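/**
 * Lightweight HTTP proxy that injects credentials into upstream requests.
 * Includes lazy token refresh - refreshes proactively when token is expiring soon.
 *
 * NOTE(review): this file holds declarations only. The listener's bind address,
 * the source of the injected credentials and any request logging are not visible
 * here. Because the proxy adds credentials to whatever it forwards, confirm in
 * the implementation that it listens on loopback only and never logs
 * the injected header values.
 */

/** Settings for the proxy's lazy token refresh. */
export interface RefreshConfig {
  /** AuthKit domain for refresh endpoint */
  authkitDomain: string;
  /** OAuth client ID */
  clientId: string;
  /** Threshold in ms - refresh when token expires within this window (default: 60000 = 1 min) */
  refreshThresholdMs?: number;
  /** Callback when refresh succeeds */
  onRefreshSuccess?: () => void;
  /** Callback when refresh fails permanently (token expired, invalid_grant) */
  onRefreshExpired?: () => void;
}

/** Options accepted by {@link startCredentialProxy}. */
export interface CredentialProxyOptions {
  /**
   * Upstream URL to forward requests to.
   *
   * NOTE(review): injected credentials travel to this origin, so callers should
   * pass a trusted, fixed value (presumably https) - confirm the implementation
   * does not follow redirects to other hosts with the credential attached.
   */
  upstreamUrl: string;
  /** Optional: specific port to bind (default: random) */
  port?: number;
  /** Optional: refresh configuration for lazy token refresh */
  refresh?: RefreshConfig;
}

/** Handle describing a running proxy and how to shut it down. */
export interface CredentialProxyHandle {
  /** Port the proxy is listening on */
  port: number;
  /**
   * Full URL for the proxy (e.g., http://localhost:54321).
   *
   * NOTE(review): the example is plain HTTP on localhost; any local process that
   * can reach this port would presumably get credentials injected on its
   * requests - verify whether the implementation restricts callers.
   */
  url: string;
  /** Stop the proxy server */
  stop: () => Promise<void>;
}

/**
 * Start the credential injector proxy with optional lazy refresh.
 *
 * @param options - Upstream target, optional port and optional refresh settings.
 * @returns A promise for the handle of the started proxy.
 */
export declare function startCredentialProxy(
  options: CredentialProxyOptions,
): Promise<CredentialProxyHandle>;

/**
 * Start a lightweight proxy that injects claim token headers for unclaimed environments.
 * No refresh logic — claim tokens are assumed valid for the duration of an install session.
 *
 * NOTE(review): `claimToken` is a bearer-style secret held for the life of the
 * proxy; callers should stop the proxy when the install session ends and keep
 * the token out of logs and error messages.
 *
 * @param options - Upstream URL, the claim token to inject and the client ID.
 * @returns A promise for the handle of the started proxy.
 */
export declare function startClaimTokenProxy(options: {
  upstreamUrl: string;
  claimToken: string;
  clientId: string;
}): Promise<CredentialProxyHandle>;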