/**
 * Security Console — user-facing security settings (Management plane).
 *
 * Mirrors `apps/api/src/server/platform/routes/security/*`. Paths come
 * from `@sylphx/contract` (`securityEndpoints`, mount `/security/*`).
 *
 * This is the SDK surface the CLI / Console UI use to drive the
 * authenticated user's own security settings — distinct from
 * `@sylphx/sdk.auth` (BaaS plane, end-user sign-in/sign-up) and from
 * `authSettings.ts` (Management plane, project-level OAuth/SAML config).
 *
 * Initial scope (ADR-089 closure for P0-1 — email change). Other
 * sub-namespaces (2FA, OAuth, password, passkeys, sessions, score,
 * alerts) follow the same pattern as endpoints stabilise.
 */
import type { Client } from './client.js';
export interface EmailChangeRequestInput {
    readonly newEmail: string;
}
export interface EmailChangeRequestResult {
    readonly success: boolean;
    readonly message: string;
    readonly expiresAt: string;
}
/**
 * Request a change of the authenticated user's email address.
 *
 * The Platform issues a 32-byte verification token, persists a pending
 * `email_change_requests` row, and emails the verification link to the
 * **new** address. The current address is left untouched until the user
 * confirms via {@link confirmEmailChange}. Audit-emitted as
 * `email_change.create` with the new address masked.
 *
 * Errors:
 *   - 409 — `newEmail` is already in use by another account
 *   - 404 — current user not found (should not happen for a valid session)
 */
export declare const requestEmailChange: (client: Client, body: EmailChangeRequestInput) => Promise<EmailChangeRequestResult>;
export interface EmailChangeConfirmInput {
    readonly token: string;
}
export interface EmailChangeConfirmResult {
    readonly success: boolean;
    readonly newEmail: string;
}
/**
 * Confirm a pending email change using the token delivered via email.
 *
 * On success the `users.email` column is updated, the pending request is
 * deleted, a security alert is recorded, and a notification is sent to
 * the **previous** address. Audit-emitted as `user.update` with
 * `metadata.action = 'email_changed'`.
 *
 * Errors:
 *   - 422 — invalid or expired token (the row is cleaned up on expiry)
 */
export declare const confirmEmailChange: (client: Client, body: EmailChangeConfirmInput) => Promise<EmailChangeConfirmResult>;
//# sourceMappingURL=security.d.ts.map