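/**
 * Remote MCP server client helpers — tenant-scoped discovery + connection.
 *
 * Two responsibilities:
 *
 * 1. {@link listConnectedMcpServers} — enumerate the servers a tenant has
 *    an authorized OAuth token for in the vault. Does NOT connect; a pure
 *    metadata lookup.
 *
 * 2. {@link buildRemoteMcpClient} — load the stored server URL + OAuth
 *    meta for `(tenant, server)` and return a configured {@link McpClient}.
 *    The client is configured but NOT yet connected — callers invoke
 *    `connect()` themselves so they can manage teardown.
 *
 * Both helpers were originally defined alongside each other in the admin
 * app: {@link listConnectedMcpServers} as inline logic in the
 * `/api/mcp/remote-servers` route, {@link buildRemoteMcpClient} as the
 * admin-local `lib/mcp/remote-server-client.ts`. They moved here so the API
 * app can use the same path enumeration + client-construction logic without
 * duplicating admin code.
 *
 * NOTE(review): both helpers take the tenant as a plain string. Nothing in
 * these declarations binds it to the authenticated caller, so each call site
 * (admin route, API app) is presumably responsible for deriving it from the
 * session rather than from request input — confirm at the call sites.
 */
import { type ElicitationHandler, McpClient, type SamplingHandler } from './client.js';
import { type Vault } from './oauth.js';

/**
 * List the MCP servers that tenant `tenantId` has authorized OAuth tokens
 * for in the vault. Enumerates `mcp/<tenant>/<server>/tokens` entries
 * and returns the unique server IDs, sorted ascending.
 *
 * A server appears here if and only if a successful OAuth flow has landed
 * a `tokens` blob at that path. Tokens may be expired — refresh/rotation
 * is the transport's concern via the `OAuthClientProvider` hooks. Callers
 * should treat this list as "has been authorized at least once" rather
 * than "is definitely healthy right now".
 *
 * @param vault - Vault whose entries are enumerated.
 * @param tenantId - Tenant whose token entries are listed. Rejected (see
 *   `@throws`) when it contains characters unsafe for the vault.
 * @returns The unique server IDs, sorted ascending.
 * @throws {RevvaultError} when the vault `list` call fails or when
 *   `tenantId` contains characters that would be unsafe to pass to the
 *   vault.
 */
export declare function listConnectedMcpServers(vault: Vault, tenantId: string): Promise<string[]>;

/**
 * Stored alongside tokens by the OAuth callback.
 *
 * NOTE(review): `serverUrl` is read back from the vault and is presumably
 * the endpoint the built client presents the tenant's OAuth credentials to.
 * Write access to this record should therefore be as tightly held as write
 * access to the tokens themselves — confirm against the OAuth callback.
 */
export interface RemoteServerMeta {
  /** URL of the remote MCP server, as recorded at authorization time. */
  serverUrl: string;
  /** When the connection was recorded; format not visible from here. */
  connectedAt: string;
  /** Who recorded the connection; identifier format not visible from here. */
  connectedBy: string;
}

/**
 * Raised by {@link buildRemoteMcpClient} when no meta record exists for the
 * `(tenant, server)` pair.
 *
 * The tenant and server identifiers are exposed as properties; whether they
 * also appear in `message` is not visible from this declaration, so check
 * before echoing the error to another tenant's response or a shared log.
 */
export declare class RemoteServerNotConnectedError extends Error {
  readonly tenant: string;
  readonly server: string;
  constructor(tenant: string, server: string);
}

/**
 * Options for {@link buildRemoteMcpClient}.
 *
 * NOTE(review): {@link listConnectedMcpServers} documents rejecting a
 * `tenantId` with vault-unsafe characters. This declaration does not say
 * whether `tenant` and `server` get the same validation before they are
 * used for the vault lookup — confirm in the implementation.
 */
export interface BuildRemoteMcpClientOptions {
  tenant: string;
  server: string;
  /** Injected for tests; defaults to the revvault-backed vault. */
  vault?: Vault;
  /** Client name reported during `initialize`. */
  clientName?: string;
  /** Client version reported during `initialize`. */
  clientVersion?: string;
  /**
   * Handler invoked when the server sends `elicitation/create`. Registered
   * on the `McpClient` at construction time so capability advertisement
   * matches what the caller can actually service. Omit it to leave the
   * capability unadvertised for servers that should not prompt the user.
   */
  elicitationHandler?: ElicitationHandler;
  /**
   * Handler invoked when the server sends an MCP sampling request
   * (`sampling/createMessage`). Registered on the `McpClient` at
   * construction time so capability advertisement matches what the caller
   * can actually service. Typically built via `createSamplingHandler` from
   * `@revealui/ai`, which routes the request through the caller's
   * configured LLM with an optional model allowlist for cost safety.
   *
   * Supplying this lets the remote server initiate LLM calls on the
   * caller's account, so leave it unset unless the server is trusted to do
   * so and the allowlist is configured.
   */
  samplingHandler?: SamplingHandler;
}

/** Result of {@link buildRemoteMcpClient}: the client plus the stored meta it was built from. */
export interface BuiltRemoteMcpClient {
  /** Configured but not yet connected; the caller invokes `connect()`. */
  client: McpClient;
  meta: RemoteServerMeta;
}

/**
 * Load OAuth credentials + server URL and return a configured `McpClient`.
 *
 * @param options - Tenant/server pair plus optional vault, client identity
 *   and server-request handlers; see {@link BuildRemoteMcpClientOptions}.
 * @returns The configured (not yet connected) client and its stored meta.
 * @throws {RemoteServerNotConnectedError} if no meta record exists for
 *   the `(tenant, server)` pair.
 */
export declare function buildRemoteMcpClient(
  options: BuildRemoteMcpClientOptions,
): Promise<BuiltRemoteMcpClient>;
//# sourceMappingURL=remote-client.d.ts.map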