//#region extensions/crypto/src/services/keychain-secrets.d.ts
/**
 * Keychain Secrets — macOS Keychain storage for LLM API keys.
 *
 * Stores API keys in macOS Keychain (via `security` CLI) so they persist
 * across sessions without living in plaintext .env files. On Linux/Docker,
 * falls back to an encrypted file at ~/.openclawnch/api-keys.enc.
 *
 * On startup, keys are loaded from Keychain into process.env so the
 * credential vault and agent orchestrator find them automatically.
 *
 * No new dependencies — uses the same Keychain pattern as keychain-wallet.ts.
 *
 * Review notes (this file holds declarations only; the implementation is not visible here):
 * - Once a key is copied into process.env it is readable by all code in the
 *   process, and Node child processes inherit process.env unless they are
 *   given an explicit `env`. At-rest protection therefore ends at startup.
 * - NOTE(review): confirm how the key value is handed to the `security` CLI;
 *   a secret passed as a command-line argument is exposed in the process list.
 * - NOTE(review): the origin of the encryption key for api-keys.enc and the
 *   file's permissions are not shown here; confirm both in the implementation.
 */
interface ApiKeyEntry {
  /** Provider name (e.g., 'anthropic'). */
  provider: string;
  /** The API key value, in plaintext. Objects of this type must not be logged or serialized to diagnostics. */
  key: string;
  /** When the key was stored. Presumably a timestamp string; the format is not shown here. */
  storedAt: string;
}
/**
 * Known LLM providers and their env var mappings.
 *
 * NOTE(review): `Record` appears without type arguments in this listing,
 * which does not type-check; they were probably lost when the page was
 * extracted. Restore them from the generated declaration file.
 */
declare const PROVIDERS: Record;
/**
 * Store an API key for a provider.
 * On macOS: stored in Keychain. On Linux: stored in encrypted file.
 *
 * @param provider - Provider name the key belongs to.
 * @param key - The API key value to persist.
 */
declare function storeApiKey(provider: string, key: string): void;
/**
 * Load an API key for a provider.
 * Returns null if not stored.
 *
 * The return value is the plaintext key; callers should use {@link maskKey}
 * before displaying or logging it.
 *
 * @param provider - Provider name to look up.
 * @returns The stored key, or null when none exists.
 */
declare function loadApiKey(provider: string): string | null;
/**
 * Remove an API key for a provider.
 * Returns true if a key was deleted.
 *
 * NOTE(review): whether the matching process.env entry is also cleared is
 * not visible here; if it is not, the key stays usable until restart.
 *
 * @param provider - Provider name whose key should be removed.
 * @returns true if a key was deleted.
 */
declare function removeApiKey(provider: string): boolean;
/**
 * List all providers that have stored keys.
 * Returns provider names only — never the key values.
 */
declare function listStoredProviders(): string[];
/**
 * Get the currently active LLM provider.
 */
declare function getActiveProvider(): string;
/**
 * Set the active LLM provider. Persists to config.
 *
 * NOTE(review): the declaration accepts any string; whether the value is
 * validated against PROVIDERS is not shown here.
 *
 * @param provider - Provider name to make active.
 */
declare function setActiveProvider(provider: string): void;
/**
 * Load all stored API keys into process.env on startup.
 * Called once during gateway_start to hydrate the credential vault.
 * Keys from Keychain/file are only loaded if the env var isn't already set
 * (env vars take precedence over stored keys).
 *
 * Because of that precedence, the environment the gateway is launched with
 * decides which key is used when both are present.
 *
 * @returns Two string lists, `loaded` and `skipped` (presumably provider
 * names; confirm against the implementation).
 */
declare function hydrateApiKeys(): {
  loaded: string[];
  skipped: string[];
};
/**
 * Mask an API key for display (show first 6 + last 4 chars).
 *
 * NOTE(review): the masked form reveals ten characters of the key. How keys
 * of ten characters or fewer are handled is not shown here; confirm they are
 * not returned unmasked.
 *
 * @param key - The API key value to mask.
 * @returns The masked representation for display.
 */
declare function maskKey(key: string): string;
//#endregion
export { ApiKeyEntry, PROVIDERS, getActiveProvider, hydrateApiKeys, listStoredProviders, loadApiKey, maskKey, removeApiKey, setActiveProvider, storeApiKey };
//# sourceMappingURL=keychain-secrets.d.mts.map