import type { ProviderSnapshot } from './session.types';
import type { TokenStore } from './token.store';
import type { TokenVault } from './token.vault';
export type TokenRefreshCtx = {
    /** The provider we’re refreshing for. */
    providerId: string;
    /** Caller-provided session facade (only what a refresher may need). */
    session: {
        id: string;
        scopeId: string;
        /** Current snapshot (mutable by the session after refresh). */
        authorizedProviders: Record<string, ProviderSnapshot>;
        /** Optional helper if the refresher wants to call other providers. */
        getToken?: (pid: string, opts?: {
            refreshSkewSec?: number;
            forceRefresh?: boolean;
        }) => Promise<string | undefined>;
    };
    /** Current access token (if known); may be undefined/expired. */
    accessToken?: string;
    /**
     * Refresh token (if accessible by the embedding mode).
     * For `ref` mode this is usually `undefined`; the refresher should use `store`/`vault`.
     */
    refreshToken?: string;
    /** The snapshot we’re refreshing (same as authorizedProviders[providerId]). */
    snapshot: ProviderSnapshot;
    /**
     * External storage interfaces, present for `ref` mode to avoid revealing plaintext tokens.
     * - `store` holds opaque encrypted blobs
     * - `vault` handles AEAD encryption/decryption of secrets
     */
    store?: TokenStore;
    vault?: TokenVault;
};
export type TokenRefreshResult = {
    /** New access token (if rotated). */
    accessToken?: string;
    /** New refresh token (optional). */
    refreshToken?: string;
    /** New absolute expiry (seconds since epoch preferred; ms also accepted). */
    exp: number;
    /** Optional opaque payload returned by the AS (id_token claims, etc.). */
    payload?: Record<string, unknown>;
};
export type TokenRefresher = (ctx: TokenRefreshCtx) => Promise<TokenRefreshResult>;
/** Convert seconds/ms epoch or Date to epoch seconds. */
export declare function toEpochSeconds(exp?: number | Date): number | undefined;
/** Returns true if `exp` will occur within `skewSec` from now (or already past). */
export declare function isSoonExpiring(exp?: number | Date, skewSec?: number): boolean;
/**
 * Synchronous check against a provider snapshot’s `exp` field.
 * Note: In `ref` mode the exact expiry may live in the store; this helper
 * intentionally remains synchronous and only uses the snapshot’s `exp`.
 */
export declare function isSoonExpiringProvider(sessionLike: {
    authorizedProviders: Record<string, ProviderSnapshot>;
}, providerId: string, skewSec?: number): boolean;
/** Best-effort extraction of `exp` from a JWT without verification. */
export declare function tryJwtExp(token?: string): number | undefined;