import * as t from 'io-ts';
/** Default Argon2id parameters per RFC 9106 second recommendation
 * @see https://www.rfc-editor.org/rfc/rfc9106#section-4
 */
export declare const ARGON2_DEFAULTS: {
    readonly memorySize: 65536;
    readonly iterations: 3;
    readonly parallelism: 4;
    readonly hashLength: 32;
    readonly saltLength: 16;
};
/** AES-256-GCM IV length in bytes */
export declare const GCM_IV_LENGTH = 12;
/** HKDF per-call salt length in bytes */
export declare const HKDF_SALT_LENGTH = 32;
declare const V2EnvelopeCodec: t.IntersectionC<[t.TypeC<{
    v: t.LiteralC<2>;
    m: t.Type<number, number, unknown>;
    t: t.Type<number, number, unknown>;
    p: t.Type<number, number, unknown>;
    salt: t.Type<string, string, unknown>;
    iv: t.Type<string, string, unknown>;
    ct: t.Type<string, string, unknown>;
}>, t.PartialC<{
    /** Base64-encoded per-call HKDF salt -- present only in session-produced envelopes */
    hkdfSalt: t.Type<string, string, unknown>;
    /** Additional authenticated data for context binding (e.g. transaction hash + derivation path) */
    adata: t.StringC;
}>]>;
export type V2Envelope = t.TypeOf<typeof V2EnvelopeCodec>;
export declare function argon2ToHkdfKey(password: string, salt: Uint8Array, params: {
    memorySize: number;
    iterations: number;
    parallelism: number;
}): Promise<CryptoKey>;
export declare function hkdfDeriveAesKey(hkdfKey: CryptoKey, hkdfSalt: Uint8Array, usage: KeyUsage): Promise<CryptoKey>;
export declare function aesGcmEncrypt(key: CryptoKey, iv: Uint8Array, plaintext: string, additionalData?: Uint8Array): Promise<Uint8Array>;
export declare function aesGcmDecrypt(key: CryptoKey, iv: Uint8Array, ct: Uint8Array, additionalData?: Uint8Array): Promise<string>;
export declare function parseV2Envelope(ciphertext: string): V2Envelope;
/**
 * Encrypt plaintext using Argon2id KDF + AES-256-GCM.
 *
 * Returns a self-describing JSON v2 envelope containing all Argon2id parameters,
 * salt, IV, and ciphertext -- fully standalone for decryption.
 *
 * For multi-call operations (MPC signing, wallet creation), prefer
 * createEncryptionSession to run Argon2id once and derive per-call keys via HKDF.
 */
export declare function encryptV2(password: string, plaintext: string, options?: {
    salt?: Uint8Array;
    iv?: Uint8Array;
    memorySize?: number;
    iterations?: number;
    parallelism?: number;
    adata?: string;
}): Promise<string>;
/**
 * Decrypt a v2 envelope (Argon2id + AES-256-GCM).
 *
 * Handles both envelope types automatically:
 *   - Standard  (no hkdfSalt): Argon2id -> AES-GCM
 *   - Session   (hkdfSalt present): Argon2id -> HKDF -> AES-GCM
 *
 * All parameters are stored in the envelope -- no session context required.
 */
export declare function decryptV2(password: string, ciphertext: string): Promise<string>;
export {};
//# sourceMappingURL=encryptV2.d.ts.map