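/**
 * Token Vault
 *
 * Secure encrypted storage for OAuth tokens with per-tenant encryption keys.
 * Uses AES-256-GCM for authenticated encryption.
 *
 * NOTE(review): the type arguments on the `Promise` return types were missing
 * from the extracted declaration (bare `Promise` does not compile under
 * `strict`); they are restored here from the paired signatures — what
 * `encrypt` returns is exactly what `decrypt` accepts as `ciphertext`.
 */
export interface TokenVault {
  /**
   * Encrypt a token for storage.
   *
   * @param tenantId - tenant whose key protects the token
   * @param plaintext - the raw token value
   * @returns ciphertext in the form that `decrypt` accepts
   */
  encrypt(tenantId: string, plaintext: string): Promise<string>;
  /**
   * Decrypt a stored token.
   *
   * With per-tenant keys and AES-GCM, decrypting under a different tenant's
   * key is expected to fail authentication rather than yield plaintext; callers
   * should treat a rejection as "not this tenant's token", not as corruption.
   *
   * @param tenantId - tenant whose key protects the token
   * @param ciphertext - a value previously returned by `encrypt`
   * @returns the original token value
   */
  decrypt(tenantId: string, ciphertext: string): Promise<string>;
  /**
   * Rotate the encryption key for a tenant.
   *
   * Optional: implementations without a rotation mechanism (see
   * `LocalTokenVault`) leave it undefined, so callers must check for it
   * before invoking.
   */
  rotateKey?(tenantId: string): Promise<void>;
}

export interface TokenVaultConfig {
  /**
   * Master key for deriving tenant keys (min 32 bytes).
   * Treat as a secret: load from a secret store or environment, never from
   * source control, and keep it out of logs.
   */
  masterKey: string;
  /**
   * Salt for key derivation.
   * When omitted the implementation presumably falls back to a built-in value
   * — confirm; a deployment-specific salt is preferable.
   */
  salt?: string;
  /** Key derivation iterations (default: 100000). */
  iterations?: number;
}

/**
 * Simple token vault using derived keys from a master key.
 * Suitable for development or single-instance deployments.
 *
 * For production multi-instance, use KmsTokenVault with AWS KMS/GCP KMS/HashiCorp Vault.
 *
 * Does not implement the optional `rotateKey`: rotating the master key is an
 * out-of-band operation, and `clearCache` is the only rotation hook exposed.
 */
export declare class LocalTokenVault implements TokenVault {
  private masterKey;
  private salt;
  /**
   * Presumably holds derived per-tenant keys so the iterated derivation is not
   * repeated per call — confirm. Cached keys live in process memory until
   * `clearCache` is called.
   */
  private keyCache;
  /** @param config - master key plus optional salt/iterations, see `TokenVaultConfig` */
  constructor(config: TokenVaultConfig);
  encrypt(tenantId: string, plaintext: string): Promise<string>;
  decrypt(tenantId: string, ciphertext: string): Promise<string>;
  /** Derive a tenant-specific key from the master key. */
  private deriveKey;
  /** Clear the key cache (call after key rotation). */
  clearCache(): void;
}

export interface KmsClient {
  /**
   * Encrypt data using a KMS key.
   *
   * @returns ciphertext in the form that `decrypt` accepts
   */
  encrypt(keyId: string, plaintext: Buffer): Promise<Buffer>;
  /**
   * Decrypt data using a KMS key.
   *
   * @param ciphertext - a value previously returned by `encrypt` (or the
   *   wrapped key from `generateDataKey`)
   */
  decrypt(keyId: string, ciphertext: Buffer): Promise<Buffer>;
  /**
   * Generate a data key for envelope encryption.
   *
   * `plaintext` is the data key used locally and must not be persisted;
   * `ciphertext` is the KMS-wrapped form that is safe to store alongside the
   * data and is unwrapped via `decrypt`.
   */
  generateDataKey(keyId: string): Promise<{
    plaintext: Buffer;
    ciphertext: Buffer;
  }>;
}

export interface KmsTokenVaultConfig {
  /** KMS client instance */
  kms: KmsClient;
  /** Function to get the KMS key ID for a tenant */
  getKeyId: (tenantId: string) => Promise<string>;
}

/**
 * Token vault using external KMS (AWS KMS, GCP KMS, etc.).
 * Uses envelope encryption for efficiency.
 */
export declare class KmsTokenVault implements TokenVault {
  private kms;
  private getKeyId;
  /**
   * Presumably caches per-tenant data keys (including their plaintext form)
   * so the KMS is not called on every operation — confirm. A rotation should
   * evict the tenant's cached entry; verify `rotateKey` does so.
   */
  private dataKeyCache;
  /** @param config - KMS client and the tenant → key-ID resolver, see `KmsTokenVaultConfig` */
  constructor(config: KmsTokenVaultConfig);
  encrypt(tenantId: string, plaintext: string): Promise<string>;
  decrypt(tenantId: string, ciphertext: string): Promise<string>;
  /** Rotate the key material for a tenant (implemented here, unlike `LocalTokenVault`). */
  rotateKey(tenantId: string): Promise<void>;
  /** Get or generate a data key for envelope encryption. */
  private getDataKey;
}

export type TokenVaultType = 'local' | 'kms';

/**
 * Options for `createTokenVault`. The fields required depend on `type`:
 * `'local'` uses `masterKey` (see `TokenVaultConfig`); `'kms'` uses `kms`
 * and `getKeyId` (see `KmsTokenVaultConfig`). The interface keeps them all
 * optional, so a missing field is presumably reported at construction time —
 * confirm against the implementation.
 */
export interface CreateTokenVaultOptions {
  type: TokenVaultType;
  masterKey?: string;
  kms?: KmsClient;
  getKeyId?: (tenantId: string) => Promise<string>;
}

/** Build a vault of the requested `type` from `options`. */
export declare function createTokenVault(options: CreateTokenVaultOptions): TokenVault;
/**
 * Return the module-level vault singleton.
 * Behaviour before `initTokenVault` has run is not visible in this
 * declaration — confirm whether it throws or lazily initialises.
 */
export declare function getTokenVault(): TokenVault;
/** Create the vault (as `createTokenVault`) and install it as the singleton returned by `getTokenVault`. */
export declare function initTokenVault(options: CreateTokenVaultOptions): TokenVault;
/** Reset the singleton — for testing only. */
export declare function resetTokenVault(): void;
//# sourceMappingURL=token-vault.d.ts.map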