/**
 * Central security helpers for Photon runtime.
 * Covers path validation, request authentication, input sanitization,
 * rate limiting, body size limits, and security headers.
 *
 * This is a declaration file: only signatures are visible here. Comments
 * marked NOTE(review) are points to confirm against the implementation,
 * not statements about what it does.
 */
import type { IncomingMessage, ServerResponse } from 'http';

/**
 * Returns true if `candidate` resolves to a location within `root`.
 * Uses realpath-style resolution and ensures trailing separator check
 * to prevent prefix-matching attacks (e.g. /tmp/foo vs /tmp/foobar).
 *
 * @remarks
 * NOTE(review): the declaration does not show whether `candidate === root`
 * counts as "within", or how a path that does not exist yet is resolved
 * when symlinks are involved — confirm before relying on it as a sandbox check.
 *
 * @param candidate - Path to test.
 * @param root - Directory the candidate must resolve inside.
 * @returns `true` when the resolved candidate lies within `root`.
 */
export declare function isPathWithin(candidate: string, root: string): boolean;

/**
 * Validates that an asset path does not contain traversal sequences
 * or absolute path components. Returns the sanitized path or throws.
 *
 * @remarks
 * NOTE(review): the error type thrown and the handling of encoded or
 * backslash-separated traversal sequences are not visible here — confirm.
 *
 * @param assetPath - Asset path to check.
 * @returns The sanitized path.
 * @throws When the path is rejected (error type not shown in the declaration).
 */
export declare function validateAssetPath(assetPath: string): string;

/**
 * Returns true if the request originates from localhost.
 *
 * @remarks
 * NOTE(review): the declaration does not show whether this inspects the
 * socket peer address or a forwarded header. Behind a reverse proxy on the
 * same host every request can appear local, and a client-supplied header
 * cannot be trusted — confirm which source is used.
 *
 * @param req - Incoming HTTP request.
 */
export declare function isLocalRequest(req: IncomingMessage): boolean;

/**
 * Constant-time string comparison to prevent timing attacks.
 *
 * @remarks
 * Shares its name with Node's `crypto.timingSafeEqual` but has a different
 * contract: it takes strings and returns a boolean.
 * NOTE(review): how inputs of different length are handled is not visible
 * here — confirm.
 *
 * @param a - First string.
 * @param b - Second string.
 * @returns `true` when the two strings are equal.
 */
export declare function timingSafeEqual(a: string, b: string): boolean;

/**
 * Checks a candidate npm package name and reports the result as a boolean.
 *
 * @remarks
 * NOTE(review): presumably returns `true` for an acceptable name; the rules
 * applied (scopes, version or URL specifiers, shell metacharacters) are not
 * visible in the declaration — confirm before passing the value to a
 * package-manager command line.
 *
 * @param input - Candidate package name.
 */
export declare function validateNpmPackageName(input: string): boolean;

/**
 * Escapes HTML special characters to prevent XSS.
 *
 * @remarks
 * NOTE(review): the set of escaped characters is not visible here. Confirm
 * that quotes are covered before using the result inside attribute values;
 * HTML escaping alone is not sufficient inside script or URL contexts.
 *
 * @param str - Text to escape.
 * @returns The escaped text.
 */
export declare function escapeHtml(str: string): string;

/**
 * Checks if a template expression contains forbidden identifiers
 * that could be used for code injection. Returns the forbidden token or null.
 *
 * @remarks
 * NOTE(review): the list of forbidden identifiers and the matching method
 * are not visible here — confirm, since a denylist only stops what it names.
 *
 * @param expr - Template expression to inspect.
 * @returns The forbidden token that was found, or `null` if none was found.
 */
export declare function findForbiddenIdentifier(expr: string): string | null;

/**
 * Reads the request body with a size limit. Rejects if the body exceeds maxBytes.
 *
 * @remarks
 * NOTE(review): `Promise` appears below without a type argument, which does
 * not type-check; the argument was probably lost when this listing was
 * extracted — restore it from the implementation's return type.
 * The default used when `maxBytes` is omitted is not visible here.
 *
 * @param req - Incoming HTTP request whose body is read.
 * @param maxBytes - Optional upper bound on the body size, in bytes.
 */
export declare function readBody(req: IncomingMessage, maxBytes?: number): Promise;

/**
 * Returns true if the given Origin header value is a localhost address.
 * Same-origin requests (no Origin header) are considered safe.
 *
 * @remarks
 * A missing Origin header is also normal for non-browser clients, so a
 * `true` result for `undefined` says nothing about who the caller is; this
 * is a browser cross-origin check, not authentication.
 *
 * @param origin - Value of the Origin header, or `undefined` when absent.
 */
export declare function isLocalhostOrigin(origin: string | undefined): boolean;

/**
 * Returns the CORS origin to use in Access-Control-Allow-Origin, or undefined
 * if the request origin is not from localhost (in which case the header should be omitted).
 *
 * @param req - Incoming HTTP request.
 * @returns The origin to echo back, or `undefined` to omit the header.
 */
export declare function getCorsOrigin(req: IncomingMessage): string | undefined;

/**
 * Sets standard security headers on an HTTP response.
 *
 * @remarks
 * NOTE(review): which headers and values are set is not visible in the
 * declaration — confirm against the implementation.
 *
 * @param res - Response to set the headers on.
 */
export declare function setSecurityHeaders(res: ServerResponse): void;

/**
 * Return true when `ip` is inside any of the given CIDR ranges or equals
 * any literal entry. Silently ignores malformed CIDRs (the caller should
 * log them at config-parse time).
 *
 * @remarks
 * NOTE(review): read literally, an empty `ranges` array matches nothing,
 * while `parseAllowlistEnv` documents an empty array as "allow all".
 * Confirm where that rule is applied (here or in the caller).
 *
 * @param ip - Address to test.
 * @param ranges - CIDR ranges and/or literal IP entries.
 */
export declare function ipInAllowlist(ip: string, ranges: string[]): boolean;

/**
 * Parse a comma-separated list of CIDR ranges / literal IPs from env
 * config. Empty string → empty array (allow all). Malformed entries are
 * dropped (matching the ipInAllowlist tolerance).
 *
 * @remarks
 * NOTE(review): as documented, a value whose entries are all malformed
 * parses to the same empty array as an unset value, and an empty array
 * means "allow all". A typo in the allowlist would then fail open — confirm
 * that the caller tells the two cases apart or reports dropped entries.
 * Handling of `undefined` is presumably the same as the empty string; verify.
 *
 * @param raw - Raw env value, or `undefined` when the variable is unset.
 * @returns The parsed entries.
 */
export declare function parseAllowlistEnv(raw: string | undefined): string[];

/**
 * Simple in-memory rate limiter using a sliding window.
 *
 * @remarks
 * State is in-memory, so it is not shared between processes and does not
 * survive a restart.
 * NOTE(review): constructor defaults and whether idle keys are ever evicted
 * are not visible in the declaration — confirm, since keys taken from
 * request data could otherwise grow the map without bound.
 */
export declare class SimpleRateLimiter {
    // Private members appear without types, as is usual in a declaration file.
    private readonly maxRequests;
    private readonly windowMs;
    private windows;
    /**
     * @param maxRequests - Optional request limit per window (default not shown here).
     * @param windowMs - Optional window length in milliseconds (default not shown here).
     */
    constructor(maxRequests?: number, windowMs?: number);
    /**
     * Returns true if the request is allowed, false if rate-limited.
     *
     * @param key - Identifier the limit is tracked under.
     */
    isAllowed(key: string): boolean;
    /**
     * Resets the rate limiter for a specific key or all keys.
     *
     * @param key - Key to reset; omit to reset every key.
     */
    reset(key?: string): void;
}

/**
 * Verifies that content matches an expected SHA-256 hash.
 *
 * @remarks
 * NOTE(review): the encoding expected for `expectedHash` (hex or base64,
 * case sensitivity) and the text encoding used to hash `content` are not
 * visible here — confirm.
 *
 * @param content - Content to hash.
 * @param expectedHash - SHA-256 value the content must match.
 * @returns `true` when the hash of `content` matches `expectedHash`.
 */
export declare function verifyContentHash(content: string, expectedHash: string): boolean;

/**
 * Scans JavaScript/TypeScript source code for dangerous patterns.
 * Returns a list of warnings (not blocking — informational only).
 *
 * @remarks
 * Because the result is informational, an empty list must not be treated
 * as proof that the source is safe to execute.
 *
 * @param source - Source code to scan.
 * @returns Warning messages; empty when nothing was flagged.
 */
export declare function warnIfDangerous(source: string): string[];
//# sourceMappingURL=security.d.ts.map