@vorionsys/contracts 0.1.0

package/dist/aci/jwt-claims.d.ts

@@ -0,0 +1,756 @@
+/**
+ * @fileoverview ACI JWT Claims for OpenID Connect
+ *
+ * Defines JWT claim structures for ACI-aware authentication and authorization.
+ * These claims extend standard OIDC claims with ACI-specific information,
+ * enabling capability-based access control in JWT tokens.
+ *
+ * @module @vorion/contracts/aci/jwt-claims
+ */
+import { z } from 'zod';
+import { type DomainCode } from './domains.js';
+import { CapabilityLevel } from './levels.js';
+import { CertificationTier, RuntimeTier } from './tiers.js';
+import { type ParsedACI } from './aci-string.js';
+/**
+ * Standard JWT claims (RFC 7519).
+ */
+export interface StandardJWTClaims {
+    /** Issuer */
+    iss?: string;
+    /** Subject */
+    sub?: string;
+    /** Audience */
+    aud?: string | string[];
+    /** Expiration time (Unix timestamp) */
+    exp?: number;
+    /** Not before (Unix timestamp) */
+    nbf?: number;
+    /** Issued at (Unix timestamp) */
+    iat?: number;
+    /** JWT ID */
+    jti?: string;
+}
+/**
+ * Zod schema for StandardJWTClaims.
+ */
+export declare const standardJWTClaimsSchema: z.ZodObject<{
+    iss: z.ZodOptional<z.ZodString>;
+    sub: z.ZodOptional<z.ZodString>;
+    aud: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>>;
+    exp: z.ZodOptional<z.ZodNumber>;
+    nbf: z.ZodOptional<z.ZodNumber>;
+    iat: z.ZodOptional<z.ZodNumber>;
+    jti: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    iss?: string | undefined;
+    sub?: string | undefined;
+    aud?: string | string[] | undefined;
+    exp?: number | undefined;
+    nbf?: number | undefined;
+    iat?: number | undefined;
+    jti?: string | undefined;
+}, {
+    iss?: string | undefined;
+    sub?: string | undefined;
+    aud?: string | string[] | undefined;
+    exp?: number | undefined;
+    nbf?: number | undefined;
+    iat?: number | undefined;
+    jti?: string | undefined;
+}>;
+/**
+ * ACI-specific JWT claims.
+ *
+ * These claims encode agent capabilities in JWT tokens for use in
+ * authentication and authorization flows.
+ *
+ * NOTE: `aci_trust` is OPTIONAL because trust tier is NOT embedded in the ACI.
+ * Trust comes from attestations at runtime. If attestations are included,
+ * the highest valid attestation tier should be used for `aci_trust`.
+ */
+export interface ACIJWTClaims extends StandardJWTClaims {
+    /** Full ACI string (immutable identifier, no trust info) */
+    aci: string;
+    /** Domain bitmask for efficient validation */
+    aci_domains: number;
+    /** Domain codes array for readability */
+    aci_domains_list: DomainCode[];
+    /** Capability level */
+    aci_level: CapabilityLevel;
+    /**
+     * Certification tier from attestations (OPTIONAL).
+     * This is NOT from the ACI itself - it comes from valid attestations.
+     * Defaults to T0 if no attestations exist.
+     */
+    aci_trust?: CertificationTier;
+    /** Registry */
+    aci_registry: string;
+    /** Organization */
+    aci_org: string;
+    /** Agent class */
+    aci_class: string;
+    /** ACI version */
+    aci_version: string;
+    /** Agent DID (optional) */
+    aci_did?: string;
+    /** Runtime tier in current context (optional) */
+    aci_runtime_tier?: RuntimeTier;
+    /** Attestation summaries - source of aci_trust value */
+    aci_attestations?: ACIAttestationClaim[];
+    /** Effective permission ceiling (optional) */
+    aci_permission_ceiling?: number;
+    /** Session-specific constraints (optional) */
+    aci_constraints?: ACIConstraintsClaim;
+}
+/**
+ * Attestation claim for JWT.
+ */
+/**
+ * Attestation claim for JWT.
+ * Attestations are the SOURCE of trust tier, not the ACI.
+ */
+export interface ACIAttestationClaim {
+    /** Issuer DID */
+    iss: string;
+    /** Certified trust tier from this attestation */
+    tier: CertificationTier;
+    /** Attestation scope (domains covered) */
+    scope: string;
+    /** Issued at (Unix timestamp) */
+    iat: number;
+    /** Expiration (Unix timestamp) */
+    exp: number;
+    /** Evidence URL (optional) */
+    evidence?: string;
+}
+/**
+ * Constraints claim for session-specific limitations.
+ */
+export interface ACIConstraintsClaim {
+    /** Maximum operations allowed in this session */
+    max_operations?: number;
+    /** Allowed resource patterns */
+    allowed_resources?: string[];
+    /** Blocked resource patterns */
+    blocked_resources?: string[];
+    /** Time window end (Unix timestamp) */
+    valid_until?: number;
+    /** Required human approval for actions */
+    requires_approval?: boolean;
+    /** Custom constraints */
+    custom?: Record<string, unknown>;
+}
+/**
+ * Zod schema for ACIAttestationClaim.
+ */
+export declare const aciAttestationClaimSchema: z.ZodObject<{
+    iss: z.ZodString;
+    tier: z.ZodNativeEnum<typeof CertificationTier>;
+    scope: z.ZodString;
+    iat: z.ZodNumber;
+    exp: z.ZodNumber;
+    evidence: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    scope: string;
+    tier: CertificationTier;
+    iss: string;
+    exp: number;
+    iat: number;
+    evidence?: string | undefined;
+}, {
+    scope: string;
+    tier: CertificationTier;
+    iss: string;
+    exp: number;
+    iat: number;
+    evidence?: string | undefined;
+}>;
+/**
+ * Zod schema for ACIConstraintsClaim.
+ */
+export declare const aciConstraintsClaimSchema: z.ZodObject<{
+    max_operations: z.ZodOptional<z.ZodNumber>;
+    allowed_resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    blocked_resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    valid_until: z.ZodOptional<z.ZodNumber>;
+    requires_approval: z.ZodOptional<z.ZodBoolean>;
+    custom: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, "strip", z.ZodTypeAny, {
+    custom?: Record<string, unknown> | undefined;
+    max_operations?: number | undefined;
+    allowed_resources?: string[] | undefined;
+    blocked_resources?: string[] | undefined;
+    valid_until?: number | undefined;
+    requires_approval?: boolean | undefined;
+}, {
+    custom?: Record<string, unknown> | undefined;
+    max_operations?: number | undefined;
+    allowed_resources?: string[] | undefined;
+    blocked_resources?: string[] | undefined;
+    valid_until?: number | undefined;
+    requires_approval?: boolean | undefined;
+}>;
+/**
+ * Zod schema for ACIJWTClaims validation.
+ */
+export declare const aciJWTClaimsSchema: z.ZodObject<{
+    iss: z.ZodOptional<z.ZodString>;
+    sub: z.ZodOptional<z.ZodString>;
+    aud: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>>;
+    exp: z.ZodOptional<z.ZodNumber>;
+    nbf: z.ZodOptional<z.ZodNumber>;
+    iat: z.ZodOptional<z.ZodNumber>;
+    jti: z.ZodOptional<z.ZodString>;
+} & {
+    aci: z.ZodString;
+    aci_domains: z.ZodNumber;
+    aci_domains_list: z.ZodArray<z.ZodEnum<["A", "B", "C", "D", "E", "F", "G", "H", "I", "S"]>, "many">;
+    aci_level: z.ZodNativeEnum<typeof CapabilityLevel>;
+    aci_trust: z.ZodOptional<z.ZodNativeEnum<typeof CertificationTier>>;
+    aci_registry: z.ZodString;
+    aci_org: z.ZodString;
+    aci_class: z.ZodString;
+    aci_version: z.ZodString;
+    aci_did: z.ZodOptional<z.ZodString>;
+    aci_runtime_tier: z.ZodOptional<z.ZodNativeEnum<typeof RuntimeTier>>;
+    aci_attestations: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        iss: z.ZodString;
+        tier: z.ZodNativeEnum<typeof CertificationTier>;
+        scope: z.ZodString;
+        iat: z.ZodNumber;
+        exp: z.ZodNumber;
+        evidence: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        scope: string;
+        tier: CertificationTier;
+        iss: string;
+        exp: number;
+        iat: number;
+        evidence?: string | undefined;
+    }, {
+        scope: string;
+        tier: CertificationTier;
+        iss: string;
+        exp: number;
+        iat: number;
+        evidence?: string | undefined;
+    }>, "many">>;
+    aci_permission_ceiling: z.ZodOptional<z.ZodNumber>;
+    aci_constraints: z.ZodOptional<z.ZodObject<{
+        max_operations: z.ZodOptional<z.ZodNumber>;
+        allowed_resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        blocked_resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        valid_until: z.ZodOptional<z.ZodNumber>;
+        requires_approval: z.ZodOptional<z.ZodBoolean>;
+        custom: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, "strip", z.ZodTypeAny, {
+        custom?: Record<string, unknown> | undefined;
+        max_operations?: number | undefined;
+        allowed_resources?: string[] | undefined;
+        blocked_resources?: string[] | undefined;
+        valid_until?: number | undefined;
+        requires_approval?: boolean | undefined;
+    }, {
+        custom?: Record<string, unknown> | undefined;
+        max_operations?: number | undefined;
+        allowed_resources?: string[] | undefined;
+        blocked_resources?: string[] | undefined;
+        valid_until?: number | undefined;
+        requires_approval?: boolean | undefined;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    aci: string;
+    aci_domains: number;
+    aci_domains_list: ("A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "S")[];
+    aci_level: CapabilityLevel;
+    aci_registry: string;
+    aci_org: string;
+    aci_class: string;
+    aci_version: string;
+    iss?: string | undefined;
+    sub?: string | undefined;
+    aud?: string | string[] | undefined;
+    exp?: number | undefined;
+    nbf?: number | undefined;
+    iat?: number | undefined;
+    jti?: string | undefined;
+    aci_trust?: CertificationTier | undefined;
+    aci_did?: string | undefined;
+    aci_runtime_tier?: RuntimeTier | undefined;
+    aci_attestations?: {
+        scope: string;
+        tier: CertificationTier;
+        iss: string;
+        exp: number;
+        iat: number;
+        evidence?: string | undefined;
+    }[] | undefined;
+    aci_permission_ceiling?: number | undefined;
+    aci_constraints?: {
+        custom?: Record<string, unknown> | undefined;
+        max_operations?: number | undefined;
+        allowed_resources?: string[] | undefined;
+        blocked_resources?: string[] | undefined;
+        valid_until?: number | undefined;
+        requires_approval?: boolean | undefined;
+    } | undefined;
+}, {
+    aci: string;
+    aci_domains: number;
+    aci_domains_list: ("A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "S")[];
+    aci_level: CapabilityLevel;
+    aci_registry: string;
+    aci_org: string;
+    aci_class: string;
+    aci_version: string;
+    iss?: string | undefined;
+    sub?: string | undefined;
+    aud?: string | string[] | undefined;
+    exp?: number | undefined;
+    nbf?: number | undefined;
+    iat?: number | undefined;
+    jti?: string | undefined;
+    aci_trust?: CertificationTier | undefined;
+    aci_did?: string | undefined;
+    aci_runtime_tier?: RuntimeTier | undefined;
+    aci_attestations?: {
+        scope: string;
+        tier: CertificationTier;
+        iss: string;
+        exp: number;
+        iat: number;
+        evidence?: string | undefined;
+    }[] | undefined;
+    aci_permission_ceiling?: number | undefined;
+    aci_constraints?: {
+        custom?: Record<string, unknown> | undefined;
+        max_operations?: number | undefined;
+        allowed_resources?: string[] | undefined;
+        blocked_resources?: string[] | undefined;
+        valid_until?: number | undefined;
+        requires_approval?: boolean | undefined;
+    } | undefined;
+}>;
+/**
+ * Options for generating JWT claims.
+ */
+export interface GenerateJWTClaimsOptions {
+    /** Parsed ACI */
+    parsed: ParsedACI;
+    /** Agent DID (optional) */
+    did?: string;
+    /** Issuer (optional) */
+    issuer?: string;
+    /** Audience (optional) */
+    audience?: string | string[];
+    /** Validity duration in seconds (default: 1 hour) */
+    validitySeconds?: number;
+    /** Runtime tier (optional) */
+    runtimeTier?: RuntimeTier;
+    /** Attestation claims (optional) */
+    attestations?: ACIAttestationClaim[];
+    /** Permission ceiling (optional) */
+    permissionCeiling?: number;
+    /** Constraints (optional) */
+    constraints?: ACIConstraintsClaim;
+}
+/**
+ * Generates JWT claims from a parsed ACI.
+ *
+ * @param options - Generation options
+ * @returns ACI JWT claims
+ *
+ * @example
+ * ```typescript
+ * const claims = generateJWTClaims({
+ *   parsed: parseACI('a3i.acme-corp.invoice-bot:ABF-L3@1.0.0'),
+ *   did: 'did:web:agent.acme.com',
+ *   issuer: 'did:web:auth.acme.com',
+ *   validitySeconds: 3600,
+ * });
+ * ```
+ */
+export declare function generateJWTClaims(options: GenerateJWTClaimsOptions): ACIJWTClaims;
+/**
+ * Generates minimal JWT claims from a parsed ACI.
+ *
+ * NOTE: aci_trust is NOT included because trust comes from attestations,
+ * not the ACI itself. Use generateJWTClaims with attestations for full claims.
+ *
+ * @param parsed - Parsed ACI
+ * @param did - Optional agent DID
+ * @returns Minimal ACI JWT claims (without trust tier)
+ */
+export declare function generateMinimalJWTClaims(parsed: ParsedACI, did?: string): ACIJWTClaims;
+/**
+ * Validation error for JWT claims.
+ */
+export interface JWTClaimsValidationError {
+    /** Error code */
+    code: JWTClaimsErrorCode;
+    /** Human-readable message */
+    message: string;
+    /** Claim path (if applicable) */
+    path?: string;
+}
+/**
+ * Error codes for JWT claims validation.
+ */
+export type JWTClaimsErrorCode = 'MISSING_ACI' | 'INVALID_ACI' | 'EXPIRED' | 'NOT_YET_VALID' | 'INVALID_DOMAINS' | 'INVALID_LEVEL' | 'INVALID_TIER' | 'DOMAINS_MISMATCH' | 'INVALID_FORMAT';
+/**
+ * Result of JWT claims validation.
+ */
+export interface JWTClaimsValidationResult {
+    /** Whether the claims are valid */
+    valid: boolean;
+    /** Validation errors */
+    errors: JWTClaimsValidationError[];
+    /** Validated claims (if valid) */
+    claims?: ACIJWTClaims;
+}
+/**
+ * Validates ACI JWT claims.
+ *
+ * @param claims - Claims to validate
+ * @param options - Validation options
+ * @returns Validation result
+ *
+ * @example
+ * ```typescript
+ * const result = validateJWTClaims(claims, {
+ *   checkExpiry: true,
+ *   validateDomainsMismatch: true,
+ * });
+ * ```
+ */
+export declare function validateJWTClaims(claims: unknown, options?: {
+    checkExpiry?: boolean;
+    validateDomainsMismatch?: boolean;
+}): JWTClaimsValidationResult;
+/**
+ * Extracts capability information from JWT claims.
+ *
+ * NOTE: certificationTier is optional because it comes from attestations,
+ * not the ACI. If no attestations are present, it will be undefined.
+ *
+ * @param claims - ACI JWT claims
+ * @returns Capability information
+ */
+export declare function extractCapabilityFromClaims(claims: ACIJWTClaims): {
+    domains: DomainCode[];
+    domainsBitmask: number;
+    level: CapabilityLevel;
+    certificationTier?: CertificationTier;
+    runtimeTier?: RuntimeTier;
+};
+/**
+ * Extracts identity information from JWT claims.
+ *
+ * @param claims - ACI JWT claims
+ * @returns Identity information
+ */
+export declare function extractIdentityFromClaims(claims: ACIJWTClaims): {
+    aci: string;
+    did?: string;
+    registry: string;
+    organization: string;
+    agentClass: string;
+    version: string;
+};
+/**
+ * Checks if claims have specific domain capability.
+ *
+ * @param claims - ACI JWT claims
+ * @param domain - Domain to check
+ * @returns True if the domain is present
+ */
+export declare function claimsHaveDomain(claims: ACIJWTClaims, domain: DomainCode): boolean;
+/**
+ * Checks if claims meet minimum capability requirements.
+ *
+ * @param claims - ACI JWT claims
+ * @param requirements - Minimum requirements
+ * @returns True if requirements are met
+ */
+export declare function claimsMeetRequirements(claims: ACIJWTClaims, requirements: {
+    domains?: DomainCode[];
+    minLevel?: CapabilityLevel;
+    minCertificationTier?: CertificationTier;
+    minRuntimeTier?: RuntimeTier;
+}): boolean;
+/**
+ * Zod schema for JWT claims validation options.
+ */
+export declare const jwtClaimsValidationOptionsSchema: z.ZodObject<{
+    checkExpiry: z.ZodOptional<z.ZodBoolean>;
+    validateDomainsMismatch: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    checkExpiry?: boolean | undefined;
+    validateDomainsMismatch?: boolean | undefined;
+}, {
+    checkExpiry?: boolean | undefined;
+    validateDomainsMismatch?: boolean | undefined;
+}>;
+/**
+ * Zod schema for JWTClaimsValidationError.
+ */
+export declare const jwtClaimsValidationErrorSchema: z.ZodObject<{
+    code: z.ZodEnum<["MISSING_ACI", "INVALID_ACI", "EXPIRED", "NOT_YET_VALID", "INVALID_DOMAINS", "INVALID_LEVEL", "INVALID_TIER", "DOMAINS_MISMATCH", "INVALID_FORMAT"]>;
+    message: z.ZodString;
+    path: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    code: "EXPIRED" | "INVALID_FORMAT" | "INVALID_DOMAINS" | "INVALID_LEVEL" | "MISSING_ACI" | "INVALID_ACI" | "NOT_YET_VALID" | "INVALID_TIER" | "DOMAINS_MISMATCH";
+    message: string;
+    path?: string | undefined;
+}, {
+    code: "EXPIRED" | "INVALID_FORMAT" | "INVALID_DOMAINS" | "INVALID_LEVEL" | "MISSING_ACI" | "INVALID_ACI" | "NOT_YET_VALID" | "INVALID_TIER" | "DOMAINS_MISMATCH";
+    message: string;
+    path?: string | undefined;
+}>;
+/**
+ * Zod schema for JWTClaimsValidationResult.
+ */
+export declare const jwtClaimsValidationResultSchema: z.ZodObject<{
+    valid: z.ZodBoolean;
+    errors: z.ZodArray<z.ZodObject<{
+        code: z.ZodEnum<["MISSING_ACI", "INVALID_ACI", "EXPIRED", "NOT_YET_VALID", "INVALID_DOMAINS", "INVALID_LEVEL", "INVALID_TIER", "DOMAINS_MISMATCH", "INVALID_FORMAT"]>;
+        message: z.ZodString;
+        path: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        code: "EXPIRED" | "INVALID_FORMAT" | "INVALID_DOMAINS" | "INVALID_LEVEL" | "MISSING_ACI" | "INVALID_ACI" | "NOT_YET_VALID" | "INVALID_TIER" | "DOMAINS_MISMATCH";
+        message: string;
+        path?: string | undefined;
+    }, {
+        code: "EXPIRED" | "INVALID_FORMAT" | "INVALID_DOMAINS" | "INVALID_LEVEL" | "MISSING_ACI" | "INVALID_ACI" | "NOT_YET_VALID" | "INVALID_TIER" | "DOMAINS_MISMATCH";
+        message: string;
+        path?: string | undefined;
+    }>, "many">;
+    claims: z.ZodOptional<z.ZodObject<{
+        iss: z.ZodOptional<z.ZodString>;
+        sub: z.ZodOptional<z.ZodString>;
+        aud: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>>;
+        exp: z.ZodOptional<z.ZodNumber>;
+        nbf: z.ZodOptional<z.ZodNumber>;
+        iat: z.ZodOptional<z.ZodNumber>;
+        jti: z.ZodOptional<z.ZodString>;
+    } & {
+        aci: z.ZodString;
+        aci_domains: z.ZodNumber;
+        aci_domains_list: z.ZodArray<z.ZodEnum<["A", "B", "C", "D", "E", "F", "G", "H", "I", "S"]>, "many">;
+        aci_level: z.ZodNativeEnum<typeof CapabilityLevel>;
+        aci_trust: z.ZodOptional<z.ZodNativeEnum<typeof CertificationTier>>;
+        aci_registry: z.ZodString;
+        aci_org: z.ZodString;
+        aci_class: z.ZodString;
+        aci_version: z.ZodString;
+        aci_did: z.ZodOptional<z.ZodString>;
+        aci_runtime_tier: z.ZodOptional<z.ZodNativeEnum<typeof RuntimeTier>>;
+        aci_attestations: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            iss: z.ZodString;
+            tier: z.ZodNativeEnum<typeof CertificationTier>;
+            scope: z.ZodString;
+            iat: z.ZodNumber;
+            exp: z.ZodNumber;
+            evidence: z.ZodOptional<z.ZodString>;
+        }, "strip", z.ZodTypeAny, {
+            scope: string;
+            tier: CertificationTier;
+            iss: string;
+            exp: number;
+            iat: number;
+            evidence?: string | undefined;
+        }, {
+            scope: string;
+            tier: CertificationTier;
+            iss: string;
+            exp: number;
+            iat: number;
+            evidence?: string | undefined;
+        }>, "many">>;
+        aci_permission_ceiling: z.ZodOptional<z.ZodNumber>;
+        aci_constraints: z.ZodOptional<z.ZodObject<{
+            max_operations: z.ZodOptional<z.ZodNumber>;
+            allowed_resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            blocked_resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            valid_until: z.ZodOptional<z.ZodNumber>;
+            requires_approval: z.ZodOptional<z.ZodBoolean>;
+            custom: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        }, "strip", z.ZodTypeAny, {
+            custom?: Record<string, unknown> | undefined;
+            max_operations?: number | undefined;
+            allowed_resources?: string[] | undefined;
+            blocked_resources?: string[] | undefined;
+            valid_until?: number | undefined;
+            requires_approval?: boolean | undefined;
+        }, {
+            custom?: Record<string, unknown> | undefined;
+            max_operations?: number | undefined;
+            allowed_resources?: string[] | undefined;
+            blocked_resources?: string[] | undefined;
+            valid_until?: number | undefined;
+            requires_approval?: boolean | undefined;
+        }>>;
+    }, "strip", z.ZodTypeAny, {
+        aci: string;
+        aci_domains: number;
+        aci_domains_list: ("A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "S")[];
+        aci_level: CapabilityLevel;
+        aci_registry: string;
+        aci_org: string;
+        aci_class: string;
+        aci_version: string;
+        iss?: string | undefined;
+        sub?: string | undefined;
+        aud?: string | string[] | undefined;
+        exp?: number | undefined;
+        nbf?: number | undefined;
+        iat?: number | undefined;
+        jti?: string | undefined;
+        aci_trust?: CertificationTier | undefined;
+        aci_did?: string | undefined;
+        aci_runtime_tier?: RuntimeTier | undefined;
+        aci_attestations?: {
+            scope: string;
+            tier: CertificationTier;
+            iss: string;
+            exp: number;
+            iat: number;
+            evidence?: string | undefined;
+        }[] | undefined;
+        aci_permission_ceiling?: number | undefined;
+        aci_constraints?: {
+            custom?: Record<string, unknown> | undefined;
+            max_operations?: number | undefined;
+            allowed_resources?: string[] | undefined;
+            blocked_resources?: string[] | undefined;
+            valid_until?: number | undefined;
+            requires_approval?: boolean | undefined;
+        } | undefined;
+    }, {
+        aci: string;
+        aci_domains: number;
+        aci_domains_list: ("A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "S")[];
+        aci_level: CapabilityLevel;
+        aci_registry: string;
+        aci_org: string;
+        aci_class: string;
+        aci_version: string;
+        iss?: string | undefined;
+        sub?: string | undefined;
+        aud?: string | string[] | undefined;
+        exp?: number | undefined;
+        nbf?: number | undefined;
+        iat?: number | undefined;
+        jti?: string | undefined;
+        aci_trust?: CertificationTier | undefined;
+        aci_did?: string | undefined;
+        aci_runtime_tier?: RuntimeTier | undefined;
+        aci_attestations?: {
+            scope: string;
+            tier: CertificationTier;
+            iss: string;
+            exp: number;
+            iat: number;
+            evidence?: string | undefined;
+        }[] | undefined;
+        aci_permission_ceiling?: number | undefined;
+        aci_constraints?: {
+            custom?: Record<string, unknown> | undefined;
+            max_operations?: number | undefined;
+            allowed_resources?: string[] | undefined;
+            blocked_resources?: string[] | undefined;
+            valid_until?: number | undefined;
+            requires_approval?: boolean | undefined;
+        } | undefined;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    valid: boolean;
+    errors: {
+        code: "EXPIRED" | "INVALID_FORMAT" | "INVALID_DOMAINS" | "INVALID_LEVEL" | "MISSING_ACI" | "INVALID_ACI" | "NOT_YET_VALID" | "INVALID_TIER" | "DOMAINS_MISMATCH";
+        message: string;
+        path?: string | undefined;
+    }[];
+    claims?: {
+        aci: string;
+        aci_domains: number;
+        aci_domains_list: ("A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "S")[];
+        aci_level: CapabilityLevel;
+        aci_registry: string;
+        aci_org: string;
+        aci_class: string;
+        aci_version: string;
+        iss?: string | undefined;
+        sub?: string | undefined;
+        aud?: string | string[] | undefined;
+        exp?: number | undefined;
+        nbf?: number | undefined;
+        iat?: number | undefined;
+        jti?: string | undefined;
+        aci_trust?: CertificationTier | undefined;
+        aci_did?: string | undefined;
+        aci_runtime_tier?: RuntimeTier | undefined;
+        aci_attestations?: {
+            scope: string;
+            tier: CertificationTier;
+            iss: string;
+            exp: number;
+            iat: number;
+            evidence?: string | undefined;
+        }[] | undefined;
+        aci_permission_ceiling?: number | undefined;
+        aci_constraints?: {
+            custom?: Record<string, unknown> | undefined;
+            max_operations?: number | undefined;
+            allowed_resources?: string[] | undefined;
+            blocked_resources?: string[] | undefined;
+            valid_until?: number | undefined;
+            requires_approval?: boolean | undefined;
+        } | undefined;
+    } | undefined;
+}, {
+    valid: boolean;
+    errors: {
+        code: "EXPIRED" | "INVALID_FORMAT" | "INVALID_DOMAINS" | "INVALID_LEVEL" | "MISSING_ACI" | "INVALID_ACI" | "NOT_YET_VALID" | "INVALID_TIER" | "DOMAINS_MISMATCH";
+        message: string;
+        path?: string | undefined;
+    }[];
+    claims?: {
+        aci: string;
+        aci_domains: number;
+        aci_domains_list: ("A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "S")[];
+        aci_level: CapabilityLevel;
+        aci_registry: string;
+        aci_org: string;
+        aci_class: string;
+        aci_version: string;
+        iss?: string | undefined;
+        sub?: string | undefined;
+        aud?: string | string[] | undefined;
+        exp?: number | undefined;
+        nbf?: number | undefined;
+        iat?: number | undefined;
+        jti?: string | undefined;
+        aci_trust?: CertificationTier | undefined;
+        aci_did?: string | undefined;
+        aci_runtime_tier?: RuntimeTier | undefined;
+        aci_attestations?: {
+            scope: string;
+            tier: CertificationTier;
+            iss: string;
+            exp: number;
+            iat: number;
+            evidence?: string | undefined;
+        }[] | undefined;
+        aci_permission_ceiling?: number | undefined;
+        aci_constraints?: {
+            custom?: Record<string, unknown> | undefined;
+            max_operations?: number | undefined;
+            allowed_resources?: string[] | undefined;
+            blocked_resources?: string[] | undefined;
+            valid_until?: number | undefined;
+            requires_approval?: boolean | undefined;
+        } | undefined;
+    } | undefined;
+}>;
+//# sourceMappingURL=jwt-claims.d.ts.map