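//#region extensions/crypto/src/services/credential-vault.d.ts
/**
 * Credential Vault — centralized secret access with leak scanning.
 *
 * Inspired by IronClaw's credential boundary injection pattern.
 * Instead of tools reading process.env directly, they request secrets
 * through this vault. The vault:
 *   1. Provides secrets on demand (single point of access)
 *   2. Tracks which tools accessed which secrets (audit log)
 *   3. Scans outbound strings for leaked credentials before they reach the LLM
 *
 * This does NOT encrypt secrets at rest (they're still in env vars / Fly secrets).
 * What it does is:
 *   - Prevent accidental secret exposure in tool output
 *   - Create an audit trail of secret access
 *   - Provide a single place to rotate/revoke secrets
 *   - Scan LLM-bound text for credential leaks
 *
 * NOTE(review): this file only declares the API. Nothing here stops code in
 * the same process from reading process.env directly, so the guarantees above
 * hold only for callers that actually go through the vault.
 */

/**
 * One audit-log entry, as returned by `CredentialVault.getAccessLog`.
 */
interface SecretAccess {
  // Identifier of the secret that was requested.
  // NOTE(review): presumably the logical name, not the env var name or the
  // value; confirm against the implementation.
  key: string;
  // Tool label recorded for the request.
  tool: string;
  // Time of the access. NOTE(review): units are not visible here
  // (epoch milliseconds presumed); confirm.
  timestamp: number;
}

/**
 * Result of `CredentialVault.scanForLeaks`.
 */
interface LeakScanResult {
  // True when the scan reported no leaks.
  // NOTE(review): the `type`/`pattern` fields suggest pattern-based detection,
  // so treat `clean: true` as "no known pattern matched", not as proof that
  // the text contains no credential; confirm.
  clean: boolean;
  // One entry per detected leak.
  // NOTE(review): confirm that `pattern` identifies the detector and does not
  // carry the matched substring; if it did, logging or forwarding `leaks`
  // would re-expose the secret. `position` is presumably an offset into the
  // scanned text.
  leaks: Array<{
    type: string;
    pattern: string;
    position: number;
  }>;
  // Redacted version of the scanned text. When `clean` is false, this is the
  // string to forward instead of the original input.
  redactedText: string;
}

/**
 * Single point of access for secrets: hands out values, keeps an access log,
 * and scans text for leaked credentials.
 */
declare class CredentialVault {
  private accessLog;
  // NOTE(review): presumably caps `accessLog`, so older entries may be
  // dropped; if so the log is a diagnostic aid, not a durable audit trail.
  private readonly MAX_LOG_SIZE;

  /**
   * Get a secret value by its logical name.
   * Returns null if not configured.
   *
   * The returned string is the secret itself: keep it out of logs, error
   * messages and tool output.
   *
   * @param name Logical name of the secret.
   * @param tool Label of the requesting tool. It is supplied by the caller,
   *   so the audit log records what callers claim, not a verified identity.
   * @returns The secret value, or null if it is not configured.
   */
  getSecret(name: string, tool: string): string | null;

  /**
   * Check if a secret is configured (without revealing its value).
   *
   * @param name Logical name of the secret.
   * @returns True when the secret is configured.
   */
  hasSecret(name: string): boolean;

  /**
   * Get the raw env var name for a logical secret name.
   * Use this only when you need to pass the env var name (not value) to something.
   *
   * @param name Logical name of the secret.
   * @returns The env var name, or null.
   *   NOTE(review): null presumably means the logical name is unknown; confirm.
   */
  getEnvVarName(name: string): string | null;

  /**
   * Scan text for credential leaks.
   * Returns a result with any detected leaks and a redacted version of the text.
   *
   * @param text Text to scan, for example tool output bound for the LLM.
   * @returns The scan result; use `redactedText` rather than `text` when
   *   `clean` is false.
   */
  scanForLeaks(text: string): LeakScanResult;

  /**
   * Get recent access log entries (for diagnostics).
   *
   * @param limit Optional maximum number of entries to return.
   *   NOTE(review): the default when omitted is not visible here.
   * @returns Access log entries.
   */
  getAccessLog(limit?: number): SecretAccess[];

  /**
   * Get a summary of configured vs unconfigured secrets.
   *
   * NOTE(review): `sensitive` is typed as string, not boolean. Confirm what it
   * carries, and that it is never the secret value or a partial preview of
   * it, since this summary is likely to end up in diagnostics output.
   *
   * @returns One entry per known secret.
   */
  getConfigurationSummary(): Array<{
    name: string;
    envVar: string;
    description: string;
    configured: boolean;
    sensitive: string;
  }>;

  private logAccess;
}

/**
 * Get a CredentialVault instance.
 *
 * NOTE(review): the paired reset function suggests one shared instance per
 * process; confirm against the implementation.
 */
declare function getCredentialVault(): CredentialVault;

/**
 * Reset the vault.
 *
 * NOTE(review): presumably discards the shared instance and, with it, the
 * in-memory access log; confirm before calling this outside tests.
 */
declare function resetCredentialVault(): void;
//#endregion

export { LeakScanResult, SecretAccess, getCredentialVault, resetCredentialVault };
//# sourceMappingURL=credential-vault.d.mts.map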