gdc-sdk-client-ts 1.0.3 → 1.1.0

package/dist/ProfileManager.d.ts

@@ -0,0 +1,72 @@
+import { DidDocument } from 'gdc-common-utils-ts/models/did';
+import { IWallet } from 'gdc-common-utils-ts/interfaces/IWallet';
+import { JobRequest } from 'gdc-common-utils-ts/models/confidential-job';
+import { IVaultRepository, VaultQuery } from './interfaces/IVaultRepository';
+import { IProfile } from './interfaces/IProfile';
+import { SdkConfig, AppInfo } from './interfaces/others';
+import { ISmartTokenManager } from './interfaces/ISmartTokenManager';
+import { IJobManager } from './interfaces/IJobManager';
+import { CommonAuthService } from './frontend-services/common/CommonAuthService';
+import { FamilyAdminServices, OrgAdminServices, ProfessionalServices, IndividualServices } from './roleRegistry';
+interface CommonServices {
+    auth: CommonAuthService;
+}
+/**
+ * Configuration for the ProfileManager.
+ */
+export interface ProfileManagerConfig {
+    profile: IProfile;
+    wallet: IWallet;
+    vault: IVaultRepository;
+    sdkConfig: SdkConfig;
+    appInfo: AppInfo;
+    orgDidDoc: DidDocument;
+}
+/**
+ * @class ProfileManager
+ * Represents an active user session. It is the central hub that provides access
+ * to namespaced API services based on the user's role.
+ * @sdk
+ */
+export declare class ProfileManager {
+    profile: IProfile;
+    orgDidDoc: DidDocument;
+    private appInfo;
+    private wallet;
+    private vault;
+    private sdkConfig;
+    jobManager: IJobManager;
+    smartTokenManager: ISmartTokenManager;
+    orgAdmin?: OrgAdminServices;
+    familyAdmin?: FamilyAdminServices;
+    professional?: ProfessionalServices;
+    individual?: IndividualServices;
+    common: CommonServices;
+    constructor(config: ProfileManagerConfig);
+    /**
+     * Builds the entire API surface by calling the capabilityMapper and assigning
+     * the returned services to the appropriate namespaces.
+     */
+    private buildApiSurface;
+    /**
+     * Initializes all stateful services owned by this profile instance.
+     */
+    initialize(): Promise<void>;
+    /**
+     * Updates and persists the current profile in the local vault.
+     */
+    updateProfile(patch: Partial<IProfile>): Promise<void>;
+    /**
+     * Requests (or reuses) a SMART access token for the given provider and scopes.
+     */
+    getSmartToken(providerDid: string, scopes: string[], idToken: string, clientId?: string): Promise<import("./interfaces").SmartToken>;
+    /**
+     * Shuts down all services owned by this profile instance.
+     */
+    shutdown(): void;
+    /**
+     * Queries jobs from the vault for the current profile using a specific query.
+     */
+    queryJobs(query: VaultQuery): Promise<JobRequest[]>;
+}
+export {};

package/dist/ProfileManager.js

@@ -0,0 +1,113 @@
+// Copyright 2025 Antifraud Services Inc. under the Apache License, Version 2.0.
+// File: client-sdk-ts/src/ProfileManager.ts
+import JobManager from './JobManager.js';
+import { SmartTokenManager } from './SmartTokenManager.js';
+import { CommonAuthService } from './frontend-services/common/CommonAuthService.js';
+import { mapCapabilitiesToServices } from './utils/capabilityMapper.js';
+/**
+ * @class ProfileManager
+ * Represents an active user session. It is the central hub that provides access
+ * to namespaced API services based on the user's role.
+ * @sdk
+ */
+export class ProfileManager {
+    constructor(config) {
+        var _a, _b, _c;
+        if (!config || !config.profile || !config.wallet || !config.vault || !config.sdkConfig) {
+            throw new Error("ProfileManager requires 'profile', 'wallet', 'vault', and 'sdkConfig'.");
+        }
+        this.profile = config.profile;
+        this.orgDidDoc = config.orgDidDoc;
+        this.appInfo = config.appInfo;
+        this.wallet = config.wallet;
+        this.vault = config.vault;
+        this.sdkConfig = config.sdkConfig;
+        this.jobManager = new JobManager({
+            profile: this.profile,
+            wallet: this.wallet,
+            vault: this.vault,
+            sdkConfig: config.sdkConfig
+        });
+        const isMock = !!((_a = this.sdkConfig.mockOptions) === null || _a === void 0 ? void 0 : _a.apiResponse) || !!((_b = this.sdkConfig.mockOptions) === null || _b === void 0 ? void 0 : _b.resolvedDidDocs);
+        this.smartTokenManager = new SmartTokenManager({
+            mode: isMock ? 'mock' : 'backend',
+            fetcher: this.sdkConfig.fetcher,
+            resolvedDidDocs: (_c = this.sdkConfig.mockOptions) === null || _c === void 0 ? void 0 : _c.resolvedDidDocs,
+            cryptoHelper: this.sdkConfig.crypto,
+        });
+        // The single call to our intelligent "brain" to build the API surface.
+        const serviceContext = this.buildApiSurface();
+        this.common = {
+            auth: new CommonAuthService(serviceContext),
+        };
+    }
+    /**
+     * Builds the entire API surface by calling the capabilityMapper and assigning
+     * the returned services to the appropriate namespaces.
+     */
+    buildApiSurface() {
+        const serviceContext = {
+            profile: this.profile,
+            jobManager: this.jobManager,
+            smartTokenManager: this.smartTokenManager,
+            sdkConfig: this.sdkConfig,
+            appInfo: this.appInfo, // Pass AppInfo to context
+            cryptoHelper: this.sdkConfig.crypto,
+        };
+        // Delegate the complex role mapping to the central mapper
+        const { orgAdmin, familyAdmin, professional, individual } = mapCapabilitiesToServices(serviceContext, this.profile, this.orgDidDoc, this.appInfo.appType // Pass the appType from AppInfo
+        );
+        // Assign the returned, fully instantiated and composed services
+        this.orgAdmin = orgAdmin;
+        this.familyAdmin = familyAdmin;
+        this.professional = professional;
+        this.individual = individual;
+        return serviceContext;
+    }
+    /**
+     * Initializes all stateful services owned by this profile instance.
+     */
+    async initialize() {
+        await this.vault.initialize();
+        await this.jobManager.initialize();
+        console.log(`[ProfileManager] Initialized for profile: ${this.profile.id}`);
+    }
+    /**
+     * Updates and persists the current profile in the local vault.
+     */
+    async updateProfile(patch) {
+        this.profile = Object.assign(Object.assign({}, this.profile), patch);
+        await this.vault.put('profile', this.profile);
+    }
+    /**
+     * Requests (or reuses) a SMART access token for the given provider and scopes.
+     */
+    async getSmartToken(providerDid, scopes, idToken, clientId) {
+        const resolvedClientId = clientId || this.profile.deviceDid;
+        if (!resolvedClientId) {
+            throw new Error('[ProfileManager] Missing device client_id. Activate the device before requesting SMART tokens.');
+        }
+        const normalizedScopes = Array.from(new Set(scopes.filter(Boolean))).sort();
+        return this.smartTokenManager.getToken(providerDid, normalizedScopes, idToken, resolvedClientId);
+    }
+    /**
+     * Shuts down all services owned by this profile instance.
+     */
+    shutdown() {
+        if (this.jobManager) {
+            this.jobManager.shutdown();
+        }
+        this.smartTokenManager.clearAllTokens();
+        console.log(`[ProfileManager] Shutdown for profile: ${this.profile.id}`);
+    }
+    /**
+     * Queries jobs from the vault for the current profile using a specific query.
+     */
+    async queryJobs(query) {
+        if (!this.jobManager) {
+            console.warn("[ProfileManager] Attempted to query jobs, but JobManager is not initialized.");
+            return [];
+        }
+        return this.jobManager.queryJobs(query);
+    }
+}

package/dist/ProfileRegistry.d.ts

@@ -0,0 +1,14 @@
+import { IVaultRepository, VaultQuery } from './interfaces/IVaultRepository';
+import { ProfileRegistryEntry } from './models/profileRegistry';
+export declare class ProfileRegistry {
+    private vault;
+    constructor(vault: IVaultRepository);
+    initialize(): Promise<void>;
+    list(query?: VaultQuery): Promise<ProfileRegistryEntry[]>;
+    get(profileId: string): Promise<ProfileRegistryEntry | undefined>;
+    upsert(entry: Omit<ProfileRegistryEntry, 'id'> & {
+        id?: string;
+    }): Promise<ProfileRegistryEntry>;
+    markLastUsed(profileId: string): Promise<void>;
+    remove(profileId: string): Promise<boolean>;
+}

package/dist/ProfileRegistry.js

@@ -0,0 +1,38 @@
+// Copyright 2025 Antifraud Services Inc. under the Apache License, Version 2.0.
+// File: client-sdk-ts/src/ProfileRegistry.ts
+const PROFILE_INDEX_COLLECTION = 'profile-index';
+export class ProfileRegistry {
+    constructor(vault) {
+        this.vault = vault;
+    }
+    async initialize() {
+        await this.vault.initialize();
+    }
+    async list(query) {
+        const fallbackQuery = {
+            orderBy: { attribute: 'lastUsedAt', direction: 'desc' },
+        };
+        return this.vault.query(PROFILE_INDEX_COLLECTION, query !== null && query !== void 0 ? query : fallbackQuery);
+    }
+    async get(profileId) {
+        return this.vault.get(PROFILE_INDEX_COLLECTION, profileId);
+    }
+    async upsert(entry) {
+        var _a, _b, _c, _d;
+        const now = new Date().toISOString();
+        const id = entry.id || entry.profileId;
+        const existing = id ? await this.get(id) : undefined;
+        const record = Object.assign(Object.assign(Object.assign({}, existing), entry), { id, profileId: entry.profileId || (existing === null || existing === void 0 ? void 0 : existing.profileId) || id, createdAt: (_b = (_a = existing === null || existing === void 0 ? void 0 : existing.createdAt) !== null && _a !== void 0 ? _a : entry.createdAt) !== null && _b !== void 0 ? _b : now, lastUsedAt: (_d = (_c = entry.lastUsedAt) !== null && _c !== void 0 ? _c : existing === null || existing === void 0 ? void 0 : existing.lastUsedAt) !== null && _d !== void 0 ? _d : now });
+        await this.vault.put(PROFILE_INDEX_COLLECTION, record);
+        return record;
+    }
+    async markLastUsed(profileId) {
+        const existing = await this.get(profileId);
+        if (!existing)
+            return;
+        await this.vault.put(PROFILE_INDEX_COLLECTION, Object.assign(Object.assign({}, existing), { lastUsedAt: new Date().toISOString() }));
+    }
+    async remove(profileId) {
+        return this.vault.delete(PROFILE_INDEX_COLLECTION, profileId);
+    }
+}

package/dist/SmartTokenManager.d.ts

@@ -0,0 +1,62 @@
+import type { ICryptoHelper } from 'gdc-common-utils-ts/interfaces/ICryptoHelper';
+import { ISmartTokenManager, SmartToken } from "./interfaces/ISmartTokenManager";
+export type SmartTokenManagerMode = 'mock' | 'backend';
+export type SmartTokenManagerOptions = {
+    mode?: SmartTokenManagerMode;
+    fetcher?: typeof fetch;
+    resolvedDidDocs?: {
+        [did: string]: any;
+    };
+    cryptoHelper?: ICryptoHelper;
+    /**
+     * Default purpose to request in SMART token calls (backend mode).
+     * This is a business/policy hint, not the OAuth "audience".
+     */
+    defaultPurpose?: string;
+};
+/**
+ * A concrete implementation of the ISmartTokenManager.
+ *
+ * This implementation uses a simple in-memory cache. In a real application,
+ * this could be backed by secure storage. The token acquisition logic is
+ * currently a placeholder and would need to be replaced with a full
+ * OIDC/OAuth 2.0 client flow (e.g., using `expo-auth-session`).
+ */
+export declare class SmartTokenManager implements ISmartTokenManager {
+    private tokenCache;
+    private readonly mode;
+    private readonly fetcher?;
+    private readonly resolvedDidDocs?;
+    private readonly cryptoHelper?;
+    private readonly defaultPurpose;
+    constructor(options?: SmartTokenManagerOptions);
+    private newId;
+    /**
+     * Checks if a token is expired.
+     * @param token The token to check.
+     * @returns True if the token is expired, false otherwise.
+     */
+    private isTokenExpired;
+    /**
+     * Checks if a token's scopes cover all the required scopes.
+     * @param tokenScopes The scopes available in the token.
+     * @param requiredScopes The scopes needed for the API call.
+     * @returns True if all required scopes are present, false otherwise.
+     */
+    private hasRequiredScopes;
+    /**
+     * (Placeholder) This function would contain the logic to initiate the
+     * SMART-on-FHIR OAuth 2.0 authorization code flow to get a new token.
+     */
+    /**
+     * (Placeholder) This function simulates a real Authorization Server.
+     * It now requires both a user's `id_token` and the device's `client_id` (DID)
+     * to simulate the `private_key_jwt` client assertion flow.
+     */
+    private acquireNewToken;
+    private resolveDid;
+    private acquireNewTokenFromBackend;
+    getToken(targetDid: string, requiredScopes: string[], idToken: string, clientId: string): Promise<SmartToken>;
+    clearToken(targetDid: string): void;
+    clearAllTokens(): void;
+}

package/dist/SmartTokenManager.js

@@ -0,0 +1,223 @@
+// Copyright 2025 Antifraud Services Inc. under the Apache License, Version 2.0.
+// File: client-sdk-ts/src/SmartTokenManager.ts
+import { generateServiceId } from 'gdc-common-utils-ts/utils/did';
+import { EndpointKey, ENDPOINT_REGISTRY } from './serviceSelectorRegistry.js';
+/**
+ * A concrete implementation of the ISmartTokenManager.
+ *
+ * This implementation uses a simple in-memory cache. In a real application,
+ * this could be backed by secure storage. The token acquisition logic is
+ * currently a placeholder and would need to be replaced with a full
+ * OIDC/OAuth 2.0 client flow (e.g., using `expo-auth-session`).
+ */
+export class SmartTokenManager {
+    constructor(options = {}) {
+        this.tokenCache = new Map();
+        this.mode = options.mode || 'mock';
+        this.fetcher = options.fetcher;
+        this.resolvedDidDocs = options.resolvedDidDocs;
+        this.cryptoHelper = options.cryptoHelper;
+        this.defaultPurpose = options.defaultPurpose || 'TREAT';
+    }
+    newId() {
+        var _a, _b;
+        // Prefer the SDK's crypto helper (consistent across platforms/tests).
+        const fromHelper = (_b = (_a = this.cryptoHelper) === null || _a === void 0 ? void 0 : _a.randomUUID) === null || _b === void 0 ? void 0 : _b.call(_a);
+        if (fromHelper)
+            return fromHelper;
+        // Fallback to the platform implementation.
+        const anyCrypto = globalThis.crypto;
+        if (typeof (anyCrypto === null || anyCrypto === void 0 ? void 0 : anyCrypto.randomUUID) === 'function')
+            return anyCrypto.randomUUID();
+        // Hard failure: this SDK requires RFC 4122 UUIDs for DIDComm correlation identifiers.
+        throw new Error('[SmartTokenManager] Cannot generate UUID: provide sdkConfig.crypto.randomUUID() or run on a platform with globalThis.crypto.randomUUID().');
+    }
+    /**
+     * Checks if a token is expired.
+     * @param token The token to check.
+     * @returns True if the token is expired, false otherwise.
+     */
+    isTokenExpired(token) {
+        const now = Math.floor(Date.now() / 1000); // Current time in seconds
+        return now >= token.expiresAt;
+    }
+    /**
+     * Checks if a token's scopes cover all the required scopes.
+     * @param tokenScopes The scopes available in the token.
+     * @param requiredScopes The scopes needed for the API call.
+     * @returns True if all required scopes are present, false otherwise.
+     */
+    hasRequiredScopes(tokenScopes, requiredScopes) {
+        const scopeSet = new Set(tokenScopes);
+        return requiredScopes.every(scope => scopeSet.has(scope));
+    }
+    /**
+     * (Placeholder) This function would contain the logic to initiate the
+     * SMART-on-FHIR OAuth 2.0 authorization code flow to get a new token.
+     */
+    /**
+     * (Placeholder) This function simulates a real Authorization Server.
+     * It now requires both a user's `id_token` and the device's `client_id` (DID)
+     * to simulate the `private_key_jwt` client assertion flow.
+     */
+    async acquireNewToken(targetDid, requiredScopes, idToken, // Proof of user identity
+    clientId // Proof of device identity (used to sign the assertion)
+    ) {
+        if (this.mode === 'backend') {
+            if (!this.fetcher) {
+                throw new Error('[SmartTokenManager] backend mode requires a fetcher.');
+            }
+            return this.acquireNewTokenFromBackend(targetDid, requiredScopes, idToken, clientId);
+        }
+        console.log(`[SmartTokenManager] Simulating Authorization Server for entity '${targetDid}'`);
+        // In a real flow, we would use the clientId and a wallet to create a signed JWT assertion.
+        // For this mock, we just check that they exist.
+        if (!idToken || !clientId) {
+            throw new Error("MOCK AUTH SERVER: Both user id_token and device clientId are required.");
+        }
+        // --- MOCK AUTHORIZATION SERVER LOGIC ---
+        const endpointPermissions = {
+            'did:web:api-provider-1.example.com': {
+                allowedScopes: ['individual.onboard', 'admin.organization.acceptLicenseOffer']
+            },
+            'did:web:health.provider.com': {
+                allowedScopes: ['employee.healthcare.getIndexComposition']
+            }
+        };
+        const rules = endpointPermissions[targetDid];
+        if (!rules)
+            throw new Error(`MOCK AUTH SERVER: Unknown entity DID: ${targetDid}`);
+        const isAuthorized = requiredScopes.every(scope => rules.allowedScopes.includes(scope));
+        if (!isAuthorized) {
+            throw new Error(`MOCK AUTH SERVER: User is not authorized for scopes [${requiredScopes.join(', ')}]`);
+        }
+        console.log(`[SmartTokenManager] MOCK AUTH SERVER: Granting token for scopes [${requiredScopes.join(', ')}]`);
+        const mockToken = {
+            token: 'mock-access-token-string-for-testing',
+            expiresAt: Math.floor(Date.now() / 1000) + 3600,
+            scopes: requiredScopes,
+        };
+        return Promise.resolve(mockToken);
+    }
+    async resolveDid(did) {
+        if (this.resolvedDidDocs && this.resolvedDidDocs[did])
+            return this.resolvedDidDocs[did];
+        const fetcher = this.fetcher;
+        if (!fetcher)
+            throw new Error('[SmartTokenManager] backend mode requires a fetcher to resolve DIDs.');
+        const path = did.substring(8).replace(/:/g, '/');
+        const url = `https://${path}/.well-known/did.json`;
+        const resp = await fetcher(url);
+        if (!resp.ok)
+            throw new Error(`[SmartTokenManager] Failed to resolve DID document at ${url}.`);
+        return resp.json();
+    }
+    async acquireNewTokenFromBackend(providerDid, requiredScopes, idToken, clientId) {
+        var _a, _b, _c, _d;
+        const fetcher = this.fetcher;
+        if (!fetcher)
+            throw new Error('[SmartTokenManager] backend mode requires a fetcher.');
+        // Resolve the provider DID document and locate the SMART token endpoint.
+        const didDoc = await this.resolveDid(providerDid);
+        const selector = Object.assign({}, ENDPOINT_REGISTRY[EndpointKey.GET_SMART_TOKEN]);
+        // Sector is required for the service ID; default to "health-care" if the caller didn't encode it in the DID.
+        selector.sector = selector.sector || 'health-care';
+        const fullServiceId = `${providerDid}${generateServiceId(selector)}`;
+        const normalizedSelector = Object.assign(Object.assign({}, selector), { section: (_a = selector.section) === null || _a === void 0 ? void 0 : _a.toLowerCase(), format: (_b = selector.format) === null || _b === void 0 ? void 0 : _b.toLowerCase(), resourceType: (_c = selector.resourceType) === null || _c === void 0 ? void 0 : _c.toLowerCase(), action: selector.action });
+        const normalizedFullServiceId = `${providerDid}${generateServiceId(normalizedSelector)}`;
+        const service = (_d = didDoc.service) === null || _d === void 0 ? void 0 : _d.find((s) => s.id === fullServiceId || s.id === normalizedFullServiceId);
+        if (!(service === null || service === void 0 ? void 0 : service.serviceEndpoint)) {
+            throw new Error(`[SmartTokenManager] SMART token service not found in DID doc for ${providerDid} (tried '${fullServiceId}' and '${normalizedFullServiceId}').`);
+        }
+        const endpointUrl = String(service.serviceEndpoint);
+        // Backend expects DIDComm plaintext message with body containing SMART token request data.
+        const thid = this.newId();
+        const didcomm = {
+            jti: this.newId(),
+            thid,
+            iss: clientId,
+            aud: endpointUrl,
+            type: 'application/json',
+            body: {
+                expires_in: 300,
+                token_type: 'Bearer',
+                sub: clientId,
+                purpose: this.defaultPurpose,
+                scope: requiredScopes.join(' '),
+            },
+        };
+        const submitResp = await fetcher(endpointUrl, {
+            method: 'POST',
+            headers: {
+                'content-type': 'application/didcomm-plaintext+json',
+                authorization: `Bearer ${idToken}`,
+            },
+            body: JSON.stringify(didcomm),
+        });
+        // Sync completion (rare)
+        if (submitResp.status === 200) {
+            const json = (await submitResp.json().catch(() => ({})));
+            const accessToken = json.access_token;
+            if (!accessToken)
+                throw new Error('[SmartTokenManager] Missing access_token in SMART token response.');
+            const expiresIn = Number(json.expires_in || 300);
+            return { token: accessToken, expiresAt: Math.floor(Date.now() / 1000) + expiresIn, scopes: requiredScopes };
+        }
+        if (submitResp.status !== 202) {
+            const text = await submitResp.text().catch(() => '');
+            throw new Error(`[SmartTokenManager] SMART token request failed (${submitResp.status}): ${text || submitResp.statusText}`);
+        }
+        const location = submitResp.headers.get('location');
+        if (!location)
+            throw new Error('[SmartTokenManager] Missing Location header for SMART token polling.');
+        const pollUrl = new URL(location).toString();
+        // Poll async result
+        for (let i = 0; i < 50; i++) {
+            const pollResp = await fetcher(pollUrl, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: JSON.stringify({ thid }),
+            });
+            if (pollResp.status === 202) {
+                await new Promise((r) => setTimeout(r, 100));
+                continue;
+            }
+            const json = (await pollResp.json().catch(() => ({})));
+            if (!pollResp.ok) {
+                throw new Error(`[SmartTokenManager] SMART token polling failed (${pollResp.status}).`);
+            }
+            const accessToken = json.access_token;
+            if (!accessToken)
+                throw new Error('[SmartTokenManager] Missing access_token in SMART token poll response.');
+            const expiresIn = Number(json.expires_in || 300);
+            return { token: accessToken, expiresAt: Math.floor(Date.now() / 1000) + expiresIn, scopes: requiredScopes };
+        }
+        throw new Error('[SmartTokenManager] SMART token polling timed out.');
+    }
+    async getToken(targetDid, requiredScopes, idToken, clientId) {
+        const scopeKey = requiredScopes.slice().sort().join(' ');
+        const cacheKey = `${targetDid}|${scopeKey}`;
+        const cachedToken = this.tokenCache.get(cacheKey);
+        if (cachedToken) {
+            if (!this.isTokenExpired(cachedToken) && this.hasRequiredScopes(cachedToken.scopes, requiredScopes)) {
+                return cachedToken;
+            }
+        }
+        const newToken = await this.acquireNewToken(targetDid, requiredScopes, idToken, clientId);
+        this.tokenCache.set(cacheKey, newToken);
+        return newToken;
+    }
+    clearToken(targetDid) {
+        const prefix = `${targetDid}|`;
+        for (const key of this.tokenCache.keys()) {
+            if (key.startsWith(prefix)) {
+                this.tokenCache.delete(key);
+            }
+        }
+        console.log(`[SmartTokenManager] Cleared token for entity '${targetDid}'.`);
+    }
+    clearAllTokens() {
+        this.tokenCache.clear();
+        console.log("[SmartTokenManager] All cached tokens have been cleared.");
+    }
+}

package/dist/VerifierService.d.ts

@@ -0,0 +1,39 @@
+import { VerifiableCredentialV2 } from "gdc-common-utils-ts/models/verifiable-credential";
+import { ICryptography } from "gdc-common-utils-ts/interfaces/ICryptography";
+import { IVerifier, VerifiablePresentation } from "./interfaces/ITrustRegistry";
+/**
+ * A service that verifies credentials by validating the entire chain of trust,
+ * starting from a single, bundled, hardcoded root public key.
+ */
+export declare class VerifierService implements IVerifier {
+    private cryptographyService;
+    private rootGoverningPublicKey;
+    private fetcher;
+    private icaCache;
+    constructor(cryptographyService: ICryptography, rootGoverningKeyPub: string, fetcher: typeof fetch);
+    /**
+     * Verifies an Assurance VC by validating its chain of trust.
+     * 1. Fetches the credential of the Intermediate CA (ICA) that issued the VC.
+     * 2. Verifies the ICA's credential against the hardcoded Root CA public key.
+     * 3. Caches the ICA's public key upon successful verification.
+     * 4. Verifies the original Assurance VC using the trusted ICA's public key.
+     */
+    verifyCredential(credential: VerifiableCredentialV2): Promise<boolean>;
+    /**
+     * A generic, offline signature verification function.
+     */
+    private verifySignature;
+    /**
+     * Fetches a credential from a /.well-known/self-description.json endpoint.
+     */
+    private fetchCredential;
+    /**
+     * Resolves a DID document. This is kept private as it's a utility for the trust chain, not the primary verification method.
+     */
+    private resolveDid;
+    private didToUrl;
+    /**
+     * Verifies a Verifiable Presentation. (Placeholder)
+     */
+    verifyPresentation(vp: VerifiablePresentation): Promise<boolean>;
+}