import type { Buffer } from 'node:buffer';
export interface ServiceAccountKey {
    type: 'service_account';
    client_email: string;
    private_key: string;
    project_id: string;
    token_uri: string;
    private_key_id?: string;
    client_id?: string;
}
export type ValidationResult = {
    ok: true;
    serviceAccountEmail: string;
    projectId: string;
} | {
    ok: false;
    kind: 'shape-error';
    message: string;
} | {
    ok: false;
    kind: 'token-error';
    message: string;
} | {
    ok: false;
    kind: 'no-app-access';
    message: string;
    serviceAccountEmail: string;
} | {
    ok: false;
    kind: 'network-error';
    message: string;
};
export interface ValidateOptions {
    jsonBytes: Buffer;
    packageName: string;
    signal?: AbortSignal;
    /** Override per-request timeout. Defaults to 30s. */
    timeoutMs?: number;
    /** Test-only injection point. Defaults to globalThis.fetch. */
    fetchImpl?: typeof fetch;
}
/**
 * Parse + minimally validate the service account JSON structure.
 *
 * Google's SA JSON for `service_account` type has more optional fields, but
 * these five are the ones we actually need to authenticate. Missing any of
 * them means we can't proceed — surface a precise error so the user knows
 * what's wrong rather than discovering it at token-exchange time with an
 * opaque crypto error.
 */
export declare function parseServiceAccountKey(jsonBytes: Buffer): ServiceAccountKey;
/**
 * Run the full validation chain. The function never throws — all failure
 * shapes are returned as `{ ok: false, kind: … }` so the UI can react to each
 * case independently (e.g. "no-app-access" routes to a recovery screen with
 * actionable Play Console invite instructions).
 */
export declare function validateServiceAccountJson(opts: ValidateOptions): Promise<ValidationResult>;