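/**
 * Update managed key configuration after bind.
 * Stores the new key value and rotation metadata.
 *
 * IMPORTANT: Also updates process.env.ZNVAULT_API_KEY to ensure that
 * subsequent calls to loadConfig() return the new key, even if the
 * agent was started with the env var set (which would otherwise override
 * the config file value).
 *
 * NOTE(review): `newKey` is live credential material. Per the note above it
 * ends up in the process environment as well as in the stored config, and the
 * environment is inherited by child processes by default. Callers should keep
 * the value out of logs and error messages.
 *
 * @param newKey - The new managed API key value.
 * @param metadata - Rotation metadata stored alongside the key.
 *   `nextRotationAt` / `graceExpiresAt` are presumably timestamp strings; the
 *   exact format is not visible from this declaration - confirm in the
 *   implementation.
 */
export declare function updateManagedKey(
  newKey: string,
  metadata: {
    nextRotationAt?: string;
    graceExpiresAt?: string;
    rotationMode?: 'scheduled' | 'on-use' | 'on-bind';
  },
): void;

/**
 * Check if using managed key mode.
 */
export declare function isManagedKeyMode(): boolean;

/**
 * Result of probing a candidate key against the vault.
 * Mirrors ApiKeyProbeResult in lib/api.ts (kept structural to avoid a
 * static import cycle: api.ts -> config barrel -> managed-key.ts).
 *
 * NOTE(review): how an 'unknown' result is treated by syncManagedKeyFile is
 * not visible from this declaration; only the 'rejected by the vault' case is
 * documented there. Confirm in the implementation.
 */
export type ManagedKeyProbeResult = 'valid' | 'invalid' | 'unknown';

/**
 * Probe function signature - injectable for tests.
 *
 * Resolves to a ManagedKeyProbeResult for the given candidate key. The
 * Promise type argument is restored here; a bare `Promise` does not
 * type-check (a generic type requires its type argument).
 */
export type ManagedKeyProbe = (key: string) => Promise<ManagedKeyProbeResult>;

/**
 * Result of a managed key file sync attempt.
 *
 * `keptExistingFile` and `staleConfigValue` both indicate that the config
 * value and the on-disk key disagree; callers may want to surface them in
 * logs or alerts (without logging the key itself).
 *
 * NOTE(review): the exact semantics of `synced`, `wasOutOfSync` and `error`
 * are not documented in this declaration - confirm against the implementation
 * before branching on them.
 */
export interface ManagedKeySyncResult {
  synced: boolean;
  wasOutOfSync: boolean;
  /** Presumably set when the key file was restored from its backup - confirm in the implementation. */
  recoveredFromBackup?: boolean;
  /** The existing on-disk key was kept because the config value failed verification. */
  keptExistingFile?: boolean;
  /** The config key value was explicitly rejected by the vault (stale config). */
  staleConfigValue?: boolean;
  error?: string;
}

/**
 * Verify and sync managed key file on startup.
 * Includes backup recovery if main file is corrupted/missing.
 *
 * SAFETY (INC-2026-06-12-01): before overwriting a valid-looking on-disk key
 * with a *different* value from config, the config value is probed against
 * the vault. If the vault rejects it, the on-disk file is preserved - a
 * stale read-only system config must never clobber a working key file.
 *
 * @param options.probeKey - Injectable key probe (defaults to the vault API
 *   self-info endpoint). Tests can inject a mock.
 * @returns The outcome of the sync attempt; see ManagedKeySyncResult.
 */
export declare function syncManagedKeyFile(options?: {
  probeKey?: ManagedKeyProbe;
}): Promise<ManagedKeySyncResult>;
//# sourceMappingURL=managed-key.d.ts.map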