/**
 * Secret redaction — the single source of truth for scrubbing provider API keys
 * and other credentials out of EVERY server output channel.
 *
 * mcp-security "Secret Confinement Across All Output Paths" requires that a key
 * read for an LLM call never appears in a tool result, telemetry event, log line,
 * or written artifact — extending mcp-quality's error-text sanitization to all
 * channels. This module backs both `sanitizeMcpError` (error text) and the deep
 * `redactSecrets` walker used on structured payloads (telemetry, echoed config).
 *
 * Kept dependency-free so any layer (utils, telemetry, logger) can import it
 * without an import cycle.
 */
/** Redact credential-shaped substrings from a single string. */
export declare function redactSecretString(s: string): string;
/**
 * Deep-redact a value before it leaves the server on a non-error channel:
 * - strings → credential-shaped substrings replaced;
 * - object fields whose KEY name denotes a secret → value replaced with `[REDACTED]`;
 * - arrays/objects → walked recursively.
 * Returns a redacted copy; the input is not mutated. Cycle-safe.
 */
export declare function redactSecrets<T>(value: T, _seen?: WeakSet<object>): T;
//# sourceMappingURL=secret-redaction.d.ts.map