/**
 * @fractary/core - GitHub App Authentication
 *
 * Full GitHub App authentication with JWT generation, token exchange, and caching.
 */
import type { GitHubAppConfig } from './types';
/**
 * GitHub App authentication handler
 *
 * Handles the complete GitHub App authentication flow:
 * 1. Generates JWT signed with the app's private key
 * 2. Exchanges JWT for an installation access token via GitHub API
 * 3. Caches tokens and auto-refreshes before expiration
 *
 * @example
 * ```typescript
 * const auth = new GitHubAppAuth({
 *   id: '123456',
 *   installation_id: '789012',
 *   private_key_path: '/path/to/private-key.pem'
 * });
 *
 * const token = await auth.getInstallationToken();
 * ```
 */
export declare class GitHubAppAuth {
    private readonly config;
    private readonly privateKey;
    private cachedToken;
    /** In-flight token request promise (for race condition prevention) */
    private pendingTokenRequest;
    /** Token refresh buffer - refresh 5 minutes before expiration */
    private static readonly REFRESH_BUFFER_MS;
    /** JWT expiration time - 10 minutes (GitHub's maximum) */
    private static readonly JWT_EXPIRATION_SECONDS;
    /**
     * Create a new GitHub App authentication handler
     *
     * @param config GitHub App configuration
     * @throws AuthenticationError if private key cannot be loaded
     */
    constructor(config: GitHubAppConfig);
    /**
     * Load private key from file or environment variable
     *
     * @returns The PEM-encoded private key
     * @throws AuthenticationError if private key cannot be loaded
     */
    private loadPrivateKey;
    /**
     * Generate a JWT for GitHub App authentication
     *
     * The JWT is signed with the app's private key using RS256.
     *
     * @returns Signed JWT string
     */
    private generateJWT;
    /**
     * Exchange JWT for an installation access token
     *
     * @returns Installation access token response from GitHub
     * @throws AuthenticationError if token exchange fails
     */
    private exchangeJWTForToken;
    /**
     * Check if the cached token is still valid
     *
     * A token is considered valid if it exists and won't expire within
     * the refresh buffer window (5 minutes).
     *
     * @returns true if cached token is valid and not near expiration
     */
    private isCachedTokenValid;
    /**
     * Get a valid installation access token
     *
     * Returns a cached token if still valid, otherwise generates a new one.
     * Tokens are automatically refreshed 5 minutes before expiration.
     *
     * Thread-safe: concurrent calls will share the same pending request
     * to prevent redundant API calls and potential rate limiting.
     *
     * @returns Installation access token string
     * @throws AuthenticationError if token cannot be obtained
     */
    getInstallationToken(): Promise<string>;
    /**
     * Internal method to fetch and cache token
     * Separated from getInstallationToken to enable promise sharing
     */
    private fetchAndCacheToken;
    /**
     * Clear the cached token
     *
     * Forces the next getInstallationToken() call to fetch a fresh token.
     * Note: Does not cancel any in-flight request.
     */
    clearCache(): void;
    /**
     * Get information about the cached token (for debugging)
     *
     * @returns Object with cache status, or null if no cached token
     */
    getCacheInfo(): {
        expiresAt: Date;
        isValid: boolean;
    } | null;
}
//# sourceMappingURL=github-app-auth.d.ts.map