/**
 * SessionManager - Stateless HMAC-SHA256 token generation and validation.
 *
 * Tokens encode call_id, function name, expiry and a nonce, signed with a
 * shared secret. No server-side state is stored.
 */
/** Decoded token debug info matching the Python SDK's nested return structure. */
export interface DebugTokenResult {
    valid_format: boolean;
    components?: {
        call_id: string;
        function: string;
        expiry: string;
        expiry_date: string | null;
        nonce: string;
        signature: string;
    };
    status?: {
        current_time: number;
        is_expired: boolean | null;
        expires_in_seconds: number | null;
    };
    parts_count?: number;
    token_length?: number;
    error?: string;
}
/** Stateless HMAC-SHA256 token manager for SWAIG function call authentication and per-session metadata storage. */
export declare class SessionManager {
    /** Token validity duration in seconds. */
    tokenExpirySecs: number;
    /** HMAC signing secret. */
    secretKey: string;
    /**
     * When true, {@link debugToken} decodes token internals.
     * When false (default), it returns `{ error: "debug mode not enabled" }`.
     */
    debugMode: boolean;
    private sessionMetadata;
    private sessionTimestamps;
    private log;
    /**
     * Create a new SessionManager.
     * @param tokenExpirySecs - Token validity duration in seconds (default 900).
     * @param secretKey - HMAC signing secret; a random key is generated if omitted.
     */
    constructor(tokenExpirySecs?: number, secretKey?: string);
    /**
     * Return the given callId or generate a new random session identifier.
     * @param callId - Existing call ID to reuse.
     * @returns The call ID string.
     */
    createSession(callId?: string): string;
    /**
     * Generate a signed, base64url-encoded token binding a function name to a call ID.
     * @param functionName - The SWAIG function name to bind.
     * @param callId - The call ID to bind.
     * @returns A base64url-encoded token string.
     */
    generateToken(functionName: string, callId: string): string;
    /**
     * Alias for {@link generateToken}.
     * @param functionName - The SWAIG function name to bind.
     * @param callId - The call ID to bind.
     * @returns A base64url-encoded token string.
     */
    createToolToken(functionName: string, callId: string): string;
    /**
     * Validate a token against the expected call ID and function name.
     * @param callId - The expected call ID.
     * @param functionName - The expected function name.
     * @param token - The base64url-encoded token to validate.
     * @returns True if the token is valid and not expired.
     */
    validateToken(callId: string, functionName: string, token: string): boolean;
    /**
     * Alias for {@link validateToken} with reordered parameters.
     * @param functionName - The expected function name.
     * @param token - The base64url-encoded token to validate.
     * @param callId - The expected call ID.
     * @returns True if the token is valid and not expired.
     */
    validateToolToken(functionName: string, token: string, callId: string): boolean;
    /**
     * Debug a token without validating it.
     *
     * Requires {@link debugMode} to be `true`. When disabled, returns
     * `{ error: "debug mode not enabled" }` matching the Python SDK behaviour.
     *
     * @param token - The base64url-encoded token to decode.
     * @returns A nested debug structure matching the Python SDK, or an error object.
     */
    debugToken(token: string): DebugTokenResult;
    /**
     * Retrieve metadata associated with a session.
     *
     * Returns an empty object when no metadata has been stored for the session,
     * matching Python SDK behavior (`get_session_metadata` always returns `{}`).
     * Callers can safely check truthiness or iterate keys without a null guard.
     *
     * @param sessionId - The session identifier.
     * @returns The metadata record for the session, or `{}` if no metadata exists.
     */
    getSessionMetadata(sessionId: string): Record<string, unknown>;
    /**
     * Merge metadata into a session, creating the entry if it does not exist.
     *
     * Supports two call signatures for Python SDK compatibility:
     * - `setSessionMetadata(sessionId, metadata)` — bulk merge (TS-native)
     * - `setSessionMetadata(sessionId, key, value)` — single key/value (Python-compatible)
     *
     * @param sessionId - The session identifier.
     * @param metadataOrKey - A metadata record to merge, or a string key when called with three arguments.
     * @param value - The value to set when called with a string key.
     */
    setSessionMetadata(sessionId: string, metadataOrKey: Record<string, unknown>): void;
    setSessionMetadata(sessionId: string, key: string, value: unknown): boolean;
    /**
     * Remove session metadata entries older than `maxAgeMs`.
     * @param maxAgeMs - Maximum age in milliseconds (defaults to `tokenExpirySecs * 1000`).
     */
    cleanup(maxAgeMs?: number): void;
    /**
     * Legacy method retained for API compatibility with the Python SDK.
     * Does nothing and returns `true`.
     * @param _callId - The call/session identifier (unused).
     * @returns Always `true`.
     */
    activateSession(_callId: string): boolean;
    /**
     * Legacy method retained for API compatibility with the Python SDK.
     * Does nothing and returns `true`.
     * @param _callId - The call/session identifier (unused).
     * @returns Always `true`.
     */
    endSession(_callId: string): boolean;
    /**
     * Delete all metadata for a session.
     * @param sessionId - The session identifier.
     * @returns True if the session existed and was deleted.
     */
    deleteSessionMetadata(sessionId: string): boolean;
}