/** * Application Default Credentials (ADC) resolution for Vertex AI. * * Replaces `google-auth-library` with a direct WebCrypto + REST implementation. * Sources, in priority order: * 1. `GOOGLE_APPLICATION_CREDENTIALS` env → file with `type: "service_account"` (RS256 JWT exchange) * or `type: "authorized_user"` (refresh-token exchange). * 2. `~/.config/gcloud/application_default_credentials.json` (user ADC, same authorized_user flow). * 3. GCE / Cloud Run metadata server (`metadata.google.internal`). * * Tokens are cached per source key and refreshed `GOOGLE_VERTEX_REFRESH_SKEW_MS` before expiry * (default 60s). Concurrent callers waiting on a refresh share the same in-flight promise. */ import type { FetchImpl } from "../types"; /** * Returns a Bearer access token suitable for the `Authorization` header on Vertex AI calls. * The token is cached in module scope and refreshed `GOOGLE_VERTEX_REFRESH_SKEW_MS` ms before it expires. */ export declare function getVertexAccessToken(options?: { signal?: AbortSignal; fetch?: FetchImpl; }): Promise; /** Test seam: clears every cached token. */ export declare function __resetVertexTokenCache(): void; /** * Sync best-effort probe for a usable Vertex bearer credential source — an explicit access-token * env var, `GOOGLE_APPLICATION_CREDENTIALS`, a user ADC file, or a GCP runtime whose metadata * server can mint ADC (GCE/Cloud Run/App Engine/Functions). Lets callers prefer the bearer * Interactions transport only when ADC is actually reachable, without paying the async * metadata-probe cost for API-key-only setups. */ export declare function hasVertexBearerCredentialsHint(): boolean;