//#region src/index.d.ts
/**
 * Options for customizing the sealing and unsealing process.
 */
interface SealOptions {
  /**
   * Additional Associated Data (AAD) to be authenticated but not encrypted.
   * This can be used to bind the ciphertext to a specific context.
   */
  aad?: Record<string, unknown>;
  /**
   * The number of iterations to use for the PBKDF2 key derivation function.
   * A higher number increases security but also increases the time it takes to seal/unseal.
   * @default 600_000
   */
  iterations?: number;
  /**
   * A function to encode the input data into a Uint8Array before encryption.
   * @default // A function that handles JSON-serializable data.
   */
  encode?: (data: unknown) => Uint8Array | Promise<Uint8Array>;
  /**
   * A function to decode a Uint8Array back into the original data format after decryption.
   * @default // A function that parses a UTF-8 string as JSON.
   */
  decode?: (data: Uint8Array<ArrayBuffer>) => unknown | Promise<unknown>;
}
/**
 * Default options for the seal and unseal operations.
 */
declare const defaults: Readonly<Required<Omit<SealOptions, 'aad'>>>;
/**
 * Generates a `CryptoKey` from a password string for use in key derivation.
 * The key is suitable for use with PBKDF2.
 *
 * @param password The password to derive the key from.
 * @returns A promise that resolves to a `CryptoKey`.
 */
declare function generateKey(password: string): Promise<CryptoKey>;
/**
 * Encrypts and authenticates data using a password-derived key.
 * This process uses a Key-Wrapping mechanism (AES-KW) with a Data Encryption Key (DEK)
 * and AES-GCM for the actual encryption.
 *
 * @param key The master `CryptoKey` derived from a password, used as a Key Encryption Key (KEK).
 * @param data The data to be encrypted. Must be serializable by the `encode` function.
 * @param options Optional settings to customize the sealing process.
 * @returns A promise that resolves to a base64url-encoded string representing the sealed data.
 */
declare function seal(key: CryptoKey, data: unknown, {
  aad: custom,
  iterations: it,
  encode
}?: SealOptions): Promise<string>;
/**
 * Decrypts and authenticates data that was sealed with the `seal` function.
 * It performs the operations in reverse, unwrapping the DEK and then decrypting the ciphertext.
 * This function is time-safe; it takes a similar amount of time to execute whether
 * the decryption is successful or not, which helps prevent timing attacks.
 *
 * @param key The master `CryptoKey` that was used to seal the data.
 * @param sealed The base64url-encoded string from the `seal` function.
 * @param options Optional settings to customize the unsealing process. Must match the options used for sealing.
 * @returns A promise that resolves with the decrypted data, or `undefined` if decryption or authentication fails for any reason.
 */
declare function unseal(key: CryptoKey, sealed: string, {
  aad: custom,
  iterations: it,
  encode,
  decode
}?: SealOptions): Promise<unknown>;
/**
 * A manager class that encapsulates a base key and provides convenience methods
 * for sealing and unsealing data.
 */
declare class CryptoManager {
  #private;
  /**
   * Creates a new CryptoManager instance with a pre-existing CryptoKey.
   * @param baseKey The master `CryptoKey` to be used for all operations.
   * @param options Default `SealOptions` to apply to all seal/unseal operations.
   */
  constructor(baseKey: CryptoKey, options?: SealOptions);
  /**
   * Creates a new `CryptoManager` instance by deriving a key from a password.
   *
   * @param password The password to generate the key from.
   * @param options Default `SealOptions` to apply to all seal/unseal operations.
   * @returns A promise that resolves to a new `CryptoManager` instance.
   */
  static fromPassword(password: string, options?: SealOptions): Promise<CryptoManager>;
  /**
   * Seals data using the manager's internal base key and default options.
   *
   * @param data The data to seal.
   * @param options Options to override the manager's default seal options for this operation.
   * @returns A promise that resolves to the sealed data string.
   */
  seal(data: unknown, options?: SealOptions): Promise<string>;
  /**
   * Unseals data using the manager's internal base key and default options.
   *
   * @param data The sealed data string to unseal.
   * @param options Options to override the manager's default unseal options for this operation.
   * @returns A promise that resolves with the decrypted data, or `undefined` on failure.
   */
  unseal(data: string, options?: SealOptions): Promise<unknown>;
}
//#endregion
export { CryptoManager, SealOptions, defaults, generateKey, seal, unseal };