/**
 * UpdateChecker - Secure GitHub release update checking with comprehensive sanitization
 *
 * Security measures implemented:
 * 1. XSS Protection: DOMPurify with strict no-tags/no-attributes policy
 * 2. Command Injection Prevention: Multiple regex patterns for various escape sequences
 * 3. URL Validation: Whitelist approach allowing only http/https schemes
 * 4. Information Disclosure Prevention: Sanitized logging of sensitive data
 * 5. Length Limits: Configurable limits to prevent DoS attacks
 * 6. OWASP Patterns: Protection against PHP, ASP, hex, unicode, and octal escapes
 *
 * Performance optimizations:
 * - Cached DOMPurify instance to avoid recreation overhead
 * - Single-pass regex processing for injection patterns
 * - Exponential backoff for network retries
 */
import { VersionManager } from './VersionManager.js';
import { RateLimiter } from './RateLimiter.js';
import { SignatureVerifier } from './SignatureVerifier.js';
/**
 * Result of a release update check, as returned by
 * `UpdateChecker.checkForUpdates()` and consumed by
 * `UpdateChecker.formatUpdateCheckResult()`.
 *
 * NOTE(review): this declaration does not show whether the string fields are
 * already sanitized when the object is returned, or only when it is formatted
 * for display. Treat `releaseNotes` and `releaseUrl` as untrusted remote
 * content until that is confirmed against the implementation.
 */
export interface UpdateCheckResult {
    // Version of the running installation (presumably taken from VersionManager; confirm).
    currentVersion: string;
    // Version of the newest release found.
    latestVersion: string;
    // True when an update is available.
    isUpdateAvailable: boolean;
    // Release date as a string; presumably the ISO date string that formatDate() expects (confirm).
    releaseDate: string;
    // Release notes text. Originates from the remote release, so it is attacker-influenced
    // if the release source is compromised.
    releaseNotes: string;
    // Link to the release page. The class documents an http/https scheme allowlist for URLs.
    releaseUrl: string;
    // Release tag name, when available.
    tagName?: string;
    // Signature verification outcome. Optional: `undefined` is a third state distinct from
    // `false`, so consumers should treat only a strict `true` as "verified".
    signatureVerified?: boolean;
    // Signer description, when available. NOTE(review): presumably only meaningful when
    // signatureVerified is true; confirm before displaying it as a trust indicator.
    signerInfo?: string;
}
/**
 * Type declaration for the GitHub release update checker.
 *
 * This file declares the class surface only. None of the sanitization, retry,
 * rate-limiting or signature logic described in the comments below is visible
 * here, so the stated security properties describe the implementation as
 * documented by its author; they are not enforced by this declaration.
 */
export declare class UpdateChecker {
    private versionManager;
    private rateLimiter;
    private signatureVerifier;
    // Static (process-wide) DOMPurify state, cleared by resetCache().
    private static purifyWindow;
    private static purify;
    /**
     * Lazily initialize DOMPurify to prevent crashes during startup
     * CRITICAL FIX: Prevents jsdom from crashing during MCP initialization
     *
     * NOTE(review): because initialization is deferred, confirm that a failed
     * initialization makes sanitization fail closed (reject or empty output)
     * rather than passing release notes through unsanitized.
     */
    private initializeDOMPurify;
    private readonly releaseNotesMaxLength;
    private readonly urlMaxLength;
    private readonly securityLogger?;
    private readonly requireSignedReleases;
    /**
     * @param versionManager - Version manager dependency.
     * @param options - Optional settings; every field may be omitted.
     *   - `releaseNotesMaxLength`: length cap applied to release notes
     *     (sanitizeReleaseNotes documents a default of 5000 chars).
     *   - `urlMaxLength`: length cap applied to URLs; the default is not
     *     visible in this declaration.
     *   - `securityLogger`: callback receiving security events. `details` is
     *     typed `any`, so a logger should narrow it before use rather than
     *     assume a shape.
     *   - `rateLimiter`, `signatureVerifier`: injectable collaborators;
     *     presumably defaults are constructed when omitted (confirm).
     *   - `requireSignedReleases`: NOTE(review): presumably turns a failed or
     *     missing signature into a hard failure instead of a flag on the
     *     result. The default is not visible here; if it defaults to false,
     *     signature verification is advisory only and callers must check
     *     `signatureVerified` themselves.
     */
    constructor(versionManager: VersionManager, options?: {
        releaseNotesMaxLength?: number;
        urlMaxLength?: number;
        securityLogger?: (event: string, details: any) => void;
        rateLimiter?: RateLimiter;
        signatureVerifier?: SignatureVerifier;
        requireSignedReleases?: boolean;
    });
    /**
     * Execute a network operation with retry logic and exponential backoff
     * @param operation - The async operation to execute
     * @param maxRetries - Maximum number of retry attempts (default: 3)
     * @param baseDelay - Base delay in milliseconds for exponential backoff (default: 1000ms)
     * @returns Promise resolving to the operation result
     * @throws The last error if all retries fail
     */
    private retryNetworkOperation;
    /**
     * Check for updates from GitHub releases with security and error handling
     *
     * NOTE(review): the returned object carries optional `signatureVerified`
     * and `signerInfo` fields. Whether an unverified release is returned or
     * rejected when `requireSignedReleases` is set cannot be determined from
     * this declaration; confirm against the implementation.
     *
     * @returns UpdateCheckResult if update info is available, null if no releases found
     * @throws Error for network or API failures or rate limit exceeded
     */
    checkForUpdates(): Promise<UpdateCheckResult | null>;
    /**
     * Get current rate limit status
     * @returns Current rate limit status including remaining requests and reset time
     */
    getRateLimitStatus(): {
        allowed: boolean;
        remainingRequests: number;
        resetTime: Date;
        waitTimeSeconds?: number;
    };
    /**
     * Format update check results for display with comprehensive sanitization
     *
     * NOTE(review): the only sanitizers declared on this class are for URLs
     * and release notes. Confirm that `error.message` and `personaIndicator`
     * are also sanitized or come from trusted sources, because both end up in
     * the returned display string.
     *
     * @param result - The update check result to format
     * @param error - Optional error from update check
     * @param personaIndicator - Optional persona indicator prefix
     * @returns Formatted string safe for display
     */
    formatUpdateCheckResult(result: UpdateCheckResult | null, error?: Error, personaIndicator?: string): string;
    /**
     * Sanitize URLs to prevent dangerous schemes and information disclosure
     *
     * Security measures:
     * - Length validation to prevent DoS
     * - Allowlist approach: only http/https allowed
     * - Sanitized logging to prevent sensitive data exposure
     *
     * NOTE(review): a scheme allowlist does not constrain the host. If callers
     * rely on the returned URL pointing at the expected release host, confirm
     * that the implementation also checks the hostname.
     *
     * @param url - The URL to sanitize
     * @returns Empty string if invalid/dangerous, original URL if safe
     */
    private sanitizeUrl;
    /**
     * Sanitize release notes to prevent XSS, command injection, and DoS
     *
     * Security layers:
     * 1. Length limiting (configurable, default 5000 chars)
     * 2. HTML/JS sanitization via DOMPurify (no tags/attributes allowed)
     * 3. Command injection pattern removal (backticks, command substitution)
     * 4. OWASP pattern removal (PHP, ASP, hex/unicode/octal escapes)
     *
     * NOTE(review): layers 3 and 4 are pattern-removal (denylist) steps, which
     * are defense in depth rather than a guarantee. The output should still be
     * handled as plain text by consumers and never passed to a shell or
     * interpreter. Also confirm that removing a pattern cannot join the
     * surrounding text into a new match (i.e. removal is repeated until
     * stable, or happens in an order that makes this impossible).
     *
     * @param notes - The release notes to sanitize
     * @returns Sanitized release notes safe for display
     */
    private sanitizeReleaseNotes;
    /**
     * Format date to human-readable format with consistent timezone handling
     * @param dateStr - ISO date string to format
     * @returns Human-readable date string (e.g., "January 5, 2025")
     */
    private formatDate;
    /**
     * Log security events for monitoring and alerting
     * Only logs if securityLogger callback was provided in constructor
     * @param event - The security event type
     * @param details - Event details (sanitized to prevent info disclosure)
     */
    private logSecurityEvent;
    /**
     * Reset static DOMPurify cache (useful for long-running processes)
     * This prevents memory accumulation in services that run for extended periods
     *
     * The cache is static, so a reset affects every UpdateChecker instance in
     * the process, not only the caller's.
     * @static
     */
    static resetCache(): void;
}
//# sourceMappingURL=UpdateChecker.d.ts.map