/**
 * Ed25519 key management for Permission Slip.
 *
 * Keys are stored in OpenSSH format:
 *   Private: ~/.ssh/permission_slip_agent
 *   Public:  ~/.ssh/permission_slip_agent.pub
 *
 * We use Node's built-in `crypto` module and `child_process` (ssh-keygen) to
 * generate the key pair, matching the existing manual flow agents used to do.
 */
import crypto from "node:crypto";
export interface KeyPair {
    privateKeyFile: string;
    publicKey: string;
}
/**
 * Returns true if a Permission Slip key pair already exists.
 */
export declare function keyPairExists(): boolean;
/**
 * Reads the public key from disk.
 * Returns the full "ssh-ed25519 AAAA..." string (just key type + base64, no comment).
 */
export declare function readPublicKey(): string;
/**
 * Loads the private key from disk as a Node KeyObject.
 *
 * Supports both PKCS8 PEM (`-----BEGIN PRIVATE KEY-----`, what Node natively
 * understands) and the OpenSSH native format (`-----BEGIN OPENSSH PRIVATE KEY-----`,
 * what `ssh-keygen` produces by default). For OpenSSH keys, the 32-byte ed25519
 * seed is extracted manually and converted to a JWK before construction.
 */
export declare function loadPrivateKey(): crypto.KeyObject;
/**
 * Generates a new Ed25519 key pair using ssh-keygen and saves it to
 * ~/.ssh/permission_slip_agent{,.pub}.
 *
 * Throws if ssh-keygen is not available or if keys already exist and
 * overwrite is false.
 */
export declare function generateKeyPair(overwrite?: boolean): KeyPair;
/**
 * Returns a path relative to home for display purposes.
 */
export declare function displayPath(absPath: string): string;
//# sourceMappingURL=keys.d.ts.map