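/**
 * @license
 * Copyright 2025 Steven Roussey
 * SPDX-License-Identifier: Apache-2.0
 */
import type { CredentialPutOptions, ICredentialStore } from "@workglow/util";
import type { IKvStorage } from "../kv/IKvStorage";

/**
 * An {@link ICredentialStore} wrapper that starts in a locked state and defers
 * construction of the underlying {@link EncryptedKvCredentialStore} until
 * {@link unlock} is called with a passphrase.
 *
 * **Locked behavior** (before {@link unlock}):
 * - `get()` returns `undefined` (falls through in a {@link ChainedCredentialStore})
 * - `has()` returns `false`
 * - `keys()` returns `[]`
 * - `put()` throws an error
 * - `delete()` returns `false`
 * - `deleteAll()` is a no-op
 *
 * **Unlocked behavior**: all methods delegate to the inner
 * {@link EncryptedKvCredentialStore}.
 *
 * **Caveats for callers**:
 * - A locked read is indistinguishable from "credential not stored": both
 *   yield `undefined` / `false` / `[]`. Check {@link isUnlocked} first when
 *   the difference matters (for example before concluding a secret was never
 *   provisioned, or before falling through to a weaker store in a chain).
 * - `delete()` and `deleteAll()` do not fail while locked; they report
 *   `false` / do nothing. Code that revokes or wipes credentials must confirm
 *   the store is unlocked, otherwise the wipe is silently skipped.
 *
 * NOTE(review): the `Promise<...>` type arguments on the methods below were
 * absent from this listing and are restored from the locked-behavior table
 * above; confirm them against `ICredentialStore` in `@workglow/util`.
 *
 * @example
 * ```ts
 * const lazy = new LazyEncryptedCredentialStore(kvStorage);
 * await lazy.get("key"); // undefined (locked)
 *
 * await lazy.unlock("my-passphrase");
 * await lazy.get("key"); // decrypted value
 *
 * lazy.lock(); // discards inner store
 * await lazy.get("key"); // undefined again
 * ```
 */
export declare class LazyEncryptedCredentialStore implements ICredentialStore {
  private readonly kv;
  private inner;

  /**
   * Create a store in the locked state.
   *
   * @param kv - Backing key/value storage that holds the encrypted entries.
   */
  constructor(kv: IKvStorage);

  /**
   * Whether the store is currently unlocked and able to decrypt credentials.
   */
  get isUnlocked(): boolean;

  /**
   * Unlock the store by providing a passphrase. Verifies the passphrase
   * against a sentinel marker before assigning the inner store so a
   * mistyped passphrase cannot silently encrypt new entries under the
   * wrong key and diverge from existing entries.
   *
   * Behaviour by KV state:
   * - **sentinel present + correct passphrase** → unlocks.
   * - **sentinel present + wrong passphrase** → throws
   *   `Invalid passphrase for credential store.`
   * - **sentinel absent + empty KV** → first-time init: write
   *   the sentinel and unlock.
   * - **sentinel absent + non-empty KV (legacy migration)** → try to
   *   decrypt one existing row with this passphrase. Success → write
   *   the sentinel and unlock. Failure → throw (legacy rows present and
   *   the supplied passphrase cannot decrypt them, so accepting would
   *   silently fork the store).
   *
   * NOTE(review): the migration path is described as checking a single
   * existing row, so other legacy rows are presumably not verified at unlock
   * time; confirm how a later decryption failure on such a row is surfaced.
   *
   * @param passphrase - Secret used to derive the encryption key; must be
   *   non-empty.
   * @returns A promise that settles once the store is unlocked (resolved
   *   value assumed to be `void`; confirm against the implementation).
   * @throws if the passphrase is empty (`EncryptedKvCredentialStore`),
   * does not decrypt the sentinel, or fails to decrypt any existing
   * legacy row during migration.
   */
  unlock(passphrase: string): Promise<void>;

  /**
   * Lock the store, discarding the inner {@link EncryptedKvCredentialStore}
   * and its derived key cache.
   *
   * NOTE(review): dropping references does not by itself overwrite memory in
   * a JavaScript runtime; treat `lock()` as removing access through this
   * object, not as a guarantee that key material has been erased. Confirm how
   * the inner store holds its derived keys.
   */
  lock(): void;

  /**
   * Read a credential.
   *
   * @param key - Credential name.
   * @returns The decrypted value when unlocked; `undefined` while locked.
   */
  get(key: string): Promise<string | undefined>;

  /**
   * Store a credential through the inner encrypted store.
   *
   * @param key - Credential name.
   * @param value - Secret value to store.
   * @param options - Optional put options forwarded to the inner store.
   * @throws if the store is locked.
   */
  put(key: string, value: string, options?: CredentialPutOptions): Promise<void>;

  /**
   * Delete a credential.
   *
   * @param key - Credential name.
   * @returns `false` while locked; otherwise the inner store's result.
   */
  delete(key: string): Promise<boolean>;

  /**
   * Test whether a credential exists.
   *
   * @param key - Credential name.
   * @returns `false` while locked; otherwise the inner store's result.
   */
  has(key: string): Promise<boolean>;

  /**
   * List credential names.
   *
   * @returns `[]` while locked; otherwise the inner store's result. The
   *   element type is taken from the `key: string` parameters; confirm
   *   whether `ICredentialStore` declares the array as `readonly`.
   */
  keys(): Promise<string[]>;

  /**
   * Delete every credential. A no-op while locked, so callers that rely on
   * this to wipe secrets must check {@link isUnlocked} first.
   */
  deleteAll(): Promise<void>;
}
//# sourceMappingURL=LazyEncryptedCredentialStore.d.ts.map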