import type { ConfluentCloudDirectConfig, ConnectionConfig, DirectConnectionConfig, FlinkDirectConfig, KafkaDirectConfig, OAuthConnectionConfig, SchemaRegistryDirectConfig, TableflowDirectConfig, TelemetryDirectConfig } from "../../../../config/models.js"; /** * How the `describe-configured-connection` card treats one connection-config * field. The visibility maps below are keyed `Record` * over each connection arm and service block, so adding a config field fails * `tsc --noEmit` (which runs in the pre-push hook and CI) until it is * classified here — a new knob can never ship without a deliberate * surface/withhold decision, and a secret-leak audit stays a single-file review. * * - `public` — non-secret scalar; surfaced in the card. * - `secret` — credential material (`auth` blocks); never surfaced. Audit these. * - `withheld` — non-secret but deliberately not surfaced: either a structured / * opaque value (`extra_properties`) or one the card surfaces by other means * (`read_only`, echoed as the coerced top-level `readOnly` boolean instead). * - `block` — a nested service block; surfaced via its own map in * {@link SERVICE_BLOCK_VISIBILITY}. Only appears at the connection level. */ export type FieldVisibility = "public" | "secret" | "withheld" | "block"; export declare const KAFKA_FIELD_VISIBILITY: Readonly>; export declare const SCHEMA_REGISTRY_FIELD_VISIBILITY: Readonly>; export declare const CONFLUENT_CLOUD_FIELD_VISIBILITY: Readonly>; export declare const TABLEFLOW_FIELD_VISIBILITY: Readonly>; export declare const TELEMETRY_FIELD_VISIBILITY: Readonly>; export declare const FLINK_FIELD_VISIBILITY: Readonly>; export declare const DIRECT_CONNECTION_FIELD_VISIBILITY: Readonly>; export declare const OAUTH_CONNECTION_FIELD_VISIBILITY: Readonly>; /** * Field-visibility map for each direct-connection service block, keyed by the * block's connection-field name. The keys are exactly the * {@link DIRECT_CONNECTION_FIELD_VISIBILITY} entries classified `"block"` * (pinned by the drift-catch test in `describe-fields.test.ts`). */ export declare const SERVICE_BLOCK_VISIBILITY: Readonly>>>; /** * The config-derived portion of a `describe-configured-connection` card: * `scalars` holds the connection's `public` connection-level fields (e.g. * `type`, `description`, and OAuth's `ccloud_env` / `kafka_debug`); `blocks` * maps each present service block to its `public` fields. Secrets and * `withheld` fields never appear in either. */ export interface ConnectionCard { readonly scalars: Record; readonly blocks: Record>; } /** * Project a connection into its non-secret card, driven entirely by the * visibility maps. OAuth connections carry no service blocks, so `blocks` is * empty for them; the `public`/`secret`/`withheld`/`block` switch is the single * place the surface/withhold decision is enforced at runtime. */ export declare function buildConnectionCard(conn: ConnectionConfig): ConnectionCard; //# sourceMappingURL=describe-fields.d.ts.map