import { Result } from '@byteslice/result';
import { E as Encrypted } from '../types-dR0dpG6-.js';
import '@cipherstash/protect-ffi';
import '@cipherstash/schema';

type SecretName = string;
type SecretValue = string;
/**
 * Configuration options for initializing the Stash client
 */
interface StashConfig {
    workspaceCRN: string;
    clientId: string;
    clientKey: string;
    environment: string;
    apiKey: string;
    accessKey?: string;
}
/**
 * Secret metadata returned from the API
 */
interface SecretMetadata {
    id?: string;
    name: string;
    environment: string;
    createdAt?: string;
    updatedAt?: string;
}
/**
 * API response for listing secrets
 */
interface ListSecretsResponse {
    environment: string;
    secrets: SecretMetadata[];
}
/**
 * API response for getting a secret
 */
interface GetSecretResponse {
    name: string;
    environment: string;
    encryptedValue: {
        data: Encrypted;
    };
    createdAt?: string;
    updatedAt?: string;
}
interface DecryptedSecretResponse {
    name: string;
    environment: string;
    value: string;
    createdAt?: string;
    updatedAt?: string;
}
/**
 * The Stash client provides a high-level API for managing encrypted secrets
 * stored in CipherStash. Secrets are encrypted locally before being sent to
 * the API, ensuring end-to-end encryption.
 */
declare class Stash {
    private protectClient;
    private config;
    private readonly apiBaseUrl;
    private readonly secretsSchema;
    /**
     * Extracts the workspace ID from a CRN string.
     * CRN format: crn:region.aws:ID
     *
     * @param crn The CRN string to extract from
     * @returns The workspace ID portion of the CRN
     */
    private extractWorkspaceIdFromCrn;
    constructor(config: StashConfig);
    /**
     * Initialize the Stash client and underlying Protect client
     */
    private ensureInitialized;
    /**
     * Get the authorization header for API requests
     */
    private getAuthHeader;
    /**
     * Make an API request with error handling
     */
    private apiRequest;
    /**
     * Store an encrypted secret in the vault.
     * The value is encrypted locally before being sent to the API.
     *
     * @param name - The name of the secret
     * @param value - The plaintext value to encrypt and store
     * @returns A Result indicating success or failure
     *
     * @example
     * ```typescript
     * const stash = new Stash({ ... })
     * const result = await stash.set('DATABASE_URL', 'postgres://user:pass@localhost:5432/mydb')
     * if (result.failure) {
     *   console.error('Failed to set secret:', result.failure.message)
     * }
     * ```
     */
    set(name: SecretName, value: SecretValue): Promise<Result<void, {
        type: string;
        message: string;
    }>>;
    /**
     * Retrieve and decrypt a secret from the vault.
     * The secret is decrypted locally after retrieval.
     *
     * @param name - The name of the secret to retrieve
     * @returns A Result containing the decrypted value or an error
     *
     * @example
     * ```typescript
     * const stash = new Stash({ ... })
     * const result = await stash.get('DATABASE_URL')
     * if (result.failure) {
     *   console.error('Failed to get secret:', result.failure.message)
     * } else {
     *   console.log('Secret value:', result.data)
     * }
     * ```
     */
    get(name: SecretName): Promise<Result<SecretValue, {
        type: string;
        message: string;
    }>>;
    /**
     * Retrieve and decrypt many secrets from the vault.
     * The secrets are decrypted locally after retrieval.
     * This method only triggers a single network request to the ZeroKMS.
     *
     * @param names - The names of the secrets to retrieve
     * @returns A Result containing an object mapping secret names to their decrypted values
     *
     * @example
     * ```typescript
     * const stash = new Stash({ ... })
     * const result = await stash.getMany(['DATABASE_URL', 'API_KEY'])
     * if (result.failure) {
     *   console.error('Failed to get secrets:', result.failure.message)
     * } else {
     *   const dbUrl = result.data.DATABASE_URL // Access by name
     *   const apiKey = result.data.API_KEY
     * }
     * ```
     */
    getMany(names: SecretName[]): Promise<Result<Record<SecretName, SecretValue>, {
        type: string;
        message: string;
    }>>;
    /**
     * List all secrets in the environment.
     * Only names and metadata are returned; values remain encrypted.
     *
     * @returns A Result containing the list of secrets or an error
     *
     * @example
     * ```typescript
     * const stash = new Stash({ ... })
     * const result = await stash.list()
     * if (result.failure) {
     *   console.error('Failed to list secrets:', result.failure.message)
     * } else {
     *   console.log('Secrets:', result.data)
     * }
     * ```
     */
    list(): Promise<Result<SecretMetadata[], {
        type: string;
        message: string;
    }>>;
    /**
     * Delete a secret from the vault.
     *
     * @param name - The name of the secret to delete
     * @returns A Result indicating success or failure
     *
     * @example
     * ```typescript
     * const stash = new Stash({ ... })
     * const result = await stash.delete('DATABASE_URL')
     * if (result.failure) {
     *   console.error('Failed to delete secret:', result.failure.message)
     * }
     * ```
     */
    delete(name: SecretName): Promise<Result<void, {
        type: string;
        message: string;
    }>>;
}

export { type DecryptedSecretResponse, type GetSecretResponse, type ListSecretsResponse, type SecretMetadata, type SecretName, type SecretValue, Stash, type StashConfig };