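/**
 * Secret persistence utilities for storing encryption secrets.
 *
 * Follows the same pattern as OAuth JWK dev-key-persistence for consistency.
 * Stores a random secret to a JSON file for use when no environment variable is set.
 *
 * This enables development environments to have consistent encryption keys
 * without requiring manual configuration.
 *
 * Security notes:
 * - The persisted file holds key material. NOTE(review): nothing in these
 *   declarations indicates the secret is encrypted at rest, so treat the file
 *   as plaintext: keep it out of version control, container images and
 *   shared backups.
 * - Persistence is a development convenience. In production, supply the secret
 *   through the environment variable (or a secret manager feeding it) rather
 *   than relying on `forceEnable`.
 *
 * @module @frontmcp/utils/secret-persistence
 */
import type { SecretData, SecretPersistenceOptions } from './types';

/**
 * Check if secret persistence is enabled based on environment and options.
 *
 * By default, persistence is:
 * - Enabled in development (NODE_ENV !== 'production')
 * - Disabled in production unless forceEnable is true
 *
 * Because the rule is `NODE_ENV !== 'production'`, an unset or misspelled
 * NODE_ENV counts as development and persistence is enabled. Deployments
 * should set NODE_ENV explicitly.
 *
 * @param options - Persistence options
 * @returns true if persistence is enabled
 */
export declare function isSecretPersistenceEnabled(options?: SecretPersistenceOptions): boolean;

/**
 * Resolve the secret file path.
 *
 * NOTE(review): if any part of the path can come from configuration that is
 * not fully trusted, confirm the implementation constrains where the file
 * may be written; that is not visible from this declaration.
 *
 * @param options - Persistence options
 * @returns Absolute path to secret file
 */
export declare function resolveSecretPath(options?: SecretPersistenceOptions): string;

/**
 * Load persisted secret from file.
 *
 * A missing file and an invalid file both yield null, so callers cannot tell
 * "never created" apart from "corrupted or tampered with".
 * NOTE(review): confirm whether the loader checks the file's owner/mode
 * before trusting its contents.
 *
 * @param options - Persistence options
 * @returns The loaded secret data or null if not found/invalid
 */
export declare function loadSecret(options?: SecretPersistenceOptions): Promise<SecretData | null>;

/**
 * Save secret to file.
 *
 * Uses atomic write (temp file + rename) to prevent corruption.
 * Sets file permissions to 0o600 (owner read/write only) for security.
 *
 * NOTE(review): confirm the temp file is created with mode 0o600 rather than
 * chmod-ed after the write, so the secret is never readable under the default
 * umask. POSIX mode bits give little protection on Windows; confirm how the
 * file is protected there.
 *
 * @param secretData - Secret data to persist
 * @param options - Persistence options
 * @returns true if save succeeded, false otherwise
 */
export declare function saveSecret(secretData: SecretData, options?: SecretPersistenceOptions): Promise<boolean>;

/**
 * Delete persisted secret.
 *
 * @param options - Persistence options
 * @returns true if deleted or didn't exist, false on error
 */
export declare function deleteSecret(options?: SecretPersistenceOptions): Promise<boolean>;

/**
 * Generate a new random secret.
 *
 * NOTE(review): confirm the implementation draws from a cryptographically
 * secure source (e.g. `randomBytes` from `node:crypto`), and whether small
 * `bytes` values are rejected. Values below the default reduce the
 * secret's entropy.
 *
 * @param bytes - Number of random bytes (default 32 = 256 bits)
 * @returns Base64url-encoded random string
 */
export declare function generateSecret(bytes?: number): string;

/**
 * Create a new secret data object with current timestamp.
 *
 * @param options - Options including secret bytes
 * @returns New SecretData object
 */
export declare function createSecretData(options?: SecretPersistenceOptions): SecretData;

/**
 * Get or create a persisted secret.
 *
 * This is the main entry point for getting a secret.
 * It will:
 * 1. Return cached secret if available (for this name)
 * 2. Load from file if exists
 * 3. Generate new secret and persist it
 *
 * Thread-safe: concurrent calls will share the same generation promise.
 * Sharing a promise deduplicates callers within one process only.
 * NOTE(review): whether several processes racing to create the same file
 * converge on one secret is not visible here; confirm.
 *
 * NOTE(review): behaviour when persistence is disabled (the production
 * default) or when the save fails is not stated. If the generated secret is
 * then process-local, data encrypted with it will not survive a restart;
 * confirm.
 *
 * NOTE(review): the cache key is described as "name" here and as "path" on
 * clearCachedSecret; confirm which one identifies a cached secret.
 *
 * @param options - Persistence options
 * @returns The secret string
 */
export declare function getOrCreateSecret(options?: SecretPersistenceOptions): Promise<string>;

/**
 * Clear the cached secret (for testing).
 *
 * NOTE(review): presumably clears only the in-memory cache and leaves the
 * persisted file in place (deleteSecret removes the file); confirm.
 *
 * @param options - Options to identify which secret to clear (by path)
 */
export declare function clearCachedSecret(options?: SecretPersistenceOptions): void;

/**
 * Check if a secret is cached.
 *
 * @param options - Options to identify which secret to check
 * @returns true if cached
 */
export declare function isSecretCached(options?: SecretPersistenceOptions): boolean;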