/**
 * Secure GitHub token management and validation
 */
import { RateLimiter } from '../update/RateLimiter.js';
/**
 * Scope names a token is checked against, as returned by
 * TokenManager.getRequiredScopes and passed to TokenManager.validateTokenScopes.
 */
export interface TokenScopes {
    /** Scope names listed as required; presumably validation fails when one is missing (confirm in the implementation). */
    required: Array<string>;
    /** Additional scope names; how their absence is treated is not visible from this declaration. */
    optional?: Array<string>;
}
/**
 * Outcome of a token check, resolved by TokenManager.validateTokenScopes and
 * TokenManager.ensureTokenPermissions.
 *
 * Only `isValid` is always present; callers must treat every other field as optional.
 */
export interface TokenValidationResult {
    /** Whether the token passed the check. */
    isValid: boolean;
    /** Scope names associated with the token, when reported. */
    scopes?: Array<string>;
    /**
     * Rate-limit budget at the time of the check.
     * NOTE(review): presumably GitHub's API budget rather than the local validation limiter; confirm.
     */
    rateLimit?: {
        remaining: number;
        resetTime: Date;
    };
    /** Set when the check was refused because a rate limit was hit. */
    rateLimitExceeded?: boolean;
    /** Suggested wait, in milliseconds, before trying again. */
    retryAfterMs?: number;
    /**
     * Failure description.
     * NOTE(review): confirm this string is always passed through token redaction before it is logged or shown.
     */
    error?: string;
}
/**
 * Secure GitHub token manager with validation and protection.
 *
 * This is the type declaration only. Every member is static, and the private
 * members below carry no types or values here, so the cipher, key size,
 * iteration count and storage path have to be checked in the implementation.
 */
export declare class TokenManager {
    // Accepted token formats; the patterns themselves are not visible in this declaration.
    private static readonly GITHUB_TOKEN_PATTERNS;
    // Directory and file name of the stored token.
    // NOTE(review): confirm both are created with owner-only permissions.
    private static readonly TOKEN_DIR;
    private static readonly TOKEN_FILE;
    // Parameters for encrypting the stored token. The names suggest an
    // authenticated cipher (TAG_LENGTH) keyed by a salted, iterated key
    // derivation (SALT_LENGTH, ITERATIONS) — TODO confirm the actual values, and
    // that IV and salt are freshly random on every write.
    private static readonly ALGORITHM;
    private static readonly KEY_LENGTH;
    private static readonly IV_LENGTH;
    private static readonly TAG_LENGTH;
    private static readonly SALT_LENGTH;
    private static readonly ITERATIONS;
    // Limiter instance held in a static field, so it is shared by all callers of this class.
    private static tokenValidationLimiter;
    /**
     * Get or create the token validation rate limiter
     * Prevents brute force token validation attacks
     */
    private static getTokenValidationLimiter;
    /**
     * Create a rate limiter specifically for token validation
     * Conservative limits to prevent abuse while allowing legitimate usage
     *
     * The concrete limits are not visible in this declaration.
     *
     * @returns a RateLimiter configured for token validation
     */
    static createTokenValidationLimiter(): RateLimiter;
    /**
     * Reset the token validation rate limiter
     * Useful for testing or manual intervention
     *
     * This is public, and resetting discards the brute-force protection the
     * limiter provides, so production code paths should not call it.
     */
    static resetTokenValidationLimiter(): void;
    /**
     * Validate GitHub token format
     *
     * A format check only: a true result does not show that the token is
     * live, unrevoked, or authorized for anything.
     *
     * @param token candidate token string
     * @returns whether the string has an accepted format
     */
    static validateTokenFormat(token: string): boolean;
    /**
     * Get GitHub token from environment with validation
     *
     * Synchronous, so it cannot consult the stored token; see getGitHubTokenAsync.
     * Which environment variable is read is not visible here.
     *
     * @returns the token, or null (presumably when it is unset or fails validation — confirm)
     */
    static getGitHubToken(): string | null;
    /**
     * Redact token for safe logging
     *
     * Use this, not the raw token, in log and error output. The exact
     * redacted form is not visible in this declaration.
     */
    static redactToken(token: string): string;
    /**
     * Get token type from format
     *
     * @returns a type label; the set of possible labels is not visible here
     */
    static getTokenType(token: string): string;
    /**
     * Get safe token prefix for logging
     *
     * NOTE(review): confirm the returned prefix covers only the type marker
     * and none of the secret part of the token.
     */
    static getTokenPrefix(token: string): string;
    /**
     * Validate token scopes via GitHub API
     *
     * NOTE(review): classic OAuth scopes do not apply to fine-grained personal
     * access tokens or GitHub App tokens; confirm how the implementation
     * treats token types that report no scopes.
     *
     * @param token token to check; it is sent to the GitHub API
     * @param requiredScopes scope names the token is checked against
     * @returns the validation outcome; whether failures resolve with
     *          isValid false or reject the promise is not visible here
     */
    static validateTokenScopes(token: string, requiredScopes: TokenScopes): Promise<TokenValidationResult>;
    /**
     * Create safe error message without token exposure
     *
     * NOTE(review): `token` is optional; confirm what is scrubbed when it is
     * omitted, since the function then has no exact value to search for.
     *
     * @param error raw error text
     * @param token token whose value must not appear in the result
     */
    static createSafeErrorMessage(error: string, token?: string): string;
    /**
     * Get minimum required scopes for different operations
     *
     * NOTE: The 'marketplace' scope identifier is kept for backward compatibility
     * with existing token validations. This is an internal scope name and does not
     * affect user-facing functionality. (PR #280)
     *
     * @param operation operation kind the scopes are needed for
     * @returns the scope names for that operation
     */
    static getRequiredScopes(operation: 'read' | 'write' | 'marketplace' | 'collection' | 'gist'): TokenScopes;
    /**
     * Check if token has sufficient permissions for operation
     *
     * NOTE: The 'marketplace' operation type is kept for backward compatibility.
     * This is called internally when accessing collection features. (PR #280)
     *
     * Takes no token argument, so the token is obtained inside the
     * implementation (presumably via getGitHubToken — confirm which source).
     */
    static ensureTokenPermissions(operation: 'read' | 'write' | 'marketplace' | 'collection' | 'gist'): Promise<TokenValidationResult>;
    /**
     * Derive encryption key from a passphrase
     */
    private static deriveKey;
    /**
     * Get machine-specific passphrase for encryption
     * Uses a combination of machine ID and user info for uniqueness
     *
     * Machine ID and user info are identifiers, not secrets: a process that
     * can read them (typically anything running as the same user on the same
     * machine) can presumably rebuild the passphrase. The encryption
     * therefore protects a copied or backed-up token file, not a token on a
     * compromised account; file permissions remain the main local control.
     */
    private static getMachinePassphrase;
    /**
     * Store GitHub token securely to file
     *
     * NOTE(review): confirm the implementation validates the token format
     * before writing and restricts the file to the owning user.
     */
    static storeGitHubToken(token: string): Promise<void>;
    /**
     * Retrieve GitHub token from secure storage
     *
     * @returns the stored token, or null (presumably when nothing is stored
     *          or decryption fails — confirm which cases map to null)
     */
    static retrieveGitHubToken(): Promise<string | null>;
    /**
     * Remove stored GitHub token
     *
     * Removes the local copy only. The token stays valid at GitHub until it
     * is revoked there.
     */
    static removeStoredToken(): Promise<void>;
    /**
     * Get GitHub token from environment or secure storage
     * Updated to check secure storage if environment variable not set
     *
     * @returns the token from the first source that has one, or null
     */
    static getGitHubTokenAsync(): Promise<string | null>;
}
//# sourceMappingURL=tokenManager.d.ts.map