import type { CredentialStore } from '../credentials/credential-store.js';
import type { HttpPort } from '../platform/http.js';
import { mirrorActiveOauthVaultIfApplicable } from './active-vault-mirror.js';
import type { UsageCache } from './usage-cache.js';
export { mirrorActiveOauthVaultIfApplicable };
/**
 * Read the OAuth tokens (accessToken / refreshToken / expiresAt) for a
 * specific account from its saved snapshot file, without touching the
 * active-account state in `~/.claude.json` or the Keychain.
 *
 * Used by per-account usage refresh so we can hit the Anthropic usage
 * endpoint on behalf of a NON-active account — e.g. to refresh the GUI's
 * cached numbers for the second account in a multi-account setup
 * without forcing the user to switch into it first.
 *
 * Returns null if the account file doesn't exist, isn't parseable, or
 * doesn't carry an accessToken.
 */
export declare function readAccountOauth(email: string, accountsDirPath: string): {
    accessToken: string;
    refreshToken?: string;
    expiresAt?: number | string;
} | null;
/**
 * Persist a refreshed OAuth bundle back to the account file so the next
 * read sees the new (non-stale) tokens. Writes the tokens to BOTH locations
 * `readAccountOauth` probes: the top-level fields AND the
 * `_keychain.claudeAiOauth` block. The latter is read FIRST, so writing only
 * the top-level fields would leave the stale `_keychain` token shadowing the
 * refreshed one and force a re-refresh on every call. Updating `_keychain`
 * also keeps the block `load()` would restore current. Everything else in the
 * snapshot (apiKey, prefs) is preserved.
 */
export declare function persistRefreshedOauth(email: string, accountsDirPath: string, oauth: {
    accessToken: string;
    refreshToken?: string;
    expiresAt: number;
}): void;
/**
 * Refresh the cached usage snapshot for any saved account (active or
 * not). Loads that account's OAuth tokens from its snapshot file,
 * refreshes them via the Anthropic OAuth endpoint if expired, then
 * calls fetchUsage and writes the per-account cache.
 *
 * Throws when the account isn't saved or has no usable refresh token.
 * Network failures fall through and surface via the returned cache's
 * shape (no payload, no rateLimitedUntil — the caller can decide).
 */
export declare function refreshUsageForAccount(email: string, accountsDirPath: string, deps?: {
    credentials?: CredentialStore;
    claudeJsonPath?: string;
    http?: HttpPort;
}): Promise<UsageCache>;
/**
 * Pull the OAuth access token. On macOS this comes from the login Keychain;
 * on Linux/Windows it lives in `~/.claude.json` under `oauthAccount.accessToken`
 * (Claude Code does not use a system credential store there).
 */
export declare function getAccessTokenFromKeychain(claudeJsonPathStr?: string): string | null;