/**
 * Dual-mode authentication middleware for PRD #380.
 *
 * Validates Bearer tokens in two modes:
 * 1. JWT (HMAC-SHA256) — returns UserIdentity when valid
 * 2. Legacy DOT_AI_AUTH_TOKEN — constant-time comparison fallback
 *
 * All existing tests continue to pass because the legacy path is preserved.
 */
import { IncomingMessage } from 'node:http';
import type { AuthResult } from './types';
/**
 * Check Bearer token authentication (dual-mode: JWT + legacy token).
 *
 * Order: JWT verification first, legacy DOT_AI_AUTH_TOKEN fallback second.
 * When neither auth method is configured, authentication is disabled (backward compatible).
 *
 * Security notes (declaration only; the implementation is not visible in this file):
 * - Fail-open default: with no auth method configured the check is documented as
 *   disabled. Deployments reachable beyond localhost should consult isAuthEnabled()
 *   at startup and warn or refuse to start. TODO confirm what AuthResult contains
 *   in the disabled case.
 * - NOTE(review): the JWT mode is documented as HMAC-SHA256. Confirm the verifier
 *   pins the accepted algorithm instead of trusting the token header's `alg`, and
 *   that expiry is enforced.
 * - NOTE(review): a token that fails JWT verification presumably falls through to
 *   the legacy comparison. Confirm the legacy path yields no UserIdentity, so
 *   per-user authorization and audit logging do not rely on it.
 *
 * @param req - The incoming HTTP request (presumably the Bearer token is read from
 *   its Authorization header; verify against the implementation)
 * @returns AuthResult with optional UserIdentity when JWT auth succeeds
 */
export declare function checkBearerAuth(req: IncomingMessage): AuthResult;
/**
 * Check if authentication is enabled.
 * True when either legacy token or JWT secret is configured.
 *
 * A `false` result corresponds to the documented "authentication is disabled"
 * mode of checkBearerAuth, so it is the value to check (and surface in logs)
 * before exposing the server to untrusted networks.
 * NOTE(review): presumably this reads configuration such as DOT_AI_AUTH_TOKEN at
 * call time; confirm whether an empty-string value counts as "configured".
 *
 * @returns true when at least one auth method is configured, false otherwise
 */
export declare function isAuthEnabled(): boolean;
//# sourceMappingURL=middleware.d.ts.map