/**
 * Provisioning Lifecycle Extension Schema
 *
 * Extension namespace: `org.peacprotocol/provisioning-lifecycle`
 * Record type URIs:    10 (one per `*-observed` event family)
 *
 * Records reported provisioning lifecycle events from external systems.
 * Caller systems (agents, agent-driven workflows, control planes, CLIs,
 * or providers themselves) report what happened when services, accounts,
 * resources, credentials, payment authorizations, budgets, subscriptions,
 * domains, or deployments were provisioned through external providers;
 * the issuance path issues a record using the caller-provided issuer key.
 * PEAC provides the record format, validation, and signing path. PEAC
 * does not authorize the action, verify legal acceptance, provision
 * resources, validate credentials, process payments, vouch for provider
 * state, settle transactions, manage credential vaults, or operate the
 * runtime. PEAC does not implement OAuth, DPoP, OAuth Protected Resource
 * Metadata, or Shared Payment Tokens.
 *
 * No-credential-leak invariant (grammar-based + recursive walker; enforced
 * by both the exported `ProvisioningLifecycleSchema` and the structured
 * `validateProvisioningLifecycle` validator):
 *   - 20 forbidden top-level credential-bearing keys reject with
 *     `provisioning.inline_credential_blocked`.
 *   - The recursive walker inspects key names AND value strings at every
 *     depth past the top level. Nested forbidden key names reject with
 *     `provisioning.forbidden_key_name`; values matching generic
 *     credential-shaped regex patterns reject with
 *     `provisioning.token_material_blocked` (or
 *     `provisioning.inline_credential_blocked` for the env_assignment
 *     pattern).
 *   - All `*_ref` fields are validated by the `OpaqueRefSchema` grammar.
 *   - All `*_digest` fields are validated by the `Sha256DigestSchema` grammar.
 *
 * Vendor neutrality: the normative validator's regex panel contains only
 * generic credential categories (jwt_compact, bearer_token,
 * pem_private_key, env_assignment, connection_string_with_credentials).
 * Provider-prefix scanning belongs to the public-artifact layer
 * (`scripts/check-public-artifacts.mjs`), not the protocol schema.
 *
 * Validation returns the structured error contract:
 *   `{ ok: true, value }` or `{ ok: false, errors: [{ code, path?, message }] }`.
 */
import { z } from 'zod';
export declare const PROVISIONING_LIFECYCLE_EXTENSION_KEY: "org.peacprotocol/provisioning-lifecycle";
/** All 10 provisioning lifecycle record type URIs (one per event family). */
export declare const PROVISIONING_LIFECYCLE_TYPE_URIS: readonly ["org.peacprotocol/provisioning-catalog-observed", "org.peacprotocol/provisioning-provider-link-observed", "org.peacprotocol/provisioning-account-observed", "org.peacprotocol/provisioning-resource-observed", "org.peacprotocol/provisioning-credential-observed", "org.peacprotocol/provisioning-payment-authorization-observed", "org.peacprotocol/provisioning-budget-observed", "org.peacprotocol/provisioning-subscription-observed", "org.peacprotocol/provisioning-domain-observed", "org.peacprotocol/provisioning-deployment-observed"];
export type ProvisioningLifecycleTypeUri = (typeof PROVISIONING_LIFECYCLE_TYPE_URIS)[number];
/** Event-kind discriminator literals (drop the `org.peacprotocol/` prefix). */
declare const EVENT_KINDS: readonly ["provisioning-catalog-observed", "provisioning-provider-link-observed", "provisioning-account-observed", "provisioning-resource-observed", "provisioning-credential-observed", "provisioning-payment-authorization-observed", "provisioning-budget-observed", "provisioning-subscription-observed", "provisioning-domain-observed", "provisioning-deployment-observed"];
export type ProvisioningEventKind = (typeof EVENT_KINDS)[number];
/** Stable error codes for `validateProvisioningLifecycle`. */
export declare const PROVISIONING_LIFECYCLE_ERROR_CODES: {
    readonly inlineCredentialBlocked: "provisioning.inline_credential_blocked";
    readonly opaqueRefGrammarViolation: "provisioning.opaque_ref_grammar_violation";
    readonly tokenMaterialBlocked: "provisioning.token_material_blocked";
    readonly forbiddenKeyName: "provisioning.forbidden_key_name";
    readonly invalidStorageSurface: "provisioning.invalid_storage_surface";
    readonly invalidMaterialRedaction: "provisioning.invalid_material_redaction";
    readonly invalidEventKind: "provisioning.invalid_event_kind";
    readonly invalidSubEvent: "provisioning.invalid_sub_event";
    readonly invalidSchemeId: "provisioning.invalid_scheme_id";
    readonly unrecognizedField: "provisioning.unrecognized_field";
    readonly invalidAmountMinor: "provisioning.invalid_amount_minor";
    readonly invalidObservedAt: "provisioning.invalid_observed_at";
    readonly invalidRetrievedAt: "provisioning.invalid_retrieved_at";
    readonly invalidExpiresAt: "provisioning.invalid_expires_at";
    readonly invalidCurrency: "provisioning.invalid_currency";
    readonly fieldTooLarge: "provisioning.field_too_large";
    readonly replacementCharacterInString: "provisioning.replacement_character_in_string";
    readonly structureTooDeep: "provisioning.structure_too_deep";
    readonly structureTooLarge: "provisioning.structure_too_large";
    readonly missingRequiredField: "provisioning.missing_required_field";
    readonly invalidUtf8: "provisioning.invalid_utf8";
};
/**
 * Base discriminated union over `event_kind`. Internal; the public
 * `ProvisioningLifecycleSchema` below wraps this in a `.superRefine()`
 * that runs the recursive credential-material walker so
 * `safeParse()` enforces the no-credential-leak invariant alongside
 * structural validation.
 */
declare const ProvisioningLifecycleBaseSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
    catalog: z.ZodObject<{
        service_id: z.ZodString;
        entry_digest: z.ZodOptional<z.ZodString>;
        retrieved_at: z.ZodString;
        terms_digest: z.ZodOptional<z.ZodString>;
        pricing_digest: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>;
    provider: z.ZodOptional<z.ZodObject<{
        provider_ref: z.ZodString;
        account_ref: z.ZodOptional<z.ZodString>;
        scheme_id: z.ZodOptional<z.ZodString>;
        scheme_ref: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>>;
    observed_by_ref: z.ZodOptional<z.ZodString>;
    upstream_event_ref: z.ZodOptional<z.ZodString>;
    upstream_artifact_digest: z.ZodOptional<z.ZodString>;
    observed_at: z.ZodString;
    event_kind: z.ZodLiteral<"provisioning-catalog-observed">;
}, z.core.$strict>, z.ZodObject<{
    provider: z.ZodObject<{
        provider_ref: z.ZodString;
        account_ref: z.ZodOptional<z.ZodString>;
        scheme_id: z.ZodOptional<z.ZodString>;
        scheme_ref: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>;
    observed_by_ref: z.ZodOptional<z.ZodString>;
    upstream_event_ref: z.ZodOptional<z.ZodString>;
    upstream_artifact_digest: z.ZodOptional<z.ZodString>;
    observed_at: z.ZodString;
    event_kind: z.ZodLiteral<"provisioning-provider-link-observed">;
}, z.core.$strict>, z.ZodObject<{
    provider: z.ZodObject<{
        provider_ref: z.ZodString;
        account_ref: z.ZodOptional<z.ZodString>;
        scheme_id: z.ZodOptional<z.ZodString>;
        scheme_ref: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>;
    account: z.ZodObject<{
        sub_event: z.ZodEnum<{
            authorized: "authorized";
            created: "created";
            linked: "linked";
            updated: "updated";
        }>;
        account_ref: z.ZodString;
        terms_digest: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>;
    observed_by_ref: z.ZodOptional<z.ZodString>;
    upstream_event_ref: z.ZodOptional<z.ZodString>;
    upstream_artifact_digest: z.ZodOptional<z.ZodString>;
    observed_at: z.ZodString;
    event_kind: z.ZodLiteral<"provisioning-account-observed">;
}, z.core.$strict>, z.ZodObject<{
    provider: z.ZodObject<{
        provider_ref: z.ZodString;
        account_ref: z.ZodOptional<z.ZodString>;
        scheme_id: z.ZodOptional<z.ZodString>;
        scheme_ref: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>;
    resource: z.ZodObject<{
        kind: z.ZodString;
        resource_ref: z.ZodString;
        sub_event: z.ZodEnum<{
            updated: "updated";
            requested: "requested";
            provisioned: "provisioned";
            removed: "removed";
        }>;
    }, z.core.$strict>;
    observed_by_ref: z.ZodOptional<z.ZodString>;
    upstream_event_ref: z.ZodOptional<z.ZodString>;
    upstream_artifact_digest: z.ZodOptional<z.ZodString>;
    observed_at: z.ZodString;
    event_kind: z.ZodLiteral<"provisioning-resource-observed">;
}, z.core.$strict>, z.ZodObject<{
    provider: z.ZodObject<{
        provider_ref: z.ZodString;
        account_ref: z.ZodOptional<z.ZodString>;
        scheme_id: z.ZodOptional<z.ZodString>;
        scheme_ref: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>;
    credential: z.ZodObject<{
        sub_event: z.ZodEnum<{
            issued: "issued";
            rotated: "rotated";
            revoked: "revoked";
            synced: "synced";
        }>;
        issuer_ref: z.ZodOptional<z.ZodString>;
        subject_ref: z.ZodOptional<z.ZodString>;
        scope_digest: z.ZodOptional<z.ZodString>;
        storage_surface: z.ZodOptional<z.ZodObject<{
            kind: z.ZodEnum<{
                unknown: "unknown";
                none: "none";
                external_secret_store: "external_secret_store";
                local_encrypted_file: "local_encrypted_file";
                local_plaintext_file: "local_plaintext_file";
                environment_file: "environment_file";
                runtime_secret_binding: "runtime_secret_binding";
            }>;
            provider_ref: z.ZodOptional<z.ZodString>;
            surface_ref: z.ZodOptional<z.ZodString>;
            material_redaction: z.ZodEnum<{
                never_capture: "never_capture";
                redacted_capture: "redacted_capture";
                hashed_capture: "hashed_capture";
            }>;
        }, z.core.$strict>>;
    }, z.core.$strict>;
    observed_by_ref: z.ZodOptional<z.ZodString>;
    upstream_event_ref: z.ZodOptional<z.ZodString>;
    upstream_artifact_digest: z.ZodOptional<z.ZodString>;
    observed_at: z.ZodString;
    event_kind: z.ZodLiteral<"provisioning-credential-observed">;
}, z.core.$strict>, z.ZodObject<{
    provider: z.ZodOptional<z.ZodObject<{
        provider_ref: z.ZodString;
        account_ref: z.ZodOptional<z.ZodString>;
        scheme_id: z.ZodOptional<z.ZodString>;
        scheme_ref: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>>;
    payment_authorization_observation: z.ZodObject<{
        scheme_id: z.ZodOptional<z.ZodString>;
        scheme_ref: z.ZodOptional<z.ZodString>;
        authorization_ref: z.ZodString;
        issuer_ref: z.ZodString;
        scope_digest: z.ZodOptional<z.ZodString>;
        limits_digest: z.ZodOptional<z.ZodString>;
        currency: z.ZodOptional<z.ZodString>;
        max_amount_minor: z.ZodOptional<z.ZodString>;
        expires_at: z.ZodOptional<z.ZodString>;
        sub_event: z.ZodOptional<z.ZodEnum<{
            granted: "granted";
            expired: "expired";
            revoked: "revoked";
            observed: "observed";
            consumed: "consumed";
        }>>;
        material_redaction: z.ZodEnum<{
            never_capture: "never_capture";
            redacted_capture: "redacted_capture";
            hashed_capture: "hashed_capture";
        }>;
    }, z.core.$strict>;
    observed_by_ref: z.ZodOptional<z.ZodString>;
    upstream_event_ref: z.ZodOptional<z.ZodString>;
    upstream_artifact_digest: z.ZodOptional<z.ZodString>;
    observed_at: z.ZodString;
    event_kind: z.ZodLiteral<"provisioning-payment-authorization-observed">;
}, z.core.$strict>, z.ZodObject<{
    provider: z.ZodOptional<z.ZodObject<{
        provider_ref: z.ZodString;
        account_ref: z.ZodOptional<z.ZodString>;
        scheme_id: z.ZodOptional<z.ZodString>;
        scheme_ref: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>>;
    budget: z.ZodObject<{
        budget_ref: z.ZodString;
        limits_digest: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>;
    observed_by_ref: z.ZodOptional<z.ZodString>;
    upstream_event_ref: z.ZodOptional<z.ZodString>;
    upstream_artifact_digest: z.ZodOptional<z.ZodString>;
    observed_at: z.ZodString;
    event_kind: z.ZodLiteral<"provisioning-budget-observed">;
}, z.core.$strict>, z.ZodObject<{
    provider: z.ZodObject<{
        provider_ref: z.ZodString;
        account_ref: z.ZodOptional<z.ZodString>;
        scheme_id: z.ZodOptional<z.ZodString>;
        scheme_ref: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>;
    subscription: z.ZodObject<{
        sub_event: z.ZodEnum<{
            updated: "updated";
            started: "started";
            cancelled: "cancelled";
        }>;
        subscription_ref: z.ZodString;
        plan_digest: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>;
    observed_by_ref: z.ZodOptional<z.ZodString>;
    upstream_event_ref: z.ZodOptional<z.ZodString>;
    upstream_artifact_digest: z.ZodOptional<z.ZodString>;
    observed_at: z.ZodString;
    event_kind: z.ZodLiteral<"provisioning-subscription-observed">;
}, z.core.$strict>, z.ZodObject<{
    provider: z.ZodOptional<z.ZodObject<{
        provider_ref: z.ZodString;
        account_ref: z.ZodOptional<z.ZodString>;
        scheme_id: z.ZodOptional<z.ZodString>;
        scheme_ref: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>>;
    domain: z.ZodObject<{
        domain_ref: z.ZodString;
        sub_event: z.ZodEnum<{
            registered: "registered";
            transferred: "transferred";
            released: "released";
        }>;
        registrar_ref: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>;
    observed_by_ref: z.ZodOptional<z.ZodString>;
    upstream_event_ref: z.ZodOptional<z.ZodString>;
    upstream_artifact_digest: z.ZodOptional<z.ZodString>;
    observed_at: z.ZodString;
    event_kind: z.ZodLiteral<"provisioning-domain-observed">;
}, z.core.$strict>, z.ZodObject<{
    provider: z.ZodOptional<z.ZodObject<{
        provider_ref: z.ZodString;
        account_ref: z.ZodOptional<z.ZodString>;
        scheme_id: z.ZodOptional<z.ZodString>;
        scheme_ref: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>>;
    deployment: z.ZodObject<{
        deployment_ref: z.ZodString;
        artifact_digest: z.ZodOptional<z.ZodString>;
        sub_event: z.ZodEnum<{
            failed: "failed";
            started: "started";
            completed: "completed";
            rolled_back: "rolled_back";
        }>;
    }, z.core.$strict>;
    observed_by_ref: z.ZodOptional<z.ZodString>;
    upstream_event_ref: z.ZodOptional<z.ZodString>;
    upstream_artifact_digest: z.ZodOptional<z.ZodString>;
    observed_at: z.ZodString;
    event_kind: z.ZodLiteral<"provisioning-deployment-observed">;
}, z.core.$strict>], "event_kind">;
interface WalkerOptions {
    maxStringBytes?: number;
    maxDepth?: number;
    maxNodes?: number;
}
interface WalkerViolation {
    code: 'provisioning.token_material_blocked' | 'provisioning.inline_credential_blocked' | 'provisioning.forbidden_key_name' | 'provisioning.field_too_large' | 'provisioning.replacement_character_in_string' | 'provisioning.structure_too_deep' | 'provisioning.structure_too_large';
    pathSegments: ReadonlyArray<string | number>;
    message: string;
    pattern?: string;
}
/**
 * Recursive walker (deterministic key-sorted traversal; structure- and
 * size-bounded; depth-aware key-name dispatch).
 *
 * Top-level forbidden credential-bearing keys are NOT emitted by the
 * walker; they are surfaced by the preflight in
 * `validateProvisioningLifecycle`. This avoids duplicate codes for the
 * same offending top-level key.
 */
declare function scanProvisioningLifecycleForCredentialMaterial(obj: unknown, options?: WalkerOptions): WalkerViolation[];
/**
 * Public canonical schema. Wraps the base discriminated union in a
 * `.superRefine()` that runs the recursive credential-material walker
 * so callers using `ProvisioningLifecycleSchema.safeParse()` get the
 * full no-credential-leak invariant in one call. The structured
 * `validateProvisioningLifecycle` validator below adds preflight
 * checks (top-level forbidden keys, missing required fields,
 * invalid event_kind) on top of the same base+walker pair so the two
 * entry points enforce the same guarantees with the same stable codes.
 */
export declare const ProvisioningLifecycleSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
    catalog: z.ZodObject<{
        service_id: z.ZodString;
        entry_digest: z.ZodOptional<z.ZodString>;
        retrieved_at: z.ZodString;
        terms_digest: z.ZodOptional<z.ZodString>;
        pricing_digest: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>;
    provider: z.ZodOptional<z.ZodObject<{
        provider_ref: z.ZodString;
        account_ref: z.ZodOptional<z.ZodString>;
        scheme_id: z.ZodOptional<z.ZodString>;
        scheme_ref: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>>;
    observed_by_ref: z.ZodOptional<z.ZodString>;
    upstream_event_ref: z.ZodOptional<z.ZodString>;
    upstream_artifact_digest: z.ZodOptional<z.ZodString>;
    observed_at: z.ZodString;
    event_kind: z.ZodLiteral<"provisioning-catalog-observed">;
}, z.core.$strict>, z.ZodObject<{
    provider: z.ZodObject<{
        provider_ref: z.ZodString;
        account_ref: z.ZodOptional<z.ZodString>;
        scheme_id: z.ZodOptional<z.ZodString>;
        scheme_ref: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>;
    observed_by_ref: z.ZodOptional<z.ZodString>;
    upstream_event_ref: z.ZodOptional<z.ZodString>;
    upstream_artifact_digest: z.ZodOptional<z.ZodString>;
    observed_at: z.ZodString;
    event_kind: z.ZodLiteral<"provisioning-provider-link-observed">;
}, z.core.$strict>, z.ZodObject<{
    provider: z.ZodObject<{
        provider_ref: z.ZodString;
        account_ref: z.ZodOptional<z.ZodString>;
        scheme_id: z.ZodOptional<z.ZodString>;
        scheme_ref: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>;
    account: z.ZodObject<{
        sub_event: z.ZodEnum<{
            authorized: "authorized";
            created: "created";
            linked: "linked";
            updated: "updated";
        }>;
        account_ref: z.ZodString;
        terms_digest: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>;
    observed_by_ref: z.ZodOptional<z.ZodString>;
    upstream_event_ref: z.ZodOptional<z.ZodString>;
    upstream_artifact_digest: z.ZodOptional<z.ZodString>;
    observed_at: z.ZodString;
    event_kind: z.ZodLiteral<"provisioning-account-observed">;
}, z.core.$strict>, z.ZodObject<{
    provider: z.ZodObject<{
        provider_ref: z.ZodString;
        account_ref: z.ZodOptional<z.ZodString>;
        scheme_id: z.ZodOptional<z.ZodString>;
        scheme_ref: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>;
    resource: z.ZodObject<{
        kind: z.ZodString;
        resource_ref: z.ZodString;
        sub_event: z.ZodEnum<{
            updated: "updated";
            requested: "requested";
            provisioned: "provisioned";
            removed: "removed";
        }>;
    }, z.core.$strict>;
    observed_by_ref: z.ZodOptional<z.ZodString>;
    upstream_event_ref: z.ZodOptional<z.ZodString>;
    upstream_artifact_digest: z.ZodOptional<z.ZodString>;
    observed_at: z.ZodString;
    event_kind: z.ZodLiteral<"provisioning-resource-observed">;
}, z.core.$strict>, z.ZodObject<{
    provider: z.ZodObject<{
        provider_ref: z.ZodString;
        account_ref: z.ZodOptional<z.ZodString>;
        scheme_id: z.ZodOptional<z.ZodString>;
        scheme_ref: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>;
    credential: z.ZodObject<{
        sub_event: z.ZodEnum<{
            issued: "issued";
            rotated: "rotated";
            revoked: "revoked";
            synced: "synced";
        }>;
        issuer_ref: z.ZodOptional<z.ZodString>;
        subject_ref: z.ZodOptional<z.ZodString>;
        scope_digest: z.ZodOptional<z.ZodString>;
        storage_surface: z.ZodOptional<z.ZodObject<{
            kind: z.ZodEnum<{
                unknown: "unknown";
                none: "none";
                external_secret_store: "external_secret_store";
                local_encrypted_file: "local_encrypted_file";
                local_plaintext_file: "local_plaintext_file";
                environment_file: "environment_file";
                runtime_secret_binding: "runtime_secret_binding";
            }>;
            provider_ref: z.ZodOptional<z.ZodString>;
            surface_ref: z.ZodOptional<z.ZodString>;
            material_redaction: z.ZodEnum<{
                never_capture: "never_capture";
                redacted_capture: "redacted_capture";
                hashed_capture: "hashed_capture";
            }>;
        }, z.core.$strict>>;
    }, z.core.$strict>;
    observed_by_ref: z.ZodOptional<z.ZodString>;
    upstream_event_ref: z.ZodOptional<z.ZodString>;
    upstream_artifact_digest: z.ZodOptional<z.ZodString>;
    observed_at: z.ZodString;
    event_kind: z.ZodLiteral<"provisioning-credential-observed">;
}, z.core.$strict>, z.ZodObject<{
    provider: z.ZodOptional<z.ZodObject<{
        provider_ref: z.ZodString;
        account_ref: z.ZodOptional<z.ZodString>;
        scheme_id: z.ZodOptional<z.ZodString>;
        scheme_ref: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>>;
    payment_authorization_observation: z.ZodObject<{
        scheme_id: z.ZodOptional<z.ZodString>;
        scheme_ref: z.ZodOptional<z.ZodString>;
        authorization_ref: z.ZodString;
        issuer_ref: z.ZodString;
        scope_digest: z.ZodOptional<z.ZodString>;
        limits_digest: z.ZodOptional<z.ZodString>;
        currency: z.ZodOptional<z.ZodString>;
        max_amount_minor: z.ZodOptional<z.ZodString>;
        expires_at: z.ZodOptional<z.ZodString>;
        sub_event: z.ZodOptional<z.ZodEnum<{
            granted: "granted";
            expired: "expired";
            revoked: "revoked";
            observed: "observed";
            consumed: "consumed";
        }>>;
        material_redaction: z.ZodEnum<{
            never_capture: "never_capture";
            redacted_capture: "redacted_capture";
            hashed_capture: "hashed_capture";
        }>;
    }, z.core.$strict>;
    observed_by_ref: z.ZodOptional<z.ZodString>;
    upstream_event_ref: z.ZodOptional<z.ZodString>;
    upstream_artifact_digest: z.ZodOptional<z.ZodString>;
    observed_at: z.ZodString;
    event_kind: z.ZodLiteral<"provisioning-payment-authorization-observed">;
}, z.core.$strict>, z.ZodObject<{
    provider: z.ZodOptional<z.ZodObject<{
        provider_ref: z.ZodString;
        account_ref: z.ZodOptional<z.ZodString>;
        scheme_id: z.ZodOptional<z.ZodString>;
        scheme_ref: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>>;
    budget: z.ZodObject<{
        budget_ref: z.ZodString;
        limits_digest: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>;
    observed_by_ref: z.ZodOptional<z.ZodString>;
    upstream_event_ref: z.ZodOptional<z.ZodString>;
    upstream_artifact_digest: z.ZodOptional<z.ZodString>;
    observed_at: z.ZodString;
    event_kind: z.ZodLiteral<"provisioning-budget-observed">;
}, z.core.$strict>, z.ZodObject<{
    provider: z.ZodObject<{
        provider_ref: z.ZodString;
        account_ref: z.ZodOptional<z.ZodString>;
        scheme_id: z.ZodOptional<z.ZodString>;
        scheme_ref: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>;
    subscription: z.ZodObject<{
        sub_event: z.ZodEnum<{
            updated: "updated";
            started: "started";
            cancelled: "cancelled";
        }>;
        subscription_ref: z.ZodString;
        plan_digest: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>;
    observed_by_ref: z.ZodOptional<z.ZodString>;
    upstream_event_ref: z.ZodOptional<z.ZodString>;
    upstream_artifact_digest: z.ZodOptional<z.ZodString>;
    observed_at: z.ZodString;
    event_kind: z.ZodLiteral<"provisioning-subscription-observed">;
}, z.core.$strict>, z.ZodObject<{
    provider: z.ZodOptional<z.ZodObject<{
        provider_ref: z.ZodString;
        account_ref: z.ZodOptional<z.ZodString>;
        scheme_id: z.ZodOptional<z.ZodString>;
        scheme_ref: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>>;
    domain: z.ZodObject<{
        domain_ref: z.ZodString;
        sub_event: z.ZodEnum<{
            registered: "registered";
            transferred: "transferred";
            released: "released";
        }>;
        registrar_ref: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>;
    observed_by_ref: z.ZodOptional<z.ZodString>;
    upstream_event_ref: z.ZodOptional<z.ZodString>;
    upstream_artifact_digest: z.ZodOptional<z.ZodString>;
    observed_at: z.ZodString;
    event_kind: z.ZodLiteral<"provisioning-domain-observed">;
}, z.core.$strict>, z.ZodObject<{
    provider: z.ZodOptional<z.ZodObject<{
        provider_ref: z.ZodString;
        account_ref: z.ZodOptional<z.ZodString>;
        scheme_id: z.ZodOptional<z.ZodString>;
        scheme_ref: z.ZodOptional<z.ZodString>;
    }, z.core.$strict>>;
    deployment: z.ZodObject<{
        deployment_ref: z.ZodString;
        artifact_digest: z.ZodOptional<z.ZodString>;
        sub_event: z.ZodEnum<{
            failed: "failed";
            started: "started";
            completed: "completed";
            rolled_back: "rolled_back";
        }>;
    }, z.core.$strict>;
    observed_by_ref: z.ZodOptional<z.ZodString>;
    upstream_event_ref: z.ZodOptional<z.ZodString>;
    upstream_artifact_digest: z.ZodOptional<z.ZodString>;
    observed_at: z.ZodString;
    event_kind: z.ZodLiteral<"provisioning-deployment-observed">;
}, z.core.$strict>], "event_kind">;
export type ProvisioningLifecycle = z.infer<typeof ProvisioningLifecycleBaseSchema>;
export interface ProvisioningLifecycleValidationError {
    code: string;
    path?: string;
    message: string;
}
export type ProvisioningLifecycleValidationResult = {
    ok: true;
    value: ProvisioningLifecycle;
} | {
    ok: false;
    errors: ProvisioningLifecycleValidationError[];
};
/**
 * Validate a provisioning lifecycle observation payload. Mirrors the
 * `validateLifecycleObservation` structured-error contract.
 *
 * Pre-flight order:
 *   1. forbidden top-level credential-bearing keys -> provisioning.inline_credential_blocked
 *   2. recursive credential-material walker (key names + value strings;
 *      depth-aware; structure-bounded) -> provisioning.{forbidden_key_name |
 *      token_material_blocked | inline_credential_blocked | field_too_large |
 *      replacement_character_in_string | structure_too_deep |
 *      structure_too_large}
 *   3. event_kind presence/value -> missing_required_field / invalid_event_kind
 *   4. observed_at presence -> missing_required_field
 *   5. per-event-kind required fields
 *   6. Zod schema parse with priority-mapped stable codes
 */
export declare function validateProvisioningLifecycle(data: unknown): ProvisioningLifecycleValidationResult;
/** @internal Test-only export: forbidden top-level credential-bearing keys. */
export declare const PROVISIONING_FORBIDDEN_TOP_LEVEL_KEYS_INTERNAL: readonly ["token", "access_token", "refresh_token", "id_token", "api_key", "apikey", "secret", "private_key", "privatekey", "password", "passphrase", "authorization", "cookie", "session", "credential_value", "credentialvalue", "spt", "shared_payment_token", "sharedpaymenttoken", "env"];
/** @internal Test-only export: recursive credential-material walker. */
export declare const scanProvisioningLifecycleForCredentialMaterialInternal: typeof scanProvisioningLifecycleForCredentialMaterial;
export {};
//# sourceMappingURL=provisioning-lifecycle.d.ts.map