/**
 * PKCE (Proof Key for Code Exchange) primitives per RFC 7636.
 *
 * @remarks
 * Implements the S256 challenge method only. All functions are pure and
 * isomorphic — they rely on the `crypto.getRandomValues` and
 * `crypto.subtle` Web Crypto APIs available as globals in browsers and
 * Node.js (>= 20).
 *
 * @category Auth
 * @module auth/pkce
 */
/**
 * RFC 7636 §4.1 verifier shape: 43-128 unreserved chars.
 *
 * @category Auth
 */
export declare const PKCE_VERIFIER_PATTERN: RegExp;
/**
 * S256 challenge shape: 43-char base64url (SHA-256 = 32 bytes → 43 chars
 * after base64url-no-padding encoding).
 *
 * @category Auth
 */
export declare const PKCE_CHALLENGE_PATTERN: RegExp;
/**
 * Throws {@link RangeError} unless `verifier` matches RFC 7636 §4.1.
 *
 * @category Auth
 */
export declare function assertValidPkceVerifier(verifier: string): void;
/**
 * Generates a cryptographically random PKCE code verifier.
 *
 * @param length - Verifier length in characters. Must be between 43 and 128
 *   (RFC 7636 §4.1). Defaults to 64.
 * @returns A string of the requested length using only the RFC-allowed
 *   unreserved alphabet.
 */
export declare function generatePkceVerifier(length?: number): string;
/**
 * Computes the S256 PKCE code challenge for a verifier.
 *
 * @param verifier - The PKCE code verifier.
 * @returns The base64url-encoded SHA-256 hash of the verifier (no padding).
 */
export declare function computePkceChallenge(verifier: string): Promise<string>;
/**
 * Verifies that a verifier hashes to the given S256 challenge.
 *
 * @param verifier - The PKCE code verifier presented by the client.
 * @param challenge - The previously stored S256 challenge.
 * @returns `true` when the verifier matches; `false` otherwise.
 */
export declare function verifyPkceChallenge(verifier: string, challenge: string): Promise<boolean>;