@vorionsys/contracts 0.1.0 → 0.1.1

package/dist/car/jwt-claims.d.ts

@@ -0,0 +1,1364 @@
+/**
+ * @fileoverview CAR JWT Claims for OpenID Connect
+ *
+ * Defines JWT claim structures for CAR-aware authentication and authorization.
+ * These claims extend standard OIDC claims with CAR-specific information,
+ * enabling capability-based access control in JWT tokens.
+ *
+ * @module @vorionsys/contracts/car/jwt-claims
+ */
+import { z } from 'zod';
+import { type DomainCode } from './domains.js';
+import { CapabilityLevel } from './levels.js';
+import { CertificationTier, RuntimeTier } from './tiers.js';
+import { type ParsedCAR } from './car-string.js';
+/**
+ * Standard JWT claims (RFC 7519).
+ */
+export interface StandardJWTClaims {
+    /** Issuer */
+    iss?: string;
+    /** Subject */
+    sub?: string;
+    /** Audience */
+    aud?: string | string[];
+    /** Expiration time (Unix timestamp) */
+    exp?: number;
+    /** Not before (Unix timestamp) */
+    nbf?: number;
+    /** Issued at (Unix timestamp) */
+    iat?: number;
+    /** JWT ID */
+    jti?: string;
+}
+/**
+ * Zod schema for StandardJWTClaims.
+ */
+export declare const standardJWTClaimsSchema: z.ZodObject<{
+    iss: z.ZodOptional<z.ZodString>;
+    sub: z.ZodOptional<z.ZodString>;
+    aud: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>>;
+    exp: z.ZodOptional<z.ZodNumber>;
+    nbf: z.ZodOptional<z.ZodNumber>;
+    iat: z.ZodOptional<z.ZodNumber>;
+    jti: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    sub?: string | undefined;
+    jti?: string | undefined;
+    iss?: string | undefined;
+    aud?: string | string[] | undefined;
+    exp?: number | undefined;
+    nbf?: number | undefined;
+    iat?: number | undefined;
+}, {
+    sub?: string | undefined;
+    jti?: string | undefined;
+    iss?: string | undefined;
+    aud?: string | string[] | undefined;
+    exp?: number | undefined;
+    nbf?: number | undefined;
+    iat?: number | undefined;
+}>;
+/**
+ * CAR-specific JWT claims.
+ *
+ * These claims encode agent capabilities in JWT tokens for use in
+ * authentication and authorization flows.
+ *
+ * NOTE: `car_trust` is OPTIONAL because trust tier is NOT embedded in the CAR.
+ * Trust comes from attestations at runtime. If attestations are included,
+ * the highest valid attestation tier should be used for `car_trust`.
+ */
+export interface CARJWTClaims extends StandardJWTClaims {
+    /** Full CAR string (immutable identifier, no trust info) */
+    car: string;
+    /** @deprecated Use car instead */
+    aci?: string;
+    /** Domain bitmask for efficient validation */
+    car_domains: number;
+    /** @deprecated Use car_domains instead */
+    aci_domains?: number;
+    /** Domain codes array for readability */
+    car_domains_list: DomainCode[];
+    /** @deprecated Use car_domains_list instead */
+    aci_domains_list?: DomainCode[];
+    /** Capability level */
+    car_level: CapabilityLevel;
+    /** @deprecated Use car_level instead */
+    aci_level?: CapabilityLevel;
+    /**
+     * Certification tier from attestations (OPTIONAL).
+     * This is NOT from the CAR itself - it comes from valid attestations.
+     * Defaults to T0 if no attestations exist.
+     */
+    car_trust?: CertificationTier;
+    /** @deprecated Use car_trust instead */
+    aci_trust?: CertificationTier;
+    /** Registry */
+    car_registry: string;
+    /** @deprecated Use car_registry instead */
+    aci_registry?: string;
+    /** Organization */
+    car_org: string;
+    /** @deprecated Use car_org instead */
+    aci_org?: string;
+    /** Agent class */
+    car_class: string;
+    /** @deprecated Use car_class instead */
+    aci_class?: string;
+    /** CAR version */
+    car_version: string;
+    /** @deprecated Use car_version instead */
+    aci_version?: string;
+    /** Agent DID (optional) */
+    car_did?: string;
+    /** @deprecated Use car_did instead */
+    aci_did?: string;
+    /** Runtime tier in current context (optional) */
+    car_runtime_tier?: RuntimeTier;
+    /** @deprecated Use car_runtime_tier instead */
+    aci_runtime_tier?: RuntimeTier;
+    /** Attestation summaries - source of car_trust value */
+    car_attestations?: CARAttestationClaim[];
+    /** @deprecated Use car_attestations instead */
+    aci_attestations?: CARAttestationClaim[];
+    /** Effective permission ceiling (optional) */
+    car_permission_ceiling?: number;
+    /** @deprecated Use car_permission_ceiling instead */
+    aci_permission_ceiling?: number;
+    /** Session-specific constraints (optional) */
+    car_constraints?: CARConstraintsClaim;
+    /** @deprecated Use car_constraints instead */
+    aci_constraints?: CARConstraintsClaim;
+}
+/** @deprecated Use CARJWTClaims instead */
+export type ACIJWTClaims = CARJWTClaims;
+/**
+ * Attestation claim for JWT.
+ * Attestations are the SOURCE of trust tier, not the CAR.
+ */
+export interface CARAttestationClaim {
+    /** Issuer DID */
+    iss: string;
+    /** Certified trust tier from this attestation */
+    tier: CertificationTier;
+    /** Attestation scope (domains covered) */
+    scope: string;
+    /** Issued at (Unix timestamp) */
+    iat: number;
+    /** Expiration (Unix timestamp) */
+    exp: number;
+    /** Evidence URL (optional) */
+    evidence?: string;
+}
+/** @deprecated Use CARAttestationClaim instead */
+export type ACIAttestationClaim = CARAttestationClaim;
+/**
+ * Constraints claim for session-specific limitations.
+ */
+export interface CARConstraintsClaim {
+    /** Maximum operations allowed in this session */
+    max_operations?: number;
+    /** Allowed resource patterns */
+    allowed_resources?: string[];
+    /** Blocked resource patterns */
+    blocked_resources?: string[];
+    /** Time window end (Unix timestamp) */
+    valid_until?: number;
+    /** Required human approval for actions */
+    requires_approval?: boolean;
+    /** Custom constraints */
+    custom?: Record<string, unknown>;
+}
+/** @deprecated Use CARConstraintsClaim instead */
+export type ACIConstraintsClaim = CARConstraintsClaim;
+/**
+ * Zod schema for CARAttestationClaim.
+ */
+export declare const carAttestationClaimSchema: z.ZodObject<{
+    iss: z.ZodString;
+    tier: z.ZodNativeEnum<typeof CertificationTier>;
+    scope: z.ZodString;
+    iat: z.ZodNumber;
+    exp: z.ZodNumber;
+    evidence: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    scope: string;
+    tier: CertificationTier;
+    iss: string;
+    exp: number;
+    iat: number;
+    evidence?: string | undefined;
+}, {
+    scope: string;
+    tier: CertificationTier;
+    iss: string;
+    exp: number;
+    iat: number;
+    evidence?: string | undefined;
+}>;
+/** @deprecated Use carAttestationClaimSchema instead */
+export declare const aciAttestationClaimSchema: z.ZodObject<{
+    iss: z.ZodString;
+    tier: z.ZodNativeEnum<typeof CertificationTier>;
+    scope: z.ZodString;
+    iat: z.ZodNumber;
+    exp: z.ZodNumber;
+    evidence: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    scope: string;
+    tier: CertificationTier;
+    iss: string;
+    exp: number;
+    iat: number;
+    evidence?: string | undefined;
+}, {
+    scope: string;
+    tier: CertificationTier;
+    iss: string;
+    exp: number;
+    iat: number;
+    evidence?: string | undefined;
+}>;
+/**
+ * Zod schema for CARConstraintsClaim.
+ */
+export declare const carConstraintsClaimSchema: z.ZodObject<{
+    max_operations: z.ZodOptional<z.ZodNumber>;
+    allowed_resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    blocked_resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    valid_until: z.ZodOptional<z.ZodNumber>;
+    requires_approval: z.ZodOptional<z.ZodBoolean>;
+    custom: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, "strip", z.ZodTypeAny, {
+    custom?: Record<string, unknown> | undefined;
+    requires_approval?: boolean | undefined;
+    max_operations?: number | undefined;
+    allowed_resources?: string[] | undefined;
+    blocked_resources?: string[] | undefined;
+    valid_until?: number | undefined;
+}, {
+    custom?: Record<string, unknown> | undefined;
+    requires_approval?: boolean | undefined;
+    max_operations?: number | undefined;
+    allowed_resources?: string[] | undefined;
+    blocked_resources?: string[] | undefined;
+    valid_until?: number | undefined;
+}>;
+/** @deprecated Use carConstraintsClaimSchema instead */
+export declare const aciConstraintsClaimSchema: z.ZodObject<{
+    max_operations: z.ZodOptional<z.ZodNumber>;
+    allowed_resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    blocked_resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    valid_until: z.ZodOptional<z.ZodNumber>;
+    requires_approval: z.ZodOptional<z.ZodBoolean>;
+    custom: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, "strip", z.ZodTypeAny, {
+    custom?: Record<string, unknown> | undefined;
+    requires_approval?: boolean | undefined;
+    max_operations?: number | undefined;
+    allowed_resources?: string[] | undefined;
+    blocked_resources?: string[] | undefined;
+    valid_until?: number | undefined;
+}, {
+    custom?: Record<string, unknown> | undefined;
+    requires_approval?: boolean | undefined;
+    max_operations?: number | undefined;
+    allowed_resources?: string[] | undefined;
+    blocked_resources?: string[] | undefined;
+    valid_until?: number | undefined;
+}>;
+/**
+ * Zod schema for CARJWTClaims validation.
+ */
+export declare const carJWTClaimsSchema: z.ZodObject<{
+    iss: z.ZodOptional<z.ZodString>;
+    sub: z.ZodOptional<z.ZodString>;
+    aud: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>>;
+    exp: z.ZodOptional<z.ZodNumber>;
+    nbf: z.ZodOptional<z.ZodNumber>;
+    iat: z.ZodOptional<z.ZodNumber>;
+    jti: z.ZodOptional<z.ZodString>;
+} & {
+    car: z.ZodString;
+    aci: z.ZodOptional<z.ZodString>;
+    car_domains: z.ZodNumber;
+    aci_domains: z.ZodOptional<z.ZodNumber>;
+    car_domains_list: z.ZodArray<z.ZodEnum<["A", "B", "C", "D", "E", "F", "G", "H", "I", "S"]>, "many">;
+    aci_domains_list: z.ZodOptional<z.ZodArray<z.ZodEnum<["A", "B", "C", "D", "E", "F", "G", "H", "I", "S"]>, "many">>;
+    car_level: z.ZodNativeEnum<typeof CapabilityLevel>;
+    aci_level: z.ZodOptional<z.ZodNativeEnum<typeof CapabilityLevel>>;
+    car_trust: z.ZodOptional<z.ZodNativeEnum<typeof CertificationTier>>;
+    aci_trust: z.ZodOptional<z.ZodNativeEnum<typeof CertificationTier>>;
+    car_registry: z.ZodString;
+    aci_registry: z.ZodOptional<z.ZodString>;
+    car_org: z.ZodString;
+    aci_org: z.ZodOptional<z.ZodString>;
+    car_class: z.ZodString;
+    aci_class: z.ZodOptional<z.ZodString>;
+    car_version: z.ZodString;
+    aci_version: z.ZodOptional<z.ZodString>;
+    car_did: z.ZodOptional<z.ZodString>;
+    aci_did: z.ZodOptional<z.ZodString>;
+    car_runtime_tier: z.ZodOptional<z.ZodNativeEnum<typeof RuntimeTier>>;
+    aci_runtime_tier: z.ZodOptional<z.ZodNativeEnum<typeof RuntimeTier>>;
+    car_attestations: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        iss: z.ZodString;
+        tier: z.ZodNativeEnum<typeof CertificationTier>;
+        scope: z.ZodString;
+        iat: z.ZodNumber;
+        exp: z.ZodNumber;
+        evidence: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        scope: string;
+        tier: CertificationTier;
+        iss: string;
+        exp: number;
+        iat: number;
+        evidence?: string | undefined;
+    }, {
+        scope: string;
+        tier: CertificationTier;
+        iss: string;
+        exp: number;
+        iat: number;
+        evidence?: string | undefined;
+    }>, "many">>;
+    aci_attestations: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        iss: z.ZodString;
+        tier: z.ZodNativeEnum<typeof CertificationTier>;
+        scope: z.ZodString;
+        iat: z.ZodNumber;
+        exp: z.ZodNumber;
+        evidence: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        scope: string;
+        tier: CertificationTier;
+        iss: string;
+        exp: number;
+        iat: number;
+        evidence?: string | undefined;
+    }, {
+        scope: string;
+        tier: CertificationTier;
+        iss: string;
+        exp: number;
+        iat: number;
+        evidence?: string | undefined;
+    }>, "many">>;
+    car_permission_ceiling: z.ZodOptional<z.ZodNumber>;
+    aci_permission_ceiling: z.ZodOptional<z.ZodNumber>;
+    car_constraints: z.ZodOptional<z.ZodObject<{
+        max_operations: z.ZodOptional<z.ZodNumber>;
+        allowed_resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        blocked_resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        valid_until: z.ZodOptional<z.ZodNumber>;
+        requires_approval: z.ZodOptional<z.ZodBoolean>;
+        custom: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, "strip", z.ZodTypeAny, {
+        custom?: Record<string, unknown> | undefined;
+        requires_approval?: boolean | undefined;
+        max_operations?: number | undefined;
+        allowed_resources?: string[] | undefined;
+        blocked_resources?: string[] | undefined;
+        valid_until?: number | undefined;
+    }, {
+        custom?: Record<string, unknown> | undefined;
+        requires_approval?: boolean | undefined;
+        max_operations?: number | undefined;
+        allowed_resources?: string[] | undefined;
+        blocked_resources?: string[] | undefined;
+        valid_until?: number | undefined;
+    }>>;
+    aci_constraints: z.ZodOptional<z.ZodObject<{
+        max_operations: z.ZodOptional<z.ZodNumber>;
+        allowed_resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        blocked_resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        valid_until: z.ZodOptional<z.ZodNumber>;
+        requires_approval: z.ZodOptional<z.ZodBoolean>;
+        custom: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, "strip", z.ZodTypeAny, {
+        custom?: Record<string, unknown> | undefined;
+        requires_approval?: boolean | undefined;
+        max_operations?: number | undefined;
+        allowed_resources?: string[] | undefined;
+        blocked_resources?: string[] | undefined;
+        valid_until?: number | undefined;
+    }, {
+        custom?: Record<string, unknown> | undefined;
+        requires_approval?: boolean | undefined;
+        max_operations?: number | undefined;
+        allowed_resources?: string[] | undefined;
+        blocked_resources?: string[] | undefined;
+        valid_until?: number | undefined;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    car: string;
+    car_domains: number;
+    car_domains_list: ("A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "S")[];
+    car_level: CapabilityLevel;
+    car_registry: string;
+    car_org: string;
+    car_class: string;
+    car_version: string;
+    aci?: string | undefined;
+    sub?: string | undefined;
+    jti?: string | undefined;
+    iss?: string | undefined;
+    aud?: string | string[] | undefined;
+    exp?: number | undefined;
+    nbf?: number | undefined;
+    iat?: number | undefined;
+    aci_domains?: number | undefined;
+    aci_domains_list?: ("A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "S")[] | undefined;
+    aci_level?: CapabilityLevel | undefined;
+    aci_trust?: CertificationTier | undefined;
+    aci_registry?: string | undefined;
+    aci_org?: string | undefined;
+    aci_class?: string | undefined;
+    aci_version?: string | undefined;
+    aci_did?: string | undefined;
+    aci_runtime_tier?: RuntimeTier | undefined;
+    aci_attestations?: {
+        scope: string;
+        tier: CertificationTier;
+        iss: string;
+        exp: number;
+        iat: number;
+        evidence?: string | undefined;
+    }[] | undefined;
+    aci_permission_ceiling?: number | undefined;
+    aci_constraints?: {
+        custom?: Record<string, unknown> | undefined;
+        requires_approval?: boolean | undefined;
+        max_operations?: number | undefined;
+        allowed_resources?: string[] | undefined;
+        blocked_resources?: string[] | undefined;
+        valid_until?: number | undefined;
+    } | undefined;
+    car_trust?: CertificationTier | undefined;
+    car_did?: string | undefined;
+    car_runtime_tier?: RuntimeTier | undefined;
+    car_attestations?: {
+        scope: string;
+        tier: CertificationTier;
+        iss: string;
+        exp: number;
+        iat: number;
+        evidence?: string | undefined;
+    }[] | undefined;
+    car_permission_ceiling?: number | undefined;
+    car_constraints?: {
+        custom?: Record<string, unknown> | undefined;
+        requires_approval?: boolean | undefined;
+        max_operations?: number | undefined;
+        allowed_resources?: string[] | undefined;
+        blocked_resources?: string[] | undefined;
+        valid_until?: number | undefined;
+    } | undefined;
+}, {
+    car: string;
+    car_domains: number;
+    car_domains_list: ("A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "S")[];
+    car_level: CapabilityLevel;
+    car_registry: string;
+    car_org: string;
+    car_class: string;
+    car_version: string;
+    aci?: string | undefined;
+    sub?: string | undefined;
+    jti?: string | undefined;
+    iss?: string | undefined;
+    aud?: string | string[] | undefined;
+    exp?: number | undefined;
+    nbf?: number | undefined;
+    iat?: number | undefined;
+    aci_domains?: number | undefined;
+    aci_domains_list?: ("A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "S")[] | undefined;
+    aci_level?: CapabilityLevel | undefined;
+    aci_trust?: CertificationTier | undefined;
+    aci_registry?: string | undefined;
+    aci_org?: string | undefined;
+    aci_class?: string | undefined;
+    aci_version?: string | undefined;
+    aci_did?: string | undefined;
+    aci_runtime_tier?: RuntimeTier | undefined;
+    aci_attestations?: {
+        scope: string;
+        tier: CertificationTier;
+        iss: string;
+        exp: number;
+        iat: number;
+        evidence?: string | undefined;
+    }[] | undefined;
+    aci_permission_ceiling?: number | undefined;
+    aci_constraints?: {
+        custom?: Record<string, unknown> | undefined;
+        requires_approval?: boolean | undefined;
+        max_operations?: number | undefined;
+        allowed_resources?: string[] | undefined;
+        blocked_resources?: string[] | undefined;
+        valid_until?: number | undefined;
+    } | undefined;
+    car_trust?: CertificationTier | undefined;
+    car_did?: string | undefined;
+    car_runtime_tier?: RuntimeTier | undefined;
+    car_attestations?: {
+        scope: string;
+        tier: CertificationTier;
+        iss: string;
+        exp: number;
+        iat: number;
+        evidence?: string | undefined;
+    }[] | undefined;
+    car_permission_ceiling?: number | undefined;
+    car_constraints?: {
+        custom?: Record<string, unknown> | undefined;
+        requires_approval?: boolean | undefined;
+        max_operations?: number | undefined;
+        allowed_resources?: string[] | undefined;
+        blocked_resources?: string[] | undefined;
+        valid_until?: number | undefined;
+    } | undefined;
+}>;
+/** @deprecated Use carJWTClaimsSchema instead */
+export declare const aciJWTClaimsSchema: z.ZodObject<{
+    iss: z.ZodOptional<z.ZodString>;
+    sub: z.ZodOptional<z.ZodString>;
+    aud: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>>;
+    exp: z.ZodOptional<z.ZodNumber>;
+    nbf: z.ZodOptional<z.ZodNumber>;
+    iat: z.ZodOptional<z.ZodNumber>;
+    jti: z.ZodOptional<z.ZodString>;
+} & {
+    car: z.ZodString;
+    aci: z.ZodOptional<z.ZodString>;
+    car_domains: z.ZodNumber;
+    aci_domains: z.ZodOptional<z.ZodNumber>;
+    car_domains_list: z.ZodArray<z.ZodEnum<["A", "B", "C", "D", "E", "F", "G", "H", "I", "S"]>, "many">;
+    aci_domains_list: z.ZodOptional<z.ZodArray<z.ZodEnum<["A", "B", "C", "D", "E", "F", "G", "H", "I", "S"]>, "many">>;
+    car_level: z.ZodNativeEnum<typeof CapabilityLevel>;
+    aci_level: z.ZodOptional<z.ZodNativeEnum<typeof CapabilityLevel>>;
+    car_trust: z.ZodOptional<z.ZodNativeEnum<typeof CertificationTier>>;
+    aci_trust: z.ZodOptional<z.ZodNativeEnum<typeof CertificationTier>>;
+    car_registry: z.ZodString;
+    aci_registry: z.ZodOptional<z.ZodString>;
+    car_org: z.ZodString;
+    aci_org: z.ZodOptional<z.ZodString>;
+    car_class: z.ZodString;
+    aci_class: z.ZodOptional<z.ZodString>;
+    car_version: z.ZodString;
+    aci_version: z.ZodOptional<z.ZodString>;
+    car_did: z.ZodOptional<z.ZodString>;
+    aci_did: z.ZodOptional<z.ZodString>;
+    car_runtime_tier: z.ZodOptional<z.ZodNativeEnum<typeof RuntimeTier>>;
+    aci_runtime_tier: z.ZodOptional<z.ZodNativeEnum<typeof RuntimeTier>>;
+    car_attestations: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        iss: z.ZodString;
+        tier: z.ZodNativeEnum<typeof CertificationTier>;
+        scope: z.ZodString;
+        iat: z.ZodNumber;
+        exp: z.ZodNumber;
+        evidence: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        scope: string;
+        tier: CertificationTier;
+        iss: string;
+        exp: number;
+        iat: number;
+        evidence?: string | undefined;
+    }, {
+        scope: string;
+        tier: CertificationTier;
+        iss: string;
+        exp: number;
+        iat: number;
+        evidence?: string | undefined;
+    }>, "many">>;
+    aci_attestations: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        iss: z.ZodString;
+        tier: z.ZodNativeEnum<typeof CertificationTier>;
+        scope: z.ZodString;
+        iat: z.ZodNumber;
+        exp: z.ZodNumber;
+        evidence: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        scope: string;
+        tier: CertificationTier;
+        iss: string;
+        exp: number;
+        iat: number;
+        evidence?: string | undefined;
+    }, {
+        scope: string;
+        tier: CertificationTier;
+        iss: string;
+        exp: number;
+        iat: number;
+        evidence?: string | undefined;
+    }>, "many">>;
+    car_permission_ceiling: z.ZodOptional<z.ZodNumber>;
+    aci_permission_ceiling: z.ZodOptional<z.ZodNumber>;
+    car_constraints: z.ZodOptional<z.ZodObject<{
+        max_operations: z.ZodOptional<z.ZodNumber>;
+        allowed_resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        blocked_resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        valid_until: z.ZodOptional<z.ZodNumber>;
+        requires_approval: z.ZodOptional<z.ZodBoolean>;
+        custom: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, "strip", z.ZodTypeAny, {
+        custom?: Record<string, unknown> | undefined;
+        requires_approval?: boolean | undefined;
+        max_operations?: number | undefined;
+        allowed_resources?: string[] | undefined;
+        blocked_resources?: string[] | undefined;
+        valid_until?: number | undefined;
+    }, {
+        custom?: Record<string, unknown> | undefined;
+        requires_approval?: boolean | undefined;
+        max_operations?: number | undefined;
+        allowed_resources?: string[] | undefined;
+        blocked_resources?: string[] | undefined;
+        valid_until?: number | undefined;
+    }>>;
+    aci_constraints: z.ZodOptional<z.ZodObject<{
+        max_operations: z.ZodOptional<z.ZodNumber>;
+        allowed_resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        blocked_resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        valid_until: z.ZodOptional<z.ZodNumber>;
+        requires_approval: z.ZodOptional<z.ZodBoolean>;
+        custom: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, "strip", z.ZodTypeAny, {
+        custom?: Record<string, unknown> | undefined;
+        requires_approval?: boolean | undefined;
+        max_operations?: number | undefined;
+        allowed_resources?: string[] | undefined;
+        blocked_resources?: string[] | undefined;
+        valid_until?: number | undefined;
+    }, {
+        custom?: Record<string, unknown> | undefined;
+        requires_approval?: boolean | undefined;
+        max_operations?: number | undefined;
+        allowed_resources?: string[] | undefined;
+        blocked_resources?: string[] | undefined;
+        valid_until?: number | undefined;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    car: string;
+    car_domains: number;
+    car_domains_list: ("A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "S")[];
+    car_level: CapabilityLevel;
+    car_registry: string;
+    car_org: string;
+    car_class: string;
+    car_version: string;
+    aci?: string | undefined;
+    sub?: string | undefined;
+    jti?: string | undefined;
+    iss?: string | undefined;
+    aud?: string | string[] | undefined;
+    exp?: number | undefined;
+    nbf?: number | undefined;
+    iat?: number | undefined;
+    aci_domains?: number | undefined;
+    aci_domains_list?: ("A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "S")[] | undefined;
+    aci_level?: CapabilityLevel | undefined;
+    aci_trust?: CertificationTier | undefined;
+    aci_registry?: string | undefined;
+    aci_org?: string | undefined;
+    aci_class?: string | undefined;
+    aci_version?: string | undefined;
+    aci_did?: string | undefined;
+    aci_runtime_tier?: RuntimeTier | undefined;
+    aci_attestations?: {
+        scope: string;
+        tier: CertificationTier;
+        iss: string;
+        exp: number;
+        iat: number;
+        evidence?: string | undefined;
+    }[] | undefined;
+    aci_permission_ceiling?: number | undefined;
+    aci_constraints?: {
+        custom?: Record<string, unknown> | undefined;
+        requires_approval?: boolean | undefined;
+        max_operations?: number | undefined;
+        allowed_resources?: string[] | undefined;
+        blocked_resources?: string[] | undefined;
+        valid_until?: number | undefined;
+    } | undefined;
+    car_trust?: CertificationTier | undefined;
+    car_did?: string | undefined;
+    car_runtime_tier?: RuntimeTier | undefined;
+    car_attestations?: {
+        scope: string;
+        tier: CertificationTier;
+        iss: string;
+        exp: number;
+        iat: number;
+        evidence?: string | undefined;
+    }[] | undefined;
+    car_permission_ceiling?: number | undefined;
+    car_constraints?: {
+        custom?: Record<string, unknown> | undefined;
+        requires_approval?: boolean | undefined;
+        max_operations?: number | undefined;
+        allowed_resources?: string[] | undefined;
+        blocked_resources?: string[] | undefined;
+        valid_until?: number | undefined;
+    } | undefined;
+}, {
+    car: string;
+    car_domains: number;
+    car_domains_list: ("A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "S")[];
+    car_level: CapabilityLevel;
+    car_registry: string;
+    car_org: string;
+    car_class: string;
+    car_version: string;
+    aci?: string | undefined;
+    sub?: string | undefined;
+    jti?: string | undefined;
+    iss?: string | undefined;
+    aud?: string | string[] | undefined;
+    exp?: number | undefined;
+    nbf?: number | undefined;
+    iat?: number | undefined;
+    aci_domains?: number | undefined;
+    aci_domains_list?: ("A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "S")[] | undefined;
+    aci_level?: CapabilityLevel | undefined;
+    aci_trust?: CertificationTier | undefined;
+    aci_registry?: string | undefined;
+    aci_org?: string | undefined;
+    aci_class?: string | undefined;
+    aci_version?: string | undefined;
+    aci_did?: string | undefined;
+    aci_runtime_tier?: RuntimeTier | undefined;
+    aci_attestations?: {
+        scope: string;
+        tier: CertificationTier;
+        iss: string;
+        exp: number;
+        iat: number;
+        evidence?: string | undefined;
+    }[] | undefined;
+    aci_permission_ceiling?: number | undefined;
+    aci_constraints?: {
+        custom?: Record<string, unknown> | undefined;
+        requires_approval?: boolean | undefined;
+        max_operations?: number | undefined;
+        allowed_resources?: string[] | undefined;
+        blocked_resources?: string[] | undefined;
+        valid_until?: number | undefined;
+    } | undefined;
+    car_trust?: CertificationTier | undefined;
+    car_did?: string | undefined;
+    car_runtime_tier?: RuntimeTier | undefined;
+    car_attestations?: {
+        scope: string;
+        tier: CertificationTier;
+        iss: string;
+        exp: number;
+        iat: number;
+        evidence?: string | undefined;
+    }[] | undefined;
+    car_permission_ceiling?: number | undefined;
+    car_constraints?: {
+        custom?: Record<string, unknown> | undefined;
+        requires_approval?: boolean | undefined;
+        max_operations?: number | undefined;
+        allowed_resources?: string[] | undefined;
+        blocked_resources?: string[] | undefined;
+        valid_until?: number | undefined;
+    } | undefined;
+}>;
+/**
+ * Options for generating JWT claims.
+ */
+export interface GenerateJWTClaimsOptions {
+    /** Parsed CAR */
+    parsed: ParsedCAR;
+    /** Agent DID (optional) */
+    did?: string;
+    /** Issuer (optional) */
+    issuer?: string;
+    /** Audience (optional) */
+    audience?: string | string[];
+    /** Validity duration in seconds (default: 1 hour) */
+    validitySeconds?: number;
+    /** Runtime tier (optional) */
+    runtimeTier?: RuntimeTier;
+    /** Attestation claims (optional) */
+    attestations?: CARAttestationClaim[];
+    /** Permission ceiling (optional) */
+    permissionCeiling?: number;
+    /** Constraints (optional) */
+    constraints?: CARConstraintsClaim;
+}
+/**
+ * Generates JWT claims from a parsed CAR.
+ *
+ * @param options - Generation options
+ * @returns CAR JWT claims
+ *
+ * @example
+ * ```typescript
+ * const claims = generateJWTClaims({
+ *   parsed: parseCAR('a3i.acme-corp.invoice-bot:ABF-L3@1.0.0'),
+ *   did: 'did:web:agent.acme.com',
+ *   issuer: 'did:web:auth.acme.com',
+ *   validitySeconds: 3600,
+ * });
+ * ```
+ */
+export declare function generateJWTClaims(options: GenerateJWTClaimsOptions): CARJWTClaims;
+/**
+ * Generates minimal JWT claims from a parsed CAR.
+ *
+ * NOTE: car_trust is NOT included because trust comes from attestations,
+ * not the CAR itself. Use generateJWTClaims with attestations for full claims.
+ *
+ * @param parsed - Parsed CAR
+ * @param did - Optional agent DID
+ * @returns Minimal CAR JWT claims (without trust tier)
+ */
+export declare function generateMinimalJWTClaims(parsed: ParsedCAR, did?: string): CARJWTClaims;
+/**
+ * Validation error for JWT claims.
+ */
+export interface JWTClaimsValidationError {
+    /** Error code */
+    code: JWTClaimsErrorCode;
+    /** Human-readable message */
+    message: string;
+    /** Claim path (if applicable) */
+    path?: string;
+}
+/**
+ * Error codes for JWT claims validation.
+ */
+export type JWTClaimsErrorCode = 'MISSING_CAR' | 'INVALID_CAR' | 'EXPIRED' | 'NOT_YET_VALID' | 'INVALID_DOMAINS' | 'INVALID_LEVEL' | 'INVALID_TIER' | 'DOMAINS_MISMATCH' | 'INVALID_FORMAT';
+/**
+ * Result of JWT claims validation.
+ */
+export interface JWTClaimsValidationResult {
+    /** Whether the claims are valid */
+    valid: boolean;
+    /** Validation errors */
+    errors: JWTClaimsValidationError[];
+    /** Validated claims (if valid) */
+    claims?: CARJWTClaims;
+}
+/**
+ * Validates CAR JWT claims.
+ *
+ * @param claims - Claims to validate
+ * @param options - Validation options
+ * @returns Validation result
+ *
+ * @example
+ * ```typescript
+ * const result = validateJWTClaims(claims, {
+ *   checkExpiry: true,
+ *   validateDomainsMismatch: true,
+ * });
+ * ```
+ */
+export declare function validateJWTClaims(claims: unknown, options?: {
+    checkExpiry?: boolean;
+    validateDomainsMismatch?: boolean;
+}): JWTClaimsValidationResult;
+/**
+ * Extracts capability information from JWT claims.
+ *
+ * NOTE: certificationTier is optional because it comes from attestations,
+ * not the CAR. If no attestations are present, it will be undefined.
+ *
+ * @param claims - CAR JWT claims
+ * @returns Capability information
+ */
+export declare function extractCapabilityFromClaims(claims: CARJWTClaims): {
+    domains: DomainCode[];
+    domainsBitmask: number;
+    level: CapabilityLevel;
+    certificationTier?: CertificationTier;
+    runtimeTier?: RuntimeTier;
+};
+/**
+ * Extracts identity information from JWT claims.
+ *
+ * @param claims - CAR JWT claims
+ * @returns Identity information
+ */
+export declare function extractIdentityFromClaims(claims: CARJWTClaims): {
+    car: string;
+    did?: string;
+    registry: string;
+    organization: string;
+    agentClass: string;
+    version: string;
+};
+/**
+ * Checks if claims have specific domain capability.
+ *
+ * @param claims - CAR JWT claims
+ * @param domain - Domain to check
+ * @returns True if the domain is present
+ */
+export declare function claimsHaveDomain(claims: CARJWTClaims, domain: DomainCode): boolean;
+/**
+ * Checks if claims meet minimum capability requirements.
+ *
+ * @param claims - CAR JWT claims
+ * @param requirements - Minimum requirements
+ * @returns True if requirements are met
+ */
+export declare function claimsMeetRequirements(claims: CARJWTClaims, requirements: {
+    domains?: DomainCode[];
+    minLevel?: CapabilityLevel;
+    minCertificationTier?: CertificationTier;
+    minRuntimeTier?: RuntimeTier;
+}): boolean;
+/**
+ * Zod schema for JWT claims validation options.
+ */
+export declare const jwtClaimsValidationOptionsSchema: z.ZodObject<{
+    checkExpiry: z.ZodOptional<z.ZodBoolean>;
+    validateDomainsMismatch: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    checkExpiry?: boolean | undefined;
+    validateDomainsMismatch?: boolean | undefined;
+}, {
+    checkExpiry?: boolean | undefined;
+    validateDomainsMismatch?: boolean | undefined;
+}>;
+/**
+ * Zod schema for JWTClaimsValidationError.
+ */
+export declare const jwtClaimsValidationErrorSchema: z.ZodObject<{
+    code: z.ZodEnum<["MISSING_CAR", "INVALID_CAR", "EXPIRED", "NOT_YET_VALID", "INVALID_DOMAINS", "INVALID_LEVEL", "INVALID_TIER", "DOMAINS_MISMATCH", "INVALID_FORMAT"]>;
+    message: z.ZodString;
+    path: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    code: "EXPIRED" | "INVALID_FORMAT" | "INVALID_DOMAINS" | "INVALID_LEVEL" | "NOT_YET_VALID" | "INVALID_TIER" | "DOMAINS_MISMATCH" | "MISSING_CAR" | "INVALID_CAR";
+    message: string;
+    path?: string | undefined;
+}, {
+    code: "EXPIRED" | "INVALID_FORMAT" | "INVALID_DOMAINS" | "INVALID_LEVEL" | "NOT_YET_VALID" | "INVALID_TIER" | "DOMAINS_MISMATCH" | "MISSING_CAR" | "INVALID_CAR";
+    message: string;
+    path?: string | undefined;
+}>;
+/**
+ * Zod schema for JWTClaimsValidationResult.
+ */
+export declare const jwtClaimsValidationResultSchema: z.ZodObject<{
+    valid: z.ZodBoolean;
+    errors: z.ZodArray<z.ZodObject<{
+        code: z.ZodEnum<["MISSING_CAR", "INVALID_CAR", "EXPIRED", "NOT_YET_VALID", "INVALID_DOMAINS", "INVALID_LEVEL", "INVALID_TIER", "DOMAINS_MISMATCH", "INVALID_FORMAT"]>;
+        message: z.ZodString;
+        path: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        code: "EXPIRED" | "INVALID_FORMAT" | "INVALID_DOMAINS" | "INVALID_LEVEL" | "NOT_YET_VALID" | "INVALID_TIER" | "DOMAINS_MISMATCH" | "MISSING_CAR" | "INVALID_CAR";
+        message: string;
+        path?: string | undefined;
+    }, {
+        code: "EXPIRED" | "INVALID_FORMAT" | "INVALID_DOMAINS" | "INVALID_LEVEL" | "NOT_YET_VALID" | "INVALID_TIER" | "DOMAINS_MISMATCH" | "MISSING_CAR" | "INVALID_CAR";
+        message: string;
+        path?: string | undefined;
+    }>, "many">;
+    claims: z.ZodOptional<z.ZodObject<{
+        iss: z.ZodOptional<z.ZodString>;
+        sub: z.ZodOptional<z.ZodString>;
+        aud: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>>;
+        exp: z.ZodOptional<z.ZodNumber>;
+        nbf: z.ZodOptional<z.ZodNumber>;
+        iat: z.ZodOptional<z.ZodNumber>;
+        jti: z.ZodOptional<z.ZodString>;
+    } & {
+        car: z.ZodString;
+        aci: z.ZodOptional<z.ZodString>;
+        car_domains: z.ZodNumber;
+        aci_domains: z.ZodOptional<z.ZodNumber>;
+        car_domains_list: z.ZodArray<z.ZodEnum<["A", "B", "C", "D", "E", "F", "G", "H", "I", "S"]>, "many">;
+        aci_domains_list: z.ZodOptional<z.ZodArray<z.ZodEnum<["A", "B", "C", "D", "E", "F", "G", "H", "I", "S"]>, "many">>;
+        car_level: z.ZodNativeEnum<typeof CapabilityLevel>;
+        aci_level: z.ZodOptional<z.ZodNativeEnum<typeof CapabilityLevel>>;
+        car_trust: z.ZodOptional<z.ZodNativeEnum<typeof CertificationTier>>;
+        aci_trust: z.ZodOptional<z.ZodNativeEnum<typeof CertificationTier>>;
+        car_registry: z.ZodString;
+        aci_registry: z.ZodOptional<z.ZodString>;
+        car_org: z.ZodString;
+        aci_org: z.ZodOptional<z.ZodString>;
+        car_class: z.ZodString;
+        aci_class: z.ZodOptional<z.ZodString>;
+        car_version: z.ZodString;
+        aci_version: z.ZodOptional<z.ZodString>;
+        car_did: z.ZodOptional<z.ZodString>;
+        aci_did: z.ZodOptional<z.ZodString>;
+        car_runtime_tier: z.ZodOptional<z.ZodNativeEnum<typeof RuntimeTier>>;
+        aci_runtime_tier: z.ZodOptional<z.ZodNativeEnum<typeof RuntimeTier>>;
+        car_attestations: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            iss: z.ZodString;
+            tier: z.ZodNativeEnum<typeof CertificationTier>;
+            scope: z.ZodString;
+            iat: z.ZodNumber;
+            exp: z.ZodNumber;
+            evidence: z.ZodOptional<z.ZodString>;
+        }, "strip", z.ZodTypeAny, {
+            scope: string;
+            tier: CertificationTier;
+            iss: string;
+            exp: number;
+            iat: number;
+            evidence?: string | undefined;
+        }, {
+            scope: string;
+            tier: CertificationTier;
+            iss: string;
+            exp: number;
+            iat: number;
+            evidence?: string | undefined;
+        }>, "many">>;
+        aci_attestations: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            iss: z.ZodString;
+            tier: z.ZodNativeEnum<typeof CertificationTier>;
+            scope: z.ZodString;
+            iat: z.ZodNumber;
+            exp: z.ZodNumber;
+            evidence: z.ZodOptional<z.ZodString>;
+        }, "strip", z.ZodTypeAny, {
+            scope: string;
+            tier: CertificationTier;
+            iss: string;
+            exp: number;
+            iat: number;
+            evidence?: string | undefined;
+        }, {
+            scope: string;
+            tier: CertificationTier;
+            iss: string;
+            exp: number;
+            iat: number;
+            evidence?: string | undefined;
+        }>, "many">>;
+        car_permission_ceiling: z.ZodOptional<z.ZodNumber>;
+        aci_permission_ceiling: z.ZodOptional<z.ZodNumber>;
+        car_constraints: z.ZodOptional<z.ZodObject<{
+            max_operations: z.ZodOptional<z.ZodNumber>;
+            allowed_resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            blocked_resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            valid_until: z.ZodOptional<z.ZodNumber>;
+            requires_approval: z.ZodOptional<z.ZodBoolean>;
+            custom: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        }, "strip", z.ZodTypeAny, {
+            custom?: Record<string, unknown> | undefined;
+            requires_approval?: boolean | undefined;
+            max_operations?: number | undefined;
+            allowed_resources?: string[] | undefined;
+            blocked_resources?: string[] | undefined;
+            valid_until?: number | undefined;
+        }, {
+            custom?: Record<string, unknown> | undefined;
+            requires_approval?: boolean | undefined;
+            max_operations?: number | undefined;
+            allowed_resources?: string[] | undefined;
+            blocked_resources?: string[] | undefined;
+            valid_until?: number | undefined;
+        }>>;
+        aci_constraints: z.ZodOptional<z.ZodObject<{
+            max_operations: z.ZodOptional<z.ZodNumber>;
+            allowed_resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            blocked_resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            valid_until: z.ZodOptional<z.ZodNumber>;
+            requires_approval: z.ZodOptional<z.ZodBoolean>;
+            custom: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        }, "strip", z.ZodTypeAny, {
+            custom?: Record<string, unknown> | undefined;
+            requires_approval?: boolean | undefined;
+            max_operations?: number | undefined;
+            allowed_resources?: string[] | undefined;
+            blocked_resources?: string[] | undefined;
+            valid_until?: number | undefined;
+        }, {
+            custom?: Record<string, unknown> | undefined;
+            requires_approval?: boolean | undefined;
+            max_operations?: number | undefined;
+            allowed_resources?: string[] | undefined;
+            blocked_resources?: string[] | undefined;
+            valid_until?: number | undefined;
+        }>>;
+    }, "strip", z.ZodTypeAny, {
+        car: string;
+        car_domains: number;
+        car_domains_list: ("A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "S")[];
+        car_level: CapabilityLevel;
+        car_registry: string;
+        car_org: string;
+        car_class: string;
+        car_version: string;
+        aci?: string | undefined;
+        sub?: string | undefined;
+        jti?: string | undefined;
+        iss?: string | undefined;
+        aud?: string | string[] | undefined;
+        exp?: number | undefined;
+        nbf?: number | undefined;
+        iat?: number | undefined;
+        aci_domains?: number | undefined;
+        aci_domains_list?: ("A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "S")[] | undefined;
+        aci_level?: CapabilityLevel | undefined;
+        aci_trust?: CertificationTier | undefined;
+        aci_registry?: string | undefined;
+        aci_org?: string | undefined;
+        aci_class?: string | undefined;
+        aci_version?: string | undefined;
+        aci_did?: string | undefined;
+        aci_runtime_tier?: RuntimeTier | undefined;
+        aci_attestations?: {
+            scope: string;
+            tier: CertificationTier;
+            iss: string;
+            exp: number;
+            iat: number;
+            evidence?: string | undefined;
+        }[] | undefined;
+        aci_permission_ceiling?: number | undefined;
+        aci_constraints?: {
+            custom?: Record<string, unknown> | undefined;
+            requires_approval?: boolean | undefined;
+            max_operations?: number | undefined;
+            allowed_resources?: string[] | undefined;
+            blocked_resources?: string[] | undefined;
+            valid_until?: number | undefined;
+        } | undefined;
+        car_trust?: CertificationTier | undefined;
+        car_did?: string | undefined;
+        car_runtime_tier?: RuntimeTier | undefined;
+        car_attestations?: {
+            scope: string;
+            tier: CertificationTier;
+            iss: string;
+            exp: number;
+            iat: number;
+            evidence?: string | undefined;
+        }[] | undefined;
+        car_permission_ceiling?: number | undefined;
+        car_constraints?: {
+            custom?: Record<string, unknown> | undefined;
+            requires_approval?: boolean | undefined;
+            max_operations?: number | undefined;
+            allowed_resources?: string[] | undefined;
+            blocked_resources?: string[] | undefined;
+            valid_until?: number | undefined;
+        } | undefined;
+    }, {
+        car: string;
+        car_domains: number;
+        car_domains_list: ("A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "S")[];
+        car_level: CapabilityLevel;
+        car_registry: string;
+        car_org: string;
+        car_class: string;
+        car_version: string;
+        aci?: string | undefined;
+        sub?: string | undefined;
+        jti?: string | undefined;
+        iss?: string | undefined;
+        aud?: string | string[] | undefined;
+        exp?: number | undefined;
+        nbf?: number | undefined;
+        iat?: number | undefined;
+        aci_domains?: number | undefined;
+        aci_domains_list?: ("A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "S")[] | undefined;
+        aci_level?: CapabilityLevel | undefined;
+        aci_trust?: CertificationTier | undefined;
+        aci_registry?: string | undefined;
+        aci_org?: string | undefined;
+        aci_class?: string | undefined;
+        aci_version?: string | undefined;
+        aci_did?: string | undefined;
+        aci_runtime_tier?: RuntimeTier | undefined;
+        aci_attestations?: {
+            scope: string;
+            tier: CertificationTier;
+            iss: string;
+            exp: number;
+            iat: number;
+            evidence?: string | undefined;
+        }[] | undefined;
+        aci_permission_ceiling?: number | undefined;
+        aci_constraints?: {
+            custom?: Record<string, unknown> | undefined;
+            requires_approval?: boolean | undefined;
+            max_operations?: number | undefined;
+            allowed_resources?: string[] | undefined;
+            blocked_resources?: string[] | undefined;
+            valid_until?: number | undefined;
+        } | undefined;
+        car_trust?: CertificationTier | undefined;
+        car_did?: string | undefined;
+        car_runtime_tier?: RuntimeTier | undefined;
+        car_attestations?: {
+            scope: string;
+            tier: CertificationTier;
+            iss: string;
+            exp: number;
+            iat: number;
+            evidence?: string | undefined;
+        }[] | undefined;
+        car_permission_ceiling?: number | undefined;
+        car_constraints?: {
+            custom?: Record<string, unknown> | undefined;
+            requires_approval?: boolean | undefined;
+            max_operations?: number | undefined;
+            allowed_resources?: string[] | undefined;
+            blocked_resources?: string[] | undefined;
+            valid_until?: number | undefined;
+        } | undefined;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    valid: boolean;
+    errors: {
+        code: "EXPIRED" | "INVALID_FORMAT" | "INVALID_DOMAINS" | "INVALID_LEVEL" | "NOT_YET_VALID" | "INVALID_TIER" | "DOMAINS_MISMATCH" | "MISSING_CAR" | "INVALID_CAR";
+        message: string;
+        path?: string | undefined;
+    }[];
+    claims?: {
+        car: string;
+        car_domains: number;
+        car_domains_list: ("A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "S")[];
+        car_level: CapabilityLevel;
+        car_registry: string;
+        car_org: string;
+        car_class: string;
+        car_version: string;
+        aci?: string | undefined;
+        sub?: string | undefined;
+        jti?: string | undefined;
+        iss?: string | undefined;
+        aud?: string | string[] | undefined;
+        exp?: number | undefined;
+        nbf?: number | undefined;
+        iat?: number | undefined;
+        aci_domains?: number | undefined;
+        aci_domains_list?: ("A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "S")[] | undefined;
+        aci_level?: CapabilityLevel | undefined;
+        aci_trust?: CertificationTier | undefined;
+        aci_registry?: string | undefined;
+        aci_org?: string | undefined;
+        aci_class?: string | undefined;
+        aci_version?: string | undefined;
+        aci_did?: string | undefined;
+        aci_runtime_tier?: RuntimeTier | undefined;
+        aci_attestations?: {
+            scope: string;
+            tier: CertificationTier;
+            iss: string;
+            exp: number;
+            iat: number;
+            evidence?: string | undefined;
+        }[] | undefined;
+        aci_permission_ceiling?: number | undefined;
+        aci_constraints?: {
+            custom?: Record<string, unknown> | undefined;
+            requires_approval?: boolean | undefined;
+            max_operations?: number | undefined;
+            allowed_resources?: string[] | undefined;
+            blocked_resources?: string[] | undefined;
+            valid_until?: number | undefined;
+        } | undefined;
+        car_trust?: CertificationTier | undefined;
+        car_did?: string | undefined;
+        car_runtime_tier?: RuntimeTier | undefined;
+        car_attestations?: {
+            scope: string;
+            tier: CertificationTier;
+            iss: string;
+            exp: number;
+            iat: number;
+            evidence?: string | undefined;
+        }[] | undefined;
+        car_permission_ceiling?: number | undefined;
+        car_constraints?: {
+            custom?: Record<string, unknown> | undefined;
+            requires_approval?: boolean | undefined;
+            max_operations?: number | undefined;
+            allowed_resources?: string[] | undefined;
+            blocked_resources?: string[] | undefined;
+            valid_until?: number | undefined;
+        } | undefined;
+    } | undefined;
+}, {
+    valid: boolean;
+    errors: {
+        code: "EXPIRED" | "INVALID_FORMAT" | "INVALID_DOMAINS" | "INVALID_LEVEL" | "NOT_YET_VALID" | "INVALID_TIER" | "DOMAINS_MISMATCH" | "MISSING_CAR" | "INVALID_CAR";
+        message: string;
+        path?: string | undefined;
+    }[];
+    claims?: {
+        car: string;
+        car_domains: number;
+        car_domains_list: ("A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "S")[];
+        car_level: CapabilityLevel;
+        car_registry: string;
+        car_org: string;
+        car_class: string;
+        car_version: string;
+        aci?: string | undefined;
+        sub?: string | undefined;
+        jti?: string | undefined;
+        iss?: string | undefined;
+        aud?: string | string[] | undefined;
+        exp?: number | undefined;
+        nbf?: number | undefined;
+        iat?: number | undefined;
+        aci_domains?: number | undefined;
+        aci_domains_list?: ("A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "S")[] | undefined;
+        aci_level?: CapabilityLevel | undefined;
+        aci_trust?: CertificationTier | undefined;
+        aci_registry?: string | undefined;
+        aci_org?: string | undefined;
+        aci_class?: string | undefined;
+        aci_version?: string | undefined;
+        aci_did?: string | undefined;
+        aci_runtime_tier?: RuntimeTier | undefined;
+        aci_attestations?: {
+            scope: string;
+            tier: CertificationTier;
+            iss: string;
+            exp: number;
+            iat: number;
+            evidence?: string | undefined;
+        }[] | undefined;
+        aci_permission_ceiling?: number | undefined;
+        aci_constraints?: {
+            custom?: Record<string, unknown> | undefined;
+            requires_approval?: boolean | undefined;
+            max_operations?: number | undefined;
+            allowed_resources?: string[] | undefined;
+            blocked_resources?: string[] | undefined;
+            valid_until?: number | undefined;
+        } | undefined;
+        car_trust?: CertificationTier | undefined;
+        car_did?: string | undefined;
+        car_runtime_tier?: RuntimeTier | undefined;
+        car_attestations?: {
+            scope: string;
+            tier: CertificationTier;
+            iss: string;
+            exp: number;
+            iat: number;
+            evidence?: string | undefined;
+        }[] | undefined;
+        car_permission_ceiling?: number | undefined;
+        car_constraints?: {
+            custom?: Record<string, unknown> | undefined;
+            requires_approval?: boolean | undefined;
+            max_operations?: number | undefined;
+            allowed_resources?: string[] | undefined;
+            blocked_resources?: string[] | undefined;
+            valid_until?: number | undefined;
+        } | undefined;
+    } | undefined;
+}>;
+//# sourceMappingURL=jwt-claims.d.ts.map