import { type Ed25519Keypair } from "./crypto.js";
/**
 * Minimal backend interface for credential reads/writes. Swappable so
 * tests can inject a controlled in-memory store without touching the OS
 * keyring (which is shared with the developer's own credentials).
 *
 * Errors thrown by `read`/`write`/`delete` signal "backend unavailable on
 * this platform" — callers fall back to the file store on first failure.
 * Returning `undefined` from `read` means "no such entry" (a normal,
 * non-error condition).
 */
export interface KeyStoreBackend {
    read(service: string, account: string): Promise<string | undefined>;
    write(service: string, account: string, value: string): Promise<void>;
    delete(service: string, account: string): Promise<boolean>;
}
/** Test-only: swap (or clear with `null`) the keyring backend. */
export declare function _setKeyStoreBackendForTest(backend: KeyStoreBackend | null): void;
/**
 * Returns the Pi-secret Ed25519 keypair, generating + persisting one on
 * first call. Resolution order:
 *   1. New keyring service `dev.remotepi.pi`
 *   2. Old keyring service `dev.remotepi.mac` (migrate → step 1, delete old)
 *   3. File `~/.pi/remote/identity.json` (headless-Linux fallback)
 *   4. Generate a fresh keypair + persist to the first available backend
 *
 * Idempotent: subsequent calls return the same identity. The migration
 * runs at most once per machine (the old entry is deleted after copy).
 */
export declare function getOrCreateEd25519Keypair(): Promise<Ed25519Keypair>;
export interface PeerRecord {
    name: string;
    remote_epk: string;
    paired_at: string;
}
export declare function listPeers(): Promise<PeerRecord[]>;
export declare function addPeer(record: PeerRecord): Promise<void>;
/**
 * Returns the set of distinct `remote_epk` values in peers.json.
 *
 * In the current pairing model (plan/23 + plan/24), each `remote_epk` is the
 * Owner's Ed25519 pubkey — and we treat each as a distinct Owner the Pi has
 * been paired with. Used by the mesh self-revoke poller (plan/24 Wave 3) to
 * know which Owners' mesh blobs to fetch.
 */
export declare function listOwnerPubkeys(): Promise<string[]>;
export declare function removePeer(remoteEpk: string): Promise<boolean>;
/** Test-only: expose the identity-file path so tests can clean it. */
export declare const _IDENTITY_FILE_FOR_TEST: string;
/** Test-only: expose unlink for cleanup. */
export declare const _unlinkIdentityFileForTest: () => Promise<void>;