/**
 * Pattern Encryption Service for Memory Security
 *
 * Part of Issue #1321 Phase 2: Memory Security Architecture
 *
 * PURPOSE:
 * Encrypts dangerous patterns extracted from FLAGGED memories using AES-256-GCM.
 * Ensures patterns are never stored in plain text while remaining accessible
 * for authorized security research outside LLM contexts.
 *
 * ARCHITECTURE:
 * - Uses AES-256-GCM for authenticated encryption
 * - Derives keys from DOLLHOUSE_ENCRYPTION_SECRET via PBKDF2
 * - Generates unique IV for each encryption operation
 * - Provides GCM authentication tags for integrity verification
 *
 * SECURITY:
 * - Patterns encrypted at rest
 * - Decryption only outside LLM context
 * - All decryption attempts logged
 * - Key rotation supported
 *
 * REFACTOR NOTE:
 * Converted from static class to instance-based for DI architecture compatibility.
 *
 * @module PatternEncryptor
 */
/**
 * Encrypted pattern structure
 * Contains ciphertext, algorithm metadata, and authentication data
 */
export interface EncryptedPattern {
    /** Base64-encoded encrypted data */
    encryptedData: string;
    /** Encryption algorithm (always 'aes-256-gcm') */
    algorithm: 'aes-256-gcm';
    /** Base64-encoded initialization vector */
    iv: string;
    /** Base64-encoded GCM authentication tag for integrity */
    authTag: string;
}
/**
 * Configuration for pattern encryption
 */
export interface EncryptionConfig {
    /** Enable encryption (default: true in production) */
    enabled: boolean;
    /** Encryption secret (from environment) */
    secret?: string;
    /** PBKDF2 iterations (default: 100000) */
    iterations: number;
    /** Salt for key derivation (default: 'dollhouse-pattern-encryption-v1') */
    salt: string;
}
/**
 * PatternEncryptor service
 *
 * Handles encryption and decryption of dangerous patterns using AES-256-GCM.
 * Provides authenticated encryption with integrity protection via GCM mode.
 *
 * DI-COMPATIBLE: Instance-based service for dependency injection.
 */
export declare class PatternEncryptor {
    private readonly ALGORITHM;
    private readonly KEY_LENGTH;
    private readonly IV_LENGTH;
    private readonly AUTH_TAG_LENGTH;
    private config;
    private encryptionKey?;
    private isInitialized;
    /**
     * Create a new PatternEncryptor instance
     *
     * @param config - Optional configuration overrides
     */
    constructor(config?: Partial<EncryptionConfig>);
    /**
     * Initialize encryption with configuration
     *
     * @param config - Optional configuration overrides
     * @throws Error if encryption secret is not provided when enabled
     */
    initialize(config?: Partial<EncryptionConfig>): Promise<void>;
    /**
     * Encrypt a pattern using AES-256-GCM
     *
     * @param pattern - Plain text pattern to encrypt
     * @returns Encrypted pattern with metadata
     * @throws Error if encryption not initialized or pattern is empty
     */
    encrypt(pattern: string): EncryptedPattern;
    /**
     * Decrypt an encrypted pattern
     *
     * @param encrypted - Encrypted pattern structure
     * @returns Decrypted plain text pattern
     * @throws Error if decryption fails or authentication fails
     */
    decrypt(encrypted: EncryptedPattern): string;
    /**
     * Derive encryption key from secret using PBKDF2
     *
     * @param secret - Master secret from environment
     * @param salt - Salt for key derivation
     * @param iterations - Number of PBKDF2 iterations
     * @returns Derived encryption key
     */
    private deriveKey;
    /**
     * Check if encryption is enabled
     *
     * @returns true if encryption is enabled and initialized
     */
    isEnabled(): boolean;
    /**
     * Get encryption configuration status
     *
     * @returns Configuration status (without exposing secrets)
     */
    getStatus(): {
        enabled: boolean;
        initialized: boolean;
        algorithm: string;
        keyLength: number;
        iterations: number;
        hasSecret: boolean;
    };
    /**
     * Securely clear encryption key from memory
     * SECURITY FIX: Overwrites key buffer with zeros before releasing
     *
     * This prevents key recovery from memory dumps or process inspection.
     * Should be called when encryption is no longer needed.
     */
    private secureKeyClear;
    /**
     * Reset the encryptor (useful for testing)
     * SECURITY FIX: Now performs secure key clearing
     * WARNING: This will securely clear the encryption key from memory
     */
    reset(): void;
    /**
     * Securely reset the encryptor and clear all sensitive data
     * SECURITY: Explicitly clears encryption keys from memory
     *
     * Use this when:
     * - Shutting down the application
     * - Rotating encryption keys
     * - Responding to security incidents
     */
    secureReset(): void;
    /**
     * Dispose of the encryptor and securely clear all data
     * Implements cleanup for proper DI lifecycle management
     */
    dispose(): Promise<void>;
}
//# sourceMappingURL=PatternEncryptor.d.ts.map