/**
 * @fractary/core - Secrets Sanitization Utilities
 *
 * Unified utilities for redacting sensitive values from strings and objects.
 * Used by CLI, MCP server, and other components to prevent token/secret exposure.
 */
/**
 * Sanitize token/secret values from error messages and logs.
 * Replaces common secret patterns with [REDACTED].
 *
 * @param message - Error message or log string
 * @returns Sanitized message with secrets redacted
 *
 * @example
 * ```typescript
 * const safe = sanitizeSecrets('Failed with token ghp_abc123...');
 * // Returns: 'Failed with token [REDACTED_GITHUB_TOKEN]'
 * ```
 */
export declare function sanitizeSecrets(message: string): string;
/**
 * Check if a string contains potential security-sensitive information.
 *
 * @param value - String to check
 * @returns True if string might contain secrets
 *
 * @example
 * ```typescript
 * containsSecrets('my api_key is xyz'); // true
 * containsSecrets('hello world'); // false
 * ```
 */
export declare function containsSecrets(value: string): boolean;
/**
 * Check if a key name indicates it holds a sensitive value.
 *
 * @param key - Key name to check
 * @returns True if the key likely holds a secret
 */
export declare function isSensitiveKey(key: string): boolean;
/**
 * Redact sensitive values from a configuration object for display.
 * Preserves environment variable references like `${GITHUB_TOKEN}`.
 *
 * @param config - Configuration object to redact
 * @returns Deep copy with sensitive values redacted
 *
 * @example
 * ```typescript
 * const config = {
 *   token: 'ghp_secret123',
 *   owner: 'myorg',
 *   nested: { api_key: 'abc123' }
 * };
 * const safe = redactConfig(config);
 * // Returns: { token: '********', owner: 'myorg', nested: { api_key: '********' } }
 * ```
 */
export declare function redactConfig(config: unknown): unknown;
/**
 * Redact a single value if it appears to be a secret.
 *
 * @param value - Value to potentially redact
 * @param key - Optional key name for context-aware redaction
 * @returns Redacted value or original value if not sensitive
 */
export declare function redactValue(value: string, key?: string): string;
//# sourceMappingURL=secrets.d.ts.map