ns-auth-sdk 1.14.0 → 1.14.2

package/dist/browser-index.d.cts

@@ -0,0 +1,1998 @@
+import { EventStore } from "applesauce-core";
+import { BehaviorSubject } from "rxjs";
+export * from "applesauce-core";
+
+//#region src/types/zkm.d.ts
+/**
+ * ZK Membership Root of Trust Types
+ * Semaphore-style: only root is published, members prove anonymously
+ * @packageDocumentation
+ */
+interface ZKMGroup {
+  id: string;
+  root: string;
+  members: ZKMIdentity$1[];
+  createdAt: string;
+}
+interface ZKMIdentity$1 {
+  /** Private key - never exposed */
+  privateKey: string;
+  /** Public commitment - can be shared */
+  commitment: string;
+}
+interface ZKMGroupInfo {
+  groupId: string;
+  root: string;
+  adminCommitment?: string;
+  createdAt: string;
+  expiresAt?: string;
+}
+interface ZKMMembershipProof {
+  groupId: string;
+  root: string;
+  proof: string;
+  nullifier: string;
+  scope: string;
+  issuedAt: string;
+  expiresAt?: string;
+}
+interface ZKMVerifierConfig {
+  circuitUrl?: string;
+  verificationKey?: any;
+}
+interface ZKMScheme {
+  identitySecret: string;
+  groupId: string;
+  groupRoot: string;
+  scope?: string;
+}
+interface ZKMVerificationRequest {
+  identity: ZKMIdentity$1;
+  group: ZKMGroup;
+  scope?: string;
+}
+//#endregion
+//#region src/types/nostr.d.ts
+/**
+ * Nostr event types
+ */
+interface Event {
+  id?: string;
+  pubkey?: string;
+  created_at?: number;
+  kind: number;
+  tags?: string[][];
+  content: string;
+  sig?: string;
+}
+/**
+ * Profile metadata (Kind 0)
+ */
+interface ProfileMetadata {
+  name?: string;
+  display_name?: string;
+  about?: string;
+  picture?: string;
+  website?: string;
+  [key: string]: unknown;
+}
+/**
+ * Follow list entry (from Kind 3 tags)
+ */
+interface FollowEntry {
+  pubkey: string;
+  relay?: string;
+  petname?: string;
+}
+//#endregion
+//#region src/types/vlei.d.ts
+type VLEITagData = [string, string, string, string, string, string, string, string, string?];
+interface RootOfTrustInfo {
+  aidPrefix: string;
+  lei: string;
+  legalName: string;
+  role: string;
+  roleCredentialSaid: string;
+  entityCredentialSaid: string;
+  verifiedAt: string;
+  expiresAt?: string;
+}
+interface KERIAConnection {
+  url: string;
+  aidName: string;
+  aidPrefix: string;
+}
+interface KERIACredential {
+  said: string;
+  schema: string;
+  issuer: string;
+  subject: Record<string, unknown>;
+  issuanceDate: string;
+  raw: unknown;
+}
+interface VLEICredentials {
+  entity: KERIACredential;
+  role: KERIACredential;
+}
+interface KERISignature {
+  signature: string;
+  signer: string;
+}
+interface MultisigVLEIConfig {
+  requireVLEI: boolean;
+  organization?: {
+    lei: string;
+    legalName: string;
+  };
+}
+//#endregion
+//#region src/types/eudi.d.ts
+/**
+ * Minimal EUDI claims for publishing - privacy-preserving like ZKPassport
+ */
+interface EUDIClaims {
+  /** Unique identifier (hashed holderDID, for verification) */
+  uniqueIdentifier: string;
+  /** Signature from Nostr key proving ownership of holderDID */
+  signature?: string;
+  /** Age verification status */
+  isOver18?: boolean;
+  /** Nationality (optional, only if user chooses to reveal) */
+  nationality?: string;
+  /** Verification timestamp */
+  verifiedAt: string;
+  /** Expiration timestamp */
+  expiresAt?: string;
+}
+interface EUDISession {
+  sessionId: string;
+  challenge: string;
+  verificationUrl: string;
+  requestUri: string;
+  expiresAt: number;
+}
+interface EUDIVerifierConfig {
+  url: string;
+  clientId: string;
+  clientSecret?: string;
+}
+interface EUDISessionRequest {
+  presentation_definition: {
+    id: string;
+    input_descriptors: Array<{
+      id: string;
+      constraints: {
+        fields: Array<{
+          path: string[];
+          filter?: {
+            type: string;
+            const: string;
+          };
+        }>;
+      };
+    }>;
+  };
+  nonce: string;
+  state?: string;
+  response_uri?: string;
+}
+interface EUDIVerificationResponse {
+  vp_token?: string;
+  presentation_submission?: {
+    id: string;
+    definition_id: string;
+    descriptor_map: Array<{
+      id: string;
+      format: string;
+      path: string;
+    }>;
+  };
+  error?: string;
+  error_description?: string;
+}
+interface EUDILegalClaims {
+  holderDID: string;
+  legalName: string;
+  lei: string;
+  legalForm?: string;
+  registeredAddress?: string;
+  vatNumber?: string;
+  taxReference?: string;
+  verifiedAt: string;
+  expiresAt?: string;
+}
+//#endregion
+//#region src/types/trust.d.ts
+interface VerificationStatus {
+  verified: boolean;
+  individual?: {
+    eudi?: EUDIClaims & {
+      expired?: boolean;
+    };
+    zkp?: ZKPClaims & {
+      expired?: boolean;
+    };
+  };
+  organization?: {
+    vlei?: RootOfTrustInfo & {
+      expired?: boolean;
+    };
+    eudiLegal?: EUDILegalClaims & {
+      expired?: boolean;
+    };
+  };
+  /** ZK Membership proofs - privacy-preserving group membership verification */
+  membership?: {
+    zkm?: ZKMMembershipProof & {
+      expired?: boolean;
+    };
+  };
+}
+type TrustLevel = 'none' | 'verified';
+declare function isTrustExpired(trust: {
+  expiresAt?: string;
+}): boolean;
+declare function getTrustLevelLabel(verified: boolean): string;
+//#endregion
+//#region src/types/zkp.d.ts
+interface ZKPClaims {
+  uniqueIdentifier: string;
+  proofSaid?: string;
+  firstName?: string;
+  nationality?: string;
+  isOver18?: boolean;
+  isEUCitizen?: boolean;
+  documentType?: string;
+  verifiedAt: string;
+  expiresAt?: string;
+}
+interface ZKPVerifierConfig {
+  appId: string;
+}
+type ZKPScope = 'eu-adult' | 'global-adult' | 'eu-citizen';
+interface ZKPVerificationRequest {
+  name: string;
+  logo?: string;
+  purpose: string;
+  scope: ZKPScope;
+  mode?: 'fast' | 'secure';
+  devMode?: boolean;
+}
+//#endregion
+//#region src/utils/types.d.ts
+/**
+ * Type definitions for Auth SDK (PRF Direct Usage Only)
+ * @packageDocumentation
+ */
+/**
+ * Nostr event JSON
+ */
+interface Event$1 {
+  id?: string;
+  pubkey?: string;
+  created_at?: number;
+  kind: number;
+  tags?: string[][];
+  content: string;
+  sig?: string;
+}
+/**
+ * Password-protected key bundle (stored in KeyInfo when PRF unavailable)
+ */
+interface PasswordProtectedBundle$1 {
+  publicKeySpkiBase64: string;
+  wrappedPrivateKeyBase64: string;
+  saltBase64: string;
+  ivBase64: string;
+}
+/**
+ * Frost multisig configuration for a key
+ */
+interface MultisigConfig {
+  threshold: number;
+  totalMembers: number;
+  relays: string[];
+  groupCredential: string;
+  shareCredential: string;
+  shareIndex: number;
+  /** vLEI verification requirement */
+  requireVLEI?: boolean;
+  /** Organization LEI if vLEI required */
+  organizationLEI?: string;
+}
+/**
+ * Encrypted FROST share credential — stored in KeyInfo
+ * The share is encrypted with the passkey-derived secret so it
+ * requires authentication to recover
+ */
+interface EncryptedMultisigBundle {
+  /** Base64 AES-GCM ciphertext */
+  ciphertext: string;
+  /** Base64 IV */
+  iv: string;
+  /** Base64 auth tag */
+  tag: string;
+  /** Group credential (not encrypted, needed for node setup) */
+  groupCredential: string;
+  /** Public multisig metadata */
+  threshold: number;
+  totalMembers: number;
+  relays: string[];
+  shareIndex: number;
+}
+/**
+ * Member to invite to a multisig group
+ */
+interface MultisigMember {
+  /** Member's Nostr pubkey (hex) */
+  pubkey: string;
+  /** Member's key package event (kind 443) for Marmot invite */
+  keyPackageEvent?: any;
+}
+/**
+ * Options for enabling multisig on an identity
+ */
+interface MultisigSetupOptions {
+  threshold: number;
+  totalMembers: number;
+  relays: string[];
+  /** Members to invite. Shares are distributed via Marmot Welcome messages. */
+  members?: MultisigMember[];
+  /** GroupManager instance for sending Welcome messages. Required if members are provided. */
+  groupManager?: any;
+  /** Organization info for vLEI verification (optional) */
+  organization?: {
+    lei: string;
+    legalName: string;
+  };
+  /** Require vLEI verification for all signers (optional, setup-time check) */
+  requireVLEI?: boolean;
+}
+/**
+ * Peer information in a multisig group
+ */
+interface PeerInfo {
+  pubkey: string;
+  status: 'online' | 'offline' | 'unknown';
+  latency?: number;
+}
+/**
+ * Result of enabling multisig
+ */
+interface MultisigSetupResult {
+  keyInfo: KeyInfo;
+  groupCredential: string;
+  shareCredential: string;
+  /** Number of members invited (shares distributed via Welcome messages) */
+  membersInvited: number;
+}
+/**
+ * Options for importing a FROST share credential into an existing identity
+ */
+interface MultisigImportOptions {
+  groupCredential: string;
+  shareCredential: string;
+  relays: string[];
+}
+/**
+ * Nostr key information (PRF or password-protected)
+ */
+interface KeyInfo {
+  credentialId: string;
+  pubkey: string;
+  salt: string;
+  username?: string;
+  passwordProtectedBundle?: PasswordProtectedBundle$1;
+  recovery?: KeyRecovery;
+  multisig?: EncryptedMultisigBundle;
+  /** Organization trust - vLEI or EUDI Legal PID */
+  organizationTrust?: {
+    vlei?: RootOfTrustInfo;
+    eudiLegal?: EUDILegalClaims;
+  };
+  /** Individual trust - EUDI PID and/or ZKPassport */
+  individualTrust?: {
+    eudi?: EUDIClaims;
+    zkp?: ZKPClaims;
+  };
+  /** ZK Membership proof - group membership */
+  membershipTrust?: ZKMMembershipProof;
+  /** ZK Membership group - the group root info */
+  groupTrust?: ZKMGroupInfo;
+  /** Unified trust providers — OAuth, EUDI, vLEI, ZKP, etc. */
+  trustProviders?: {
+    [provider: string]: TrustProviderEntry;
+  };
+}
+interface KeyRecovery {
+  recoveryPubkey: string;
+  recoverySalt: string;
+  createdAt?: number;
+  signature?: string;
+}
+interface PasskeyCreationOptions {
+  rp?: {
+    name?: string;
+    id?: string;
+  };
+  user?: {
+    name?: string;
+    displayName?: string;
+  };
+  authenticatorSelection?: AuthenticatorSelectionCriteria;
+  pubKeyCredParams?: PublicKeyCredentialParameters[];
+  extensions?: Record<string, unknown>;
+}
+/**
+ * Key options
+ */
+interface KeyOptions {
+  username?: string;
+  password?: string;
+  recoveryPassword?: string;
+}
+/**
+ * PRF secret
+ */
+interface GetPrfSecretOptions {
+  /** Relying Party ID */
+  rpId?: string;
+  timeout?: number;
+  userVerification?: UserVerificationRequirement;
+}
+interface KeyCacheOptions {
+  enabled: boolean;
+  timeoutMs?: number;
+  cacheOnCreation?: boolean;
+}
+/**
+ * KeyInfo
+ */
+interface NostrKeyStorageOptions {
+  /** KeyInfo */
+  enabled: boolean;
+  /** localStorage */
+  storage?: Storage;
+  /** keyinfo */
+  storageKey?: string;
+}
+/**
+ * Signing mode for events
+ */
+type SigningMode = 'individual' | 'multisig';
+/**
+ * Sign options
+ */
+interface SignOptions {
+  clearMemory?: boolean;
+  tags?: string[][];
+  password?: string;
+  mode?: SigningMode;
+}
+/**
+ * KeyManager
+ */
+interface KeyManagerOptions {
+  cacheOptions?: Partial<KeyCacheOptions>;
+  storageOptions?: Partial<NostrKeyStorageOptions>;
+  prfOptions?: GetPrfSecretOptions;
+}
+/**
+ * SDK public interface
+ */
+interface KeyManagerLike {
+  /**
+   * NIP-07
+   */
+  getPublicKey(): Promise<string>;
+  /**
+   * NIP-07
+   * KeyInfo
+   * @param event Nostr
+   */
+  signEvent(event: Event$1): Promise<Event$1>;
+  /**
+   * KeyInfo
+   * @param keyInfo KeyInfo
+   */
+  setCurrentKeyInfo(keyInfo: KeyInfo): void;
+  /**
+   * KeyInfo
+   */
+  getCurrentKeyInfo(): KeyInfo | null;
+  /**
+   * KeyInfo
+   * @returns KeyInfo
+   */
+  hasKeyInfo(): boolean;
+  /**
+   * KeyInfo
+   * @param options
+   */
+  setStorageOptions(options: Partial<NostrKeyStorageOptions>): void;
+  /**
+   * KeyInfo
+   */
+  getStorageOptions(): NostrKeyStorageOptions;
+  /**
+   * KeyInfo
+   */
+  clearStoredKeyInfo(): void;
+  /**
+     * Check if PRF is supported
+     */
+  checkPRFSupport(): Promise<boolean>;
+  /**
+   * @param options
+   * @returns Credential
+   */
+  createPasskey(options?: PasskeyCreationOptions): Promise<Uint8Array>;
+  /**
+   * Create KeyInfo - auto-detects PRF support and uses password fallback if needed
+   * @param credentialId Passkey credential ID
+   * @param password Password required if PRF not supported
+   * @param options
+   */
+  createKey(credentialId?: Uint8Array, password?: string, options?: KeyOptions): Promise<KeyInfo>;
+  /**
+   * @param event Nostr
+   * @param keyInfo KeyInfo
+   * @param options
+   */
+  signEventWithKeyInfo(event: Event$1, keyInfo: KeyInfo, options?: SignOptions): Promise<Event$1>;
+  /**
+   * @param options
+   */
+  setCacheOptions(options: Partial<KeyCacheOptions>): void;
+  getCacheOptions(): KeyCacheOptions;
+  /**
+   * @param credentialId
+   */
+  clearCachedKey(credentialId: Uint8Array | string): void;
+  clearAllCachedKeys(): void;
+  /**
+   * Export Nostr private key
+   * @param keyInfo KeyInfo
+   * @param credentialId Optional credential ID
+   * @param options.password Required for password-protected keys
+   */
+  exportNostrKey(keyInfo: KeyInfo, credentialId?: Uint8Array, options?: KeyOptions): Promise<string>;
+  /**
+   * Enable FROSTR multisig on the current identity
+   * @param options Threshold, total members, and relay configuration
+   */
+  enableMultisig(options: MultisigSetupOptions): Promise<MultisigSetupResult>;
+  /**
+   * Check if multisig is enabled on the current key
+   */
+  isMultisigEnabled(): boolean;
+  /**
+   * Get peer status for the current multisig group
+   */
+  getPeerStatus(): Promise<PeerInfo[]>;
+  /**
+   * Rotate shares — generate a new keyset, invalidating old shares
+   * @param newThreshold New threshold (defaults to current)
+   * @param newTotal New total members (defaults to current)
+   * @param members Members to redistribute shares to via Welcome messages
+   * @param groupManager GroupManager for sending Welcome messages
+   * @returns Array of new share credentials (only returned if no members provided for Welcome distribution)
+   */
+  rotateShares(newThreshold?: number, newTotal?: number, members?: MultisigMember[], groupManager?: any): Promise<string[]>;
+  /**
+   * Import a FROST share credential into the current identity
+   * The identity must already exist (created via createKey)
+   * @param options Group credential, share credential, and relay URLs
+   */
+  importMultisigShare(options: MultisigImportOptions): Promise<KeyInfo>;
+}
+/**
+ * Options for creating a Marmot group
+ */
+interface CreateGroupOptions {
+  description?: string;
+  adminPubkeys?: string[];
+  relays?: string[];
+}
+/**
+ * A message received from a Marmot group
+ */
+interface GroupMessage {
+  groupId: Uint8Array;
+  senderPubkey: string;
+  content: string;
+  kind: number;
+  timestamp: number;
+  tags: string[][];
+}
+/**
+ * A signing request sent via a Marmot group
+ */
+interface SigningRequest {
+  type: 'signing-request';
+  eventId: string;
+  description: string;
+  timestamp: number;
+}
+/**
+ * A share credential message sent via a Marmot group (encrypted in Welcome)
+ */
+interface ShareCredentialMessage {
+  type: 'share-credential';
+  shareCredential: string;
+  groupCredential: string;
+  relays: string[];
+  timestamp: number;
+}
+//#endregion
+//#region src/utils/nosskey.d.ts
+declare function deriveSaltFromUsername(username?: string): string;
+declare function parseRecoveryTag(tags: string[][]): KeyRecovery | null;
+declare function createRecoveryTag(recovery: KeyRecovery): string[];
+declare function getRecoverySignature(kind0: Event$1): string | null;
+declare function verifyRecoverySignature(kind0: Event$1): Promise<boolean>;
+/**
+ * Nosskey - Passkey-Derived Nostr Keys
+ */
+declare class KeyManager implements KeyManagerLike {
+  #private;
+  constructor(options?: KeyManagerOptions);
+  /**
+   * Storage options
+   * @param options
+   */
+  setStorageOptions(options: Partial<NostrKeyStorageOptions>): void;
+  /**
+   * Storage options
+   */
+  getStorageOptions(): NostrKeyStorageOptions;
+  /**
+   * Current KeyInfo
+   * @param keyInfo KeyInfo
+   */
+  setCurrentKeyInfo(keyInfo: KeyInfo): void;
+  /**
+   * Current KeyInfo
+   */
+  getCurrentKeyInfo(): KeyInfo | null;
+  /**
+   * Has KeyInfo
+   * @returns true if KeyInfo exists
+   */
+  hasKeyInfo(): boolean;
+  /**
+   * Clear stored KeyInfo
+   */
+  clearStoredKeyInfo(): void;
+  /**
+   * NIP-07
+   * KeyInfo
+   */
+  getPublicKey(): Promise<string>;
+  /**
+   * NIP-07
+   * KeyInfo
+   * @param event Nostr
+   */
+  signEvent(event: Event$1): Promise<Event$1>;
+  /**
+   * @param options
+   */
+  setCacheOptions(options: Partial<KeyCacheOptions>): void;
+  getCacheOptions(): KeyCacheOptions;
+  getCachedSecretKey(credentialId: Uint8Array | string): Uint8Array | undefined;
+  /**
+   * @param credentialId
+   */
+  clearCachedKey(credentialId: Uint8Array | string): void;
+  clearAllCachedKeys(): void;
+  /**
+   * @param options
+   * @returns Credential
+   */
+  createPasskey(options?: PasskeyCreationOptions): Promise<Uint8Array>;
+  /**
+     * Check if PRF is supported
+     */
+  checkPRFSupport(): Promise<boolean>;
+  /**
+   * Create Nostr key - automatically uses password fallback if PRF unavailable
+   * @param credentialId Passkey credential ID
+   * @param password Password for encryption (required if PRF not supported)
+   * @param options
+    */
+  createKey(credentialId?: Uint8Array, password?: string, options?: KeyOptions): Promise<KeyInfo>;
+  /**
+   * Create Nostr key using PRF (standard passkey flow)
+   */
+  createPrfNostrKey(credentialId?: Uint8Array, options?: KeyOptions): Promise<KeyInfo>;
+  /**
+   * Create Nostr key using password-derived key (fallback when PRF unavailable)
+   * @param password Password to derive the private key
+   * @param options
+   */
+  createPasswordProtectedNostrKey(password: string, options?: KeyOptions): Promise<KeyInfo>;
+  /**
+     * @param event Nostr
+     * @param keyInfo KeyInfo
+     * @param options
+     */
+  signEventWithKeyInfo(event: Event$1, keyInfo: KeyInfo, options?: SignOptions): Promise<Event$1>;
+  /**
+     * @param keyInfo KeyInfo
+     * @param credentialId KeyInfoのcredentialId
+     * @param options
+     * @returns
+     */
+  exportNostrKey(keyInfo: KeyInfo, credentialId?: Uint8Array, options?: KeyOptions): Promise<string>;
+  /**
+   * PRF
+   */
+  isPrfSupported(): Promise<boolean>;
+  /**
+   * Add password recovery to an existing PRF key
+   * @param password Password for recovery key
+   * @param currentCredentialId Current passkey credential ID
+   */
+  addPasswordRecovery(password: string, currentCredentialId?: Uint8Array): Promise<KeyInfo>;
+  /**
+   * Activate recovery using password
+   * Requires new credential ID from new device
+   * @param password Password for recovery key
+   * @param newCredentialId New passkey credential ID (required)
+   */
+  activateWithPassword(password: string, newCredentialId: Uint8Array): Promise<KeyInfo>;
+  /**
+   * Get the recovery data for publishing to kind-0
+   */
+  getRecoveryForKind0(): {
+    recoveryPubkey: string;
+    recoverySalt: string;
+    createdAt?: number;
+    signature?: string;
+  } | null;
+  /**
+   * Enable FROSTR multisig on the current identity
+   * Derives the secret key from the passkey, splits it into shares, encrypts the local share, and stores the config
+   * If members are provided with a GroupManager, shares are distributed via Marmot Welcome messages.
+   * @param options Threshold, total members, relay configuration, and optional members for Welcome-based distribution
+   */
+  enableMultisig(options: MultisigSetupOptions): Promise<MultisigSetupResult>;
+  /**
+   * Check if multisig is enabled on the current key
+   */
+  isMultisigEnabled(): boolean;
+  /**
+   * Get peer status for the current multisig group
+   */
+  getPeerStatus(): Promise<PeerInfo[]>;
+  /**
+   * Rotate shares — generate a new keyset, invalidating old shares
+   * If members are provided with a GroupManager, new shares are distributed via Welcome messages.
+   * Otherwise, new share credentials are returned for manual distribution.
+   * @param newThreshold New threshold (defaults to current)
+   * @param newTotal New total members (defaults to current)
+   * @param members Members to redistribute shares to via Welcome messages
+   * @param groupManager GroupManager for sending Welcome messages
+   * @returns Array of new share credentials (only if no members provided for Welcome distribution)
+   */
+  rotateShares(newThreshold?: number, newTotal?: number, members?: MultisigMember[], groupManager?: any): Promise<string[]>;
+  /**
+   * Import a FROST share credential into the current identity
+   * The identity must already exist (created via createKey)
+   * @param options Group credential, share credential, and relay URLs
+   */
+  importMultisigShare(options: MultisigImportOptions): Promise<KeyInfo>;
+}
+//#endregion
+//#region src/utils/multisig.d.ts
+declare class MultisigManager {
+  #private;
+  constructor(relays: string[]);
+  generateKeyset(threshold: number, totalMembers: number, secretHex: string): Promise<{
+    groupCredential: string;
+    shareCredentials: string[];
+  }>;
+  connectNode(config: MultisigConfig): Promise<any>;
+  getNode(): any;
+  signMessage(message: string): Promise<string>;
+  signBatch(messages: string[]): Promise<string[]>;
+  getPeers(): Promise<PeerInfo[]>;
+  disconnect(): void;
+  getConfig(): MultisigConfig | null;
+  isConnected(): boolean;
+}
+//#endregion
+//#region src/utils/utils.d.ts
+/**
+ * @packageDocumentation
+ */
+/**
+ * @param bytes
+ * @returns
+ */
+declare function bytesToHex(bytes: Uint8Array): string;
+/**
+ * @param hex
+ * @returns
+ */
+declare function hexToBytes(hex: string): Uint8Array;
+//#endregion
+//#region src/utils/crypto-utils.d.ts
+/**
+ * Cryptographic utilities for Nosskey
+ * @packageDocumentation
+ */
+/**
+ * PRF AES-GCM
+ * @param secret PRF
+ * @param salt
+ * @returns AES-GCM
+ */
+declare function deriveAesGcmKey(secret: Uint8Array, salt: Uint8Array): Promise<CryptoKey>;
+/**
+ * AES-GCM
+ * @param key
+ * @param iv
+ * @param plaintext
+ * @returns
+ */
+declare function aesGcmEncrypt(key: CryptoKey, iv: Uint8Array, plaintext: Uint8Array): Promise<{
+  ciphertext: Uint8Array<ArrayBuffer>;
+  tag: Uint8Array<ArrayBuffer>;
+}>;
+/**
+ * AES-GCM
+ * @param key
+ * @param iv
+ * @param ct
+ * @param tag
+ * @returns
+ */
+declare function aesGcmDecrypt(key: CryptoKey, iv: Uint8Array, ct: Uint8Array, tag: Uint8Array): Promise<Uint8Array>;
+//#endregion
+//#region src/utils/prf-handler.d.ts
+/**
+ * @returns PRF
+ */
+declare function isPrfSupported(): Promise<boolean>;
+/**
+ * @param options
+ * @returns Credential
+ */
+declare function createPasskey(options?: PasskeyCreationOptions): Promise<Uint8Array>;
+/**
+ * ID
+ * @param credentialId
+ * @param options PRF（rpId、timeout、userVerification）
+ * @returns PRF credentialID
+ */
+declare function getPrfSecret(credentialId?: Uint8Array, options?: GetPrfSecretOptions): Promise<{
+  secret: Uint8Array;
+  id: Uint8Array;
+}>;
+//#endregion
+//#region src/utils/prf-password-fallback.d.ts
+/**
+ * PRF support check with a password-protected-key fallback.
+ * If the PRF WebAuthn extension is unavailable, callers can fall back to a
+ * password-protected private key. The private key is wrapped with a password-
+ * derived AES-GCM key and stored alongside the public key (SPKI).
+ *
+ * This implementation uses @noble libraries for cryptographic operations,
+ * ensuring functionality even when Web Crypto API is unavailable.
+ */
+type PasswordProtectedBundle = {
+  publicKeySpkiBase64: string;
+  wrappedPrivateKeyBase64: string;
+  saltBase64: string;
+  ivBase64: string;
+};
+declare function checkPRFSupport(): Promise<boolean>;
+declare function generatePasswordProtectedKey(password: string): Promise<PasswordProtectedBundle>;
+declare function unwrapPasswordProtectedPrivateKey(bundle: PasswordProtectedBundle, password: string): Promise<Uint8Array>;
+declare function importPublicKeyFromBundle(bundle: PasswordProtectedBundle): Uint8Array;
+declare function deriveNostrPrivateKey(password: string, salt?: string): Uint8Array;
+declare function getPublicKeyFromPassword(password: string, salt?: string): string;
+//#endregion
+//#region src/utils/test-utils.d.ts
+/**
+ * Test utilities for sdk
+ * @packageDocumentation
+ */
+/**
+ * Helper for testing/debugging
+ * @param userId - User identifier
+ * @returns Promise resolving to the dummy credential
+ */
+declare function registerDummyPasskey(userId: string): Promise<PublicKeyCredential>;
+//#endregion
+//#region src/utils/group.d.ts
+declare class GroupManager {
+  #private;
+  constructor(options: {
+    signer: any;
+    network: any;
+    relays: string[];
+    dbName?: string;
+  });
+  initialize(): Promise<void>;
+  getClient(): any;
+  getInviteReader(): any;
+  /**
+   * Observable of unread group IDs.
+   * Emits whenever the unread state changes.
+   */
+  get unreadGroupIds$(): BehaviorSubject<string[]>;
+  createGroup(name: string, options?: CreateGroupOptions): Promise<any>;
+  onGroupChange(handler: (event: {
+    type: 'created' | 'joined';
+    group: any;
+  }) => void): () => void;
+  joinGroupFromWelcome(welcomeRumor: any): Promise<any>;
+  inviteMember(group: any, _memberPubkey: string): Promise<void>;
+  sendMessage(group: any, content: string, kind?: number): Promise<void>;
+  sendShareToMember(group: any, _memberPubkey: string, shareCredential: string, groupCredential: string, relays: string[]): Promise<void>;
+  onMessage(handler: (msg: GroupMessage) => void): () => void;
+  parseGroupMessage(message: GroupMessage): ShareCredentialMessage | {
+    type: 'signing-request';
+    description: string;
+  } | null;
+  getGroups(): Promise<any[]>;
+  leaveGroup(groupId: Uint8Array | string): Promise<void>;
+  destroyGroup(groupId: Uint8Array | string): Promise<void>;
+  /**
+   * Mark a group as read — clears the unread state up to the given timestamp.
+   * @param groupIdHex Group ID (hex string)
+   * @param seenAt Timestamp to mark as seen (seconds since epoch, defaults to now)
+   */
+  markGroupSeen(groupIdHex: string, seenAt?: number): Promise<void>;
+  /**
+   * Start the full event pipeline: ingestion, invite sync, and key package tracking.
+   * Must be called after initialize() and before any group operations that expect incoming messages.
+   */
+  start(): Promise<void>;
+  /**
+   * Stop all subscriptions and clean up resources.
+   */
+  stop(): void;
+  close(): void;
+  /**
+   * Decrypt pending gift wraps and process invites.
+   * Call this after user interaction to trigger decryption prompts.
+   */
+  processInvites(): Promise<void>;
+}
+//#endregion
+//#region src/utils/group-storage.d.ts
+declare class IndexedDBGroupStateBackend {
+  #private;
+  constructor(dbName?: string);
+  getItem(key: string): Promise<Uint8Array | null>;
+  setItem(key: string, value: Uint8Array): Promise<Uint8Array>;
+  removeItem(key: string): Promise<void>;
+  clear(): Promise<void>;
+  keys(): Promise<string[]>;
+}
+declare class IndexedDBKeyPackageStore {
+  #private;
+  constructor(dbName?: string);
+  getItem<T>(key: string): Promise<T | null>;
+  setItem<T>(key: string, value: T): Promise<T>;
+  removeItem(key: string): Promise<void>;
+  clear(): Promise<void>;
+  keys(): Promise<string[]>;
+}
+/**
+ * Generic IndexedDB key-value store backend.
+ * Implements the KeyValueStoreBackend<T> interface expected by Marmot.
+ */
+declare class IndexedDBKeyValueBackend {
+  #private;
+  constructor(dbName: string, storeName: string);
+  getItem<T>(key: string): Promise<T | null>;
+  setItem<T>(key: string, value: T): Promise<T>;
+  removeItem(key: string): Promise<void>;
+  clear(): Promise<void>;
+  keys(): Promise<string[]>;
+}
+//#endregion
+//#region src/utils/group-coordination.d.ts
+declare function createSigningRequest(eventId: string, description: string): string;
+declare function parseSigningRequest(message: GroupMessage): SigningRequest | null;
+declare function parseShareMessage(message: GroupMessage): ShareCredentialMessage | null;
+declare function createShareMessage(shareCredential: string, groupCredential: string, relays: string[]): string;
+//#endregion
+//#region src/utils/root-of-trust-verification.d.ts
+/**
+ * Result of any root of trust verification
+ */
+interface RootOfTrustVerificationResult {
+  type: 'vlei' | 'eudi' | 'eudil' | 'zkp' | 'zkm';
+  valid: boolean;
+  claims?: any;
+  error?: string;
+}
+/**
+ * Verification status for all root of trust types
+ */
+interface AllVerificationResults {
+  vlei?: RootOfTrustVerificationResult;
+  eudi?: RootOfTrustVerificationResult;
+  eudil?: RootOfTrustVerificationResult;
+  zkp?: RootOfTrustVerificationResult;
+  zkm?: RootOfTrustVerificationResult;
+}
+/**
+ * Verify vLEI tag from kind-0 event
+ * vLEI verifies organizational identity via KERIA/ACDC credentials
+ */
+declare function verifyVLEITag(kind0Event: Event): RootOfTrustVerificationResult;
+/**
+ * Verify EUDI tag from kind-0 event
+ * EUDI verifies individual identity with signature linking to Nostr key
+ */
+declare function verifyEUDITag(kind0Event: Event): Promise<RootOfTrustVerificationResult>;
+/**
+ * Verify EUDI Legal PID tag from kind-0 event
+ * EUDI Legal verifies organizational identity via OpenID4VCI
+ */
+declare function verifyEUDILegalTag(kind0Event: Event): Promise<RootOfTrustVerificationResult>;
+/**
+ * Verify ZKPassport tag from kind-0 event
+ * ZKP verifies zero-knowledge proofs without revealing identity
+ */
+declare function verifyZKPTag(kind0Event: Event): RootOfTrustVerificationResult;
+/**
+ * Verify ZK Membership tag from kind-0 event
+ * ZKM proves group membership without revealing identity
+ */
+declare function verifyZKMTag(kind0Event: Event): RootOfTrustVerificationResult;
+/**
+ * Verify all root of trust tags in a kind-0 event
+ */
+declare function verifyAllRootOfTrusts(kind0Event: Event): Promise<AllVerificationResults>;
+/**
+ * Check if any root of trust is verified on a profile
+ */
+declare function hasAnyVerifiedRootOfTrust(kind0Event: Event): Promise<boolean>;
+/**
+ * Get a summary of verification status
+ */
+declare function getVerificationSummary(kind0Event: Event): Promise<{
+  hasAnyTrust: boolean;
+  individualVerified: boolean;
+  organizationVerified: boolean;
+  membershipVerified: boolean;
+  details: string[];
+}>;
+//#endregion
+//#region src/types/auth.d.ts
+/**
+ * Authentication state interface
+ */
+interface AuthState {
+  isAuthenticated: boolean;
+  publicKey: string | null;
+  keyInfo: KeyInfo | null;
+  loginError: string | null;
+  setAuthenticated: (keyInfo: KeyInfo | null) => void;
+  setLoginError: (error: string | null) => void;
+  logout: () => void;
+}
+/**
+ * Auth service configuration
+ */
+interface AuthServiceConfig {
+  rpId?: string;
+  rpName?: string;
+  storageKey?: string;
+  cacheTimeoutMs?: number;
+  cacheOnCreation?: boolean;
+}
+/**
+ * Relay service configuration
+ */
+interface RelayServiceConfig {
+  relayUrls: string[];
+}
+/**
+ * SIOP v2 client metadata as defined in the spec
+ */
+interface SiopClientMetadata {
+  subject_syntax_types_supported: string[];
+  id_token_signed_response_alg?: string;
+}
+/**
+ * SIOP v2 authorization request configuration
+ */
+interface SiopConfig {
+  nonce: string;
+  clientId?: string;
+  redirectUri?: string;
+  idTokenType?: 'subject_signed_id_token' | 'attester_signed_id_token';
+  claims?: Record<string, unknown>;
+  clientMetadata?: SiopClientMetadata;
+}
+/**
+ * SIOP v2 authorization response
+ */
+interface SiopAuthResult {
+  idToken: string;
+  pubkey: string;
+  did: string;
+}
+/**
+ * DID:nostr verification method (Multikey format)
+ */
+interface DidNostrVerificationMethod {
+  id: string;
+  type: 'Multikey';
+  controller: string;
+  publicKeyMultibase: string;
+}
+/**
+ * DID:nostr service entry
+ */
+interface DidNostrService {
+  id: string;
+  type: string;
+  serviceEndpoint: string;
+}
+/**
+ * Nostr profile embedded in DID document
+ */
+interface DidNostrProfile {
+  name?: string;
+  about?: string;
+  picture?: string;
+  nip05?: string;
+  lud16?: string;
+  website?: string;
+  timestamp?: number;
+}
+/**
+ * DID:nostr document (offline-first resolution)
+ */
+interface DidNostrDocument {
+  '@context': string[];
+  id: string;
+  type: 'DIDNostr';
+  verificationMethod: DidNostrVerificationMethod[];
+  authentication: string[];
+  assertionMethod: string[];
+  alsoKnownAs?: string[];
+  service?: DidNostrService[];
+  profile?: DidNostrProfile;
+  follows?: string[];
+}
+/**
+ * NIP-42 authentication options
+ */
+interface Nip42AuthOptions {
+  relayUrl: string;
+  jwt?: string;
+  siop?: {
+    nonce: string;
+  };
+  timeoutMs?: number;
+}
+/**
+ * NIP-42 authentication result
+ */
+interface Nip42AuthResult {
+  success: boolean;
+  challenge: string;
+  pubkey: string;
+  websocket: WebSocket;
+}
+/**
+ * Built-in OAuth provider preset
+ */
+interface OAuthProviderPreset {
+  authorizationUrl: string;
+  tokenUrl: string;
+  defaultScope: string;
+}
+/**
+ * OAuth provider configuration
+ */
+interface OAuthProviderConfig {
+  provider: string;
+  clientId: string;
+  redirectUri: string;
+  scope?: string;
+  nostrPubkeyClaim?: string;
+  category?: 'individual' | 'organization' | 'authentication';
+}
+/**
+ * Encrypted OAuth bundle stored in TrustProviderEntry
+ */
+interface EncryptedOAuthBundle {
+  ciphertext: string;
+  iv: string;
+  tag: string;
+}
+/**
+ * Trust provider entry — unified store for all identity types
+ */
+interface TrustProviderEntry {
+  type: 'oauth' | 'eudi' | 'vlei' | 'zkp' | 'eudil' | 'custom';
+  category: 'individual' | 'organization' | 'authentication';
+  sub: string;
+  claims?: Record<string, unknown>;
+  verifiedAt: number;
+  expiresAt?: number;
+  encryptedBundle?: EncryptedOAuthBundle;
+  accessToken?: string;
+  scope?: string;
+}
+/**
+ * OAuth authentication result
+ */
+interface OAuthAuthResult {
+  provider: string;
+  accessToken: string;
+  refreshToken?: string;
+  expiresAt: number;
+  sub: string;
+  scope: string;
+  linked: boolean;
+}
+/**
+ * Linked provider status
+ */
+interface LinkedProviderStatus {
+  provider: string;
+  type: string;
+  category: string;
+  sub: string;
+  expiresAt?: number;
+}
+//#endregion
+//#region src/services/relay.service.d.ts
+/**
+ * Service for communicating with Nostr relays using applesauce-core
+ */
+declare class RelayService {
+  #private;
+  private eventStore;
+  private relayUrls;
+  private readonly maxProfileContentSize;
+  private readonly minProfileQueryIntervalMs;
+  private readonly minPublishIntervalMs;
+  private readonly lastActionAt;
+  constructor(config: RelayServiceConfig);
+  /**
+   * Initialize with applesauce EventStore
+   */
+  initialize(eventStore: EventStore): void;
+  /**
+   * Set relay URLs
+   */
+  setRelays(urls: string[]): void;
+  /**
+   * Get current relay URLs
+   */
+  getRelays(): string[];
+  /**
+   * Publish an event to relays
+   */
+  publishEvent(event: Event, timeoutMs?: number): Promise<boolean>;
+  /**
+   * Fetch a profile (Kind 0 event)
+   */
+  fetchProfile(pubkey: string): Promise<ProfileMetadata | null>;
+  /**
+   * Fetch role tag from profile event (Kind 0)
+   */
+  fetchProfileRoleTag(pubkey: string): Promise<string | null>;
+  /**
+   * Fetch a follow list (Kind 3 event)
+   */
+  fetchFollowList(pubkey: string): Promise<FollowEntry[]>;
+  /**
+   * Fetch multiple profiles in batch
+   */
+  fetchMultipleProfiles(pubkeys: string[]): Promise<Map<string, ProfileMetadata>>;
+  /**
+   * Query kind 0 events (profiles) by pubkey
+   * If pubkeys array is empty, fetches recent kind 0 events
+   */
+  queryProfiles(pubkeys?: string[], limit?: number): Promise<Map<string, ProfileMetadata>>;
+  /**
+   * Publish or update a kind 3 event (follow list/contacts)
+   */
+  publishFollowList(_pubkey: string, followList: FollowEntry[], signEvent: (event: Event) => Promise<Event>): Promise<boolean>;
+  /**
+   * Fetch the latest kind 0 event for a pubkey, returning the full event (content + tags)
+   */
+  fetchKind0Event(pubkey: string): Promise<{
+    content: string;
+    tags: string[][];
+  } | null>;
+  /**
+   * Publish or update a kind 0 event with recovery data
+   * Fetches the existing kind-0, preserves all content and tags, and amends the recovery "r" tag
+   * @param pubkey The identity's public key
+   * @param recoveryData Recovery data { recoveryPubkey, recoverySalt, createdAt, signature }
+   * @param signEvent Callback to sign the event
+   * @param content Optional content to use instead of fetching the existing kind-0. If not provided, the existing kind-0 content is preserved. Falls back to "{}" if no existing event.
+   */
+  publishRecoveryToKind0(pubkey: string, recoveryData: {
+    recoveryPubkey: string;
+    recoverySalt: string;
+    createdAt?: number;
+    signature?: string;
+  }, signEvent: (event: Event) => Promise<Event>, content?: string): Promise<boolean>;
+  /**
+   * Publish or update a kind 0 event with vLEI root of trust data
+   * Fetches the existing kind-0, preserves all content and tags, and adds/replaces vLEI tag
+   * Supports multiple roles via multiple vLEI tags
+   * @param pubkey The identity's public key
+   * @param rootOfTrust vLEI root of trust info
+   * @param signEvent Callback to sign the event
+   */
+  publishVLEIToKind0(pubkey: string, rootOfTrust: RootOfTrustInfo, signEvent: (event: Event) => Promise<Event>): Promise<boolean>;
+  /**
+   * Fetch all vLEI tags from a kind-0 event
+   * @param pubkey The identity's public key
+   */
+  fetchVLEITags(pubkey: string): Promise<RootOfTrustInfo[]>;
+  /**
+   * Publish or update a kind-0 event with EUDI root of trust data
+   * Fetches the existing kind-0, preserves all content and tags, and adds/replaces eudi tag
+   * @param pubkey The identity's public key
+   * @param eudiClaims EUDI claims info
+   * @param signEvent Callback to sign the event
+   */
+  publishEUDIToKind0(pubkey: string, eudiClaims: EUDIClaims, signEvent: (event: Event) => Promise<Event>): Promise<boolean>;
+  /**
+   * Fetch all EUDI tags from a kind-0 event
+   * @param pubkey The identity's public key
+   */
+  fetchEUDITags(pubkey: string): Promise<EUDIClaims[]>;
+  private validateRelayUrls;
+  private parseProfileMetadata;
+  private enforceRateLimit;
+  /**
+   * Publish or update a kind-0 event with ZKPassport root of trust data
+   * Fetches the existing kind-0, preserves all content and tags, and adds/replaces zkp tag
+   * @param pubkey The identity's public key
+   * @param zkpClaims ZKPassport claims
+   * @param signEvent Callback to sign the event
+   */
+  publishZKPToKind0(pubkey: string, zkpClaims: ZKPClaims, signEvent: (event: Event) => Promise<Event>): Promise<boolean>;
+  /**
+   * Fetch all ZKP tags from a kind-0 event
+   * @param pubkey The identity's public key
+   */
+  fetchZKPTags(pubkey: string): Promise<ZKPClaims[]>;
+  /**
+   * Publish or update a kind-0 event with EUDI Legal PID root of trust data
+   * Fetches the existing kind-0, preserves all content and tags, and adds/replaces eudil tag
+   * @param pubkey The identity's public key
+   * @param legalClaims EUDI Legal PID claims
+   * @param signEvent Callback to sign the event
+   */
+  publishEUDILegalToKind0(pubkey: string, legalClaims: EUDILegalClaims, signEvent: (event: Event) => Promise<Event>): Promise<boolean>;
+  /**
+   * Fetch all EUDI Legal PID tags from a kind-0 event
+   * @param pubkey The identity's public key
+   */
+  fetchEUDILegalTags(pubkey: string): Promise<EUDILegalClaims[]>;
+  /**
+   * Publish ZK Membership group root to kind-0 profile (Semaphore-style)
+   * Only publishes root, not individual members or proofs
+   * @param pubkey The identity's public key
+   * @param group ZKM Group with root
+   * @param signEvent Callback to sign the event
+   */
+  publishZKMGroupToKind0(pubkey: string, group: ZKMGroupInfo, signEvent: (event: Event) => Promise<Event>): Promise<boolean>;
+  /**
+   * Fetch all ZK Membership group roots from a kind-0 event (Semaphore-style)
+   * @param pubkey The identity's public key
+   */
+  fetchZKMGroups(pubkey: string): Promise<ZKMGroupInfo[]>;
+}
+//#endregion
+//#region src/services/auth.service.d.ts
+/**
+ * Service wrapper around KeyManager
+ * Handles WebAuthn/Passkey integration with Nostr
+ */
+declare class AuthService {
+  #private;
+  private manager;
+  private groupManager;
+  private config;
+  constructor(config?: AuthServiceConfig);
+  private getDefaultRpName;
+  /**
+   * Initialize the KeyManager instance
+   */
+  private getManager;
+  /**
+   * Create a new passkey
+   * Uses platform authenticator only (Touch ID, Face ID, Windows Hello)
+   */
+  createPasskey(username?: string): Promise<Uint8Array>;
+  /**
+     * Create a new Nostr key from a credential ID
+     * Automatically uses password fallback if PRF is not supported
+     * @param credentialId Passkey credential ID
+     * @param password Password (required if PRF not supported)
+     * @param options.username Username for the key
+     * @param options.recoveryPassword Password for recovery (enables recovery on new device)
+     */
+  createKey(credentialId?: Uint8Array, password?: string, options?: KeyOptions): Promise<KeyInfo>;
+  /**
+   * Check if PRF is supported, otherwise password fallback is needed
+   */
+  checkPRFSupport(): Promise<boolean>;
+  /**
+   * Get the current public key
+   */
+  getPublicKey(): Promise<string>;
+  /**
+   * Sign a Nostr event
+   * @param event Event to sign
+   * @param options.mode 'individual' for direct signing, 'multisig' for threshold signing. Defaults to multisig if configured.
+   */
+  signEvent(event: Event$1, options?: SignOptions): Promise<Event$1>;
+  /**
+   * Get current key info
+   */
+  getCurrentKeyInfo(): KeyInfo | null;
+  /**
+   * Set current key info
+   */
+  setCurrentKeyInfo(keyInfo: KeyInfo): void;
+  /**
+   * Check if key info exists
+   */
+  hasKeyInfo(): boolean;
+  /**
+   * Clear stored key info
+   */
+  clearStoredKeyInfo(): void;
+  /**
+     * Check if PRF is supported (legacy alias)
+     */
+  isPrfSupported(): Promise<boolean>;
+  /**
+   * Add password recovery to an existing PRF key
+   * @param password Password for recovery key
+   */
+  addPasswordRecovery(password: string): Promise<KeyInfo>;
+  /**
+   * Activate recovery using password
+   * Requires new credential ID from new device
+   * @param password Password for recovery key
+   * @param newCredentialId New passkey credential ID (required)
+   */
+  activateWithPassword(password: string, newCredentialId: Uint8Array): Promise<KeyInfo>;
+  /**
+   * Get recovery data for kind-0
+   */
+  getRecoveryForKind0(): {
+    recoveryPubkey: string;
+    recoverySalt: string;
+    createdAt?: number;
+    signature?: string;
+  } | null;
+  /**
+   * Publish recovery data to a kind-0 event on relays
+   * Fetches the existing kind-0, preserves all content and tags, and amends the recovery "r" tag
+   * @param relayService RelayService instance for publishing
+   * @param content Optional content to use instead of fetching the existing kind-0
+   */
+  publishRecoveryToKind0(relayService: RelayService, content?: string): Promise<boolean>;
+  /**
+   * Enable FROSTR multisig on the current identity
+   * Derives the secret from the passkey, splits into shares, stores config
+   * @param options Threshold, total members, and relay configuration
+   */
+  enableMultisig(options: MultisigSetupOptions): Promise<MultisigSetupResult>;
+  /**
+   * Check if the current identity is multisig-enabled
+   */
+  isMultisig(): boolean;
+  /**
+   * Get the full multisig config (for sharing with other devices)
+   */
+  getMultisigConfig(): MultisigConfig | null;
+  /**
+   * Get peer status — which other signers are online
+   */
+  getPeerStatus(): Promise<PeerInfo[]>;
+  /**
+   * Rotate shares — generate a new keyset, invalidating old shares
+   * If members and groupManager are provided, new shares are distributed via Welcome messages.
+   * Otherwise, returns new share credentials for manual distribution.
+   * @param newThreshold New threshold (defaults to current)
+   * @param newTotal New total members (defaults to current)
+   * @param members Members to redistribute shares to via Welcome messages
+   * @param groupManager GroupManager for sending Welcome messages
+   * @returns Array of new share credentials (empty if distributed via Welcome)
+   */
+  rotateShares(newThreshold?: number, newTotal?: number, members?: any[], groupManager?: any): Promise<string[]>;
+  /**
+   * Import a FROST share credential into the current identity
+   * Used by members who receive a share from the group admin
+   * @param options Group credential, share credential, and relay URLs
+   */
+  importMultisigShare(options: MultisigImportOptions): Promise<KeyInfo>;
+  /**
+   * Get or create the GroupManager instance for Marmot group messaging
+   * @param network Network interface (e.g., RelayService or NostrNetworkInterface)
+   * @param relays Relay URLs for group communication
+   * @param dbName Optional IndexedDB database name (default: 'nosskey')
+   */
+  getGroupManager(network: any, relays: string[], dbName?: string): GroupManager;
+  /**
+   * Create a new Marmot group and optionally enable multisig for it
+   * @param network Network interface
+   * @param relays Relay URLs
+   * @param name Group name
+   * @param options Group creation options
+   */
+  createGroup(network: any, relays: string[], name: string, options?: CreateGroupOptions): Promise<any>;
+  /**
+   * Subscribe to group messages
+   * @param group The Marmot group instance
+   * @param handler Message handler callback
+   * @returns Unsubscribe function
+   */
+  onGroupMessage(group: any, handler: (msg: GroupMessage) => void): () => void;
+  /**
+   * Set ZK Membership trust in KeyInfo
+   * @param proof ZK Membership proof
+   */
+  setMembershipTrust(proof: ZKMMembershipProof): Promise<void>;
+  /**
+   * Set ZK Membership group trust in KeyInfo
+   * @param group ZKM Group info (Semaphore-style - only root published)
+   */
+  setGroupTrust(group: ZKMGroupInfo): Promise<void>;
+  /**
+   * Publish ZK Membership proof to kind-0 profile
+   * Can be called manually or automatically after group join
+   * @param relayService RelayService instance
+   */
+  publishMembershipToProfile(relayService: RelayService): Promise<boolean>;
+  /**
+   * Get membership verification status
+   */
+  getMembershipTrust(): ZKMMembershipProof | undefined;
+  /**
+   * Subscribe to group changes (created/joined) to optionally auto-publish ZK membership
+   * @param relayService RelayService instance
+   * @param zkmService ZKMService for generating proofs
+   * @param groupMembers Array of group member secrets
+   * @returns Unsubscribe function
+   */
+  onGroupChange(relayService: RelayService, _groupMembers: string[]): () => void;
+  /**
+   * Clear membership trust from KeyInfo
+   */
+  clearMembershipTrust(): Promise<void>;
+  /**
+   * Fetch membership tags from a profile
+   * @param relayService RelayService instance
+   * @param pubkey Public key to fetch from
+   */
+  fetchGroupTags(relayService: RelayService, pubkey: string): Promise<ZKMGroupInfo[]>;
+  /**
+   * Parse a group message to check if it's a share credential
+   * @param message The group message to parse
+   */
+  parseShareMessage(message: GroupMessage): Promise<ShareCredentialMessage | null>;
+  /**
+   * Parse a group message to check if it's a signing request
+   * @param message The group message to parse
+   */
+  parseSigningRequest(message: GroupMessage): Promise<{
+    type: 'signing-request';
+    description: string;
+  } | null>;
+  /**
+   * Generate a SIOP v2 Self-Issued ID Token
+   * Auto-generates on demand — signs with the user's Nostr keypair
+   * iss = sub = did:nostr:<hex_pubkey>
+   */
+  generateSiopIdToken(config: SiopConfig): Promise<SiopAuthResult>;
+  /**
+   * Authenticate to a Nostr relay using NIP-42
+   * Auto-generates SIOP ID Token if siop.nonce is provided
+   */
+  authenticateToRelay(options: Nip42AuthOptions): Promise<Nip42AuthResult>;
+  /**
+   * Authenticate with an OAuth provider (Google, GitHub, etc.)
+   * Initiates the OAuth flow — redirects to provider's authorization page
+   * On callback, exchanges code for tokens and automatically links the identity
+   */
+  authenticateWithProvider(config: OAuthProviderConfig): Promise<OAuthAuthResult>;
+  /**
+   * Initiate OAuth flow (redirects to provider)
+   * Call this to start the flow, then handle the callback with completeOAuthCallback
+   */
+  initiateProviderAuth(config: OAuthProviderConfig): Promise<void>;
+  /**
+   * Complete OAuth flow after callback
+   * Exchanges code for tokens and links the identity
+   */
+  completeOAuthCallback(config: OAuthProviderConfig): Promise<OAuthAuthResult>;
+  /**
+   * Link an OAuth identity to the current Nostr key
+   * Stores encrypted refresh token for silent re-auth
+   */
+  linkProvider(config: OAuthProviderConfig): Promise<void>;
+  /**
+   * Unlink a provider from the current Nostr key
+   * Works for all provider types: OAuth, EUDI, vLEI, ZKP
+   */
+  unlinkProvider(provider: string): Promise<void>;
+  /**
+   * Get all linked providers
+   */
+  getLinkedProviders(filter?: {
+    type?: string;
+    category?: string;
+  }): LinkedProviderStatus[];
+  /**
+   * Get an access token for a linked provider
+   * Auto-refreshes if the stored token is expired
+   */
+  getProviderAccessToken(provider: string): Promise<string>;
+  /**
+   * Publish a provider link to kind-0 profile
+   */
+  publishProviderLink(relayService: RelayService, provider: string): Promise<boolean>;
+  /**
+   * Unpublish a provider link from kind-0 profile
+   */
+  unpublishProviderLink(relayService: RelayService, provider: string): Promise<boolean>;
+}
+//#endregion
+//#region src/services/eudi.service.d.ts
+declare class EUDIService {
+  #private;
+  connect(config: EUDIVerifierConfig): Promise<void>;
+  disconnect(): Promise<void>;
+  isConnected(): boolean;
+  getConfig(): EUDIVerifierConfig | null;
+  /**
+   * Create a new verification session
+   * Returns session info including verification URL and request URI
+   */
+  createVerificationSession(): Promise<EUDISession>;
+  /**
+   * Poll for verification result
+   */
+  pollVerificationResult(sessionId: string): Promise<{
+    status: 'pending' | 'verified' | 'failed';
+    claims?: EUDIClaims;
+  }>;
+  /**
+   * Verify EUDI credentials and return claims
+   * This is the main entry point for verification
+   */
+  verifyEUDI(): Promise<EUDIClaims>;
+  /**
+   * Get active sessions
+   */
+  getActiveSessions(): EUDISession[];
+  /**
+   * Clear expired sessions
+   */
+  clearExpiredSessions(): void;
+  /**
+   * Create a verification session for Legal PID credentials
+   */
+  createLegalPIDVerificationSession(): Promise<EUDISession>;
+  /**
+   * Verify EUDI Legal PID credentials and return claims
+   */
+  verifyEUDILegalPID(): Promise<EUDILegalClaims>;
+  /**
+   * Extract Legal PID claims from a verified VP token
+   */
+  extractLegalPIDClaims(vpToken: string, _challenge: string): Promise<EUDILegalClaims>;
+}
+declare function isEUDIAvailable(): Promise<boolean>;
+//#endregion
+//#region src/services/zkp.service.d.ts
+declare class ZKPService {
+  #private;
+  connect(config: ZKPVerifierConfig): Promise<void>;
+  disconnect(): Promise<void>;
+  isConnected(): boolean;
+  getConfig(): ZKPVerifierConfig | null;
+  verifyZKP(options?: Partial<ZKPVerificationRequest>): Promise<ZKPClaims>;
+  getCurrentQueryUrl(): string | null;
+  cancelVerification(): void;
+}
+declare function isZKPAvailable(): Promise<boolean>;
+//#endregion
+//#region src/services/individual-trust.service.d.ts
+declare class IndividualTrustService {
+  #private;
+  constructor();
+  get eudi(): EUDIService;
+  get zkp(): ZKPService;
+  connectEUDI(config: EUDIVerifierConfig): Promise<void>;
+  connectZKP(config: ZKPVerifierConfig): Promise<void>;
+  disconnect(): Promise<void>;
+  isConnected(): boolean;
+  verifyEUDI(): Promise<EUDIClaims>;
+  verifyZKP(options?: Partial<ZKPVerificationRequest>): Promise<ZKPClaims>;
+  getVerificationStatus(): {
+    eudi: boolean;
+    zkp: boolean;
+  };
+}
+//#endregion
+//#region src/services/keria.service.d.ts
+declare class KERIAService {
+  #private;
+  connect(url: string, bran: string): Promise<KERIAConnection>;
+  disconnect(): Promise<void>;
+  isConnected(): boolean;
+  getConnection(): KERIAConnection | null;
+  fetchCredentials(): Promise<KERIACredential[]>;
+  findVLEICredentials(): Promise<VLEICredentials | null>;
+  verifyCredentials(): Promise<RootOfTrustInfo>;
+  signChallenge(challenge: string): Promise<KERISignature>;
+  getCachedCredentials(): KERIACredential[];
+  clearCache(): void;
+}
+declare function isKERIAAvailable(): Promise<boolean>;
+//#endregion
+//#region src/services/organization-trust.service.d.ts
+declare class OrganizationTrustService {
+  #private;
+  constructor();
+  get keria(): KERIAService;
+  get eudi(): EUDIService;
+  connectKERIA(url: string, bran: string): Promise<KERIAConnection>;
+  connectEUDI(config: EUDIVerifierConfig): Promise<void>;
+  disconnect(): Promise<void>;
+  isConnected(): boolean;
+  verifyVLEI(): Promise<RootOfTrustInfo>;
+  verifyEUDILegal(): Promise<EUDILegalClaims>;
+  getVerificationStatus(): {
+    vlei: boolean;
+    eudiLegal: boolean;
+  };
+}
+//#endregion
+//#region src/services/zkm.service.d.ts
+interface ZKMIdentity {
+  privateKey: string;
+  commitment: string;
+}
+declare function isZKMAvailable(): boolean;
+declare class ZKMService {
+  #private;
+  connect(config: ZKMVerifierConfig): Promise<void>;
+  disconnect(): Promise<void>;
+  isConnected(): boolean;
+  generateIdentity(): Promise<ZKMIdentity>;
+  createGroup(groupId: string): Promise<any>;
+  addMember(identity: ZKMIdentity): Promise<any>;
+  generateProof(scope?: string): Promise<any>;
+  verifyProof(proof: any, root: string): Promise<boolean>;
+  getIdentity(): ZKMIdentity | null;
+  getGroup(): any | null;
+  getConfig(): ZKMVerifierConfig | null;
+}
+//#endregion
+//#region src/services/siop.d.ts
+/**
+ * Build a SIOP v2 authorization request URL
+ * Used by RPs to invoke the Self-Issued OP
+ */
+declare function buildSiopAuthorizationUrl(config: {
+  clientId: string;
+  redirectUri: string;
+  nonce: string;
+  authorizationEndpoint?: string;
+  scope?: string;
+  idTokenType?: string;
+  clientMetadata?: SiopClientMetadata;
+  requestUri?: string;
+}): string;
+/**
+ * Parse a SIOP v2 authorization request URL
+ * Used by the Self-Issued OP to extract the RP's request parameters
+ */
+declare function parseSiopAuthorizationRequest(url: string): SiopConfig & {
+  clientId: string;
+  redirectUri: string;
+};
+/**
+ * Generate a SIOP v2 Self-Issued ID Token
+ * Signs with ES256K using the user's Nostr secp256k1 private key
+ * iss = sub = did:nostr:<hex_pubkey>
+ *
+ * Note: Uses @noble/secp256k1 directly because Web Crypto (which jose relies on)
+ * does not support the P-256K (secp256k1) curve in most environments.
+ */
+declare function generateSiopIdToken(config: SiopConfig & {
+  secretKey: Uint8Array;
+}): Promise<string>;
+/**
+ * Verify a SIOP v2 Self-Issued ID Token
+ * Validates signature using the pubkey from the did:nostr sub claim
+ */
+declare function verifySiopIdToken(token: string): Promise<{
+  valid: boolean;
+  payload: Record<string, unknown>;
+  error?: string;
+}>;
+/**
+ * Generate a SIOP v2 authorization response (redirect back to RP)
+ */
+declare function buildSiopAuthorizationResponse(redirectUri: string, idToken: string, state?: string): string;
+//#endregion
+//#region src/services/nip42.d.ts
+/**
+ * Normalize a relay URL per NIP-42 conventions
+ */
+declare function normalizeRelayUrl(url: string): string;
+/**
+ * Build a NIP-42 AUTH event (kind 22242)
+ */
+declare function buildAuthEvent(challenge: string, relayUrl: string, secretKey: Uint8Array, jwt?: string): Promise<Event$1>;
+/**
+ * Authenticate to a Nostr relay using NIP-42
+ * Full WebSocket handshake: connect → receive challenge → sign → send → await OK
+ */
+declare function authenticateToRelay(options: Nip42AuthOptions & {
+  secretKey: Uint8Array;
+}): Promise<Nip42AuthResult>;
+/**
+ * Wait for AUTH challenge from relay
+ * Returns the challenge string
+ */
+declare function waitForAuthChallenge(websocket: WebSocket, timeoutMs?: number): Promise<string>;
+/**
+ * Send AUTH event to relay and wait for OK response
+ */
+declare function sendAuthEvent(websocket: WebSocket, authEvent: Event$1, timeoutMs?: number): Promise<boolean>;
+//#endregion
+//#region src/services/did-nostr.d.ts
+/**
+ * Generate a did:nostr identifier from a hex pubkey
+ */
+declare function pubkeyToDid(pubkey: string): string;
+/**
+ * Extract the hex pubkey from a did:nostr identifier
+ */
+declare function didToPubkey(did: string): string;
+/**
+ * Convert a hex pubkey to a Multikey publicKeyMultibase value
+ * per the did:nostr spec: prepend 0x02 (even y), then multicodec varint, then multibase base16-lower
+ */
+declare function pubkeyToMultikey(pubkey: string): string;
+/**
+ * Generate a minimal DID:nostr document from a pubkey alone (offline, no network)
+ */
+declare function generateMinimalDidDocument(pubkey: string): DidNostrDocument;
+/**
+ * Generate an enhanced DID:nostr document with relay services
+ */
+declare function generateEnhancedDidDocument(pubkey: string, options?: {
+  relays?: string[];
+  alsoKnownAs?: string[];
+  profile?: DidNostrProfile;
+  follows?: string[];
+}): DidNostrDocument;
+/**
+ * Resolve a did:nostr identifier to a DID document
+ * This is offline-first — generates the minimal document from the pubkey alone
+ */
+declare function resolveDidNostr(did: string): DidNostrDocument;
+/**
+ * Validate a did:nostr identifier
+ */
+declare function isValidDidNostr(did: string): boolean;
+//#endregion
+//#region src/services/oauth.d.ts
+/**
+ * Built-in OAuth provider presets
+ */
+declare const BUILTIN_PROVIDERS: Record<string, OAuthProviderPreset>;
+/**
+ * Build OAuth authorization URL with PKCE
+ */
+declare function buildAuthorizationUrl(config: {
+  authorizationUrl: string;
+  clientId: string;
+  redirectUri: string;
+  scope: string;
+  codeChallenge: string;
+  state?: string;
+}): string;
+/**
+ * Exchange authorization code for tokens
+ */
+declare function exchangeCodeForTokens(config: {
+  tokenUrl: string;
+  clientId: string;
+  redirectUri: string;
+  code: string;
+  codeVerifier: string;
+}): Promise<{
+  accessToken: string;
+  refreshToken?: string;
+  expiresIn: number;
+  scope: string;
+  idToken?: string;
+}>;
+/**
+ * Decode a JWT payload (no signature verification)
+ */
+declare function decodeJwtPayload(token: string): Record<string, unknown>;
+/**
+ * Extract pubkey from JWT claims
+ */
+declare function getPubkeyFromJwt(token: string, claimName?: string): string;
+/**
+ * Encrypt a refresh token with AES-GCM using a PRF-derived key
+ */
+declare function encryptRefreshToken(refreshToken: string, secretKey: Uint8Array): Promise<EncryptedOAuthBundle>;
+/**
+ * Decrypt a refresh token with AES-GCM using a PRF-derived key
+ */
+declare function decryptRefreshToken(bundle: EncryptedOAuthBundle, secretKey: Uint8Array): Promise<string>;
+/**
+ * Refresh an access token using a stored refresh token
+ */
+declare function refreshAccessToken(config: {
+  tokenUrl: string;
+  clientId: string;
+  refreshToken: string;
+}): Promise<{
+  accessToken: string;
+  refreshToken?: string;
+  expiresIn: number;
+  scope: string;
+}>;
+/**
+ * Initiate OAuth flow — redirects to provider's authorization page
+ */
+declare function initiateOAuthFlow(config: {
+  provider: string;
+  clientId: string;
+  redirectUri: string;
+  scope: string;
+  authorizationUrl?: string;
+  state?: string;
+}): Promise<{
+  codeVerifier: string;
+  state: string;
+}>;
+/**
+ * Handle OAuth callback — extract code, exchange for tokens
+ */
+declare function handleOAuthCallback(currentUrl?: string): Promise<{
+  code: string;
+  state: string;
+  pkceState: {
+    codeVerifier: string;
+    provider: string;
+    clientId: string;
+    redirectUri: string;
+    scope: string;
+    tokenUrl?: string;
+  };
+}>;
+/**
+ * Complete OAuth flow — exchange code for tokens and return result
+ */
+declare function completeOAuthFlow(currentUrl?: string): Promise<OAuthAuthResult>;
+//#endregion
+export { AllVerificationResults, AuthService, type AuthServiceConfig, type AuthState, BUILTIN_PROVIDERS, CreateGroupOptions, type DidNostrDocument, type DidNostrProfile, type DidNostrService, type DidNostrVerificationMethod, type EUDIClaims, type EUDILegalClaims, EUDIService, type EUDISession, type EUDISessionRequest, type EUDIVerificationResponse, type EUDIVerifierConfig, EncryptedMultisigBundle, type EncryptedOAuthBundle, type Event, type FollowEntry, GetPrfSecretOptions, GroupManager, GroupMessage, IndexedDBGroupStateBackend, IndexedDBKeyPackageStore, IndexedDBKeyValueBackend, IndividualTrustService, type KERIAConnection, type KERIACredential, KERIAService, type KERISignature, KeyCacheOptions, KeyInfo, KeyManager, KeyManagerLike, KeyManagerOptions, KeyOptions, KeyRecovery, type LinkedProviderStatus, MultisigConfig, MultisigImportOptions, MultisigManager, MultisigMember, MultisigSetupOptions, MultisigSetupResult, type MultisigVLEIConfig, type Nip42AuthOptions, type Nip42AuthResult, NostrKeyStorageOptions, type OAuthAuthResult, type OAuthProviderConfig, type OAuthProviderPreset, OrganizationTrustService, PasskeyCreationOptions, PasswordProtectedBundle, PeerInfo, type ProfileMetadata, RelayService, type RelayServiceConfig, type RootOfTrustInfo, RootOfTrustVerificationResult, ShareCredentialMessage, SignOptions, SigningMode, SigningRequest, type SiopAuthResult, type SiopClientMetadata, type SiopConfig, type TrustLevel, type TrustProviderEntry, type VLEICredentials, type VLEITagData, type VerificationStatus, type ZKMMembershipProof, type ZKMScheme, ZKMService, type ZKMVerificationRequest, type ZKMVerifierConfig, type ZKPClaims, type ZKPScope, ZKPService, type ZKPVerifierConfig, aesGcmDecrypt, aesGcmEncrypt, buildAuthEvent, buildAuthorizationUrl, buildSiopAuthorizationResponse, buildSiopAuthorizationUrl, bytesToHex, checkPRFSupport, completeOAuthFlow, createPasskey, createRecoveryTag, createShareMessage, createSigningRequest, decodeJwtPayload, decryptRefreshToken, deriveAesGcmKey, deriveNostrPrivateKey, deriveSaltFromUsername, didToPubkey, encryptRefreshToken, exchangeCodeForTokens, generateEnhancedDidDocument, generateMinimalDidDocument, generatePasswordProtectedKey, generateSiopIdToken, getPrfSecret, getPubkeyFromJwt, getPublicKeyFromPassword, getRecoverySignature, getTrustLevelLabel, getVerificationSummary, handleOAuthCallback, hasAnyVerifiedRootOfTrust, hexToBytes, importPublicKeyFromBundle, initiateOAuthFlow, isEUDIAvailable, isKERIAAvailable, isPrfSupported, isTrustExpired, isValidDidNostr, isZKMAvailable, isZKPAvailable, authenticateToRelay as nip42Authenticate, normalizeRelayUrl, parseRecoveryTag, parseShareMessage, parseSigningRequest, parseSiopAuthorizationRequest, pubkeyToDid, pubkeyToMultikey, refreshAccessToken, registerDummyPasskey, resolveDidNostr, sendAuthEvent, unwrapPasswordProtectedPrivateKey, verifyAllRootOfTrusts, verifyEUDILegalTag, verifyEUDITag, verifyRecoverySignature, verifySiopIdToken, verifyVLEITag, verifyZKMTag, verifyZKPTag, waitForAuthChallenge };
+//# sourceMappingURL=browser-index.d.cts.map