/**
 * Generate a JWT for App Store Connect API authentication.
 * Uses ES256 algorithm with the .p8 private key.
 *
 * SECURITY: `p8Content` is private key material, and the returned JWT is
 * presumably the `token` the other functions in this file accept as their
 * credential. Keep both out of logs, error messages and persisted state.
 *
 * NOTE(review): the token's lifetime and claims are not visible from this
 * declaration — confirm the implementation issues short-lived tokens.
 *
 * @param keyId - ID of the App Store Connect API key.
 * @param issuerId - App Store Connect issuer ID.
 * @param p8Content - Contents of the .p8 private key file.
 * @returns The JWT as a string.
 */
export declare function generateJwt(keyId: string, issuerId: string, p8Content: string): string;
/**
 * Verify the API key works and try to detect the team ID from existing certificates.
 * Throws on 401/403 with a user-friendly message.
 *
 * The resolved type fixes `valid` to the literal `true`, so a rejected key is
 * reported by throwing, never by a `valid: false` result. Callers must handle
 * the rejection rather than test the flag.
 *
 * NOTE(review): team ID detection is described as best-effort ("try to").
 * What `teamId` holds when no certificate exists is not visible here — confirm
 * before treating it as authoritative.
 *
 * @param token - API token, presumably the JWT from {@link generateJwt}.
 * @returns `valid: true` together with the detected `teamId`.
 */
export declare function verifyApiKey(token: string): Promise<{
    valid: true;
    teamId: string;
}>;
/**
 * An iOS distribution certificate, as returned by {@link listDistributionCerts}
 * and carried by {@link CertificateLimitError}.
 */
export interface AscDistributionCert {
    // presumably the Apple certificate ID accepted by revokeCertificate/createProfile — confirm
    id: string;
    name: string;
    serialNumber: string;
    // NOTE(review): date format (e.g. ISO 8601) is not visible from this declaration
    expirationDate: string;
    /**
     * Base64-encoded DER of the certificate. Populated when {@link listDistributionCerts}
     * is called with `includeContent: true` — kept optional so existing callers don't pay
     * the larger payload when they don't need it.
     *
     * This is the input {@link computeCertSha1} hashes. Callers must handle
     * `undefined` when the list was fetched without `includeContent`.
     */
    certificateContent?: string;
}
/**
 * List all iOS distribution certificates.
 *
 * Set `includeContent: true` when you need to compute the cert's SHA1 for
 * matching against a local Keychain identity ({@link findCertIdBySha1}).
 *
 * @param token - API token for the App Store Connect request.
 * @param options - Optional settings. `includeContent` controls whether
 *   `certificateContent` is populated on each returned certificate.
 * @returns The distribution certificates visible to the token.
 */
export declare function listDistributionCerts(token: string, options?: {
    includeContent?: boolean;
}): Promise<AscDistributionCert[]>;
/**
 * Compute the SHA1 hash of an ASC certificate's base64-DER content. Returns
 * the lowercase 40-char hex string used elsewhere as the canonical identity
 * key — matches the SHA1 reported by `security find-identity` on macOS.
 *
 * SECURITY NOTE on SHA1: this is NOT a security primitive. macOS itself
 * reports code-signing identities as cert-DER SHA1 (via `security
 * find-identity`), and we have to use the same hash to look up an Apple-side
 * cert by its on-Mac counterpart. SHA1 here is a non-secret identifier, not
 * a message digest protecting any data. CodeQL's "weak cryptographic
 * algorithm" rule is suppressed for this reason.
 *
 * Because of that, do not reuse this helper where collision resistance
 * matters (integrity or authenticity checks). It is a lookup key only.
 *
 * NOTE(review): behaviour on malformed or empty base64 input is not visible
 * from this declaration — confirm whether it throws or hashes whatever decodes.
 *
 * @param certificateContentBase64 - Base64-encoded DER of the certificate.
 * @returns Lowercase 40-character hex SHA1 of the certificate content.
 */
export declare function computeCertSha1(certificateContentBase64: string): string;
/**
 * Match a local Keychain identity (by its SHA1) against an Apple-side
 * certificate and return the Apple certificate ID needed for profile
 * creation. Returns null if no Apple-side cert matches the SHA1.
 *
 * The match is an identifier lookup, not a cryptographic verification. See
 * the SHA1 note on {@link computeCertSha1}.
 *
 * @param token - API token for the App Store Connect request.
 * @param sha1 - SHA1 of the local identity. {@link computeCertSha1} produces
 *   lowercase hex, and whether this function normalises case or whitespace is
 *   not visible here, so pass lowercase hex — TODO confirm.
 * @returns The Apple certificate ID, or `null` when nothing matches.
 */
export declare function findCertIdBySha1(token: string, sha1: string): Promise<string | null>;
/**
 * Summary of a provisioning profile, as returned by {@link listProfilesForCert}.
 */
export interface AscProfileSummary {
    id: string;
    name: string;
    profileType: string;
    // presumably base64 mobileprovision content, as documented for createProfile — confirm
    profileContent: string;
    // NOTE(review): date format is not visible from this declaration
    expirationDate: string;
    bundleIdentifier: string;
}
/**
 * List all provisioning profiles linked to a specific Apple-side certificate.
 * Used by the import-flow no-match-recovery menu to surface profiles that
 * exist on Apple but haven't been downloaded to the user's Mac.
 *
 * @param token - API token for the App Store Connect request.
 * @param certificateId - Apple-side certificate ID whose profiles are listed.
 * @returns Summaries of the profiles linked to that certificate.
 */
export declare function listProfilesForCert(token: string, certificateId: string): Promise<AscProfileSummary[]>;
/**
 * Revoke (delete) a certificate by ID.
 *
 * Destructive on the Apple account. The signature accepts any `certId` and
 * shows no ownership filter or confirmation step, so the caller is
 * responsible for confirming the choice with the user first (the
 * {@link CertificateLimitError} flow documents that the UI asks which
 * certificate to revoke).
 *
 * NOTE(review): the effect on profiles or builds that depend on the revoked
 * certificate is not visible from this declaration.
 *
 * @param token - API token for the App Store Connect request.
 * @param certId - ID of the certificate to revoke.
 */
export declare function revokeCertificate(token: string, certId: string): Promise<void>;
/**
 * Error thrown when certificate limit is reached.
 * Contains the existing certificates so the UI can ask the user which to revoke.
 *
 * Documented as thrown by {@link createCertificate}.
 */
export declare class CertificateLimitError extends Error {
    // Existing certificates offered to the user as revocation candidates.
    readonly certificates: AscDistributionCert[];
    constructor(certificates: AscDistributionCert[]);
}
/**
 * Create a distribution certificate using a CSR.
 * Returns the certificate ID, base64 DER content, expiration date, and team ID.
 *
 * Throws CertificateLimitError if the limit is reached, so the UI can ask
 * the user which certificate to revoke.
 *
 * Only the CSR crosses this boundary: the signature takes no private key, so
 * the key that produced the CSR stays with the caller.
 *
 * NOTE(review): how `teamId` is derived is not visible from this declaration.
 *
 * @param token - API token for the App Store Connect request.
 * @param csrPem - Certificate signing request in PEM form.
 * @returns The new certificate's ID, base64 DER content, expiration date and team ID.
 */
export declare function createCertificate(token: string, csrPem: string): Promise<{
    certificateId: string;
    certificateContent: string;
    expirationDate: string;
    teamId: string;
}>;
/**
 * Find an existing bundle ID or register a new one.
 * Returns the Apple resource ID needed for profile creation.
 *
 * Not read-only: when the identifier is not found, a new bundle ID is
 * registered on the Apple account.
 *
 * NOTE(review): validation of `identifier` before registration is not visible
 * from this declaration — confirm callers pass a vetted value.
 *
 * @param token - API token for the App Store Connect request.
 * @param identifier - Bundle identifier to look up or register.
 * @returns The Apple resource ID of the bundle ID, as `bundleIdResourceId`.
 */
export declare function ensureBundleId(token: string, identifier: string): Promise<{
    bundleIdResourceId: string;
}>;
/**
 * Get the profile name we use for a given appId.
 *
 * presumably the "Capgo <appId> AppStore" form described on
 * {@link findCapgoProfiles} — confirm against the implementation.
 *
 * @param appId - App identifier embedded in the profile name.
 * @returns The profile name for that app.
 */
export declare function getCapgoProfileName(appId: string): string;
/**
 * Find existing provisioning profiles matching our naming convention.
 * Only returns profiles we created (named "Capgo <appId> AppStore").
 *
 * NOTE(review): as documented, "profiles we created" is decided by name. A
 * profile given the same name by another tool or person would presumably
 * match too — confirm with the user before passing results to
 * {@link deleteProfile}.
 *
 * @param token - API token for the App Store Connect request.
 * @param appId - App identifier used to build the expected profile name.
 * @returns ID, name and type of each matching profile.
 */
export declare function findCapgoProfiles(token: string, appId: string): Promise<Array<{
    id: string;
    name: string;
    profileType: string;
}>>;
/**
 * Delete a provisioning profile by ID.
 *
 * Destructive on the Apple account. The signature accepts any `profileId`
 * and shows no check that the profile follows the Capgo naming convention,
 * so the caller decides which profiles are safe to delete.
 *
 * @param token - API token for the App Store Connect request.
 * @param profileId - ID of the provisioning profile to delete.
 */
export declare function deleteProfile(token: string, profileId: string): Promise<void>;
/**
 * Error thrown by {@link createProfile} when duplicate profiles exist, so the
 * caller can ask the user whether to delete them and retry.
 *
 * NOTE(review): what counts as a duplicate (same name, same bundle ID, ...)
 * is not visible from this declaration — confirm before deleting the listed
 * profiles.
 */
export declare class DuplicateProfileError extends Error {
    // presumably the duplicate profiles that blocked creation — confirm
    readonly profiles: Array<{
        id: string;
        name: string;
        profileType: string;
    }>;
    constructor(profiles: Array<{
        id: string;
        name: string;
        profileType: string;
    }>);
}
/**
 * Create an App Store provisioning profile linking a certificate and bundle ID.
 * Resolves with the profile ID, profile name, base64 mobileprovision content
 * (`profileContent`) and expiration date.
 *
 * Throws a DuplicateProfileError if duplicate profiles exist, so the caller
 * can ask the user whether to delete them and retry.
 *
 * @param token - API token for the App Store Connect request.
 * @param bundleIdResourceId - Apple resource ID of the bundle ID (see {@link ensureBundleId}).
 * @param certificateId - Apple certificate ID to link (see {@link findCertIdBySha1}).
 * @param appId - App identifier; presumably used to build the profile name
 *   via {@link getCapgoProfileName} — confirm.
 */
export declare function createProfile(token: string, bundleIdResourceId: string, certificateId: string, appId: string): Promise<{
    profileId: string;
    profileName: string;
    profileContent: string;
    expirationDate: string;
}>;
