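/**
 * @license
 * Copyright 2025 Vybestack LLC
 * SPDX-License-Identifier: Apache-2.0
 */
import { type OAuthToken, type BucketStats } from './types.js';
import { type TokenStore } from './token-store.js';
import { SecureStore } from '../storage/secure-store.js';

/**
 * Keyring-backed token store with filesystem advisory locks.
 *
 * @internal **DO NOT instantiate directly in consumer code.**
 * Use `createTokenStore()` from `credential-store-factory.ts` instead.
 * This ensures proper environment detection (sandbox vs. direct mode)
 * and consistent singleton management across the application.
 *
 * Security-relevant contract, as far as this declaration shows:
 * - OAuth tokens are read and written through `SecureStore`; the lock
 *   directory is used for lock files.
 * - The refresh and auth locks are advisory: they only coordinate
 *   processes that also take the lock, and do not restrict access to the
 *   stored tokens themselves.
 * - Identifiers that appear in debug logs are hashed with a
 *   non-cryptographic function (see `hashIdentifier`).
 *
 * NOTE(review): the `Promise` type arguments below are inferred from the
 * doc comments and the `BucketStats` import; confirm them against the
 * `TokenStore` interface.
 *
 * @plan PLAN-20260213-KEYRINGTOKENSTORE.P06
 * @plan PLAN-20250214-CREDPROXY.P36
 */
export declare class KeyringTokenStore implements TokenStore {
  // Backing store for token material; may be injected via the constructor.
  private readonly secureStore;
  private readonly logger;
  // Directory holding the advisory lock files.
  // NOTE(review): the default location is not visible here; confirm it is a
  // user-private directory rather than a shared, world-writable one.
  private readonly lockDir;

  /**
   * @param options - Optional overrides for the backing `SecureStore` and
   *   for the directory in which lock files are created.
   */
  constructor(options?: { secureStore?: SecureStore; lockDir?: string });

  // NOTE(review): body not visible. Presumably validates provider and bucket
  // names before they are used in store keys and lock file names; confirm it
  // rejects path separators and `..` if names reach the lock file path.
  private validateName;
  private accountKey;

  /**
   * Non-cryptographic FNV-1a hash for debug log identifiers.
   * Account keys are configuration labels (not secrets), but we still
   * one-way hash them for log brevity. Using FNV-1a instead of
   * crypto.createHash avoids a false-positive CodeQL alert
   * (js/insufficient-password-hash) that cannot distinguish log
   * identifiers from password storage.
   *
   * FNV-1a is fast and unkeyed, so the output does not hide the label from
   * anyone who can guess it. Keep its use limited to log identifiers and
   * never apply it to token values or other secrets.
   */
  private hashIdentifier;
  private lockFilePath;
  private authLockFilePath;

  /**
   * Ensures the lock directory exists.
   *
   * NOTE(review): the directory mode is not visible here; confirm it is
   * created with owner-only permissions.
   * @plan PLAN-20260213-KEYRINGTOKENSTORE.P06
   */
  private ensureLockDir;

  /**
   * Shared lock acquisition logic used by both refresh and auth locks.
   * @plan project-plans/issue1652/plan.md Phase 2
   */
  private acquireLock;

  /**
   * Shared lock release logic used by both refresh and auth locks.
   * @plan project-plans/issue1652/plan.md Phase 2
   */
  private releaseLock;

  /**
   * Validates and persists an OAuth token to SecureStore.
   *
   * @param provider - Provider name the token belongs to.
   * @param token - Token to validate and store.
   * @param bucket - Optional bucket name under the provider.
   * @plan PLAN-20260213-KEYRINGTOKENSTORE.P06
   */
  saveToken(provider: string, token: OAuthToken, bucket?: string): Promise<void>;

  /**
   * Retrieves and validates an OAuth token from SecureStore.
   * Returns null for missing or corrupt data (logged with hashed identifier).
   *
   * A `null` result does not tell the caller whether the entry was absent
   * or failed validation; only the debug log distinguishes the two.
   *
   * @param provider - Provider name to look up.
   * @param bucket - Optional bucket name under the provider.
   * @plan PLAN-20260213-KEYRINGTOKENSTORE.P06
   */
  getToken(provider: string, bucket?: string): Promise<OAuthToken | null>;

  /**
   * Removes a token from SecureStore. Best-effort — errors are swallowed.
   *
   * Because a failed delete is not reported, callers that must be sure the
   * credential is gone (logout, revocation) should confirm with `getToken`.
   *
   * @param provider - Provider name whose token is removed.
   * @param bucket - Optional bucket name under the provider.
   * @plan PLAN-20260213-KEYRINGTOKENSTORE.P06
   */
  removeToken(provider: string, bucket?: string): Promise<void>;

  /**
   * Lists all unique provider names from SecureStore keys.
   * @plan PLAN-20260213-KEYRINGTOKENSTORE.P06
   */
  listProviders(): Promise<string[]>;

  /**
   * Lists all bucket names for a given provider.
   *
   * @param provider - Provider name whose buckets are listed.
   * @plan PLAN-20260213-KEYRINGTOKENSTORE.P06
   */
  listBuckets(provider: string): Promise<string[]>;

  /**
   * Returns placeholder bucket statistics if a token exists for the given bucket.
   *
   * NOTE(review): presumably resolves to `null` when no token exists; confirm.
   *
   * @param provider - Provider name.
   * @param bucket - Bucket name under the provider.
   * @plan PLAN-20260213-KEYRINGTOKENSTORE.P06
   */
  getBucketStats(provider: string, bucket: string): Promise<BucketStats | null>;

  /**
   * Acquires a filesystem-based advisory lock for token refresh.
   *
   * NOTE(review): presumably resolves to `true` when the lock was taken,
   * with `waitMs` bounding the wait and `staleMs` the age after which an
   * existing lock is treated as abandoned; confirm against `acquireLock`.
   *
   * @param provider - Provider name the lock is scoped to.
   * @param options - Optional wait and staleness limits and bucket name.
   * @plan PLAN-20260213-KEYRINGTOKENSTORE.P06
   */
  acquireRefreshLock(
    provider: string,
    options?: { waitMs?: number; staleMs?: number; bucket?: string },
  ): Promise<boolean>;

  /**
   * Releases a filesystem-based advisory lock. Idempotent.
   *
   * @param provider - Provider name the lock is scoped to.
   * @param bucket - Optional bucket name under the provider.
   * @plan PLAN-20260213-KEYRINGTOKENSTORE.P06
   */
  releaseRefreshLock(provider: string, bucket?: string): Promise<void>;

  /**
   * Acquires a filesystem-based advisory lock for interactive authentication.
   *
   * NOTE(review): return value and option semantics presumably match
   * `acquireRefreshLock`; confirm.
   *
   * @param provider - Provider name the lock is scoped to.
   * @param options - Optional wait and staleness limits and bucket name.
   * @plan project-plans/issue1652/plan.md Phase 2
   */
  acquireAuthLock(
    provider: string,
    options?: { waitMs?: number; staleMs?: number; bucket?: string },
  ): Promise<boolean>;

  /**
   * Releases the auth lock for a provider. Idempotent.
   *
   * @param provider - Provider name the lock is scoped to.
   * @param bucket - Optional bucket name under the provider.
   * @plan project-plans/issue1652/plan.md Phase 2
   */
  releaseAuthLock(provider: string, bucket?: string): Promise<void>;
}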