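/**
 * `@sylphx/management/adminSecrets` — operator-driven secret rotation
 * audit ledger (G-5).
 *
 * @privilege-asymmetry:O-2 — `break-glass` appears as a rotatable secret
 * type; see docs/catalog/subsystems/privilege-asymmetry.md §3.2.
 *
 * Mirrors `/admin/secrets/*` in
 * `apps/api/src/server/platform/routes/admin/secrets.ts`.
 *
 * Auth: service token + scope `platform:secrets:rotate`. Super-admin
 * sessions are explicitly NOT accepted by the server — rotation MUST be
 * a programmatic step in an Ops runbook.
 *
 * Typical use:
 *
 *   sylphx admin rotate-secret --type break-glass --dry-run
 *   sylphx admin rotate-secret --type break-glass --reason "scheduled 90d cadence"
 *
 * dispatches here via `requireAuthEffect` + `withAuthedSdk`. The endpoint
 * NEVER mints the new secret value; operators update the configured secret
 * target per `docs/runbooks/secret-rotation.md`.
 */
import type { Client } from './client.js';

/** Catalog entry shape mirrored from `AdminSecretStatus` in the contract. */
export interface AdminSecretStatus {
  /** Which rotatable platform secret this entry describes. */
  readonly type: 'break-glass' | 'encryption-key' | 'jwt-signing';
  /** Presumably a timestamp string; `null` when no rotation is on record — confirm format against the contract. */
  readonly lastRotatedAt: string | null;
  /** Age of the current secret in days; nullable alongside `lastRotatedAt`. */
  readonly ageDays: number | null;
  /** Rotation cadence for this secret type, in days. */
  readonly cadenceDays: number;
  /** Server-computed flag; presumably `ageDays` exceeding `cadenceDays` — confirm. */
  readonly overdue: boolean;
  /**
   * The configured secret target that operators update by hand (the endpoint
   * never mints the value). NOTE(review): the exact format is not visible
   * here — confirm it is a location/identifier and never secret material.
   */
  readonly rotationTarget: string;
}

/** Response body of {@link list}. */
export interface ListSecretsResult {
  // NOTE(review): the element type was missing in this copy of the file;
  // restored from the catalog-entry interface above — confirm against the contract.
  readonly secrets: ReadonlyArray<AdminSecretStatus>;
}

/** Request body of {@link rotate}. */
export interface RotateSecretInput {
  // Derived from AdminSecretStatus so the two unions cannot drift apart.
  readonly type: AdminSecretStatus['type'];
  /**
   * When `true`, only the eligibility report is returned and no `audit_logs`
   * row is written. NOTE(review): the server-side default when this field is
   * omitted is not visible here — pass it explicitly.
   */
  readonly dryRun?: boolean;
  /**
   * Operator-supplied justification for the rotation event. Presumably
   * persisted with the event, so it must never contain the secret value
   * itself. NOTE(review): whether the server requires it for a real
   * (non-dry-run) rotation is not visible here — confirm.
   */
  readonly reason?: string;
}

/** Response body of {@link rotate}. */
export interface RotateSecretResult {
  /** Whether a real rotation event was recorded; presumably `false` for a dry run — confirm. */
  readonly rotated: boolean;
  /** Status of the secret as reported by the server for this call. */
  readonly status: AdminSecretStatus;
  /** Id of the `audit_logs` row; presumably `null` on a dry run, where no such row is written. */
  readonly auditLogId: string | null;
  /** Human-readable outcome message from the server. */
  readonly message: string;
}

/**
 * List the rotation status of every rotatable platform secret.
 *
 * Used by the `sylphx_secret_age_days` Prometheus alert evaluator and
 * the Console operator dashboard's secret-rotation widget.
 *
 * @param client - Authenticated SDK client (service token with scope
 *   `platform:secrets:rotate`, per the module header).
 * @returns The status catalog. NOTE(review): the `Promise` type argument was
 *   missing in this copy and is restored as `ListSecretsResult` — confirm.
 */
export declare const list: (client: Client) => Promise<ListSecretsResult>;

/**
 * Record a rotation event.
 *
 * `dryRun=true` returns the eligibility report without writing an
 * `audit_logs` row (the `secret_rotation_events` row is still inserted
 * with `is_real=false` so the alert evaluator can read fresh state).
 *
 * A dry run is therefore not side-effect free: anything that reads
 * `secret_rotation_events` must filter on `is_real` before treating a row
 * as evidence that a secret was actually rotated.
 *
 * @param client - Authenticated SDK client (service token with scope
 *   `platform:secrets:rotate`, per the module header).
 * @param body - Secret type plus optional `dryRun` / `reason`.
 * @returns The rotation outcome. NOTE(review): the `Promise` type argument
 *   was missing in this copy and is restored as `RotateSecretResult` — confirm.
 */
export declare const rotate: (
  client: Client,
  body: RotateSecretInput,
) => Promise<RotateSecretResult>;
//# sourceMappingURL=adminSecrets.d.ts.map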