interface LoginResponse {
    accessToken: string;
    refreshToken: string;
    expiresIn: number;
    user: {
        id: string;
        username: string;
        role: string;
        tenantId: string | null;
    };
}
export interface CertificateMetadata {
    id: string;
    tenantId: string;
    clientId: string;
    kind: string;
    alias: string;
    certificateType: 'PEM' | 'P12' | 'DER';
    fingerprintSha256: string;
    subjectCn: string;
    issuerCn: string;
    notBefore: string;
    notAfter: string;
    status: string;
    version: number;
    daysUntilExpiry: number;
}
export interface DecryptedCertificate {
    id: string;
    certificateData: string;
    certificateType: 'PEM' | 'P12' | 'DER';
    fingerprintSha256: string;
}
export interface SecretMetadata {
    id: string;
    alias: string;
    tenantId: string;
    type: string;
    version: number;
    createdAt: string;
    updatedAt: string;
    expiresAt?: string;
    tags?: string[];
}
export interface DecryptedSecret {
    id: string;
    alias: string;
    type: string;
    version: number;
    data: Record<string, unknown>;
}
export interface ManagedApiKeyBindResponse {
    id: string;
    key: string;
    prefix: string;
    name: string;
    expiresAt: string;
    gracePeriod: string;
    graceExpiresAt?: string;
    rotationMode: 'scheduled' | 'on-use' | 'on-bind';
    permissions: string[];
    nextRotationAt?: string;
    _notice?: string;
}
/**
 * Login and get access token
 */
export declare function login(username: string, password: string): Promise<LoginResponse>;
/**
 * List certificates
 */
export declare function listCertificates(): Promise<{
    items: CertificateMetadata[];
    total: number;
}>;
/**
 * Get certificate metadata
 */
export declare function getCertificate(certId: string): Promise<CertificateMetadata>;
/**
 * Decrypt certificate (get actual cert data)
 */
export declare function decryptCertificate(certId: string, purpose: string): Promise<DecryptedCertificate>;
/**
 * Acknowledge certificate delivery (for tracking)
 */
export declare function ackDelivery(certId: string, hostname: string, version: number): Promise<void>;
/**
 * List secrets
 */
export declare function listSecrets(): Promise<{
    items: SecretMetadata[];
    total: number;
}>;
/**
 * Get secret by ID or alias
 * @param secretId - UUID or alias (e.g., "alias:db/credentials")
 */
export declare function getSecret(secretId: string): Promise<DecryptedSecret>;
/**
 * Get secret metadata only (without decrypting)
 */
export declare function getSecretMetadata(secretId: string): Promise<SecretMetadata>;
/**
 * Check vault connectivity
 */
export declare function checkHealth(): Promise<boolean>;
/**
 * Clear cached token
 */
export declare function clearToken(): void;
/**
 * Check if we have a valid cached token
 */
export declare function hasValidToken(): boolean;
/**
 * Bind to a managed API key and get the current key value
 * @param name - Managed API key name (e.g., "my-api-key")
 * @returns The current API key value
 */
export declare function bindManagedApiKey(name: string): Promise<ManagedApiKeyBindResponse>;
/**
 * API key self-info response
 */
export interface ApiKeySelfInfo {
    id: string;
    name: string;
    prefix: string;
    tenantId: string;
    permissions: string[];
    expiresAt: string;
    expiresInDays: number;
    isExpiringSoon: boolean;
    /** True if this is a managed API key with auto-rotation */
    isManaged?: boolean;
    /** Managed key name (only present if isManaged is true) */
    managedKeyName?: string;
    /** Rotation mode (only for managed keys) */
    rotationMode?: 'scheduled' | 'on-use' | 'on-bind';
    /** Next rotation time (only for managed keys) */
    nextRotationAt?: string;
    /** Grace period expiry (only for managed keys) */
    graceExpiresAt?: string;
}
/**
 * Get info about the current API key (self)
 * Also detects if the key is a managed key
 */
export declare function getApiKeySelf(): Promise<ApiKeySelfInfo>;
/**
 * Result of probing a specific API key value against the vault.
 * - 'valid':   the key authenticated successfully
 * - 'invalid': the vault explicitly rejected the key (401/403)
 * - 'unknown': the vault could not be reached or answered ambiguously
 */
export type ApiKeyProbeResult = 'valid' | 'invalid' | 'unknown';
/**
 * Probe whether a specific API key value still authenticates against the
 * vault, using the cheap authenticated self-info endpoint.
 *
 * Unlike request(), this sends an explicit key (NOT the one from loadConfig)
 * and performs a single attempt with no retries. It never throws: callers
 * use the tri-state result to decide whether a candidate key is safe to
 * persist (e.g. before auto-fixing the managed key file from a possibly
 * stale config value - see INC-2026-06-12-01).
 */
export declare function probeApiKey(key: string): Promise<ApiKeyProbeResult>;
/**
 * Bootstrap response - same format as managed key bind
 */
export interface BootstrapResponse {
    id: string;
    key: string;
    prefix: string;
    name: string;
    expiresAt: string;
    gracePeriod: string;
    graceExpiresAt?: string;
    rotationMode: 'scheduled' | 'on-use' | 'on-bind';
    permissions: string[];
    nextRotationAt?: string;
    _notice?: string;
}
/**
 * Bootstrap an agent using a one-time registration token.
 * This endpoint does NOT require authentication - the token is the auth.
 *
 * @param token - Registration token (format: zrt_<64-hex-chars>)
 * @returns Same response as managed key /bind endpoint
 */
export declare function bootstrapWithToken(token: string): Promise<BootstrapResponse>;
/**
 * Response from agent TLS certificate request/renew
 */
export interface AgentTLSCertificateResponse {
    agentTlsCertId: string;
    certificate: string;
    expiresAt: string;
    hostname?: string;
}
/**
 * Response from get agent TLS certificate
 */
export interface AgentTLSCertificateInfo {
    id: string;
    agentId: string;
    certificateId: string;
    status: 'PENDING' | 'ACTIVE' | 'SUPERSEDED' | 'REVOKED';
    issuedAt: string;
    expiresAt: string;
    activatedAt: string | null;
    certificate: {
        subjectCn: string;
        fingerprintSha256: string;
        notBefore: string;
        notAfter: string;
    } | null;
}
/**
 * Response from get agent TLS CA
 */
export interface AgentTLSCAResponse {
    caId: string;
    certificate: string;
    fingerprintSha256: string;
    subjectCn: string;
    notBefore: string;
    notAfter: string;
}
/**
 * Request a TLS certificate for this agent.
 * Requires PKI_CERT_SIGN permission.
 */
export declare function requestAgentTLSCertificate(agentId: string, options?: {
    hostname?: string;
    ipAddresses?: string[];
    validitySeconds?: number;
}): Promise<AgentTLSCertificateResponse>;
/**
 * Get current TLS certificate for this agent.
 */
export declare function getAgentTLSCertificate(agentId: string): Promise<AgentTLSCertificateInfo>;
/**
 * Renew TLS certificate for this agent.
 */
export declare function renewAgentTLSCertificate(agentId: string): Promise<AgentTLSCertificateResponse>;
/**
 * Activate TLS certificate (acknowledge receipt and installation).
 */
export declare function activateAgentTLSCertificate(agentId: string, agentTlsCertId: string): Promise<{
    activated: boolean;
    activatedAt: string;
}>;
/**
 * Get CA certificate for agent TLS verification.
 */
export declare function getAgentTLSCA(): Promise<AgentTLSCAResponse>;
export {};
//# sourceMappingURL=api.d.ts.map