import * as plugins from '../../plugins.js';
import { SharedRouteManager as RouteManager } from '../../core/routing/route-manager.js';
import type { ISmartProxyOptions, ISmartProxySecurityPolicy, IActiveConnectionSnapshot, IActiveConnectionSnapshotOptions } from './models/interfaces.js';
import type { IRouteConfig } from './models/route-types.js';
import type { IMetrics } from './models/metrics-types.js';
import type { IRustCertificateStatus, IRustStatistics } from './models/rust-types.js';
/** Local alias for the `IChallengeProvider` type reached through `plugins.smartchallenge`; not exported from this module. */
type TChallengeProvider = plugins.smartchallenge.IChallengeProvider;
/**
 * SmartProxy - Rust-backed proxy engine with TypeScript configuration API.
 *
 * All networking (TCP, TLS, HTTP reverse proxy, connection management, security)
 * is handled by the Rust binary. TypeScript is only:
 * - The npm module interface (types, route helpers)
 * - The thin IPC wrapper (this class)
 * - Socket-handler callback relay (for JS-defined handlers)
 * - Certificate provisioning callbacks (certProvisionFunction)
 *
 * This is a declaration only; the method bodies are not part of this file.
 * Members marked `private` are a compile-time restriction: TypeScript erases the
 * modifier, so it is not a runtime isolation boundary for the bridge, the relay
 * servers or the registered challenge providers.
 */
export declare class SmartProxy extends plugins.EventEmitter {
    /**
     * Options the proxy was constructed with.
     * NOTE(review): public and mutable; this declaration does not show whether edits made
     * after start() reach the Rust engine - confirm, and prefer updateRoutes() /
     * updateSecurityPolicy() for runtime changes.
     */
    settings: ISmartProxyOptions;
    /** Shared route manager instance; public and mutable like `settings`. */
    routeManager: RouteManager;
    // Private state below is declared without types (declaration files omit them).
    // Roles are inferred from the member names and the class comment - confirm against the implementation.
    /** Presumably the IPC bridge to the Rust binary. */
    private bridge;
    private preprocessor;
    /** Presumably the relay server for JS-defined socket handlers. */
    private socketHandlerServer;
    /** Presumably the relay server for JS-defined datagram handlers. */
    private datagramHandlerServer;
    /** Presumably the relay that lets the Rust engine reach registered challenge providers. */
    private challengeProviderRelayServer;
    /** Presumably the registry filled by registerChallengeProvider(). */
    private challengeProviders;
    private challengeRuntimeOptions?;
    private metricsAdapter;
    private nftablesManager;
    /** Presumably serializes concurrent route updates - confirm. */
    private routeUpdateLock;
    /** Presumably set while stop() is in progress; see the shutdown checks mentioned on provisionSingleDomain. */
    private stopping;
    private certProvisionPromise;
    /**
     * @param settingsArg Proxy options (routes, callbacks and related settings per ISmartProxyOptions).
     */
    constructor(settingsArg: ISmartProxyOptions);
    /**
     * Register a runtime challenge provider family. Routes reference providerId + challengeType;
     * deployment wiring and provider secrets stay outside route configs.
     *
     * @param providerId Identifier that routes use to refer to this provider.
     * @param provider Provider implementation; holds the secrets and wiring that must not appear in route configs.
     */
    registerChallengeProvider(providerId: string, provider: TChallengeProvider): void;
    /**
     * Start the proxy.
     * Spawns the Rust binary, configures socket relay if needed, sends routes, handles cert provisioning.
     *
     * @returns Promise that settles once startup has finished or failed.
     */
    start(): Promise<void>;
    /**
     * Stop the proxy.
     */
    stop(): Promise<void>;
    /**
     * Update routes atomically.
     *
     * @param newRoutes Route configurations to apply.
     * NOTE(review): whether a rejected update leaves the previous routes active is not
     * visible in this declaration - confirm before relying on it.
     */
    updateRoutes(newRoutes: IRouteConfig[]): Promise<void>;
    /**
     * Update the global ingress security policy without changing routes.
     * The Rust engine applies this before route selection and backend connection.
     *
     * @param policy New global policy.
     * NOTE(review): this declaration does not show whether the previous policy stays in
     * force when the promise rejects, or whether already-established connections are
     * re-evaluated - confirm both before treating a call as an immediate block.
     */
    updateSecurityPolicy(policy: ISmartProxySecurityPolicy): Promise<void>;
    /**
     * Provision a certificate for a named route.
     *
     * @param routeName Name of the route to provision for.
     */
    provisionCertificate(routeName: string): Promise<void>;
    /**
     * Force renewal of a certificate.
     *
     * @param routeName Name of the route whose certificate is renewed.
     */
    renewCertificate(routeName: string): Promise<void>;
    /**
     * Get certificate status for a route (async - calls Rust).
     *
     * @param routeName Name of the route to query.
     * @returns The status, or `null` (presumably when no certificate is known for the route - confirm).
     */
    getCertificateStatus(routeName: string): Promise<IRustCertificateStatus | null>;
    /**
     * Get the metrics interface.
     */
    getMetrics(): IMetrics;
    /**
     * Get sanitized active connection snapshots from the Rust engine.
     *
     * @param options Optional snapshot options.
     * NOTE(review): which fields "sanitized" removes is not visible here; check
     * IActiveConnectionSnapshot before forwarding snapshots to logs or dashboards.
     */
    getActiveConnectionSnapshots(options?: IActiveConnectionSnapshotOptions): Promise<IActiveConnectionSnapshot[]>;
    /**
     * Get statistics (async - calls Rust).
     */
    getStatistics(): Promise<IRustStatistics>;
    /**
     * Add a listening port at runtime.
     * Opening a port widens the proxy's network exposure; callers should treat this as a
     * privileged operation.
     *
     * @param port Port number to start listening on.
     */
    addListeningPort(port: number): Promise<void>;
    /**
     * Remove a listening port at runtime.
     *
     * @param port Port number to stop listening on.
     */
    removeListeningPort(port: number): Promise<void>;
    /**
     * Get all currently listening ports (async - calls Rust).
     */
    getListeningPorts(): Promise<number[]>;
    /**
     * Get eligible domains for ACME certificates (sync - reads local routes).
     */
    getEligibleDomainsForCertificates(): string[];
    /**
     * Get NFTables status.
     *
     * @returns The status, or `null` (presumably when no NFTables manager is active - confirm).
     */
    getNfTablesStatus(): plugins.smartnftables.INftStatus | null;
    /** Presumably releases relay servers and the bridge when start() fails part-way - confirm. */
    private cleanupRuntimeResourcesAfterStartFailure;
    /**
     * Apply NFTables rules for routes using the nftables forwarding engine.
     */
    private applyNftablesRules;
    /**
     * Build the Rust configuration object from TS settings.
     */
    private buildRustConfig;
    // Challenge-route helpers. Judging by the names and the registerChallengeProvider contract,
    // these presumably reject route configs that embed provider secrets or runtime values -
    // TODO confirm against the implementation; nothing in this declaration establishes it.
    private hasChallengeRoutes;
    private ensureChallengeProviderRelay;
    private validateChallengeRoutes;
    private validateChallengeIntentShape;
    private validateAllowedChallengeKeys;
    private isPlainRecord;
    private collectForbiddenChallengeKeys;
    private looksLikeRuntimeChallengeValue;
    /**
     * For routes with certificate: 'auto', call certProvisionFunction if set.
     * If the callback returns a cert object, load it into Rust.
     * If it returns 'http01', let Rust handle ACME.
     */
    private provisionCertificatesViaCallback;
    /**
     * Provision a single domain's certificate via the callback.
     * Includes per-domain timeout and shutdown checks.
     */
    private provisionSingleDomain;
    /**
     * Race a promise against a timeout. Rejects with the given message if the timeout fires first.
     * NOTE(review): a race alone does not cancel the losing promise; whether the underlying
     * work is aborted on timeout is not visible here.
     */
    private withTimeout;
    /**
     * Normalize routing glob patterns into valid domain identifiers for cert provisioning.
     * - `*nevermind.cloud` → `['nevermind.cloud', '*.nevermind.cloud']`
     * - `*.lossless.digital` → `['*.lossless.digital']` (already valid wildcard)
     * - `code.foss.global` → `['code.foss.global']` (plain domain)
     * - `*mid*.example.com` → skipped with warning (unsupported glob)
     *
     * NOTE(review): a routing glob such as `*nevermind.cloud` presumably also matches hosts
     * outside the apex and its subdomains, which the normalized names above do not cover -
     * confirm the routing glob semantics when reviewing which hosts a route accepts.
     */
    private normalizeDomainsForCertProvisioning;
    /** Presumably the syntax check applied to normalized names before provisioning - confirm. */
    private isValidDomain;
}
// Empty export list: adds no exports of its own. In a declaration file it marks that only
// explicitly exported names (here SmartProxy) are public, so TChallengeProvider stays internal.
export {};
