/**
 * File-backed implementation of the runtime-neutral {@link MCPOAuthStore}
 * defined in `vcp-common/mcp-oauth.ts`.
 *
 * Persists discovered OAuth metadata, registered DCR client info, and
 * obtained tokens under `~/.builder/config/mcp/`:
 *
 *   ~/.builder/config/mcp/
 *     servers.json   # discovered metadata + DCR client info per serverUrl
 *     tokens.json    # access/refresh tokens per serverUrl
 *
 * Path resolution priority:
 *   1. The `BUILDER_DEV_TOOLS_CREDS_DIR` env var (override for tests /
 *      sandboxed envs). When set, files live directly under that dir.
 *   2. The `baseDir` constructor option (used by tests).
 *   3. `~/.builder/config/mcp/` — same `homedir()` pattern that
 *      `getUserScopedCredentialsPath` (cli/credentials.ts:115-117) uses for
 *      `~/.builder/config/data.json`.
 *
 * Server URL is the canonical key. We do NOT normalize the URL — different
 * paths under the same host can be different OAuth realms (e.g. v1 vs v2),
 * and case-folding the host is risky for IdPs that include case-sensitive
 * tokens in the path.
 *
 * PKCE state rows live in-memory: the loopback redirect runs in-process and
 * the state is short-lived (typically <60s between the SDK's `state()` call
 * and the user finishing browser auth). Persisting them buys nothing for
 * the local provider.
 */
import type { MCPOAuthMetadata, MCPOAuthState, MCPOAuthStore, MCPOAuthTokens } from "#vcp-common/mcp-oauth.js";
/**
 * Resolve the directory that holds `servers.json` / `tokens.json`. See the
 * module-level docstring for priority order.
 */
export declare function resolveMCPCredentialsDir(baseDir?: string): string;
export interface FileMCPOAuthStoreOptions {
    /** OAuth-scoped server URL. Used verbatim as the canonical store key. */
    serverUrl: string;
    /**
     * Override for the credentials directory. Mostly for tests — production
     * callers should rely on the env var or default
     * (`~/.builder/config/mcp/`).
     */
    baseDir?: string;
}
/**
 * File-backed {@link MCPOAuthStore}. Each instance is bound to a single
 * `serverUrl`; the JSON files on disk hold many entries keyed by server URL,
 * so multiple instances coexist safely.
 */
export declare class FileMCPOAuthStore implements MCPOAuthStore {
    private readonly serverUrl;
    private readonly dir;
    private readonly serversPath;
    private readonly tokensPath;
    private readonly pkceStates;
    constructor(opts: FileMCPOAuthStoreOptions);
    getMetadata(): Promise<MCPOAuthMetadata | undefined>;
    saveMetadata(metadata: MCPOAuthMetadata): Promise<void>;
    markDiscoveryFailed(reason: string): Promise<void>;
    isDiscoveryFailed(): Promise<boolean>;
    getTokens(): Promise<MCPOAuthTokens | undefined>;
    saveTokens(tokens: MCPOAuthTokens): Promise<void>;
    invalidateCredentials(scope: "all" | "client" | "tokens" | "verifier" | "discovery"): Promise<void>;
    saveOAuthState(state: MCPOAuthState): Promise<void>;
    consumeOAuthState(stateValue: string): Promise<MCPOAuthState | undefined>;
    private ensureDir;
    private removeTokenEntry;
    private updateServerEntry;
}