import { promises as fs } from "node:fs";
/**
 * Result of secure path resolution.
 */
export type SecurePathResult = {
    /** Resolved real path (symlinks followed) */
    realPath: string;
    /** The allowed base directory that contains this path */
    allowedBase: string;
};
/**
 * Securely resolves a path, following symlinks and verifying containment.
 *
 * Addresses symlink following attacks by:
 * 1. Resolving all symlinks using fs.realpath()
 * 2. Checking containment against the real paths
 *
 * @param allowedDirs - Directories the path is allowed to be within
 * @param target - The target path to resolve
 * @returns The resolved real path and the base directory it's within
 * @throws Error if path is outside allowed directories or doesn't exist
 */
export declare function pathResolveSecure(allowedDirs: string[], target: string): Promise<SecurePathResult>;
/**
 * Synchronous version that checks if a path would be within allowed dirs.
 * Does NOT resolve symlinks - use only when you've already resolved.
 */
export declare function isWithinSecure(base: string, target: string): boolean;
/**
 * Opens a file handle securely with O_NOFOLLOW semantics.
 * This prevents TOCTOU attacks by atomically opening without following symlinks.
 *
 * @param filePath - Path to open
 * @param flags - File system flags (e.g., "r", "w", "a")
 * @returns File handle
 */
export declare function openSecure(filePath: string, flags: string): Promise<fs.FileHandle>;
//# sourceMappingURL=pathResolveSecure.d.ts.map