import { TransportType } from "../mcp/transports/types.js";
import { z } from "zod";
/**
 * Connection configuration for a direct (local/Docker/Cloud) Kafka cluster.
 * Corresponds to `connections.<name>` (with `type: direct`) in the YAML configuration.
 * Service blocks are all optional: a connection with no blocks is valid and enables
 * only connection-agnostic tools (e.g. `search-product-docs`). Per-tool predicates
 * in `connection-predicates.ts` decide which tools each connection enables.
 */
export interface DirectConnectionConfig {
    readonly type: "direct";
    readonly kafka?: KafkaDirectConfig;
    readonly schema_registry?: SchemaRegistryDirectConfig;
    readonly confluent_cloud?: ConfluentCloudDirectConfig;
    readonly tableflow?: TableflowDirectConfig;
    readonly telemetry?: TelemetryDirectConfig;
    readonly flink?: FlinkDirectConfig;
}
/**
 * OAuth (PKCE) connection variant. Peer arm of {@link DirectConnectionConfig}
 * inside the `ConnectionConfig` discriminated union. The CCloud REST URL is
 * derived from `ccloud_env` via `getCloudRestUrlForEnv` inside
 * `OAuthClientManager`. No service blocks; OAuth-eligible tools auto-enable
 * OAuth connections (see `connection-predicates.ts`). Resource IDs that direct
 * connections supply via blocks must be passed as tool arguments under OAuth.
 *
 * `ccloud_env` defaults to "prod"
 *
 * `kafka_debug` is the optional librdkafka `debug` contexts string (e.g.
 * "security,broker,protocol", or "all") used as a diagnostic knob when an
 * OAuth/OAUTHBEARER SASL handshake misbehaves. Surfaced through to the
 * `OAuthClientManager` and threaded into the rdkafka client config.
 */
export interface OAuthConnectionConfig {
    readonly type: "oauth";
    readonly ccloud_env: "devel" | "stag" | "prod";
    readonly kafka_debug?: string;
}
/**
 * API key credential pair used throughout connection sub-configs.
 * Corresponds to `auth` blocks nested under each service in `connections.<name>`.
 */
export interface ApiKeyAuthConfig {
    readonly type: "api_key";
    readonly key: string;
    readonly secret: string;
}
export type AuthConfig = ApiKeyAuthConfig;
/**
 * Kafka broker connection parameters.
 * Corresponds to `connections.<name>.kafka` in the YAML configuration.
 */
export interface KafkaDirectConfig {
    readonly bootstrap_servers?: string;
    readonly auth?: AuthConfig;
    readonly rest_endpoint?: string;
    readonly cluster_id?: string;
    readonly env_id?: string;
    readonly extra_properties?: Readonly<Record<string, string>>;
}
/**
 * Schema Registry connection parameters.
 * Corresponds to `connections.<name>.schema_registry` in the YAML configuration.
 */
export interface SchemaRegistryDirectConfig {
    readonly endpoint: string;
    readonly auth?: AuthConfig;
}
/**
 * Confluent Cloud control-plane connection parameters.
 * Corresponds to `connections.<name>.confluent_cloud` in the YAML configuration.
 */
export interface ConfluentCloudDirectConfig {
    readonly endpoint: string;
    readonly auth: AuthConfig;
}
/**
 * Tableflow connection parameters.
 * Corresponds to `connections.<name>.tableflow` in the YAML configuration.
 */
export interface TableflowDirectConfig {
    readonly auth: AuthConfig;
}
/**
 * Telemetry API connection parameters (post-transform output type).
 * Corresponds to `connections.<name>.telemetry` in the YAML configuration.
 */
export interface TelemetryDirectConfig {
    readonly endpoint: string;
    readonly auth: AuthConfig;
}
/**
 * Flink connection parameters.
 * Corresponds to `connections.<name>.flink` in the YAML configuration.
 */
export interface FlinkDirectConfig {
    readonly endpoint: string;
    readonly auth: AuthConfig;
    readonly environment_id: string;
    readonly organization_id: string;
    readonly compute_pool_id: string;
    readonly catalog_name?: string;
    readonly database_name?: string;
}
/**
 * Discriminated union of all connection variants: direct (api-key) and oauth (PKCE).
 */
export type ConnectionConfig = DirectConnectionConfig | OAuthConnectionConfig;
/**
 * MCP server operational settings — transport, auth, and logging.
 * Corresponds to the `server` block at the root of the YAML configuration.
 * Distinct from connection config, which governs Kafka and Confluent Cloud client behaviour.
 */
export interface ServerConfig {
    readonly transports: readonly TransportType[];
    readonly log_level: "fatal" | "error" | "warn" | "info" | "debug" | "trace";
    readonly do_not_track: boolean;
    readonly http: ServerHttpConfig;
    readonly auth: ServerAuthConfig;
    readonly analytics?: ServerAnalyticsConfig;
}
/**
 * Internal-developer-only override for the Segment write key used to emit
 * anonymous usage analytics from this MCP server. Normal builds inject the
 * right value at `npm pack` time via build-config injection; this knob exists
 * so contributors can point analytics at a non-production Segment project
 * during local development. End users should not set it.
 *
 * Deliberately undocumented in the user-facing example YAML templates
 * (`config.example.yaml`, `config.oauth.example.yaml`) — surfacing it there
 * would legitimize a knob that exists only for internal mcp-confluent dev.
 */
export interface ServerAnalyticsConfig {
    readonly write_key: string;
}
/**
 * HTTP/SSE transport bind address and endpoint paths.
 * Corresponds to `server.http` in the YAML configuration.
 */
export interface ServerHttpConfig {
    readonly port: number;
    readonly host: string;
    readonly mcp_endpoint: string;
    readonly sse_endpoint: string;
    readonly sse_message_endpoint: string;
}
/**
 * HTTP/SSE transport authentication settings.
 * Corresponds to `server.auth` in the YAML configuration.
 * `api_key` and `disabled: true` are mutually exclusive.
 */
export interface ServerAuthConfig {
    readonly api_key?: string;
    readonly disabled: boolean;
    readonly allowed_hosts: readonly string[];
}
/**
 * Root configuration object representing the entire MCP server configuration.
 * Validated and constructed from parsed YAML via {@link mcpConfigSchema}.
 */
export declare class MCPServerConfiguration {
    /** Named connection map. Corresponds to the `connections` block at the root of the YAML configuration. */
    readonly connections: Readonly<Record<string, ConnectionConfig>>;
    /** MCP server operational settings. Corresponds to the `server` block at the root of the YAML configuration. */
    readonly server: ServerConfig;
    constructor(data: {
        connections: Record<string, ConnectionConfig>;
        server?: ServerConfig;
    });
    /**
     * Returns the single defined connection in the configuration.
     *
     * @returns the single defined connection
     * @throws Error if 0 or more than 1 connection is defined.
     */
    getSoleConnection(): ConnectionConfig;
    /**
     * Returns the sole connection narrowed to {@link DirectConnectionConfig}, throwing
     * if it is OAuth-typed. Use from callers that need to read service-block fields
     * (e.g., `kafka.cluster_id`, `flink.environment_id`) — the throw replaces what
     * would otherwise be a `conn.type === "direct"` guard at every read site.
     */
    getSoleDirectConnection(): DirectConnectionConfig;
    getConnectionNames(): string[];
}
/**
 * librdkafka property keys that have named YAML equivalents and must not appear in
 * `extra_properties`. Authoring them there is an error in YAML-configured connections;
 * use `bootstrap_servers` or the `auth` block instead.
 *
 * Note: this restriction applies only to YAML-authored configs. The `-k` /
 * `--kafka-config-file` CLI flag is a higher-precedence override mechanism and is
 * permitted to supply these keys (env vars are always lowest precedence).
 */
export declare const KAFKA_PROTECTED_EXTRA_PROPERTY_KEYS: readonly ["bootstrap.servers", "sasl.username", "sasl.password"];
export declare const CONFLUENT_CLOUD_DEFAULT_ENDPOINT = "https://api.confluent.cloud";
/**
 * The default server configuration produced when no `server` block is present in YAML
 * or when MCPServerConfiguration is constructed without an explicit server argument.
 * Derived from serverConfigSchema defaults — single source of truth.
 */
export declare const DEFAULT_SERVER_CONFIG: {
    transports: TransportType[];
    log_level: "info" | "fatal" | "error" | "warn" | "debug" | "trace";
    do_not_track: boolean;
    http: {
        port: number;
        host: string;
        mcp_endpoint: string;
        sse_endpoint: string;
        sse_message_endpoint: string;
    };
    auth: {
        disabled: boolean;
        allowed_hosts: string[];
        api_key?: string | undefined;
    };
    analytics?: {
        write_key: string;
    } | undefined;
};
/**
 * Root configuration schema. This is the single validation and normalisation
 * entry point shared by both configuration paths: YAML files (via
 * {@link parseYamlConfiguration}) and environment variables (via
 * {@link buildConfigFromEnvAndCli}). Transforms and cross-field rules defined here
 * therefore apply equally to both.
 *
 * Parsed output is wrapped in {@link MCPServerConfiguration} by
 * parseYamlConfiguration().
 */
export declare const mcpConfigSchema: z.ZodObject<{
    connections: z.ZodRecord<z.ZodString, z.ZodPipe<z.ZodDiscriminatedUnion<[z.ZodObject<{
        type: z.ZodLiteral<"direct">;
        confluent_cloud: z.ZodOptional<z.ZodObject<{
            endpoint: z.ZodOptional<z.ZodString>;
            auth: z.ZodDiscriminatedUnion<[z.ZodObject<{
                type: z.ZodLiteral<"api_key">;
                key: z.ZodString;
                secret: z.ZodString;
            }, z.core.$strict>], "type">;
        }, z.core.$strict>>;
        kafka: z.ZodOptional<z.ZodObject<{
            bootstrap_servers: z.ZodOptional<z.ZodString>;
            auth: z.ZodOptional<z.ZodDiscriminatedUnion<[z.ZodObject<{
                type: z.ZodLiteral<"api_key">;
                key: z.ZodString;
                secret: z.ZodString;
            }, z.core.$strict>], "type">>;
            rest_endpoint: z.ZodOptional<z.ZodString>;
            cluster_id: z.ZodOptional<z.ZodString>;
            env_id: z.ZodOptional<z.ZodString>;
            extra_properties: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
        }, z.core.$strict>>;
        schema_registry: z.ZodOptional<z.ZodObject<{
            endpoint: z.ZodString;
            auth: z.ZodOptional<z.ZodDiscriminatedUnion<[z.ZodObject<{
                type: z.ZodLiteral<"api_key">;
                key: z.ZodString;
                secret: z.ZodString;
            }, z.core.$strict>], "type">>;
        }, z.core.$strict>>;
        tableflow: z.ZodOptional<z.ZodObject<{
            auth: z.ZodDiscriminatedUnion<[z.ZodObject<{
                type: z.ZodLiteral<"api_key">;
                key: z.ZodString;
                secret: z.ZodString;
            }, z.core.$strict>], "type">;
        }, z.core.$strict>>;
        telemetry: z.ZodOptional<z.ZodObject<{
            endpoint: z.ZodOptional<z.ZodString>;
            auth: z.ZodOptional<z.ZodDiscriminatedUnion<[z.ZodObject<{
                type: z.ZodLiteral<"api_key">;
                key: z.ZodString;
                secret: z.ZodString;
            }, z.core.$strict>], "type">>;
        }, z.core.$strict>>;
        flink: z.ZodOptional<z.ZodObject<{
            endpoint: z.ZodString;
            auth: z.ZodDiscriminatedUnion<[z.ZodObject<{
                type: z.ZodLiteral<"api_key">;
                key: z.ZodString;
                secret: z.ZodString;
            }, z.core.$strict>], "type">;
            environment_id: z.ZodString;
            organization_id: z.ZodString;
            compute_pool_id: z.ZodString;
            catalog_name: z.ZodOptional<z.ZodString>;
            database_name: z.ZodOptional<z.ZodString>;
        }, z.core.$strict>>;
    }, z.core.$strict>, z.ZodObject<{
        type: z.ZodLiteral<"oauth">;
        ccloud_env: z.ZodDefault<z.ZodEnum<{
            devel: "devel";
            stag: "stag";
            prod: "prod";
        }>>;
        kafka_debug: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>], "type">, z.ZodTransform<DirectConnectionConfig | OAuthConnectionConfig, {
        type: "direct";
        confluent_cloud?: {
            auth: {
                type: "api_key";
                key: string;
                secret: string;
            };
            endpoint?: string | undefined;
        } | undefined;
        kafka?: {
            bootstrap_servers?: string | undefined;
            auth?: {
                type: "api_key";
                key: string;
                secret: string;
            } | undefined;
            rest_endpoint?: string | undefined;
            cluster_id?: string | undefined;
            env_id?: string | undefined;
            extra_properties?: Record<string, string> | undefined;
        } | undefined;
        schema_registry?: {
            endpoint: string;
            auth?: {
                type: "api_key";
                key: string;
                secret: string;
            } | undefined;
        } | undefined;
        tableflow?: {
            auth: {
                type: "api_key";
                key: string;
                secret: string;
            };
        } | undefined;
        telemetry?: {
            endpoint?: string | undefined;
            auth?: {
                type: "api_key";
                key: string;
                secret: string;
            } | undefined;
        } | undefined;
        flink?: {
            endpoint: string;
            auth: {
                type: "api_key";
                key: string;
                secret: string;
            };
            environment_id: string;
            organization_id: string;
            compute_pool_id: string;
            catalog_name?: string | undefined;
            database_name?: string | undefined;
        } | undefined;
    } | {
        type: "oauth";
        ccloud_env: "devel" | "stag" | "prod";
        kafka_debug?: string | undefined;
    }>>>;
    server: z.ZodDefault<z.ZodObject<{
        transports: z.ZodDefault<z.ZodArray<z.ZodEnum<{
            http: TransportType.HTTP;
            sse: TransportType.SSE;
            stdio: TransportType.STDIO;
        }>>>;
        log_level: z.ZodDefault<z.ZodEnum<{
            info: "info";
            fatal: "fatal";
            error: "error";
            warn: "warn";
            debug: "debug";
            trace: "trace";
        }>>;
        do_not_track: z.ZodDefault<z.ZodBoolean>;
        http: z.ZodDefault<z.ZodObject<{
            port: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
            host: z.ZodDefault<z.ZodString>;
            mcp_endpoint: z.ZodDefault<z.ZodString>;
            sse_endpoint: z.ZodDefault<z.ZodString>;
            sse_message_endpoint: z.ZodDefault<z.ZodString>;
        }, z.core.$strict>>;
        auth: z.ZodDefault<z.ZodObject<{
            api_key: z.ZodOptional<z.ZodString>;
            disabled: z.ZodDefault<z.ZodBoolean>;
            allowed_hosts: z.ZodDefault<z.ZodArray<z.ZodString>>;
        }, z.core.$strict>>;
        analytics: z.ZodOptional<z.ZodObject<{
            write_key: z.ZodString;
        }, z.core.$strict>>;
    }, z.core.$strict>>;
}, z.core.$strict>;
/** Format Zod issues into a human-readable string */
export declare function formatZodIssues(issues: z.ZodError["issues"]): string;
//# sourceMappingURL=models.d.ts.map