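import { type VerificationDocument } from "./verifier.js";
import type { SessionRecoveryToken } from "./encrypted-body-fetch.js";

/**
 * Transport mode for secure communication with the enclave.
 *
 * - `'ehbp'` - HPKE encryption via the Encrypted HTTP Body Protocol (default).
 *   End-to-end encrypted, works through proxies.
 * - `'tls'` - TLS certificate pinning. Requires direct connection to the enclave;
 *   requests through a proxy will fail.
 *
 * @see https://docs.tinfoil.sh/resources/ehbp - EHBP Protocol specification
 */
export type TransportMode = 'ehbp' | 'tls';

/**
 * Configuration options for SecureClient.
 *
 * `enclaveURL`, `configRepo` and `attestationBundleURL` select what the client
 * verifies and against which reference, so they act as trust anchors. Set them
 * from trusted, static configuration rather than from request- or user-supplied
 * values.
 */
export interface SecureClientOptions {
    /**
     * Override the base URL for API requests.
     * When set, requests are sent to this URL instead of directly to the enclave.
     * Useful for proxying requests through your own backend.
     *
     * This declaration only describes request bodies as encrypted. Treat the
     * request path, query string and headers as readable by whatever host this
     * URL points at (TODO confirm against the EHBP specification).
     * Per {@link TransportMode}, `'tls'` requests through a proxy will fail.
     *
     * @see https://docs.tinfoil.sh/guides/proxy-server
     */
    baseURL?: string;
    /**
     * Explicit enclave URL. When set, this takes precedence over the domain
     * returned by the attestation bundle.
     * Use this when connecting to a custom enclave endpoint rather than the default router.
     */
    enclaveURL?: string;
    /**
     * GitHub repo for code verification. Defaults to tinfoilsh/confidential-model-router.
     *
     * Changing this changes which repository's code the enclave is verified against.
     */
    configRepo?: string;
    /**
     * Transport mode for secure communication.
     * @default 'ehbp'
     */
    transport?: TransportMode;
    /** URL to fetch the attestation bundle from. */
    attestationBundleURL?: string;
}

/**
 * Low-level secure client providing a verified fetch function for custom HTTP requests.
 *
 * SecureClient performs enclave attestation verification and provides a `fetch` function
 * that encrypts all request bodies end-to-end. Use this when you need direct control
 * over HTTP requests or want to use a different OpenAI client.
 *
 * For most use cases, prefer {@link TinfoilAI} which wraps this with an OpenAI-compatible API.
 *
 * @example
 * ```typescript
 * import { SecureClient } from "tinfoil";
 *
 * const client = new SecureClient();
 * await client.ready();
 *
 * // Use with OpenAI SDK
 * const openai = new OpenAI({
 *   apiKey: "your-key",
 *   baseURL: client.getBaseURL(),
 *   fetch: client.fetch,
 * });
 * ```
 *
 * @example
 * ```typescript
 * // Direct fetch for custom requests
 * const response = await client.fetch("/v1/chat/completions", {
 *   method: "POST",
 *   headers: { "Content-Type": "application/json" },
 *   body: JSON.stringify({ model: "llama3-3-70b", messages: [...] }),
 * });
 * ```
 *
 * @see https://docs.tinfoil.sh/sdk/javascript-sdk
 * @see https://docs.tinfoil.sh/guides/proxy-server - Proxy server setup
 */
export declare class SecureClient {
    private readonly config;
    private initPromise;
    private verificationDocument;
    private _transport;
    private resolvedEnclaveURL?;
    private resolvedBaseURL?;
    constructor(options?: SecureClientOptions);
    /**
     * Wait for the client to complete verification and be ready for requests.
     *
     * This performs enclave attestation, code verification, and establishes
     * the secure transport. Call it before the first `fetch` so that a
     * verification failure surfaces here rather than in the middle of a request;
     * the `reset()` documentation states that `fetch()` also attests lazily
     * when no verified state exists.
     *
     * @returns A promise that settles once verification has finished.
     * @throws Error if verification fails
     */
    ready(): Promise<void>;
    /**
     * Clear derived state without touching initPromise (preserves deduplication).
     */
    private clearDerivedState;
    /**
     * Reset the client, clearing all verification state and transport.
     *
     * After calling reset(), the next call to `ready()` or `fetch()` will
     * perform a fresh attestation and establish a new secure transport.
     *
     * Use this for retry logic when the enclave may have restarted with new keys,
     * or when you want to force re-verification.
     *
     * @example
     * ```typescript
     * // Force re-attestation
     * client.reset();
     * await client.ready();
     *
     * // Or let it re-attest lazily on next request
     * client.reset();
     * await client.fetch("/v1/chat/completions", { ... });
     * ```
     */
    reset(): void;
    private initSecureClient;
    /**
     * Get the verification document containing attestation details.
     *
     * NOTE(review): the return type is non-optional, and what happens when this
     * is called before `ready()` has resolved is not visible in this declaration.
     * Call it only after `ready()` and confirm against the implementation.
     *
     * @returns The verification document with attestation results
     * @see https://docs.tinfoil.sh/verification/attestation-architecture
     */
    getVerificationDocument(): VerificationDocument;
    /**
     * Get the base URL for API requests.
     *
     * Returns the base URL requests will be sent to.
     *
     * NOTE(review): presumably `undefined` until `ready()` has resolved, as
     * documented for `getEnclaveURL()` — confirm.
     */
    getBaseURL(): string | undefined;
    /**
     * Get the URL of the enclave endpoint, or undefined before ready().
     */
    getEnclaveURL(): string | undefined;
    private createTransport;
    /**
     * Secure fetch function that encrypts request bodies end-to-end.
     *
     * Use this as a drop-in replacement for global `fetch`. Request bodies are
     * encrypted using HPKE (or TLS pinning if configured) so only the verified
     * enclave can decrypt them.
     *
     * On `KeyConfigMismatchError` (server key rotation), automatically re-attests
     * and retries the request once. All other errors propagate to the caller.
     *
     * The protection documented here covers request bodies only; nothing in this
     * declaration states that the URL, query string or headers are encrypted.
     *
     * @example
     * ```typescript
     * const response = await client.fetch("/v1/chat/completions", {
     *   method: "POST",
     *   headers: { "Content-Type": "application/json" },
     *   body: JSON.stringify({ model: "llama3-3-70b", messages: [...] }),
     * });
     * ```
     */
    get fetch(): typeof fetch;
    /**
     * Returns the session recovery token for the most recent request.
     *
     * The token is overwritten on every request, so it must be captured
     * immediately after the relevant `fetch()` resolves and before issuing
     * another request on this client. With concurrent requests on one client
     * instance, "most recent" is therefore ambiguous; use one request at a
     * time, or one client per flow, when the token matters.
     *
     * NOTE(review): the type argument was missing from this listing and is
     * restored from the otherwise unused `SessionRecoveryToken` import. Confirm
     * against the implementation whether the result can also be `undefined`
     * (for example before any request has been made). The token's contents are
     * defined in ./encrypted-body-fetch.js and are not visible here; handle it
     * as sensitive until confirmed otherwise.
     */
    getSessionRecoveryToken(): Promise<SessionRecoveryToken>;
}
//# sourceMappingURL=secure-client.d.ts.map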