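/**
 * Aggregate-only telemetry events the CLI may send to the backend when the
 * user has explicitly opted in via `.cdk-insights.json -> telemetry.enabled`.
 *
 * Privacy posture (Phase 1):
 *   - Off by default. Never enabled implicitly — only when the config flag
 *     is explicitly true.
 *   - License IDs are sha256-hashed before transmission so the backend can
 *     count unique customers without being able to reverse-map to a key.
 *   - No resource names, file paths, construct paths, code, or fingerprints
 *     ever leave the machine. Only severity counts, rule-id histograms,
 *     and timing.
 *   - Calls are fire-and-forget with a hard 1.5s timeout — telemetry must
 *     never block, slow, or fail a user-facing run.
 *
 * NOTE(review): a plain SHA-256 of a license key is a stable pseudonymous
 * identifier, not an anonymous one. Any party holding the list of issued
 * keys can recompute the digests and match them, so the "cannot reverse-map"
 * property holds only against parties without that list. Whether the
 * implementation salts or keys the hash is not visible in this declaration
 * file — confirm, and treat stored digests with the same access controls as
 * a customer identifier.
 */
export interface BaselineWrittenEvent {
  /** Discriminant tag for the `TelemetryEvent` union. */
  type: 'baseline_written';
  totalFindings: number;
  severityCounts: SeverityCounts;
  /**
   * Map of `ruleId -> count` for every issue captured. Rule IDs only
   * (`AwsSolutions-S10`, `CDKI-S3-ENCRYPTION`, etc.) — no resource
   * identifiers. Top-N capped server-side; we send the full histogram.
   */
  ruleHistogram: Record<string, number>;
  uniqueServices: number;
}

export interface DiffRunEvent {
  /** Discriminant tag for the `TelemetryEvent` union. */
  type: 'diff_run';
  newFindings: number;
  existingSuppressed: number;
  newSeverities: SeverityCounts;
  /** ISO 8601 of the baseline's generatedAt — lets us compute baseline age server-side. */
  baselineGeneratedAt?: string;
  /** True if --failOnCritical fired (i.e. exit code 1). */
  failedOnCritical: boolean;
}

export interface FixRunEvent {
  /** Discriminant tag for the `TelemetryEvent` union. */
  type: 'fix_run';
  mode: 'dry-run' | 'apply';
  applied: number;
  skipped: number;
  errored: number;
  /** Map of `ruleId -> apply count` for the rules the run touched. */
  rulesFixed: Record<string, number>;
  /**
   * Optional rule filter the user passed via --rule.
   *
   * NOTE(review): this is free-form CLI input typed as a bare `string`.
   * Nothing in this declaration constrains it to a rule id, so a mistyped
   * argument (a path, a resource name) would be carried in the event as-is,
   * which would contradict the "rule IDs only" posture of this module.
   * Confirm the sender validates it against the known rule-id format, or
   * drops values that do not match, before transmission.
   */
  ruleFilter?: string;
}

/** Every event shape this module can send, discriminated on `type`. */
export type TelemetryEvent = BaselineWrittenEvent | DiffRunEvent | FixRunEvent;

/** Finding counts keyed by the four severity levels. */
export interface SeverityCounts {
  CRITICAL: number;
  HIGH: number;
  MEDIUM: number;
  LOW: number;
}

interface RecordEventInput {
  /** Opt-in flag; the event is dropped unless this is exactly `true`. */
  enabled: boolean;
  /**
   * Raw license key. Per the module header only its sha256 digest is meant
   * to be transmitted; the raw value should stay on the machine.
   */
  licenseKey?: string;
  /**
   * NOTE(review): this is a credential, and its use is not visible in this
   * declaration file. Confirm it is sent only as request authentication over
   * TLS, is never part of the event payload, and is never written to logs on
   * the silent-drop paths.
   */
  authToken?: string;
  tier?: string;
  event: TelemetryEvent;
}

/**
 * Best-effort send. Returns immediately; never throws. Drops the event
 * silently when:
 *   - the user has not opted in (`enabled !== true`)
 *   - no license key is available (free tier without an account — we have
 *     nothing to hash, so we don't synthesise an anonymous id either)
 *   - the network call exceeds the timeout
 *   - the backend returns an error
 *
 * In all of these cases the user's run continues unaffected.
 *
 * @returns A promise carrying no result value.
 *   NOTE(review): the type argument is taken to be `void` because the
 *   contract above describes no result — confirm against the implementation.
 */
export declare const recordTelemetryEvent: ({
  enabled,
  licenseKey,
  authToken,
  tier,
  event,
}: RecordEventInput) => Promise<void>;

/**
 * Build a severity-count object from a record of issue groups. Used by
 * the analyse and fix wirings; lives here to keep the recordTelemetryEvent
 * call sites tiny.
 *
 * NOTE(review): `severity` is an optional free-form string here; how a
 * missing value or one outside the four `SeverityCounts` keys is counted is
 * not visible in this declaration file — confirm against the implementation.
 */
export declare const buildSeverityCounts: (
  issues: Array<{
    severity?: string;
  }>,
) => SeverityCounts;

export {};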