@vess-id/ai-identity 0.0.1 → 0.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/README.md +33 -12
  2. package/dist/index.d.mts +3004 -0
  3. package/dist/index.d.ts +3004 -0
  4. package/dist/index.js +266 -54
  5. package/dist/index.js.map +1 -1
  6. package/dist/index.mjs +261 -54
  7. package/dist/index.mjs.map +1 -1
  8. package/package.json +4 -2
package/dist/index.d.ts ADDED
@@ -0,0 +1,3004 @@
1
+ import { VerifiablePresentation, VPRequest, Agent, DIDDocument, VCTemplate, ConnectorResponse, ToolPermissionRequest, OrganizationConfig, Grant, CreateGrantRequest, GrantStatus, CheckGrantPermissionRequest, CheckGrantPermissionResult, UpdateGrantRequest, CredentialType, IssueSDJWTVCRequest, IssueSDJWTVCResult, VerifySDJWTVCResult, GrantConstraints, EvaluationContext, ConstraintEvaluationResult, ConstraintViolation, ConstraintWarning, TimeWindowConstraint, RiskLevel } from '@vess-id/ai-identity-types';
2
+ export * from '@vess-id/ai-identity-types';
3
+ import Ajv from 'ajv';
4
+ import * as jose from 'jose';
5
+ import { JWK } from 'jose';
6
+ import { SDJwtVcInstance } from '@sd-jwt/sd-jwt-vc';
7
+ import { DisclosureFrame } from '@sd-jwt/types';
8
+
9
+ /**
10
+ * Interface for key storage persistence
11
+ * Allows different storage backends (filesystem, database, memory, etc.)
12
+ */
13
+ interface KeyStorageProvider {
14
+ /**
15
+ * Store an encrypted key
16
+ * @param id Unique identifier for the key (e.g., DID hash)
17
+ * @param encryptedKey Encrypted key data
18
+ */
19
+ store(id: string, encryptedKey: string): Promise<void>;
20
+ /**
21
+ * Retrieve an encrypted key
22
+ * @param id Unique identifier for the key
23
+ * @returns Encrypted key data, or null if not found
24
+ */
25
+ retrieve(id: string): Promise<string | null>;
26
+ /**
27
+ * Delete a key
28
+ * @param id Unique identifier for the key
29
+ */
30
+ delete(id: string): Promise<void>;
31
+ /**
32
+ * List all stored key identifiers
33
+ * @returns Array of key identifiers
34
+ */
35
+ list(): Promise<string[]>;
36
+ /**
37
+ * Check if the storage is available and initialized
38
+ */
39
+ isAvailable(): Promise<boolean>;
40
+ }
41
+ /**
42
+ * Configuration for key storage
43
+ */
44
+ interface KeyStorageConfig {
45
+ /** Storage type identifier */
46
+ type: string;
47
+ /** Storage-specific options */
48
+ options?: Record<string, any>;
49
+ }
50
+
51
+ /**
52
+ * Filesystem-based key storage provider
53
+ */
54
+ declare class FilesystemKeyStorage implements KeyStorageProvider {
55
+ private keyStorePath;
56
+ constructor(config?: KeyStorageConfig);
57
+ store(id: string, encryptedKey: string): Promise<void>;
58
+ retrieve(id: string): Promise<string | null>;
59
+ delete(id: string): Promise<void>;
60
+ list(): Promise<string[]>;
61
+ isAvailable(): Promise<boolean>;
62
+ private ensureKeyStoreExists;
63
+ private getKeyPath;
64
+ }
65
+
66
+ /**
67
+ * In-memory key storage provider (for testing)
68
+ */
69
+ declare class MemoryKeyStorage implements KeyStorageProvider {
70
+ private keys;
71
+ store(id: string, encryptedKey: string): Promise<void>;
72
+ retrieve(id: string): Promise<string | null>;
73
+ delete(id: string): Promise<void>;
74
+ list(): Promise<string[]>;
75
+ isAvailable(): Promise<boolean>;
76
+ /**
77
+ * Clear all stored keys (for testing)
78
+ */
79
+ clear(): void;
80
+ }
81
+
82
+ declare class KeyManager {
83
+ private encryptionKey?;
84
+ private storageProvider;
85
+ constructor(password?: string, storageProvider?: KeyStorageProvider);
86
+ private createDefaultStorageProvider;
87
+ storeKey(did: string, privateKey: any): Promise<void>;
88
+ getKey(did: string): Promise<any | null>;
89
+ deleteKey(did: string): Promise<void>;
90
+ listDids(): Promise<string[]>;
91
+ /**
92
+ * Check if storage is available
93
+ */
94
+ isAvailable(): Promise<boolean>;
95
+ private didFromKeyId;
96
+ private encrypt;
97
+ private decrypt;
98
+ }
99
+
100
+ declare class VPManager {
101
+ private keyManager;
102
+ constructor(keyManager?: KeyManager);
103
+ /**
104
+ * Create a SD-JWT presentation using the present() method
105
+ * This properly binds the holder's key to the SD-JWT VC
106
+ */
107
+ create(vcs: string[], // Array of SD-JWT VC strings
108
+ options: {
109
+ holderDid: string;
110
+ challenge: string;
111
+ domain: string;
112
+ purpose?: string;
113
+ }): Promise<string>;
114
+ /**
115
+ * Verify a Verifiable Presentation
116
+ */
117
+ verify(vpJwt: string, options: {
118
+ expectedChallenge: string;
119
+ expectedDomain: string;
120
+ expectedHolder?: string;
121
+ }): Promise<VerifiablePresentation>;
122
+ /**
123
+ * Create a VP request
124
+ */
125
+ createRequest(domain: string, query?: {
126
+ type?: string;
127
+ credentialQuery?: any;
128
+ }): VPRequest;
129
+ /**
130
+ * Submit VP to a verifier
131
+ */
132
+ submit(vpJwt: string, verifierEndpoint: string): Promise<{
133
+ verified: boolean;
134
+ result?: any;
135
+ }>;
136
+ }
137
+
138
+ interface MemoryDocument {
139
+ id: string;
140
+ namespace: string;
141
+ content: string;
142
+ metadata?: Record<string, any>;
143
+ embedding?: number[];
144
+ createdAt: string;
145
+ updatedAt: string;
146
+ }
147
+ interface MemoryQuery {
148
+ query: string;
149
+ namespace?: string;
150
+ limit?: number;
151
+ filter?: Record<string, any>;
152
+ includeEmbedding?: boolean;
153
+ }
154
+ interface MemoryQueryResult {
155
+ documents: MemoryDocument[];
156
+ scores?: number[];
157
+ total: number;
158
+ }
159
+ declare class MemoryManager {
160
+ private vpManager;
161
+ private proxyApiUrl;
162
+ constructor(vpManager?: VPManager);
163
+ /**
164
+ * Write a document to memory
165
+ */
166
+ write(content: string, options: {
167
+ namespace: string;
168
+ metadata?: Record<string, any>;
169
+ vcs: string[];
170
+ holderDid: string;
171
+ }): Promise<MemoryDocument>;
172
+ /**
173
+ * Query memory with vector search
174
+ */
175
+ query(query: string, options: {
176
+ namespace?: string;
177
+ limit?: number;
178
+ filter?: Record<string, any>;
179
+ vcs: string[];
180
+ holderDid: string;
181
+ }): Promise<MemoryQueryResult>;
182
+ /**
183
+ * Delete a document from memory
184
+ */
185
+ delete(documentId: string, options: {
186
+ namespace: string;
187
+ vcs: string[];
188
+ holderDid: string;
189
+ }): Promise<void>;
190
+ /**
191
+ * List documents in a namespace
192
+ */
193
+ list(options: {
194
+ namespace: string;
195
+ limit?: number;
196
+ offset?: number;
197
+ vcs: string[];
198
+ holderDid: string;
199
+ }): Promise<MemoryQueryResult>;
200
+ /**
201
+ * Check if VCs authorize memory access
202
+ */
203
+ checkAuthorization(vcs: string[], action: 'read' | 'write' | 'delete', resource: string): Promise<boolean>;
204
+ private matchResource;
205
+ private generateChallenge;
206
+ }
207
+
208
+ interface AIdentityConfig {
209
+ didApi?: {
210
+ baseUrl: string;
211
+ apiKey?: string;
212
+ bearerToken?: string;
213
+ };
214
+ issuerApi?: {
215
+ baseUrl: string;
216
+ apiKey?: string;
217
+ bearerToken?: string;
218
+ };
219
+ verifierApi?: {
220
+ baseUrl: string;
221
+ apiKey?: string;
222
+ bearerToken?: string;
223
+ };
224
+ proxyApi?: {
225
+ baseUrl: string;
226
+ };
227
+ storage?: {
228
+ keyStorePath?: string;
229
+ };
230
+ }
231
+ declare function configure(config: AIdentityConfig): void;
232
+
233
+ declare class AgentManager {
234
+ private keyManager;
235
+ private agentDIDManager;
236
+ constructor(keyManager?: KeyManager);
237
+ /**
238
+ * Create a new AI agent with unique ID and DID
239
+ */
240
+ create(metadata?: Record<string, any>): Promise<Agent & {
241
+ id: string;
242
+ }>;
243
+ /**
244
+ * Get agent DID by agent ID
245
+ */
246
+ getAgentDID(agentId: string): Promise<string>;
247
+ /**
248
+ * Get agent by ID
249
+ */
250
+ getAgent(agentId: string): Promise<Agent & {
251
+ id: string;
252
+ }>;
253
+ /**
254
+ * Delete an agent and its DID
255
+ */
256
+ deleteAgent(agentId: string): Promise<void>;
257
+ /**
258
+ * Resolve a DID to get DID Document
259
+ */
260
+ resolve(did: string): Promise<DIDDocument>;
261
+ /**
262
+ * Export agent with private key (for backup)
263
+ */
264
+ export(did: string): Promise<{
265
+ agent: Agent;
266
+ privateKey: any;
267
+ }>;
268
+ /**
269
+ * Import agent from backup
270
+ */
271
+ import(agent: Agent, privateKey: any): Promise<void>;
272
+ /**
273
+ * List all locally stored agents
274
+ */
275
+ list(): Promise<Array<Agent & {
276
+ id: string;
277
+ }>>;
278
+ private createDidDocument;
279
+ private resolveDidJwkLocally;
280
+ private registerDid;
281
+ }
282
+
283
+ /**
284
+ * User Identity Manager
285
+ * Manages DID generation and lifecycle for Users (Issuers) specifically
286
+ * Separate from Agent management to avoid confusion
287
+ */
288
+ declare class UserIdentityManager {
289
+ private keyManager;
290
+ private currentUserDID;
291
+ constructor(keyManager?: KeyManager);
292
+ /**
293
+ * Get or create current user DID
294
+ * This represents the user who will be the issuer of VCs
295
+ */
296
+ getCurrentUserDID(): Promise<string>;
297
+ /**
298
+ * Create a new user DID (for issuing VCs)
299
+ */
300
+ createUserDID(): Promise<string>;
301
+ /**
302
+ * Get user's key pair
303
+ */
304
+ getUserKeyPair(): Promise<any>;
305
+ /**
306
+ * Resolve user DID to DID Document
307
+ */
308
+ resolveUserDID(did?: string): Promise<DIDDocument>;
309
+ /**
310
+ * Export user identity for backup
311
+ */
312
+ exportUserIdentity(): Promise<{
313
+ did: string;
314
+ privateKey: any;
315
+ didDocument: DIDDocument;
316
+ }>;
317
+ /**
318
+ * Import user identity from backup
319
+ */
320
+ importUserIdentity(backup: {
321
+ did: string;
322
+ privateKey: any;
323
+ }): Promise<void>;
324
+ /**
325
+ * Reset user identity (create new DID)
326
+ */
327
+ resetUserIdentity(): Promise<string>;
328
+ /**
329
+ * Resolve did:jwk locally
330
+ */
331
+ private resolveDidJwkLocally;
332
+ /**
333
+ * Create DID Document
334
+ */
335
+ private createDidDocument;
336
+ /**
337
+ * Save current user DID to persistent storage
338
+ */
339
+ private saveUserDID;
340
+ /**
341
+ * Load current user DID from persistent storage
342
+ */
343
+ private loadUserDID;
344
+ /**
345
+ * Clear saved user DID
346
+ */
347
+ private clearUserDID;
348
+ }
349
+
350
+ declare class VCManager {
351
+ private keyManager;
352
+ private templates;
353
+ private agentManager;
354
+ private userIdentityManager;
355
+ constructor(keyManager?: KeyManager, agentManager?: AgentManager, userIdentityManager?: UserIdentityManager);
356
+ /**
357
+ * Get fields that should be selectively disclosable based on VC type
358
+ */
359
+ private getSelectivelyDisclosableFields;
360
+ /**
361
+ * Issue a Verifiable Credential as SD-JWT VC
362
+ * Enhanced to support User/Agent DID separation
363
+ */
364
+ issue(template: string, claims: any, options: {
365
+ issuerDid?: string;
366
+ subjectDid?: string;
367
+ agentId?: string;
368
+ expiresIn?: string;
369
+ }): Promise<string>;
370
+ /**
371
+ * Get subject's public key for cnf claim
372
+ */
373
+ private getSubjectPublicKey;
374
+ /**
375
+ * Issue using existing Issuer API (OID4VCI)
376
+ */
377
+ issueViaAPI(credentialType: string, claims: any, options: {
378
+ issuerDid: string;
379
+ subjectDid: string;
380
+ }): Promise<string>;
381
+ /**
382
+ * Verify a SD-JWT VC
383
+ */
384
+ verify(sdjwtVc: string, options?: {
385
+ expectedIssuer?: string;
386
+ expectedSubject?: string;
387
+ requiredClaims?: string[];
388
+ }): Promise<any>;
389
+ /**
390
+ * Revoke a Verifiable Credential
391
+ */
392
+ revoke(_vcId: string, _issuerDid: string): Promise<void>;
393
+ /**
394
+ * Register a custom VC template
395
+ */
396
+ registerTemplate(template: VCTemplate): void;
397
+ private registerDefaultTemplates;
398
+ private calculateExpirationDate;
399
+ }
400
+
401
+ interface ToolDefinition {
402
+ name: string;
403
+ description: string;
404
+ actions: {
405
+ name: string;
406
+ description: string;
407
+ parameters: Record<string, any>;
408
+ }[];
409
+ }
410
+ declare class ToolManager {
411
+ private vpManager;
412
+ private tools;
413
+ private proxyApiUrl;
414
+ constructor(vpManager?: VPManager);
415
+ /**
416
+ * Invoke a tool action with VC authorization
417
+ */
418
+ invoke<T = any>(tool: string, action: string, params: Record<string, any>, options: {
419
+ vcs: string[];
420
+ holderDid: string;
421
+ }): Promise<ConnectorResponse<T>>;
422
+ /**
423
+ * List available tools
424
+ */
425
+ list(): ToolDefinition[];
426
+ /**
427
+ * Get a specific tool definition
428
+ */
429
+ getTool(name: string): ToolDefinition | undefined;
430
+ /**
431
+ * Register a custom tool
432
+ */
433
+ registerTool(tool: ToolDefinition): void;
434
+ /**
435
+ * Check if VCs authorize a tool action
436
+ */
437
+ checkAuthorization(vcs: string[], tool: string, action: string, resourceScope?: Record<string, any>): Promise<boolean>;
438
+ private matchScope;
439
+ private generateChallenge;
440
+ private registerDefaultTools;
441
+ }
442
+
443
+ declare class OrganizationManager {
444
+ private vpManager;
445
+ private vcManager;
446
+ private apiBaseUrl;
447
+ constructor(vpManager?: VPManager, vcManager?: VCManager);
448
+ /**
449
+ * Request tool permissions using employee VC
450
+ */
451
+ requestToolPermissions(employeeVCJWT: string, requestedTools: ToolPermissionRequest[], holderDid: string): Promise<{
452
+ permittedPermissions: ToolPermissionRequest[];
453
+ employee: any;
454
+ }>;
455
+ /**
456
+ * Issue tool permissions to AI Agent based on organization approval
457
+ */
458
+ issueOrganizationDelegatedPermissions(agentDid: string, employeeVCJWT: string, requestedTools: ToolPermissionRequest[], issuerDid: string): Promise<string[]>;
459
+ /**
460
+ * Create simplified workflow for employee to AI Agent delegation
461
+ */
462
+ delegateToAIAgent(employeeVCJWT: string, agentDid: string, tools: string[], // ['slack', 'gmail', 'github']
463
+ issuerDid: string, options?: {
464
+ duration?: string;
465
+ justification?: string;
466
+ }): Promise<{
467
+ issuedVCs: string[];
468
+ permissionSummary: Record<string, string[]>;
469
+ }>;
470
+ /**
471
+ * Register organization with AIdentity
472
+ */
473
+ registerOrganization(config: OrganizationConfig): Promise<void>;
474
+ private generateChallenge;
475
+ private extractActionFromVC;
476
+ }
477
+
478
+ /**
479
+ * Grant提案レスポンス
480
+ */
481
+ interface GrantSuggestion {
482
+ id: string;
483
+ oauthTokenId: string;
484
+ targetUserId?: string;
485
+ projectId: string;
486
+ provider: string;
487
+ suggestedActions: string[];
488
+ suggestedResources: Array<{
489
+ type: string;
490
+ id?: string;
491
+ pattern?: string;
492
+ name?: string;
493
+ }>;
494
+ metadata: {
495
+ providerInfo: any;
496
+ scopes: string[];
497
+ };
498
+ createdAt: string;
499
+ }
500
+ /**
501
+ * Grant提案確認リクエスト
502
+ */
503
+ interface ConfirmGrantRequest {
504
+ suggestionId: string;
505
+ selectedActions: string[];
506
+ selectedResources: Array<{
507
+ type: string;
508
+ id?: string;
509
+ pattern?: string;
510
+ name?: string;
511
+ selected: boolean;
512
+ }>;
513
+ constraints: {
514
+ maxInvocations?: number;
515
+ expiresAt?: string;
516
+ timeWindow?: {
517
+ start: string;
518
+ end: string;
519
+ timezone: string;
520
+ daysOfWeek: number[];
521
+ };
522
+ };
523
+ name?: string;
524
+ description?: string;
525
+ }
526
+ /**
527
+ * GrantManager
528
+ * Grants APIを操作するSDKクライアント
529
+ */
530
+ declare class GrantManager {
531
+ constructor(_vpManager: VPManager);
532
+ /**
533
+ * Grant提案を取得
534
+ * @param options - 提案オプション
535
+ * @param options.oauthTokenId - OAuthトークンID
536
+ * @param options.targetUserId - 対象ユーザーID
537
+ * @param options.projectId - プロジェクトID
538
+ * @param authOptions - 認証オプション(VP or issuerDid)
539
+ */
540
+ suggest(options: {
541
+ oauthTokenId: string;
542
+ targetUserId: string;
543
+ projectId: string;
544
+ }, authOptions: {
545
+ vpJwt?: string;
546
+ issuerDid?: string;
547
+ }): Promise<GrantSuggestion>;
548
+ /**
549
+ * Grant提案を確認して作成
550
+ * @param request - 確認リクエスト
551
+ * @param authOptions - 認証オプション
552
+ */
553
+ confirm(request: ConfirmGrantRequest, authOptions: {
554
+ vpJwt?: string;
555
+ issuerDid?: string;
556
+ }): Promise<Grant>;
557
+ /**
558
+ * Grantを直接作成
559
+ * @param request - Grant作成リクエスト
560
+ * @param authOptions - 認証オプション
561
+ */
562
+ create(request: CreateGrantRequest, authOptions: {
563
+ vpJwt?: string;
564
+ issuerDid?: string;
565
+ }): Promise<Grant>;
566
+ /**
567
+ * ユーザー用のGrant一覧を取得
568
+ * @param userId - ユーザーID
569
+ * @param status - フィルタするステータス(オプション)
570
+ */
571
+ listForUser(userId: string, status?: GrantStatus): Promise<{
572
+ grants: Grant[];
573
+ total: number;
574
+ }>;
575
+ /**
576
+ * Issuer用のGrant一覧を取得
577
+ * @param issuerDid - IssuerのDID
578
+ * @param status - フィルタするステータス(オプション)
579
+ */
580
+ listForIssuer(issuerDid: string, status?: GrantStatus): Promise<{
581
+ grants: Grant[];
582
+ total: number;
583
+ }>;
584
+ /**
585
+ * Grantを取得
586
+ * @param grantId - GrantのID
587
+ */
588
+ get(grantId: string): Promise<Grant>;
589
+ /**
590
+ * Grantを取り消し
591
+ * @param grantId - GrantのID
592
+ * @param reason - 取り消し理由
593
+ * @param authOptions - 認証オプション
594
+ */
595
+ revoke(grantId: string, reason: string, authOptions: {
596
+ vpJwt?: string;
597
+ issuerDid?: string;
598
+ }): Promise<Grant>;
599
+ /**
600
+ * Grant権限をチェック
601
+ * @param request - 権限チェックリクエスト
602
+ */
603
+ checkPermission(request: CheckGrantPermissionRequest): Promise<CheckGrantPermissionResult>;
604
+ /**
605
+ * Grant更新
606
+ * @param grantId - GrantのID
607
+ * @param request - 更新リクエスト
608
+ * @param authOptions - 認証オプション
609
+ */
610
+ update(grantId: string, request: UpdateGrantRequest, authOptions: {
611
+ vpJwt?: string;
612
+ issuerDid?: string;
613
+ }): Promise<Grant>;
614
+ }
615
+
616
+ declare class AIdentityClient {
617
+ readonly agent: AgentManager;
618
+ readonly user: UserIdentityManager;
619
+ readonly vc: VCManager;
620
+ readonly vp: VPManager;
621
+ readonly tool: ToolManager;
622
+ readonly memory: MemoryManager;
623
+ readonly organization: OrganizationManager;
624
+ readonly grant: GrantManager;
625
+ private keyManager;
626
+ private currentAgent?;
627
+ constructor(config?: AIdentityConfig, password?: string);
628
+ /**
629
+ * Quick setup: Create or load an agent
630
+ */
631
+ setup(did?: string): Promise<Agent>;
632
+ /**
633
+ * Get current agent
634
+ */
635
+ getCurrentAgent(): Agent | undefined;
636
+ /**
637
+ * Get current user DID
638
+ */
639
+ getCurrentUserDID(): Promise<string>;
640
+ /**
641
+ * Create or reset user identity
642
+ */
643
+ resetUserIdentity(): Promise<string>;
644
+ /**
645
+ * Issue a VC for tool permission
646
+ * Enhanced to support User → Agent delegation pattern
647
+ */
648
+ issueToolPermission(tool: string, action: string, options: {
649
+ subjectDid?: string;
650
+ agentId?: string;
651
+ issuerDid?: string;
652
+ resourceScope?: Record<string, any>;
653
+ expiresIn?: string;
654
+ }): Promise<string>;
655
+ /**
656
+ * Issue a VC for data access
657
+ * Enhanced to support User → Agent delegation pattern
658
+ */
659
+ issueDataAccess(resource: string, actions: ('read' | 'write' | 'delete')[], options: {
660
+ subjectDid?: string;
661
+ agentId?: string;
662
+ issuerDid?: string;
663
+ expiresIn?: string;
664
+ }): Promise<string>;
665
+ /**
666
+ * Invoke a tool with automatic VP creation
667
+ */
668
+ invokeTool<T = any>(tool: string, action: string, params: Record<string, any>, vcs: string[]): Promise<ConnectorResponse<T>>;
669
+ /**
670
+ * Write to memory with automatic VP creation
671
+ */
672
+ writeMemory(content: string, namespace: string, vcs: string[], metadata?: Record<string, any>): Promise<MemoryDocument>;
673
+ /**
674
+ * Query memory with automatic VP creation
675
+ */
676
+ queryMemory(query: string, vcs: string[], options?: {
677
+ namespace?: string;
678
+ limit?: number;
679
+ filter?: Record<string, any>;
680
+ }): Promise<MemoryQueryResult>;
681
+ }
682
+ declare function getClient(config?: AIdentityConfig, password?: string): AIdentityClient;
683
+
684
+ /**
685
+ * Agent DID Manager
686
+ * Manages DID generation and lifecycle for AI Agents specifically
687
+ */
688
+ declare class AgentDIDManager {
689
+ private keyManager;
690
+ private agentDIDMap;
691
+ constructor(keyManager?: KeyManager);
692
+ /**
693
+ * Generate a new DID for an AI Agent
694
+ */
695
+ generateAgentDID(agentId: string): Promise<string>;
696
+ /**
697
+ * Get DID for a specific agent
698
+ */
699
+ getAgentDID(agentId: string): Promise<string>;
700
+ /**
701
+ * Check if agent has a DID
702
+ */
703
+ hasAgentDID(agentId: string): Promise<boolean>;
704
+ /**
705
+ * Get agent's key pair
706
+ */
707
+ getAgentKeyPair(agentId: string): Promise<any>;
708
+ /**
709
+ * Delete agent DID and associated keys
710
+ */
711
+ deleteAgentDID(agentId: string): Promise<void>;
712
+ /**
713
+ * List all agent DIDs
714
+ */
715
+ listAgentDIDs(): Promise<Array<{
716
+ agentId: string;
717
+ did: string;
718
+ }>>;
719
+ /**
720
+ * Save agent ID -> DID mapping to persistent storage
721
+ */
722
+ private saveAgentDIDMapping;
723
+ /**
724
+ * Load agent ID -> DID mapping from persistent storage
725
+ */
726
+ private loadAgentDIDMapping;
727
+ /**
728
+ * Delete agent ID -> DID mapping from persistent storage
729
+ */
730
+ private deleteAgentDIDMapping;
731
+ }
732
+
733
+ interface OrganizationDisclosureConfig {
734
+ organizationDid: string;
735
+ defaultFields: string[];
736
+ credentialTypeConfigs: Map<CredentialType, CredentialDisclosureConfig>;
737
+ createdAt: Date;
738
+ updatedAt: Date;
739
+ }
740
+ interface CredentialDisclosureConfig {
741
+ type: CredentialType;
742
+ mandatoryFields: string[];
743
+ selectiveFields: string[];
744
+ neverDisclose: string[];
745
+ decoyFields?: number;
746
+ }
747
+ declare class DisclosureConfigManager {
748
+ private configs;
749
+ /**
750
+ * Set disclosure configuration for an organization
751
+ */
752
+ setOrganizationConfig(organizationDid: string, config: Partial<OrganizationDisclosureConfig>): Promise<void>;
753
+ /**
754
+ * Get disclosure configuration for an organization
755
+ */
756
+ getOrganizationConfig(organizationDid: string): Promise<OrganizationDisclosureConfig | null>;
757
+ /**
758
+ * Set credential type specific disclosure configuration
759
+ */
760
+ setCredentialTypeConfig(organizationDid: string, credentialType: CredentialType, config: CredentialDisclosureConfig): Promise<void>;
761
+ /**
762
+ * Get selective disclosure fields for a specific credential type and organization
763
+ */
764
+ getSelectiveDisclosureFields(organizationDid: string, credentialType: CredentialType, requestedFields?: string[]): Promise<{
765
+ selectiveFields: string[];
766
+ mandatoryFields: string[];
767
+ neverDisclose: string[];
768
+ decoyCount: number;
769
+ }>;
770
+ /**
771
+ * Get default configuration for credential types
772
+ */
773
+ private getDefaultConfiguration;
774
+ /**
775
+ * Validate disclosure request against organization policy
776
+ */
777
+ validateDisclosureRequest(organizationDid: string, credentialType: CredentialType, requestedFields: string[]): Promise<{
778
+ valid: boolean;
779
+ allowedFields: string[];
780
+ rejectedFields: string[];
781
+ errors: string[];
782
+ }>;
783
+ /**
784
+ * Get all organization configurations (for admin purposes)
785
+ */
786
+ getAllConfigurations(): Promise<OrganizationDisclosureConfig[]>;
787
+ /**
788
+ * Delete organization configuration
789
+ */
790
+ deleteOrganizationConfig(organizationDid: string): Promise<boolean>;
791
+ }
792
+
793
+ /**
794
+ * API-focused VC Manager for server-side operations
795
+ * Provides stateless SD-JWT operations without local persistence
796
+ */
797
+ declare class APIVCManager {
798
+ private keyManager;
799
+ private disclosureManager;
800
+ constructor(keyManager?: KeyManager, disclosureManager?: DisclosureConfigManager);
801
+ /**
802
+ * Issue an SD-JWT VC with selective disclosure
803
+ */
804
+ issueSDJWTVC(request: IssueSDJWTVCRequest): Promise<IssueSDJWTVCResult>;
805
+ /**
806
+ * Verify an SD-JWT VC
807
+ */
808
+ verifySDJWTVC(credential: string): Promise<VerifySDJWTVCResult>;
809
+ /**
810
+ * Issue a project access credential
811
+ */
812
+ issueProjectAccessCredential(agentDid: string, projectId: string, permissions: string[], issuerDid: string, expirationHours?: number): Promise<IssueSDJWTVCResult>;
813
+ /**
814
+ * Issue a tool access credential
815
+ */
816
+ issueToolAccessCredential(agentDid: string, toolName: string, actions: string[], projectId: string, issuerDid: string, expirationHours?: number): Promise<IssueSDJWTVCResult>;
817
+ /**
818
+ * Issue a multi-tool access credential
819
+ */
820
+ issueMultiToolCredential(agentDid: string, toolPermissions: Array<{
821
+ tool: string;
822
+ actions: string[];
823
+ }>, projectId: string, issuerDid: string, expirationHours?: number): Promise<IssueSDJWTVCResult>;
824
+ /**
825
+ * Issue an admin credential
826
+ */
827
+ issueAdminCredential(agentDid: string, scope: 'project' | 'global', projectId: string | undefined, issuerDid: string, expirationHours?: number): Promise<IssueSDJWTVCResult>;
828
+ }
829
+
830
+ interface KeyRotationConfig {
831
+ /** How often keys should be rotated (in hours) */
832
+ rotationInterval: number;
833
+ /** How many old keys to keep for verification */
834
+ keepOldKeys: number;
835
+ /** Warning threshold before rotation (in hours) */
836
+ warningThreshold: number;
837
+ }
838
+ interface KeyRotationInfo {
839
+ currentKeyId: string;
840
+ nextRotationDate: Date;
841
+ oldKeys: Array<{
842
+ keyId: string;
843
+ rotatedAt: Date;
844
+ expiresAt: Date;
845
+ }>;
846
+ needsRotation: boolean;
847
+ warningActive: boolean;
848
+ }
849
+ declare class KeyRotationManager {
850
+ private keyManager;
851
+ private config;
852
+ constructor(keyManager: KeyManager, config?: Partial<KeyRotationConfig>);
853
+ /**
854
+ * Check if organization keys need rotation
855
+ */
856
+ checkRotationStatus(organizationDid: string): Promise<KeyRotationInfo>;
857
+ /**
858
+ * Rotate organization keys
859
+ * NOTE: Currently not implemented for did:jwk
860
+ */
861
+ rotateOrganizationKeys(organizationDid: string): Promise<{
862
+ newDid: string;
863
+ newPrivateKey: any;
864
+ rotationDate: Date;
865
+ }>;
866
+ /**
867
+ * Get old keys for verification (useful for grace periods)
868
+ */
869
+ getOldKeysForVerification(organizationDid: string): Promise<Array<{
870
+ keyId: string;
871
+ publicKey: any;
872
+ validUntil: Date;
873
+ }>>;
874
+ /**
875
+ * Plan future key rotation (for did:web or other mutable DID methods)
876
+ */
877
+ planKeyRotation(organizationDid: string): Promise<{
878
+ plannedRotationDate: Date;
879
+ currentKeyAge: number;
880
+ recommendedAction: 'none' | 'prepare' | 'rotate_now' | 'urgent';
881
+ }>;
882
+ /**
883
+ * Update rotation configuration
884
+ */
885
+ updateConfig(newConfig: Partial<KeyRotationConfig>): void;
886
+ /**
887
+ * Get current configuration
888
+ */
889
+ getConfig(): KeyRotationConfig;
890
+ }
891
+
892
+ interface SDJWTMetrics {
893
+ issuanceCount: number;
894
+ verificationCount: number;
895
+ failedIssuances: number;
896
+ failedVerifications: number;
897
+ averageIssuanceTime: number;
898
+ averageVerificationTime: number;
899
+ cacheHitRate: number;
900
+ lastActivity: Date;
901
+ }
902
+ interface OperationMetric {
903
+ operation: 'issue' | 'verify';
904
+ startTime: number;
905
+ endTime: number;
906
+ success: boolean;
907
+ error?: string;
908
+ issuerDid?: string;
909
+ credentialType?: string;
910
+ }
911
+ declare class MetricsManager {
912
+ private metrics;
913
+ private operations;
914
+ private maxOperationHistory;
915
+ /**
916
+ * Start tracking an operation
917
+ */
918
+ startOperation(operation: 'issue' | 'verify', metadata?: Record<string, any>): string;
919
+ /**
920
+ * End tracking an operation
921
+ */
922
+ endOperation(_operationId: string, success: boolean, error?: string): void;
923
+ /**
924
+ * Update aggregated metrics
925
+ */
926
+ private updateMetrics;
927
+ /**
928
+ * Get metrics for a specific issuer or global
929
+ */
930
+ getMetrics(issuerDid?: string): SDJWTMetrics | null;
931
+ /**
932
+ * Get all metrics
933
+ */
934
+ getAllMetrics(): Map<string, SDJWTMetrics>;
935
+ /**
936
+ * Get recent operations
937
+ */
938
+ getRecentOperations(limit?: number): OperationMetric[];
939
+ /**
940
+ * Get operation statistics
941
+ */
942
+ getOperationStats(): {
943
+ totalOperations: number;
944
+ successRate: number;
945
+ averageResponseTime: number;
946
+ operationsPerMinute: number;
947
+ };
948
+ /**
949
+ * Update cache hit rate
950
+ */
951
+ updateCacheHitRate(issuerDid: string, hit: boolean): void;
952
+ /**
953
+ * Reset metrics
954
+ */
955
+ resetMetrics(issuerDid?: string): void;
956
+ /**
957
+ * Export metrics as JSON
958
+ */
959
+ exportMetrics(): {
960
+ aggregatedMetrics: Record<string, SDJWTMetrics>;
961
+ recentOperations: OperationMetric[];
962
+ summary: ReturnType<any>;
963
+ };
964
+ }
965
+
966
+ interface RevocationListEntry {
967
+ credentialId: string;
968
+ revocationDate: Date;
969
+ reason?: string;
970
+ revokedBy: string;
971
+ }
972
+ interface RevocationList {
973
+ id: string;
974
+ issuer: string;
975
+ type: 'StatusList2021' | 'BitStringStatusList';
976
+ statusPurpose: 'revocation' | 'suspension';
977
+ encodedList: string;
978
+ entries: RevocationListEntry[];
979
+ createdAt: Date;
980
+ updatedAt: Date;
981
+ }
982
+ interface CredentialStatusInfo {
983
+ id: string;
984
+ type: string;
985
+ statusListIndex: number;
986
+ statusListCredential: string;
987
+ revocationReason?: string;
988
+ revocationDate?: Date;
989
+ }
990
+ declare class RevocationManager {
991
+ private revocationLists;
992
+ private credentialStatuses;
993
+ /**
994
+ * Create a new revocation list
995
+ */
996
+ createRevocationList(issuer: string, type?: 'StatusList2021' | 'BitStringStatusList', purpose?: 'revocation' | 'suspension'): Promise<RevocationList>;
997
+ /**
998
+ * Add credential to revocation list
999
+ */
1000
+ addCredentialToRevocationList(credentialId: string, listId: string, statusIndex?: number): Promise<CredentialStatusInfo>;
1001
+ /**
1002
+ * Revoke a credential
1003
+ */
1004
+ revokeCredential(credentialId: string, reason?: string, revokedBy?: string): Promise<boolean>;
1005
+ /**
1006
+ * Check if credential is revoked
1007
+ */
1008
+ isCredentialRevoked(credentialId: string): Promise<{
1009
+ revoked: boolean;
1010
+ reason?: string;
1011
+ revokedDate?: Date;
1012
+ revokedBy?: string;
1013
+ }>;
1014
+ /**
1015
+ * Get credential status info
1016
+ */
1017
+ getCredentialStatus(credentialId: string): Promise<CredentialStatusInfo | null>;
1018
+ /**
1019
+ * Get revocation list
1020
+ */
1021
+ getRevocationList(listId: string): Promise<RevocationList | null>;
1022
+ /**
1023
+ * Get all revocation lists for an issuer
1024
+ */
1025
+ getIssuerRevocationLists(issuer: string): Promise<RevocationList[]>;
1026
+ /**
1027
+ * Restore/unreovke a credential
1028
+ */
1029
+ restoreCredential(credentialId: string): Promise<boolean>;
1030
+ /**
1031
+ * Create empty bit string
1032
+ */
1033
+ private createEmptyBitString;
1034
+ /**
1035
+ * Set bit in encoded string
1036
+ */
1037
+ private setBitInString;
1038
+ /**
1039
+ * Get bit from encoded string
1040
+ */
1041
+ private getBitFromString;
1042
+ /**
1043
+ * Find next available index in revocation list
1044
+ */
1045
+ private findNextAvailableIndex;
1046
+ /**
1047
+ * Export revocation list in standard format
1048
+ */
1049
+ exportRevocationList(listId: string): Promise<{
1050
+ '@context': string[];
1051
+ id: string;
1052
+ type: string[];
1053
+ issuer: string;
1054
+ validFrom: string;
1055
+ credentialSubject: {
1056
+ id: string;
1057
+ type: string;
1058
+ statusPurpose: string;
1059
+ encodedList: string;
1060
+ };
1061
+ } | null>;
1062
+ }
1063
+
1064
+ /**
1065
+ * ConstraintEvaluator
1066
+ * Grant制約の評価ロジック
1067
+ */
1068
+
1069
+ interface ConstraintEvaluatorOptions {
1070
+ /** 警告を発する残り実行回数の閾値 */
1071
+ invocationWarningThreshold?: number;
1072
+ /** 警告を発するリスクスコアの閾値(riskThresholdに対する割合) */
1073
+ riskWarningRatio?: number;
1074
+ /** デフォルトタイムゾーン */
1075
+ defaultTimezone?: string;
1076
+ }
1077
+ /**
1078
+ * 制約評価クラス
1079
+ */
1080
+ declare class ConstraintEvaluator {
1081
+ private options;
1082
+ constructor(options?: Partial<ConstraintEvaluatorOptions>);
1083
+ /**
1084
+ * 制約を総合評価
1085
+ */
1086
+ evaluate(constraints: GrantConstraints, context: EvaluationContext, currentInvocations: number, expiresAt?: Date): ConstraintEvaluationResult;
1087
+ /**
1088
+ * 期限チェック
1089
+ */
1090
+ checkExpiration(grantExpiresAt?: Date, constraintExpiresAt?: string): {
1091
+ violation?: ConstraintViolation;
1092
+ };
1093
+ /**
1094
+ * 実行回数チェック
1095
+ */
1096
+ checkInvocationLimit(maxInvocations?: number, currentInvocations?: number): {
1097
+ violation?: ConstraintViolation;
1098
+ warning?: ConstraintWarning;
1099
+ };
1100
+ /**
1101
+ * 時間帯チェック
1102
+ */
1103
+ checkTimeWindow(timeWindow: TimeWindowConstraint, currentTime: Date): {
1104
+ violation?: ConstraintViolation;
1105
+ warning?: ConstraintWarning;
1106
+ };
1107
+ /**
1108
+ * IPアドレスチェック
1109
+ */
1110
+ checkIpAllowlist(allowlist: string[], ipAddress: string): {
1111
+ violation?: ConstraintViolation;
1112
+ };
1113
+ /**
1114
+ * リスクスコアチェック
1115
+ */
1116
+ checkRiskThreshold(threshold: number, currentScore: number): {
1117
+ violation?: ConstraintViolation;
1118
+ warning?: ConstraintWarning;
1119
+ };
1120
+ private getDayOfWeekInTimezone;
1121
+ private getTimeInTimezone;
1122
+ private getDayName;
1123
+ private timeToMinutes;
1124
+ private isIpInCidr;
1125
+ private ipToNumber;
1126
+ }
1127
+ /**
1128
+ * デフォルトのConstraintEvaluatorインスタンス
1129
+ */
1130
+ declare const defaultConstraintEvaluator: ConstraintEvaluator;
1131
+ /**
1132
+ * 簡易評価関数
1133
+ */
1134
+ declare function evaluateConstraints(constraints: GrantConstraints, context: EvaluationContext, currentInvocations: number, expiresAt?: Date): ConstraintEvaluationResult;
1135
+
1136
+ type Relation = 'viewer' | 'editor' | 'admin' | 'owner' | 'act_as';
1137
+ /** MVPの対象リソース(必要に応じて拡張) */
1138
+ type ResourceType = 'SlackChannel' | 'GitHubRepo' | 'DriveFile';
1139
+ /** JSON Schema を受け取るための型。Ajvで別途メタ検証します。 */
1140
+ type JsonSchema = Record<string, unknown>;
1141
+ interface ActionMeta {
1142
+ action: string;
1143
+ resource_type: ResourceType;
1144
+ required_relations: Relation[];
1145
+ required_scopes: string[];
1146
+ capability?: string;
1147
+ input_schema?: JsonSchema;
1148
+ constraints?: Record<string, unknown>;
1149
+ effects?: string[];
1150
+ risk?: RiskLevel;
1151
+ version: string;
1152
+ }
1153
+ interface CapabilityMeta {
1154
+ capability: string;
1155
+ description?: string;
1156
+ includes: string[];
1157
+ version: string;
1158
+ }
1159
+ interface ActionRegistry {
1160
+ registry_version: string;
1161
+ actions: ActionMeta[];
1162
+ capabilities?: CapabilityMeta[];
1163
+ }
1164
+
1165
+ /**
1166
+ * Ajv インスタンスを作成。
1167
+ * - 本体スキーマ(registry/actions/capabilities)を登録
1168
+ * - formats 追加
1169
+ * - $id付きで利用
1170
+ */
1171
+ declare function createAjv(): Ajv;
1172
+ /**
1173
+ * Registry全体の構文検証 + 各Actionの input_schema を「JSON Schemaとして」検証。
1174
+ * @returns { ok, errors } 失敗時は diag を含む
1175
+ */
1176
+ declare function validateRegistryObject(registry: unknown): {
1177
+ ok: boolean;
1178
+ errors?: string[];
1179
+ };
1180
+ /**
1181
+ * JSONファイルからAction Registryを読み込み、完全検証して返す。
1182
+ * @throws Error 検証エラー時は詳細メッセージ付きでthrow
1183
+ */
1184
+ declare function loadActionRegistryFromFile(filePath: string): Promise<ActionRegistry>;
1185
+ /**
1186
+ * 既にパース済みのオブジェクトを検証して返す。
1187
+ * @throws Error 検証エラー時は詳細メッセージ付きでthrow
1188
+ */
1189
+ declare function loadActionRegistryFromObject(obj: unknown): ActionRegistry;
1190
+ /** アクション名→ActionMeta のルックアップを作成 */
1191
+ declare function indexActions(reg: ActionRegistry): Map<string, ActionMeta>;
1192
+ /** Capability名→CapabilityMeta のルックアップを作成 */
1193
+ declare function indexCapabilities(reg: ActionRegistry): Map<string, CapabilityMeta>;
1194
+ /** 指定アクションの required_scopes を取得(無ければ空配列) */
1195
+ declare function getRequiredScopes(regIndex: Map<string, ActionMeta>, action: string): string[];
1196
+ /** 指定アクションの required_relations(OR解釈)を取得(無ければ空配列) */
1197
+ declare function getRequiredRelations(regIndex: Map<string, ActionMeta>, action: string): Relation[];
1198
+
1199
+ /** ReBAC: 関係性チェック(SpiceDB/Zanzibar想定)。OR解釈で複数relationのいずれか成立でtrue */
1200
+ interface ReBACChecker {
1201
+ check(subjectDid: string, // User DID or Agent DID
1202
+ relations: Relation[], // ["editor","act_as"] など
1203
+ resourceRef: ResourceRef): Promise<boolean>;
1204
+ }
1205
+ /** ABAC: 条件判定(Cerbos/OPA想定)。trueなら許可。 */
1206
+ interface ABACPolicyEngine {
1207
+ evaluate(input: AbacInput): Promise<AbacDecision>;
1208
+ }
1209
+ interface AbacInput {
1210
+ principal: {
1211
+ id: string;
1212
+ roles?: string[];
1213
+ claims?: Record<string, unknown>;
1214
+ };
1215
+ resource: {
1216
+ kind: ResourceType;
1217
+ id: string;
1218
+ attr?: Record<string, unknown>;
1219
+ };
1220
+ action: string;
1221
+ context?: Record<string, unknown>;
1222
+ }
1223
+ interface AbacDecision {
1224
+ allow: boolean;
1225
+ ruleId?: string;
1226
+ reason?: string;
1227
+ }
1228
+ /** Credential選択:最小スコープを満たす外部トークンを取得(Bot/Installation/OAuth) */
1229
+ interface CredentialStore {
1230
+ pickMinimal(provider: Provider, // "slack" | "github" | "google"
1231
+ iaId: string, // IntegrationAccount ID
1232
+ requiredScopes: string[], subjectDid: string): Promise<CredentialRef | null>;
1233
+ }
1234
+ type Provider = 'slack' | 'github' | 'google';
1235
+ interface CredentialRef {
1236
+ id: string;
1237
+ provider: Provider;
1238
+ scopes: string[];
1239
+ }
1240
+ /** VP検証(SD-JWT/ISO 23220/mdoc/OID4VP):成功時にVCクレームを返す */
1241
+ interface VpVerifier {
1242
+ verifyAndExtractClaims(vpToken: string): Promise<VerifiedVcClaims>;
1243
+ }
1244
+ /** 発行した Delegation VC に含めることを想定した最小構造 */
1245
+ interface VerifiedVcClaims {
1246
+ allowed_actions: string[];
1247
+ resource_scope: ResourceScope[];
1248
+ expires_at?: string;
1249
+ actor?: string;
1250
+ assurance_level?: number;
1251
+ cnf?: {
1252
+ jwk_thumbprint?: string;
1253
+ };
1254
+ [k: string]: unknown;
1255
+ }
1256
+ interface ResourceRef {
1257
+ /** プロバイダ別のリソース識別子(例:Slack channel id, GitHub repo full_name, Drive file id) */
1258
+ id: string;
1259
+ type: ResourceType;
1260
+ /** 紐づくIntegrationAccountのID(どのSlackワークスペース/どのGitHub Orgか) */
1261
+ iaId: string;
1262
+ /** 追加属性(機密度など) */
1263
+ attr?: Record<string, unknown>;
1264
+ }
1265
+ /** VCに刻む「スコープ」表現の一例(最小定義) */
1266
+ type ResourceScope = {
1267
+ kind: 'Workspace';
1268
+ id: string;
1269
+ } | {
1270
+ kind: 'IntegrationAccount';
1271
+ id: string;
1272
+ } | {
1273
+ kind: 'Resource';
1274
+ type: ResourceType;
1275
+ id: string;
1276
+ };
1277
+ /** 監査用の判定理由 */
1278
+ interface DecisionTrace {
1279
+ rebac?: {
1280
+ ok: boolean;
1281
+ relations: Relation[];
1282
+ };
1283
+ delegation?: {
1284
+ ok: boolean;
1285
+ matched_action?: boolean;
1286
+ in_scope?: boolean;
1287
+ notExpired?: boolean;
1288
+ };
1289
+ abac?: {
1290
+ ok: boolean;
1291
+ ruleId?: string;
1292
+ reason?: string;
1293
+ };
1294
+ scope?: {
1295
+ ok: boolean;
1296
+ required: string[];
1297
+ chosenCredentialId?: string;
1298
+ };
1299
+ }
1300
+ /** Capability名やAction名(混在OK)から、実アクション配列に解決 */
1301
+ declare function resolveActionsFromSelection(registry: ActionRegistry, selection: string[]): string[];
1302
+ interface PlanDelegationInput {
1303
+ registry: ActionRegistry;
1304
+ issuerUserDid: string;
1305
+ delegateAgentDid: string;
1306
+ /** ユーザーが UI 等で選んだアクション/ケイパビリティ */
1307
+ requested: string[];
1308
+ /** この委任が及ぶスコープ(Workspace/IA/Resource) */
1309
+ resourceScope: ResourceScope[];
1310
+ /** 有効期限(ISO) */
1311
+ expiresAt?: string;
1312
+ /** ABAC前提で要求する最小アシュアランス等(必要なら) */
1313
+ minAssuranceLevel?: number;
1314
+ /** ABAC/Cerbos用のruntime context(時間帯/場所/リスク等) */
1315
+ context?: Record<string, unknown>;
1316
+ /** Provider 推測のためのヒント(Credential選択時に使う) */
1317
+ providerByIa?: Record<string, Provider>;
1318
+ /** 実行時に用いるReBAC/ABAC/Credentialのハンドラ */
1319
+ rebac: ReBACChecker;
1320
+ abac: ABACPolicyEngine;
1321
+ creds: CredentialStore;
1322
+ }
1323
+ interface PlanDelegationResult {
1324
+ granted_actions: string[];
1325
+ rejected_actions: string[];
1326
+ traceByAction: Record<string, DecisionTrace>;
1327
+ }
1328
+ /**
1329
+ * VC発行前に、リクエストされたアクション群を
1330
+ * - Registryに存在
1331
+ * - ReBAC(委任元=issuerUserDid が十分な関係を持つ)
1332
+ * - ABACポリシー適合
1333
+ * - 必要スコープを満たすクレデンシャルが存在
1334
+ * の観点で絞り込み、発行して良いものだけ返す。
1335
+ */
1336
+ declare function planDelegationForVC(input: PlanDelegationInput): Promise<PlanDelegationResult>;
1337
+ interface CheckPermissionInput {
1338
+ registry: ActionRegistry;
1339
+ actorDid: string;
1340
+ onBehalfOfDid?: string;
1341
+ action: string;
1342
+ resource: ResourceRef;
1343
+ vpToken: string;
1344
+ context?: Record<string, unknown>;
1345
+ rebac: ReBACChecker;
1346
+ abac: ABACPolicyEngine;
1347
+ creds: CredentialStore;
1348
+ vpVerifier: VpVerifier;
1349
+ }
1350
+ interface CheckPermissionResult {
1351
+ allow: boolean;
1352
+ reason?: string;
1353
+ trace: DecisionTrace;
1354
+ credential?: CredentialRef | null;
1355
+ }
1356
+ /**
1357
+ * 実行直前のフル判定。
1358
+ * 1) ReBAC: actor がresourceに対する 基本関係/act_as を満たすか
1359
+ * 2) Delegation(VC): actionがallowedか / resourceがscope内か / 期限内か
1360
+ * 3) ABAC: コンテキストやassurance levelに適合するか
1361
+ * 4) Scope/Credential: 必要スコープを満たすクレデンシャルが取得できるか
1362
+ */
1363
+ declare function checkPermissionWithVP(input: CheckPermissionInput): Promise<CheckPermissionResult>;
1364
+ declare class AllowAllAbac implements ABACPolicyEngine {
1365
+ evaluate(): Promise<AbacDecision>;
1366
+ }
1367
+ declare class SimpleRebac implements ReBACChecker {
1368
+ private allowRelations;
1369
+ constructor(allowRelations?: Relation[]);
1370
+ check(_sub: string, relations: Relation[]): Promise<boolean>;
1371
+ }
1372
+ declare class DummyCreds implements CredentialStore {
1373
+ pickMinimal(provider: Provider, _iaId: string, requiredScopes: string[]): Promise<CredentialRef | null>;
1374
+ }
1375
+ declare class DummyVpVerifier implements VpVerifier {
1376
+ private vc;
1377
+ constructor(vc: VerifiedVcClaims);
1378
+ verifyAndExtractClaims(): Promise<VerifiedVcClaims>;
1379
+ }
1380
+
1381
+ declare const ACTION_REGISTRY: {
1382
+ registry_version: string;
1383
+ actions: ({
1384
+ action: string;
1385
+ resource_type: string;
1386
+ required_relations: string[];
1387
+ required_scopes: string[];
1388
+ capability: string;
1389
+ input_schema: {
1390
+ type: string;
1391
+ properties: {
1392
+ text: {
1393
+ type: string;
1394
+ minLength: number;
1395
+ maxLength: number;
1396
+ };
1397
+ thread_ts: {
1398
+ type: string;
1399
+ };
1400
+ attachments: {
1401
+ type: string;
1402
+ };
1403
+ latest?: undefined;
1404
+ oldest?: undefined;
1405
+ limit?: undefined;
1406
+ name?: undefined;
1407
+ timestamp?: undefined;
1408
+ path?: undefined;
1409
+ ref?: undefined;
1410
+ title?: undefined;
1411
+ body?: undefined;
1412
+ labels?: undefined;
1413
+ assignees?: undefined;
1414
+ issue_number?: undefined;
1415
+ head?: undefined;
1416
+ base?: undefined;
1417
+ draft?: undefined;
1418
+ pr_number?: undefined;
1419
+ merge_method?: undefined;
1420
+ fields?: undefined;
1421
+ mimeType?: undefined;
1422
+ content_base64?: undefined;
1423
+ parent_folder_id?: undefined;
1424
+ folder_id?: undefined;
1425
+ q?: undefined;
1426
+ page_size?: undefined;
1427
+ jql?: undefined;
1428
+ maxResults?: undefined;
1429
+ startAt?: undefined;
1430
+ issueIdOrKey?: undefined;
1431
+ recent?: undefined;
1432
+ projectKeyOrId?: undefined;
1433
+ type?: undefined;
1434
+ boardId?: undefined;
1435
+ state?: undefined;
1436
+ sprintId?: undefined;
1437
+ projectKey?: undefined;
1438
+ summary?: undefined;
1439
+ description?: undefined;
1440
+ issueType?: undefined;
1441
+ priority?: undefined;
1442
+ assignee?: undefined;
1443
+ };
1444
+ required: string[];
1445
+ additionalProperties: boolean;
1446
+ };
1447
+ constraints: {
1448
+ rate_bucket: string;
1449
+ requires_reviews_passed?: undefined;
1450
+ max_size_mb?: undefined;
1451
+ };
1452
+ effects: string[];
1453
+ risk: string;
1454
+ version: string;
1455
+ } | {
1456
+ action: string;
1457
+ resource_type: string;
1458
+ required_relations: string[];
1459
+ required_scopes: string[];
1460
+ capability: string;
1461
+ input_schema: {
1462
+ type: string;
1463
+ properties: {
1464
+ latest: {
1465
+ type: string;
1466
+ };
1467
+ oldest: {
1468
+ type: string;
1469
+ };
1470
+ limit: {
1471
+ type: string;
1472
+ minimum: number;
1473
+ maximum: number;
1474
+ };
1475
+ text?: undefined;
1476
+ thread_ts?: undefined;
1477
+ attachments?: undefined;
1478
+ name?: undefined;
1479
+ timestamp?: undefined;
1480
+ path?: undefined;
1481
+ ref?: undefined;
1482
+ title?: undefined;
1483
+ body?: undefined;
1484
+ labels?: undefined;
1485
+ assignees?: undefined;
1486
+ issue_number?: undefined;
1487
+ head?: undefined;
1488
+ base?: undefined;
1489
+ draft?: undefined;
1490
+ pr_number?: undefined;
1491
+ merge_method?: undefined;
1492
+ fields?: undefined;
1493
+ mimeType?: undefined;
1494
+ content_base64?: undefined;
1495
+ parent_folder_id?: undefined;
1496
+ folder_id?: undefined;
1497
+ q?: undefined;
1498
+ page_size?: undefined;
1499
+ jql?: undefined;
1500
+ maxResults?: undefined;
1501
+ startAt?: undefined;
1502
+ issueIdOrKey?: undefined;
1503
+ recent?: undefined;
1504
+ projectKeyOrId?: undefined;
1505
+ type?: undefined;
1506
+ boardId?: undefined;
1507
+ state?: undefined;
1508
+ sprintId?: undefined;
1509
+ projectKey?: undefined;
1510
+ summary?: undefined;
1511
+ description?: undefined;
1512
+ issueType?: undefined;
1513
+ priority?: undefined;
1514
+ assignee?: undefined;
1515
+ };
1516
+ additionalProperties: boolean;
1517
+ required?: undefined;
1518
+ };
1519
+ constraints: {
1520
+ rate_bucket: string;
1521
+ requires_reviews_passed?: undefined;
1522
+ max_size_mb?: undefined;
1523
+ };
1524
+ effects: string[];
1525
+ risk: string;
1526
+ version: string;
1527
+ } | {
1528
+ action: string;
1529
+ resource_type: string;
1530
+ required_relations: string[];
1531
+ required_scopes: string[];
1532
+ capability: string;
1533
+ input_schema: {
1534
+ type: string;
1535
+ properties: {
1536
+ name: {
1537
+ type: string;
1538
+ minLength: number;
1539
+ };
1540
+ timestamp: {
1541
+ type: string;
1542
+ };
1543
+ text?: undefined;
1544
+ thread_ts?: undefined;
1545
+ attachments?: undefined;
1546
+ latest?: undefined;
1547
+ oldest?: undefined;
1548
+ limit?: undefined;
1549
+ path?: undefined;
1550
+ ref?: undefined;
1551
+ title?: undefined;
1552
+ body?: undefined;
1553
+ labels?: undefined;
1554
+ assignees?: undefined;
1555
+ issue_number?: undefined;
1556
+ head?: undefined;
1557
+ base?: undefined;
1558
+ draft?: undefined;
1559
+ pr_number?: undefined;
1560
+ merge_method?: undefined;
1561
+ fields?: undefined;
1562
+ mimeType?: undefined;
1563
+ content_base64?: undefined;
1564
+ parent_folder_id?: undefined;
1565
+ folder_id?: undefined;
1566
+ q?: undefined;
1567
+ page_size?: undefined;
1568
+ jql?: undefined;
1569
+ maxResults?: undefined;
1570
+ startAt?: undefined;
1571
+ issueIdOrKey?: undefined;
1572
+ recent?: undefined;
1573
+ projectKeyOrId?: undefined;
1574
+ type?: undefined;
1575
+ boardId?: undefined;
1576
+ state?: undefined;
1577
+ sprintId?: undefined;
1578
+ projectKey?: undefined;
1579
+ summary?: undefined;
1580
+ description?: undefined;
1581
+ issueType?: undefined;
1582
+ priority?: undefined;
1583
+ assignee?: undefined;
1584
+ };
1585
+ required: string[];
1586
+ additionalProperties: boolean;
1587
+ };
1588
+ constraints: {
1589
+ rate_bucket: string;
1590
+ requires_reviews_passed?: undefined;
1591
+ max_size_mb?: undefined;
1592
+ };
1593
+ effects: string[];
1594
+ risk: string;
1595
+ version: string;
1596
+ } | {
1597
+ action: string;
1598
+ resource_type: string;
1599
+ required_relations: string[];
1600
+ required_scopes: string[];
1601
+ capability: string;
1602
+ input_schema: {
1603
+ type: string;
1604
+ properties: {
1605
+ path: {
1606
+ type: string;
1607
+ };
1608
+ ref: {
1609
+ type: string;
1610
+ };
1611
+ text?: undefined;
1612
+ thread_ts?: undefined;
1613
+ attachments?: undefined;
1614
+ latest?: undefined;
1615
+ oldest?: undefined;
1616
+ limit?: undefined;
1617
+ name?: undefined;
1618
+ timestamp?: undefined;
1619
+ title?: undefined;
1620
+ body?: undefined;
1621
+ labels?: undefined;
1622
+ assignees?: undefined;
1623
+ issue_number?: undefined;
1624
+ head?: undefined;
1625
+ base?: undefined;
1626
+ draft?: undefined;
1627
+ pr_number?: undefined;
1628
+ merge_method?: undefined;
1629
+ fields?: undefined;
1630
+ mimeType?: undefined;
1631
+ content_base64?: undefined;
1632
+ parent_folder_id?: undefined;
1633
+ folder_id?: undefined;
1634
+ q?: undefined;
1635
+ page_size?: undefined;
1636
+ jql?: undefined;
1637
+ maxResults?: undefined;
1638
+ startAt?: undefined;
1639
+ issueIdOrKey?: undefined;
1640
+ recent?: undefined;
1641
+ projectKeyOrId?: undefined;
1642
+ type?: undefined;
1643
+ boardId?: undefined;
1644
+ state?: undefined;
1645
+ sprintId?: undefined;
1646
+ projectKey?: undefined;
1647
+ summary?: undefined;
1648
+ description?: undefined;
1649
+ issueType?: undefined;
1650
+ priority?: undefined;
1651
+ assignee?: undefined;
1652
+ };
1653
+ additionalProperties: boolean;
1654
+ required?: undefined;
1655
+ };
1656
+ constraints: {
1657
+ rate_bucket: string;
1658
+ requires_reviews_passed?: undefined;
1659
+ max_size_mb?: undefined;
1660
+ };
1661
+ effects: string[];
1662
+ risk: string;
1663
+ version: string;
1664
+ } | {
1665
+ action: string;
1666
+ resource_type: string;
1667
+ required_relations: string[];
1668
+ required_scopes: string[];
1669
+ capability: string;
1670
+ input_schema: {
1671
+ type: string;
1672
+ properties: {
1673
+ title: {
1674
+ type: string;
1675
+ minLength: number;
1676
+ };
1677
+ body: {
1678
+ type: string;
1679
+ minLength?: undefined;
1680
+ };
1681
+ labels: {
1682
+ type: string;
1683
+ items: {
1684
+ type: string;
1685
+ };
1686
+ };
1687
+ assignees: {
1688
+ type: string;
1689
+ items: {
1690
+ type: string;
1691
+ };
1692
+ };
1693
+ text?: undefined;
1694
+ thread_ts?: undefined;
1695
+ attachments?: undefined;
1696
+ latest?: undefined;
1697
+ oldest?: undefined;
1698
+ limit?: undefined;
1699
+ name?: undefined;
1700
+ timestamp?: undefined;
1701
+ path?: undefined;
1702
+ ref?: undefined;
1703
+ issue_number?: undefined;
1704
+ head?: undefined;
1705
+ base?: undefined;
1706
+ draft?: undefined;
1707
+ pr_number?: undefined;
1708
+ merge_method?: undefined;
1709
+ fields?: undefined;
1710
+ mimeType?: undefined;
1711
+ content_base64?: undefined;
1712
+ parent_folder_id?: undefined;
1713
+ folder_id?: undefined;
1714
+ q?: undefined;
1715
+ page_size?: undefined;
1716
+ jql?: undefined;
1717
+ maxResults?: undefined;
1718
+ startAt?: undefined;
1719
+ issueIdOrKey?: undefined;
1720
+ recent?: undefined;
1721
+ projectKeyOrId?: undefined;
1722
+ type?: undefined;
1723
+ boardId?: undefined;
1724
+ state?: undefined;
1725
+ sprintId?: undefined;
1726
+ projectKey?: undefined;
1727
+ summary?: undefined;
1728
+ description?: undefined;
1729
+ issueType?: undefined;
1730
+ priority?: undefined;
1731
+ assignee?: undefined;
1732
+ };
1733
+ required: string[];
1734
+ additionalProperties: boolean;
1735
+ };
1736
+ constraints: {
1737
+ rate_bucket: string;
1738
+ requires_reviews_passed?: undefined;
1739
+ max_size_mb?: undefined;
1740
+ };
1741
+ effects: string[];
1742
+ risk: string;
1743
+ version: string;
1744
+ } | {
1745
+ action: string;
1746
+ resource_type: string;
1747
+ required_relations: string[];
1748
+ required_scopes: string[];
1749
+ capability: string;
1750
+ input_schema: {
1751
+ type: string;
1752
+ properties: {
1753
+ issue_number: {
1754
+ type: string;
1755
+ minimum: number;
1756
+ };
1757
+ body: {
1758
+ type: string;
1759
+ minLength: number;
1760
+ };
1761
+ text?: undefined;
1762
+ thread_ts?: undefined;
1763
+ attachments?: undefined;
1764
+ latest?: undefined;
1765
+ oldest?: undefined;
1766
+ limit?: undefined;
1767
+ name?: undefined;
1768
+ timestamp?: undefined;
1769
+ path?: undefined;
1770
+ ref?: undefined;
1771
+ title?: undefined;
1772
+ labels?: undefined;
1773
+ assignees?: undefined;
1774
+ head?: undefined;
1775
+ base?: undefined;
1776
+ draft?: undefined;
1777
+ pr_number?: undefined;
1778
+ merge_method?: undefined;
1779
+ fields?: undefined;
1780
+ mimeType?: undefined;
1781
+ content_base64?: undefined;
1782
+ parent_folder_id?: undefined;
1783
+ folder_id?: undefined;
1784
+ q?: undefined;
1785
+ page_size?: undefined;
1786
+ jql?: undefined;
1787
+ maxResults?: undefined;
1788
+ startAt?: undefined;
1789
+ issueIdOrKey?: undefined;
1790
+ recent?: undefined;
1791
+ projectKeyOrId?: undefined;
1792
+ type?: undefined;
1793
+ boardId?: undefined;
1794
+ state?: undefined;
1795
+ sprintId?: undefined;
1796
+ projectKey?: undefined;
1797
+ summary?: undefined;
1798
+ description?: undefined;
1799
+ issueType?: undefined;
1800
+ priority?: undefined;
1801
+ assignee?: undefined;
1802
+ };
1803
+ required: string[];
1804
+ additionalProperties: boolean;
1805
+ };
1806
+ constraints: {
1807
+ rate_bucket: string;
1808
+ requires_reviews_passed?: undefined;
1809
+ max_size_mb?: undefined;
1810
+ };
1811
+ effects: string[];
1812
+ risk: string;
1813
+ version: string;
1814
+ } | {
1815
+ action: string;
1816
+ resource_type: string;
1817
+ required_relations: string[];
1818
+ required_scopes: string[];
1819
+ capability: string;
1820
+ input_schema: {
1821
+ type: string;
1822
+ properties: {
1823
+ title: {
1824
+ type: string;
1825
+ minLength: number;
1826
+ };
1827
+ head: {
1828
+ type: string;
1829
+ minLength: number;
1830
+ };
1831
+ base: {
1832
+ type: string;
1833
+ minLength: number;
1834
+ };
1835
+ body: {
1836
+ type: string;
1837
+ minLength?: undefined;
1838
+ };
1839
+ draft: {
1840
+ type: string;
1841
+ };
1842
+ text?: undefined;
1843
+ thread_ts?: undefined;
1844
+ attachments?: undefined;
1845
+ latest?: undefined;
1846
+ oldest?: undefined;
1847
+ limit?: undefined;
1848
+ name?: undefined;
1849
+ timestamp?: undefined;
1850
+ path?: undefined;
1851
+ ref?: undefined;
1852
+ labels?: undefined;
1853
+ assignees?: undefined;
1854
+ issue_number?: undefined;
1855
+ pr_number?: undefined;
1856
+ merge_method?: undefined;
1857
+ fields?: undefined;
1858
+ mimeType?: undefined;
1859
+ content_base64?: undefined;
1860
+ parent_folder_id?: undefined;
1861
+ folder_id?: undefined;
1862
+ q?: undefined;
1863
+ page_size?: undefined;
1864
+ jql?: undefined;
1865
+ maxResults?: undefined;
1866
+ startAt?: undefined;
1867
+ issueIdOrKey?: undefined;
1868
+ recent?: undefined;
1869
+ projectKeyOrId?: undefined;
1870
+ type?: undefined;
1871
+ boardId?: undefined;
1872
+ state?: undefined;
1873
+ sprintId?: undefined;
1874
+ projectKey?: undefined;
1875
+ summary?: undefined;
1876
+ description?: undefined;
1877
+ issueType?: undefined;
1878
+ priority?: undefined;
1879
+ assignee?: undefined;
1880
+ };
1881
+ required: string[];
1882
+ additionalProperties: boolean;
1883
+ };
1884
+ constraints: {
1885
+ rate_bucket: string;
1886
+ requires_reviews_passed?: undefined;
1887
+ max_size_mb?: undefined;
1888
+ };
1889
+ effects: string[];
1890
+ risk: string;
1891
+ version: string;
1892
+ } | {
1893
+ action: string;
1894
+ resource_type: string;
1895
+ required_relations: string[];
1896
+ required_scopes: string[];
1897
+ capability: string;
1898
+ input_schema: {
1899
+ type: string;
1900
+ properties: {
1901
+ pr_number: {
1902
+ type: string;
1903
+ minimum: number;
1904
+ };
1905
+ merge_method: {
1906
+ type: string;
1907
+ enum: string[];
1908
+ };
1909
+ text?: undefined;
1910
+ thread_ts?: undefined;
1911
+ attachments?: undefined;
1912
+ latest?: undefined;
1913
+ oldest?: undefined;
1914
+ limit?: undefined;
1915
+ name?: undefined;
1916
+ timestamp?: undefined;
1917
+ path?: undefined;
1918
+ ref?: undefined;
1919
+ title?: undefined;
1920
+ body?: undefined;
1921
+ labels?: undefined;
1922
+ assignees?: undefined;
1923
+ issue_number?: undefined;
1924
+ head?: undefined;
1925
+ base?: undefined;
1926
+ draft?: undefined;
1927
+ fields?: undefined;
1928
+ mimeType?: undefined;
1929
+ content_base64?: undefined;
1930
+ parent_folder_id?: undefined;
1931
+ folder_id?: undefined;
1932
+ q?: undefined;
1933
+ page_size?: undefined;
1934
+ jql?: undefined;
1935
+ maxResults?: undefined;
1936
+ startAt?: undefined;
1937
+ issueIdOrKey?: undefined;
1938
+ recent?: undefined;
1939
+ projectKeyOrId?: undefined;
1940
+ type?: undefined;
1941
+ boardId?: undefined;
1942
+ state?: undefined;
1943
+ sprintId?: undefined;
1944
+ projectKey?: undefined;
1945
+ summary?: undefined;
1946
+ description?: undefined;
1947
+ issueType?: undefined;
1948
+ priority?: undefined;
1949
+ assignee?: undefined;
1950
+ };
1951
+ required: string[];
1952
+ additionalProperties: boolean;
1953
+ };
1954
+ constraints: {
1955
+ rate_bucket: string;
1956
+ requires_reviews_passed: boolean;
1957
+ max_size_mb?: undefined;
1958
+ };
1959
+ effects: string[];
1960
+ risk: string;
1961
+ version: string;
1962
+ } | {
1963
+ action: string;
1964
+ resource_type: string;
1965
+ required_relations: string[];
1966
+ required_scopes: string[];
1967
+ capability: string;
1968
+ input_schema: {
1969
+ type: string;
1970
+ properties: {
1971
+ fields: {
1972
+ type: string;
1973
+ };
1974
+ text?: undefined;
1975
+ thread_ts?: undefined;
1976
+ attachments?: undefined;
1977
+ latest?: undefined;
1978
+ oldest?: undefined;
1979
+ limit?: undefined;
1980
+ name?: undefined;
1981
+ timestamp?: undefined;
1982
+ path?: undefined;
1983
+ ref?: undefined;
1984
+ title?: undefined;
1985
+ body?: undefined;
1986
+ labels?: undefined;
1987
+ assignees?: undefined;
1988
+ issue_number?: undefined;
1989
+ head?: undefined;
1990
+ base?: undefined;
1991
+ draft?: undefined;
1992
+ pr_number?: undefined;
1993
+ merge_method?: undefined;
1994
+ mimeType?: undefined;
1995
+ content_base64?: undefined;
1996
+ parent_folder_id?: undefined;
1997
+ folder_id?: undefined;
1998
+ q?: undefined;
1999
+ page_size?: undefined;
2000
+ jql?: undefined;
2001
+ maxResults?: undefined;
2002
+ startAt?: undefined;
2003
+ issueIdOrKey?: undefined;
2004
+ recent?: undefined;
2005
+ projectKeyOrId?: undefined;
2006
+ type?: undefined;
2007
+ boardId?: undefined;
2008
+ state?: undefined;
2009
+ sprintId?: undefined;
2010
+ projectKey?: undefined;
2011
+ summary?: undefined;
2012
+ description?: undefined;
2013
+ issueType?: undefined;
2014
+ priority?: undefined;
2015
+ assignee?: undefined;
2016
+ };
2017
+ additionalProperties: boolean;
2018
+ required?: undefined;
2019
+ };
2020
+ constraints: {
2021
+ rate_bucket: string;
2022
+ requires_reviews_passed?: undefined;
2023
+ max_size_mb?: undefined;
2024
+ };
2025
+ effects: string[];
2026
+ risk: string;
2027
+ version: string;
2028
+ } | {
2029
+ action: string;
2030
+ resource_type: string;
2031
+ required_relations: string[];
2032
+ required_scopes: string[];
2033
+ capability: string;
2034
+ input_schema: {
2035
+ type: string;
2036
+ properties: {
2037
+ mimeType: {
2038
+ type: string;
2039
+ };
2040
+ content_base64: {
2041
+ type: string;
2042
+ };
2043
+ text?: undefined;
2044
+ thread_ts?: undefined;
2045
+ attachments?: undefined;
2046
+ latest?: undefined;
2047
+ oldest?: undefined;
2048
+ limit?: undefined;
2049
+ name?: undefined;
2050
+ timestamp?: undefined;
2051
+ path?: undefined;
2052
+ ref?: undefined;
2053
+ title?: undefined;
2054
+ body?: undefined;
2055
+ labels?: undefined;
2056
+ assignees?: undefined;
2057
+ issue_number?: undefined;
2058
+ head?: undefined;
2059
+ base?: undefined;
2060
+ draft?: undefined;
2061
+ pr_number?: undefined;
2062
+ merge_method?: undefined;
2063
+ fields?: undefined;
2064
+ parent_folder_id?: undefined;
2065
+ folder_id?: undefined;
2066
+ q?: undefined;
2067
+ page_size?: undefined;
2068
+ jql?: undefined;
2069
+ maxResults?: undefined;
2070
+ startAt?: undefined;
2071
+ issueIdOrKey?: undefined;
2072
+ recent?: undefined;
2073
+ projectKeyOrId?: undefined;
2074
+ type?: undefined;
2075
+ boardId?: undefined;
2076
+ state?: undefined;
2077
+ sprintId?: undefined;
2078
+ projectKey?: undefined;
2079
+ summary?: undefined;
2080
+ description?: undefined;
2081
+ issueType?: undefined;
2082
+ priority?: undefined;
2083
+ assignee?: undefined;
2084
+ };
2085
+ required: string[];
2086
+ additionalProperties: boolean;
2087
+ };
2088
+ constraints: {
2089
+ rate_bucket: string;
2090
+ max_size_mb: number;
2091
+ requires_reviews_passed?: undefined;
2092
+ };
2093
+ effects: string[];
2094
+ risk: string;
2095
+ version: string;
2096
+ } | {
2097
+ action: string;
2098
+ resource_type: string;
2099
+ required_relations: string[];
2100
+ required_scopes: string[];
2101
+ capability: string;
2102
+ input_schema: {
2103
+ type: string;
2104
+ properties: {
2105
+ name: {
2106
+ type: string;
2107
+ minLength: number;
2108
+ };
2109
+ mimeType: {
2110
+ type: string;
2111
+ };
2112
+ parent_folder_id: {
2113
+ type: string;
2114
+ };
2115
+ content_base64: {
2116
+ type: string;
2117
+ };
2118
+ text?: undefined;
2119
+ thread_ts?: undefined;
2120
+ attachments?: undefined;
2121
+ latest?: undefined;
2122
+ oldest?: undefined;
2123
+ limit?: undefined;
2124
+ timestamp?: undefined;
2125
+ path?: undefined;
2126
+ ref?: undefined;
2127
+ title?: undefined;
2128
+ body?: undefined;
2129
+ labels?: undefined;
2130
+ assignees?: undefined;
2131
+ issue_number?: undefined;
2132
+ head?: undefined;
2133
+ base?: undefined;
2134
+ draft?: undefined;
2135
+ pr_number?: undefined;
2136
+ merge_method?: undefined;
2137
+ fields?: undefined;
2138
+ folder_id?: undefined;
2139
+ q?: undefined;
2140
+ page_size?: undefined;
2141
+ jql?: undefined;
2142
+ maxResults?: undefined;
2143
+ startAt?: undefined;
2144
+ issueIdOrKey?: undefined;
2145
+ recent?: undefined;
2146
+ projectKeyOrId?: undefined;
2147
+ type?: undefined;
2148
+ boardId?: undefined;
2149
+ state?: undefined;
2150
+ sprintId?: undefined;
2151
+ projectKey?: undefined;
2152
+ summary?: undefined;
2153
+ description?: undefined;
2154
+ issueType?: undefined;
2155
+ priority?: undefined;
2156
+ assignee?: undefined;
2157
+ };
2158
+ required: string[];
2159
+ additionalProperties: boolean;
2160
+ };
2161
+ constraints: {
2162
+ rate_bucket: string;
2163
+ max_size_mb: number;
2164
+ requires_reviews_passed?: undefined;
2165
+ };
2166
+ effects: string[];
2167
+ risk: string;
2168
+ version: string;
2169
+ } | {
2170
+ action: string;
2171
+ resource_type: string;
2172
+ required_relations: string[];
2173
+ required_scopes: string[];
2174
+ capability: string;
2175
+ input_schema: {
2176
+ type: string;
2177
+ properties: {
2178
+ folder_id: {
2179
+ type: string;
2180
+ };
2181
+ q: {
2182
+ type: string;
2183
+ };
2184
+ page_size: {
2185
+ type: string;
2186
+ minimum: number;
2187
+ maximum: number;
2188
+ };
2189
+ text?: undefined;
2190
+ thread_ts?: undefined;
2191
+ attachments?: undefined;
2192
+ latest?: undefined;
2193
+ oldest?: undefined;
2194
+ limit?: undefined;
2195
+ name?: undefined;
2196
+ timestamp?: undefined;
2197
+ path?: undefined;
2198
+ ref?: undefined;
2199
+ title?: undefined;
2200
+ body?: undefined;
2201
+ labels?: undefined;
2202
+ assignees?: undefined;
2203
+ issue_number?: undefined;
2204
+ head?: undefined;
2205
+ base?: undefined;
2206
+ draft?: undefined;
2207
+ pr_number?: undefined;
2208
+ merge_method?: undefined;
2209
+ fields?: undefined;
2210
+ mimeType?: undefined;
2211
+ content_base64?: undefined;
2212
+ parent_folder_id?: undefined;
2213
+ jql?: undefined;
2214
+ maxResults?: undefined;
2215
+ startAt?: undefined;
2216
+ issueIdOrKey?: undefined;
2217
+ recent?: undefined;
2218
+ projectKeyOrId?: undefined;
2219
+ type?: undefined;
2220
+ boardId?: undefined;
2221
+ state?: undefined;
2222
+ sprintId?: undefined;
2223
+ projectKey?: undefined;
2224
+ summary?: undefined;
2225
+ description?: undefined;
2226
+ issueType?: undefined;
2227
+ priority?: undefined;
2228
+ assignee?: undefined;
2229
+ };
2230
+ required: string[];
2231
+ additionalProperties: boolean;
2232
+ };
2233
+ constraints: {
2234
+ rate_bucket: string;
2235
+ requires_reviews_passed?: undefined;
2236
+ max_size_mb?: undefined;
2237
+ };
2238
+ effects: string[];
2239
+ risk: string;
2240
+ version: string;
2241
+ } | {
2242
+ action: string;
2243
+ resource_type: string;
2244
+ required_relations: string[];
2245
+ required_scopes: string[];
2246
+ capability: string;
2247
+ input_schema: {
2248
+ type: string;
2249
+ properties: {
2250
+ jql: {
2251
+ type: string;
2252
+ minLength: number;
2253
+ };
2254
+ maxResults: {
2255
+ type: string;
2256
+ minimum: number;
2257
+ maximum: number;
2258
+ };
2259
+ startAt: {
2260
+ type: string;
2261
+ minimum: number;
2262
+ };
2263
+ text?: undefined;
2264
+ thread_ts?: undefined;
2265
+ attachments?: undefined;
2266
+ latest?: undefined;
2267
+ oldest?: undefined;
2268
+ limit?: undefined;
2269
+ name?: undefined;
2270
+ timestamp?: undefined;
2271
+ path?: undefined;
2272
+ ref?: undefined;
2273
+ title?: undefined;
2274
+ body?: undefined;
2275
+ labels?: undefined;
2276
+ assignees?: undefined;
2277
+ issue_number?: undefined;
2278
+ head?: undefined;
2279
+ base?: undefined;
2280
+ draft?: undefined;
2281
+ pr_number?: undefined;
2282
+ merge_method?: undefined;
2283
+ fields?: undefined;
2284
+ mimeType?: undefined;
2285
+ content_base64?: undefined;
2286
+ parent_folder_id?: undefined;
2287
+ folder_id?: undefined;
2288
+ q?: undefined;
2289
+ page_size?: undefined;
2290
+ issueIdOrKey?: undefined;
2291
+ recent?: undefined;
2292
+ projectKeyOrId?: undefined;
2293
+ type?: undefined;
2294
+ boardId?: undefined;
2295
+ state?: undefined;
2296
+ sprintId?: undefined;
2297
+ projectKey?: undefined;
2298
+ summary?: undefined;
2299
+ description?: undefined;
2300
+ issueType?: undefined;
2301
+ priority?: undefined;
2302
+ assignee?: undefined;
2303
+ };
2304
+ required: string[];
2305
+ additionalProperties: boolean;
2306
+ };
2307
+ constraints: {
2308
+ rate_bucket: string;
2309
+ requires_reviews_passed?: undefined;
2310
+ max_size_mb?: undefined;
2311
+ };
2312
+ effects: string[];
2313
+ risk: string;
2314
+ version: string;
2315
+ } | {
2316
+ action: string;
2317
+ resource_type: string;
2318
+ required_relations: string[];
2319
+ required_scopes: string[];
2320
+ capability: string;
2321
+ input_schema: {
2322
+ type: string;
2323
+ properties: {
2324
+ issueIdOrKey: {
2325
+ type: string;
2326
+ minLength: number;
2327
+ };
2328
+ text?: undefined;
2329
+ thread_ts?: undefined;
2330
+ attachments?: undefined;
2331
+ latest?: undefined;
2332
+ oldest?: undefined;
2333
+ limit?: undefined;
2334
+ name?: undefined;
2335
+ timestamp?: undefined;
2336
+ path?: undefined;
2337
+ ref?: undefined;
2338
+ title?: undefined;
2339
+ body?: undefined;
2340
+ labels?: undefined;
2341
+ assignees?: undefined;
2342
+ issue_number?: undefined;
2343
+ head?: undefined;
2344
+ base?: undefined;
2345
+ draft?: undefined;
2346
+ pr_number?: undefined;
2347
+ merge_method?: undefined;
2348
+ fields?: undefined;
2349
+ mimeType?: undefined;
2350
+ content_base64?: undefined;
2351
+ parent_folder_id?: undefined;
2352
+ folder_id?: undefined;
2353
+ q?: undefined;
2354
+ page_size?: undefined;
2355
+ jql?: undefined;
2356
+ maxResults?: undefined;
2357
+ startAt?: undefined;
2358
+ recent?: undefined;
2359
+ projectKeyOrId?: undefined;
2360
+ type?: undefined;
2361
+ boardId?: undefined;
2362
+ state?: undefined;
2363
+ sprintId?: undefined;
2364
+ projectKey?: undefined;
2365
+ summary?: undefined;
2366
+ description?: undefined;
2367
+ issueType?: undefined;
2368
+ priority?: undefined;
2369
+ assignee?: undefined;
2370
+ };
2371
+ required: string[];
2372
+ additionalProperties: boolean;
2373
+ };
2374
+ constraints: {
2375
+ rate_bucket: string;
2376
+ requires_reviews_passed?: undefined;
2377
+ max_size_mb?: undefined;
2378
+ };
2379
+ effects: string[];
2380
+ risk: string;
2381
+ version: string;
2382
+ } | {
2383
+ action: string;
2384
+ resource_type: string;
2385
+ required_relations: string[];
2386
+ required_scopes: string[];
2387
+ capability: string;
2388
+ input_schema: {
2389
+ type: string;
2390
+ properties: {
2391
+ recent: {
2392
+ type: string;
2393
+ };
2394
+ text?: undefined;
2395
+ thread_ts?: undefined;
2396
+ attachments?: undefined;
2397
+ latest?: undefined;
2398
+ oldest?: undefined;
2399
+ limit?: undefined;
2400
+ name?: undefined;
2401
+ timestamp?: undefined;
2402
+ path?: undefined;
2403
+ ref?: undefined;
2404
+ title?: undefined;
2405
+ body?: undefined;
2406
+ labels?: undefined;
2407
+ assignees?: undefined;
2408
+ issue_number?: undefined;
2409
+ head?: undefined;
2410
+ base?: undefined;
2411
+ draft?: undefined;
2412
+ pr_number?: undefined;
2413
+ merge_method?: undefined;
2414
+ fields?: undefined;
2415
+ mimeType?: undefined;
2416
+ content_base64?: undefined;
2417
+ parent_folder_id?: undefined;
2418
+ folder_id?: undefined;
2419
+ q?: undefined;
2420
+ page_size?: undefined;
2421
+ jql?: undefined;
2422
+ maxResults?: undefined;
2423
+ startAt?: undefined;
2424
+ issueIdOrKey?: undefined;
2425
+ projectKeyOrId?: undefined;
2426
+ type?: undefined;
2427
+ boardId?: undefined;
2428
+ state?: undefined;
2429
+ sprintId?: undefined;
2430
+ projectKey?: undefined;
2431
+ summary?: undefined;
2432
+ description?: undefined;
2433
+ issueType?: undefined;
2434
+ priority?: undefined;
2435
+ assignee?: undefined;
2436
+ };
2437
+ additionalProperties: boolean;
2438
+ required?: undefined;
2439
+ };
2440
+ constraints: {
2441
+ rate_bucket: string;
2442
+ requires_reviews_passed?: undefined;
2443
+ max_size_mb?: undefined;
2444
+ };
2445
+ effects: string[];
2446
+ risk: string;
2447
+ version: string;
2448
+ } | {
2449
+ action: string;
2450
+ resource_type: string;
2451
+ required_relations: string[];
2452
+ required_scopes: string[];
2453
+ capability: string;
2454
+ input_schema: {
2455
+ type: string;
2456
+ properties: {
2457
+ projectKeyOrId: {
2458
+ type: string;
2459
+ };
2460
+ type: {
2461
+ type: string;
2462
+ };
2463
+ text?: undefined;
2464
+ thread_ts?: undefined;
2465
+ attachments?: undefined;
2466
+ latest?: undefined;
2467
+ oldest?: undefined;
2468
+ limit?: undefined;
2469
+ name?: undefined;
2470
+ timestamp?: undefined;
2471
+ path?: undefined;
2472
+ ref?: undefined;
2473
+ title?: undefined;
2474
+ body?: undefined;
2475
+ labels?: undefined;
2476
+ assignees?: undefined;
2477
+ issue_number?: undefined;
2478
+ head?: undefined;
2479
+ base?: undefined;
2480
+ draft?: undefined;
2481
+ pr_number?: undefined;
2482
+ merge_method?: undefined;
2483
+ fields?: undefined;
2484
+ mimeType?: undefined;
2485
+ content_base64?: undefined;
2486
+ parent_folder_id?: undefined;
2487
+ folder_id?: undefined;
2488
+ q?: undefined;
2489
+ page_size?: undefined;
2490
+ jql?: undefined;
2491
+ maxResults?: undefined;
2492
+ startAt?: undefined;
2493
+ issueIdOrKey?: undefined;
2494
+ recent?: undefined;
2495
+ boardId?: undefined;
2496
+ state?: undefined;
2497
+ sprintId?: undefined;
2498
+ projectKey?: undefined;
2499
+ summary?: undefined;
2500
+ description?: undefined;
2501
+ issueType?: undefined;
2502
+ priority?: undefined;
2503
+ assignee?: undefined;
2504
+ };
2505
+ additionalProperties: boolean;
2506
+ required?: undefined;
2507
+ };
2508
+ constraints: {
2509
+ rate_bucket: string;
2510
+ requires_reviews_passed?: undefined;
2511
+ max_size_mb?: undefined;
2512
+ };
2513
+ effects: string[];
2514
+ risk: string;
2515
+ version: string;
2516
+ } | {
2517
+ action: string;
2518
+ resource_type: string;
2519
+ required_relations: string[];
2520
+ required_scopes: string[];
2521
+ capability: string;
2522
+ input_schema: {
2523
+ type: string;
2524
+ properties: {
2525
+ boardId: {
2526
+ type: string;
2527
+ minimum: number;
2528
+ };
2529
+ state: {
2530
+ type: string;
2531
+ };
2532
+ text?: undefined;
2533
+ thread_ts?: undefined;
2534
+ attachments?: undefined;
2535
+ latest?: undefined;
2536
+ oldest?: undefined;
2537
+ limit?: undefined;
2538
+ name?: undefined;
2539
+ timestamp?: undefined;
2540
+ path?: undefined;
2541
+ ref?: undefined;
2542
+ title?: undefined;
2543
+ body?: undefined;
2544
+ labels?: undefined;
2545
+ assignees?: undefined;
2546
+ issue_number?: undefined;
2547
+ head?: undefined;
2548
+ base?: undefined;
2549
+ draft?: undefined;
2550
+ pr_number?: undefined;
2551
+ merge_method?: undefined;
2552
+ fields?: undefined;
2553
+ mimeType?: undefined;
2554
+ content_base64?: undefined;
2555
+ parent_folder_id?: undefined;
2556
+ folder_id?: undefined;
2557
+ q?: undefined;
2558
+ page_size?: undefined;
2559
+ jql?: undefined;
2560
+ maxResults?: undefined;
2561
+ startAt?: undefined;
2562
+ issueIdOrKey?: undefined;
2563
+ recent?: undefined;
2564
+ projectKeyOrId?: undefined;
2565
+ type?: undefined;
2566
+ sprintId?: undefined;
2567
+ projectKey?: undefined;
2568
+ summary?: undefined;
2569
+ description?: undefined;
2570
+ issueType?: undefined;
2571
+ priority?: undefined;
2572
+ assignee?: undefined;
2573
+ };
2574
+ required: string[];
2575
+ additionalProperties: boolean;
2576
+ };
2577
+ constraints: {
2578
+ rate_bucket: string;
2579
+ requires_reviews_passed?: undefined;
2580
+ max_size_mb?: undefined;
2581
+ };
2582
+ effects: string[];
2583
+ risk: string;
2584
+ version: string;
2585
+ } | {
2586
+ action: string;
2587
+ resource_type: string;
2588
+ required_relations: string[];
2589
+ required_scopes: string[];
2590
+ capability: string;
2591
+ input_schema: {
2592
+ type: string;
2593
+ properties: {
2594
+ sprintId: {
2595
+ type: string;
2596
+ minimum: number;
2597
+ };
2598
+ maxResults: {
2599
+ type: string;
2600
+ minimum: number;
2601
+ maximum: number;
2602
+ };
2603
+ text?: undefined;
2604
+ thread_ts?: undefined;
2605
+ attachments?: undefined;
2606
+ latest?: undefined;
2607
+ oldest?: undefined;
2608
+ limit?: undefined;
2609
+ name?: undefined;
2610
+ timestamp?: undefined;
2611
+ path?: undefined;
2612
+ ref?: undefined;
2613
+ title?: undefined;
2614
+ body?: undefined;
2615
+ labels?: undefined;
2616
+ assignees?: undefined;
2617
+ issue_number?: undefined;
2618
+ head?: undefined;
2619
+ base?: undefined;
2620
+ draft?: undefined;
2621
+ pr_number?: undefined;
2622
+ merge_method?: undefined;
2623
+ fields?: undefined;
2624
+ mimeType?: undefined;
2625
+ content_base64?: undefined;
2626
+ parent_folder_id?: undefined;
2627
+ folder_id?: undefined;
2628
+ q?: undefined;
2629
+ page_size?: undefined;
2630
+ jql?: undefined;
2631
+ startAt?: undefined;
2632
+ issueIdOrKey?: undefined;
2633
+ recent?: undefined;
2634
+ projectKeyOrId?: undefined;
2635
+ type?: undefined;
2636
+ boardId?: undefined;
2637
+ state?: undefined;
2638
+ projectKey?: undefined;
2639
+ summary?: undefined;
2640
+ description?: undefined;
2641
+ issueType?: undefined;
2642
+ priority?: undefined;
2643
+ assignee?: undefined;
2644
+ };
2645
+ required: string[];
2646
+ additionalProperties: boolean;
2647
+ };
2648
+ constraints: {
2649
+ rate_bucket: string;
2650
+ requires_reviews_passed?: undefined;
2651
+ max_size_mb?: undefined;
2652
+ };
2653
+ effects: string[];
2654
+ risk: string;
2655
+ version: string;
2656
+ } | {
2657
+ action: string;
2658
+ resource_type: string;
2659
+ required_relations: string[];
2660
+ required_scopes: string[];
2661
+ capability: string;
2662
+ input_schema: {
2663
+ type: string;
2664
+ properties: {
2665
+ projectKey: {
2666
+ type: string;
2667
+ minLength: number;
2668
+ };
2669
+ summary: {
2670
+ type: string;
2671
+ minLength: number;
2672
+ };
2673
+ description: {
2674
+ type: string;
2675
+ };
2676
+ issueType: {
2677
+ type: string;
2678
+ minLength: number;
2679
+ };
2680
+ priority: {
2681
+ type: string;
2682
+ };
2683
+ assignee: {
2684
+ type: string;
2685
+ };
2686
+ text?: undefined;
2687
+ thread_ts?: undefined;
2688
+ attachments?: undefined;
2689
+ latest?: undefined;
2690
+ oldest?: undefined;
2691
+ limit?: undefined;
2692
+ name?: undefined;
2693
+ timestamp?: undefined;
2694
+ path?: undefined;
2695
+ ref?: undefined;
2696
+ title?: undefined;
2697
+ body?: undefined;
2698
+ labels?: undefined;
2699
+ assignees?: undefined;
2700
+ issue_number?: undefined;
2701
+ head?: undefined;
2702
+ base?: undefined;
2703
+ draft?: undefined;
2704
+ pr_number?: undefined;
2705
+ merge_method?: undefined;
2706
+ fields?: undefined;
2707
+ mimeType?: undefined;
2708
+ content_base64?: undefined;
2709
+ parent_folder_id?: undefined;
2710
+ folder_id?: undefined;
2711
+ q?: undefined;
2712
+ page_size?: undefined;
2713
+ jql?: undefined;
2714
+ maxResults?: undefined;
2715
+ startAt?: undefined;
2716
+ issueIdOrKey?: undefined;
2717
+ recent?: undefined;
2718
+ projectKeyOrId?: undefined;
2719
+ type?: undefined;
2720
+ boardId?: undefined;
2721
+ state?: undefined;
2722
+ sprintId?: undefined;
2723
+ };
2724
+ required: string[];
2725
+ additionalProperties: boolean;
2726
+ };
2727
+ constraints: {
2728
+ rate_bucket: string;
2729
+ requires_reviews_passed?: undefined;
2730
+ max_size_mb?: undefined;
2731
+ };
2732
+ effects: string[];
2733
+ risk: string;
2734
+ version: string;
2735
+ })[];
2736
+ capabilities: {
2737
+ capability: string;
2738
+ description: string;
2739
+ includes: string[];
2740
+ version: string;
2741
+ }[];
2742
+ };
2743
+
2744
+ interface KeyPair {
2745
+ publicKey: any;
2746
+ privateKey: any;
2747
+ }
2748
+ declare function generateKeyPair(): Promise<KeyPair>;
2749
+ declare function signJWT(payload: any, privateKey: any, options?: {
2750
+ issuer?: string;
2751
+ audience?: string;
2752
+ expiresIn?: string;
2753
+ notBefore?: string;
2754
+ subject?: string;
2755
+ jti?: string;
2756
+ }): Promise<string>;
2757
+ declare function verifyJWT(jwt: string, publicKey: any, options?: {
2758
+ issuer?: string;
2759
+ audience?: string;
2760
+ }): Promise<jose.JWTPayload>;
2761
+ declare function generateNonce(): string;
2762
+
2763
+ declare class SDJwtClient {
2764
+ private static instances;
2765
+ private static keyManager;
2766
+ private static signerCache;
2767
+ private static verifierCache;
2768
+ private constructor();
2769
+ /**
2770
+ * Initialize with KeyManager for DID-based key management
2771
+ */
2772
+ static setKeyManager(keyManager: KeyManager): void;
2773
+ /**
2774
+ * Get SDJwtVcInstance for issuer role (VC issuance)
2775
+ */
2776
+ static getIssuerInstance(issuerDid: string): Promise<SDJwtVcInstance>;
2777
+ /**
2778
+ * Get SDJwtVcInstance for holder role (VP presentation)
2779
+ */
2780
+ static getHolderInstance(holderDid: string): Promise<SDJwtVcInstance>;
2781
+ /**
2782
+ * Get SDJwtVcInstance with specified role (backward compatibility)
2783
+ */
2784
+ static getSDJwtInstance(did: string, options?: {
2785
+ role?: 'issuer' | 'holder';
2786
+ }): Promise<SDJwtVcInstance>;
2787
+ /**
2788
+ * Create a new SDJwtVcInstance with DID-based keys and role
2789
+ */
2790
+ private static createInstance;
2791
+ /**
2792
+ * Create disclosure frame for selective disclosure
2793
+ */
2794
+ static createDisclosureFrame<T extends Record<string, any>>(claims: T, selectivelyDisclosable?: string[]): DisclosureFrame<T>;
2795
+ /**
2796
+ * Issue an SD-JWT with selective disclosure
2797
+ */
2798
+ static issueSDJWT(payload: Record<string, any>, _privateKey: any, // Not used since we get key from KeyManager based on issuer DID
2799
+ selectiveDisclosureFields?: string[]): Promise<string>;
2800
+ /**
2801
+ * Verify an SD-JWT
2802
+ */
2803
+ static verifySDJWT(credential: string): Promise<{
2804
+ valid: boolean;
2805
+ payload?: any;
2806
+ error?: string;
2807
+ }>;
2808
+ /**
2809
+ * Legacy methods for backward compatibility
2810
+ */
2811
+ static createSignerVerifier(): Promise<{
2812
+ signer: (data: string) => Promise<string>;
2813
+ verifier: (data: string, signatureBase64url: string) => Promise<boolean>;
2814
+ }>;
2815
+ static generateKeyPair(): Promise<KeyPair>;
2816
+ /**
2817
+ * Clear caches for optimization
2818
+ */
2819
+ static clearCaches(): void;
2820
+ /**
2821
+ * Clear cache for specific issuer
2822
+ */
2823
+ static clearIssuerCache(issuerDid: string): void;
2824
+ /**
2825
+ * Get cache statistics
2826
+ */
2827
+ static getCacheStats(): {
2828
+ instanceCount: number;
2829
+ signerCount: number;
2830
+ verifierCount: number;
2831
+ };
2832
+ /**
2833
+ * Create a verifier function from an external public key
2834
+ * This is used for verifying SD-JWTs when you don't have the private key
2835
+ * (e.g., API side verifying credentials issued by MCP)
2836
+ */
2837
+ private static getVerifierFromPublicKey;
2838
+ /**
2839
+ * Get SDJwtVcInstance for verification with an external public key
2840
+ * Used when verifying credentials without having the issuer's private key
2841
+ */
2842
+ private static getVerificationInstance;
2843
+ /**
2844
+ * Get SDJwtVcInstance for decoding without verification
2845
+ */
2846
+ private static getDecodingInstance;
2847
+ /**
2848
+ * Verify an SD-JWT with an external public key
2849
+ * Use this when you have the issuer's public key but not their private key
2850
+ *
2851
+ * @param credential - The SD-JWT credential string
2852
+ * @param publicKey - The issuer's public key (JWK format)
2853
+ * @returns Verification result with valid flag and payload
2854
+ *
2855
+ * @example
2856
+ * ```typescript
2857
+ * const publicKey = extractPublicKeyFromDid(issuerDid)
2858
+ * const result = await SDJwtClient.verifyWithExternalKey(credential, publicKey)
2859
+ * if (result.valid) {
2860
+ * console.log('Verified claims:', result.payload.claims)
2861
+ * }
2862
+ * ```
2863
+ */
2864
+ static verifyWithExternalKey(credential: string, publicKey: JWK): Promise<{
2865
+ valid: boolean;
2866
+ payload?: any;
2867
+ claims?: any;
2868
+ error?: string;
2869
+ }>;
2870
+ /**
2871
+ * Verify an SD-JWT by extracting the issuer's public key from the DID
2872
+ * Automatically resolves did:jwk DIDs
2873
+ *
2874
+ * @param credential - The SD-JWT credential string
2875
+ * @returns Verification result with valid flag and payload
2876
+ *
2877
+ * @example
2878
+ * ```typescript
2879
+ * const result = await SDJwtClient.verifyWithIssuerDid(credential)
2880
+ * if (result.valid) {
2881
+ * console.log('Issuer:', result.payload.iss)
2882
+ * }
2883
+ * ```
2884
+ */
2885
+ static verifyWithIssuerDid(credential: string): Promise<{
2886
+ valid: boolean;
2887
+ payload?: any;
2888
+ claims?: any;
2889
+ issuerDid?: string;
2890
+ error?: string;
2891
+ }>;
2892
+ /**
2893
+ * Decode an SD-JWT without verification
2894
+ * Use this when you need to inspect the credential before verification
2895
+ * or when you don't have the issuer's public key
2896
+ *
2897
+ * WARNING: The returned payload has not been verified!
2898
+ * Only use this for inspection purposes, not for authorization decisions.
2899
+ *
2900
+ * @param credential - The SD-JWT credential string
2901
+ * @returns Decoded JWT payload, header, and disclosures
2902
+ *
2903
+ * @example
2904
+ * ```typescript
2905
+ * const decoded = await SDJwtClient.decodeWithoutVerification(credential)
2906
+ * console.log('Issuer (unverified):', decoded.payload?.iss)
2907
+ * console.log('Disclosures:', decoded.disclosures?.length)
2908
+ * ```
2909
+ */
2910
+ static decodeWithoutVerification(credential: string): Promise<{
2911
+ payload?: any;
2912
+ header?: any;
2913
+ disclosures?: any[];
2914
+ claims?: any;
2915
+ error?: string;
2916
+ }>;
2917
+ /**
2918
+ * Extract issuer DID from an SD-JWT without verification
2919
+ * Useful for determining the issuer before verification
2920
+ *
2921
+ * @param credential - The SD-JWT credential string
2922
+ * @returns The issuer DID or null if not found
2923
+ */
2924
+ static extractIssuerDid(credential: string): string | null;
2925
+ }
2926
+
2927
+ /**
2928
+ * DID Utilities
2929
+ *
2930
+ * Common utility functions for DID operations.
2931
+ * These functions are shared across AgentDIDManager, EphemeralDIDManager,
2932
+ * UserIdentityManager, and UserRootDIDManager.
2933
+ */
2934
+
2935
+ /**
2936
+ * Public key JWK properties for did:jwk creation
2937
+ */
2938
+ interface PublicKeyJWK {
2939
+ kty: string;
2940
+ crv?: string;
2941
+ x?: string;
2942
+ y?: string;
2943
+ use?: string;
2944
+ alg?: string;
2945
+ }
2946
+ /**
2947
+ * Create did:jwk from a public key JWK
2948
+ *
2949
+ * @param publicKey - The public key JWK (can include private key fields, they will be filtered)
2950
+ * @returns The did:jwk string
2951
+ *
2952
+ * @example
2953
+ * ```typescript
2954
+ * const keyPair = await SDJwtClient.generateKeyPair()
2955
+ * const did = createDidJwk(keyPair.publicKey)
2956
+ * // => did:jwk:eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6Ii4uLiIsInkiOiIuLi4ifQ
2957
+ * ```
2958
+ */
2959
+ declare function createDidJwk(publicKey: JWK | PublicKeyJWK): string;
2960
+ /**
2961
+ * Extract public key JWK from a private key JWK
2962
+ *
2963
+ * @param privateKey - The private key JWK containing the 'd' parameter
2964
+ * @returns The public key JWK (without private key material)
2965
+ *
2966
+ * @example
2967
+ * ```typescript
2968
+ * const keyPair = await SDJwtClient.generateKeyPair()
2969
+ * const publicKey = extractPublicKey(keyPair.privateKey)
2970
+ * ```
2971
+ */
2972
+ declare function extractPublicKey(privateKey: JWK): JWK;
2973
+ /**
2974
+ * Extract public key JWK from a did:jwk string
2975
+ *
2976
+ * @param did - The did:jwk string
2977
+ * @returns The public key JWK decoded from the DID
2978
+ * @throws Error if the DID is not in did:jwk format
2979
+ *
2980
+ * @example
2981
+ * ```typescript
2982
+ * const publicKey = extractPublicKeyFromDid('did:jwk:eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6Ii4uLiIsInkiOiIuLi4ifQ')
2983
+ * ```
2984
+ */
2985
+ declare function extractPublicKeyFromDid(did: string): JWK;
2986
+ /**
2987
+ * Validate that a string is a valid did:jwk
2988
+ *
2989
+ * @param did - The string to validate
2990
+ * @returns true if valid did:jwk, false otherwise
2991
+ */
2992
+ declare function isValidDidJwk(did: string): boolean;
2993
+ /**
2994
+ * Get the key ID (kid) from a did:jwk
2995
+ * Following the did:jwk specification, the key ID is the DID with #0 appended
2996
+ *
2997
+ * @param did - The did:jwk string
2998
+ * @returns The key ID
2999
+ */
3000
+ declare function getKeyIdFromDid(did: string): string;
3001
+
3002
+ declare const version = "0.0.1";
3003
+
3004
+ export { type ABACPolicyEngine, ACTION_REGISTRY, AIdentityClient, type AIdentityConfig, APIVCManager, type AbacDecision, type AbacInput, type ActionMeta, type ActionRegistry, AgentDIDManager, AgentManager, AllowAllAbac, type CapabilityMeta, type CheckPermissionInput, type CheckPermissionResult, ConstraintEvaluator, type ConstraintEvaluatorOptions, type CredentialDisclosureConfig, type CredentialRef, type CredentialStatusInfo, type CredentialStore, type DecisionTrace, DisclosureConfigManager, DummyCreds, DummyVpVerifier, FilesystemKeyStorage, type JsonSchema, KeyManager, type KeyRotationConfig, type KeyRotationInfo, KeyRotationManager, type KeyStorageConfig, type KeyStorageProvider, type MemoryDocument, MemoryKeyStorage, MemoryManager, type MemoryQuery, type MemoryQueryResult, MetricsManager, type OperationMetric, type OrganizationDisclosureConfig, type PlanDelegationInput, type PlanDelegationResult, type Provider, type ReBACChecker, type Relation, type ResourceRef, type ResourceScope, type ResourceType, type RevocationList, type RevocationListEntry, RevocationManager, type SDJWTMetrics, SDJwtClient, SimpleRebac, type ToolDefinition, ToolManager, UserIdentityManager, VCManager, VPManager, type VerifiedVcClaims, type VpVerifier, checkPermissionWithVP, configure, createAjv, createDidJwk, defaultConstraintEvaluator, evaluateConstraints, extractPublicKey, extractPublicKeyFromDid, generateKeyPair, generateNonce, getClient, getKeyIdFromDid, getRequiredRelations, getRequiredScopes, indexActions, indexCapabilities, isValidDidJwk, loadActionRegistryFromFile, loadActionRegistryFromObject, planDelegationForVC, resolveActionsFromSelection, signJWT, validateRegistryObject, verifyJWT, version };