/**
 * Nexus Action Integrity — Anti-CSRF & Anti-Replay Protection.
 *
 * Every Server Action invocation is protected by an ephemeral, HMAC-signed,
 * single-use token. The flow:
 *
 * 1. Server renders an island → calls generateActionToken(sessionId, action)
 * 2. Token is embedded in the HTML as a data attribute on the island
 * 3. Client POSTs the action with the token in x-nexus-action-token header
 * 4. Server calls validateActionToken() — verifies HMAC, session, expiry, and
 *    "burns" the token (single-use). A replay of the same token → blocked.
 *
 * Properties:
 * - HMAC-SHA256 signed with the app secret (tamper-proof)
 * - Bound to sessionId + actionName (no cross-action reuse)
 * - Expires after ACTION_TOKEN_TTL (default 15 min)
 * - Single-use: consumed on first valid use (replay attack prevention)
 * - Constant-time comparison to prevent timing attacks
 *
 * NOTE(review): "burning" a token requires server-side state that this
 * declaration file does not show. If that state is per-process, replay
 * prevention only holds within a single instance — confirm against the
 * implementation before relying on it behind a load balancer.
 */
/**
 * Request header name for the action token.
 *
 * Declared with its literal value, so `typeof ACTION_TOKEN_HEADER` is the
 * literal type `"x-nexus-action-token"` rather than `string`.
 */
export declare const ACTION_TOKEN_HEADER = "x-nexus-action-token";
/**
 * Canonical session cookie name used across Nexus (CSRF binding, cache-control).
 * Override with NEXUS_SESSION_COOKIE env var to match your auth layer's cookie name.
 *
 * Examples: 'next-auth.session-token', '__Secure-next-auth.session-token', 'sb-access-token'
 *
 * Typed as `string` (not a literal) because the value can come from the
 * environment at runtime.
 */
export declare const SESSION_COOKIE_NAME: string;
/**
 * Outcome of {@link validateActionToken}. Validation reports failure through
 * this object rather than by throwing, so callers must check `valid`.
 */
export interface TokenValidationResult {
    /** True only when the token passed every check and was consumed by this call. */
    valid: boolean;
    /**
     * Optional human-readable explanation of why validation failed.
     * Intended for server-side logging; whether it is safe to return to the
     * client unchanged depends on the implementation — confirm before exposing it.
     */
    reason?: string;
    /** True if the token was valid but has been consumed (replay attempt). */
    replayed?: boolean;
}
/**
 * Generates a signed, single-use action token.
 *
 * The token is bound to `sessionId` and `actionName`, so the validating side
 * must derive exactly the same pair (see {@link extractSessionId}); any
 * mismatch is reported as an invalid token. The expiry clock starts at
 * generation (ACTION_TOKEN_TTL, see the module header).
 *
 * @param sessionId Unique identifier for the current user session (cookie, JWT sub, etc.)
 * @param actionName The action being authorized (e.g. 'capture', 'update-favorites')
 * @param secret App-level secret — should come from process.env.NEXUS_SECRET
 * @returns base64url-encoded token safe to embed in HTML
 */
export declare function generateActionToken(sessionId: string, actionName: string, secret: string): string;
/**
 * Validates and consumes an action token.
 *
 * Calling this twice with the same
 * token will return `{ valid: false, replayed: true }` on the second call.
 *
 * Per the module header the checks are: HMAC signature, session/action
 * binding, expiry, then single-use consumption. Failures are returned in the
 * result object, not thrown.
 *
 * @param token Token from x-nexus-action-token header
 * @param sessionId Current user's session ID
 * @param actionName The action being invoked
 * @param secret Same secret used during generation
 * @returns {@link TokenValidationResult} — check `valid`; `replayed` flags a reuse attempt
 */
export declare function validateActionToken(token: string, sessionId: string, actionName: string, secret: string): TokenValidationResult;
/**
 * Extracts session ID from a request using the canonical session cookie
 * (SESSION_COOKIE_NAME / NEXUS_SESSION_COOKIE env var).
 *
 * Falls back to an HMAC fingerprint of IP + User-Agent when no session cookie
 * is present (anonymous users). The fingerprint is keyed with the app secret
 * so it cannot be reproduced without knowing NEXUS_SECRET.
 *
 * In production, override this by passing a custom `sessionId` to
 * `generateActionToken` / `validateActionToken` from your auth middleware.
 *
 * NOTE(review): the fallback fingerprint is shared by every anonymous client
 * that presents the same IP and User-Agent (shared NAT, corporate proxies),
 * and how the IP is obtained behind a reverse proxy is not visible here —
 * confirm which forwarded header, if any, the implementation trusts.
 *
 * @param request Incoming request whose cookies/headers are inspected
 * @returns Session ID string (cookie value, or the keyed fingerprint)
 */
export declare function extractSessionId(request: Request): string;
/**
 * Generates a session ID that is safe to store in a cookie.
 *
 * NOTE(review): the entropy source is not visible in this declaration file —
 * confirm the implementation uses a cryptographically secure generator.
 *
 * @returns A new opaque session identifier
 */
export declare function generateSessionId(): string;
//# sourceMappingURL=csrf.d.ts.map