/**
 * CryptoStorage - Device crypto record storage
 *
 * This module provides storage for device crypto records and UAK key pairs.
 * It uses the infrastructure StorageManager internally but provides a
 * higher-level API specific to device bootstrap and ZKP operations.
 */
export interface DeviceCryptoRecord {
    key: string;
    userid: string;
    configId: string;
    algorithmType: string;
    keyset: string;
    hindex: string;
    salt1: string;
    salt2: string;
    combinedprs: string;
    peerPublicKeyJWK: JsonWebKey;
    iv0: string;
    timestamp: number;
    /** When set, the client should stop attempting device bootstrap after this time. */
    expiresAt?: number;
    /** Schema version for forward-compatible record evolution. Absent = v1. */
    schemaVersion?: number;
    /** Crypto algorithm suite used when this record was created (e.g. "x25519+ed25519"). */
    cryptoSuite?: string;
}
/**
 * CryptoStorage - Handles device crypto record persistence
 *
 * Uses IndexedDB with in-memory fallback for environments where
 * IndexedDB is not available (e.g., Node.js, some private browsing modes).
 */
export declare class CryptoStorage {
    private dbPromise;
    private readonly memory;
    private _isPersistent;
    init(): Promise<void>;
    /**
     * Returns true if storage is backed by IndexedDB (persistent across sessions).
     * Returns false if using in-memory fallback (will not persist).
     * Must call init() first or this will return null.
     */
    isPersistent(): boolean | null;
    saveDeviceRecord(record: DeviceCryptoRecord): Promise<void>;
    saveUakKeyPair(key: string, keyPair: CryptoKeyPair): Promise<void>;
    /**
     * Check if a device record exists for the given key.
     * Used to determine if we should attempt ZKP authentication mode.
     */
    hasDeviceRecord(key: string): Promise<boolean>;
    /**
     * Get a device record by key.
     * Returns null if not found.
     */
    getDeviceRecord(key: string): Promise<DeviceCryptoRecord | null>;
    /**
     * Get a UAK key pair by key.
     * Returns null if not found.
     */
    getUakKeyPair(key: string): Promise<CryptoKeyPair | null>;
    /**
     * Delete a device record by key.
     * Does not throw if record doesn't exist.
     */
    deleteDeviceRecord(key: string): Promise<void>;
    /**
     * Delete a UAK key pair by key.
     * Does not throw if key pair doesn't exist.
     */
    deleteUakKeyPair(key: string): Promise<void>;
    /**
     * Clear all crypto data for a given identifier (userid + configId).
     * Removes both the device record and associated UAK keys.
     */
    clearAllForIdentifier(userid: string, configId: string): Promise<void>;
    /**
     * Normalize key for case-insensitive email handling
     * Extracts userid from key format "userid+configId" and lowercases it
     */
    private normalizeKey;
    private ensureDb;
    private openDatabase;
}
export declare function encodeBytes(bytes: Uint8Array | ArrayBuffer): string;