/**
 * Console token management HTTP routes — #1795.
 *
 * Provides:
 * - POST /api/console/token/rotate — rotate the primary token with TOTP confirmation
 *
 * Security model:
 * - All endpoints require a valid existing console token. Enforcement
 *   happens via an always-on `createAuthMiddleware` instance mounted at the
 *   top of this router, independent of `DOLLHOUSE_WEB_AUTH_ENABLED`.
 * - Rotation additionally requires TOTP confirmation (Pattern B). Pattern A
 *   (OS dialog fallback) is deferred to a follow-up issue.
 * - A sliding-window rate limit throttles rotation attempts so a bad actor
 *   with a live session can't brute-force TOTP codes by flooding rotations.
 *
 * @since v2.1.0 — Issue #1795
 */
import { Router } from 'express';
import { type ConsoleTokenStore } from '../console/consoleToken.js';
/**
 * Options for the token routes factory.
 */
export interface TokenRoutesOptions {
    store: ConsoleTokenStore;
    /** Maximum rotation attempts per window. Default: 10. */
    rateLimitMax?: number;
    /** Rate limit window in milliseconds. Default: 60_000 (1 minute). */
    rateLimitWindowMs?: number;
}
/**
 * Build the Express router exposing token management endpoints. The returned
 * router should be mounted at `/api/console/token`; the caller does not need
 * to add additional auth middleware — this router enforces its own auth
 * regardless of the global feature flag.
 */
export declare function createTokenRoutes(options: TokenRoutesOptions): Router;
//# sourceMappingURL=tokenRoutes.d.ts.map