import type { AesGcmJsonWire } from "./helpers/types.js";
/**
 * AES-GCM encrypt (128-bit tag). Ciphertext layout matches Web Crypto `AES-GCM`
 * (`ciphertext || tag`). Delegates to {@link aesGcmEncryptSync}.
 *
 * @param nonce IV/nonce; use {@link AES_GCM_NONCE_LENGTH} bytes when possible (minimum 8).
 * @param key Raw AES key: 16, 24, or 32 bytes.
 * @param plaintext Plaintext.
 * @param aad Optional AAD; must match on decrypt.
 * @returns `Uint8Array` ciphertext with tag appended.
 * @throws {Error} Invalid key length, nonce shorter than 8 bytes, or cipher failure.
 */
export declare function aesGcmEncrypt(nonce: Uint8Array, key: Uint8Array, plaintext: Uint8Array, aad?: Uint8Array): Promise<Uint8Array>;
/**
 * AES-GCM encrypt (128-bit tag); same output layout as Web Crypto `AES-GCM`.
 *
 * @param nonce IV/nonce (≥ 8 bytes; {@link AES_GCM_NONCE_LENGTH} recommended).
 * @param key Raw AES key (16, 24, or 32 bytes).
 * @param plaintext Plaintext.
 * @param aad Optional AAD.
 * @returns Ciphertext with tag appended.
 * @throws {Error} Invalid key or nonce length, or cipher failure.
 */
export declare function aesGcmEncryptSync(nonce: Uint8Array, key: Uint8Array, plaintext: Uint8Array, aad?: Uint8Array): Uint8Array;
/**
 * AES-GCM decrypt and verify. Delegates to {@link aesGcmDecryptSync}.
 *
 * @param nonce Same as encrypt.
 * @param key Same as encrypt.
 * @param ciphertext Ciphertext including 128-bit tag.
 * @param aad Same AAD as encrypt, if any.
 * @returns Plaintext.
 * @throws {Error} Invalid inputs, auth failure, or decrypt failure.
 */
export declare function aesGcmDecrypt(nonce: Uint8Array, key: Uint8Array, ciphertext: Uint8Array, aad?: Uint8Array): Promise<Uint8Array>;
/**
 * AES-GCM decrypt and verify (`ciphertext` includes tag).
 *
 * @param nonce Same as encrypt.
 * @param key Same as encrypt.
 * @param ciphertext Ciphertext including tag.
 * @param aad Same optional AAD as encrypt.
 * @returns Plaintext.
 * @throws {Error} Invalid inputs or authentication failure.
 */
export declare function aesGcmDecryptSync(nonce: Uint8Array, key: Uint8Array, ciphertext: Uint8Array, aad?: Uint8Array): Uint8Array;
/**
 * AES-128-GCM over `JSON.stringify(data)` with a passphrase string. Key bytes come from
 * {@link aes128StringKeyMaterial} (`padEnd(16)` then UTF-8; must be 16 bytes). Random
 * {@link AES_GCM_NONCE_LENGTH}-byte nonce per call. Returns lowercase hex: `nonce || ct||tag`.
 *
 * @param data Any `JSON.stringify` input.
 * @param key Passphrase (see {@link aes128StringKeyMaterial} constraints).
 * @returns Lowercase hex wire string.
 * @throws {Error} Invalid key material or encrypt failure.
 */
export declare function encryptObjectAes128GcmJsonHex(data: unknown, key: string): string;
/**
 * Inverse of {@link encryptObjectAes128GcmJsonHex}: hex → nonce + ciphertext||tag, then
 * `JSON.parse` on UTF-8 plaintext. Narrow the return type at the call site.
 *
 * @param hex Wire from {@link encryptObjectAes128GcmJsonHex} (hex as accepted by {@link hexToBuffer}).
 * @param key Same passphrase as encrypt.
 * @returns Parsed JSON (`unknown`).
 * @throws {Error} Invalid input or auth failure.
 * @throws {SyntaxError} Invalid JSON in plaintext after decrypt.
 */
export declare function decryptObjectAes128GcmJsonHex(hex: string, key: string): unknown;
/**
 * AES-256-GCM over `JSON.stringify(data)` with random 32-byte key. Wire: {@link AesGcmJsonWire}
 * (Base64 `iv`/`stream`, unpadded Base64url `key`).
 *
 * @param data Any `JSON.stringify` input.
 * @param nonceByteLength Nonce size in bytes; default {@link AES_GCM_NONCE_LENGTH} (8–{@link AES_GCM_ENVELOPE_NONCE_MAX_LENGTH}).
 * @returns Serializable envelope.
 * @throws {Error} Invalid `nonceByteLength`, key or nonce length, encrypt failure, or `JSON.stringify` failure.
 */
export declare function encryptJsonAes256GcmSync(data: unknown, nonceByteLength?: number): AesGcmJsonWire;
/** Async {@link encryptJsonAes256GcmSync}. */
export declare function encryptJsonAes256Gcm(data: unknown, nonceByteLength?: number): Promise<AesGcmJsonWire>;
/**
 * Decrypts {@link AesGcmJsonWire} from {@link encryptJsonAes256GcmSync}. Verifies GCM tag, then
 * `JSON.parse` on UTF-8 plaintext.
 *
 * @param wire Envelope ({@link AesGcmJsonWire}).
 * @returns Parsed JSON (`unknown`).
 * @throws {Error} Bad encoding, lengths, or auth failure.
 * @throws {SyntaxError} Invalid JSON in plaintext after decrypt.
 */
export declare function decryptJsonAes256GcmSync(wire: AesGcmJsonWire): unknown;
/** Async {@link decryptJsonAes256GcmSync}. */
export declare function decryptJsonAes256Gcm(wire: AesGcmJsonWire): Promise<unknown>;
//# sourceMappingURL=aes-gcm.d.ts.map