storage
+ * - rediss://host:port/db - Redis over TLS
+ *
+ * @param backendUrl - Backend URL
+ * @returns Storage backend instance
+ */
+declare function createBackend(backendUrl: string): StorageBackend;
+/**
+ * Options for creating an EphemeralStore.
+ */
+interface EphemeralStoreOptions {
+    /** Backend URL or instance */
+    backend?: string | StorageBackend;
+    /** Default TTL (string like "1h" or milliseconds) */
+    defaultTTL?: string | number;
+    /** Enable destruction certificate generation */
+    attestation?: boolean;
+    /** Custom crypto provider */
+    cryptoProvider?: CryptoProvider;
+    /** Custom attestation authority */
+    attestationAuthority?: AttestationAuthority;
+}
+/**
+ * Options for the put() method.
+ */
+interface PutOptions {
+    /** TTL (string like "30m" or milliseconds) */
+    ttl?: string | number;
+    /** Data classification level */
+    classification?: DataClassification | string;
+    /** Additional metadata */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Store statistics.
+ */
+interface StoreStats {
+    /** Number of active (non-expired) records */
+    activeRecords: number;
+    /** Number of destruction certificates issued */
+    certificatesIssued: number;
+    /** Whether attestation is enabled */
+    attestationEnabled: boolean;
+}
+/**
+ * The primary interface for storing and retrieving ephemeral data.
+ *
+ * Features:
+ * - Automatic encryption with per-record keys (AES-256-GCM)
+ * - TTL enforcement with crypto-shredding on expiration
+ * - Destruction certificates for compliance
+ * - Chain of custody tracking
+ *
+ * @example
+ * ```typescript
+ * const store = new EphemeralStore({
+ *   backend: 'memory://',
+ *   defaultTTL: '1h',
+ *   attestation: true,
+ * });
+ *
+ * // Store sensitive data
+ * const record = await store.put(
+ *   { user_id: '123', token: 'secret' },
+ *   { ttl: '30m', classification: DataClassification.TRANSIENT }
+ * );
+ *
+ * // Retrieve data
+ * const data = await store.get(record.id);
+ *
+ * // Destroy with certificate
+ * const cert = await store.destroy(record.id);
+ * ```
+ */
+declare class EphemeralStore {
+    private readonly backend;
+    private readonly defaultTTL;
+    private readonly crypto;
+    private readonly attestationEnabled;
+    private readonly authority;
+    private readonly records;
+    private readonly custody;
+    private readonly certificates;
+    constructor(options?: EphemeralStoreOptions);
+    /**
+     * Store data with automatic encryption and TTL.
+     *
+     * @param data - Data to store (must be JSON-serializable)
+     * @param options - Storage options (TTL, classification, metadata)
+     * @returns The ephemeral record metadata
+     */
+    put(data: Record<string, unknown>, options?: PutOptions): Promise<EphemeralRecord>;
+    /**
+     * Retrieve data by record ID.
+     *
+     * @param recordId - The record identifier
+     * @returns The decrypted data
+     * @throws RecordNotFoundError if the record doesn't exist
+     * @throws RecordExpiredError if the record has expired
+     */
+    get(recordId: string): Promise<Record<string, unknown>>;
+    /**
+     * Check if a record exists and is not expired.
+     *
+     * @param recordId - The record identifier
+     */
+    exists(recordId: string): Promise<boolean>;
+    /**
+     * Get remaining TTL for a record in milliseconds.
+     *
+     * @param recordId - The record identifier
+     * @returns Remaining TTL in milliseconds, or null if not found
+     */
+    ttl(recordId: string): Promise<number | null>;
+    /**
+     * Manually destroy a record immediately (crypto-shredding).
+     *
+     * This destroys the encryption key, making the data permanently
+     * unrecoverable, and generates a destruction certificate.
+     *
+     * @param recordId - The record identifier
+     * @returns The destruction certificate, or null if attestation is disabled
+     */
+    destroy(recordId: string): Promise<DestructionCertificate | null>;
+    /**
+     * Handle record expiration or destruction.
+     */
+    private handleExpiration;
+    /**
+     * Get the destruction certificate for a destroyed record.
+     *
+     * @param recordId - The record identifier
+     * @returns The certificate or null if not found
+     */
+    getDestructionCertificate(recordId: string): DestructionCertificate | null;
+    /**
+     * List all destruction certificates.
+     *
+     * @param since - Optional date to filter certificates issued after
+     * @returns List of certificates sorted by destruction timestamp (newest first)
+     */
+    listCertificates(since?: Date): DestructionCertificate[];
+    /**
+     * Get store statistics.
+     */
+    stats(): StoreStats;
+    /**
+     * Close the store and release resources.
+     */
+    close(): Promise<void>;
+    /** @internal */
+    get _crypto(): CryptoProvider;
+    /** @internal */
+    get _authority(): AttestationAuthority | null;
+    /** @internal */
+    get _records(): Map<string, EphemeralRecord>;
+}
+
+/**
+ * EFSF Sealed Execution
+ *
+ * Provides sealed execution contexts where all state is guaranteed
+ * to be destroyed upon exit.
+ *
+ * Note: In pure JavaScript without hardware TEE support, memory zeroing
+ * is best-effort. For production use with sensitive data, integrate
+ * with Intel SGX, AMD SEV, or AWS Nitro Enclaves.
+ */
+
+/**
+ * Attempt to securely zero memory containing sensitive data.
+ *
+ * WARNING: This is best-effort in JavaScript due to:
+ * - Garbage collection may have already copied data
+ * - String interning
+ * - Immutable types cannot be modified
+ *
+ * For true security guarantees, use hardware enclaves or HSMs.
+ *
+ * @param data - The data to zero
+ */
+declare function secureZeroMemory(data: unknown): void;
+/**
+ * Options for creating a SealedContext.
+ */
+interface SealedContextOptions {
+    executionId?: string;
+}
+/**
+ * Execution context for sealed code blocks.
+ *
+ * Tracks objects for cleanup and allows registration of
+ * cleanup callbacks.
+ */
+declare class SealedContext {
+    readonly executionId: string;
+    readonly startedAt: Date;
+    private readonly sensitiveRefs;
+    private readonly cleanupCallbacks;
+    constructor(options?: SealedContextOptions);
+    /**
+     * Track an object for cleanup on context exit.
+     *
+     * @param obj - Object to track
+     * @returns The same object for chaining
+     */
+    track<T extends object>(obj: T): T;
+    /**
+     * Register a cleanup callback to run on context exit.
+     *
+     * @param callback - Function to call during cleanup
+     */
+    onCleanup(callback: () => void): void;
+    /**
+     * Internal: Run cleanup routines.
+     */
+    _cleanup(): void;
+}
+/**
+ * Options for SealedExecution.
+ */
+interface SealedExecutionOptions {
+    /** Generate destruction certificate on exit */
+    attestation?: boolean;
+    /** Custom attestation authority */
+    authority?: AttestationAuthority;
+    /** Additional metadata for the certificate */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Sealed execution manager that guarantees state destruction on exit.
+ *
+ * Can be used with the run() method for automatic cleanup:
+ * ```typescript
+ * const seal = new SealedExecution({ attestation: true });
+ * const result = await seal.run((ctx) => {
+ *   const sensitive = ctx.track({ ssn: '123-45-6789' });
+ *   return processData(sensitive);
+ * });
+ * // All tracked state is now destroyed
+ * // seal.certificate contains the destruction proof
+ * ```
+ */
+declare class SealedExecution {
+    private static defaultAuthority;
+    readonly attestation: boolean;
+    readonly authority: AttestationAuthority | null;
+    readonly metadata: Record<string, unknown>;
+    context: SealedContext | null;
+    certificate: DestructionCertificate | null;
+    private chainOfCustody;
+    constructor(options?: SealedExecutionOptions);
+    /**
+     * Enter the sealed execution context.
+     *
+     * Use with try/finally or the run() method for automatic cleanup.
+     *
+     * @returns The sealed context for tracking objects
+     */
+    enter(): SealedContext;
+    /**
+     * Exit the sealed execution context and destroy all state.
+     *
+     * @param error - Optional error if exiting due to an exception
+     */
+    exit(error?: Error): void;
+    /**
+     * Run a function within the sealed context.
+     *
+     * Automatically handles enter/exit and cleanup.
+     *
+     * @param fn - Function to execute within the sealed context
+     * @returns The function's return value
+     */
+    run<T>(fn: (ctx: SealedContext) => T | Promise<T>): Promise<T>;
+}
+/**
+ * Options for the sealed decorator.
+ */
+interface SealedDecoratorOptions {
+    /** Generate destruction certificate on exit */
+    attestation?: boolean;
+    /** Custom attestation authority */
+    authority?: AttestationAuthority;
+    /** Additional metadata for the certificate */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Higher-order function that wraps a function in a sealed execution context.
+ *
+ * All arguments are tracked for cleanup, and the function executes within
+ * a sealed context that is destroyed on return.
+ *
+ * @example
+ * ```typescript
+ * const processPayment = sealed({ attestation: true })(
+ *   async (cardNumber: string, amount: number) => {
+ *     // All local state destroyed on return
+ *     return { success: true, masked: `****${cardNumber.slice(-4)}` };
+ *   }
+ * );
+ *
+ * const result = await processPayment('4111-1111-1111-1234', 99.99);
+ * // result._destruction_certificate contains the proof
+ * ```
+ *
+ * @param options - Sealed execution options
+ * @returns A function wrapper
+ */
+declare function sealed<TArgs extends unknown[], TReturn>(options?: SealedDecoratorOptions): (fn: (...args: TArgs) => TReturn | Promise<TReturn>) => (...args: TArgs) => Promise<TReturn>;
+
+/**
+ * EFSF Exceptions
+ *
+ * Custom error classes for the Ephemeral-First Security Framework.
+ * All errors extend from the base EFSFError class.
+ */
+/**
+ * Base error class for all EFSF errors.
+ */
+declare class EFSFError extends Error {
+    constructor(message: string);
+}
+/**
+ * Raised when a record cannot be found in the store.
+ */
+declare class RecordNotFoundError extends EFSFError {
+    readonly recordId: string;
+    constructor(recordId: string, message?: string);
+}
+/**
+ * Raised when attempting to access an expired record.
+ */
+declare class RecordExpiredError extends EFSFError {
+    readonly recordId: string;
+    readonly expiredAt?: string | undefined;
+    constructor(recordId: string, expiredAt?: string | undefined);
+}
+/**
+ * Raised when a cryptographic operation fails.
+ */
+declare class CryptoError extends EFSFError {
+    readonly operation: string;
+    constructor(operation: string, message?: string);
+}
+/**
+ * Raised when attestation or certificate operations fail.
+ */
+declare class AttestationError extends EFSFError {
+    constructor(message?: string);
+}
+/**
+ * Raised when a storage backend operation fails.
+ */
+declare class BackendError extends EFSFError {
+    readonly backend: string;
+    constructor(backend: string, message?: string);
+}
+/**
+ * Raised when input validation fails.
+ */
+declare class ValidationError extends EFSFError {
+    readonly field: string;
+    constructor(field: string, message?: string);
+}
+/**
+ * Raised when a TTL policy is violated.
+ */
+declare class TTLViolationError extends EFSFError {
+    readonly recordId: string;
+    readonly expectedTTL: string;
+    readonly actualTTL?: string | undefined;
+    constructor(recordId: string, expectedTTL: string, actualTTL?: string | undefined);
+}
+
+/**
+ * EFSF - Ephemeral-First Security Framework
+ *
+ * A framework for building systems where data transience is a first-class
+ * security primitive. Implements the core thesis that "data that no longer
+ * exists cannot be stolen."
+ *
+ * @packageDocumentation
+ */
+
+/** SDK version */
+declare const VERSION = "0.1.0";
+
+export { type AccessEvent, AttestationAuthority, AttestationError, BackendError, ChainOfCustody, type ChainOfCustodyData, CryptoError, CryptoProvider, DataClassification, DataEncryptionKey, DestructionCertificate, type DestructionCertificateData, DestructionMethod, EFSFError, EncryptedPayload, type EncryptedPayloadData, EphemeralRecord, type EphemeralRecordCreateOptions, type EphemeralRecordData, EphemeralStore, type EphemeralStoreOptions, MemoryBackend, type PutOptions, RecordExpiredError, RecordNotFoundError, RedisBackend, ResourceInfo, type ResourceInfoData, SealedContext, type SealedContextOptions, type SealedDecoratorOptions, SealedExecution, type SealedExecutionOptions, type StorageBackend, type StoreStats, TTLViolationError, VERSION, ValidationError, constantTimeCompare, createBackend, getDefaultTTL, getMaxTTL, parseTTL, sealed, secureZeroMemory };