/**
 * HMAC Signature Utilities for Olumi Assistants SDK
 *
 * Provides client-side HMAC-SHA256 signing for API requests with:
 * - Automatic nonce generation (UUID v4)
 * - Timestamp management
 * - Canonical string building
 * - Request signing helpers
 */
/**
 * HMAC signature headers for API requests
 */
export interface HmacHeaders {
    "X-Olumi-Signature": string;
    "X-Olumi-Timestamp": string;
    "X-Olumi-Nonce": string;
}
/**
 * HMAC signing options
 */
export interface HmacSignOptions {
    /** HMAC secret key (required) */
    secret: string;
    /** Optional custom timestamp (defaults to Date.now()) */
    timestamp?: number;
    /** Optional custom nonce (defaults to UUID v4) */
    nonce?: string;
}
/**
 * Generate a cryptographically secure nonce (UUID v4)
 *
 * @returns UUID v4 string
 *
 * @example
 * ```typescript
 * const nonce = generateNonce();
 * // => "550e8400-e29b-41d4-a716-446655440000"
 * ```
 */
export declare function generateNonce(): string;
/**
 * Sign an API request with HMAC-SHA256
 *
 * Generates signature headers for authenticating requests to the
 * Olumi Assistants Service. Includes timestamp and nonce for replay protection.
 *
 * @param method - HTTP method (uppercase, e.g., "POST")
 * @param path - Request path (e.g., "/assist/draft-graph")
 * @param body - Request body as JSON string (or undefined for GET)
 * @param options - HMAC signing options (secret required)
 * @returns HMAC signature headers to include in request
 *
 * @throws {Error} If secret is not provided
 *
 * @example
 * ```typescript
 * const body = JSON.stringify({ brief: "Create a todo app" });
 * const headers = sign("POST", "/assist/draft-graph", body, {
 *   secret: process.env.HMAC_SECRET!
 * });
 *
 * // Include headers in fetch request
 * await fetch(url, {
 *   method: "POST",
 *   headers: {
 *     "Content-Type": "application/json",
 *     ...headers
 *   },
 *   body
 * });
 * ```
 */
export declare function sign(method: string, path: string, body: string | undefined, options: HmacSignOptions): HmacHeaders;
/**
 * Verify response hash (for response integrity checking)
 *
 * Validates that the response body matches the expected hash signature
 * provided by the server. Prevents response tampering.
 *
 * @param responseBody - Response body as string
 * @param expectedHash - Expected SHA256 hash (hex) from X-Olumi-Response-Hash header
 * @returns True if hash matches, false otherwise
 *
 * @example
 * ```typescript
 * const response = await fetch(url);
 * const body = await response.text();
 * const hash = response.headers.get("X-Olumi-Response-Hash");
 *
 * if (hash && !verifyResponseHash(body, hash)) {
 *   throw new Error("Response integrity check failed");
 * }
 * ```
 */
export declare function verifyResponseHash(responseBody: string, expectedHash: string): boolean;
//# sourceMappingURL=hmac.d.ts.map