import { Address, Hex, WebCryptoP256 } from 'ox';
import { KeyAuthorization } from 'ox/tempo';
import type { Client, Transport } from 'viem';
import { Account as TempoAccount } from 'viem/tempo';
import type { OneOf } from '../internal/types.js';
import type * as Store from './Store.js';
/** Access-key publication states. */
export declare const status: {
    /** No matching usable access key was found. */
    readonly missing: "missing";
    /** A matching key exists locally and still needs its first transaction to publish the authorization. */
    readonly pending: "pending";
    /** A matching key exists on-chain and can be used. */
    readonly published: "published";
    /** A matching key exists but is past its expiry. */
    readonly expired: "expired";
};
/** Publication state for an access key. */
export type Status = (typeof status)[keyof typeof status];
/** Access key entry stored alongside accounts. */
export type AccessKey = {
    /** Access key address. */
    address: Address.Address;
    /** Owner of the access key. */
    access: Address.Address;
    /** Chain ID this access key authorization is scoped to. */
    chainId: number;
    /** Unix timestamp when the access key expires. */
    expiry?: number | undefined;
    /** Signed key authorization to attach to the first transaction. Consumed on use. */
    keyAuthorization?: KeyAuthorization.Signed | undefined;
    /** Key type. */
    keyType: 'secp256k1' | 'p256' | 'webAuthn' | 'webCrypto';
    /** TIP-20 spending limits for the access key. */
    limits?: {
        token: Address.Address;
        limit: bigint;
        period?: number | undefined;
    }[] | undefined;
    /** Call scopes restricting which contracts/selectors this key can call. */
    scopes?: {
        address: Address.Address;
        selector?: Hex.Hex | string | undefined;
        recipients?: readonly Address.Address[] | undefined;
    }[] | undefined;
} & OneOf<{} | {
    /** The exported private key backing the access key. */
    privateKey: Hex.Hex;
} | {
    /** The WebCrypto key pair backing the access key. */
    keyPair: Awaited<ReturnType<typeof WebCryptoP256.createKeyPair>>;
}>;
/** Returns the pending key authorization for an access key account without removing it. */
export declare function getPending(account: TempoAccount.Account, options: {
    store: Store.Store;
}): KeyAuthorization.Signed | undefined;
/** Generates a P256 key pair and access key account. */
export declare function generate(options?: generate.Options): Promise<generate.ReturnType>;
export declare namespace generate {
    type Options = {
        /** Root account to attach to the access key. */
        account?: TempoAccount.Account | undefined;
    };
    type ReturnType = {
        /** The generated access key account. */
        accessKey: TempoAccount.AccessKeyAccount;
        /** Generated key pair to pass to `authorizeAccessKey`. */
        keyPair: Awaited<globalThis.ReturnType<typeof WebCryptoP256.createKeyPair>>;
    };
}
/** Prepares an unsigned key authorization and local key material when needed. */
export declare function prepareAuthorization(options: prepareAuthorization.Options): Promise<prepareAuthorization.ReturnType>;
export declare namespace prepareAuthorization {
    /** Options for {@link prepareAuthorization}. */
    type Options = {
        /** External access key address. Alternative to `publicKey`. */
        address?: Address.Address | undefined;
        /** Chain ID the key authorization is scoped to. */
        chainId: bigint | number;
        /** Unix timestamp when the key expires. */
        expiry: number;
        /** External key type. Defaults to `secp256k1` for external keys. */
        keyType?: 'secp256k1' | 'p256' | 'webAuthn' | undefined;
        /** TIP-20 spending limits for this key. */
        limits?: readonly KeyAuthorization.TokenLimit[] | undefined;
        /** External public key to derive the access key address from. */
        publicKey?: Hex.Hex | undefined;
        /** Call scopes restricting which contracts/selectors this key can call. */
        scopes?: readonly KeyAuthorization.Scope[] | undefined;
    };
    /** Prepared unsigned key authorization and optional local key material. */
    type ReturnType = {
        /** Unsigned key authorization to sign with the root account. */
        keyAuthorization: KeyAuthorization.KeyAuthorization<false>;
        /** Generated WebCrypto key pair for local access keys. */
        keyPair?: Awaited<globalThis.ReturnType<typeof WebCryptoP256.createKeyPair>> | undefined;
    };
}
/** Saves a prepared access key authorization with an existing signature. */
export declare function saveAuthorization(options: saveAuthorization.Options): saveAuthorization.ReturnType;
export declare namespace saveAuthorization {
    /** Options for {@link saveAuthorization}. */
    type Options = {
        /** Root account address that owns this access key. */
        address: Address.Address;
        /** Prepared unsigned key authorization returned by {@link prepareAuthorization}. */
        prepared: prepareAuthorization.ReturnType;
        /** Signature over the key authorization digest. */
        signature: Hex.Hex;
        /** Reactive state store. */
        store: Store.Store;
    };
    /** Signed key authorization in RPC form. */
    type ReturnType = KeyAuthorization.Rpc;
}
/** Prepares, signs, and saves an access key authorization. */
export declare function authorize(options: authorize.Options): Promise<authorize.ReturnType>;
export declare namespace authorize {
    /** Options for {@link authorize}. */
    type Options = {
        /** Root account that owns this access key and signs its authorization. */
        account: TempoAccount.Account;
        /** Default chain ID for the authorization when `parameters.chainId` is not set. */
        chainId: bigint | number;
        /** Access key authorization parameters. */
        parameters: Omit<prepareAuthorization.Options, 'chainId'> & {
            /** Chain ID the key authorization is scoped to. */
            chainId?: bigint | number | undefined;
        };
        /** Reactive state store. */
        store: Store.Store;
    };
    /** Signed key authorization in RPC form. */
    type ReturnType = KeyAuthorization.Rpc;
}
/** Hydrates an access key entry to a viem Account. Only works for locally-generated keys. */
export declare function hydrate(accessKey: AccessKey): TempoAccount.Account;
/** Removes an access key entry for the given account from the store. */
export declare function remove(account: TempoAccount.Account, options: {
    store: Store.Store;
}): void;
/** Invalidates a stored access key when the error proves it is no longer usable. */
export declare function invalidate(account: TempoAccount.Account, error: unknown, options: invalidate.Options): boolean;
export declare namespace invalidate {
    /** Options for {@link invalidate}. */
    type Options = {
        /** Reactive state store. */
        store: Store.Store;
    };
}
/** Permanently removes the pending key authorization for an access key account. */
export declare function removePending(account: TempoAccount.Account, options: {
    store: Store.Store;
}): void;
/** Selects and hydrates a locally-signable access key account for a root account. */
export declare function selectAccount(options: selectAccount.Options): TempoAccount.AccessKeyAccount | undefined;
export declare namespace selectAccount {
    /** Options for {@link selectAccount}. */
    type Options = {
        /** Root account address. */
        address: Address.Address;
        /** Calls to match against access key scopes. */
        calls?: readonly {
            to?: Address.Address | undefined;
            data?: Hex.Hex | undefined;
        }[] | undefined;
        /** Chain ID the access key must be authorized on. */
        chainId: number;
        /** Reactive state store. */
        store: Store.Store;
    };
}
/** Returns publication status for a stored or on-chain access key. */
export declare function getStatus(options: getStatus.Options): Promise<getStatus.ReturnType>;
export declare namespace getStatus {
    /** Options for {@link getStatus}. */
    type Options = {
        /** Root account address that owns the access key. */
        address: Address.Address;
        /** Specific access key address to query. When omitted, the first locally matching key is used. */
        accessKey?: Address.Address | undefined;
        /** Calls to match against access key scopes. */
        calls?: readonly {
            to?: Address.Address | undefined;
            data?: Hex.Hex | undefined;
        }[] | undefined;
        /** Chain ID the access key must be authorized on. */
        chainId: number;
        /** Client used to verify published state on-chain. */
        client?: Client<Transport> | undefined;
        /** Current Unix timestamp in seconds. Defaults to `Date.now() / 1000`. */
        now?: number | undefined;
        /** Reactive state store. */
        store: Store.Store;
    };
    /** Access-key publication status. */
    type ReturnType = Status;
}
/** Removes an access key from the store. */
export declare function revoke(options: revoke.Options): void;
export declare namespace revoke {
    type Options = {
        /** Root account address. */
        address: Address.Address;
        /** Reactive state store. */
        store: Store.Store;
    };
}
/** Saves an access key to the store with its one-time key authorization. */
export declare function save(options: save.Options): void;
export declare namespace save {
    type Options = {
        /** Root account address that owns this access key. */
        address: Address.Address;
        /** Signed key authorization to attach to the first transaction. */
        keyAuthorization: KeyAuthorization.Signed;
        /** The exported private key backing the access key. */
        privateKey?: Hex.Hex | undefined;
        /** The WebCrypto key pair backing the access key. Only present for locally-generated keys. */
        keyPair?: Awaited<ReturnType<typeof WebCryptoP256.createKeyPair>> | undefined;
        /** Reactive state store. */
        store: Store.Store;
    };
}
//# sourceMappingURL=AccessKey.d.ts.map