import type { Database as DatabaseType } from "better-sqlite3";
import type { ConfigRepo } from "../repositories/config.repo.js";
import type { SensitiveAccessRequest } from "../types.js";
export interface SensitiveLock {
    type: string;
    id: number;
}
export interface SensitiveKeyEntry {
    type: string;
    ids: number[];
}
export declare class SensitiveDataService {
    private config;
    private db;
    constructor(config: ConfigRepo, db: DatabaseType);
    /**
     * Get all currently locked sensitive keys.
     * Returns a map of type → Set<id>.
     */
    getLockedKeys(): Map<string, Set<number>>;
    /**
     * Save the locked keys map back to config.
     */
    private saveLockedKeys;
    /**
     * Lock specific records as sensitive (requires human/owner action).
     * Locked items are not visible to cross-instance queries.
     */
    lockRecords(type: string, ids: number[]): {
        locked: number;
    };
    /**
     * Unlock specific records (remove sensitivity lock).
     */
    unlockRecords(type: string, ids: number[]): {
        unlocked: number;
    };
    /**
     * Check if a specific record is locked as sensitive.
     */
    isLocked(type: string, id: number): boolean;
    /**
     * Get all locked record IDs for a given type.
     */
    getLockedIds(type: string): number[];
    /**
     * Filter out sensitive records from a result set.
     * Used by cross-instance queries to remove locked items before returning.
     */
    filterSensitive(type: string, records: Record<string, unknown>[]): Record<string, unknown>[];
    /**
     * Get a summary of all locked items across all types.
     */
    getSummary(): {
        type: string;
        count: number;
        ids: number[];
    }[];
    /**
     * Create an access request from a remote instance wanting to view
     * sensitive data. The request stays "pending" until approved/denied.
     */
    createAccessRequest(requesterInstanceId: string, requesterLabel: string | null, targetType: string, targetIds: number[], reason: string | null): SensitiveAccessRequest;
    /**
     * Approve an access request (human action).
     * This unlocks the requested records for the requester.
     */
    approveRequest(requestId: number, resolvedBy?: string): SensitiveAccessRequest | null;
    /**
     * Deny an access request (human action).
     */
    denyRequest(requestId: number, resolvedBy?: string): SensitiveAccessRequest | null;
    /**
     * Get a specific access request by ID.
     */
    getRequest(requestId: number): SensitiveAccessRequest | null;
    /**
     * List access requests, optionally filtered by status.
     */
    listRequests(status?: "pending" | "approved" | "denied"): SensitiveAccessRequest[];
    /**
     * Check if a specific access request has been approved.
     * Used by cross-instance queries to check if locked data can be accessed.
     */
    isAccessApproved(requesterInstanceId: string, targetType: string, targetIds: number[]): boolean;
}
//# sourceMappingURL=sensitive-data.service.d.ts.map