/**
 * @license
 * Copyright 2025 Steven Roussey <sroussey@gmail.com>
 * SPDX-License-Identifier: Apache-2.0
 */
/**
 * Options for {@link OtpPassphraseCache}.
 */
export interface OtpPassphraseCacheOptions {
    /**
     * Absolute time-to-live in milliseconds. The cache is cleared unconditionally
     * after this duration regardless of access. Default: 6 hours.
     */
    readonly hardTtlMs?: number;
    /**
     * Idle time-to-live in milliseconds. The expiry timer resets on each
     * {@link OtpPassphraseCache.retrieve} call. If both `hardTtlMs` and
     * `idleTtlMs` are set, whichever fires first wins.
     */
    readonly idleTtlMs?: number;
    /**
     * Called when the cache expires (either hard or idle TTL). Useful for
     * locking a credential store when the passphrase is no longer available.
     */
    readonly onExpiry?: () => void;
}
/**
 * XOR-masks a passphrase with a random one-time pad so the cache does not
 * retain the plaintext in its internal storage. The masked value and pad are
 * stored as `Uint8Array` instances and zeroed on {@link clear}. Plaintext may
 * still exist transiently as a JavaScript `string` when passed to
 * {@link store} or returned from {@link retrieve}.
 *
 * @example
 * ```ts
 * const cache = new OtpPassphraseCache({ hardTtlMs: 6 * 60 * 60 * 1000 });
 * cache.store("my-secret-passphrase");
 * const passphrase = cache.retrieve(); // "my-secret-passphrase"
 * cache.clear(); // zeroes buffers, fires onExpiry
 * cache.retrieve(); // undefined
 * ```
 */
export declare class OtpPassphraseCache {
    private masked;
    private pad;
    private hardTimer;
    private idleTimer;
    private readonly options;
    constructor(options?: OtpPassphraseCacheOptions);
    /**
     * Store a passphrase in the cache, XOR-masked with a random one-time pad.
     * Any previously cached passphrase is cleared first.
     */
    store(passphrase: string): void;
    /**
     * Recover the passphrase by XOR-ing masked + pad back together.
     * Returns `undefined` if the cache is empty or expired.
     * Resets the idle timer if `idleTtlMs` is configured.
     */
    retrieve(): string | undefined;
    /**
     * Whether the cache currently holds a passphrase.
     */
    get hasValue(): boolean;
    /**
     * Zeroes both buffers, clears timers, and fires the `onExpiry` callback.
     */
    clear(): void;
    private clearInternal;
    private startTimers;
    private resetIdleTimer;
}
//# sourceMappingURL=OtpPassphraseCache.d.ts.map