gdc-sdk-front-ts 0.6.2 → 0.6.6

package/README.md

@@ -14,22 +14,35 @@ Use this package when your frontend needs to:
 This package is frontend-facing. It should explain app flows, not gateway route
 details.
 
+Architectural rule:
+
+- `gdc-sdk-front-ts` should converge on the same actor-scoped facade boundaries
+  as `gdc-sdk-node-ts`
+- transport and adapter details may differ
+- business ownership must not differ by runtime
+
 ## Start Here
 
 If you are integrating this package for the first time, open these in order:
 
-1. [docs/SDK_INTEGRATION_101.md](./docs/SDK_INTEGRATION_101.md)
-   Real frontend/native setup, imports, `new ClientSDK(...)`,
-   `initializeCommunicationIdentity(...)`, provider discovery, and
+1. [gdc-sdk-core-ts/docs/101-SDK_PACKAGE_BOUNDARIES.md](https://github.com/Global-DataCare/gdc-sdk-core-ts/blob/main/docs/101-SDK_PACKAGE_BOUNDARIES.md)
+   Why `core`, `node`, and `front` are separate packages, what each one owns,
+   and why frontend facades should mirror backend actor boundaries.
+1. [docs/101-SDK_INTEGRATION.md](./docs/101-SDK_INTEGRATION.md)
+  Real frontend/native setup, imports, `new ClientSDK(...)`,
+  `initializeCommunicationIdentity(...)`, provider discovery, and
    `initializeSession(...)`.
 2. [docs/DATASPACE_DISCOVERY_FRONTEND_TODO.md](./docs/DATASPACE_DISCOVERY_FRONTEND_TODO.md)
    Frontend discovery guide for BFF-first provider/operator discovery, UI card
    mapping, and copy/paste backend DTO consumption.
-3. [gdc-sdk-core-ts/docs/SDK_FLOWS_101.md](https://github.com/Global-DataCare/gdc-sdk-core-ts/blob/main/docs/SDK_FLOWS_101.md)
+3. [gdc-sdk-core-ts/docs/101-SDK_FLOWS.md](https://github.com/Global-DataCare/gdc-sdk-core-ts/blob/main/docs/101-SDK_FLOWS.md)
    Shared business-flow map by actor family.
-4. [gdc-common-utils-ts/src/examples/frontend-session.ts](https://github.com/Global-DataCare/gdc-common-utils-ts/blob/main/src/examples/frontend-session.ts)
+4. [gdc-sdk-node-ts/docs/101-LIVE_GW_LOCAL.md](https://github.com/Global-DataCare/gdc-sdk-node-ts/blob/main/docs/101-LIVE_GW_LOCAL.md)
+   Canonical local/TTY/Docker GW reference when the frontend team also needs a
+   real local GW running for end-to-end checks.
+5. [gdc-common-utils-ts/src/examples/frontend-session.ts](https://github.com/Global-DataCare/gdc-common-utils-ts/blob/main/src/examples/frontend-session.ts)
    Shared profile/session payload source of truth.
-5. [gdc-common-utils-ts/docs/LIFECYCLE_101.md](https://github.com/Global-DataCare/gdc-common-utils-ts/blob/main/docs/LIFECYCLE_101.md)
+6. [gdc-common-utils-ts/docs/LIFECYCLE_101.md](https://github.com/Global-DataCare/gdc-common-utils-ts/blob/main/docs/LIFECYCLE_101.md)
    Canonical lifecycle semantics and reusable placeholders for UI and portal flows.
 
 If you need the shortest path:
@@ -37,12 +50,12 @@ If you need the shortest path:
 - app identity required by GW CORE:
   `appId` mandatory, `appVersion` optional with default `v1.0`
 - frontend technical identity:
-  [`initializeCommunicationIdentity(...)`](./docs/SDK_INTEGRATION_101.md)
+  [`initializeCommunicationIdentity(...)`](./docs/101-SDK_INTEGRATION.md)
   for the technical device/channel profile identity, not the legal organization id
 - main runtime class:
   [`ClientSDK`](src/ClientSDK.ts)
 - profile/session bootstrap:
-  [`initializeSession(...)`](./docs/SDK_INTEGRATION_101.md)
+  [`initializeSession(...)`](./docs/101-SDK_INTEGRATION.md)
 
 ## Executable Usage Examples
 
@@ -83,18 +96,33 @@ Copy/paste starting point:
 import { HttpDataspaceDiscoveryClient } from 'gdc-sdk-front-ts';
 import { ServiceCapabilityToken } from 'gdc-common-utils-ts/constants';
 
+// Frontend talks to its own backend/BFF.
+// The frontend should not need to know `networkType` or host bootstrap rules.
 const discoveryClient = new HttpDataspaceDiscoveryClient({
   endpointUrl: '/api/dataspace-discovery/providers',
 });
 
+// Ask for providers for one business sector in one jurisdiction.
 const result = await discoveryClient.listPublishedProviders({
   sector: 'animal-care',
   jurisdiction: 'ES',
   coverageScope: 'EU',
   providerCapability: ServiceCapabilityToken.IndexProvider,
 });
+
+// Use the returned cards directly in the UI.
+for (const provider of result.providers) {
+  console.log(provider.did, provider.title, provider.endpointUrl);
+}
 ```
 
+What happens behind that frontend call:
+
+- frontend sends `sector + jurisdiction + capability` to its backend
+- backend uses `gdc-sdk-node-ts` with `default-first`
+- backend resolves hosts and providers
+- frontend receives normalized cards and renders them
+
 ## Actor Split And UI Scope
 
 The frontend package must also start from actor families, because screens and

package/dist/ProfileManager.d.ts

@@ -1,11 +1,25 @@
 import type { DeviceAppType, DeviceUserClass } from 'gdc-common-utils-ts/constants';
 import type { Profile } from './types.js';
 import type { CommonServices, FamilyAdminServices, IndividualServices, OrgAdminServices, ProfessionalServices } from './roleRegistry.js';
+import { HostOnboardingSdk } from './orchestration/host-onboarding-sdk.js';
+import { IndividualControllerSdk } from './orchestration/individual-controller-sdk.js';
+import { IndividualMemberSdk } from './orchestration/individual-member-sdk.js';
+import { OrganizationControllerSdk } from './orchestration/organization-controller-sdk.js';
+import { OrganizationEmployeeSdk } from './orchestration/organization-employee-sdk.js';
+import { PersonalSdk } from './orchestration/personal-sdk.js';
+import { ProfessionalSdk } from './orchestration/professional-sdk.js';
 /**
  * Role-scoped session object returned by `ClientSDK.initializeSession(...)`.
  *
  * It exposes the common/auth surface plus the services allowed by the current
  * profile capabilities.
+ *
+ * Architectural note:
+ * `ProfileManager` remains the frontend session/composition entry point, but it
+ * also materializes actor-scoped facades that mirror `gdc-sdk-node-ts`.
+ *
+ * The goal is to preserve the legacy/frontend-friendly session API while
+ * keeping the same actor boundaries as the backend runtime.
  */
 export declare class ProfileManager {
     readonly profile: Profile;
@@ -17,6 +31,7 @@ export declare class ProfileManager {
     readonly familyAdmin?: FamilyAdminServices;
     readonly individual?: IndividualServices;
     readonly professional?: ProfessionalServices;
+    private readonly runtimeClient;
     /**
      * @param profile Current logical profile.
      * @param orgDid DID of the provider/organization used as the session anchor.
@@ -131,6 +146,13 @@ export declare class ProfileManager {
     }): Promise<{
         thid: string;
     }>;
+    asHostOnboarding(): HostOnboardingSdk;
+    asOrganizationController(): OrganizationControllerSdk;
+    asOrganizationEmployee(): OrganizationEmployeeSdk;
+    asIndividualController(): IndividualControllerSdk;
+    asIndividualMember(): IndividualMemberSdk;
+    asPersonal(): PersonalSdk;
+    asProfessional(): ProfessionalSdk;
 }
 /**
  * Preferred neutral frontend actor-session surface.

package/dist/ProfileManager.js

@@ -1,11 +1,26 @@
 // Copyright 2026 Antifraud Services Inc. under the Apache License, Version 2.0.
 import { CommonAuthService } from './services.js';
 import { mapCapabilitiesToServices } from './capabilityMapper.js';
+import { HostOnboardingSdk, } from './orchestration/host-onboarding-sdk.js';
+import { IndividualControllerSdk } from './orchestration/individual-controller-sdk.js';
+import { IndividualMemberSdk } from './orchestration/individual-member-sdk.js';
+import { OrganizationControllerSdk } from './orchestration/organization-controller-sdk.js';
+import { OrganizationEmployeeSdk } from './orchestration/organization-employee-sdk.js';
+import { PersonalSdk } from './orchestration/personal-sdk.js';
+import { ProfessionalSdk } from './orchestration/professional-sdk.js';
+import { createSyntheticSubmitAndPollResult } from './orchestration/client-port.js';
 /**
  * Role-scoped session object returned by `ClientSDK.initializeSession(...)`.
  *
  * It exposes the common/auth surface plus the services allowed by the current
  * profile capabilities.
+ *
+ * Architectural note:
+ * `ProfileManager` remains the frontend session/composition entry point, but it
+ * also materializes actor-scoped facades that mirror `gdc-sdk-node-ts`.
+ *
+ * The goal is to preserve the legacy/frontend-friendly session API while
+ * keeping the same actor boundaries as the backend runtime.
  */
 export class ProfileManager {
     /**
@@ -21,6 +36,111 @@ export class ProfileManager {
         this.familyAdmin = mapped.familyAdmin;
         this.individual = mapped.individual;
         this.professional = mapped.professional;
+        this.runtimeClient = {
+            activateOrganizationInGatewayFromIcaProof: (input) => {
+                if (!this.orgAdmin?.admin)
+                    throw new Error('orgAdmin.admin service is not available for this profile.');
+                return this.orgAdmin.admin.activateOrganizationInGatewayFromIcaProof(input);
+            },
+            confirmLegalOrganizationOrder: (input) => {
+                if (!this.orgAdmin?.admin)
+                    throw new Error('orgAdmin.admin service is not available for this profile.');
+                return this.orgAdmin.admin.confirmLegalOrganizationOrder(input);
+            },
+            createOrganizationEmployee: (ctx, input) => {
+                if (!this.orgAdmin?.admin)
+                    throw new Error('orgAdmin.admin service is not available for this profile.');
+                return this.orgAdmin.admin.createOrganizationEmployee(ctx.providerDid, ctx.idToken, input)
+                    .then((result) => createSyntheticSubmitAndPollResult(result.thid));
+            },
+            disableEmployee: (ctx, input) => {
+                if (!this.orgAdmin?.admin)
+                    throw new Error('orgAdmin.admin service is not available for this profile.');
+                return this.orgAdmin.admin.disableEmployee(ctx.providerDid, ctx.idToken, input);
+            },
+            purgeEmployee: (ctx, input) => {
+                if (!this.orgAdmin?.admin)
+                    throw new Error('orgAdmin.admin service is not available for this profile.');
+                return this.orgAdmin.admin.purgeEmployee(ctx.providerDid, ctx.idToken, input);
+            },
+            activateEmployeeDeviceWithActivationRequest: (ctx, input) => this.common.auth.activateEmployeeDeviceWithActivationRequest(input.activationCode, ctx.providerDid, ctx.idToken, input.dcrPayload),
+            requestSmartToken: (input) => this.common.auth.requestSmartToken(input),
+            startIndividualOrganization: (ctx, input) => {
+                if (!this.familyAdmin?.admin)
+                    throw new Error('familyAdmin.admin service is not available for this profile.');
+                return this.familyAdmin.admin.startIndividualOrganization(ctx.providerDid, ctx.idToken, input);
+            },
+            confirmIndividualOrganizationOrder: (ctx, input) => {
+                if (!this.familyAdmin?.admin)
+                    throw new Error('familyAdmin.admin service is not available for this profile.');
+                return this.familyAdmin.admin.confirmIndividualOrganizationOrder(ctx.providerDid, ctx.idToken, input);
+            },
+            disableIndividual: (ctx, input) => {
+                if (!this.familyAdmin?.admin)
+                    throw new Error('familyAdmin.admin service is not available for this profile.');
+                return this.familyAdmin.admin.disableIndividual(ctx.providerDid, ctx.idToken, input);
+            },
+            purgeIndividual: (ctx, input) => {
+                if (!this.familyAdmin?.admin)
+                    throw new Error('familyAdmin.admin service is not available for this profile.');
+                return this.familyAdmin.admin.purgeIndividual(ctx.providerDid, ctx.idToken, input);
+            },
+            disableIndividualMember: (ctx, input) => {
+                if (!this.familyAdmin?.admin)
+                    throw new Error('familyAdmin.admin service is not available for this profile.');
+                return this.familyAdmin.admin.disableIndividualMember(ctx.providerDid, ctx.idToken, input);
+            },
+            purgeIndividualMember: (ctx, input) => {
+                if (!this.familyAdmin?.admin)
+                    throw new Error('familyAdmin.admin service is not available for this profile.');
+                return this.familyAdmin.admin.purgeIndividualMember(ctx.providerDid, ctx.idToken, input);
+            },
+            grantProfessionalAccess: (ctx, input) => {
+                if (this.professional?.physician) {
+                    return this.professional.physician.grantProfessionalAccess({ ...input, providerDid: ctx.providerDid, requiredScope: ctx.requiredScope, idToken: ctx.idToken });
+                }
+                if (!this.individual?.service)
+                    throw new Error('individual.service is not available for this profile.');
+                return this.individual.service.grantProfessionalAccess({ ...input, providerDid: ctx.providerDid, requiredScope: ctx.requiredScope || '', idToken: ctx.idToken });
+            },
+            importIpsOrFhirAndUpdateIndex: (ctx, input) => {
+                if (!this.individual?.service)
+                    throw new Error('individual.service is not available for this profile.');
+                return this.individual.service.importIpsOrFhirAndUpdateIndex(input.compositionPayload, ctx.providerDid, ctx.requiredScope || '', ctx.idToken, input.format).then((result) => createSyntheticSubmitAndPollResult(result.thid));
+            },
+            upsertRelatedPersonAndPoll: (ctx, input) => {
+                if (!this.individual?.service)
+                    throw new Error('individual.service is not available for this profile.');
+                return this.individual.service.upsertRelatedPersonAndPoll(input.relatedPersonPayload, ctx.providerDid, ctx.requiredScope || '', ctx.idToken);
+            },
+            ingestCommunicationAndUpdateIndex: (ctx, input) => {
+                if (this.professional?.physician) {
+                    return this.professional.physician.ingestCommunicationAndUpdateIndex(input.communicationPayload, ctx.providerDid, ctx.requiredScope || '', ctx.idToken, input.pathFormatSegment);
+                }
+                if (this.professional?.paramedic) {
+                    return this.professional.paramedic.ingestCommunicationAndUpdateIndex(input.communicationPayload, ctx.providerDid, ctx.requiredScope || '', ctx.idToken, input.pathFormatSegment);
+                }
+                if (!this.individual?.service)
+                    throw new Error('individual.service is not available for this profile.');
+                return this.individual.service.ingestCommunicationAndUpdateIndex(input.communicationPayload, ctx.providerDid, ctx.requiredScope || '', ctx.idToken, input.pathFormatSegment);
+            },
+            generateDigitalTwinFromSubjectData: (ctx, input) => {
+                if (!this.individual?.service)
+                    throw new Error('individual.service is not available for this profile.');
+                return this.individual.service.generateDigitalTwinFromSubjectData(input.compositionPayload, ctx.providerDid, ctx.requiredScope || '', ctx.idToken, input.format).then((result) => createSyntheticSubmitAndPollResult(result.thid));
+            },
+            searchClinicalBundle: (ctx, input) => {
+                if (!this.individual?.service)
+                    throw new Error('individual.service is not available for this profile.');
+                return this.individual.service.searchClinicalBundle(input, ctx.providerDid, ctx.requiredScope || '', ctx.idToken);
+            },
+            getLatestIps: (ctx, subject) => {
+                if (!this.individual?.service)
+                    throw new Error('individual.service is not available for this profile.');
+                return this.individual.service.getLatestIps(subject, ctx.providerDid, ctx.requiredScope || '', ctx.idToken);
+            },
+            submitAndPoll: async (_submitPath, _pollPath, payload) => createSyntheticSubmitAndPollResult(String(payload.thid || `front-${Date.now()}`)),
+        };
     }
     /**
      * Organization-admin helper for employee/professional creation.
@@ -67,6 +187,41 @@ export class ProfileManager {
         }
         return this.individual.service.generateDigitalTwinFromSubjectData(params.compositionPayload, params.providerDid, params.requiredScope, params.idToken, params.format);
     }
+    asHostOnboarding() {
+        if (!this.orgAdmin?.admin)
+            throw new Error('HostOnboardingSdk is not available for this profile.');
+        return new HostOnboardingSdk(this.runtimeClient);
+    }
+    asOrganizationController() {
+        if (!this.orgAdmin?.admin)
+            throw new Error('OrganizationControllerSdk is not available for this profile.');
+        return new OrganizationControllerSdk(this.runtimeClient);
+    }
+    asOrganizationEmployee() {
+        return new OrganizationEmployeeSdk(this.runtimeClient);
+    }
+    asIndividualController() {
+        if (!this.familyAdmin?.admin)
+            throw new Error('IndividualControllerSdk is not available for this profile.');
+        return new IndividualControllerSdk(this.runtimeClient);
+    }
+    asIndividualMember() {
+        if (!this.individual?.service)
+            throw new Error('IndividualMemberSdk is not available for this profile.');
+        return new IndividualMemberSdk(this.runtimeClient);
+    }
+    asPersonal() {
+        if (!this.familyAdmin?.admin && !this.individual?.service) {
+            throw new Error('PersonalSdk is not available for this profile.');
+        }
+        return new PersonalSdk(this.runtimeClient);
+    }
+    asProfessional() {
+        if (!this.professional?.physician && !this.professional?.paramedic && !this.individual?.service) {
+            throw new Error('ProfessionalSdk is not available for this profile.');
+        }
+        return new ProfessionalSdk(this.runtimeClient);
+    }
 }
 /**
  * Preferred neutral frontend actor-session surface.

package/dist/gdc-common-utils-ts/src/AesManager.d.ts

@@ -0,0 +1,27 @@
+import { ProtectedDataAES } from './models/aes';
+/**
+ * Manages AES-GCM encryption and decryption using Node's native crypto module.
+ * This class handles the core cryptography and the base64url serialization required for JWE.
+ */
+export declare class AesManager {
+    private readonly ALGORITHM;
+    private readonly KEY_SIZE;
+    private readonly IV_GENERATION_SIZE;
+    private readonly TAG_SIZE_BYTES;
+    /**
+     * Encrypts a plaintext string and returns the components as base64url strings.
+     * @param plaintext The stringified data to encrypt (e.g. a stringified object or ASCII string from raw bytes)
+     * @param cekBytes The 32-byte Content Encryption Key.
+     * @param aad The Additional Authenticated Data string for integrity protection.
+     * @returns A promise resolving to the JWE-compatible encrypted components.
+     */
+    encrypt(plaintext: string, cekBytes: Uint8Array, aad: string): Promise<ProtectedDataAES>;
+    /**
+     * Decrypts JWE-compatible encrypted components back to a plaintext string.
+     * @param encryptedData The object containing the base64url-encoded ciphertext, iv, and tag.
+     * @param cekBytes The 32-byte Content Encryption Key.
+     * @param aad The Additional Authenticated Data for integrity verification.
+     * @returns A promise resolving to the decrypted plaintext string.
+     */
+    decrypt(encryptedData: ProtectedDataAES, cekBytes: Uint8Array, aad: string): Promise<string>;
+}

package/dist/gdc-common-utils-ts/src/AesManager.js

@@ -0,0 +1,64 @@
+// Copyright 2025 Antifraud Services Inc. under the Apache License, Version 2.0.
+// File: crypto-ts/AesManager.ts
+import { createCipheriv, createDecipheriv, randomBytes } from 'crypto';
+import { Content } from './utils/content';
+/**
+ * Manages AES-GCM encryption and decryption using Node's native crypto module.
+ * This class handles the core cryptography and the base64url serialization required for JWE.
+ */
+export class AesManager {
+    constructor() {
+        this.ALGORITHM = 'aes-256-gcm';
+        this.KEY_SIZE = 32; // 256-bit key
+        this.IV_GENERATION_SIZE = 12; // 96-bit IV, recommended by NIST for GCM
+        this.TAG_SIZE_BYTES = 16; // 128-bit authentication tag
+    }
+    /**
+     * Encrypts a plaintext string and returns the components as base64url strings.
+     * @param plaintext The stringified data to encrypt (e.g. a stringified object or ASCII string from raw bytes)
+     * @param cekBytes The 32-byte Content Encryption Key.
+     * @param aad The Additional Authenticated Data string for integrity protection.
+     * @returns A promise resolving to the JWE-compatible encrypted components.
+     */
+    async encrypt(plaintext, cekBytes, aad) {
+        if (cekBytes.length !== this.KEY_SIZE) {
+            throw new Error(`Invalid key length: a ${this.KEY_SIZE}-byte key is required.`);
+        }
+        const iv = randomBytes(this.IV_GENERATION_SIZE);
+        const aadBytes = Content.stringToBytesUTF8(aad);
+        const cipher = createCipheriv(this.ALGORITHM, cekBytes, iv, {
+            authTagLength: this.TAG_SIZE_BYTES
+        });
+        cipher.setAAD(aadBytes);
+        const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+        const tag = cipher.getAuthTag();
+        return {
+            ciphertext: Content.bytesToRawBase64UrlSafe(ciphertext),
+            iv: Content.bytesToRawBase64UrlSafe(iv),
+            tag: Content.bytesToRawBase64UrlSafe(tag),
+        };
+    }
+    /**
+     * Decrypts JWE-compatible encrypted components back to a plaintext string.
+     * @param encryptedData The object containing the base64url-encoded ciphertext, iv, and tag.
+     * @param cekBytes The 32-byte Content Encryption Key.
+     * @param aad The Additional Authenticated Data for integrity verification.
+     * @returns A promise resolving to the decrypted plaintext string.
+     */
+    async decrypt(encryptedData, cekBytes, aad) {
+        if (cekBytes.length !== this.KEY_SIZE) {
+            throw new Error(`Invalid key length: a ${this.KEY_SIZE}-byte key is required.`);
+        }
+        const ciphertextBytes = Content.base64ToBytes(encryptedData.ciphertext);
+        const tagBytes = Content.base64ToBytes(encryptedData.tag);
+        const ivBytes = Content.base64ToBytes(encryptedData.iv);
+        const aadBytes = Content.stringToBytesUTF8(aad);
+        const decipher = createDecipheriv(this.ALGORITHM, cekBytes, ivBytes, {
+            authTagLength: this.TAG_SIZE_BYTES
+        });
+        decipher.setAuthTag(tagBytes);
+        decipher.setAAD(aadBytes);
+        const decryptedBytes = Buffer.concat([decipher.update(ciphertextBytes), decipher.final()]);
+        return Content.bytesToStringUTF8(decryptedBytes);
+    }
+}

package/dist/gdc-common-utils-ts/src/CryptographyService.d.ts

@@ -0,0 +1,76 @@
+import { ICryptoHelper } from './interfaces/ICryptoHelper';
+import { ICryptography } from './interfaces/ICryptography';
+import { DataCompactJWT, JwtCompactParts } from './models/jwt';
+import { JweObject } from './models/jwe';
+import { MlkemPublicJwk, MldsaPublicJwk, PublicJwk, MlkemPrivateJwk, MldsaAlg, MlkemCurve } from './interfaces/Cryptography.types';
+import { ProtectedDataAES } from './models/aes';
+/**
+ * Implements the ICryptography interface, providing a complete suite of low-level,
+ * stateless cryptographic functions. This service is the "engine" of the security layer,
+ * orchestrating Post-Quantum and AES primitives.
+ */
+export declare class CryptographyService implements ICryptography {
+    private aesManager;
+    private cryptoHelper;
+    private mlDsaModule;
+    private mlKemModule;
+    private readonly ML_KEM_SEED_SIZE;
+    private readonly ML_DSA_SEED_SIZE;
+    constructor(cryptoHelper: ICryptoHelper);
+    private loadMlDsa;
+    private loadMlKem;
+    digestString(data: string, algorithm: string): Promise<string>;
+    generateKeyPairMlKem(seedBytes?: Uint8Array, crv?: MlkemCurve): Promise<{
+        publicJWKey: MlkemPublicJwk & {
+            kid: string;
+        };
+        secretKeyBytes: Uint8Array;
+    }>;
+    generateKeyPairMlDsa(seedBytes?: Uint8Array, alg?: MldsaAlg): Promise<{
+        publicJWKey: MldsaPublicJwk & {
+            kid: string;
+        };
+        secretKeyBytes: Uint8Array;
+    }>;
+    encryptJwe(payload: object, protectedHeader: object, secretJWKey: MlkemPrivateJwk, recipientsJWKeys: MlkemPublicJwk[]): Promise<JweObject>;
+    encryptJweToCompact(payload: object | string, protectedHeader: object, secretJWKey: MlkemPrivateJwk, recipientJWKey: MlkemPublicJwk): Promise<string>;
+    decryptJwe(jwe: JweObject | string, secretKeyJwk: MlkemPrivateJwk): Promise<{
+        decryptedBytes: Uint8Array;
+        protectedHeader: object;
+    }>;
+    getRecipientKidsFromJwe(jwe: JweObject | string): string[];
+    signDataJws(payload: object, protectedHeader: object, secretKeyBytes: Uint8Array): Promise<JwtCompactParts>;
+    verifyJws(jws: JwtCompactParts | string, publicJwk: PublicJwk): Promise<boolean>;
+    verifyDetachedJws(payloadBytes: Uint8Array, detachedJws: string, publicJWKey: PublicJwk): Promise<boolean>;
+    encrypt(plaintext: string, cekBytes: Uint8Array, aad: string): Promise<ProtectedDataAES>;
+    decrypt(encryptedData: ProtectedDataAES, cekBytes: Uint8Array, aad: string): Promise<string>;
+    encapsulate(cekSeedBytes: Uint8Array, secretKeyBytes: Uint8Array, recipientPublicKeyBytes: Uint8Array): Promise<{
+        encapsulatedCekBytes: Uint8Array;
+        derivedCekBytes: Uint8Array;
+    }>;
+    decapsulate(encapsulatedBytes: Uint8Array, secretKeyBytes: Uint8Array): Promise<Uint8Array>;
+    signBytes(payloadBytes: Uint8Array, secretKeyBytes: Uint8Array, alg: MldsaAlg): Promise<Uint8Array>;
+    verifyBytes(signatureBytes: Uint8Array, dataBytes: Uint8Array, publicKey: PublicJwk): Promise<boolean>;
+    jwsToCompact(jws: DataCompactJWT): string;
+    parseCompactJws(jwsString: string): DataCompactJWT;
+    parseCompactJwe(jweString: string): JweObject;
+    /**
+     * Computes a JWK thumbprint using a specified hash algorithm.
+     * This implementation is platform-agnostic by using the injected ICryptoHelper.
+     */
+    private _computeJwkThumbprint;
+    /**
+     * Creates a canonical string from a simple, flat JSON object as required by
+     * RFC 7638 for JWK thumbprints.
+     */
+    private _canonicalizeForJwkThumbprint;
+    /**
+     * Extracts the Base JWK for thumbprint calculation per RFC 7638.
+     * This handles both Post-Quantum (OKP, AKP) and legacy (EC) key types.
+     */
+    private _toBaseJwk;
+    /**
+     * Utility to convert a hex string to a Uint8Array.
+     */
+    private _hexToBytes;
+}