/**
 * Secret-scan regex set for bounded-capture samples.
 *
 * Secret-scan is ON by default. When raw sample emission is possible
 * (`--capture-mode raw && --unsafe-allow-raw-capture`), the wrapper
 * runs this regex set against each candidate sample BEFORE emission.
 * If a token-like pattern matches, the sample is suppressed and
 * replaced with `{ sample_suppressed_reason: "secret_pattern_detected",
 * matched_pattern_category: <category> }`. The literal match is NEVER
 * recorded.
 *
 * The regex set is intentionally small (5 named patterns). False
 * positives are tolerated; the suppression itself is observable so a
 * verifier can detect over-suppression.
 *
 * NOTE(review): a small, fixed pattern set also implies false negatives.
 * A `null` result means "no listed pattern matched", not "this sample is
 * free of secrets"; treat the scan as a last-line filter, not as the
 * control that makes raw capture safe.
 *
 * Disabling secret-scan under raw capture requires the third unsafe
 * flag (`--unsafe-disable-secret-scan`); enforcement lives in the
 * subcommand flag-parse layer, not here.
 */
// Category labels a scan can report; there is one label per named pattern.
// The regexes themselves are not part of this declaration file, so what
// each category matches has to be confirmed against the implementation.
export type SecretCategory = 'bearer-token' | 'api-key' | 'jwt' | 'aws-access-key' | 'generic-high-entropy';
/**
 * Result of a positive scan.
 *
 * Only the category is declared here: there is no field for the matched
 * text, its offset or its length, so a `SecretMatch` can be logged or
 * emitted without carrying the secret itself.
 */
export interface SecretMatch {
    // Which pattern category matched.
    category: SecretCategory;
}
/**
 * Scan a buffer or string for token-like patterns. Returns the first
 * match (by pattern declaration order); the literal match is NEVER
 * returned to callers.
 *
 * Because only the first match is reported, an input that matches
 * several patterns yields a single category.
 *
 * @param input - Candidate sample, as text or raw bytes.
 *   NOTE(review): how a `Uint8Array` is decoded before matching is not
 *   visible in this declaration; confirm that non-UTF-8 or binary input
 *   cannot bypass the patterns.
 * @returns The category of the first matching pattern, or `null` when no
 *   pattern matched.
 */
export declare function scanForSecrets(input: string | Uint8Array): SecretMatch | null;
/**
 * Scan an argv element. Same shape as `scanForSecrets` but documents
 * intent: argv elements are scanned independently of stream samples.
 *
 * @param token - A single argv element.
 *   NOTE(review): each element is scanned on its own, so a secret passed
 *   as a separate argument after its flag is presumably seen without the
 *   flag name as context; verify against the implementation's patterns.
 * @returns The category of the first matching pattern, or `null` when no
 *   pattern matched.
 */
export declare function scanArgvElement(token: string): SecretMatch | null;
//# sourceMappingURL=secret-scan.d.ts.map