import { BunRequest } from "../core/request";
import type { BunResponse } from "../core/response";

// Generic type arguments in this listing are restored from the doc comments and
// overload pairs; Record<string, unknown> for payloads is an assumption.

export type TokenPair = {
    accessToken: string;
    refreshToken: string;
};

export interface VaultEntry {
    familyId: string;
    sub: string;
    exp: number;
    payload: Record<string, unknown>;
}

export interface VaultStore {
    /** Persist a newly issued refresh token entry. */
    set(jti: string, entry: VaultEntry): Promise<void>;
    /**
     * Atomically consume a token entry.
     * Returns the entry if valid (first use).
     * Returns null if the jti is unknown or was already revoked via revokeFamily.
     * Returns false if the jti was already consumed (reuse attack signal).
     */
    consume(jti: string): Promise<VaultEntry | null | false>;
    /** Revoke all tokens belonging to a family (breach response / logout-all). */
    revokeFamily(familyId: string): Promise<void>;
}

export interface CookieConfig {
    name: string;
    httpOnly?: boolean;
    secure?: boolean;
    sameSite?: "strict" | "lax" | "none";
    path?: string;
    domain?: string;
}

export interface TokenVaultOptions {
    accessSecret: string;
    refreshSecret: string;
    accessExpiresIn: number;
    refreshExpiresIn: number;
    store?: VaultStore;
    cookie?: CookieConfig;
    /** Called with the affected family when a consumed refresh token is presented again. */
    onReuse?: (familyId: string, req?: BunRequest) => Promise<void> | void;
}

export interface TokenVault {
    // Each operation has two overloads: one working on raw token strings,
    // one working on a request/response pair.
    issue(payload: Record<string, unknown>): Promise<TokenPair>;
    issue(payload: Record<string, unknown>, res: BunResponse): Promise<{
        accessToken: string;
    }>;
    rotate(token: string): Promise<TokenPair>;
    rotate(req: BunRequest, res: BunResponse): Promise<{
        accessToken: string;
    }>;
    revoke(token: string): Promise<void>;
    revoke(req: BunRequest, res: BunResponse): Promise<void>;
    revokeAll(familyId: string): Promise<void>;
}

export declare class VaultMemoryStore implements VaultStore {
    private tokens;
    private consumed;
    private sweepInterval;
    constructor();
    private sweep;
    set(jti: string, entry: VaultEntry): Promise<void>;
    consume(jti: string): Promise<VaultEntry | null | false>;
    revokeFamily(familyId: string): Promise<void>;
    /** Stop the background GC sweep and release the timer (e.g. in test teardown). */
    dispose(): void;
    size(): number;
    consumedCount(): number;
    clear(): void;
}

export declare function tokenVault(options: TokenVaultOptions): TokenVault;
//# sourceMappingURL=token-vault.d.ts.map
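
// Added example (not part of this package's code): a synchronous sketch of the three-way
// consume() contract documented above and of how a rotation step can act on each result.
// SketchStore, Claims, rotate and demo are hypothetical names; the real VaultStore is
// Promise-based, and the claims are assumed to come from an already verified refresh token.

```typescript
type Entry = { familyId: string; sub: string; exp: number };
type Claims = { jti: string; familyId: string };
type Outcome = "rotated" | "rejected" | "reuse-detected";

class SketchStore {
  private live = new Map<string, Entry>();
  private consumed = new Map<string, string>(); // spent jti -> familyId

  set(jti: string, entry: Entry): void { this.live.set(jti, entry); }

  // Entry on first use, false on replay of a spent jti, null if unknown or revoked.
  consume(jti: string): Entry | null | false {
    const entry = this.live.get(jti);
    if (!entry) return this.consumed.has(jti) ? false : null;
    this.live.delete(jti);
    this.consumed.set(jti, entry.familyId);
    return entry;
  }

  // Drop live and spent records alike, so every jti of the family now yields null.
  revokeFamily(familyId: string): void {
    this.live.forEach((e, jti) => { if (e.familyId === familyId) this.live.delete(jti); });
    this.consumed.forEach((fam, jti) => { if (fam === familyId) this.consumed.delete(jti); });
  }
}

// One rotation step: the presented jti is spent and nextJti joins the same family.
function rotate(store: SketchStore, claims: Claims, nextJti: string): Outcome {
  const result = store.consume(claims.jti);
  if (result === false) {
    // A spent token came back: the legitimate holder and a copy both exist,
    // so the whole family is revoked rather than just this jti.
    store.revokeFamily(claims.familyId);
    return "reuse-detected";
  }
  if (result === null) return "rejected";
  store.set(nextJti, result);
  return "rotated";
}

// Constructed sample sequence: normal rotation, replay of t1, then the newer t2.
function demo(): Outcome[] {
  const store = new SketchStore();
  const fam = "fam-1";
  store.set("t1", { familyId: fam, sub: "user-1", exp: 0 });
  return [
    rotate(store, { jti: "t1", familyId: fam }, "t2"),
    rotate(store, { jti: "t1", familyId: fam }, "t3"),
    rotate(store, { jti: "t2", familyId: fam }, "t4"),
    rotate(store, { jti: "t1", familyId: fam }, "t5"),
  ];
}
```

// After the replay is detected, the newer token t2 is rejected as well: both parties must
// re-authenticate, which is the point of tracking tokens by family.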