import type { SecretMapping, SecretFilesResult, ExtendedSecretMapping, EnvFileMapping } from './types.js'; /** * Fetch secrets and build environment variables * Handles vault secrets, literal values, and managed API keys */ export declare function buildSecretEnv(mappings: (SecretMapping & { literal?: string; })[]): Promise>; /** * Extract unique secret IDs from mappings (for WebSocket subscription) * Excludes literal values and API key references since they don't need vault subscription */ export declare function extractSecretIds(mappings: (SecretMapping & { literal?: string; })[]): string[]; /** * Extract unique API key names from mappings (for potential future renewal tracking) */ export declare function extractApiKeyNames(mappings: (SecretMapping & { literal?: string; })[]): string[]; /** * Fetch secrets and write to secure files instead of env vars * * This avoids secrets appearing in: * - Process command line arguments * - sudo logs (when using --preserve-env) * - systemd journal * * For each secret with outputToFile=true: * - Writes value to /run/zn-vault-agent/secrets/ * - Sets _FILE=/run/zn-vault-agent/secrets/ in env * * For secrets with outputToFile=false (default): * - Sets = in env (traditional behavior) */ export declare function buildSecretEnvWithFiles(mappings: ExtendedSecretMapping[]): Promise; /** * Mark specific environment variable names as requiring file output * These are typically sensitive values that shouldn't appear in logs */ export declare const SENSITIVE_ENV_VARS: Set; /** * Check if an environment variable name is considered sensitive */ export declare function isSensitiveEnvVar(name: string): boolean; /** * Build environment variables from env file secrets * Each env file secret should contain key-value pairs that become env vars * Later mappings override earlier ones */ export declare function buildEnvFromEnvFiles(mappings: EnvFileMapping[]): Promise>; /** * Extract unique secret IDs from env file mappings (for WebSocket subscription) */ export declare function extractEnvFileSecretIds(mappings: EnvFileMapping[]): string[]; //# sourceMappingURL=builder.d.ts.map