import * as _nuxt_schema from '@nuxt/schema';
import { FetchOptions } from 'ofetch';
import { RegistryScripts, FirstPartyPrivacy, NuxtConfigScriptRegistry, NuxtUseScriptOptionsSerializable, NuxtUseScriptInput, ResolvedProxyAutoInject, ProxyConfig } from '../dist/runtime/types.js';
export { FirstPartyPrivacy } from '../dist/runtime/types.js';

interface ResolvedProxySecret {
    secret: string;
    /** True when the secret exists only in memory (dev-only fallback; won't survive restarts). */
    ephemeral: boolean;
    /** Where the secret came from, for logging. */
    source: 'config' | 'env' | 'dotenv-generated' | 'memory-generated';
}
/**
 * Resolve the HMAC signing secret used for proxy URL signing.
 *
 * Precedence:
 * 1. `scripts.security.secret` in nuxt.config
 * 2. `NUXT_SCRIPTS_PROXY_SECRET` env var
 * 3. Dev-only auto-generation: write to `.env` (or keep in memory as last resort)
 * 4. Empty string (prod without secret; caller decides whether this is fatal)
 */
declare function resolveProxySecret(rootDir: string, isDev: boolean, configSecret?: string, autoGenerate?: boolean): ResolvedProxySecret | undefined;
declare function isProxyDisabled(registryKey: string, registry?: NuxtConfigScriptRegistry, runtimeConfig?: Record<string, any>): boolean;
declare function applyAutoInject(registry: NuxtConfigScriptRegistry, runtimeConfig: Record<string, any>, proxyPrefix: string, registryKey: string, autoInject: ResolvedProxyAutoInject): void;
declare function resolveConfiguredProxyDomains(config: Record<string, any> | undefined, proxyConfig?: Pick<ProxyConfig, 'autoInject' | 'configDomainFields'>): string[];
interface ModuleOptions {
    /**
     * Base path prefix for all script endpoints (proxy and bundled assets).
     *
     * Proxy endpoints are served at `<prefix>/p/**` and bundled assets at `<prefix>/assets/**`.
     *
     * @default '/_scripts'
     * @example '/_tracking'
     */
    prefix?: string;
    /**
     * Global privacy override for all proxied scripts.
     *
     * By default (`undefined`), each script uses its own privacy controls from the registry.
     * - `true`: full anonymization (IP, UA, language, screen, timezone, hardware)
     * - `false`: passthrough (still strips sensitive auth headers)
     * - `{ ip: true }`: selective override per flag
     *
     * @default undefined (per-script defaults)
     */
    privacy?: FirstPartyPrivacy;
    /**
     * The registry of supported third-party scripts. Presence enables infrastructure (proxy routes, types, bundling, composable auto-imports).
     * Scripts only auto-load globally when `trigger` is explicitly set in the config object.
     */
    registry?: NuxtConfigScriptRegistry;
    /**
     * Default options for scripts.
     */
    defaultScriptOptions?: NuxtUseScriptOptionsSerializable;
    /**
     * Register scripts that should be loaded globally on all pages.
     */
    globals?: Record<string, NuxtUseScriptInput | [NuxtUseScriptInput, NuxtUseScriptOptionsSerializable]>;
    /** Configure the way scripts assets are exposed */
    assets?: {
        /**
         * Scripts assets are exposed as public assets as part of the build.
         *
         * TODO Make configurable in future.
         */
        strategy?: 'public';
        /**
         * Fallback to src if bundle fails to load.
         * The default behavior is to stop the bundling process if a script fails to be downloaded.
         * @default false
         */
        fallbackOnSrcOnBundleFail?: boolean;
        /**
         * Configure the fetch options used for downloading scripts.
         */
        fetchOptions?: FetchOptions;
        /**
         * Cache duration for bundled scripts in milliseconds.
         * Scripts older than this will be re-downloaded during builds.
         * @default 604800000 (7 days)
         */
        cacheMaxAge?: number;
        /**
         * Enable automatic integrity hash generation for bundled scripts.
         * When enabled, calculates SRI (Subresource Integrity) hash and injects
         * integrity attribute along with crossorigin="anonymous".
         *
         * @default false
         */
        integrity?: boolean | 'sha256' | 'sha384' | 'sha512';
    };
    /**
     * Proxy endpoint security.
     *
     * Several proxy endpoints (Google Static Maps, Geocode, Gravatar, embed image proxies)
     * inject server-side API keys or forward requests to third-party services. Without
     * signing, these are open to cost/quota abuse. Enable signing to require that only
     * URLs generated server-side (during SSR/prerender, or via `/_scripts/sign`) are
     * accepted.
     *
     * The secret must be deterministic across deployments so that prerendered URLs
     * remain valid. Set it via `NUXT_SCRIPTS_PROXY_SECRET` or `security.secret`.
     */
    security?: {
        /**
         * HMAC secret used to sign proxy URLs.
         *
         * Falls back to `process.env.NUXT_SCRIPTS_PROXY_SECRET` if unset. In dev,
         * the module auto-generates a secret into your `.env` file when neither is
         * provided (disable via `autoGenerateSecret: false`). In production, a
         * missing secret logs a warning; proxy endpoints remain functional but unprotected.
         *
         * Generate one with: `npx @nuxt/scripts generate-secret`
         */
        secret?: string;
        /**
         * Automatically generate and persist a signing secret to `.env` when running
         * `nuxt dev` without one configured.
         *
         * @default true
         */
        autoGenerateSecret?: boolean;
        /**
         * How long (in seconds) a page token issued during SSR remains valid on the
         * client. Client-driven proxy requests (dynamic fetches, runtime image
         * helpers) attach this token so `withSigning` accepts them without each URL
         * being HMAC-signed up front.
         *
         * The default of 1 hour is safe for SSR; for SSG or prerendered routes,
         * deployed HTML carries the build-time token, so bump this (e.g. `2592000`
         * for 30 days) to keep client-side proxy calls working after the build.
         * Longer TTLs widen the replay window if a token is scraped, so prefer the
         * shortest value that covers your cache horizon.
         *
         * @default 3600
         */
        pageTokenMaxAge?: number;
    };
    /**
     * Google Static Maps proxy configuration.
     * Proxies static map images through your server to fix CORS issues and enable caching.
     */
    googleStaticMapsProxy?: {
        /**
         * Enable proxying Google Static Maps through your own origin.
         * @default false
         */
        enabled?: boolean;
        /**
         * Cache duration for static map images in seconds.
         * @default 3600 (1 hour)
         */
        cacheMaxAge?: number;
    };
    /**
     * Enable standalone devtools mode.
     * When enabled, exposes a dev-only API endpoint that bridges script state
     * between the running Nuxt app and a standalone devtools UI.
     * This allows opening the devtools in a separate browser tab and connecting
     * to the dev server without the Nuxt DevTools iframe.
     *
     * @default false
     */
    /** @internal */
    _standaloneDevtools?: boolean;
    /**
     * Whether the module is enabled.
     *
     * @default true
     */
    enabled: boolean;
    /**
     * Enables debug mode.
     *
     * @false false
     */
    debug: boolean;
}
interface ModuleHooks {
    'scripts:registry': (registry: RegistryScripts) => void | Promise<void>;
}
declare const _default: _nuxt_schema.NuxtModule<ModuleOptions, ModuleOptions, false>;

export { applyAutoInject, _default as default, isProxyDisabled, resolveConfiguredProxyDomains, resolveProxySecret };
export type { ModuleHooks, ModuleOptions, ResolvedProxySecret };