import type { AuthPatternFinding } from '../../doctor/types.js';
import type { ValidationIssue } from './types.js';
export interface SecurityCheckResult {
    /** All security-class findings for this install (errors + warnings). */
    findings: AuthPatternFinding[];
    /**
     * Error-severity findings that must block a successful install. Empty when the
     * install is secure; a non-empty list means install should not report success.
     */
    blocking: AuthPatternFinding[];
}
/**
 * Run the security subset of doctor's auth-pattern checks against an install
 * directory. Pure file inspection — no network — so it is safe to call both
 * inside the installer's self-correction loop and as the final pre-success gate.
 *
 * This closes the install-validate ↔ doctor gap: previously install could report
 * `success: true` while `workos doctor` immediately found a security hole,
 * because neither the retry loop nor `validateInstallation` ran these checks.
 */
export declare function runInstallSecurityChecks(integration: string, installDir: string): Promise<SecurityCheckResult>;
/** Convert security findings into ValidationIssues for the emitter/report surfaces. */
export declare function securityFindingsToIssues(findings: AuthPatternFinding[]): ValidationIssue[];
/**
 * Build an agent correction prompt from security findings so the installer's
 * self-correction loop fixes them before declaring success. Returns an empty
 * string when there is nothing to correct.
 */
export declare function formatSecurityFindingsForAgent(findings: AuthPatternFinding[]): string;
/**
 * Build the error message thrown when error-severity security findings survive
 * the installer's retries — the message that turns a silent insecure "success"
 * into a visible failure.
 */
export declare function formatBlockingSecurityError(blocking: AuthPatternFinding[]): string;