/**
 * CLI capture limits and security defaults.
 *
 * Centralizes the bounded-capture caps and security-default constants
 * used by `peac observe command` and `peac record command`. Mirrored
 * (but enforced separately) by the Zod ranges in
 * `@peac/schema/src/extensions/cli-execution.ts`; keep both sides in
 * sync when changing.
 *
 * All values are POSIX-first. Windows behavior is not guaranteed by
 * the current CLI carrier profile; see `docs/specs/CLI-CARRIER-PROFILE.md`.
 */
/** Bounded-capture caps. */
export declare const CLI_LIMITS: {
    /** Default max bytes retained in the stdout sample buffer (raw mode only). */
    readonly defaultStdoutSampleBytes: 16384;
    /** Default max bytes retained in the stderr sample buffer (raw mode only). */
    readonly defaultStderrSampleBytes: 16384;
    /** Hard ceiling for the stdout / stderr sample buffer (raw mode only). */
    readonly maxStdoutSampleBytes: 65536;
    readonly maxStderrSampleBytes: 65536;
    /** Default max bytes recorded in argv (raw mode only). */
    readonly defaultArgvCaptureBytes: 4096;
    /** Hard ceiling for argv bytes (raw mode only). */
    readonly maxArgvCaptureBytes: 16384;
    /** Hard ceiling for env entry count (deny-by-default; allowlist <= this). */
    readonly maxEnvEntries: 32;
    /** Default wrapper timeout (10 minutes). */
    readonly defaultTimeoutMs: 600000;
    /** Wrapper timeout hard ceiling (24 hours). */
    readonly maxTimeoutMs: 86400000;
    /** Wrapper timeout floor (1 ms). */
    readonly minTimeoutMs: 1;
    /** Default SIGTERM-to-SIGKILL grace (5 seconds). */
    readonly defaultKillGraceMs: 5000;
    /** SIGTERM-to-SIGKILL grace hard ceiling (60 seconds). */
    readonly maxKillGraceMs: 60000;
    /** SIGTERM-to-SIGKILL grace floor. */
    readonly minKillGraceMs: 0;
};
/**
 * Shell binaries that, when detected as the program basename, REQUIRE
 * the explicit `--shell-mode` acknowledgement. PEAC NEVER synthesizes
 * shell syntax; the wrapper is an observer, not a shell orchestrator.
 */
export declare const SHELL_BINARY_BASENAMES: Set<string>;
/** Returns true when the resolved program basename is a known shell binary. */
export declare function isShellBinary(programBasename: string): boolean;
//# sourceMappingURL=cli-limits.d.ts.map