@happyvertical/smrt-profiles 0.30.0

package/dist/index.d.ts

@@ -0,0 +1,1848 @@
+import { Asset } from '@happyvertical/smrt-assets';
+import { PromptDefinition } from '@happyvertical/smrt-prompts';
+import { ResolvedPromptAI } from '@happyvertical/smrt-prompts';
+import { SmrtCollection } from '@happyvertical/smrt-core';
+import { SmrtJunction } from '@happyvertical/smrt-core';
+import { SmrtObject } from '@happyvertical/smrt-core';
+import { SmrtObjectOptions } from '@happyvertical/smrt-core';
+
+export declare class ApiKey extends SmrtObject {
+    /**
+     * Link to the Profile (Person, Organization, Bot)
+     */
+    profileId?: string;
+    /**
+     * SHA-256 hash of the API key
+     */
+    keyHash: string;
+    /**
+     * First 8 characters of the key for identification (e.g., "sk_live_a1b2...")
+     */
+    keyPrefix: string;
+    /**
+     * Human-readable name for the key (e.g., "CI Bot", "Local CLI")
+     */
+    name: string;
+    /**
+     * Scopes/permissions for this key
+     */
+    scopes: string[];
+    /**
+     * Last time this key was used
+     */
+    lastUsedAt: Date | null;
+    /**
+     * When this key expires (null = never)
+     */
+    expiresAt: Date | null;
+    /**
+     * When this key was revoked (null = active)
+     */
+    revokedAt: Date | null;
+    constructor(options?: ApiKeyOptions);
+    /**
+     * Get the linked Profile
+     */
+    getProfile(): Promise<Profile | null>;
+    /**
+     * Check if this key is valid (not expired, not revoked)
+     */
+    isValid(): boolean;
+    /**
+     * Check if this key has a specific scope
+     */
+    hasScope(scope: string): boolean;
+    /**
+     * Revoke this key
+     */
+    revoke(): Promise<void>;
+    /**
+     * Record usage of this key
+     */
+    recordUsage(): Promise<void>;
+    /**
+     * Hash an API key
+     */
+    static hashKey(key: string): string;
+    /**
+     * Generate a new API key for a profile
+     */
+    static generate(profile: Profile, options: {
+        name: string;
+        scopes?: string[];
+        expiresAt?: Date | null;
+        db?: SmrtObjectOptions['db'];
+    }): Promise<GenerateKeyResult>;
+    /**
+     * Verify an API key and return the ApiKey record if valid
+     */
+    static verify(key: string, options?: SmrtObjectOptions): Promise<ApiKey | null>;
+}
+
+export declare class ApiKeyCollection extends SmrtCollection<ApiKey> {
+    static readonly _itemClass: typeof ApiKey;
+    /**
+     * Find all keys for a profile
+     */
+    findByProfile(profileId: string): Promise<ApiKey[]>;
+    /**
+     * Find active (non-revoked, non-expired) keys for a profile
+     */
+    findActiveByProfile(profileId: string): Promise<ApiKey[]>;
+    /**
+     * Find key by hash
+     */
+    findByHash(keyHash: string): Promise<ApiKey | null>;
+    /**
+     * Verify an API key string and return the record if valid
+     */
+    verify(key: string): Promise<ApiKey | null>;
+    /**
+     * Generate a new key for a profile
+     */
+    generateForProfile(profile: Profile, options: {
+        name: string;
+        scopes?: string[];
+        expiresAt?: Date | null;
+    }): Promise<GenerateKeyResult>;
+    /**
+     * Revoke all keys for a profile
+     */
+    revokeAllForProfile(profileId: string): Promise<number>;
+    /**
+     * Revoke a specific key by prefix
+     */
+    revokeByPrefix(keyPrefix: string): Promise<boolean>;
+    /**
+     * Clean up expired keys (soft delete by setting revokedAt)
+     */
+    cleanupExpired(): Promise<number>;
+}
+
+export declare interface ApiKeyOptions extends SmrtObjectOptions {
+    profileId?: string;
+    name?: string;
+    scopes?: string[];
+    expiresAt?: Date | null;
+}
+
+export declare class AuditLog extends SmrtObject {
+    tenantId: string | null;
+    /**
+     * The profile who performed the action
+     */
+    profileId?: string;
+    /**
+     * Action performed (e.g., 'issue.update', 'feedback.incorporate')
+     */
+    action: string;
+    /**
+     * Type of resource affected (e.g., 'Issue', 'Repository')
+     */
+    resourceType: string;
+    /**
+     * ID of the affected resource
+     */
+    resourceId: string;
+    /**
+     * Source of the action
+     */
+    source: AuditSource;
+    /**
+     * Additional context (CI run ID, request ID, etc.)
+     */
+    metadata: Record<string, any>;
+    /**
+     * For pass-through identity in CI - the actual person who triggered
+     */
+    onBehalfOfId?: string | null;
+    constructor(options?: AuditLogOptions);
+    /**
+     * Get the profile who performed the action
+     */
+    getProfile(): Promise<Profile | null>;
+    /**
+     * Get the profile on whose behalf the action was performed (if any)
+     */
+    getOnBehalfOf(): Promise<Profile | null>;
+    /**
+     * Get the effective actor (onBehalfOf if set, otherwise profile)
+     */
+    getEffectiveActor(): Promise<Profile | null>;
+    /**
+     * Create an audit log entry
+     */
+    static record(options: AuditLogOptions & {
+        profile: Profile;
+        onBehalfOf?: Profile | null;
+    }): Promise<AuditLog>;
+}
+
+export declare class AuditLogCollection extends SmrtCollection<AuditLog> {
+    static readonly _itemClass: typeof AuditLog;
+    /**
+     * Find logs for a profile (actions they performed)
+     */
+    findByProfile(profileId: string): Promise<AuditLog[]>;
+    /**
+     * Find logs for a resource
+     */
+    findByResource(resourceType: string, resourceId: string): Promise<AuditLog[]>;
+    /**
+     * Find logs by action type
+     */
+    findByAction(action: string): Promise<AuditLog[]>;
+    /**
+     * Find logs by source
+     */
+    findBySource(source: AuditSource): Promise<AuditLog[]>;
+    /**
+     * Find logs where actions were performed on behalf of someone
+     */
+    findOnBehalfOf(profileId: string): Promise<AuditLog[]>;
+    /**
+     * Record a new audit log entry
+     */
+    record(options: {
+        profile: Profile;
+        action: string;
+        resourceType: string;
+        resourceId: string;
+        source?: AuditSource;
+        metadata?: Record<string, any>;
+        onBehalfOf?: Profile | null;
+    }): Promise<AuditLog>;
+    /**
+     * Get recent activity for a profile
+     */
+    getRecentActivity(profileId: string, limit?: number): Promise<AuditLog[]>;
+    /**
+     * Get activity timeline for a resource
+     */
+    getResourceTimeline(resourceType: string, resourceId: string): Promise<AuditLog[]>;
+}
+
+export declare interface AuditLogOptions extends SmrtObjectOptions {
+    profileId?: string;
+    action?: string;
+    resourceType?: string;
+    resourceId?: string;
+    source?: AuditSource;
+    metadata?: Record<string, any>;
+    onBehalfOfId?: string | null;
+    tenantId?: string | null;
+}
+
+export declare type AuditSource = 'web' | 'cli' | 'ci' | 'webhook' | 'mcp';
+
+/**
+ * Context provided to resolveIdentity
+ */
+export declare interface AuthContext {
+    /**
+     * API key from X-API-Key header or similar
+     */
+    apiKey?: string | null;
+    /**
+     * OIDC session data (from @auth/sveltekit or similar)
+     */
+    oidcSession?: {
+        sub?: string;
+        iss?: string;
+        email?: string;
+        name?: string;
+    } | null;
+    /**
+     * Actor identifier for CI pass-through identity
+     * Usually the GitHub actor (username) who triggered the workflow
+     */
+    actor?: string | null;
+    /**
+     * Nostr authentication data (NIP-42 style)
+     */
+    nostrAuth?: {
+        /** Signed Nostr event for authentication */
+        event: NostrEvent;
+        /** Expected challenge (to prevent replay attacks) */
+        challenge: string;
+    } | null;
+    /**
+     * Database/persistence options
+     */
+    db?: SmrtObjectOptions['db'];
+}
+
+/**
+ * Bot profile type
+ *
+ * Represents automated agents, bots, and AI entities.
+ */
+export declare class Bot extends Profile {
+    constructor(options?: ProfileOptions);
+}
+
+/**
+ * Compute the event ID (SHA-256 hash of serialized event)
+ */
+export declare function computeEventId(event: NostrEvent): string;
+
+/**
+ * Create a Nostr event for authentication (NIP-42 style)
+ * @param privkey - Private key to sign with
+ * @param challenge - Server challenge string
+ * @param relay - Relay URL (optional)
+ */
+export declare function createAuthEvent(privkey: string, challenge: string, relay?: string): NostrEvent;
+
+/**
+ * Create a magic link service instance
+ */
+export declare function createMagicLinkService(config: MagicLinkConfig): MagicLinkService;
+
+/**
+ * Create a NIP-05 handler
+ *
+ * @example
+ * // SvelteKit
+ * import { createNip05Handler } from '@happyvertical/smrt-profiles';
+ *
+ * const handler = createNip05Handler({ db: { type: 'postgres', url: DATABASE_URL } });
+ *
+ * export async function GET({ url }) {
+ *   const result = await handler({ name: url.searchParams.get('name') });
+ *   return new Response(JSON.stringify(result.body), {
+ *     status: result.status,
+ *     headers: result.headers,
+ *   });
+ * }
+ *
+ * @example
+ * // Express
+ * import { createNip05Handler } from '@happyvertical/smrt-profiles';
+ *
+ * const handler = createNip05Handler({ db: { type: 'postgres', url: DATABASE_URL } });
+ *
+ * app.get('/.well-known/nostr.json', async (req, res) => {
+ *   const result = await handler({ name: req.query.name });
+ *   res.status(result.status).set(result.headers).json(result.body);
+ * });
+ */
+export declare function createNip05Handler(config: Nip05HandlerConfig): (request: Nip05Request) => Promise<Nip05HandlerResult>;
+
+/**
+ * Create a profile from Nostr identity (used by magic link service)
+ *
+ * This is typically called internally by the magic link service,
+ * but can be used directly if needed.
+ *
+ * @param email - Email address for the profile
+ * @param nostrData - Encrypted Nostr keypair data
+ * @param options - Database options
+ * @returns The created profile with linked Nostr identity
+ */
+export declare function createProfileFromNostr(email: string, nostrData: {
+    pubkey: string;
+    encryptedPrivkey: string;
+    encryptionIv: string;
+    encryptionTag: string;
+    nip05Username?: string;
+}, options: SmrtObjectOptions): Promise<{
+    profile: Profile;
+    nostrIdentity: NostrIdentity;
+    created: boolean;
+}>;
+
+/**
+ * Create a profile from OIDC claims if it doesn't exist
+ *
+ * Supports email-based account linking: if a user signs in with Google
+ * and later with GitHub using the same email, they get the same profile.
+ *
+ * Resolution order:
+ * 1. If OIDC identity (iss + sub) already exists → return linked profile
+ * 2. If verified email provided, check if profile with same email exists → link new identity
+ * 3. Otherwise, create new profile + identity
+ *
+ * Security considerations:
+ * - Email-based linking only occurs when `email_verified` is true. This prevents
+ *   attackers from claiming unverified emails to hijack accounts.
+ * - Linking is automatic and irreversible through this API. Multiple OIDC
+ *   identities from different providers sharing the same verified email will
+ *   be associated to the same Profile.
+ * - If an OIDC provider does not supply an email, or the email changes later,
+ *   existing links are not automatically updated. New sign-ins without an email
+ *   or with a different email may result in a new Profile being created.
+ * - This function trusts the OIDC provider to assert correct email_verified status.
+ *   Only use with trusted providers.
+ *
+ * @param claims - OIDC token claims
+ * @param provider - Provider name (e.g., 'keycloak', 'google', 'github')
+ * @param options - Database options
+ * @returns The created or existing profile with linked OIDC identity
+ */
+export declare function createProfileFromOidc(claims: {
+    sub: string;
+    iss: string;
+    email?: string;
+    email_verified?: boolean;
+    name?: string;
+    preferred_username?: string;
+}, provider: string, options: SmrtObjectOptions): Promise<{
+    profile: Profile;
+    oidcIdentity: OidcIdentity;
+    created: boolean;
+}>;
+
+/**
+ * Decrypt a private key using AES-256-GCM
+ * @param encrypted - Encrypted key data
+ * @param masterSecret - Server master secret (from env)
+ */
+export declare function decryptPrivkey(encrypted: EncryptedKey, masterSecret: string): string;
+
+/**
+ * Derive an encryption key from the master secret using HKDF
+ * @param masterSecret - Server master secret
+ */
+export declare function deriveEncryptionKey(masterSecret: string): Buffer;
+
+export declare interface EncryptedKey {
+    /** Base64-encoded ciphertext */
+    ciphertext: string;
+    /** Base64-encoded initialization vector */
+    iv: string;
+    /** Base64-encoded authentication tag */
+    tag: string;
+}
+
+/**
+ * Encrypt a private key using AES-256-GCM
+ * @param privkey - Hex-encoded private key
+ * @param masterSecret - Server master secret (from env)
+ */
+export declare function encryptPrivkey(privkey: string, masterSecret: string): EncryptedKey;
+
+export declare interface GenerateKeyResult {
+    key: string;
+    apiKey: ApiKey;
+}
+
+/**
+ * Generate a new Nostr keypair (secp256k1)
+ */
+export declare function generateNostrKeypair(): NostrKeypair;
+
+export declare interface GenerateTokenResult {
+    /** The plaintext token (only available at creation time) */
+    token: string;
+    /** The MagicLinkToken record */
+    magicLinkToken: MagicLinkToken;
+}
+
+/**
+ * Get public key from private key
+ */
+export declare function getPublicKey(privkey: string): string;
+
+export declare interface InitiateResult {
+    success: boolean;
+    /** The Nostr identity (existing or new) */
+    nostrIdentity?: NostrIdentity;
+    /** The profile (existing or new) */
+    profile?: Profile;
+    /** True if a new profile was created */
+    created: boolean;
+    /** Error message if success is false */
+    error?: string;
+    /** Error code for programmatic handling */
+    errorCode?: 'RATE_LIMITED_EMAIL' | 'RATE_LIMITED_IP' | 'EMAIL_SEND_FAILED';
+}
+
+/**
+ * Validate a NIP-05 identifier format
+ * @param identifier - The identifier to validate (e.g., "alice@example.com")
+ */
+export declare function isValidNip05Identifier(identifier: string): boolean;
+
+/**
+ * Validate a hex-encoded private key
+ */
+export declare function isValidPrivkey(privkey: string): boolean;
+
+/**
+ * Validate a hex-encoded public key
+ */
+export declare function isValidPubkey(pubkey: string): boolean;
+
+export declare interface MagicLinkConfig {
+    /** Base URL for magic links (e.g., "https://example.com") */
+    baseUrl: string;
+    /** Path for verification endpoint (default: "/auth/verify") */
+    verifyPath?: string;
+    /** Token expiration in minutes (default: 15) */
+    expiresInMinutes?: number;
+    /** Maximum tokens per email per hour (default: 5) */
+    maxTokensPerEmailPerHour?: number;
+    /** Maximum tokens per IP per hour (default: 10) */
+    maxTokensPerIpPerHour?: number;
+    /** Server master secret for encryption */
+    masterSecret: string;
+    /** Callback to send the email */
+    sendEmail: (to: string, magicLink: string) => Promise<void>;
+    /** Database options */
+    db: SmrtObjectOptions['db'];
+}
+
+export declare interface MagicLinkService {
+    /**
+     * Initiate magic link flow - generates token and sends email
+     */
+    initiate(email: string, options?: {
+        requestedFromIp?: string;
+        nip05Username?: string;
+    }): Promise<InitiateResult>;
+    /**
+     * Verify a magic link token and return decrypted keypair
+     */
+    verify(token: string): Promise<VerifyResult>;
+}
+
+export declare class MagicLinkToken extends SmrtObject {
+    /**
+     * Link to the NostrIdentity this token is for
+     */
+    nostrIdentityId?: string;
+    /**
+     * SHA-256 hash of the token (never store plaintext)
+     */
+    tokenHash: string;
+    /**
+     * Email this token was sent to
+     */
+    email: string;
+    /**
+     * When this token expires
+     */
+    expiresAt: Date;
+    /**
+     * When this token was used (null = unused)
+     */
+    usedAt: Date | null;
+    /**
+     * IP address that requested the token (for rate limiting)
+     */
+    requestedFromIp: string;
+    /**
+     * When this token was created (for rate limiting)
+     */
+    createdAt: Date;
+    constructor(options?: MagicLinkTokenOptions);
+    /**
+     * Hash a token using SHA-256
+     */
+    static hashToken(token: string): string;
+    /**
+     * Generate a new magic link token
+     * @param nostrIdentity - The identity this token is for
+     * @param email - The email address to send to
+     * @param options - Additional options
+     */
+    static generate(nostrIdentity: NostrIdentity, email: string, options?: {
+        expiresInMinutes?: number;
+        requestedFromIp?: string;
+        db?: SmrtObjectOptions['db'];
+    }): Promise<GenerateTokenResult>;
+    /**
+     * Verify a token and return the MagicLinkToken if valid
+     * @param token - The plaintext token to verify
+     * @param options - Database options
+     * @returns The MagicLinkToken if valid, null otherwise
+     */
+    static verify(token: string, options?: SmrtObjectOptions): Promise<MagicLinkToken | null>;
+    /**
+     * Check if this token is valid (not expired and not used)
+     */
+    isValid(): boolean;
+    /**
+     * Check if this token has expired
+     */
+    isExpired(): boolean;
+    /**
+     * Check if this token has been used
+     */
+    isUsed(): boolean;
+    /**
+     * Mark this token as used
+     */
+    markUsed(): Promise<void>;
+    /**
+     * Get the NostrIdentity this token is for
+     */
+    getNostrIdentity(): Promise<NostrIdentity | null>;
+    /**
+     * Get time remaining until expiration in seconds
+     */
+    getTimeRemainingSeconds(): number;
+}
+
+export declare class MagicLinkTokenCollection extends SmrtCollection<MagicLinkToken> {
+    static readonly _itemClass: typeof MagicLinkToken;
+    /**
+     * Find token by hash
+     */
+    findByTokenHash(tokenHash: string): Promise<MagicLinkToken | null>;
+    /**
+     * Find active (non-expired, non-used) tokens for an email
+     */
+    findActiveForEmail(email: string): Promise<MagicLinkToken[]>;
+    /**
+     * Find tokens for a NostrIdentity
+     */
+    findByIdentity(nostrIdentityId: string): Promise<MagicLinkToken[]>;
+    /**
+     * Count tokens created for an email within a time window (for rate limiting)
+     * @param email - Email address
+     * @param withinMinutes - Time window in minutes
+     */
+    countRecentByEmail(email: string, withinMinutes: number): Promise<number>;
+    /**
+     * Count tokens created from an IP within a time window (for rate limiting)
+     * @param ip - IP address
+     * @param withinMinutes - Time window in minutes
+     */
+    countRecentByIp(ip: string, withinMinutes: number): Promise<number>;
+    /**
+     * Verify a token and return it if valid
+     */
+    verify(token: string): Promise<MagicLinkToken | null>;
+    /**
+     * Clean up expired tokens by deleting them
+     * @returns Number of tokens deleted
+     */
+    cleanupExpired(): Promise<number>;
+    /**
+     * Revoke all tokens for a NostrIdentity (e.g., when identity is deleted)
+     */
+    revokeForIdentity(nostrIdentityId: string): Promise<number>;
+    /**
+     * Check if rate limit is exceeded for email
+     * @param email - Email address
+     * @param maxPerHour - Maximum tokens allowed per hour (default: 5)
+     */
+    isRateLimitedByEmail(email: string, maxPerHour?: number): Promise<boolean>;
+    /**
+     * Check if rate limit is exceeded for IP
+     * @param ip - IP address
+     * @param maxPerHour - Maximum tokens allowed per hour (default: 10)
+     */
+    isRateLimitedByIp(ip: string, maxPerHour?: number): Promise<boolean>;
+}
+
+export declare interface MagicLinkTokenOptions extends SmrtObjectOptions {
+    nostrIdentityId?: string;
+    tokenHash?: string;
+    email?: string;
+    expiresAt?: Date;
+    usedAt?: Date | null;
+    requestedFromIp?: string;
+    createdAt?: Date;
+}
+
+export declare interface Nip05HandlerConfig {
+    /** Database options */
+    db: SmrtObjectOptions['db'];
+    /** Optional: Additional relays to include for all users */
+    defaultRelays?: string[];
+    /** Optional: Cache TTL in seconds (default: 300 = 5 minutes) */
+    cacheTtlSeconds?: number;
+}
+
+export declare interface Nip05HandlerResult {
+    /** The NIP-05 response body */
+    body: Nip05Response;
+    /** Suggested headers for the response */
+    headers: Record<string, string>;
+    /** HTTP status code */
+    status: number;
+}
+
+export declare interface Nip05Request {
+    /** The 'name' query parameter from the request */
+    name?: string | null;
+}
+
+export declare interface Nip05Response {
+    names: Record<string, string>;
+    relays?: Record<string, string[]>;
+}
+
+export declare interface NostrEvent {
+    id?: string;
+    pubkey: string;
+    created_at: number;
+    kind: number;
+    tags: string[][];
+    content: string;
+    sig?: string;
+}
+
+export declare class NostrIdentity extends SmrtObject {
+    /**
+     * Link to the Profile (Person, Organization, Bot)
+     */
+    profileId?: string;
+    /**
+     * Hex-encoded secp256k1 public key (64 characters)
+     */
+    pubkey: string;
+    /**
+     * AES-256-GCM encrypted private key (base64-encoded ciphertext)
+     */
+    encryptedPrivkey: string;
+    /**
+     * Initialization vector for AES-GCM decryption (base64)
+     */
+    encryptionIv: string;
+    /**
+     * Authentication tag from AES-GCM (base64)
+     */
+    encryptionTag: string;
+    /**
+     * Email address associated with this identity
+     */
+    email: string;
+    /**
+     * Username for NIP-05 verification (e.g., "alice" for alice@domain.com)
+     */
+    nip05Username: string;
+    /**
+     * Last time this identity was used for authentication
+     */
+    lastUsedAt: Date | null;
+    /**
+     * When this identity was verified via magic link
+     */
+    verifiedAt: Date | null;
+    constructor(options?: NostrIdentityOptions);
+    /**
+     * Get the linked Profile
+     */
+    getProfile(): Promise<Profile | null>;
+    /**
+     * Find identity by public key
+     */
+    static findByPubkey(pubkey: string, options?: SmrtObjectOptions): Promise<NostrIdentity | null>;
+    /**
+     * Find identity by email
+     */
+    static findByEmail(email: string, options?: SmrtObjectOptions): Promise<NostrIdentity | null>;
+    /**
+     * Find identity by NIP-05 username
+     */
+    static findByNip05(username: string, options?: SmrtObjectOptions): Promise<NostrIdentity | null>;
+    /**
+     * Decrypt the private key using the server master secret
+     * @param masterSecret - SERVER_MASTER_SECRET from environment
+     * @returns Hex-encoded private key
+     */
+    decryptPrivkey(masterSecret: string): string;
+    /**
+     * Get the full keypair (requires master secret)
+     * @param masterSecret - SERVER_MASTER_SECRET from environment
+     */
+    getKeypair(masterSecret: string): {
+        pubkey: string;
+        privkey: string;
+        npub: string;
+        nsec: string;
+    };
+    /**
+     * Record usage of this identity
+     */
+    recordUsage(): Promise<void>;
+    /**
+     * Mark this identity as verified
+     */
+    markVerified(): Promise<void>;
+    /**
+     * Check if this identity is verified
+     */
+    isVerified(): boolean;
+    /**
+     * Get the NIP-05 identifier (username@domain)
+     * Note: Domain must be provided by the application
+     */
+    getNip05Identifier(domain: string): string;
+}
+
+export declare class NostrIdentityCollection extends SmrtCollection<NostrIdentity> {
+    static readonly _itemClass: typeof NostrIdentity;
+    /**
+     * Find identities for a profile
+     */
+    findByProfile(profileId: string): Promise<NostrIdentity[]>;
+    /**
+     * Find identity by public key
+     */
+    findByPubkey(pubkey: string): Promise<NostrIdentity | null>;
+    /**
+     * Find identity by email
+     */
+    findByEmail(email: string): Promise<NostrIdentity | null>;
+    /**
+     * Find identity by NIP-05 username
+     */
+    findByNip05(username: string): Promise<NostrIdentity | null>;
+    /**
+     * Link a new Nostr identity to a profile with a new keypair
+     * @param profile - The profile to link to
+     * @param email - Email address for this identity
+     * @param masterSecret - Server master secret for encryption
+     * @param nip05Username - Optional NIP-05 username (defaults to email local part)
+     */
+    createForProfile(profile: Profile, email: string, masterSecret: string, nip05Username?: string): Promise<NostrIdentity>;
+    /**
+     * Link an existing Nostr identity (with encrypted keypair) to a profile
+     */
+    linkToProfile(profile: Profile, nostrData: {
+        pubkey: string;
+        encryptedPrivkey: string;
+        encryptionIv: string;
+        encryptionTag: string;
+        email: string;
+        nip05Username?: string;
+    }): Promise<NostrIdentity>;
+    /**
+     * Unlink a Nostr identity from a profile
+     */
+    unlinkFromProfile(profileId: string, pubkey: string): Promise<boolean>;
+    /**
+     * Get NIP-05 response data for the /.well-known/nostr.json endpoint
+     * @param username - Optional username filter, returns all if not provided
+     */
+    getNip05Response(username?: string): Promise<Nip05Response>;
+    /**
+     * Check if a NIP-05 username is available
+     */
+    isNip05Available(username: string): Promise<boolean>;
+    /**
+     * Update NIP-05 username for an identity
+     */
+    updateNip05Username(identity: NostrIdentity, newUsername: string): Promise<NostrIdentity>;
+}
+
+export declare interface NostrIdentityOptions extends SmrtObjectOptions {
+    profileId?: string;
+    pubkey?: string;
+    encryptedPrivkey?: string;
+    encryptionIv?: string;
+    encryptionTag?: string;
+    email?: string;
+    nip05Username?: string;
+    lastUsedAt?: Date | null;
+    verifiedAt?: Date | null;
+}
+
+/**
+ * Nostr cryptographic utilities
+ *
+ * Handles keypair generation, encryption/decryption of private keys,
+ * signature verification, and bech32 encoding for Nostr authentication.
+ */
+export declare interface NostrKeypair {
+    /** Hex-encoded public key (64 characters) */
+    pubkey: string;
+    /** Hex-encoded private key (64 characters) */
+    privkey: string;
+}
+
+/**
+ * Convert npub (bech32) to hex public key
+ */
+export declare function npubToPubkey(npub: string): string;
+
+/**
+ * Convert nsec (bech32) to hex private key
+ */
+export declare function nsecToPrivkey(nsec: string): string;
+
+export declare class OidcIdentity extends SmrtObject {
+    /**
+     * Link to the Profile (Person, Organization, Bot)
+     */
+    profileId?: string;
+    /**
+     * Provider name (e.g., 'keycloak', 'google', 'github')
+     */
+    provider: string;
+    /**
+     * OIDC issuer URL (e.g., https://keycloak.example.com/realms/bmp)
+     */
+    issuer: string;
+    /**
+     * OIDC subject claim - unique identifier from the provider
+     */
+    subject: string;
+    /**
+     * Cached email from the IdP (for display/lookup)
+     */
+    email: string;
+    /**
+     * Last time this identity was used for authentication
+     */
+    lastUsedAt: Date | null;
+    constructor(options?: OidcIdentityOptions);
+    /**
+     * Get the linked Profile
+     */
+    getProfile(): Promise<Profile | null>;
+    /**
+     * Find identity by issuer and subject
+     */
+    static findBySubject(issuer: string, subject: string, options?: SmrtObjectOptions): Promise<OidcIdentity | null>;
+    /**
+     * Find or create identity for a profile
+     */
+    static findOrCreate(profile: Profile, oidcData: {
+        provider: string;
+        issuer: string;
+        subject: string;
+        email?: string;
+    }, options?: SmrtObjectOptions): Promise<OidcIdentity>;
+    /**
+     * Record usage of this identity
+     */
+    recordUsage(): Promise<void>;
+}
+
+export declare class OidcIdentityCollection extends SmrtCollection<OidcIdentity> {
+    static readonly _itemClass: typeof OidcIdentity;
+    /**
+     * Find identities for a profile
+     */
+    findByProfile(profileId: string): Promise<OidcIdentity[]>;
+    /**
+     * Find identity by issuer and subject
+     */
+    findBySubject(issuer: string, subject: string): Promise<OidcIdentity | null>;
+    /**
+     * Find identities by provider
+     */
+    findByProvider(provider: string): Promise<OidcIdentity[]>;
+    /**
+     * Link a new OIDC identity to a profile
+     */
+    linkToProfile(profile: Profile, oidcData: {
+        provider: string;
+        issuer: string;
+        subject: string;
+        email?: string;
+    }): Promise<OidcIdentity>;
+    /**
+     * Unlink an OIDC identity from a profile
+     */
+    unlinkFromProfile(profileId: string, issuer: string, subject: string): Promise<boolean>;
+}
+
+export declare interface OidcIdentityOptions extends SmrtObjectOptions {
+    profileId?: string;
+    provider?: string;
+    issuer?: string;
+    subject?: string;
+    email?: string;
+    lastUsedAt?: Date | null;
+}
+
+/**
+ * Organization profile type
+ *
+ * Represents companies, groups, institutions, and other organizational entities.
+ */
+export declare class Organization extends Profile {
+    constructor(options?: ProfileOptions);
+}
+
+/**
+ * Parse a NIP-05 identifier into its parts
+ * @param identifier - The identifier to parse (e.g., "alice@example.com")
+ */
+export declare function parseNip05Identifier(identifier: string): {
+    localPart: string;
+    domain: string;
+} | null;
+
+/**
+ * Person profile type
+ *
+ * Represents individual people/users.
+ */
+export declare class Person extends Profile {
+    constructor(options?: ProfileOptions);
+}
+
+/**
+ * Convert hex private key to nsec (bech32)
+ */
+export declare function privkeyToNsec(privkey: string): string;
+
+export declare class Profile extends SmrtObject {
+    tenantId: string | null;
+    typeId?: string;
+    email?: string;
+    name: string;
+    description?: string;
+    metadata: any[];
+    relationshipsFrom: any[];
+    relationshipsTo: any[];
+    constructor(options?: ProfileOptions);
+    /**
+     * Get the profile type slug for this profile
+     *
+     * @returns The slug of the profile type
+     */
+    getTypeSlug(): Promise<string>;
+    /**
+     * Set the profile type by slug
+     *
+     * @param slug - The slug of the profile type
+     * @throws Error if profile type not found
+     */
+    setTypeBySlug(slug: string): Promise<void>;
+    /**
+     * Add metadata to this profile
+     *
+     * @param metafieldSlug - The slug of the metafield
+     * @param value - The value to set
+     */
+    addMetadata(metafieldSlug: string, value: any): Promise<void>;
+    /**
+     * Get all metadata for this profile as key-value object
+     *
+     * @returns Object with metafield slugs as keys
+     */
+    getMetadata(): Promise<Record<string, any>>;
+    /**
+     * Update multiple metadata values
+     *
+     * @param metadata - Object with metafield slugs as keys and values
+     */
+    updateMetadata(metadata: Record<string, any>): Promise<void>;
+    /**
+     * Remove metadata by metafield slug
+     *
+     * @param metafieldSlug - The slug of the metafield to remove
+     */
+    removeMetadata(metafieldSlug: string): Promise<void>;
+    private getProfileAssetCollection;
+    getAssets(relationship?: string): Promise<Asset[]>;
+    addAsset(asset: Asset, relationship?: string, sortOrder?: number): Promise<void>;
+    removeAsset(assetId: string, relationship?: string): Promise<void>;
+    /**
+     * Add a relationship to another profile
+     *
+     * @param toProfile - The target profile
+     * @param relationshipSlug - The type of relationship
+     * @param contextProfile - Optional context profile for tertiary relationships
+     */
+    addRelationship(toProfile: Profile, relationshipSlug: string, contextProfile?: Profile): Promise<void>;
+    /**
+     * Get all relationships for this profile
+     *
+     * @param options - Filter options (typeSlug, direction)
+     * @returns Array of ProfileRelationship instances
+     */
+    getRelationships(options?: {
+        typeSlug?: string;
+        direction?: 'from' | 'to' | 'all';
+    }): Promise<ProfileRelationship[]>;
+    /**
+     * Get related profiles
+     *
+     * @param relationshipSlug - Optional filter by relationship type slug
+     * @returns Array of related Profile instances
+     */
+    getRelatedProfiles(relationshipSlug?: string): Promise<Profile[]>;
+    /**
+     * Remove a relationship to another profile
+     *
+     * @param toProfile - The target profile
+     * @param relationshipSlug - The type of relationship to remove
+     */
+    removeRelationship(toProfile: Profile, relationshipSlug: string): Promise<void>;
+    /**
+     * AI-powered: Generate a professional bio for this profile
+     *
+     * Uses the `smrtProfiles.profile.generateBio` prompt registered via
+     * `@happyvertical/smrt-prompts`, allowing tenant- or instance-level
+     * overrides of the template, model, and parameters at runtime.
+     *
+     * @returns Generated bio text
+     */
+    generateBio(): Promise<string>;
+    /**
+     * AI-powered: Check if profile matches criteria
+     *
+     * @param criteria - Criteria to match against
+     * @returns True if matches criteria
+     */
+    matches(criteria: string): Promise<boolean>;
+    /**
+     * Find profiles by metadata key-value pair
+     *
+     * @param metafieldSlug - The metafield slug to search
+     * @param value - The value to match
+     * @returns Array of matching profiles
+     */
+    static findByMetadata(_metafieldSlug: string, _value: any): Promise<Profile[]>;
+    /**
+     * Find profiles by type slug
+     *
+     * @param typeSlug - The profile type slug
+     * @returns Array of matching profiles
+     */
+    static findByType(_typeSlug: string): Promise<Profile[]>;
+    /**
+     * Find related profiles for a given profile
+     *
+     * @param profileId - The profile UUID
+     * @param relationshipSlug - Optional filter by relationship type
+     * @returns Array of related profiles
+     */
+    static findRelated(_profileId: string, _relationshipSlug?: string): Promise<Profile[]>;
+    /**
+     * Search profiles by email
+     *
+     * @param email - The email to search for
+     * @returns Profile or null if not found
+     */
+    static searchByEmail(_email: string): Promise<Profile | null>;
+    /**
+     * Get all API keys for this profile
+     *
+     * @returns Array of API keys
+     */
+    getApiKeys(): Promise<any[]>;
+    /**
+     * Get active (non-revoked, non-expired) API keys for this profile
+     *
+     * @returns Array of active API keys
+     */
+    getActiveApiKeys(): Promise<any[]>;
+    /**
+     * Generate a new API key for this profile
+     *
+     * @param options - Key options (name, scopes, expiration)
+     * @returns The generated key (plaintext) and ApiKey record
+     */
+    generateApiKey(options: {
+        name: string;
+        scopes?: string[];
+        expiresAt?: Date | null;
+    }): Promise<{
+        key: string;
+        apiKey: any;
+    }>;
+    /**
+     * Get all OIDC identities linked to this profile
+     *
+     * @returns Array of OIDC identity records
+     */
+    getOidcIdentities(): Promise<any[]>;
+    /**
+     * Link a new OIDC identity to this profile
+     *
+     * @param oidcData - OIDC provider data
+     * @returns The linked OIDC identity record
+     */
+    linkOidcIdentity(oidcData: {
+        provider: string;
+        issuer: string;
+        subject: string;
+        email?: string;
+    }): Promise<any>;
+    /**
+     * Get all Nostr identities linked to this profile
+     *
+     * @returns Array of Nostr identity records
+     */
+    getNostrIdentities(): Promise<any[]>;
+    /**
+     * Link a new Nostr identity to this profile
+     *
+     * @param nostrData - Nostr identity data (encrypted keypair)
+     * @returns The linked Nostr identity record
+     */
+    linkNostrIdentity(nostrData: {
+        pubkey: string;
+        encryptedPrivkey: string;
+        encryptionIv: string;
+        encryptionTag: string;
+        email: string;
+        nip05Username?: string;
+    }): Promise<any>;
+    /**
+     * Get audit logs for actions performed by this profile
+     *
+     * @param limit - Maximum number of logs to return
+     * @returns Array of audit log entries
+     */
+    getAuditLogs(limit?: number): Promise<any[]>;
+    /**
+     * Record an audit log entry for an action by this profile
+     *
+     * @param options - Audit log options
+     * @returns The created audit log entry
+     */
+    recordAction(options: {
+        action: string;
+        resourceType: string;
+        resourceId: string;
+        source?: 'web' | 'cli' | 'ci' | 'webhook' | 'mcp';
+        metadata?: Record<string, any>;
+        onBehalfOf?: Profile | null;
+    }): Promise<any>;
+}
+
+export declare class ProfileAsset extends SmrtObject {
+    tenantId: string | null;
+    profileId: string;
+    assetId: string;
+    relationship: string;
+    sortOrder: number;
+    constructor(options?: ProfileAssetOptions);
+}
+
+export declare class ProfileAssetCollection extends SmrtJunction<ProfileAsset> {
+    static readonly _itemClass: typeof ProfileAsset;
+    protected leftField: string;
+    protected rightField: string;
+    private profileCollectionPromise;
+    private getProfileCollection;
+    getAssets(profileId: string, relationship?: string): Promise<Asset[]>;
+    addAsset(profileId: string, asset: Asset, relationship?: string, sortOrder?: number): Promise<void>;
+    removeAsset(profileId: string, assetId: string, relationship?: string): Promise<void>;
+}
+
+export declare interface ProfileAssetOptions extends SmrtObjectOptions {
+    profileId?: string;
+    assetId?: string;
+    relationship?: string;
+    sortOrder?: number;
+    tenantId?: string | null;
+}
+
+export declare class ProfileCollection extends SmrtCollection<Profile> {
+    static readonly _itemClass: typeof Profile;
+    /**
+     * Find a profile by email address
+     *
+     * @param email - The email address to search for
+     * @returns The matching profile or null
+     */
+    findByEmail(email: string): Promise<Profile | null>;
+    /**
+     * Find profiles by type slug
+     *
+     * @param typeSlug - The profile type slug to filter by
+     * @returns Array of matching profiles
+     */
+    findByType(typeSlug: string): Promise<Profile[]>;
+    /**
+     * Batch get metadata for multiple profiles
+     *
+     * @param profileIds - Array of profile UUIDs
+     * @returns Map of profile ID to metadata object
+     */
+    batchGetMetadata(profileIds: string[]): Promise<Map<string, Record<string, any>>>;
+    /**
+     * Batch update metadata for multiple profiles
+     *
+     * @param updates - Array of { profileId, data } objects
+     */
+    batchUpdateMetadata(updates: Array<{
+        profileId: string;
+        data: Record<string, any>;
+    }>): Promise<void>;
+    /**
+     * Find related profiles for a given profile
+     *
+     * @param profileId - The profile UUID
+     * @param relationshipSlug - Optional filter by relationship type
+     * @returns Array of related profiles
+     */
+    findRelated(profileId: string, relationshipSlug?: string): Promise<Profile[]>;
+    getAssets(profileId: string, relationship?: string): Promise<Asset[]>;
+    addAsset(profileId: string, asset: Asset, relationship?: string, sortOrder?: number): Promise<void>;
+    removeAsset(profileId: string, assetId: string, relationship?: string): Promise<void>;
+    /**
+     * Get the relationship network for a profile up to a maximum depth
+     *
+     * @param profileId - The starting profile UUID
+     * @param options - Configuration options
+     * @returns Map of profile ID to depth level
+     */
+    getRelationshipNetwork(profileId: string, options?: {
+        maxDepth?: number;
+    }): Promise<Map<string, number>>;
+    /**
+     * Find all profiles belonging to a specific tenant
+     *
+     * @param tenantId - The tenant UUID to filter by
+     * @returns Array of profiles for this tenant
+     */
+    findByTenant(tenantId: string): Promise<Profile[]>;
+    /**
+     * Find all global profiles (without a tenant)
+     *
+     * @returns Array of profiles with null tenantId
+     */
+    findGlobal(): Promise<Profile[]>;
+    /**
+     * Find profiles belonging to a tenant plus all global profiles
+     *
+     * @param tenantId - The tenant UUID to include
+     * @returns Array of tenant-specific and global profiles
+     */
+    findWithGlobals(tenantId: string): Promise<Profile[]>;
+}
+
+export declare class ProfileMetadata extends SmrtObject {
+    tenantId: string | null;
+    profileId?: string;
+    metafieldId?: string;
+    value: string;
+    constructor(options?: ProfileMetadataOptions);
+    /**
+     * Validate this metadata value against the metafield's validation schema
+     *
+     * @returns True if valid, throws error if invalid
+     */
+    validate(): Promise<boolean>;
+    /**
+     * Get the metafield slug for this metadata
+     *
+     * @returns The slug of the metafield
+     */
+    getMetafieldSlug(): Promise<string>;
+}
+
+export declare class ProfileMetadataCollection extends SmrtCollection<ProfileMetadata> {
+    static readonly _itemClass: typeof ProfileMetadata;
+    /**
+     * Get all metadata for a profile
+     *
+     * @param profileId - The profile UUID
+     * @returns Array of ProfileMetadata instances
+     */
+    getByProfile(profileId: string): Promise<ProfileMetadata[]>;
+    /**
+     * Get metadata as key-value object for a profile
+     *
+     * @param profileId - The profile UUID
+     * @returns Object with metafield slugs as keys
+     */
+    getMetadataObject(profileId: string): Promise<Record<string, any>>;
+    /**
+     * Find all profiles with a specific metadata key-value pair
+     *
+     * @param metafieldId - The metafield UUID
+     * @param value - The value to match
+     * @returns Array of profile UUIDs
+     */
+    findProfilesByMetadata(metafieldId: string, value: any): Promise<string[]>;
+}
+
+export declare interface ProfileMetadataOptions extends SmrtObjectOptions {
+    profileId?: string;
+    metafieldId?: string;
+    value?: string;
+    tenantId?: string | null;
+}
+
+export declare class ProfileMetafield extends SmrtObject {
+    tenantId: string | null;
+    name: string;
+    description?: string;
+    validation?: Record<string, any>;
+    constructor(options?: ProfileMetafieldOptions);
+    /**
+     * Convenience method for slug-based lookup
+     *
+     * @param slug - The slug to search for
+     * @returns ProfileMetafield instance or null if not found
+     */
+    static getBySlug(_slug: string): Promise<ProfileMetafield | null>;
+    /**
+     * Register a custom validator function
+     *
+     * @param name - Name of the validator (used in validation.custom field)
+     * @param validator - The validator function
+     */
+    static registerValidator(name: string, validator: ValidatorFunction): void;
+    /**
+     * Get a registered custom validator
+     *
+     * @param name - Name of the validator
+     * @returns The validator function or undefined
+     */
+    static getValidator(name: string): ValidatorFunction | undefined;
+    /**
+     * Validate a value against this metafield's validation schema
+     *
+     * @param value - The value to validate
+     * @returns True if valid, throws ValidationError if invalid
+     */
+    validateValue(value: any): Promise<boolean>;
+}
+
+export declare class ProfileMetafieldCollection extends SmrtCollection<ProfileMetafield> {
+    static readonly _itemClass: typeof ProfileMetafield;
+    /**
+     * Get metafield by slug
+     *
+     * @param slug - The slug to search for
+     * @returns ProfileMetafield instance or null
+     */
+    getBySlug(slug: string): Promise<ProfileMetafield | null>;
+    /**
+     * Get or create a metafield by slug
+     *
+     * @param slug - The slug to search for
+     * @param defaults - Default values if creating
+     * @returns ProfileMetafield instance
+     */
+    getOrCreateBySlug(slug: string, defaults: {
+        name: string;
+        description?: string;
+        validation?: ValidationSchema;
+    }): Promise<ProfileMetafield>;
+}
+
+export declare interface ProfileMetafieldOptions extends SmrtObjectOptions {
+    slug?: string;
+    name?: string;
+    description?: string;
+    validation?: ValidationSchema;
+    tenantId?: string | null;
+}
+
+export declare interface ProfileOptions extends SmrtObjectOptions {
+    typeId?: string;
+    email?: string;
+    name?: string;
+    description?: string;
+    tenantId?: string | null;
+}
+
+export declare class ProfileRelationship extends SmrtObject {
+    tenantId: string | null;
+    fromProfileId?: string;
+    toProfileId?: string;
+    typeId?: string;
+    contextProfileId?: string;
+    terms: any[];
+    constructor(options?: ProfileRelationshipOptions);
+    /**
+     * Get the relationship type slug
+     *
+     * @returns The slug of the relationship type
+     */
+    getTypeSlug(): Promise<string>;
+    /**
+     * Add a term (time period) to this relationship
+     *
+     * @param startedAt - Start date of the term
+     * @param endedAt - Optional end date of the term
+     */
+    addTerm(startedAt: Date, endedAt?: Date): Promise<void>;
+    /**
+     * End the current active term
+     *
+     * @param endedAt - End date for the term
+     */
+    endCurrentTerm(endedAt: Date): Promise<void>;
+    /**
+     * Get all terms for this relationship
+     *
+     * @returns Array of ProfileRelationshipTerm instances
+     */
+    getTerms(): Promise<ProfileRelationshipTerm[]>;
+    /**
+     * Get the active term (no end date)
+     *
+     * @returns Current term or null if none active
+     */
+    getActiveTerm(): Promise<ProfileRelationshipTerm | null>;
+}
+
+export declare class ProfileRelationshipCollection extends SmrtCollection<ProfileRelationship> {
+    static readonly _itemClass: typeof ProfileRelationship;
+    /**
+     * Get all relationships from a profile
+     *
+     * @param fromProfileId - The origin profile UUID
+     * @param typeId - Optional filter by relationship type UUID
+     * @returns Array of ProfileRelationship instances
+     */
+    getFromProfile(fromProfileId: string, typeId?: string): Promise<ProfileRelationship[]>;
+    /**
+     * Get all relationships to a profile
+     *
+     * @param toProfileId - The target profile UUID
+     * @param typeId - Optional filter by relationship type UUID
+     * @returns Array of ProfileRelationship instances
+     */
+    getToProfile(toProfileId: string, typeId?: string): Promise<ProfileRelationship[]>;
+    /**
+     * Get all relationships for a profile (both directions)
+     *
+     * @param profileId - The profile UUID
+     * @param typeId - Optional filter by relationship type UUID
+     * @returns Array of ProfileRelationship instances
+     */
+    getForProfile(profileId: string, typeId?: string): Promise<ProfileRelationship[]>;
+    /**
+     * Check if a relationship exists between two profiles
+     *
+     * @param fromProfileId - The origin profile UUID
+     * @param toProfileId - The target profile UUID
+     * @param typeId - The relationship type UUID
+     * @returns True if relationship exists
+     */
+    exists(fromProfileId: string, toProfileId: string, typeId: string): Promise<boolean>;
+}
+
+export declare interface ProfileRelationshipOptions extends SmrtObjectOptions {
+    fromProfileId?: string;
+    toProfileId?: string;
+    typeId?: string;
+    contextProfileId?: string;
+    tenantId?: string | null;
+}
+
+export declare class ProfileRelationshipTerm extends SmrtObject {
+    relationshipId?: string;
+    startedAt: Date;
+    endedAt?: Date;
+    constructor(options?: ProfileRelationshipTermOptions);
+    /**
+     * Check if this term is currently active
+     *
+     * @returns True if active (no end date or end date in future)
+     */
+    isActive(): boolean;
+    /**
+     * End this term
+     *
+     * @param endedAt - End date for the term (defaults to now)
+     */
+    end(endedAt?: Date): Promise<void>;
+    /**
+     * Get the duration of this term in days
+     *
+     * @returns Duration in days
+     */
+    getDurationDays(): number;
+}
+
+export declare class ProfileRelationshipTermCollection extends SmrtCollection<ProfileRelationshipTerm> {
+    static readonly _itemClass: typeof ProfileRelationshipTerm;
+    /**
+     * Get all terms for a relationship
+     *
+     * @param relationshipId - The relationship UUID
+     * @returns Array of ProfileRelationshipTerm instances
+     */
+    getByRelationship(relationshipId: string): Promise<ProfileRelationshipTerm[]>;
+    /**
+     * Get the active term for a relationship (no end date or future end date)
+     *
+     * @param relationshipId - The relationship UUID
+     * @returns Active term or null
+     */
+    getActiveTerm(relationshipId: string): Promise<ProfileRelationshipTerm | null>;
+    /**
+     * Get all historical (ended) terms for a relationship
+     *
+     * @param relationshipId - The relationship UUID
+     * @returns Array of ended ProfileRelationshipTerm instances
+     */
+    getHistoricalTerms(relationshipId: string): Promise<ProfileRelationshipTerm[]>;
+}
+
+export declare interface ProfileRelationshipTermOptions extends SmrtObjectOptions {
+    relationshipId?: string;
+    startedAt?: Date;
+    endedAt?: Date;
+}
+
+export declare class ProfileRelationshipType extends SmrtObject {
+    name: string;
+    reciprocal: boolean;
+    constructor(options?: ProfileRelationshipTypeOptions);
+    /**
+     * Convenience method for slug-based lookup
+     *
+     * @param slug - The slug to search for
+     * @returns ProfileRelationshipType instance or null if not found
+     */
+    static getBySlug(_slug: string): Promise<ProfileRelationshipType | null>;
+    /**
+     * Register a custom reciprocal handler for a relationship type
+     *
+     * @param slug - The relationship type slug
+     * @param handler - The handler function to execute when creating reciprocal relationship
+     */
+    static registerReciprocalHandler(slug: string, handler: ReciprocalHandler): void;
+    /**
+     * Get the reciprocal handler for a relationship type
+     *
+     * @param slug - The relationship type slug
+     * @returns The handler function or undefined
+     */
+    static getReciprocalHandler(slug: string): ReciprocalHandler | undefined;
+    /**
+     * Check if a relationship type is reciprocal
+     *
+     * @param slug - The relationship type slug
+     * @returns True if reciprocal, false otherwise
+     */
+    static isReciprocal(slug: string): Promise<boolean>;
+}
+
+export declare class ProfileRelationshipTypeCollection extends SmrtCollection<ProfileRelationshipType> {
+    static readonly _itemClass: typeof ProfileRelationshipType;
+    /**
+     * Get relationship type by slug
+     *
+     * @param slug - The slug to search for
+     * @returns ProfileRelationshipType instance or null
+     */
+    getBySlug(slug: string): Promise<ProfileRelationshipType | null>;
+    /**
+     * Get or create a relationship type by slug
+     *
+     * @param slug - The slug to search for
+     * @param defaults - Default values if creating
+     * @returns ProfileRelationshipType instance
+     */
+    getOrCreateBySlug(slug: string, defaults: {
+        name: string;
+        reciprocal?: boolean;
+    }): Promise<ProfileRelationshipType>;
+    /**
+     * Get all reciprocal relationship types
+     *
+     * @returns Array of reciprocal ProfileRelationshipType instances
+     */
+    getReciprocal(): Promise<ProfileRelationshipType[]>;
+    /**
+     * Get all directional (non-reciprocal) relationship types
+     *
+     * @returns Array of directional ProfileRelationshipType instances
+     */
+    getDirectional(): Promise<ProfileRelationshipType[]>;
+}
+
+export declare interface ProfileRelationshipTypeOptions extends SmrtObjectOptions {
+    slug?: string;
+    name?: string;
+    reciprocal?: boolean;
+}
+
+export declare class ProfileType extends SmrtObject {
+    tenantId: string | null;
+    name: string;
+    description?: string;
+    constructor(options?: ProfileTypeOptions);
+    /**
+     * Convenience method for slug-based lookup
+     *
+     * @param slug - The slug to search for
+     * @returns ProfileType instance or null if not found
+     */
+    static getBySlug(_slug: string): Promise<ProfileType | null>;
+}
+
+export declare class ProfileTypeCollection extends SmrtCollection<ProfileType> {
+    static readonly _itemClass: typeof ProfileType;
+    /**
+     * Get profile type by slug
+     *
+     * @param slug - The slug to search for
+     * @returns ProfileType instance or null
+     */
+    getBySlug(slug: string): Promise<ProfileType | null>;
+    /**
+     * Get or create a profile type by slug
+     *
+     * @param slug - The slug to search for
+     * @param defaults - Default values if creating
+     * @returns ProfileType instance
+     */
+    getOrCreateBySlug(slug: string, defaults: {
+        name: string;
+        description?: string;
+    }): Promise<ProfileType>;
+}
+
+export declare interface ProfileTypeOptions extends SmrtObjectOptions {
+    slug?: string;
+    name?: string;
+    description?: string;
+    tenantId?: string | null;
+}
+
+export declare function promptMessageOptions(ai: ResolvedPromptAI): {
+    maxTokens?: number | undefined;
+    temperature?: number | undefined;
+    model?: string | undefined;
+};
+
+/**
+ * Convert hex public key to npub (bech32)
+ */
+export declare function pubkeyToNpub(pubkey: string): string;
+
+/**
+ * TypeScript type definitions for @have/profiles package
+ */
+/**
+ * Handler function interface for reciprocal relationships
+ *
+ * @param from - The profile initiating the relationship
+ * @param to - The target profile
+ * @param context - Optional context profile for tertiary relationships
+ * @param options - Additional options for the handler
+ */
+export declare type ReciprocalHandler = (from: any, to: any, context?: any, options?: any) => Promise<void>;
+
+/**
+ * Resolve authentication context to a Profile
+ *
+ * @param context - The authentication context from the request
+ * @returns The resolved profile and metadata
+ *
+ * @example
+ * ```typescript
+ * // In SvelteKit hooks.server.ts
+ * import { resolveIdentity } from '@happyvertical/smrt-profiles';
+ *
+ * const identityMiddleware: Handle = async ({ event, resolve }) => {
+ *   const session = await event.locals.auth();
+ *
+ *   const { profile, source } = await resolveIdentity({
+ *     oidcSession: session,
+ *     apiKey: event.request.headers.get('X-API-Key'),
+ *     actor: event.request.headers.get('X-Actor'),
+ *     db: { type: 'postgres', url: DATABASE_URL },
+ *   });
+ *
+ *   event.locals.profile = profile;
+ *   event.locals.authSource = source;
+ *
+ *   return resolve(event);
+ * };
+ * ```
+ */
+export declare function resolveIdentity(context: AuthContext): Promise<ResolveIdentityResult>;
+
+/**
+ * Result of identity resolution
+ */
+export declare interface ResolveIdentityResult {
+    /**
+     * The resolved profile, or null if not authenticated
+     */
+    profile: Profile | null;
+    /**
+     * How the identity was resolved
+     */
+    source: 'api_key' | 'oidc' | 'nostr' | 'actor' | 'none';
+    /**
+     * The API key record if authenticated via API key
+     */
+    apiKey?: ApiKey;
+    /**
+     * The OIDC identity record if authenticated via OIDC
+     */
+    oidcIdentity?: OidcIdentity;
+    /**
+     * The Nostr identity record if authenticated via Nostr
+     */
+    nostrIdentity?: NostrIdentity;
+}
+
+/**
+ * Sign a Nostr event using Schnorr signatures (BIP-340)
+ * @param event - Event to sign (without id and sig)
+ * @param privkey - Hex-encoded private key
+ */
+export declare function signEvent(event: Omit<NostrEvent, 'id' | 'sig'>, privkey: string): NostrEvent;
+
+export declare const smrtProfilesGenerateBioPrompt: PromptDefinition;
+
+/**
+ * Validation schema structure for profile metadata fields
+ */
+export declare interface ValidationSchema {
+    /** Type constraint */
+    type?: 'string' | 'number' | 'boolean' | 'date' | 'json';
+    /** Regex pattern for string validation */
+    pattern?: string;
+    /** Minimum string length */
+    minLength?: number;
+    /** Maximum string length */
+    maxLength?: number;
+    /** Minimum numeric value */
+    min?: number;
+    /** Maximum numeric value */
+    max?: number;
+    /** Custom validator function name */
+    custom?: string;
+    /** Custom validation error message */
+    message?: string;
+}
+
+/**
+ * Custom validator function type
+ */
+export declare type ValidatorFunction = (value: any) => boolean | Promise<boolean>;
+
+/**
+ * Verify an authentication event
+ * @param event - Auth event to verify
+ * @param expectedChallenge - Expected challenge string
+ * @param maxAgeSeconds - Maximum age of the event in seconds (default: 300 = 5 minutes)
+ */
+export declare function verifyAuthEvent(event: NostrEvent, expectedChallenge: string, maxAgeSeconds?: number): {
+    valid: boolean;
+    error?: string;
+};
+
+/**
+ * Verify a Nostr event Schnorr signature (BIP-340)
+ * @param event - Nostr event object with sig field
+ */
+export declare function verifyNostrSignature(event: NostrEvent): boolean;
+
+export declare interface VerifyResult {
+    success: boolean;
+    /** The profile */
+    profile?: Profile;
+    /** The Nostr identity */
+    nostrIdentity?: NostrIdentity;
+    /** The decrypted keypair (only on success) */
+    keypair?: {
+        pubkey: string;
+        privkey: string;
+        npub: string;
+        nsec: string;
+    };
+    /** Error message if success is false */
+    error?: string;
+    /** Error code for programmatic handling */
+    errorCode?: 'INVALID_TOKEN' | 'EXPIRED_TOKEN' | 'USED_TOKEN' | 'NOT_FOUND';
+}
+
+export { }