npm - @wireapp/core-crypto - Versions diffs - 3.0.2 → 4.0.1 - Mend

@wireapp/core-crypto 3.0.2 → 4.0.1

Files changed (8) hide show

package/package.json +36 -30
package/{platforms/web → src}/core-crypto-ffi_bg.wasm +0 -0
package/src/core-crypto-ffi_bg.wasm.d.ts +236 -0
package/{platforms/web → src}/corecrypto.d.ts +942 -1719
package/{platforms/web → src}/corecrypto.js +2124 -2467
package/LICENSE +0 -674
package/README.md +0 -321
package/platforms/web/.gitkeep +0 -0

package/{platforms/web → src}/corecrypto.d.ts RENAMED Viewed

@@ -1,3 +1,29 @@
+// Generated by dts-bundle-generator v9.5.1
+export interface CoreCryptoRichError {
+	message: string;
+	error_name?: string;
+	error_stack?: string[];
+	proteus_error_code?: number;
+}
+/**
+ * Error wrapper that takes care of extracting rich error details across the FFI (through JSON parsing)
+ *
+ * Whenever you're supposed to get this class (that extends `Error`) you might end up with a base `Error`
+ * in case the parsing of the message structure fails. This is unlikely but the case is still covered and fall backs automatically.
+ * More information will be found in the base `Error.cause` to inform you why the parsing has failed.
+ *
+ * Please note that in this case the extra properties will not be available.
+ */
+export declare class CoreCryptoError extends Error {
+	errorStack: string[];
+	proteusErrorCode: number | null;
+	private constructor();
+	private static fallback;
+	static build(msg: string, ...params: unknown[]): CoreCryptoError | Error;
+	static fromStdError(e: Error): CoreCryptoError | Error;
+	static asyncMapErr<T>(p: Promise<T>): Promise<T>;
+}
 declare enum CredentialType {
 	/**
 	* Just a KeyPair
@@ -8,6 +34,16 @@ declare enum CredentialType {
 	*/
 	X509 = 2
 }
+declare enum WirePolicy {
+	/**
+	* Handshake messages are never encrypted
+	*/
+	Plaintext = 1,
+	/**
+	* Handshake messages are always encrypted
+	*/
+	Ciphertext = 2
+}
 declare enum Ciphersuite {
 	/**
 	* DH KEM x25519 | AES-GCM 128 | SHA2-256 | Ed25519
@@ -38,21 +74,7 @@ declare enum Ciphersuite {
 	*/
 	MLS_256_DHKEMP384_AES256GCM_SHA384_P384 = 7
 }
-declare enum WirePolicy {
-	/**
-	* Handshake messages are never encrypted
-	*/
-	Plaintext = 1,
-	/**
-	* Handshake messages are always encrypted
-	*/
-	Ciphertext = 2
-}
-/**
-* For creating a challenge.
-* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
-*/
-export class AcmeChallenge {
+declare class AcmeChallenge {
 	free(): void;
 	/**
 	* Contains raw JSON data of this challenge. This is parsed by the underlying Rust library hence should not be accessed
@@ -68,7 +90,10 @@ export class AcmeChallenge {
 	*/
 	readonly url: string;
 }
-declare class BuildMetadata {
+/**
+* Metadata describing the conditions of the build of this software.
+*/
+export class BuildMetadata {
 	/**
 	** Return copy of self without private attributes.
 	*/
@@ -116,9 +141,10 @@ declare class BuildMetadata {
 	readonly timestamp: string;
 }
 /**
+* Configuration object for new conversations
 * see [core_crypto::prelude::MlsConversationConfiguration]
 */
-declare class ConversationConfiguration {
+export class ConversationConfiguration {
 	free(): void;
 	/**
 	* @param {Ciphersuite | undefined} [ciphersuite]
@@ -127,9 +153,19 @@ declare class ConversationConfiguration {
 	* @param {WirePolicy | undefined} [wire_policy]
 	*/
 	constructor(ciphersuite?: Ciphersuite, external_senders?: (Uint8Array)[], key_rotation_span?: number, wire_policy?: WirePolicy);
+	/**
+	* Conversation ciphersuite
+	*/
+	readonly ciphersuite: Ciphersuite | undefined;
+	/**
+	* Additional configuration
+	*/
+	readonly custom: CustomConfiguration;
+	/**
+	* List of client IDs that are allowed to be external senders
+	*/
+	readonly externalSenders: Array<any>;
 }
-/**
-*/
 declare class CoreCryptoContext {
 	free(): void;
 	/**
@@ -253,7 +289,7 @@ declare class CoreCryptoContext {
 	*/
 	process_welcome_message(welcome_message: Uint8Array, custom_configuration: CustomConfiguration): Promise<any>;
 	/**
-	* Returns: [`WasmCryptoResult<Option<MemberAddedMessages>>`]
+	* Returns: [`WasmCryptoResult<Option<Vec<String>>>`]
 	*
 	* see [core_crypto::mls::context::CentralContext::add_members_to_conversation]
 	* @param {Uint8Array} conversation_id
@@ -262,7 +298,7 @@ declare class CoreCryptoContext {
 	*/
 	add_clients_to_conversation(conversation_id: Uint8Array, key_packages: (Uint8Array)[]): Promise<any>;
 	/**
-	* Returns: [`WasmCryptoResult<Option<js_sys::Uint8Array>>`]
+	* Returns: [`WasmCryptoResult<()>`]
 	*
 	* see [core_crypto::mls::context::CentralContext::remove_members_from_conversation]
 	* @param {Uint8Array} conversation_id
@@ -280,7 +316,7 @@ declare class CoreCryptoContext {
 	*/
 	mark_conversation_as_child_of(child_id: Uint8Array, parent_id: Uint8Array): Promise<any>;
 	/**
-	* Returns: [`WasmCryptoResult<CommitBundle>`]
+	* Returns: [`WasmCryptoResult()`]
 	*
 	* see [core_crypto::mls::context::CentralContext::update_keying_material]
 	* @param {Uint8Array} conversation_id
@@ -288,6 +324,8 @@ declare class CoreCryptoContext {
 	*/
 	update_keying_material(conversation_id: Uint8Array): Promise<any>;
 	/**
+	* Returns: [`WasmCryptoResult()`]
+	*
 	* see [core_crypto::mls::context::CentralContext::commit_pending_proposals]
 	* @param {Uint8Array} conversation_id
 	* @returns {Promise<any>}
@@ -320,44 +358,7 @@ declare class CoreCryptoContext {
 	*/
 	encrypt_message(conversation_id: Uint8Array, message: Uint8Array): Promise<any>;
 	/**
-	* Returns: [`WasmCryptoResult<js_sys::Uint8Array>`]
-	*
-	* see [core_crypto::mls::context::CentralContext::new_add_proposal]
-	* @param {Uint8Array} conversation_id
-	* @param {Uint8Array} keypackage
-	* @returns {Promise<any>}
-	*/
-	new_add_proposal(conversation_id: Uint8Array, keypackage: Uint8Array): Promise<any>;
-	/**
-	* Returns: [`WasmCryptoResult<js_sys::Uint8Array>`]
-	*
-	* see [core_crypto::mls::context::CentralContext::new_update_proposal]
-	* @param {Uint8Array} conversation_id
-	* @returns {Promise<any>}
-	*/
-	new_update_proposal(conversation_id: Uint8Array): Promise<any>;
-	/**
-	* Returns: [`WasmCryptoResult<js_sys::Uint8Array>`]
-	*
-	* see [core_crypto::mls::context::CentralContext::new_remove_proposal]
-	* @param {Uint8Array} conversation_id
-	* @param {Uint8Array} client_id
-	* @returns {Promise<any>}
-	*/
-	new_remove_proposal(conversation_id: Uint8Array, client_id: Uint8Array): Promise<any>;
-	/**
-	* Returns: [`WasmCryptoResult<js_sys::Uint8Array>`]
-	*
-	* see [core_crypto::mls::context::CentralContext::new_external_add_proposal]
-	* @param {Uint8Array} conversation_id
-	* @param {number} epoch
-	* @param {Ciphersuite} ciphersuite
-	* @param {CredentialType} credential_type
-	* @returns {Promise<any>}
-	*/
-	new_external_add_proposal(conversation_id: Uint8Array, epoch: number, ciphersuite: Ciphersuite, credential_type: CredentialType): Promise<any>;
-	/**
-	* Returns: [`WasmCryptoResult<ConversationInitBundle>`]
+	* Returns: [`WasmCryptoResult<WelcomeBundle>`]
 	*
 	* see [core_crypto::mls::context::CentralContext::join_by_external_commit]
 	* @param {Uint8Array} group_info
@@ -367,41 +368,6 @@ declare class CoreCryptoContext {
 	*/
 	join_by_external_commit(group_info: Uint8Array, custom_configuration: CustomConfiguration, credential_type: CredentialType): Promise<any>;
 	/**
-	* Returns: [`WasmCryptoResult<()>`]
-	*
-	* see [core_crypto::mls::context::CentralContext::merge_pending_group_from_external_commit]
-	* @param {Uint8Array} conversation_id
-	* @returns {Promise<any>}
-	*/
-	merge_pending_group_from_external_commit(conversation_id: Uint8Array): Promise<any>;
-	/**
-	* Returns: [`WasmCryptoResult<()>`]
-	*
-	* see [core_crypto::mls::context::CentralContext::clear_pending_group_from_external_commit]
-	* @param {Uint8Array} conversation_id
-	* @returns {Promise<any>}
-	*/
-	clear_pending_group_from_external_commit(conversation_id: Uint8Array): Promise<any>;
-	/**
-	* see [core_crypto::mls::context::CentralContext::commit_accepted]
-	* @param {Uint8Array} conversation_id
-	* @returns {Promise<any>}
-	*/
-	commit_accepted(conversation_id: Uint8Array): Promise<any>;
-	/**
-	* see [core_crypto::mls::context::CentralContext::clear_pending_proposal]
-	* @param {Uint8Array} conversation_id
-	* @param {Uint8Array} proposal_ref
-	* @returns {Promise<any>}
-	*/
-	clear_pending_proposal(conversation_id: Uint8Array, proposal_ref: Uint8Array): Promise<any>;
-	/**
-	* see [core_crypto::mls::context::CentralContext::clear_pending_commit]
-	* @param {Uint8Array} conversation_id
-	* @returns {Promise<any>}
-	*/
-	clear_pending_commit(conversation_id: Uint8Array): Promise<any>;
-	/**
 	* Returns: [`WasmCryptoResult<js_sys::Uint8Array>`]
 	*
 	* see [core_crypto::mls::context::CentralContext::random_bytes]
@@ -581,13 +547,6 @@ declare class CoreCryptoContext {
 	*/
 	proteus_cryptobox_migrate(path: string): Promise<any>;
 	/**
-	* Returns: [`WasmCryptoResult<u32>`]
-	*
-	* NOTE: This will clear the last error code.
-	* @returns {Promise<any>}
-	*/
-	proteus_last_error_code(): Promise<any>;
-	/**
 	* Returns: [`WasmCryptoResult<E2eiEnrollment>`]
 	*
 	* see [core_crypto::mls::context::CentralContext::e2ei_new_enrollment]
@@ -662,7 +621,7 @@ declare class CoreCryptoContext {
 	*/
 	e2ei_mls_init_only(enrollment: FfiWireE2EIdentity, certificate_chain: string, nb_key_package?: number): Promise<any>;
 	/**
-	* Returns: [`WasmCryptoResult<CommitBundle>`]
+	* Returns: [`WasmCryptoResult<()>`]
 	*
 	* see [core_crypto::context::CentralContext::e2ei_rotate]
 	* @param {Uint8Array} conversation_id
@@ -670,13 +629,22 @@ declare class CoreCryptoContext {
 	*/
 	e2ei_rotate(conversation_id: Uint8Array): Promise<any>;
 	/**
-	* see [core_crypto::mls::context::CentralContext::e2ei_rotate_all]
+	* Returns: [`WasmCryptoResult<Option<Vec<String>>>`]
+	*
+	* see [core_crypto::mls::context::CentralContext::save_x509_credential]
 	* @param {FfiWireE2EIdentity} enrollment
 	* @param {string} certificate_chain
-	* @param {number} new_key_packages_count
 	* @returns {Promise<any>}
 	*/
-	e2ei_rotate_all(enrollment: FfiWireE2EIdentity, certificate_chain: string, new_key_packages_count: number): Promise<any>;
+	save_x509_credential(enrollment: FfiWireE2EIdentity, certificate_chain: string): Promise<any>;
+	/**
+	* Returns: [`WasmCryptoResult<()>`]
+	*
+	* see [core_crypto::context::CentralContext::delete_stale_key_packages]
+	* @param {Ciphersuite} cipher_suite
+	* @returns {Promise<any>}
+	*/
+	delete_stale_key_packages(cipher_suite: Ciphersuite): Promise<any>;
 	/**
 	* see [core_crypto::mls::context::CentralContext::e2ei_enrollment_stash]
 	* @param {FfiWireE2EIdentity} enrollment
@@ -744,18 +712,25 @@ declare class CoreCryptoWasmLogger {
 /**
 * see [core_crypto::prelude::MlsCustomConfiguration]
 */
-declare class CustomConfiguration {
+export class CustomConfiguration {
 	free(): void;
 	/**
 	* @param {number | undefined} [key_rotation_span]
 	* @param {WirePolicy | undefined} [wire_policy]
 	*/
 	constructor(key_rotation_span?: number, wire_policy?: WirePolicy);
+	/**
+	*  Duration in seconds after which we will automatically force a self-update commit
+	*  Note: This isn't currently implemented
+	*/
+	keyRotationSpan?: number;
+	/**
+	* Defines if handshake messages are encrypted or not
+	* Note: encrypted handshake messages are not supported by wire-server
+	*/
+	wirePolicy?: WirePolicy;
 }
-/**
-* Dump of the PKI environemnt as PEM
-*/
-export class E2eiDumpedPkiEnv {
+declare class E2eiDumpedPkiEnv {
 	free(): void;
 	/**
 	* CRLs registered in the PKI env
@@ -880,11 +855,7 @@ declare class FfiWireE2EIdentity {
 	*/
 	certificate_request(previous_nonce: string): Promise<any>;
 }
-/**
-* Result of an authorization creation.
-* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5
-*/
-export class NewAcmeAuthz {
+declare class NewAcmeAuthz {
 	free(): void;
 	/**
 	* Associated ACME Challenge
@@ -899,11 +870,7 @@ export class NewAcmeAuthz {
 	*/
 	readonly keyauth: string | undefined;
 }
-/**
-* Result of an order creation.
-* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
-*/
-export class NewAcmeOrder {
+declare class NewAcmeOrder {
 	free(): void;
 	/**
 	*/
@@ -913,811 +880,572 @@ export class NewAcmeOrder {
 	*/
 	readonly delegate: Uint8Array;
 }
+/**
+*/
+export class WelcomeBundle {
+	free(): void;
+	/**
+	* New CRL Distribution of members of this group
+	*/
+	readonly crlNewDistributionPoints: Array<any> | undefined;
+	/**
+	* Identifier of the joined conversation
+	*/
+	readonly id: Uint8Array;
+}
 declare class WireIdentity {
 	free(): void;
 	/**
+	* Unique client identifier e.g. `T4Coy4vdRzianwfOgXpn6A:6add501bacd1d90e@whitehouse.gov`
 	*/
-	readonly client_id: string;
+	readonly clientId: string;
 	/**
 	*/
-	readonly credential_type: number;
+	readonly credentialType: number;
 	/**
+	* Status of the Credential at the moment this object is created
 	*/
 	readonly status: number;
 	/**
+	* MLS thumbprint
 	*/
 	readonly thumbprint: string;
 	/**
 	*/
-	readonly x509_identity: X509Identity | undefined;
+	readonly x509Identity: X509Identity | undefined;
 }
 declare class X509Identity {
 	free(): void;
 	/**
+	* X509 certificate identifying this client in the MLS group ; PEM encoded
 	*/
 	readonly certificate: string;
 	/**
+	* Name as displayed in the messaging application e.g. `John Fitzgerald Kennedy`
 	*/
-	readonly display_name: string;
+	readonly displayName: string;
 	/**
+	* DNS domain for which this identity proof was generated e.g. `whitehouse.gov`
 	*/
 	readonly domain: string;
 	/**
+	* user handle e.g. `john_wire`
 	*/
 	readonly handle: string;
 	/**
+	* X509 certificate not after as Unix timestamp
 	*/
-	readonly not_after: bigint;
+	readonly notAfter: bigint;
 	/**
+	* X509 certificate not before as Unix timestamp
 	*/
-	readonly not_before: bigint;
+	readonly notBefore: bigint;
 	/**
+	* X509 certificate serial number
 	*/
-	readonly serial_number: string;
+	readonly serialNumber: string;
 }
-declare class CoreCryptoContext$1 {
-	#private;
-	/** @hidden */
-	private constructor();
-	/** @hidden */
-	static fromFfiContext(ctx: CoreCryptoContext): CoreCryptoContext$1;
+/**
+ * see [core_crypto::prelude::CiphersuiteName]
+ */
+declare enum Ciphersuite$1 {
 	/**
-	 * Set arbitrary data to be retrieved by {@link getData}.
-	 * This is meant to be used as a check point at the end of a transaction.
-	 * The data should be limited to a reasonable size.
+	 * DH KEM x25519 | AES-GCM 128 | SHA2-256 | Ed25519
 	 */
-	setData(data: Uint8Array): Promise<void>;
+	MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519 = 1,
 	/**
-	 * Get data if it has previously been set by {@link setData}, or `undefined` otherwise.
-	 * This is meant to be used as a check point at the end of a transaction.
+	 * DH KEM P256 | AES-GCM 128 | SHA2-256 | EcDSA P256
 	 */
-	getData(): Promise<Uint8Array | undefined>;
+	MLS_128_DHKEMP256_AES128GCM_SHA256_P256 = 2,
 	/**
-	 * Use this after {@link CoreCrypto.deferredInit} when you have a clientId. It initializes MLS.
-	 *
-	 * @param clientId - {@link CoreCryptoParams#clientId} but required
-	 * @param ciphersuites - All the ciphersuites supported by this MLS client
-	 * @param nbKeyPackage - number of initial KeyPackage to create when initializing the client
+	 * DH KEM x25519 | Chacha20Poly1305 | SHA2-256 | Ed25519
 	 */
-	mlsInit(clientId: ClientId, ciphersuites: Ciphersuite$1[], nbKeyPackage?: number): Promise<void>;
+	MLS_128_DHKEMX25519_CHACHA20POLY1305_SHA256_Ed25519 = 3,
 	/**
-	 * Generates a MLS KeyPair/CredentialBundle with a temporary, random client ID.
-	 * This method is designed to be used in conjunction with {@link CoreCryptoContext.mlsInitWithClientId} and represents the first step in this process
-	 *
-	 * @param ciphersuites - All the ciphersuites supported by this MLS client
-	 * @returns This returns the TLS-serialized identity key (i.e. the signature keypair's public key)
+	 * DH KEM x448 | AES-GCM 256 | SHA2-512 | Ed448
 	 */
-	mlsGenerateKeypair(ciphersuites: Ciphersuite$1[]): Promise<Uint8Array[]>;
+	MLS_256_DHKEMX448_AES256GCM_SHA512_Ed448 = 4,
 	/**
-	 * Updates the current temporary Client ID with the newly provided one. This is the second step in the externally-generated clients process
-	 *
-	 * Important: This is designed to be called after {@link CoreCryptoContext.mlsGenerateKeypair}
-	 *
-	 * @param clientId - The newly-allocated client ID by the MLS Authentication Service
-	 * @param signaturePublicKeys - The public key you were given at the first step; This is for authentication purposes
-	 * @param ciphersuites - All the ciphersuites supported by this MLS client
+	 * DH KEM P521 | AES-GCM 256 | SHA2-512 | EcDSA P521
 	 */
-	mlsInitWithClientId(clientId: ClientId, signaturePublicKeys: Uint8Array[], ciphersuites: Ciphersuite$1[]): Promise<void>;
+	MLS_256_DHKEMP521_AES256GCM_SHA512_P521 = 5,
 	/**
-	 * Checks if the Client is member of a given conversation and if the MLS Group is loaded up
-	 *
-	 * @returns Whether the given conversation ID exists
-	 *
-	 * @example
-	 * ```ts
-	 *  const cc = await CoreCrypto.init({ databaseName: "test", key: "test", clientId: "test" });
-	 *  const encoder = new TextEncoder();
-	 *  if (await cc.conversationExists(encoder.encode("my super chat"))) {
-	 *    // Do something
-	 *  } else {
-	 *    // Do something else
-	 *  }
-	 * ```
+	 * DH KEM x448 | Chacha20Poly1305 | SHA2-512 | Ed448
 	 */
-	conversationExists(conversationId: ConversationId): Promise<boolean>;
+	MLS_256_DHKEMX448_CHACHA20POLY1305_SHA512_Ed448 = 6,
 	/**
-	 * Marks a conversation as child of another one
-	 * This will mostly affect the behavior of the callbacks (the parentConversationClients parameter will be filled)
-	 *
-	 * @param childId - conversation identifier of the child conversation
-	 * @param parentId - conversation identifier of the parent conversation
+	 * DH KEM P384 | AES-GCM 256 | SHA2-384 | EcDSA P384
 	 */
-	markConversationAsChildOf(childId: ConversationId, parentId: ConversationId): Promise<void>;
+	MLS_256_DHKEMP384_AES256GCM_SHA384_P384 = 7
+}
+declare enum CredentialType$1 {
 	/**
-	 * Returns the current epoch of a conversation
-	 *
-	 * @returns the epoch of the conversation
-	 *
-	 * @example
-	 * ```ts
-	 *  const cc = await CoreCrypto.init({ databaseName: "test", key: "test", clientId: "test" });
-	 *  const encoder = new TextEncoder();
-	 *  console.log(await cc.conversationEpoch(encoder.encode("my super chat")))
-	 * ```
+	 * Just a KeyPair
 	 */
-	conversationEpoch(conversationId: ConversationId): Promise<number>;
+	Basic = 1,
 	/**
-	 * Returns the ciphersuite of a conversation
-	 *
-	 * @returns the ciphersuite of the conversation
+	 * A certificate obtained through e2e identity enrollment process
 	 */
-	conversationCiphersuite(conversationId: ConversationId): Promise<Ciphersuite$1>;
+	X509 = 2
+}
+/**
+ * see [core_crypto::prelude::MlsWirePolicy]
+ */
+declare enum WirePolicy$1 {
 	/**
-	 * Wipes and destroys the local storage of a given conversation / MLS group
-	 *
-	 * @param conversationId - The ID of the conversation to remove
+	 * Handshake messages are never encrypted
 	 */
-	wipeConversation(conversationId: ConversationId): Promise<void>;
+	Plaintext = 1,
 	/**
-	 * Creates a new conversation with the current client being the sole member
-	 * You will want to use {@link addClientsToConversation} afterwards to add clients to this conversation
-	 *
-	 * @param conversationId - The conversation ID; You can either make them random or let the backend attribute MLS group IDs
-	 * @param creatorCredentialType - kind of credential the creator wants to create the group with
-	 * @param configuration - configuration of the MLS group
-	 * @param configuration.ciphersuite - The {@link Ciphersuite} that is chosen to be the group's
-	 * @param configuration.externalSenders - Array of Client IDs that are qualified as external senders within the group
-	 * @param configuration.custom - {@link CustomConfiguration}
+	 * Handshake messages are always encrypted
 	 */
-	createConversation(conversationId: ConversationId, creatorCredentialType: CredentialType$1, configuration?: ConversationConfiguration$1): Promise<any>;
-	/**
-	 * Decrypts a message for a given conversation.
-	 *
-	 * Note: you should catch & ignore the following error reasons:
-	 * * "We already decrypted this message once"
-	 * * "You tried to join with an external commit but did not merge it yet. We will reapply this message for you when you merge your external commit"
-	 * * "Incoming message is for a future epoch. We will buffer it until the commit for that epoch arrives"
-	 *
-	 * @param conversationId - The ID of the conversation
-	 * @param payload - The encrypted message buffer
-	 *
-	 * @returns a {@link DecryptedMessage}. Note that {@link DecryptedMessage#message} is `undefined` when the encrypted payload contains a system message such a proposal or commit
-	 */
-	decryptMessage(conversationId: ConversationId, payload: Uint8Array): Promise<DecryptedMessage>;
+	Ciphertext = 2
+}
+/**
+ * Alias for conversation IDs.
+ * This is a freeform, uninspected buffer.
+ */
+export type ConversationId = Uint8Array;
+/**
+ * Alias for client identifier.
+ * This is a freeform, uninspected buffer.
+ */
+export type ClientId = Uint8Array;
+/**
+ * Alias for proposal reference. It is a byte array of size 16.
+ */
+export type ProposalRef = Uint8Array;
+/**
+ * Data shape for a MLS generic commit + optional bundle (aka stapled commit & welcome)
+ */
+export interface CommitBundle {
 	/**
-	 * Encrypts a message for a given conversation
-	 *
-	 * @param conversationId - The ID of the conversation
-	 * @param message - The plaintext message to encrypt
+	 * TLS-serialized MLS Commit that needs to be fanned out to other (existing) members of the conversation
 	 *
-	 * @returns The encrypted payload for the given group. This needs to be fanned out to the other members of the group.
+	 * @readonly
 	 */
-	encryptMessage(conversationId: ConversationId, message: Uint8Array): Promise<Uint8Array>;
+	commit: Uint8Array;
 	/**
-	 * Ingest a TLS-serialized MLS welcome message to join an existing MLS group
-	 *
-	 * Important: you have to catch the error with this reason "Although this Welcome seems valid, the local KeyPackage
-	 * it references has already been deleted locally. Join this group with an external commit", ignore it and then try
-	 * to join this group with an external commit.
+	 * Optional TLS-serialized MLS Welcome message that needs to be fanned out to the clients newly added to the conversation
 	 *
-	 * @param welcomeMessage - TLS-serialized MLS Welcome message
-	 * @param configuration - configuration of the MLS group
-	 * @returns The conversation ID of the newly joined group. You can use the same ID to decrypt/encrypt messages
+	 * @readonly
 	 */
-	processWelcomeMessage(welcomeMessage: Uint8Array, configuration?: CustomConfiguration$1): Promise<WelcomeBundle>;
+	welcome?: Uint8Array;
 	/**
-	 * Get the client's public signature key. To upload to the DS for further backend side validation
+	 * MLS GroupInfo which is required for joining a group by external commit
 	 *
-	 * @param ciphersuite - of the signature key to get
-	 * @param credentialType - of the public key to look for
-	 * @returns the client's public signature key
+	 * @readonly
 	 */
-	clientPublicKey(ciphersuite: Ciphersuite$1, credentialType: CredentialType$1): Promise<Uint8Array>;
+	groupInfo: GroupInfoBundle;
+}
+/**
+ * Wraps a GroupInfo in order to efficiently upload it to the Delivery Service.
+ * This is not part of MLS protocol but parts might be standardized at some point.
+ */
+export interface GroupInfoBundle {
 	/**
-	 *
-	 * @param ciphersuite - of the KeyPackages to count
-	 * @param credentialType - of the KeyPackages to count
-	 * @returns The amount of valid, non-expired KeyPackages that are persisted in the backing storage
+	 * see {@link GroupInfoEncryptionType}
 	 */
-	clientValidKeypackagesCount(ciphersuite: Ciphersuite$1, credentialType: CredentialType$1): Promise<number>;
+	encryptionType: GroupInfoEncryptionType;
 	/**
-	 * Fetches a requested amount of keypackages
-	 *
-	 * @param ciphersuite - of the KeyPackages to generate
-	 * @param credentialType - of the KeyPackages to generate
-	 * @param amountRequested - The amount of keypackages requested
-	 * @returns An array of length `amountRequested` containing TLS-serialized KeyPackages
+	 * see {@link RatchetTreeType}
 	 */
-	clientKeypackages(ciphersuite: Ciphersuite$1, credentialType: CredentialType$1, amountRequested: number): Promise<Array<Uint8Array>>;
+	ratchetTreeType: RatchetTreeType;
 	/**
-	 * Prunes local KeyPackages after making sure they also have been deleted on the backend side
-	 * You should only use this after {@link CoreCryptoContext.e2eiRotateAll}
-	 *
-	 * @param refs - KeyPackage references to delete obtained from a {RotateBundle}
+	 * TLS-serialized GroupInfo
 	 */
-	deleteKeypackages(refs: Uint8Array[]): Promise<void>;
+	payload: Uint8Array;
+}
+/**
+ * Informs whether the GroupInfo is confidential
+ * see [core_crypto::mls::conversation::group_info::GroupInfoEncryptionType]
+ */
+export declare enum GroupInfoEncryptionType {
 	/**
-	 * Adds new clients to a conversation, assuming the current client has the right to add new clients to the conversation.
-	 *
-	 * **CAUTION**: {@link CoreCryptoContext.commitAccepted} **HAS TO** be called afterward **ONLY IF** the Delivery Service responds
-	 * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
-	 * epoch, use new encryption secrets etc...
-	 *
-	 * @param conversationId - The ID of the conversation
-	 * @param keyPackages - KeyPackages of the new clients to add
-	 *
-	 * @returns A {@link CommitBundle}
+	 * Unencrypted
 	 */
-	addClientsToConversation(conversationId: ConversationId, keyPackages: Uint8Array[]): Promise<MemberAddedMessages>;
+	Plaintext = 1,
 	/**
-	 * Removes the provided clients from a conversation; Assuming those clients exist and the current client is allowed
-	 * to do so, otherwise this operation does nothing.
-	 *
-	 * **CAUTION**: {@link CoreCryptoContext.commitAccepted} **HAS TO** be called afterward **ONLY IF** the Delivery Service responds
-	 * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
-	 * epoch, use new encryption secrets etc...
-	 *
-	 * @param conversationId - The ID of the conversation
-	 * @param clientIds - Array of Client IDs to remove.
-	 *
-	 * @returns A {@link CommitBundle}
+	 * Encrypted in a JWE (not yet implemented)
 	 */
-	removeClientsFromConversation(conversationId: ConversationId, clientIds: ClientId[]): Promise<CommitBundle>;
+	JweEncrypted = 2
+}
+/**
+ * Represents different ways of carrying the Ratchet Tree with some optimizations to save some space
+ * see [core_crypto::mls::conversation::group_info::RatchetTreeType]
+ */
+export declare enum RatchetTreeType {
 	/**
-	 * Creates an update commit which forces every client to update their LeafNode in the conversation
-	 *
-	 * **CAUTION**: {@link CoreCryptoContext.commitAccepted} **HAS TO** be called afterward **ONLY IF** the Delivery Service responds
-	 * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
-	 * epoch, use new encryption secrets etc...
-	 *
-	 * @param conversationId - The ID of the conversation
-	 *
-	 * @returns A {@link CommitBundle}
+	 * Complete GroupInfo
 	 */
-	updateKeyingMaterial(conversationId: ConversationId): Promise<CommitBundle>;
+	Full = 1,
 	/**
-	 * Commits the local pending proposals and returns the {@link CommitBundle} object containing what can result from this operation.
-	 *
-	 * **CAUTION**: {@link CoreCryptoContext.commitAccepted} **HAS TO** be called afterwards **ONLY IF** the Delivery Service responds
-	 * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
-	 * epoch, use new encryption secrets etc...
-	 *
-	 * @param conversationId - The ID of the conversation
-	 *
-	 * @returns A {@link CommitBundle} or `undefined` when there was no pending proposal to commit
+	 * Contains the difference since previous epoch (not yet implemented)
 	 */
-	commitPendingProposals(conversationId: ConversationId): Promise<CommitBundle | undefined>;
+	Delta = 2,
 	/**
-	 * Creates a new proposal for the provided Conversation ID
-	 *
-	 * @param proposalType - The type of proposal, see {@link ProposalType}
-	 * @param args - The arguments of the proposal, see {@link ProposalArgs}, {@link AddProposalArgs} or {@link RemoveProposalArgs}
-	 *
-	 * @returns A {@link ProposalBundle} containing the Proposal and its reference in order to roll it back if necessary
+	 * To define (not yet implemented)
 	 */
-	newProposal(proposalType: ProposalType, args: ProposalArgs | AddProposalArgs | RemoveProposalArgs): Promise<ProposalBundle>;
+	ByRef = 3
+}
+/**
+ * This is a wrapper for all the possible outcomes you can get after decrypting a message
+ */
+export interface DecryptedMessage {
 	/**
-	 * Creates a new external Add proposal for self client to join a conversation.
+	 * Raw decrypted application message, if the decrypted MLS message is an application message
 	 */
-	newExternalProposal(externalProposalType: ExternalProposalType, args: ExternalAddProposalArgs): Promise<Uint8Array>;
+	message?: Uint8Array;
 	/**
-	 * Allows to create an external commit to "apply" to join a group through its GroupInfo.
-	 *
-	 * If the Delivery Service accepts the external commit, you have to {@link CoreCryptoContext.mergePendingGroupFromExternalCommit}
-	 * in order to get back a functional MLS group. On the opposite, if it rejects it, you can either retry by just
-	 * calling again {@link CoreCryptoContext.joinByExternalCommit}, no need to {@link CoreCryptoContext.clearPendingGroupFromExternalCommit}.
-	 * If you want to abort the operation (too many retries or the user decided to abort), you can use
-	 * {@link CoreCryptoContext.clearPendingGroupFromExternalCommit} in order not to bloat the user's storage but nothing
-	 * bad can happen if you forget to except some storage space wasted.
-	 *
-	 * @param groupInfo - a TLS encoded GroupInfo fetched from the Delivery Service
-	 * @param credentialType - kind of Credential to use for joining this group. If {@link CredentialType.Basic} is
-	 * chosen and no Credential has been created yet for it, a new one will be generated.
-	 * @param configuration - configuration of the MLS group
-	 * When {@link CredentialType.X509} is chosen, it fails when no Credential has been created for the given {@link Ciphersuite}.
-	 * @returns see {@link ConversationInitBundle}
+	 * Only when decrypted message is a commit, CoreCrypto will renew local proposal which could not make it in the commit.
+	 * This will contain either:
+	 *   * local pending proposal not in the accepted commit
+	 *   * If there is a pending commit, its proposals which are not in the accepted commit
 	 */
-	joinByExternalCommit(groupInfo: Uint8Array, credentialType: CredentialType$1, configuration?: CustomConfiguration$1): Promise<ConversationInitBundle>;
+	proposals: ProposalBundle[];
 	/**
-	 * This merges the commit generated by {@link CoreCryptoContext.joinByExternalCommit}, persists the group permanently
-	 * and deletes the temporary one. This step makes the group operational and ready to encrypt/decrypt message
-	 *
-	 * @param conversationId - The ID of the conversation
-	 * @returns eventually decrypted buffered messages if any
+	 * It is set to false if ingesting this MLS message has resulted in the client being removed from the group (i.e. a Remove commit)
 	 */
-	mergePendingGroupFromExternalCommit(conversationId: ConversationId): Promise<BufferedDecryptedMessage[] | undefined>;
+	isActive: boolean;
 	/**
-	 * In case the external commit generated by {@link CoreCryptoContext.joinByExternalCommit} is rejected by the Delivery Service, and we
-	 * want to abort this external commit once for all, we can wipe out the pending group from the keystore in order
-	 * not to waste space
-	 *
-	 * @param conversationId - The ID of the conversation
+	 * Commit delay hint (in milliseconds) to prevent clients from hammering the server with epoch changes
 	 */
-	clearPendingGroupFromExternalCommit(conversationId: ConversationId): Promise<void>;
+	commitDelay?: number;
 	/**
-	 * Allows to mark the latest commit produced as "accepted" and be able to safely merge it into the local group state
-	 *
-	 * @param conversationId - The group's ID
-	 * @returns the messages from current epoch which had been buffered, if any
+	 * Client identifier of the sender of the message being decrypted. Only present for application messages.
 	 */
-	commitAccepted(conversationId: ConversationId): Promise<BufferedDecryptedMessage[] | undefined>;
+	senderClientId?: ClientId;
 	/**
-	 * Allows to remove a pending proposal (rollback). Use this when backend rejects the proposal you just sent e.g. if permissions have changed meanwhile.
-	 *
-	 * **CAUTION**: only use this when you had an explicit response from the Delivery Service
-	 * e.g. 403 or 409. Do not use otherwise e.g. 5xx responses, timeout etc…
-	 *
-	 * @param conversationId - The group's ID
-	 * @param proposalRef - A reference to the proposal to delete. You get one when using {@link CoreCryptoContext.newProposal}
+	 * true when the decrypted message resulted in an epoch change i.e. it was a commit
 	 */
-	clearPendingProposal(conversationId: ConversationId, proposalRef: ProposalRef): Promise<void>;
+	hasEpochChanged: boolean;
 	/**
-	 * Allows to remove a pending commit (rollback). Use this when backend rejects the commit you just sent e.g. if permissions have changed meanwhile.
-	 *
-	 * **CAUTION**: only use this when you had an explicit response from the Delivery Service
-	 * e.g. 403. Do not use otherwise e.g. 5xx responses, timeout etc..
-	 * **DO NOT** use when Delivery Service responds 409, pending state will be renewed
-	 * in {@link CoreCryptoContext.decryptMessage}
-	 *
-	 * @param conversationId - The group's ID
+	 * Identity claims present in the sender credential
+	 * Only present when the credential is a x509 certificate
+	 * Present for all messages
 	 */
-	clearPendingCommit(conversationId: ConversationId): Promise<void>;
+	identity?: WireIdentity;
 	/**
-	 * Derives a new key from the group
-	 *
-	 * @param conversationId - The group's ID
-	 * @param keyLength - the length of the key to be derived. If the value is higher than the
-	 * bounds of `u16` or the context hash * 255, an error will be returned
-	 *
-	 * @returns A `Uint8Array` representing the derived key
+	 * Only set when the decrypted message is a commit.
+	 * Contains buffered messages for next epoch which were received before the commit creating the epoch
+	 * because the DS did not fan them out in order.
 	 */
-	exportSecretKey(conversationId: ConversationId, keyLength: number): Promise<Uint8Array>;
+	bufferedMessages?: BufferedDecryptedMessage[];
 	/**
-	 * Returns the raw public key of the single external sender present in this group.
-	 * This should be used to initialize a subconversation
-	 *
-	 * @param conversationId - The group's ID
-	 *
-	 * @returns A `Uint8Array` representing the external sender raw public key
+	 * New CRL distribution points that appeared by the introduction of a new credential
 	 */
-	getExternalSender(conversationId: ConversationId): Promise<Uint8Array>;
+	crlNewDistributionPoints?: string[];
+}
+/**
+ * Almost same as {@link DecryptedMessage} but avoids recursion
+ */
+export interface BufferedDecryptedMessage {
 	/**
-	 * Returns all clients from group's members
-	 *
-	 * @param conversationId - The group's ID
-	 *
-	 * @returns A list of clients from the members of the group
+	 * see {@link DecryptedMessage.message}
 	 */
-	getClientIds(conversationId: ConversationId): Promise<ClientId[]>;
+	message?: Uint8Array;
 	/**
-	 * Allows {@link CoreCryptoContext} to act as a CSPRNG provider
-	 * @note The underlying CSPRNG algorithm is ChaCha20 and takes in account the external seed provider.
-	 *
-	 * @param length - The number of bytes to be returned in the `Uint8Array`
-	 *
-	 * @returns A `Uint8Array` buffer that contains `length` cryptographically-secure random bytes
+	 * see {@link DecryptedMessage.proposals}
 	 */
-	randomBytes(length: number): Promise<Uint8Array>;
+	proposals: ProposalBundle[];
 	/**
-	 * Initializes the proteus client
+	 * see {@link DecryptedMessage.isActive}
 	 */
-	proteusInit(): Promise<void>;
+	isActive: boolean;
 	/**
-	 * Create a Proteus session using a prekey
-	 *
-	 * @param sessionId - ID of the Proteus session
-	 * @param prekey - CBOR-encoded Proteus prekey of the other client
+	 * see {@link DecryptedMessage.commitDelay}
 	 */
-	proteusSessionFromPrekey(sessionId: string, prekey: Uint8Array): Promise<void>;
+	commitDelay?: number;
 	/**
-	 * Create a Proteus session from a handshake message
-	 *
-	 * @param sessionId - ID of the Proteus session
-	 * @param envelope - CBOR-encoded Proteus message
-	 *
-	 * @returns A `Uint8Array` containing the message that was sent along with the session handshake
+	 * see {@link DecryptedMessage.senderClientId}
 	 */
-	proteusSessionFromMessage(sessionId: string, envelope: Uint8Array): Promise<Uint8Array>;
+	senderClientId?: ClientId;
 	/**
-	 * Locally persists a session to the keystore
-	 *
-	 * **Note**: This isn't usually needed as persisting sessions happens automatically when decrypting/encrypting messages and initializing Sessions
-	 *
-	 * @param sessionId - ID of the Proteus session
+	 * see {@link DecryptedMessage.hasEpochChanged}
 	 */
-	proteusSessionSave(sessionId: string): Promise<void>;
+	hasEpochChanged: boolean;
 	/**
-	 * Deletes a session
-	 * Note: this also deletes the persisted data within the keystore
-	 *
-	 * @param sessionId - ID of the Proteus session
+	 * see {@link DecryptedMessage.identity}
 	 */
-	proteusSessionDelete(sessionId: string): Promise<void>;
+	identity?: WireIdentity;
 	/**
-	 * Checks if a session exists
-	 *
-	 * @param sessionId - ID of the Proteus session
-	 *
-	 * @returns whether the session exists or not
+	 * see {@link DecryptedMessage.crlNewDistributionPoints}
 	 */
-	proteusSessionExists(sessionId: string): Promise<boolean>;
+	crlNewDistributionPoints?: string[];
+}
+/**
+ * Indicates the standalone status of a device Credential in a MLS group at a moment T.
+ * This does not represent the states where a device is not using MLS or is not using end-to-end identity
+ */
+export declare enum DeviceStatus {
 	/**
-	 * Decrypt an incoming message for an existing Proteus session
-	 *
-	 * @param sessionId - ID of the Proteus session
-	 * @param ciphertext - CBOR encoded, encrypted proteus message
-	 * @returns The decrypted payload contained within the message
+	 * All is fine
 	 */
-	proteusDecrypt(sessionId: string, ciphertext: Uint8Array): Promise<Uint8Array>;
+	Valid = 1,
 	/**
-	 * Encrypt a message for a given Proteus session
-	 *
-	 * @param sessionId - ID of the Proteus session
-	 * @param plaintext - payload to encrypt
-	 * @returns The CBOR-serialized encrypted message
+	 * The Credential's certificate is expired
 	 */
-	proteusEncrypt(sessionId: string, plaintext: Uint8Array): Promise<Uint8Array>;
+	Expired = 2,
 	/**
-	 * Batch encryption for proteus messages
-	 * This is used to minimize FFI roundtrips when used in the context of a multi-client session (i.e. conversation)
-	 *
-	 * @param sessions - List of Proteus session IDs to encrypt the message for
-	 * @param plaintext - payload to encrypt
-	 * @returns A map indexed by each session ID and the corresponding CBOR-serialized encrypted message for this session
+	 * The Credential's certificate is revoked
 	 */
-	proteusEncryptBatched(sessions: string[], plaintext: Uint8Array): Promise<Map<string, Uint8Array>>;
+	Revoked = 3
+}
+/**
+ * Returned by all methods creating proposals. Contains a proposal message and an identifier to roll back the proposal
+ */
+export interface ProposalBundle {
 	/**
-	 * Creates a new prekey with the requested ID.
+	 * TLS-serialized MLS proposal that needs to be fanned out to other (existing) members of the conversation
 	 *
-	 * @param prekeyId - ID of the PreKey to generate. This cannot be bigger than a u16
-	 * @returns: A CBOR-serialized version of the PreKeyBundle corresponding to the newly generated and stored PreKey
+	 * @readonly
 	 */
-	proteusNewPrekey(prekeyId: number): Promise<Uint8Array>;
+	proposal: Uint8Array;
 	/**
-	 * Creates a new prekey with an automatically generated ID..
+	 * Unique identifier of a proposal.
 	 *
-	 * @returns A CBOR-serialized version of the PreKeyBundle corresponding to the newly generated and stored PreKey accompanied by its ID
+	 * @readonly
 	 */
-	proteusNewPrekeyAuto(): Promise<ProteusAutoPrekeyBundle>;
+	proposalRef: ProposalRef;
 	/**
-	 * Proteus last resort prekey stuff
+	 *  New CRL Distribution of members of this group
 	 *
-	 * @returns A CBOR-serialize version of the PreKeyBundle associated with the last resort PreKey (holding the last resort prekey id)
+	 * @readonly
 	 */
-	proteusLastResortPrekey(): Promise<Uint8Array>;
+	crlNewDistributionPoints?: string[];
+}
+/**
+ * Returned by {@link MlsTransport} callbacks.
+ */
+export type MlsTransportResponse = "success" | "retry" | {
 	/**
-	 * @returns The last resort PreKey id
+	 * The message was rejected by the delivery service and there's no recovery.
 	 */
-	static proteusLastResortPrekeyId(): number;
+	abort: {
+		reason: string;
+	};
+};
+/**
+ * An interface that must be implemented and provided to CoreCrypto via
+ * {@link CoreCrypto.provideTransport}.
+ */
+export interface MlsTransport {
 	/**
-	 * Proteus public key fingerprint
-	 * It's basically the public key encoded as an hex string
+	 * This callback is called by CoreCrypto to send a commit bundle to the delivery service.
 	 *
-	 * @returns Hex-encoded public key string
+	 * @param commitBundle - the commit bundle
+	 * @returns a promise resolving to a {@link MlsTransportResponse}
 	 */
-	proteusFingerprint(): Promise<string>;
+	sendCommitBundle: (commitBundle: CommitBundle) => Promise<MlsTransportResponse>;
 	/**
-	 * Proteus session local fingerprint
-	 *
-	 * @param sessionId - ID of the Proteus session
-	 * @returns Hex-encoded public key string
+	 *  This callback is called by CoreCrypto to send a regular message to the delivery service.
+	 * @param message
+	 * @returns a promise resolving to a {@link MlsTransportResponse}
 	 */
-	proteusFingerprintLocal(sessionId: string): Promise<string>;
+	sendMessage: (message: Uint8Array) => Promise<MlsTransportResponse>;
+}
+/**
+ *  Supporting struct for CRL registration result
+ */
+export interface CRLRegistration {
 	/**
-	 * Proteus session remote fingerprint
+	 * Whether this CRL modifies the old CRL (i.e. has a different revocated cert list)
 	 *
-	 * @param sessionId - ID of the Proteus session
-	 * @returns Hex-encoded public key string
+	 * @readonly
 	 */
-	proteusFingerprintRemote(sessionId: string): Promise<string>;
+	dirty: boolean;
 	/**
-	 * Hex-encoded fingerprint of the given prekey
+	 * Optional expiration timestamp
 	 *
-	 * @param prekey - the prekey bundle to get the fingerprint from
-	 * @returns Hex-encoded public key string
-	 **/
-	static proteusFingerprintPrekeybundle(prekey: Uint8Array): string;
+	 * @readonly
+	 */
+	expiration?: number;
+}
+export interface AcmeDirectory {
 	/**
-	 * Imports all the data stored by Cryptobox into the CoreCrypto keystore
-	 *
-	 * @param storeName - The name of the IndexedDB store where the data is stored
+	 * URL for fetching a new nonce. Use this only for creating a new account.
 	 */
-	proteusCryptoboxMigrate(storeName: string): Promise<void>;
+	newNonce: string;
 	/**
-	 * Note: this call clears out the code and resets it to 0 (aka no error)
-	 * @returns the last proteus error code that occured.
+	 * URL for creating a new account.
 	 */
-	proteusLastErrorCode(): Promise<number>;
+	newAccount: string;
 	/**
-	 * Creates an enrollment instance with private key material you can use in order to fetch
-	 * a new x509 certificate from the acme server.
-	 *
-	 * @param clientId - client identifier e.g. `b7ac11a4-8f01-4527-af88-1c30885a7931:6add501bacd1d90e@example.com`
-	 * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
-	 * @param handle - user handle e.g. `alice.smith.qa@example.com`
-	 * @param expirySec - generated x509 certificate expiry
-	 * @param ciphersuite - for generating signing key material
-	 * @param team - name of the Wire team a user belongs to
-	 * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCryptoContext.e2eiMlsInitOnly}
+	 * URL for creating a new order.
 	 */
-	e2eiNewEnrollment(clientId: string, displayName: string, handle: string, expirySec: number, ciphersuite: Ciphersuite$1, team?: string): Promise<E2eiEnrollment>;
+	newOrder: string;
 	/**
-	 * Generates an E2EI enrollment instance for a "regular" client (with a Basic credential) willing to migrate to E2EI.
-	 * Once the enrollment is finished, use the instance in {@link CoreCryptoContext.e2eiRotateAll} to do the rotation.
-	 *
-	 * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
-	 * @param handle - user handle e.g. `alice.smith.qa@example.com`
-	 * @param expirySec - generated x509 certificate expiry
-	 * @param ciphersuite - for generating signing key material
-	 * @param team - name of the Wire team a user belongs to
-	 * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCryptoContext.e2eiRotateAll}
+	 * Revocation URL
 	 */
-	e2eiNewActivationEnrollment(displayName: string, handle: string, expirySec: number, ciphersuite: Ciphersuite$1, team?: string): Promise<E2eiEnrollment>;
+	revokeCert: string;
+}
+/**
+ * Returned by APIs whose code paths potentially discover new certificate revocation list distribution URLs.
+ */
+export type NewCrlDistributionPoints = string[] | undefined;
+export type JsonRawData = Uint8Array;
+export declare class E2eiEnrollment {
+	#private;
+	/** @hidden */
+	constructor(e2ei: unknown);
+	free(): void;
 	/**
-	 * Generates an E2EI enrollment instance for a E2EI client (with a X509 certificate credential)
-	 * having to change/rotate their credential, either because the former one is expired or it
-	 * has been revoked. It lets you change the DisplayName or the handle
-	 * if you need to. Once the enrollment is finished, use the instance in {@link CoreCryptoContext.e2eiRotateAll} to do the rotation.
-	 *
-	 * @param expirySec - generated x509 certificate expiry
-	 * @param ciphersuite - for generating signing key material
-	 * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
-	 * @param handle - user handle e.g. `alice.smith.qa@example.com`
-	 * @param team - name of the Wire team a user belongs to
-	 * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCryptoContext.e2eiRotateAll}
+	 * Should only be used internally
 	 */
-	e2eiNewRotateEnrollment(expirySec: number, ciphersuite: Ciphersuite$1, displayName?: string, handle?: string, team?: string): Promise<E2eiEnrollment>;
+	inner(): unknown;
 	/**
-	 * Use this method to initialize end-to-end identity when a client signs up and the grace period is already expired ;
-	 * that means he cannot initialize with a Basic credential
+	 * Parses the response from `GET /acme/{provisioner-name}/directory`.
+	 * Use this {@link AcmeDirectory} in the next step to fetch the first nonce from the acme server. Use
+	 * {@link AcmeDirectory.newNonce}.
 	 *
-	 * @param enrollment - the enrollment instance used to fetch the certificates
-	 * @param certificateChain - the raw response from ACME server
-	 * @param nbKeyPackage - number of initial KeyPackage to create when initializing the client
-	 * @returns a MlsClient initialized with only a x509 credential
+	 * @param directory HTTP response body
+	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.1.1
 	 */
-	e2eiMlsInitOnly(enrollment: E2eiEnrollment, certificateChain: string, nbKeyPackage?: number): Promise<string[] | undefined>;
+	directoryResponse(directory: JsonRawData): Promise<AcmeDirectory>;
 	/**
-	 * Dumps the PKI environment as PEM
+	 * For creating a new acme account. This returns a signed JWS-alike request body to send to
+	 * `POST /acme/{provisioner-name}/new-account`.
 	 *
-	 * @returns a struct with different fields representing the PKI environment as PEM strings
+	 * @param previousNonce you got from calling `HEAD {@link AcmeDirectory.newNonce}`
+	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.3
 	 */
-	e2eiDumpPKIEnv(): Promise<E2eiDumpedPkiEnv | undefined>;
+	newAccountRequest(previousNonce: string): Promise<JsonRawData>;
 	/**
-	 * @returns whether the E2EI PKI environment is setup (i.e. Root CA, Intermediates, CRLs)
+	 * Parses the response from `POST /acme/{provisioner-name}/new-account`.
+	 * @param account HTTP response body
+	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.3
 	 */
-	e2eiIsPKIEnvSetup(): Promise<boolean>;
+	newAccountResponse(account: JsonRawData): Promise<void>;
 	/**
-	 * Registers a Root Trust Anchor CA for the use in E2EI processing.
-	 *
-	 * Please note that without a Root Trust Anchor, all validations *will* fail;
-	 * So this is the first step to perform after initializing your E2EI client
+	 * Creates a new acme order for the handle (userId + display name) and the clientId.
 	 *
-	 * @param trustAnchorPEM - PEM certificate to anchor as a Trust Root
+	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/new-account`
+	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	e2eiRegisterAcmeCA(trustAnchorPEM: string): Promise<void>;
+	newOrderRequest(previousNonce: string): Promise<JsonRawData>;
 	/**
-	 * Registers an Intermediate CA for the use in E2EI processing.
-	 *
-	 * Please note that a Root Trust Anchor CA is needed to validate Intermediate CAs;
-	 * You **need** to have a Root CA registered before calling this
+	 * Parses the response from `POST /acme/{provisioner-name}/new-order`.
 	 *
-	 * @param certPEM - PEM certificate to register as an Intermediate CA
+	 * @param order HTTP response body
+	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	e2eiRegisterIntermediateCA(certPEM: string): Promise<string[] | undefined>;
+	newOrderResponse(order: JsonRawData): Promise<NewAcmeOrder>;
 	/**
-	 * Registers a CRL for the use in E2EI processing.
-	 *
-	 * Please note that a Root Trust Anchor CA is needed to validate CRLs;
-	 * You **need** to have a Root CA registered before calling this
-	 *
-	 * @param crlDP - CRL Distribution Point; Basically the URL you fetched it from
-	 * @param crlDER - DER representation of the CRL
+	 * Creates a new authorization request.
 	 *
-	 * @returns a {@link CRLRegistration} with the dirty state of the new CRL (see struct) and its expiration timestamp
+	 * @param url one of the URL in new order's authorizations from {@link newOrderResponse})
+	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/new-order` (or from the
+	 * previous to this method if you are creating the second authorization)
+	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5
 	 */
-	e2eiRegisterCRL(crlDP: string, crlDER: Uint8Array): Promise<CRLRegistration>;
+	newAuthzRequest(url: string, previousNonce: string): Promise<JsonRawData>;
 	/**
-	 * Creates an update commit which replaces your leaf containing basic credentials with a leaf node containing x509 credentials in the conversation.
-	 *
-	 * NOTE: you can only call this after you've completed the enrollment for an end-to-end identity, calling this without
-	 * a valid end-to-end identity will result in an error.
+	 * Parses the response from `POST /acme/{provisioner-name}/authz/{authz-id}`
 	 *
-	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterward **ONLY IF** the Delivery Service responds
-	 * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
-	 * epoch, use new encryption secrets etc...
+	 * @param authz HTTP response body
+	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5
+	 */
+	newAuthzResponse(authz: JsonRawData): Promise<NewAcmeAuthz>;
+	/**
+	 * Generates a new client Dpop JWT token. It demonstrates proof of possession of the nonces
+	 * (from wire-server & acme server) and will be verified by the acme server when verifying the
+	 * challenge (in order to deliver a certificate).
 	 *
-	 * @param conversationId - The ID of the conversation
+	 * Then send it to `POST /clients/{id}/access-token`
+	 * {@link https://staging-nginz-https.zinfra.io/api/swagger-ui/#/default/post_clients__cid__access_token} on wire-server.
 	 *
-	 * @returns A {@link CommitBundle}
+	 * @param expirySecs of the client Dpop JWT. This should be equal to the grace period set in Team Management
+	 * @param backendNonce you get by calling `GET /clients/token/nonce` on wire-server as defined here {@link https://staging-nginz-https.zinfra.io/api/swagger-ui/#/default/get_clients__client__nonce}
 	 */
-	e2eiRotate(conversationId: ConversationId): Promise<CommitBundle>;
+	createDpopToken(expirySecs: number, backendNonce: string): Promise<Uint8Array>;
 	/**
-	 * Creates a commit in all local conversations for changing the credential. Requires first
-	 * having enrolled a new X509 certificate with either {@link CoreCryptoContext.e2eiNewActivationEnrollment}
-	 * or {@link CoreCryptoContext.e2eiNewRotateEnrollment}
+	 * Creates a new challenge request for Wire Dpop challenge.
 	 *
-	 * @param enrollment - the enrollment instance used to fetch the certificates
-	 * @param certificateChain - the raw response from ACME server
-	 * @param newKeyPackageCount - number of KeyPackages with new identity to generate
-	 * @returns a {@link RotateBundle} with commits to fan-out to other group members, KeyPackages to upload and old ones to delete
+	 * @param accessToken returned by wire-server from https://staging-nginz-https.zinfra.io/api/swagger-ui/#/default/post_clients__cid__access_token
+	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/authz/{authz-id}`
+	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
 	 */
-	e2eiRotateAll(enrollment: E2eiEnrollment, certificateChain: string, newKeyPackageCount: number): Promise<RotateBundle>;
+	newDpopChallengeRequest(accessToken: string, previousNonce: string): Promise<JsonRawData>;
 	/**
-	 * Allows persisting an active enrollment (for example while redirecting the user during OAuth) in order to resume
-	 * it later with {@link e2eiEnrollmentStashPop}
+	 * Parses the response from `POST /acme/{provisioner-name}/challenge/{challenge-id}` for the DPoP challenge.
 	 *
-	 * @param enrollment the enrollment instance to persist
-	 * @returns a handle to fetch the enrollment later with {@link e2eiEnrollmentStashPop}
+	 * @param challenge HTTP response body
+	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
 	 */
-	e2eiEnrollmentStash(enrollment: E2eiEnrollment): Promise<Uint8Array>;
+	newDpopChallengeResponse(challenge: JsonRawData): Promise<void>;
 	/**
-	 * Fetches the persisted enrollment and deletes it from the keystore
+	 * Creates a new challenge request for Wire Oidc challenge.
 	 *
-	 * @param handle returned by {@link e2eiEnrollmentStash}
-	 * @returns the persisted enrollment instance
+	 * @param idToken you get back from Identity Provider
+	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/authz/{authz-id}`
+	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
 	 */
-	e2eiEnrollmentStashPop(handle: Uint8Array): Promise<E2eiEnrollment>;
+	newOidcChallengeRequest(idToken: string, previousNonce: string): Promise<JsonRawData>;
 	/**
-	 * Indicates when to mark a conversation as not verified i.e. when not all its members have a X509.
-	 * Credential generated by Wire's end-to-end identity enrollment
+	 * Parses the response from `POST /acme/{provisioner-name}/challenge/{challenge-id}` for the OIDC challenge.
 	 *
-	 * @param conversationId The group's ID
-	 * @returns the conversation state given current members
+	 * @param challenge HTTP response body
+	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
 	 */
-	e2eiConversationState(conversationId: ConversationId): Promise<E2eiConversationState>;
+	newOidcChallengeResponse(challenge: JsonRawData): Promise<void>;
 	/**
-	 * Returns true when end-to-end-identity is enabled for the given Ciphersuite
+	 * Verifies that the previous challenge has been completed.
 	 *
-	 * @param ciphersuite of the credential to check
-	 * @returns true if end-to-end identity is enabled for the given ciphersuite
+	 * @param orderUrl `location` header from http response you got from {@link newOrderResponse}
+	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/challenge/{challenge-id}`
+	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	e2eiIsEnabled(ciphersuite: Ciphersuite$1): Promise<boolean>;
+	checkOrderRequest(orderUrl: string, previousNonce: string): Promise<JsonRawData>;
 	/**
-	 * From a given conversation, get the identity of the members supplied. Identity is only present for members with a
-	 * Certificate Credential (after turning on end-to-end identity).
+	 * Parses the response from `POST /acme/{provisioner-name}/order/{order-id}`.
 	 *
-	 * @param conversationId - identifier of the conversation
-	 * @param deviceIds - identifiers of the devices
-	 * @returns identities or if no member has a x509 certificate, it will return an empty List
+	 * @param order HTTP response body
+	 * @return finalize url to use with {@link finalizeRequest}
+	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	getDeviceIdentities(conversationId: ConversationId, deviceIds: ClientId[]): Promise<WireIdentity$1[]>;
+	checkOrderResponse(order: JsonRawData): Promise<string>;
 	/**
-	 * From a given conversation, get the identity of the users (device holders) supplied.
-	 * Identity is only present for devices with a Certificate Credential (after turning on end-to-end identity).
-	 * If no member has a x509 certificate, it will return an empty Vec.
+	 * Final step before fetching the certificate.
 	 *
-	 * @param conversationId - identifier of the conversation
-	 * @param userIds - user identifiers hyphenated UUIDv4 e.g. 'bd4c7053-1c5a-4020-9559-cd7bf7961954'
-	 * @returns a Map with all the identities for a given users. Consumers are then recommended to reduce those identities to determine the actual status of a user.
+	 * @param previousNonce - `replay-nonce` response header from `POST /acme/{provisioner-name}/order/{order-id}`
+	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	getUserIdentities(conversationId: ConversationId, userIds: string[]): Promise<Map<string, WireIdentity$1[]>>;
+	finalizeRequest(previousNonce: string): Promise<JsonRawData>;
 	/**
-	 * Gets the e2ei conversation state from a `GroupInfo`. Useful to check if the group has e2ei
-	 * turned on or not before joining it.
+	 * Parses the response from `POST /acme/{provisioner-name}/order/{order-id}/finalize`.
 	 *
-	 * @param groupInfo - a TLS encoded GroupInfo fetched from the Delivery Service
-	 * @param credentialType - kind of Credential to check usage of. Defaults to X509 for now as no other value will give any result.
-	 * @returns see {@link E2eiConversationState}
-	 */
-	getCredentialInUse(groupInfo: Uint8Array, credentialType?: CredentialType$1): Promise<E2eiConversationState>;
-}
-export interface CoreCryptoRichError {
-	message: string;
-	error_name?: string;
-	error_stack?: string[];
-	proteus_error_code?: number;
-}
-/**
- * Error wrapper that takes care of extracting rich error details across the FFI (through JSON parsing)
- *
- * Whenever you're supposed to get this class (that extends `Error`) you might end up with a base `Error`
- * in case the parsing of the message structure fails. This is unlikely but the case is still covered and fall backs automatically.
- * More information will be found in the base `Error.cause` to inform you why the parsing has failed.
- *
- * Please note that in this case the extra properties will not be available.
- */
-export declare class CoreCryptoError extends Error {
-	errorStack: string[];
-	proteusErrorCode: number | null;
-	private constructor();
-	private static fallback;
-	static build(msg: string, ...params: unknown[]): CoreCryptoError | Error;
-	static fromStdError(e: Error): CoreCryptoError | Error;
-	static asyncMapErr<T>(p: Promise<T>): Promise<T>;
-}
-/**
- * see [core_crypto::prelude::CiphersuiteName]
- */
-declare enum Ciphersuite$1 {
-	/**
-	 * DH KEM x25519 | AES-GCM 128 | SHA2-256 | Ed25519
-	 */
-	MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519 = 1,
-	/**
-	 * DH KEM P256 | AES-GCM 128 | SHA2-256 | EcDSA P256
-	 */
-	MLS_128_DHKEMP256_AES128GCM_SHA256_P256 = 2,
-	/**
-	 * DH KEM x25519 | Chacha20Poly1305 | SHA2-256 | Ed25519
-	 */
-	MLS_128_DHKEMX25519_CHACHA20POLY1305_SHA256_Ed25519 = 3,
-	/**
-	 * DH KEM x448 | AES-GCM 256 | SHA2-512 | Ed448
-	 */
-	MLS_256_DHKEMX448_AES256GCM_SHA512_Ed448 = 4,
-	/**
-	 * DH KEM P521 | AES-GCM 256 | SHA2-512 | EcDSA P521
-	 */
-	MLS_256_DHKEMP521_AES256GCM_SHA512_P521 = 5,
-	/**
-	 * DH KEM x448 | Chacha20Poly1305 | SHA2-512 | Ed448
-	 */
-	MLS_256_DHKEMX448_CHACHA20POLY1305_SHA512_Ed448 = 6,
-	/**
-	 * DH KEM P384 | AES-GCM 256 | SHA2-384 | EcDSA P384
-	 */
-	MLS_256_DHKEMP384_AES256GCM_SHA384_P384 = 7
-}
-declare enum CredentialType$1 {
-	/**
-	 * Just a KeyPair
-	 */
-	Basic = 1,
-	/**
-	 * A certificate obtained through e2e identity enrollment process
-	 */
-	X509 = 2
-}
-/**
- * Configuration object for new conversations
- */
-interface ConversationConfiguration$1 {
-	/**
-	 * Conversation ciphersuite
-	 */
-	ciphersuite?: Ciphersuite$1;
-	/**
-	 * List of client IDs that are allowed to be external senders of commits
+	 * @param finalize HTTP response body
+	 * @return the certificate url to use with {@link certificateRequest}
+	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	externalSenders?: Uint8Array[];
+	finalizeResponse(finalize: JsonRawData): Promise<string>;
 	/**
-	 * Implementation specific configuration
+	 * Creates a request for finally fetching the x509 certificate.
+	 *
+	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/order/{order-id}/finalize`
+	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4.2
 	 */
-	custom?: CustomConfiguration$1;
+	certificateRequest(previousNonce: string): Promise<JsonRawData>;
 }
 /**
- * see [core_crypto::prelude::MlsWirePolicy]
+ * Indicates the state of a Conversation regarding end-to-end identity.
+ * Note: this does not check pending state (pending commit, pending proposals) so it does not
+ * consider members about to be added/removed
  */
-declare enum WirePolicy$1 {
-	/**
-	 * Handshake messages are never encrypted
-	 */
-	Plaintext = 1,
+export declare enum E2eiConversationState {
 	/**
-	 * Handshake messages are always encrypted
+	 * All clients have a valid E2EI certificate
 	 */
-	Ciphertext = 2
-}
-/**
- * Implementation specific configuration object for a conversation
- */
-interface CustomConfiguration$1 {
+	Verified = 1,
 	/**
-	 * Duration in seconds after which we will automatically force a self_update commit
-	 * Note: This isn't currently implemented
+	 * Some clients are either still Basic or their certificate is expired
 	 */
-	keyRotationSpan?: number;
+	NotVerified = 2,
 	/**
-	 * Defines if handshake messages are encrypted or not
-	 * Note: Ciphertext is not currently supported by wire-server
+	 * All clients are still Basic. If all client have expired certificates, NotVerified is returned.
 	 */
-	wirePolicy?: WirePolicy$1;
+	NotEnabled = 3
 }
-/**
- * Alias for conversation IDs.
- * This is a freeform, uninspected buffer.
- */
-export type ConversationId = Uint8Array;
-/**
- * Alias for client identifier.
- * This is a freeform, uninspected buffer.
- */
-export type ClientId = Uint8Array;
-/**
- * Alias for proposal reference. It is a byte array of size 16.
- */
-export type ProposalRef = Uint8Array;
 /**
  * Data shape for proteusNewPrekeyAuto() call returns.
  */
@@ -1735,547 +1463,624 @@ export interface ProteusAutoPrekeyBundle {
 	 */
 	pkb: Uint8Array;
 }
-/**
- * Data shape for the returned MLS commit & welcome message tuple upon adding clients to a conversation
- */
-export interface MemberAddedMessages {
+declare class CoreCryptoContext$1 {
+	#private;
+	/** @hidden */
+	private constructor();
+	/** @hidden */
+	static fromFfiContext(ctx: CoreCryptoContext): CoreCryptoContext$1;
 	/**
-	 * TLS-serialized MLS Commit that needs to be fanned out to other (existing) members of the conversation
-	 *
-	 * @readonly
+	 * Set arbitrary data to be retrieved by {@link getData}.
+	 * This is meant to be used as a check point at the end of a transaction.
+	 * The data should be limited to a reasonable size.
 	 */
-	commit: Uint8Array;
+	setData(data: Uint8Array): Promise<void>;
 	/**
-	 * TLS-serialized MLS Welcome message that needs to be fanned out to the clients newly added to the conversation
-	 *
-	 * @readonly
+	 * Get data if it has previously been set by {@link setData}, or `undefined` otherwise.
+	 * This is meant to be used as a check point at the end of a transaction.
 	 */
-	welcome: Uint8Array;
+	getData(): Promise<Uint8Array | undefined>;
 	/**
-	 * MLS GroupInfo which is required for joining a group by external commit
+	 * Use this after {@link CoreCrypto.deferredInit} when you have a clientId. It initializes MLS.
 	 *
-	 * @readonly
+	 * @param clientId - {@link CoreCryptoParams#clientId} but required
+	 * @param ciphersuites - All the ciphersuites supported by this MLS client
+	 * @param nbKeyPackage - number of initial KeyPackage to create when initializing the client
 	 */
-	groupInfo: GroupInfoBundle;
+	mlsInit(clientId: ClientId, ciphersuites: Ciphersuite$1[], nbKeyPackage?: number): Promise<void>;
 	/**
-	 * New CRL distribution points that appeared by the introduction of a new credential
+	 * Generates a MLS KeyPair/CredentialBundle with a temporary, random client ID.
+	 * This method is designed to be used in conjunction with {@link CoreCryptoContext.mlsInitWithClientId} and represents the first step in this process
+	 *
+	 * @param ciphersuites - All the ciphersuites supported by this MLS client
+	 * @returns This returns the TLS-serialized identity key (i.e. the signature keypair's public key)
 	 */
-	crlNewDistributionPoints?: string[];
-}
-/**
- * Data shape for a MLS generic commit + optional bundle (aka stapled commit & welcome)
- */
-export interface CommitBundle {
+	mlsGenerateKeypair(ciphersuites: Ciphersuite$1[]): Promise<Uint8Array[]>;
 	/**
-	 * TLS-serialized MLS Commit that needs to be fanned out to other (existing) members of the conversation
+	 * Updates the current temporary Client ID with the newly provided one. This is the second step in the externally-generated clients process
 	 *
-	 * @readonly
+	 * Important: This is designed to be called after {@link CoreCryptoContext.mlsGenerateKeypair}
+	 *
+	 * @param clientId - The newly-allocated client ID by the MLS Authentication Service
+	 * @param signaturePublicKeys - The public key you were given at the first step; This is for authentication purposes
+	 * @param ciphersuites - All the ciphersuites supported by this MLS client
 	 */
-	commit: Uint8Array;
+	mlsInitWithClientId(clientId: ClientId, signaturePublicKeys: Uint8Array[], ciphersuites: Ciphersuite$1[]): Promise<void>;
 	/**
-	 * Optional TLS-serialized MLS Welcome message that needs to be fanned out to the clients newly added to the conversation
+	 * Checks if the Client is member of a given conversation and if the MLS Group is loaded up
 	 *
-	 * @readonly
+	 * @returns Whether the given conversation ID exists
+	 *
+	 * @example
+	 * ```ts
+	 *  const cc = await CoreCrypto.init({ databaseName: "test", key: "test", clientId: "test" });
+	 *  const encoder = new TextEncoder();
+	 *  if (await cc.conversationExists(encoder.encode("my super chat"))) {
+	 *    // Do something
+	 *  } else {
+	 *    // Do something else
+	 *  }
+	 * ```
 	 */
-	welcome?: Uint8Array;
+	conversationExists(conversationId: ConversationId): Promise<boolean>;
 	/**
-	 * MLS GroupInfo which is required for joining a group by external commit
+	 * Marks a conversation as child of another one
+	 * This will mostly affect the behavior of the callbacks (the parentConversationClients parameter will be filled)
 	 *
-	 * @readonly
+	 * @param childId - conversation identifier of the child conversation
+	 * @param parentId - conversation identifier of the parent conversation
 	 */
-	groupInfo: GroupInfoBundle;
-}
-/**
- * Wraps a GroupInfo in order to efficiently upload it to the Delivery Service.
- * This is not part of MLS protocol but parts might be standardized at some point.
- */
-export interface GroupInfoBundle {
+	markConversationAsChildOf(childId: ConversationId, parentId: ConversationId): Promise<void>;
 	/**
-	 * see {@link GroupInfoEncryptionType}
+	 * Returns the current epoch of a conversation
+	 *
+	 * @returns the epoch of the conversation
+	 *
+	 * @example
+	 * ```ts
+	 *  const cc = await CoreCrypto.init({ databaseName: "test", key: "test", clientId: "test" });
+	 *  const encoder = new TextEncoder();
+	 *  console.log(await cc.conversationEpoch(encoder.encode("my super chat")))
+	 * ```
 	 */
-	encryptionType: GroupInfoEncryptionType;
+	conversationEpoch(conversationId: ConversationId): Promise<number>;
 	/**
-	 * see {@link RatchetTreeType}
-	 */
-	ratchetTreeType: RatchetTreeType;
-	/**
-	 * TLS-serialized GroupInfo
-	 */
-	payload: Uint8Array;
-}
-/**
- * Informs whether the GroupInfo is confidential
- * see [core_crypto::mls::conversation::group_info::GroupInfoEncryptionType]
- */
-export declare enum GroupInfoEncryptionType {
-	/**
-	 * Unencrypted
-	 */
-	Plaintext = 1,
-	/**
-	 * Encrypted in a JWE (not yet implemented)
-	 */
-	JweEncrypted = 2
-}
-/**
- * Represents different ways of carrying the Ratchet Tree with some optimizations to save some space
- * see [core_crypto::mls::conversation::group_info::RatchetTreeType]
- */
-export declare enum RatchetTreeType {
-	/**
-	 * Complete GroupInfo
-	 */
-	Full = 1,
-	/**
-	 * Contains the difference since previous epoch (not yet implemented)
-	 */
-	Delta = 2,
-	/**
-	 * To define (not yet implemented)
-	 */
-	ByRef = 3
-}
-/**
- * Result returned after rotating the Credential of the current client in all the local conversations
- */
-export interface RotateBundle {
-	/**
-	 * An Update commit for each conversation
+	 * Returns the ciphersuite of a conversation
 	 *
-	 * @readonly
+	 * @returns the ciphersuite of the conversation
 	 */
-	commits: Map<string, CommitBundle>;
+	conversationCiphersuite(conversationId: ConversationId): Promise<Ciphersuite$1>;
 	/**
-	 * Fresh KeyPackages with the new Credential
+	 * Wipes and destroys the local storage of a given conversation / MLS group
 	 *
-	 * @readonly
+	 * @param conversationId - The ID of the conversation to remove
 	 */
-	newKeyPackages: Uint8Array[];
+	wipeConversation(conversationId: ConversationId): Promise<void>;
 	/**
-	 * All the now deprecated KeyPackages. Once deleted remotely, delete them locally with {@link CoreCrypto.deleteKeyPackages}
+	 * Creates a new conversation with the current client being the sole member
+	 * You will want to use {@link addClientsToConversation} afterwards to add clients to this conversation
 	 *
-	 * @readonly
-	 */
-	keyPackageRefsToRemove: Uint8Array[];
-	/**
-	 * New CRL distribution points that appeared by the introduction of a new credential
-	 */
-	crlNewDistributionPoints?: string[];
-}
-/**
- * Params for CoreCrypto deferred initialization
- * Please note that the `entropySeed` parameter MUST be exactly 32 bytes
- */
-export interface CoreCryptoDeferredParams {
-	/**
-	 * Name of the IndexedDB database
-	 */
-	databaseName: string;
-	/**
-	 * Encryption master key
-	 * This should be appropriately stored in a secure location (i.e. WebCrypto private key storage)
-	 */
-	key: string;
-	/**
-	 * External PRNG entropy pool seed.
-	 * This **must** be exactly 32 bytes
-	 */
-	entropySeed?: Uint8Array;
-	/**
-	 * .wasm file path, this will be useful in case your bundling system likes to relocate files (i.e. what webpack does)
-	 */
-	wasmFilePath?: string;
-}
-/**
- * Params for CoreCrypto initialization
- * Please note that the `entropySeed` parameter MUST be exactly 32 bytes
- */
-export interface CoreCryptoParams extends CoreCryptoDeferredParams {
-	/**
-	 * MLS Client ID.
-	 * This should stay consistent as it will be verified against the stored signature & identity to validate the persisted credential
-	 */
-	clientId: ClientId;
-	/**
-	 * All the ciphersuites this MLS client can support
-	 */
-	ciphersuites: Ciphersuite$1[];
-	/**
-	 * Number of initial KeyPackage to create when initializing the client
+	 * @param conversationId - The conversation ID; You can either make them random or let the backend attribute MLS group IDs
+	 * @param creatorCredentialType - kind of credential the creator wants to create the group with
+	 * @param configuration - configuration of the MLS group
+	 * @param configuration.ciphersuite - The {@link Ciphersuite} that is chosen to be the group's
+	 * @param configuration.externalSenders - Array of Client IDs that are qualified as external senders within the group
+	 * @param configuration.custom - {@link CustomConfiguration}
 	 */
-	nbKeyPackage?: number;
-}
-export interface ConversationInitBundle {
+	createConversation(conversationId: ConversationId, creatorCredentialType: CredentialType$1, configuration?: Partial<ConversationConfiguration>): Promise<any>;
 	/**
-	 * Conversation ID of the conversation created
+	 * Decrypts a message for a given conversation.
 	 *
-	 * @readonly
+	 * Note: you should catch & ignore the following error reasons:
+	 * * "We already decrypted this message once"
+	 * * "You tried to join with an external commit but did not merge it yet. We will reapply this message for you when you merge your external commit"
+	 * * "Incoming message is for a future epoch. We will buffer it until the commit for that epoch arrives"
+	 *
+	 * @param conversationId - The ID of the conversation
+	 * @param payload - The encrypted message buffer
+	 *
+	 * @returns a {@link DecryptedMessage}. Note that {@link DecryptedMessage#message} is `undefined` when the encrypted payload contains a system message such a proposal or commit
 	 */
-	conversationId: ConversationId;
+	decryptMessage(conversationId: ConversationId, payload: Uint8Array): Promise<DecryptedMessage>;
 	/**
-	 * TLS-serialized MLS External Commit that needs to be fanned out
+	 * Encrypts a message for a given conversation
 	 *
-	 * @readonly
+	 * @param conversationId - The ID of the conversation
+	 * @param message - The plaintext message to encrypt
+	 *
+	 * @returns The encrypted payload for the given group. This needs to be fanned out to the other members of the group.
 	 */
-	commit: Uint8Array;
+	encryptMessage(conversationId: ConversationId, message: Uint8Array): Promise<Uint8Array>;
 	/**
-	 * MLS Public Group State (aka Group Info) which becomes valid when the external commit is accepted by the Delivery Service
-	 * with {@link CoreCrypto.mergePendingGroupFromExternalCommit}
+	 * Ingest a TLS-serialized MLS welcome message to join an existing MLS group
 	 *
-	 * @readonly
+	 * You have to catch the error with this reason "Although this Welcome seems valid, the local KeyPackage
+	 * it references has already been deleted locally. Join this group with an external commit", ignore it and then
+	 * join this group via {@link CoreCryptoContext.joinByExternalCommit}.
+	 *
+	 * @param welcomeMessage - TLS-serialized MLS Welcome message
+	 * @param configuration - configuration of the MLS group
+	 * @returns The conversation ID of the newly joined group. You can use the same ID to decrypt/encrypt messages
 	 */
-	groupInfo: GroupInfoBundle;
+	processWelcomeMessage(welcomeMessage: Uint8Array, configuration?: Partial<CustomConfiguration>): Promise<WelcomeBundle>;
 	/**
-	 * New CRL distribution points that appeared by the introduction of a new credential
+	 * Get the client's public signature key. To upload to the DS for further backend side validation
+	 *
+	 * @param ciphersuite - of the signature key to get
+	 * @param credentialType - of the public key to look for
+	 * @returns the client's public signature key
 	 */
-	crlNewDistributionPoints?: string[];
-}
-/**
- *  Supporting struct for CRL registration result
- */
-export interface CRLRegistration {
+	clientPublicKey(ciphersuite: Ciphersuite$1, credentialType: CredentialType$1): Promise<Uint8Array>;
 	/**
-	 * Whether this CRL modifies the old CRL (i.e. has a different revocated cert list)
 	 *
-	 * @readonly
+	 * @param ciphersuite - of the KeyPackages to count
+	 * @param credentialType - of the KeyPackages to count
+	 * @returns The amount of valid, non-expired KeyPackages that are persisted in the backing storage
 	 */
-	dirty: boolean;
+	clientValidKeypackagesCount(ciphersuite: Ciphersuite$1, credentialType: CredentialType$1): Promise<number>;
 	/**
-	 * Optional expiration timestamp
+	 * Fetches a requested amount of keypackages
 	 *
-	 * @readonly
+	 * @param ciphersuite - of the KeyPackages to generate
+	 * @param credentialType - of the KeyPackages to generate
+	 * @param amountRequested - The amount of keypackages requested
+	 * @returns An array of length `amountRequested` containing TLS-serialized KeyPackages
 	 */
-	expiration?: number;
-}
-/**
- * This is a wrapper for all the possible outcomes you can get after decrypting a message
- */
-export interface DecryptedMessage {
+	clientKeypackages(ciphersuite: Ciphersuite$1, credentialType: CredentialType$1, amountRequested: number): Promise<Array<Uint8Array>>;
 	/**
-	 * Raw decrypted application message, if the decrypted MLS message is an application message
+	 * Prunes local KeyPackages after making sure they also have been deleted on the backend side
+	 * You should only use this after calling {@link CoreCryptoContext.e2eiRotate} on all conversations.
+	 *
+	 * @param refs - KeyPackage references to delete obtained from a {RotateBundle}
 	 */
-	message?: Uint8Array;
+	deleteKeypackages(refs: Uint8Array[]): Promise<void>;
 	/**
-	 * Only when decrypted message is a commit, CoreCrypto will renew local proposal which could not make it in the commit.
-	 * This will contain either:
-	 *   * local pending proposal not in the accepted commit
-	 *   * If there is a pending commit, its proposals which are not in the accepted commit
+	 * Adds new clients to a conversation, assuming the current client has the right to add new clients to the conversation.
+	 *
+	 * Sends the corresponding commit via {@link MlsTransport.sendCommitBundle} and merges it if the call is successful.
+	 *
+	 * @param conversationId - The ID of the conversation
+	 * @param keyPackages - KeyPackages of the new clients to add
+	 *
+	 * @returns Potentially a list of newly discovered crl distribution points
 	 */
-	proposals: ProposalBundle[];
+	addClientsToConversation(conversationId: ConversationId, keyPackages: Uint8Array[]): Promise<NewCrlDistributionPoints>;
 	/**
-	 * It is set to false if ingesting this MLS message has resulted in the client being removed from the group (i.e. a Remove commit)
+	 * Removes the provided clients from a conversation; Assuming those clients exist and the current client is allowed
+	 * to do so, otherwise this operation does nothing.
+	 *
+	 * @param conversationId - The ID of the conversation
+	 * @param clientIds - Array of Client IDs to remove.
 	 */
-	isActive: boolean;
+	removeClientsFromConversation(conversationId: ConversationId, clientIds: ClientId[]): Promise<void>;
 	/**
-	 * Commit delay hint (in milliseconds) to prevent clients from hammering the server with epoch changes
+	 * Update the keying material of the conversation.
+	 *
+	 * @param conversationId - The ID of the conversation
 	 */
-	commitDelay?: number;
+	updateKeyingMaterial(conversationId: ConversationId): Promise<void>;
 	/**
-	 * Client identifier of the sender of the message being decrypted. Only present for application messages.
+	 * Commits the local pending proposals.
+	 *
+	 * Sends the corresponding commit via {@link MlsTransport.sendCommitBundle}
+	 * and merges it if the call is successful.
+	 *
+	 * @param conversationId - The ID of the conversation
 	 */
-	senderClientId?: ClientId;
+	commitPendingProposals(conversationId: ConversationId): Promise<void>;
 	/**
-	 * true when the decrypted message resulted in an epoch change i.e. it was a commit
+	 * "Apply" to join a group through its GroupInfo.
+	 *
+	 * Sends the corresponding commit via {@link MlsTransport.sendCommitBundle}
+	 * and creates the group if the call is successful.
+	 *
+	 * @param groupInfo - a TLS encoded GroupInfo fetched from the Delivery Service
+	 * @param credentialType - kind of Credential to use for joining this group. If {@link CredentialType.Basic} is
+	 * chosen and no Credential has been created yet for it, a new one will be generated.
+	 * @param configuration - configuration of the MLS group
+	 * When {@link CredentialType.X509} is chosen, it fails when no Credential has been created for the given {@link Ciphersuite}.
+	 *
+	 * @return see {@link WelcomeBundle}
 	 */
-	hasEpochChanged: boolean;
+	joinByExternalCommit(groupInfo: Uint8Array, credentialType: CredentialType$1, configuration?: Partial<CustomConfiguration>): Promise<WelcomeBundle>;
 	/**
-	 * Identity claims present in the sender credential
-	 * Only present when the credential is a x509 certificate
-	 * Present for all messages
+	 * Derives a new key from the group
+	 *
+	 * @param conversationId - The group's ID
+	 * @param keyLength - the length of the key to be derived. If the value is higher than the
+	 * bounds of `u16` or the context hash * 255, an error will be returned
+	 *
+	 * @returns A `Uint8Array` representing the derived key
 	 */
-	identity?: WireIdentity$1;
+	exportSecretKey(conversationId: ConversationId, keyLength: number): Promise<Uint8Array>;
 	/**
-	 * Only set when the decrypted message is a commit.
-	 * Contains buffered messages for next epoch which were received before the commit creating the epoch
-	 * because the DS did not fan them out in order.
+	 * Returns the raw public key of the single external sender present in this group.
+	 * This should be used to initialize a subconversation
+	 *
+	 * @param conversationId - The group's ID
+	 *
+	 * @returns A `Uint8Array` representing the external sender raw public key
 	 */
-	bufferedMessages?: BufferedDecryptedMessage[];
+	getExternalSender(conversationId: ConversationId): Promise<Uint8Array>;
 	/**
-	 * New CRL distribution points that appeared by the introduction of a new credential
+	 * Returns all clients from group's members
+	 *
+	 * @param conversationId - The group's ID
+	 *
+	 * @returns A list of clients from the members of the group
 	 */
-	crlNewDistributionPoints?: string[];
-}
-/**
- * Almost same as {@link DecryptedMessage} but avoids recursion
- */
-export interface BufferedDecryptedMessage {
+	getClientIds(conversationId: ConversationId): Promise<ClientId[]>;
 	/**
-	 * see {@link DecryptedMessage.message}
+	 * Allows {@link CoreCryptoContext} to act as a CSPRNG provider
+	 *
+	 * The underlying CSPRNG algorithm is ChaCha20 and takes in account the external seed provider.
+	 *
+	 * @param length - The number of bytes to be returned in the `Uint8Array`
+	 *
+	 * @returns A `Uint8Array` buffer that contains `length` cryptographically-secure random bytes
 	 */
-	message?: Uint8Array;
+	randomBytes(length: number): Promise<Uint8Array>;
 	/**
-	 * see {@link DecryptedMessage.proposals}
+	 * Initializes the proteus client
 	 */
-	proposals: ProposalBundle[];
+	proteusInit(): Promise<void>;
 	/**
-	 * see {@link DecryptedMessage.isActive}
+	 * Create a Proteus session using a prekey
+	 *
+	 * @param sessionId - ID of the Proteus session
+	 * @param prekey - CBOR-encoded Proteus prekey of the other client
 	 */
-	isActive: boolean;
+	proteusSessionFromPrekey(sessionId: string, prekey: Uint8Array): Promise<void>;
 	/**
-	 * see {@link DecryptedMessage.commitDelay}
+	 * Create a Proteus session from a handshake message
+	 *
+	 * @param sessionId - ID of the Proteus session
+	 * @param envelope - CBOR-encoded Proteus message
+	 *
+	 * @returns A `Uint8Array` containing the message that was sent along with the session handshake
 	 */
-	commitDelay?: number;
+	proteusSessionFromMessage(sessionId: string, envelope: Uint8Array): Promise<Uint8Array>;
 	/**
-	 * see {@link DecryptedMessage.senderClientId}
+	 * Locally persists a session to the keystore
+	 *
+	 * **Note**: This isn't usually needed as persisting sessions happens automatically when decrypting/encrypting messages and initializing Sessions
+	 *
+	 * @param sessionId - ID of the Proteus session
 	 */
-	senderClientId?: ClientId;
+	proteusSessionSave(sessionId: string): Promise<void>;
 	/**
-	 * see {@link DecryptedMessage.hasEpochChanged}
+	 * Deletes a session
+	 * Note: this also deletes the persisted data within the keystore
+	 *
+	 * @param sessionId - ID of the Proteus session
 	 */
-	hasEpochChanged: boolean;
+	proteusSessionDelete(sessionId: string): Promise<void>;
 	/**
-	 * see {@link DecryptedMessage.identity}
+	 * Checks if a session exists
+	 *
+	 * @param sessionId - ID of the Proteus session
+	 *
+	 * @returns whether the session exists or not
 	 */
-	identity?: WireIdentity$1;
+	proteusSessionExists(sessionId: string): Promise<boolean>;
 	/**
-	 * see {@link DecryptedMessage.crlNewDistributionPoints}
+	 * Decrypt an incoming message for an existing Proteus session
+	 *
+	 * @param sessionId - ID of the Proteus session
+	 * @param ciphertext - CBOR encoded, encrypted proteus message
+	 * @returns The decrypted payload contained within the message
 	 */
-	crlNewDistributionPoints?: string[];
-}
-/**
- * Represents the identity claims identifying a client
- * Those claims are verifiable by any member in the group
- */
-interface WireIdentity$1 {
+	proteusDecrypt(sessionId: string, ciphertext: Uint8Array): Promise<Uint8Array>;
 	/**
-	 * Unique client identifier
+	 * Encrypt a message for a given Proteus session
+	 *
+	 * @param sessionId - ID of the Proteus session
+	 * @param plaintext - payload to encrypt
+	 * @returns The CBOR-serialized encrypted message
 	 */
-	clientId: string;
+	proteusEncrypt(sessionId: string, plaintext: Uint8Array): Promise<Uint8Array>;
 	/**
-	 * Status of the Credential at the moment T when this object is created
+	 * Batch encryption for proteus messages
+	 * This is used to minimize FFI roundtrips when used in the context of a multi-client session (i.e. conversation)
+	 *
+	 * @param sessions - List of Proteus session IDs to encrypt the message for
+	 * @param plaintext - payload to encrypt
+	 * @returns A map indexed by each session ID and the corresponding CBOR-serialized encrypted message for this session
 	 */
-	status: DeviceStatus;
+	proteusEncryptBatched(sessions: string[], plaintext: Uint8Array): Promise<Map<string, Uint8Array>>;
 	/**
-	 * MLS thumbprint
+	 * Creates a new prekey with the requested ID.
+	 *
+	 * @param prekeyId - ID of the PreKey to generate. This cannot be bigger than a u16
+	 * @returns: A CBOR-serialized version of the PreKeyBundle corresponding to the newly generated and stored PreKey
 	 */
-	thumbprint: string;
+	proteusNewPrekey(prekeyId: number): Promise<Uint8Array>;
 	/**
-	 * Indicates whether the credential is Basic or X509
+	 * Creates a new prekey with an automatically generated ID..
+	 *
+	 * @returns A CBOR-serialized version of the PreKeyBundle corresponding to the newly generated and stored PreKey accompanied by its ID
 	 */
-	credentialType: CredentialType$1;
+	proteusNewPrekeyAuto(): Promise<ProteusAutoPrekeyBundle>;
 	/**
-	 * In case {@link credentialType} is {@link CredentialType.X509} this is populated
+	 * Proteus last resort prekey stuff
+	 *
+	 * @returns A CBOR-serialize version of the PreKeyBundle associated with the last resort PreKey (holding the last resort prekey id)
 	 */
-	x509Identity?: X509Identity$1;
-}
-/**
- * Represents the parts of {@link WireIdentity} that are specific to a X509 certificate (and not a Basic one).
- */
-interface X509Identity$1 {
+	proteusLastResortPrekey(): Promise<Uint8Array>;
 	/**
-	 * User handle e.g. `john_wire`
+	 * @returns The last resort PreKey id
 	 */
-	handle: string;
+	static proteusLastResortPrekeyId(): number;
 	/**
-	 * Name as displayed in the messaging application e.g. `John Fitzgerald Kennedy`
+	 * Proteus public key fingerprint
+	 * It's basically the public key encoded as an hex string
+	 *
+	 * @returns Hex-encoded public key string
 	 */
-	displayName: string;
+	proteusFingerprint(): Promise<string>;
 	/**
-	 * DNS domain for which this identity proof was generated e.g. `whitehouse.gov`
+	 * Proteus session local fingerprint
+	 *
+	 * @param sessionId - ID of the Proteus session
+	 * @returns Hex-encoded public key string
 	 */
-	domain: string;
+	proteusFingerprintLocal(sessionId: string): Promise<string>;
 	/**
-	 * X509 certificate identifying this client in the MLS group ; PEM encoded
+	 * Proteus session remote fingerprint
+	 *
+	 * @param sessionId - ID of the Proteus session
+	 * @returns Hex-encoded public key string
 	 */
-	certificate: string;
+	proteusFingerprintRemote(sessionId: string): Promise<string>;
 	/**
-	 * X509 certificate serial number
-	 */
-	serialNumber: string;
+	 * Hex-encoded fingerprint of the given prekey
+	 *
+	 * @param prekey - the prekey bundle to get the fingerprint from
+	 * @returns Hex-encoded public key string
+	 **/
+	static proteusFingerprintPrekeybundle(prekey: Uint8Array): string;
 	/**
-	 * X509 certificate not before as Unix timestamp
+	 * Imports all the data stored by Cryptobox into the CoreCrypto keystore
+	 *
+	 * @param storeName - The name of the IndexedDB store where the data is stored
 	 */
-	notBefore: bigint;
+	proteusCryptoboxMigrate(storeName: string): Promise<void>;
 	/**
-	 * X509 certificate not after as Unix timestamp
+	 * Creates an enrollment instance with private key material you can use in order to fetch
+	 * a new x509 certificate from the acme server.
+	 *
+	 * @param clientId - client identifier e.g. `b7ac11a4-8f01-4527-af88-1c30885a7931:6add501bacd1d90e@example.com`
+	 * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
+	 * @param handle - user handle e.g. `alice.smith.qa@example.com`
+	 * @param expirySec - generated x509 certificate expiry
+	 * @param ciphersuite - for generating signing key material
+	 * @param team - name of the Wire team a user belongs to
+	 * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCryptoContext.e2eiMlsInitOnly}
 	 */
-	notAfter: bigint;
-}
-export declare function normalizeEnum<T>(enumType: T, value: number): T[keyof T];
-export declare const mapWireIdentity: (ffiIdentity?: WireIdentity) => WireIdentity$1 | undefined;
-export interface AcmeDirectory {
+	e2eiNewEnrollment(clientId: string, displayName: string, handle: string, expirySec: number, ciphersuite: Ciphersuite$1, team?: string): Promise<E2eiEnrollment>;
 	/**
-	 * URL for fetching a new nonce. Use this only for creating a new account.
+	 * Generates an E2EI enrollment instance for a "regular" client (with a Basic credential) willing to migrate to E2EI.
+	 * Once the enrollment is finished, use {@link CoreCryptoContext.e2eiRotate} to do key rotation.
+	 *
+	 * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
+	 * @param handle - user handle e.g. `alice.smith.qa@example.com`
+	 * @param expirySec - generated x509 certificate expiry
+	 * @param ciphersuite - for generating signing key material
+	 * @param team - name of the Wire team a user belongs to
+	 * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCryptoContext.e2eiRotate}
 	 */
-	newNonce: string;
+	e2eiNewActivationEnrollment(displayName: string, handle: string, expirySec: number, ciphersuite: Ciphersuite$1, team?: string): Promise<E2eiEnrollment>;
 	/**
-	 * URL for creating a new account.
+	 * Generates an E2EI enrollment instance for a E2EI client (with a X509 certificate credential)
+	 * having to change/rotate their credential, either because the former one is expired or it
+	 * has been revoked. It lets you change the DisplayName or the handle
+	 * if you need to. Once the enrollment is finished, use {@link CoreCryptoContext.e2eiRotate}
+	 * to do key rotation.
+	 *
+	 * @param expirySec - generated x509 certificate expiry
+	 * @param ciphersuite - for generating signing key material
+	 * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
+	 * @param handle - user handle e.g. `alice.smith.qa@example.com`
+	 * @param team - name of the Wire team a user belongs to
+	 * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCryptoContext.e2eiRotate}
 	 */
-	newAccount: string;
+	e2eiNewRotateEnrollment(expirySec: number, ciphersuite: Ciphersuite$1, displayName?: string, handle?: string, team?: string): Promise<E2eiEnrollment>;
 	/**
-	 * URL for creating a new order.
+	 * Use this method to initialize end-to-end identity when a client signs up and the grace period is already expired ;
+	 * that means he cannot initialize with a Basic credential
+	 *
+	 * @param enrollment - the enrollment instance used to fetch the certificates
+	 * @param certificateChain - the raw response from ACME server
+	 * @param nbKeyPackage - number of initial KeyPackage to create when initializing the client
+	 * @returns a MlsClient initialized with only a x509 credential
 	 */
-	newOrder: string;
+	e2eiMlsInitOnly(enrollment: E2eiEnrollment, certificateChain: string, nbKeyPackage?: number): Promise<NewCrlDistributionPoints>;
 	/**
-	 * Revocation URL
+	 * Dumps the PKI environment as PEM
+	 *
+	 * @returns a struct with different fields representing the PKI environment as PEM strings
 	 */
-	revokeCert: string;
-}
-/**
- * Indicates the standalone status of a device Credential in a MLS group at a moment T.
- * This does not represent the states where a device is not using MLS or is not using end-to-end identity
- */
-export declare enum DeviceStatus {
+	e2eiDumpPKIEnv(): Promise<E2eiDumpedPkiEnv | undefined>;
 	/**
-	 * All is fine
+	 * @returns whether the E2EI PKI environment is setup (i.e. Root CA, Intermediates, CRLs)
 	 */
-	Valid = 1,
+	e2eiIsPKIEnvSetup(): Promise<boolean>;
 	/**
-	 * The Credential's certificate is expired
+	 * Registers a Root Trust Anchor CA for the use in E2EI processing.
+	 *
+	 * Please note that without a Root Trust Anchor, all validations *will* fail;
+	 * So this is the first step to perform after initializing your E2EI client
+	 *
+	 * @param trustAnchorPEM - PEM certificate to anchor as a Trust Root
 	 */
-	Expired = 2,
+	e2eiRegisterAcmeCA(trustAnchorPEM: string): Promise<void>;
 	/**
-	 * The Credential's certificate is revoked
+	 * Registers an Intermediate CA for the use in E2EI processing.
+	 *
+	 * Please note that a Root Trust Anchor CA is needed to validate Intermediate CAs;
+	 * You **need** to have a Root CA registered before calling this
+	 *
+	 * @param certPEM - PEM certificate to register as an Intermediate CA
 	 */
-	Revoked = 3
-}
-/**
- * Returned by all methods creating proposals. Contains a proposal message and an identifier to roll back the proposal
- */
-export interface ProposalBundle {
+	e2eiRegisterIntermediateCA(certPEM: string): Promise<NewCrlDistributionPoints>;
 	/**
-	 * TLS-serialized MLS proposal that needs to be fanned out to other (existing) members of the conversation
+	 * Registers a CRL for the use in E2EI processing.
 	 *
-	 * @readonly
+	 * Please note that a Root Trust Anchor CA is needed to validate CRLs;
+	 * You **need** to have a Root CA registered before calling this
+	 *
+	 * @param crlDP - CRL Distribution Point; Basically the URL you fetched it from
+	 * @param crlDER - DER representation of the CRL
+	 *
+	 * @returns a {@link CRLRegistration} with the dirty state of the new CRL (see struct) and its expiration timestamp
 	 */
-	proposal: Uint8Array;
+	e2eiRegisterCRL(crlDP: string, crlDER: Uint8Array): Promise<CRLRegistration>;
 	/**
-	 * Unique identifier of a proposal. Use this in {@link CoreCrypto.clearPendingProposal} to roll back (delete) the proposal
+	 * Creates an update commit which replaces your leaf containing basic credentials with a leaf node containing x509 credentials in the conversation.
 	 *
-	 * @readonly
+	 * NOTE: you can only call this after you've completed the enrollment for an end-to-end identity, and saved the
+	 * resulting credential with {@link CoreCryptoContext.saveX509Credential}.
+	 * Calling this without a valid end-to-end identity will result in an error.
+	 *
+	 * Sends the corresponding commit via {@link MlsTransport.sendCommitBundle} and merges it if the call is successful.
+	 *
+	 * @param conversationId - The ID of the conversation
 	 */
-	proposalRef: ProposalRef;
+	e2eiRotate(conversationId: ConversationId): Promise<void>;
 	/**
-	 *  New CRL Distribution of members of this group
+	 * Saves a new X509 credential. Requires first
+	 * having enrolled a new X509 certificate with either {@link CoreCryptoContext.e2eiNewActivationEnrollment}
+	 * or {@link CoreCryptoContext.e2eiNewRotateEnrollment}
 	 *
-	 * @readonly
+	 * # Expected actions to perform after this function (in this order)
+	 * 1. Rotate credentials for each conversation using {@link CoreCryptoContext.e2eiRotate}
+	 * 2. Generate new key packages with {@link CoreCryptoContext.clientKeypackages}
+	 * 3. Use these to replace the stale ones the in the backend
+	 * 4. Delete the stale ones locally using {@link CoreCryptoContext.deleteStaleKeyPackages}
+	 *      * This is the last step because you might still need the old key packages to avoid
+	 *        an orphan welcome message
+	 *
+	 * @param enrollment - the enrollment instance used to fetch the certificates
+	 * @param certificateChain - the raw response from ACME server
+	 * @returns Potentially a list of new crl distribution points discovered in the certificate chain
 	 */
-	crlNewDistributionPoints?: string[];
-}
-export interface WelcomeBundle {
+	saveX509Credential(enrollment: E2eiEnrollment, certificateChain: string): Promise<NewCrlDistributionPoints>;
 	/**
-	 * Conversation ID
-	 *
-	 * @readonly
+	 * Deletes all key packages whose credential does not match the most recently
+	 * saved x509 credential and the provided signature scheme.
+	 * @param cipherSuite
 	 */
-	id: Uint8Array;
+	deleteStaleKeyPackages(cipherSuite: Ciphersuite$1): Promise<void>;
 	/**
-	 *  New CRL Distribution of members of this group
+	 * Allows persisting an active enrollment (for example while redirecting the user during OAuth) in order to resume
+	 * it later with {@link e2eiEnrollmentStashPop}
 	 *
-	 * @readonly
+	 * @param enrollment the enrollment instance to persist
+	 * @returns a handle to fetch the enrollment later with {@link e2eiEnrollmentStashPop}
 	 */
-	crlNewDistributionPoints?: string[];
-}
-/**
- * MLS Proposal type
- */
-export declare enum ProposalType {
+	e2eiEnrollmentStash(enrollment: E2eiEnrollment): Promise<Uint8Array>;
 	/**
-	 * This allows to propose the addition of other clients to the MLS group/conversation
+	 * Fetches the persisted enrollment and deletes it from the keystore
+	 *
+	 * @param handle returned by {@link e2eiEnrollmentStash}
+	 * @returns the persisted enrollment instance
 	 */
-	Add = 0,
+	e2eiEnrollmentStashPop(handle: Uint8Array): Promise<E2eiEnrollment>;
 	/**
-	 * This allows to propose the removal of clients from the MLS group/conversation
+	 * Indicates when to mark a conversation as not verified i.e. when not all its members have a X509.
+	 * Credential generated by Wire's end-to-end identity enrollment
+	 *
+	 * @param conversationId The group's ID
+	 * @returns the conversation state given current members
 	 */
-	Remove = 1,
+	e2eiConversationState(conversationId: ConversationId): Promise<E2eiConversationState>;
 	/**
-	 * This allows to propose to update the client keying material (i.e. keypackage rotation) and the group root key
+	 * Returns true when end-to-end-identity is enabled for the given Ciphersuite
+	 *
+	 * @param ciphersuite of the credential to check
+	 * @returns true if end-to-end identity is enabled for the given ciphersuite
 	 */
-	Update = 2
-}
-/**
- * Common arguments for proposals
- */
-export interface ProposalArgs {
+	e2eiIsEnabled(ciphersuite: Ciphersuite$1): Promise<boolean>;
 	/**
-	 * Conversation ID that is targeted by the proposal
+	 * From a given conversation, get the identity of the members supplied. Identity is only present for members with a
+	 * Certificate Credential (after turning on end-to-end identity).
+	 *
+	 * @param conversationId - identifier of the conversation
+	 * @param deviceIds - identifiers of the devices
+	 * @returns identities or if no member has a x509 certificate, it will return an empty List
 	 */
-	conversationId: ConversationId;
-}
-/**
- * Arguments for a proposal of type `Add`
- */
-export interface AddProposalArgs extends ProposalArgs {
+	getDeviceIdentities(conversationId: ConversationId, deviceIds: ClientId[]): Promise<WireIdentity[]>;
 	/**
-	 * TLS-serialized MLS KeyPackage to be added
-	 */
-	kp: Uint8Array;
-}
-/**
- * Arguments for a proposal of type `Remove`
- */
-export interface RemoveProposalArgs extends ProposalArgs {
+	 * From a given conversation, get the identity of the users (device holders) supplied.
+	 * Identity is only present for devices with a Certificate Credential (after turning on end-to-end identity).
+	 * If no member has a x509 certificate, it will return an empty Vec.
+	 *
+	 * @param conversationId - identifier of the conversation
+	 * @param userIds - user identifiers hyphenated UUIDv4 e.g. 'bd4c7053-1c5a-4020-9559-cd7bf7961954'
+	 * @returns a Map with all the identities for a given users. Consumers are then recommended to reduce those identities to determine the actual status of a user.
+	 */
+	getUserIdentities(conversationId: ConversationId, userIds: string[]): Promise<Map<string, WireIdentity[]>>;
 	/**
-	 * Client ID to be removed from the conversation
+	 * Gets the e2ei conversation state from a `GroupInfo`. Useful to check if the group has e2ei
+	 * turned on or not before joining it.
+	 *
+	 * @param groupInfo - a TLS encoded GroupInfo fetched from the Delivery Service
+	 * @param credentialType - kind of Credential to check usage of. Defaults to X509 for now as no other value will give any result.
+	 * @returns see {@link E2eiConversationState}
 	 */
-	clientId: ClientId;
+	getCredentialInUse(groupInfo: Uint8Array, credentialType?: CredentialType$1): Promise<E2eiConversationState>;
 }
 /**
- * MLS External Proposal type
+ * Params for CoreCrypto deferred initialization
+ * Please note that the `entropySeed` parameter MUST be exactly 32 bytes
  */
-export declare enum ExternalProposalType {
-	/**
-	 * This allows to propose the addition of other clients to the MLS group/conversation
-	 */
-	Add = 0
-}
-export interface ExternalProposalArgs {
+export interface CoreCryptoDeferredParams {
 	/**
-	 * Conversation ID that is targeted by the external proposal
+	 * Name of the IndexedDB database
 	 */
-	conversationId: ConversationId;
+	databaseName: string;
 	/**
-	 * MLS Group epoch for the external proposal.
-	 * This needs to be the current epoch of the group or this proposal **will** be rejected
+	 * Encryption master key
+	 * This should be appropriately stored in a secure location (i.e. WebCrypto private key storage)
 	 */
-	epoch: number;
-}
-export interface ExternalAddProposalArgs extends ExternalProposalArgs {
+	key: string;
 	/**
-	 * {@link Ciphersuite} to propose to join the MLS group with.
+	 * External PRNG entropy pool seed.
+	 * This **must** be exactly 32 bytes
 	 */
-	ciphersuite: Ciphersuite$1;
+	entropySeed?: Uint8Array;
 	/**
-	 * Fails when it is {@link CredentialType.X509} and no Credential has been created
-	 * for it beforehand with {@link CoreCrypto.e2eiMlsInit} or variants.
+	 * .wasm file path, this will be useful in case your bundling system likes to relocate files (i.e. what webpack does)
 	 */
-	credentialType: CredentialType$1;
+	wasmFilePath?: string;
 }
-export interface CoreCryptoCallbacks {
+/**
+ * Params for CoreCrypto initialization
+ * Please note that the `entropySeed` parameter MUST be exactly 32 bytes
+ */
+export interface CoreCryptoParams extends CoreCryptoDeferredParams {
 	/**
-	 * This callback is called by CoreCrypto to know whether a given clientId is authorized to "write"
-	 * in the given conversationId. Think of it as a "isAdmin" callback conceptually
-	 *
-	 * This callback exists because there are many business cases where CoreCrypto doesn't have enough knowledge
-	 * (such as what can exist on a backend) to inform the decision
-	 *
-	 * @param conversationId - id of the group/conversation
-	 * @param clientId - id of the client performing an operation requiring authorization
-	 * @returns whether the user is authorized by the logic layer to perform the operation
+	 * MLS Client ID.
+	 * This should stay consistent as it will be verified against the stored signature & identity to validate the persisted credential
 	 */
-	authorize: (conversationId: Uint8Array, clientId: Uint8Array) => Promise<boolean>;
+	clientId: ClientId;
 	/**
-	 * A mix between {@link authorize} and {@link clientIsExistingGroupUser}. We currently use this callback to verify
-	 * external commits to join a group ; in such case, the client has to:
-	 * * first, belong to a user which is already in the MLS group (similar to {@link clientIsExistingGroupUser})
-	 * * then, this user should be authorized to "write" in the given conversation (similar to {@link authorize})
-	 *
-	 * @param conversationId - id of the group/conversation
-	 * @param externalClientId - id of the client performing an operation requiring authorization
-	 * @param existingClients - all the clients currently within the MLS group
-	 * @returns true if the external client is authorized to write to the conversation
+	 * All the ciphersuites this MLS client can support
 	 */
-	userAuthorize: (conversationId: Uint8Array, externalClientId: Uint8Array, existingClients: Uint8Array[]) => Promise<boolean>;
+	ciphersuites: Ciphersuite$1[];
 	/**
-	 * Callback to ensure that the given `clientId` belongs to one of the provided `existingClients`
-	 * This basically allows to defer the client ID parsing logic to the caller - because CoreCrypto is oblivious to such things
-	 *
-	 * @param conversationId - id of the group/conversation
-	 * @param clientId - id of a client
-	 * @param existingClients - all the clients currently within the MLS group
+	 * Number of initial KeyPackage to create when initializing the client
 	 */
-	clientIsExistingGroupUser: (conversationId: Uint8Array, clientId: Uint8Array, existingClients: Uint8Array[], parent_conversation_clients?: Uint8Array[]) => Promise<boolean>;
+	nbKeyPackage?: number;
 }
+/**
+ * Initializes the global logger for Core Crypto and registers the callback.
+ *
+ * **NOTE:** you must call this after `await CoreCrypto.init(params)` or `await CoreCrypto.deferredInit(params)`.
+ *
+ * @param logger - the interface to be called when something is going to be logged
+ **/
+export declare function setLogger(logger: CoreCryptoLogger, ctx?: unknown): void;
 /**
  * An interface to register a logger in CoreCrypto
  **/
@@ -2300,30 +2105,23 @@ export declare enum CoreCryptoLogLevel {
 	Error = 6
 }
 /**
- * Initializes the global logger for Core Crypto and registers the callback.
- *
- * **NOTE:** you must call this after `await CoreCrypto.init(params)` or `await CoreCrypto.deferredInit(params)`.
- *
- * @deprecated use {@link CoreCrypto.setLogger} instead.
+ * Sets maximum log level for logs forwarded to the logger, defaults to `Warn`.
  *
- * @param logger - the interface to be called when something is going to be logged
  * @param level - the max level that should be logged
- **/
-export declare function initLogger(logger: CoreCryptoLogger, level: CoreCryptoLogLevel, ctx?: unknown): void;
+ */
+export declare function setMaxLogLevel(level: CoreCryptoLogLevel): void;
 /**
- * Initializes the global logger for Core Crypto and registers the callback.
- *
- * **NOTE:** you must call this after `await CoreCrypto.init(params)` or `await CoreCrypto.deferredInit(params)`.
+ * Returns build metadata for the {@link CoreCrypto} libary.
  *
- * @param logger - the interface to be called when something is going to be logged
- **/
-export declare function setLogger(logger: CoreCryptoLogger, ctx?: unknown): void;
+ * @returns varous build metadata for `core-crypto`.
+ */
+export declare function buildMetadata(): BuildMetadata;
 /**
- * Sets maximum log level for logs forwarded to the logger, defaults to `Warn`.
+ * Returns the current version of {@link CoreCrypto}
  *
- * @param level - the max level that should be logged
+ * @returns the CoreCrypto version as a string (e.g. "3.1.2")
  */
-export declare function setMaxLogLevel(level: CoreCryptoLogLevel): void;
+export declare function version(): string;
 /**
  * Wrapper for the WASM-compiled version of CoreCrypto
  */
@@ -2368,12 +2166,13 @@ export declare class CoreCrypto {
 	 * });
 	 * ````
 	 */
-	static init({ databaseName, key, clientId, wasmFilePath, ciphersuites, entropySeed, nbKeyPackage, }: CoreCryptoParams): Promise<CoreCrypto>;
+	static init({ databaseName, key, clientId, wasmFilePath, // eslint-disable-line @typescript-eslint/no-unused-vars
+	ciphersuites, entropySeed, nbKeyPackage, }: CoreCryptoParams): Promise<CoreCrypto>;
 	/**
 	 * Almost identical to {@link CoreCrypto.init} but allows a 2 phase initialization of MLS.
 	 * First, calling this will set up the keystore and will allow generating proteus prekeys.
 	 * Then, those keys can be traded for a clientId.
-	 * Use this clientId to initialize MLS with {@link CoreCrypto.mlsInit}.
+	 * Use this clientId to initialize MLS with {@link CoreCryptoContext.mlsInit}.
 	 * @param params - {@link CoreCryptoDeferredParams}
 	 */
 	static deferredInit({ databaseName, key, entropySeed, wasmFilePath, }: CoreCryptoDeferredParams): Promise<CoreCrypto>;
@@ -2386,42 +2185,15 @@ export declare class CoreCrypto {
 	 * @returns the result of the callback will be returned from this call
 	 */
 	transaction<R>(callback: (ctx: CoreCryptoContext$1) => Promise<R>): Promise<R>;
-	/**
-	 * See {@link CoreCryptoContext.mlsInit}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.mlsInit} instead.
-	 */
-	mlsInit(clientId: ClientId, ciphersuites: Ciphersuite$1[], nbKeyPackage?: number): Promise<void>;
-	/**
-	 * See {@link CoreCryptoContext.mlsGenerateKeypair}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.mlsGenerateKeypair} instead.
-	 */
-	mlsGenerateKeypair(ciphersuites: Ciphersuite$1[]): Promise<Uint8Array[]>;
-	/**
-	 * See {@link CoreCryptoContext.mlsInitWithClientId}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.mlsInitWithClientId} instead.
-	 */
-	mlsInitWithClientId(clientId: ClientId, signaturePublicKeys: Uint8Array[], ciphersuites: Ciphersuite$1[]): Promise<void>;
 	/** @hidden */
 	private constructor();
 	/**
-	 * If this returns `true` you **cannot** call {@link CoreCrypto.wipe} or {@link CoreCrypto.close} as they will produce an error because of the
+	 * If this returns `true` you **cannot** call {@link CoreCrypto.close} as it will produce an error because of the
 	 * outstanding references that were detected.
 	 *
-	 * @returns the count of strong refs for this CoreCrypto instance
+	 * @returns whether the CoreCrypto instance is locked
 	 */
 	isLocked(): boolean;
-	/**
-	 * Wipes the {@link CoreCrypto} backing storage (i.e. {@link https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API | IndexedDB} database)
-	 *
-	 * **CAUTION**: This {@link CoreCrypto} instance won't be useable after a call to this method, but there's no way to express this requirement in TypeScript so you'll get errors instead!
-	 */
-	wipe(): Promise<void>;
 	/**
 	 * Closes this {@link CoreCrypto} instance and deallocates all loaded resources
 	 *
@@ -2429,22 +2201,16 @@ export declare class CoreCrypto {
 	 */
 	close(): Promise<void>;
 	/**
-	 * Registers the callbacks for CoreCrypto to use in order to gain additional information
+	 * Registers the transport callbacks for core crypto to give it access to backend endpoints for sending
+	 * a commit bundle or a message, respectively.
 	 *
-	 * @param callbacks - Any interface following the {@link CoreCryptoCallbacks} interface
+	 * @param transportProvider - Any implementor of the {@link MlsTransport} interface
 	 */
-	registerCallbacks(callbacks: CoreCryptoCallbacks, ctx?: unknown): Promise<void>;
+	provideTransport(transportProvider: MlsTransport, ctx?: unknown): Promise<void>;
 	/**
 	 * See {@link CoreCryptoContext.conversationExists}.
 	 */
 	conversationExists(conversationId: ConversationId): Promise<boolean>;
-	/**
-	 * See {@link CoreCryptoContext.markConversationAsChildOf}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.markConversationAsChildOf} instead.
-	 */
-	markConversationAsChildOf(childId: ConversationId, parentId: ConversationId): Promise<void>;
 	/**
 	 * See {@link CoreCryptoContext.conversationEpoch}.
 	 *
@@ -2464,41 +2230,6 @@ export declare class CoreCrypto {
 	 * @returns the ciphersuite of the conversation
 	 */
 	conversationCiphersuite(conversationId: ConversationId): Promise<Ciphersuite$1>;
-	/**
-	 * See {@link CoreCryptoContext.wipeConversation}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.wipeConversation} instead.
-	 */
-	wipeConversation(conversationId: ConversationId): Promise<void>;
-	/**
-	 * See {@link CoreCryptoContext.createConversation}.
-	 *
-	 * @deprecated Create a transaction with {@link transaction}
-	 * and use {@link CoreCryptoContext.createConversation} instead.
-	 */
-	createConversation(conversationId: ConversationId, creatorCredentialType: CredentialType$1, configuration?: ConversationConfiguration$1): Promise<any>;
-	/**
-	 * See {@link CoreCryptoContext.decryptMessage}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.decryptMessage} instead.
-	 */
-	decryptMessage(conversationId: ConversationId, payload: Uint8Array): Promise<DecryptedMessage>;
-	/**
-	 * See {@link CoreCryptoContext.encryptMessage}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.encryptMessage} instead.
-	 */
-	encryptMessage(conversationId: ConversationId, message: Uint8Array): Promise<Uint8Array>;
-	/**
-	 * See {@link CoreCryptoContext.processWelcomeMessage}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.processWelcomeMessage} instead.
-	 */
-	processWelcomeMessage(welcomeMessage: Uint8Array, configuration?: CustomConfiguration$1): Promise<WelcomeBundle>;
 	/**
 	 * See {@link CoreCryptoContext.clientPublicKey}.
 	 *
@@ -2507,129 +2238,6 @@ export declare class CoreCrypto {
 	 * @returns the client's public signature key
 	 */
 	clientPublicKey(ciphersuite: Ciphersuite$1, credentialType: CredentialType$1): Promise<Uint8Array>;
-	/**
-	 * See {@link CoreCryptoContext.clientValidKeypackagesCount}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.clientValidKeypackagesCount} instead.
-	 */
-	clientValidKeypackagesCount(ciphersuite: Ciphersuite$1, credentialType: CredentialType$1): Promise<number>;
-	/**
-	 * See {@link CoreCryptoContext.clientKeypackages}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.clientKeypackages} instead.
-	 */
-	clientKeypackages(ciphersuite: Ciphersuite$1, credentialType: CredentialType$1, amountRequested: number): Promise<Array<Uint8Array>>;
-	/**
-	 * See {@link CoreCryptoContext.deleteKeypackages}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.deleteKeypackages} instead.
-	 */
-	deleteKeypackages(refs: Uint8Array[]): Promise<void>;
-	/**
-	 * See {@link CoreCryptoContext.addClientsToConversation}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.addClientsToConversation} instead.
-	 */
-	addClientsToConversation(conversationId: ConversationId, keyPackages: Uint8Array[]): Promise<MemberAddedMessages>;
-	/**
-	 * See {@link CoreCryptoContext.removeClientsFromConversation}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.removeClientsFromConversation} instead.
-	 */
-	removeClientsFromConversation(conversationId: ConversationId, clientIds: ClientId[]): Promise<CommitBundle>;
-	/**
-	 * See {@link CoreCryptoContext.updateKeyingMaterial}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.updateKeyingMaterial} instead.
-	 */
-	updateKeyingMaterial(conversationId: ConversationId): Promise<CommitBundle>;
-	/**
-	 * Creates an update commit which replaces your leaf containing basic credentials with a leaf node containing x509 credentials in the conversation.
-	 *
-	 * NOTE: you can only call this after you've completed the enrollment for an end-to-end identity, calling this without
-	 * a valid end-to-end identity will result in an error.
-	 *
-	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterward **ONLY IF** the Delivery Service responds
-	 * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
-	 * epoch, use new encryption secrets etc...
-	 *
-	 * @param conversationId - The ID of the conversation
-	 *
-	 * @returns A {@link CommitBundle}
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.e2eiRotate} instead.
-	 */
-	e2eiRotate(conversationId: ConversationId): Promise<CommitBundle>;
-	/**
-	 * See {@link CoreCryptoContext.commitPendingProposals}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.commitPendingProposals} instead.
-	 */
-	commitPendingProposals(conversationId: ConversationId): Promise<CommitBundle | undefined>;
-	/**
-	 * See {@link CoreCryptoContext.newProposal}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.newProposal} instead.
-	 */
-	newProposal(proposalType: ProposalType, args: ProposalArgs | AddProposalArgs | RemoveProposalArgs): Promise<ProposalBundle>;
-	/**
-	 * See {@link CoreCryptoContext.newExternalProposal}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.newExternalProposal} instead.
-	 */
-	newExternalProposal(externalProposalType: ExternalProposalType, args: ExternalAddProposalArgs): Promise<Uint8Array>;
-	/**
-	 * See {@link CoreCryptoContext.joinByExternalCommit}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.joinByExternalCommit} instead.
-	 */
-	joinByExternalCommit(groupInfo: Uint8Array, credentialType: CredentialType$1, configuration?: CustomConfiguration$1): Promise<ConversationInitBundle>;
-	/**
-	 * See {@link CoreCryptoContext.mergePendingGroupFromExternalCommit}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.mergePendingGroupFromExternalCommit} instead.
-	 */
-	mergePendingGroupFromExternalCommit(conversationId: ConversationId): Promise<BufferedDecryptedMessage[] | undefined>;
-	/**
-	 * See {@link CoreCryptoContext.clearPendingGroupFromExternalCommit}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.clearPendingGroupFromExternalCommit} instead.
-	 */
-	clearPendingGroupFromExternalCommit(conversationId: ConversationId): Promise<void>;
-	/**
-	 * See {@link CoreCryptoContext.commitAccepted}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.commitAccepted} instead.
-	 */
-	commitAccepted(conversationId: ConversationId): Promise<BufferedDecryptedMessage[] | undefined>;
-	/**
-	 * See {@link CoreCryptoContext.clearPendingProposal}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.clearPendingProposal} instead.
-	 */
-	clearPendingProposal(conversationId: ConversationId, proposalRef: ProposalRef): Promise<void>;
-	/**
-	 * See {@link CoreCryptoContext.clearPendingCommit}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.clearPendingCommit} instead.
-	 */
-	clearPendingCommit(conversationId: ConversationId): Promise<void>;
 	/**
 	 * See {@link CoreCryptoContext.exportSecretKey}.
 	 *
@@ -2641,154 +2249,43 @@ export declare class CoreCrypto {
 	 */
 	exportSecretKey(conversationId: ConversationId, keyLength: number): Promise<Uint8Array>;
 	/**
-	 * See {@link CoreCryptoContext.getExternalSender}.
-	 *
-	 * @param conversationId - The group's ID
-	 *
-	 * @returns A `Uint8Array` representing the external sender raw public key
-	 */
-	getExternalSender(conversationId: ConversationId): Promise<Uint8Array>;
-	/**
-	 * See {@link CoreCryptoContext.getClientIds}.
-	 *
-	 * @param conversationId - The group's ID
-	 *
-	 * @returns A list of clients from the members of the group
-	 */
-	getClientIds(conversationId: ConversationId): Promise<ClientId[]>;
-	/**
-	 * See {@link CoreCryptoContext.randomBytes}.
-	 *
-	 * @param length - The number of bytes to be returned in the `Uint8Array`
-	 *
-	 * @returns A `Uint8Array` buffer that contains `length` cryptographically-secure random bytes
-	 */
-	randomBytes(length: number): Promise<Uint8Array>;
-	/**
-	 * Allows to reseed {@link CoreCrypto}'s internal CSPRNG with a new seed.
-	 *
-	 * @param seed - **exactly 32** bytes buffer seed
-	 */
-	reseedRng(seed: Uint8Array): Promise<void>;
-	/**
-	 * Initializes the proteus client
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.proteusInit} instead.
-	 */
-	proteusInit(): Promise<void>;
-	/**
-	 * Create a Proteus session using a prekey
-	 *
-	 * @param sessionId - ID of the Proteus session
-	 * @param prekey - CBOR-encoded Proteus prekey of the other client
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.proteusSessionFromPrekey} instead.
-	 */
-	proteusSessionFromPrekey(sessionId: string, prekey: Uint8Array): Promise<void>;
-	/**
-	 * Create a Proteus session from a handshake message
-	 *
-	 * @param sessionId - ID of the Proteus session
-	 * @param envelope - CBOR-encoded Proteus message
-	 *
-	 * @returns A `Uint8Array` containing the message that was sent along with the session handshake
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.proteusSessionFromMessage} instead.
-	 */
-	proteusSessionFromMessage(sessionId: string, envelope: Uint8Array): Promise<Uint8Array>;
-	/**
-	 * Locally persists a session to the keystore
-	 *
-	 * **Note**: This isn't usually needed as persisting sessions happens automatically when decrypting/encrypting messages and initializing Sessions
-	 *
-	 * @param sessionId - ID of the Proteus session
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.proteusSessionSave} instead.
-	 */
-	proteusSessionSave(sessionId: string): Promise<void>;
-	/**
-	 * Deletes a session
-	 * Note: this also deletes the persisted data within the keystore
-	 *
-	 * @param sessionId - ID of the Proteus session
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.proteusSessionDelete} instead.
-	 */
-	proteusSessionDelete(sessionId: string): Promise<void>;
-	/**
-	 * Checks if a session exists
-	 *
-	 * @param sessionId - ID of the Proteus session
-	 *
-	 * @returns whether the session exists or not
-	 */
-	proteusSessionExists(sessionId: string): Promise<boolean>;
-	/**
-	 * Decrypt an incoming message for an existing Proteus session
-	 *
-	 * @param sessionId - ID of the Proteus session
-	 * @param ciphertext - CBOR encoded, encrypted proteus message
-	 * @returns The decrypted payload contained within the message
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.proteusDecrypt} instead.
-	 */
-	proteusDecrypt(sessionId: string, ciphertext: Uint8Array): Promise<Uint8Array>;
-	/**
-	 * Encrypt a message for a given Proteus session
-	 *
-	 * @param sessionId - ID of the Proteus session
-	 * @param plaintext - payload to encrypt
-	 * @returns The CBOR-serialized encrypted message
+	 * See {@link CoreCryptoContext.getExternalSender}.
+	 *
+	 * @param conversationId - The group's ID
 	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.proteusEncrypt} instead.
+	 * @returns A `Uint8Array` representing the external sender raw public key
 	 */
-	proteusEncrypt(sessionId: string, plaintext: Uint8Array): Promise<Uint8Array>;
+	getExternalSender(conversationId: ConversationId): Promise<Uint8Array>;
 	/**
-	 * Batch encryption for proteus messages
-	 * This is used to minimize FFI roundtrips when used in the context of a multi-client session (i.e. conversation)
+	 * See {@link CoreCryptoContext.getClientIds}.
 	 *
-	 * @param sessions - List of Proteus session IDs to encrypt the message for
-	 * @param plaintext - payload to encrypt
-	 * @returns A map indexed by each session ID and the corresponding CBOR-serialized encrypted message for this session
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.proteusEncryptBatched} instead.
+	 * @param conversationId - The group's ID
+	 *
+	 * @returns A list of clients from the members of the group
 	 */
-	proteusEncryptBatched(sessions: string[], plaintext: Uint8Array): Promise<Map<string, Uint8Array>>;
+	getClientIds(conversationId: ConversationId): Promise<ClientId[]>;
 	/**
-	 * Creates a new prekey with the requested ID.
+	 * See {@link CoreCryptoContext.randomBytes}.
 	 *
-	 * @param prekeyId - ID of the PreKey to generate. This cannot be bigger than a u16
-	 * @returns: A CBOR-serialized version of the PreKeyBundle corresponding to the newly generated and stored PreKey
+	 * @param length - The number of bytes to be returned in the `Uint8Array`
 	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.proteusNewPrekey} instead.
+	 * @returns A `Uint8Array` buffer that contains `length` cryptographically-secure random bytes
 	 */
-	proteusNewPrekey(prekeyId: number): Promise<Uint8Array>;
+	randomBytes(length: number): Promise<Uint8Array>;
 	/**
-	 * Creates a new prekey with an automatically generated ID..
-	 *
-	 * @returns A CBOR-serialized version of the PreKeyBundle corresponding to the newly generated and stored PreKey accompanied by its ID
+	 * Allows to reseed {@link CoreCrypto}'s internal CSPRNG with a new seed.
 	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.proteusNewPrekeyAuto} instead.
+	 * @param seed - **exactly 32** bytes buffer seed
 	 */
-	proteusNewPrekeyAuto(): Promise<ProteusAutoPrekeyBundle>;
+	reseedRng(seed: Uint8Array): Promise<void>;
 	/**
-	 * Proteus last resort prekey stuff
+	 * Checks if a session exists
 	 *
-	 * @returns A CBOR-serialize version of the PreKeyBundle associated with the last resort PreKey (holding the last resort prekey id)
+	 * @param sessionId - ID of the Proteus session
 	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.proteusLastResortPrekey} instead.
+	 * @returns whether the session exists or not
 	 */
-	proteusLastResortPrekey(): Promise<Uint8Array>;
+	proteusSessionExists(sessionId: string): Promise<boolean>;
 	/**
 	 * @returns The last resort PreKey id
 	 */
@@ -2821,48 +2318,6 @@ export declare class CoreCrypto {
 	 * @returns Hex-encoded public key string
 	 **/
 	static proteusFingerprintPrekeybundle(prekey: Uint8Array): string;
-	/**
-	 * Imports all the data stored by Cryptobox into the CoreCrypto keystore
-	 *
-	 * @param storeName - The name of the IndexedDB store where the data is stored
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.proteusCryptoboxMigrate} instead.
-	 */
-	proteusCryptoboxMigrate(storeName: string): Promise<void>;
-	/**
-	 * Note: this call clears out the code and resets it to 0 (aka no error)
-	 * @returns the last proteus error code that occured.
-	 */
-	proteusLastErrorCode(): Promise<number>;
-	/**
-	 * See {@link CoreCryptoContext.e2eiNewEnrollment}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.e2eiNewEnrollment} instead.
-	 */
-	e2eiNewEnrollment(clientId: string, displayName: string, handle: string, expirySec: number, ciphersuite: Ciphersuite$1, team?: string): Promise<E2eiEnrollment>;
-	/**
-	 * See {@link CoreCryptoContext.e2eiNewActivationEnrollment}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.e2eiNewActivationEnrollment} instead.
-	 */
-	e2eiNewActivationEnrollment(displayName: string, handle: string, expirySec: number, ciphersuite: Ciphersuite$1, team?: string): Promise<E2eiEnrollment>;
-	/**
-	 * See {@link CoreCryptoContext.e2eiNewRotateEnrollment}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.e2eiNewRotateEnrollment} instead.
-	 */
-	e2eiNewRotateEnrollment(expirySec: number, ciphersuite: Ciphersuite$1, displayName?: string, handle?: string, team?: string): Promise<E2eiEnrollment>;
-	/**
-	 * See {@link CoreCryptoContext.e2eiMlsInitOnly}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.e2eiMlsInitOnly} instead.
-	 */
-	e2eiMlsInitOnly(enrollment: E2eiEnrollment, certificateChain: string, nbKeyPackage?: number): Promise<string[] | undefined>;
 	/**
 	 * See {@link CoreCryptoContext.e2eiDumpPKIEnv}.
 	 *
@@ -2874,55 +2329,6 @@ export declare class CoreCrypto {
 	 * @returns whether the E2EI PKI environment is setup (i.e. Root CA, Intermediates, CRLs)
 	 */
 	e2eiIsPKIEnvSetup(): Promise<boolean>;
-	/**
-	 * See {@link CoreCryptoContext.e2eiRegisterAcmeCA}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.e2eiRegisterAcmeCA} instead.
-	 */
-	e2eiRegisterAcmeCA(trustAnchorPEM: string): Promise<void>;
-	/**
-	 * See {@link CoreCryptoContext.e2eiRegisterIntermediateCA}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.e2eiRegisterIntermediateCA} instead.
-	 */
-	e2eiRegisterIntermediateCA(certPEM: string): Promise<string[] | undefined>;
-	/**
-	 * See {@link CoreCryptoContext.e2eiRegisterCRL}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.e2eiRegisterCRL} instead.
-	 */
-	e2eiRegisterCRL(crlDP: string, crlDER: Uint8Array): Promise<CRLRegistration>;
-	/**
-	 * See {@link CoreCryptoContext.e2eiRotateAll}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.e2eiRotateAll} instead.
-	 */
-	e2eiRotateAll(enrollment: E2eiEnrollment, certificateChain: string, newKeyPackageCount: number): Promise<RotateBundle>;
-	/**
-	 * See {@link CoreCryptoContext.e2eiEnrollmentStash}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.e2eiEnrollmentStash} instead.
-	 */
-	e2eiEnrollmentStash(enrollment: E2eiEnrollment): Promise<Uint8Array>;
-	/**
-	 * See {@link CoreCryptoContext.e2eiEnrollmentStashPop}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.e2eiEnrollmentStashPop} instead.
-	 */
-	e2eiEnrollmentStashPop(handle: Uint8Array): Promise<E2eiEnrollment>;
-	/**
-	 * See {@link CoreCryptoContext.e2eiConversationState}.
-	 *
-	 * @deprecated Create a transaction with {@link CoreCrypto.transaction}
-	 * and use {@link CoreCryptoContext.e2eiConversationState} instead.
-	 */
-	e2eiConversationState(conversationId: ConversationId): Promise<E2eiConversationState>;
 	/**
 	 * See {@link CoreCryptoContext.e2eiIsEnabled}.
 	 *
@@ -2937,7 +2343,7 @@ export declare class CoreCrypto {
 	 * @param deviceIds - identifiers of the devices
 	 * @returns identities or if no member has a x509 certificate, it will return an empty List
 	 */
-	getDeviceIdentities(conversationId: ConversationId, deviceIds: ClientId[]): Promise<WireIdentity$1[]>;
+	getDeviceIdentities(conversationId: ConversationId, deviceIds: ClientId[]): Promise<WireIdentity[]>;
 	/**
 	 * See {@link CoreCryptoContext.getUserIdentities}.
 	 *
@@ -2945,7 +2351,7 @@ export declare class CoreCrypto {
 	 * @param userIds - user identifiers hyphenated UUIDv4 e.g. 'bd4c7053-1c5a-4020-9559-cd7bf7961954'
 	 * @returns a Map with all the identities for a given users. Consumers are then recommended to reduce those identities to determine the actual status of a user.
 	 */
-	getUserIdentities(conversationId: ConversationId, userIds: string[]): Promise<Map<string, WireIdentity$1[]>>;
+	getUserIdentities(conversationId: ConversationId, userIds: string[]): Promise<Map<string, WireIdentity[]>>;
 	/**
 	 * See {@link CoreCryptoContext.getCredentialInUse}.
 	 *
@@ -2954,196 +2360,13 @@ export declare class CoreCrypto {
 	 * @returns see {@link E2eiConversationState}
 	 */
 	getCredentialInUse(groupInfo: Uint8Array, credentialType?: CredentialType$1): Promise<E2eiConversationState>;
-	/**
-	 * Returns the current version of {@link CoreCrypto}
-	 *
-	 * @returns The `core-crypto-ffi` version as defined in its `Cargo.toml` file
-	 */
-	static version(): string;
-	/**
-	 * Returns build metadata for the {@link CoreCrypto} libary.
-	 *
-	 * @returns varous build metadata for `core-crypto`.
-	 */
-	static buildMetadata(): BuildMetadata;
-}
-type JsonRawData = Uint8Array;
-export declare class E2eiEnrollment {
-	#private;
-	/** @hidden */
-	constructor(e2ei: unknown);
-	free(): void;
-	/**
-	 * Should only be used internally
-	 */
-	inner(): unknown;
-	/**
-	 * Parses the response from `GET /acme/{provisioner-name}/directory`.
-	 * Use this {@link AcmeDirectory} in the next step to fetch the first nonce from the acme server. Use
-	 * {@link AcmeDirectory.newNonce}.
-	 *
-	 * @param directory HTTP response body
-	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.1.1
-	 */
-	directoryResponse(directory: JsonRawData): Promise<AcmeDirectory>;
-	/**
-	 * For creating a new acme account. This returns a signed JWS-alike request body to send to
-	 * `POST /acme/{provisioner-name}/new-account`.
-	 *
-	 * @param previousNonce you got from calling `HEAD {@link AcmeDirectory.newNonce}`
-	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.3
-	 */
-	newAccountRequest(previousNonce: string): Promise<JsonRawData>;
-	/**
-	 * Parses the response from `POST /acme/{provisioner-name}/new-account`.
-	 * @param account HTTP response body
-	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.3
-	 */
-	newAccountResponse(account: JsonRawData): Promise<void>;
-	/**
-	 * Creates a new acme order for the handle (userId + display name) and the clientId.
-	 *
-	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/new-account`
-	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
-	 */
-	newOrderRequest(previousNonce: string): Promise<JsonRawData>;
-	/**
-	 * Parses the response from `POST /acme/{provisioner-name}/new-order`.
-	 *
-	 * @param order HTTP response body
-	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
-	 */
-	newOrderResponse(order: JsonRawData): Promise<NewAcmeOrder>;
-	/**
-	 * Creates a new authorization request.
-	 *
-	 * @param url one of the URL in new order's authorizations (use {@link NewAcmeOrder.authorizations} from {@link newOrderResponse})
-	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/new-order` (or from the
-	 * previous to this method if you are creating the second authorization)
-	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5
-	 */
-	newAuthzRequest(url: string, previousNonce: string): Promise<JsonRawData>;
-	/**
-	 * Parses the response from `POST /acme/{provisioner-name}/authz/{authz-id}`
-	 *
-	 * @param authz HTTP response body
-	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5
-	 */
-	newAuthzResponse(authz: JsonRawData): Promise<NewAcmeAuthz>;
-	/**
-	 * Generates a new client Dpop JWT token. It demonstrates proof of possession of the nonces
-	 * (from wire-server & acme server) and will be verified by the acme server when verifying the
-	 * challenge (in order to deliver a certificate).
-	 *
-	 * Then send it to `POST /clients/{id}/access-token`
-	 * {@link https://staging-nginz-https.zinfra.io/api/swagger-ui/#/default/post_clients__cid__access_token} on wire-server.
-	 *
-	 * @param expirySecs of the client Dpop JWT. This should be equal to the grace period set in Team Management
-	 * @param backendNonce you get by calling `GET /clients/token/nonce` on wire-server as defined here {@link https://staging-nginz-https.zinfra.io/api/swagger-ui/#/default/get_clients__client__nonce}
-	 */
-	createDpopToken(expirySecs: number, backendNonce: string): Promise<Uint8Array>;
-	/**
-	 * Creates a new challenge request for Wire Dpop challenge.
-	 *
-	 * @param accessToken returned by wire-server from https://staging-nginz-https.zinfra.io/api/swagger-ui/#/default/post_clients__cid__access_token
-	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/authz/{authz-id}`
-	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
-	 */
-	newDpopChallengeRequest(accessToken: string, previousNonce: string): Promise<JsonRawData>;
-	/**
-	 * Parses the response from `POST /acme/{provisioner-name}/challenge/{challenge-id}` for the DPoP challenge.
-	 *
-	 * @param challenge HTTP response body
-	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
-	 */
-	newDpopChallengeResponse(challenge: JsonRawData): Promise<void>;
-	/**
-	 * Creates a new challenge request for Wire Oidc challenge.
-	 *
-	 * @param idToken you get back from Identity Provider
-	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/authz/{authz-id}`
-	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
-	 */
-	newOidcChallengeRequest(idToken: string, previousNonce: string): Promise<JsonRawData>;
-	/**
-	 * Parses the response from `POST /acme/{provisioner-name}/challenge/{challenge-id}` for the OIDC challenge.
-	 *
-	 * @param cc the CoreCrypto instance
-	 * @param challenge HTTP response body
-	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
-	 */
-	newOidcChallengeResponse(challenge: JsonRawData): Promise<void>;
-	/**
-	 * Verifies that the previous challenge has been completed.
-	 *
-	 * @param orderUrl `location` header from http response you got from {@link newOrderResponse}
-	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/challenge/{challenge-id}`
-	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
-	 */
-	checkOrderRequest(orderUrl: string, previousNonce: string): Promise<JsonRawData>;
-	/**
-	 * Parses the response from `POST /acme/{provisioner-name}/order/{order-id}`.
-	 *
-	 * @param order HTTP response body
-	 * @return finalize url to use with {@link finalizeRequest}
-	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
-	 */
-	checkOrderResponse(order: JsonRawData): Promise<string>;
-	/**
-	 * Final step before fetching the certificate.
-	 *
-	 * @param previousNonce - `replay-nonce` response header from `POST /acme/{provisioner-name}/order/{order-id}`
-	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
-	 */
-	finalizeRequest(previousNonce: string): Promise<JsonRawData>;
-	/**
-	 * Parses the response from `POST /acme/{provisioner-name}/order/{order-id}/finalize`.
-	 *
-	 * @param finalize HTTP response body
-	 * @return the certificate url to use with {@link certificateRequest}
-	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
-	 */
-	finalizeResponse(finalize: JsonRawData): Promise<string>;
-	/**
-	 * Creates a request for finally fetching the x509 certificate.
-	 *
-	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/order/{order-id}/finalize`
-	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4.2
-	 */
-	certificateRequest(previousNonce: string): Promise<JsonRawData>;
-}
-/**
- * Indicates the state of a Conversation regarding end-to-end identity.
- * Note: this does not check pending state (pending commit, pending proposals) so it does not
- * consider members about to be added/removed
- */
-export declare enum E2eiConversationState {
-	/**
-	 * All clients have a valid E2EI certificate
-	 */
-	Verified = 1,
-	/**
-	 * Some clients are either still Basic or their certificate is expired
-	 */
-	NotVerified = 2,
-	/**
-	 * All clients are still Basic. If all client have expired certificates, NotVerified is returned.
-	 */
-	NotEnabled = 3
 }
 export {
 	Ciphersuite$1 as Ciphersuite,
-	ConversationConfiguration as ConversationConfigurationFfi,
-	ConversationConfiguration$1 as ConversationConfiguration,
-	CoreCryptoContext as CoreCryptoContextFfi,
 	CoreCryptoContext$1 as CoreCryptoContext,
 	CredentialType$1 as CredentialType,
-	CustomConfiguration as CustomConfigurationFfi,
-	CustomConfiguration$1 as CustomConfiguration,
-	WireIdentity$1 as WireIdentity,
 	WirePolicy$1 as WirePolicy,
-	X509Identity$1 as X509Identity,
 };
 export {};