import type { ProviderId } from './types.js';
export type SecretName = 'DEEPSEEK_API_KEY' | 'TAVILY_API_KEY' | 'SMTP_USER' | 'SMTP_PASSWORD' | 'SMTP_PROVIDER' | 'SMTP_FROM_NAME' | 'SMTP_HOST' | 'SMTP_PORT';
export interface SecretDefinition {
    id: SecretName;
    label: string;
    description: string;
    envVar: SecretName;
    providers: ProviderId[];
}
export declare class MissingSecretError extends Error {
    readonly secret: SecretDefinition;
    constructor(secret: SecretDefinition);
}
export declare function listSecretDefinitions(): SecretDefinition[];
export declare function getSecretDefinition(id: SecretName): SecretDefinition | null;
export declare function getSecretValue(id: SecretName): string | null;
/**
 * Load all stored secrets into process.env at startup.
 * This ensures secrets are available before any provider checks.
 *
 * IMPORTANT: Stored secrets always take precedence over environment variables
 * for provider API keys. This ensures keys set via /secrets are used even if
 * the user has old/stale keys exported in their shell environment.
 */
export declare function loadAllSecrets(): void;
export declare function setSecretValue(id: SecretName, rawValue: string): void;
export declare function maskSecret(value: string): string;
export declare function ensureSecretForProvider(provider: ProviderId): string;
export declare function getSecretDefinitionForProvider(provider: ProviderId): SecretDefinition | null;
/**
 * Sanitize error messages to remove potential API keys and secrets.
 * This prevents accidental token leakage in logs, error reports, and console output.
 *
 * @param message - The error message or string to sanitize
 * @returns The sanitized string with secrets replaced by [REDACTED]
 */
export declare function sanitizeErrorMessage(message: string): string;
/**
 * Sanitize an Error object's message and stack trace.
 * Returns a new error message string with secrets removed.
 */
export declare function sanitizeError(error: Error): string;
/**
 * Create a safe error message from an unknown error value.
 * Ensures no secrets are leaked regardless of error type.
 */
export declare function safeErrorMessage(error: unknown): string;
//# sourceMappingURL=secretStore.d.ts.map