/**
 * Generic HMAC Signing Utilities
 *
 * Provides HMAC-SHA256 signing and verification for any JSON-serializable data.
 * Protects against data tampering when stored in external systems.
 *
 * @example
 * ```typescript
 * import { signData, verifyData } from '@frontmcp/utils';
 *
 * // Sign any data
 * const signed = signData({ userId: '123', role: 'admin' }, { secret: 'my-secret' });
 *
 * // Verify and extract
 * const data = verifyData(signed, { secret: 'my-secret' });
 * if (data) {
 *   console.log(data.userId); // '123'
 * }
 * ```
 */
/**
 * Signed data wrapper structure.
 * Contains the data and its HMAC signature.
 */
export interface SignedData<T> {
    /** The signed data */
    data: T;
    /** HMAC-SHA256 signature in base64url format */
    sig: string;
    /** Signature version for future algorithm changes */
    v: 1;
}
/**
 * Configuration for HMAC signing operations.
 */
export interface HmacSigningConfig {
    /**
     * The secret key used for HMAC signing.
     * Should be at least 32 bytes for security.
     */
    secret: string;
}
/**
 * Sign data with HMAC-SHA256.
 *
 * Creates a tamper-evident wrapper around the data.
 * Any modification to the data will invalidate the signature.
 *
 * @param data - The data to sign (must be JSON-serializable)
 * @param config - Signing configuration with secret
 * @returns JSON string containing signed data
 *
 * @example
 * ```typescript
 * const signed = signData({ key: 'value' }, { secret: 'my-secret' });
 * await redis.set('mykey', signed);
 * ```
 */
export declare function signData<T>(data: T, config: HmacSigningConfig): string;
/**
 * Verify and extract signed data.
 *
 * Validates the HMAC signature and returns the data if valid.
 * Returns null if the signature is invalid or the data is corrupted.
 *
 * @param signedJson - JSON string from signData()
 * @param config - Signing configuration with secret
 * @returns The verified data or null if invalid
 *
 * @example
 * ```typescript
 * const raw = await redis.get('mykey');
 * const data = verifyData<MyType>(raw, { secret: 'my-secret' });
 * if (!data) {
 *   // Data was tampered with or corrupted
 * }
 * ```
 */
export declare function verifyData<T>(signedJson: string, config: HmacSigningConfig): T | null;
/**
 * Check if a stored value is signed data.
 * Useful for migrating from unsigned to signed data.
 *
 * @param json - Raw JSON string from storage
 * @returns true if the data appears to be signed
 */
export declare function isSignedData(json: string): boolean;
/**
 * Verify or parse data, supporting both signed and unsigned formats.
 * Useful for backwards compatibility during migration.
 *
 * @param json - Raw JSON string from storage
 * @param config - Signing configuration with secret
 * @returns The data (verified if signed, parsed if unsigned) or null
 */
export declare function verifyOrParseData<T>(json: string, config: HmacSigningConfig): T | null;