import avro from '@avro/types';
import crypto from 'crypto';
export declare const envelopeErrorCodes: import("@opvious/stl-errors").ErrorCodesFor<{
    decryptionFailed: (cause: ReadonlyArray<unknown>) => {
        message: string;
        cause: readonly unknown[];
    };
    incompatibleKey: (ix: number) => {
        message: string;
    };
    signatureMismatch: string;
    unrecoverable: (env: string, cause?: unknown) => {
        message: string;
        tags: {
            env: string;
        };
        cause: unknown;
    };
    unverifiableContents: string;
}>;
export declare function toEnvelope(contents: EnvelopeContents, opts?: ToEnvelopeOptions): string;
export interface EnvelopeContents {
    readonly data: Buffer;
    /**
     * Convenience version number to store alongside the data. This may help
     * consumers evolve their data format without having to add the version
     * explicitly into the data's schema.
     */
    readonly version?: number;
    /** Convenience unstructured metadata to store alongside the data. */
    readonly annotation?: string;
}
export interface EnvelopeProtection {
    readonly kind: 'encrypt' | 'sign';
    readonly secretKey: crypto.KeyObject;
}
export interface ToEnvelopeOptions {
    /** Protection to apply to the envelope. */
    readonly protection?: EnvelopeProtection;
    /**
     * If present, this length must be a multiple of 4. The resulting string will
     * be padded with random bytes to have a final envelope representation of at
     * least this length.
     */
    readonly minimumLength?: number;
}
export declare function fromEnvelope(arg: string, opts?: FromEnvelopeOptions): EnvelopeContents;
export interface FromEnvelopeOptions {
    /** Decryption and verification keys. They will be tried in order. */
    readonly secretKeys?: ReadonlyArray<crypto.KeyObject>;
    /**
     * Allow decoding of unprotected envelope contents. This option defaults to
     * false if at least one key was specified and true otherwise.
     */
    readonly allowUnprotected?: boolean;
}
/** Convenience function to generate a secret key suitable for envelope use. */
export declare function envelopeKey(secret: crypto.BinaryLike, salt?: string): crypto.KeyObject;
/** Convenience class to obfuscate values using an Avro type. */
export declare class Obfuscator {
    private readonly key;
    constructor(key: crypto.KeyObject);
    /**
     * Transforms the input value into an opaque string. The string is signed
     * using the obfuscator's key. Note that values are obfuscated but _not_
     * encrypted. This should not be used to protect sensitive information.
     */
    obfuscate<V>(arg: V, tp: avro.Type<V>): string;
    /**
     * Recovers a value from its obfuscated representation. If the opaque value's
     * signature doesn't match, this method will throw an UNRECOVERABLE error.
     */
    recover<V>(arg: string, tp: avro.Type<V>): V;
}