import * as Effect from "../../Effect.ts";
/**
 * Defines the domain-separation string embedded in canonical session
 * authentication payloads.
 *
 * **When to use**
 *
 * Use when you need the domain-separation string used to build canonical
 * event-log session authentication payloads.
 *
 * @category constants
 * @since 4.0.0
 */
export declare const AuthPayloadContext = "eventlog-auth-v1";
/**
 * Defines the required byte length for raw Ed25519 public keys used in session
 * authentication.
 *
 * **When to use**
 *
 * Use when you need to validate the byte length of raw Ed25519 public keys for
 * session authentication.
 *
 * @category constants
 * @since 4.0.0
 */
export declare const Ed25519PublicKeyLength = 32;
/**
 * Defines the required byte length for Ed25519 signatures used in session authentication.
 *
 * **When to use**
 *
 * Use when you need to validate the byte length of Ed25519 signatures for
 * session authentication.
 *
 * @category constants
 * @since 4.0.0
 */
export declare const Ed25519SignatureLength = 64;
/**
 * Defines the number of random bytes generated for a session authentication
 * challenge.
 *
 * **When to use**
 *
 * Use when you need the challenge size for event-log session authentication.
 *
 * @category constants
 * @since 4.0.0
 */
export declare const SessionAuthChallengeLength = 32;
/**
 * Defines the time-to-live, in milliseconds, for a pending session
 * authentication challenge.
 *
 * **When to use**
 *
 * Use when you need the timeout for pending event-log session authentication
 * challenges.
 *
 * @category constants
 * @since 4.0.0
 */
export declare const SessionAuthChallengeTimeToLiveMillis = 30000;
/**
 * Payload fields that are canonicalized and signed during session
 * authentication.
 *
 * @category models
 * @since 4.0.0
 */
export interface SessionAuthPayload {
    readonly remoteId: string | Uint8Array;
    readonly challenge: Uint8Array;
    readonly publicKey: string;
    readonly signingPublicKey: Uint8Array;
}
declare const EventLogSessionAuthError_base: new <A extends Record<string, any> = {}>(args: import("../../Types.ts").VoidIfEmpty<{ readonly [P in keyof A as P extends "_tag" ? never : P]: A[P]; }>) => import("../../Cause.ts").YieldableError & {
    readonly _tag: "EventLogSessionAuthError";
} & Readonly<A>;
/**
 * Error raised while encoding, decoding, signing, verifying, or generating
 * session authentication challenges.
 *
 * @category errors
 * @since 4.0.0
 */
export declare class EventLogSessionAuthError extends EventLogSessionAuthError_base<{
    readonly reason: "InvalidPayload" | "InvalidContext" | "InvalidAlgorithm" | "InvalidSigningPublicKeyLength" | "InvalidSignatureLength" | "InvalidSigningPrivateKey" | "CryptoUnavailable" | "CryptoFailure";
    readonly message: string;
    readonly cause?: unknown;
}> {
}
/**
 * Encodes a session authentication payload into the canonical byte format.
 *
 * **Details**
 *
 * The canonical payload format uses ordered big-endian length-prefixed fields:
 *
 * 1. context (fixed: eventlog-auth-v1)
 * 2. remoteId
 * 3. challenge bytes
 * 4. publicKey
 * 5. signingPublicKey bytes
 *
 * @category encoding
 * @since 4.0.0
 */
export declare const encodeSessionAuthPayload: (payload: SessionAuthPayload) => Effect.Effect<Uint8Array<ArrayBuffer>, EventLogSessionAuthError, never>;
/**
 * Decodes a canonical session authentication payload.
 *
 * **Details**
 *
 * The decoder validates the context field, UTF-8 fields, signing public key
 * length, and rejects truncated or trailing bytes.
 *
 * @category encoding
 * @since 4.0.0
 */
export declare const decodeSessionAuthPayload: (payload: Uint8Array<ArrayBufferLike>) => Effect.Effect<SessionAuthPayload, EventLogSessionAuthError, never>;
/**
 * Creates a canonical session authentication signature with an Ed25519 private key.
 *
 * **Details**
 *
 * The private key must be PKCS#8-encoded bytes importable by `SubtleCrypto`.
 *
 * @category signing
 * @since 4.0.0
 */
export declare const signSessionAuthPayloadBytes: (options: {
    readonly payload: Uint8Array;
    readonly signingPrivateKey: Uint8Array;
}) => Effect.Effect<Uint8Array<ArrayBuffer>, EventLogSessionAuthError, never>;
/**
 * Verifies an Ed25519 signature for canonical session authentication payload
 * bytes.
 *
 * **Details**
 *
 * The payload, signing public key, and signature lengths are validated before
 * calling `SubtleCrypto.verify`.
 *
 * @category verification
 * @since 4.0.0
 */
export declare const verifySessionAuthPayloadBytes: (options: {
    readonly payload: Uint8Array;
    readonly signingPublicKey: Uint8Array;
    readonly signature: Uint8Array;
}) => Effect.Effect<boolean, EventLogSessionAuthError, never>;
/**
 * Encodes a session authentication payload in canonical form and signs it with an
 * Ed25519 private key.
 *
 * @category signing
 * @since 4.0.0
 */
export declare const signSessionAuthPayload: (options: SessionAuthPayload & {
    readonly signingPrivateKey: Uint8Array;
}) => Effect.Effect<Uint8Array<ArrayBuffer>, EventLogSessionAuthError, never>;
/**
 * Encodes a session authentication payload in canonical form and verifies its
 * Ed25519 signature.
 *
 * @category verification
 * @since 4.0.0
 */
export declare const verifySessionAuthPayload: (options: SessionAuthPayload & {
    readonly signature: Uint8Array;
}) => Effect.Effect<boolean, EventLogSessionAuthError, never>;
/**
 * Generates a random session authentication challenge using `globalThis.crypto`.
 *
 * @category challenge
 * @since 4.0.0
 */
export declare const makeSessionAuthChallenge: Effect.Effect<Uint8Array<ArrayBuffer>, EventLogSessionAuthError>;
/**
 * Verifies an authentication request by requiring the `Ed25519` algorithm and
 * checking the signature over the canonical session authentication payload.
 *
 * @category verification
 * @since 4.0.0
 */
export declare const verifySessionAuthenticateRequest: (options: {
    readonly remoteId: string | Uint8Array;
    readonly challenge: Uint8Array;
    readonly publicKey: string;
    readonly signingPublicKey: Uint8Array;
    readonly signature: Uint8Array;
    readonly algorithm: string;
}) => Effect.Effect<boolean, EventLogSessionAuthError, never>;
export {};
//# sourceMappingURL=EventLogSessionAuth.d.ts.map