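/**
 * AWS Signature Version 4 signer for the Cloudflare R2 (S3-compatible) API.
 *
 * Replaces the request signing that @aws-sdk/client-s3 used to do for us.
 * Uses only node:crypto — no external dependencies, no regex.
 *
 * The core (`computeSigV4`) is verified byte-for-byte against the official AWS
 * SigV4 test-suite `get-vanilla` vector in __tests__/_sigv4.test.ts.
 *
 * Server-only. Do NOT import from client-side code or edge runtime: every
 * entry point takes the long-lived `secretAccessKey`, and the module depends
 * on node:crypto.
 *
 * NOTE(review): the type arguments of the four `Record` members below were
 * missing from this copy of the declaration file (a bare `Record` does not
 * compile). They are reconstructed from the adjacent doc comments — confirm
 * against _sigv4.ts.
 */

/** Hex SHA-256 of the empty string — the payload hash for body-less requests. */
export declare const EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";

/**
 * Hex SHA-256 of arbitrary bytes (request payload hashing).
 *
 * @param data - Payload to hash. NOTE(review): string input is presumably
 *   hashed as UTF-8; confirm, because the digest must match the bytes that
 *   are actually sent.
 * @returns The digest as a hex string.
 */
export declare function sha256Hex(data: string | Uint8Array): string;

/**
 * RFC 3986 percent-encoding per the AWS SigV4 spec. `encodeSlash` is false for
 * path segments (slashes are separators) and true for query keys/values.
 *
 * @param input - Raw (unencoded) text.
 * @param encodeSlash - Whether `/` is percent-encoded.
 * @returns The encoded text.
 */
export declare function awsUriEncode(input: string, encodeSlash: boolean): string;

/**
 * Inputs to the verified SigV4 core. All path/header values must be final.
 *
 * Carries `secretAccessKey`: do not log or serialise this object as a whole.
 */
export interface CanonicalInput {
  method: string;
  /** Already AWS-URI-encoded path (slashes preserved). */
  canonicalPath: string;
  /** Raw (unencoded) query pairs; encoded + sorted by the signer. */
  query: [string, string][];
  /** Exact header set to sign (any case; lowercased + trimmed internally). */
  headersToSign: Record<string, string>;
  /** Hash of the request body as it goes into the canonical request. */
  payloadHash: string;
  /** Request timestamp; expected in the SigV4 `x-amz-date` basic format (UTC). */
  amzDate: string;
  region: string;
  service: string;
  accessKeyId: string;
  /** Long-lived secret; used to derive the signing key. */
  secretAccessKey: string;
}

/** Outputs of the SigV4 core, as needed to assemble an Authorization header. */
export interface SigV4Result {
  signature: string;
  signedHeaders: string;
  scope: string;
  canonicalQuery: string;
}

/**
 * The verified SigV4 computation: canonical request → string-to-sign → signing
 * key → signature. Verified against AWS's official `get-vanilla` test vector.
 *
 * NOTE(review): `get-vanilla` is a plain GET with no query string — confirm
 * the test file also exercises query encoding/sorting and header
 * normalisation, which that vector alone does not cover.
 */
export declare function computeSigV4(input: CanonicalInput): SigV4Result;

/**
 * Inputs for an R2/S3 request signature.
 *
 * Carries `secretAccessKey`: do not log or serialise this object as a whole.
 */
export interface SignS3Input {
  method: 'GET' | 'PUT' | 'DELETE';
  /**
   * NOTE(review): `accountId` and `bucket` presumably end up in the request
   * host/path; take them from configuration rather than from request input.
   */
  accountId: string;
  bucket: string;
  /**
   * Object key; omit for bucket-level operations (e.g. ListObjectsV2).
   *
   * NOTE(review): `.` is not percent-encoded under RFC 3986, so a key with
   * `.`/`..` path segments may be rewritten by URL normalisation in fetch,
   * making the sent path differ from the signed one — confirm the
   * implementation or its callers reject such keys.
   */
  key?: string;
  /**
   * Query params; `undefined` values are dropped before signing.
   * NOTE(review): value type reconstructed as `string | undefined` — confirm.
   */
  query?: Record<string, string | undefined>;
  region: string;
  accessKeyId: string;
  /** Long-lived secret; used to derive the signing key. */
  secretAccessKey: string;
  /**
   * Hex SHA-256 of the body, or EMPTY_SHA256 for body-less requests.
   * It must be computed over the exact bytes that are sent; the declaration
   * gives the signer no way to check it against the body.
   */
  payloadHash: string;
  /** Extra headers to send + sign (content-type, cache-control, x-amz-meta-*). */
  extraHeaders?: Record<string, string>;
  /**
   * Signing time. SigV4 signatures are time-bound, so this should be the
   * current time from a synchronised clock; a skewed value is rejected by
   * the service.
   */
  now: Date;
}

/** A ready-to-send request: target URL plus the headers that must accompany it. */
export interface SignedS3Request {
  url: string;
  /** Includes the Authorization value; avoid logging these verbatim. */
  headers: Record<string, string>;
}

/**
 * Build a signed R2 request: a path-style URL + AWS4-HMAC-SHA256 Authorization
 * header. The `host` header is signed but not returned — fetch/undici sets it
 * from the URL (same value), and `Host` is a forbidden header to set manually.
 *
 * Headers added to the request after signing are not covered by the
 * signature, and changing the value of a signed header invalidates it, so
 * pass everything that needs integrity protection through `extraHeaders`.
 *
 * @param input - Request description and credentials.
 * @returns The URL to fetch and the headers to send with it.
 */
export declare function signS3Request(input: SignS3Input): SignedS3Request;
//# sourceMappingURL=_sigv4.d.ts.map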