/**
 * SecurityUtils - Shared security utility functions.
 *
 * Provides prototype pollution protection, SSRF guards, header filtering,
 * URL credential redaction, hostname validation, and input length limits.
 */
/** Maximum allowed input length for skill handler arguments (characters). */
export declare const MAX_SKILL_INPUT_LENGTH = 1000;
/**
 * Copy properties from `source` to `target`, filtering out prototype-pollution keys.
 * Drop-in replacement for `Object.assign(target, source)` where `source` is untrusted.
 * @param target - The object to assign into.
 * @param source - The object to copy properties from.
 * @returns The target object.
 */
export declare function safeAssign<T extends Record<string, unknown>>(target: T, source: Record<string, unknown>): T;
/**
 * Return a copy of `headers` with sensitive entries (authorization, cookie, etc.) removed.
 * @param headers - Original header record.
 * @returns A new record with sensitive headers removed.
 */
export declare function filterSensitiveHeaders(headers: Record<string, string>): Record<string, string>;
/**
 * Redact credentials embedded in a URL (e.g. `https://user:secret@host` -> `https://user:****@host`).
 * Returns the URL unchanged if no credentials are present.
 * @param url - The URL string to redact.
 * @returns The URL with the password portion replaced by `****`.
 */
export declare function redactUrl(url: string): string;
/**
 * Validate that a hostname string does not contain whitespace, slashes, or control characters.
 * @param host - Hostname to validate.
 * @returns True if the hostname is valid.
 */
export declare function isValidHostname(host: string): boolean;
/**
 * Check whether an IP address belongs to a private/reserved range.
 * Covers RFC1918, loopback, link-local, IPv6 private (fc/fd, ::1, fe80).
 * @param ip - The IP address string to check.
 * @returns True if the IP is private/reserved.
 */
export declare function isPrivateIp(ip: string): boolean;
/**
 * DNS-resolve a URL's hostname and reject it if it points to a private IP.
 * @param url - The full URL to validate.
 * @param allowPrivate - When true, skip the private-IP check (default false).
 * @throws If the resolved IP is private and `allowPrivate` is false.
 */
export declare function resolveAndValidateUrl(url: string, allowPrivate?: boolean): Promise<void>;
/**
 * Validate that a URL is safe to fetch (not pointing to private/internal resources).
 *
 * Matches Python's `validate_url(url, allow_private=False) -> bool` — returns `true`
 * if the URL is safe, `false` otherwise (never throws).
 *
 * @param url - The URL to validate.
 * @param allowPrivate - When true, allow private IP ranges (default false).
 * @returns `true` if the URL is safe to fetch, `false` otherwise.
 */
export declare function validateUrl(url: string, allowPrivate?: boolean): Promise<boolean>;
/**
 * Whether the current process is running in a serverless environment
 * (anything other than a long-lived ``server`` runtime).
 *
 * Python parity: ``signalwire.utils.is_serverless_mode``.
 */
export declare function isServerlessMode(): boolean;