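/**
 * MCP Security - Authentication, authorization, and rate limiting
 *
 * Provides security policies for MCP servers.
 *
 * This file contains declarations only; the enforcement logic lives in the
 * implementation module. Review notes below marked NOTE(review) point at
 * behaviour that cannot be confirmed from the declarations alone.
 *
 * NOTE(review): the generic type arguments on `Promise` and `Record` were not
 * recoverable from this listing (bare `Promise` / `Record` do not compile).
 * They are restored below with the widest or most evident type; confirm each
 * against the implementation.
 */

/**
 * Security policy type
 */
export type SecurityPolicyType = 'allow' | 'deny' | 'authenticate' | 'rate-limit';

/**
 * Authentication method
 *
 * NOTE(review): how a policy with method 'none' is evaluated is not visible
 * here; confirm it cannot be used to mark a request as authenticated.
 */
export type AuthMethod = 'none' | 'api-key' | 'bearer' | 'basic' | 'oauth';

/**
 * Rate limit config
 */
export interface RateLimitConfig {
  /** Requests per window */
  requests: number;
  /** Window duration in ms */
  windowMs: number;
  /**
   * Key function to identify client.
   *
   * The returned string selects the rate-limit bucket. If it is derived from
   * a value the client controls (for example an unauthenticated header), the
   * client can change that value to obtain a fresh bucket, so prefer an
   * authenticated identity or a transport-level address.
   */
  // `any` is kept so that existing callbacks which read request fields directly still type-check.
  // eslint-disable-next-line @typescript-eslint/no-explicit-any
  keyFn?: (request: any) => string;
}

/**
 * Security policy
 */
export interface SecurityPolicy {
  id: string;
  name: string;
  type: SecurityPolicyType;
  /**
   * Paths/methods this applies to.
   *
   * NOTE(review): whether `path` is matched exactly, by prefix or as a pattern
   * is not visible here; confirm before relying on it to protect a subtree.
   */
  match?: {
    path?: string;
    method?: string;
  };
  /** Auth config */
  auth?: {
    method: AuthMethod;
    // NOTE(review): resolved type not recoverable from this listing; `unknown`
    // accepts any validator. Confirm what the implementation expects back and
    // how a rejected token must be signalled.
    validate?: (token: string) => Promise<unknown>;
  };
  /** Rate limit config */
  rateLimit?: RateLimitConfig;
  /**
   * Priority (higher = first).
   *
   * NOTE(review): the ordering used when `priority` is omitted is not visible here.
   */
  priority?: number;
}

/**
 * Security context
 */
export interface SecurityContext {
  authenticated: boolean;
  userId?: string;
  roles?: string[];
  permissions?: string[];
  // NOTE(review): value type not recoverable from this listing; `unknown` forces readers to narrow.
  metadata?: Record<string, unknown>;
}

/**
 * Security result
 */
export interface SecurityResult {
  allowed: boolean;
  reason?: string;
  context?: SecurityContext;
}

/**
 * MCPSecurity - Security manager for MCP servers
 *
 * The `private` members below are private at the type level only. TypeScript
 * erases the modifier, so other code in the same process can still read the
 * stored API keys at runtime.
 */
export declare class MCPSecurity {
  readonly id: string;
  private policies;
  private apiKeys;
  private rateLimits;
  private logging;

  /**
   * @param config - Optional initial policies, API keys and logging flag.
   *
   * NOTE(review): confirm that enabling `logging` never writes API keys or
   * bearer tokens to the log.
   */
  constructor(config?: {
    policies?: SecurityPolicy[];
    apiKeys?: string[];
    logging?: boolean;
  });

  /**
   * Add API key
   */
  addApiKey(key: string): void;

  /**
   * Remove API key
   */
  removeApiKey(key: string): boolean;

  /**
   * Add security policy
   */
  addPolicy(policy: SecurityPolicy): void;

  /**
   * Remove policy
   */
  removePolicy(id: string): boolean;

  /**
   * Check request against security policies.
   *
   * `clientId` is supplied by the caller; when it is used as a rate-limit key
   * it should come from an identity the server has verified rather than from
   * the request body or headers as sent.
   *
   * NOTE(review): the outcome when no policy matches (allow or deny) is not
   * visible here; confirm the default is the one the deployment expects.
   */
  check(request: {
    path?: string;
    method?: string;
    // NOTE(review): presumably string-valued headers — confirm.
    headers?: Record<string, string>;
    clientId?: string;
  }): Promise<SecurityResult>; // NOTE(review): presumably resolves to SecurityResult — confirm.

  /**
   * Validate API key
   *
   * NOTE(review): the comparison method is not visible here; confirm the
   * implementation does not leak key contents through timing.
   */
  validateApiKey(key: string): boolean;

  /**
   * Extract token from headers
   *
   * NOTE(review): which header names are read, and whether the lookup is
   * case-insensitive, is not visible here.
   *
   * @returns The token, or `null` when none is found.
   */
  extractToken(headers: Record<string, string>): string | null;

  /**
   * Check rate limit
   */
  checkRateLimit(clientId: string, config: RateLimitConfig): boolean;

  /**
   * Get rate limit remaining
   */
  getRateLimitRemaining(clientId: string, config: RateLimitConfig): number;

  /**
   * Match policy against request
   */
  private matchPolicy;

  /**
   * Evaluate policy
   */
  private evaluatePolicy;

  /**
   * Clear rate limits
   */
  clearRateLimits(): void;

  /**
   * Get stats
   *
   * Exposes counts only; no key material appears in the declared return type.
   */
  getStats(): {
    policyCount: number;
    apiKeyCount: number;
    rateLimitEntries: number;
  };
}

/**
 * Create security instance
 *
 * Unlike the constructor's config, this config type has no `logging` field.
 */
export declare function createMCPSecurity(config?: {
  policies?: SecurityPolicy[];
  apiKeys?: string[];
}): MCPSecurity;

/**
 * Create API key authentication policy
 *
 * @param name - Policy name.
 * @param validate - Optional custom key validator.
 *
 * NOTE(review): the validator's resolved type was not recoverable from this
 * listing, and the behaviour when `validate` is omitted is not visible here.
 */
export declare function createApiKeyPolicy(
  name: string,
  validate?: (key: string) => Promise<unknown>,
): SecurityPolicy;

/**
 * Create rate limit policy
 *
 * @param name - Policy name.
 * @param requests - Requests allowed per window.
 * @param windowMs - Window duration in ms.
 */
export declare function createRateLimitPolicy(
  name: string,
  requests: number,
  windowMs: number,
): SecurityPolicy;

export default MCPSecurity;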