@aigne/afs-dns 1.11.0-beta.10

package/dist/index.d.mts

@@ -0,0 +1,859 @@
+import { z } from "zod";
+import { Route53Client } from "@aws-sdk/client-route-53";
+import { AFSAccessMode, AFSDeleteOptions, AFSDeleteResult, AFSExplainResult, AFSListOptions, AFSListResult, AFSModule, AFSReadOptions, AFSReadResult, AFSSearchResult, AFSStatResult, AFSWriteEntryPayload, AFSWriteOptions, AFSWriteResult, ProviderManifest } from "@aigne/afs";
+
+//#region src/types/record.d.ts
+/**
+ * DNS Record Types
+ *
+ * Standard DNS record types following RFC specifications.
+ * These types are shared across all DNS provider implementations.
+ */
+/**
+ * Supported DNS record types
+ */
+type DNSRecordType = "A" | "AAAA" | "CNAME" | "MX" | "TXT" | "NS" | "SRV" | "CAA" | "PTR" | "SOA";
+/**
+ * MX record value with priority
+ */
+interface MXValue {
+  priority: number;
+  value: string;
+}
+/**
+ * SRV record value
+ */
+interface SRVValue {
+  priority: number;
+  weight: number;
+  port: number;
+  target: string;
+}
+/**
+ * CAA record value
+ */
+interface CAAValue {
+  flags: number;
+  tag: "issue" | "issuewild" | "iodef" | string;
+  value: string;
+}
+/**
+ * SOA record value (read-only)
+ */
+interface SOAValue {
+  mname: string;
+  rname: string;
+  serial: number;
+  refresh: number;
+  retry: number;
+  expire: number;
+  minimum: number;
+}
+/**
+ * Record values type - varies by record type
+ * - A, AAAA, NS, TXT, PTR: string[] (multiple values)
+ * - CNAME: string (single value, for type safety use string[] with one element)
+ * - MX: MXValue[]
+ * - SRV: SRVValue[]
+ * - CAA: CAAValue[]
+ * - SOA: SOAValue
+ */
+type DNSRecordValues = string | string[] | MXValue[] | SRVValue[] | CAAValue[] | SOAValue;
+/**
+ * A single DNS record
+ */
+interface DNSRecord {
+  type: DNSRecordType;
+  ttl: number;
+  values: DNSRecordValues;
+}
+/**
+ * A set of records for a single name (e.g., www.example.com)
+ */
+interface DNSRecordSet {
+  fqdn: string;
+  records: DNSRecord[];
+}
+interface ValidationResult {
+  valid: boolean;
+  error?: string;
+}
+/**
+ * Validate A record values
+ */
+declare function validateARecord(values: string[]): ValidationResult;
+/**
+ * Validate AAAA record values
+ */
+declare function validateAAAARecord(values: string[]): ValidationResult;
+/**
+ * Validate CNAME record value
+ */
+declare function validateCNAMERecord(value: string): ValidationResult;
+/**
+ * Validate MX record values
+ */
+declare function validateMXRecord(values: MXValue[]): ValidationResult;
+/**
+ * Validate TXT record values
+ */
+declare function validateTXTRecord(values: string[]): ValidationResult;
+/**
+ * Validate NS record values
+ */
+declare function validateNSRecord(values: string[]): ValidationResult;
+/**
+ * Validate SRV record values
+ */
+declare function validateSRVRecord(values: SRVValue[]): ValidationResult;
+/**
+ * Validate CAA record values
+ */
+declare function validateCAARecord(values: CAAValue[]): ValidationResult;
+/**
+ * Validate TTL value
+ */
+declare function validateTTL(ttl: number): ValidationResult;
+/**
+ * Record validation result with optional errors array
+ */
+interface RecordValidationResult {
+  valid: boolean;
+  errors?: string[];
+}
+/**
+ * Validate a complete DNS record
+ */
+declare function validateRecord(record: DNSRecord): RecordValidationResult;
+//#endregion
+//#region src/types/zone.d.ts
+/**
+ * DNS Zone Types
+ *
+ * Standard DNS zone type definitions shared across all providers.
+ */
+/**
+ * A DNS hosted zone
+ */
+interface DNSZone {
+  /** Domain name (e.g., "example.com") */
+  domain: string;
+  /** Provider-specific zone ID */
+  id: string;
+  /** Provider name (e.g., "route53", "cloudflare") */
+  provider: string;
+  /** Authoritative nameservers for this zone */
+  nameservers: string[];
+  /** When the zone was created */
+  createdAt?: Date;
+  /** Number of records in the zone */
+  recordCount?: number;
+}
+//#endregion
+//#region src/clouddns/adapter.d.ts
+/**
+ * Google Cloud DNS Zone interface (from @google-cloud/dns)
+ */
+interface CloudDNSZoneInterface {
+  name: string;
+  meta: {
+    dnsName: string;
+    id: string;
+    nameServers?: string[];
+    creationTime?: string;
+  };
+  getRecords(): Promise<[CloudDNSRecordInterface[]]>;
+  createChange(config: {
+    add?: CloudDNSRecordInterface | CloudDNSRecordInterface[];
+    delete?: CloudDNSRecordInterface | CloudDNSRecordInterface[];
+  }): Promise<[{
+    id: string;
+    status: string;
+  }]>;
+  record(type: string, config: {
+    name: string;
+    ttl: number;
+    data: string | string[];
+  }): CloudDNSRecordInterface;
+}
+/**
+ * Google Cloud DNS Record interface
+ */
+interface CloudDNSRecordInterface {
+  name: string;
+  type: string;
+  ttl: number;
+  data: string[];
+}
+/**
+ * Google Cloud DNS client interface (from @google-cloud/dns)
+ */
+interface CloudDNSClientInterface {
+  getZones(): Promise<[CloudDNSZoneInterface[]]>;
+  zone(name: string): CloudDNSZoneInterface | null;
+}
+interface CloudDNSAdapterOptions {
+  /** Google Cloud Project ID */
+  projectId?: string;
+  /** Path to service account key file */
+  keyFilename?: string;
+  /** Pre-configured client (for testing) */
+  client?: CloudDNSClientInterface;
+}
+declare class CloudDNSAdapter {
+  private client;
+  private zoneCache;
+  constructor(options?: CloudDNSAdapterOptions);
+  /**
+   * List all managed zones
+   */
+  listZones(): Promise<DNSZone[]>;
+  /**
+   * List all record names in a zone
+   */
+  listRecords(zoneDomain: string): Promise<string[]>;
+  /**
+   * Get all records for a specific name
+   */
+  getRecord(zoneDomain: string, name: string): Promise<DNSRecordSet>;
+  /**
+   * Get zone metadata
+   */
+  getZoneMetadata(zoneDomain: string): Promise<DNSZone>;
+  /**
+   * Set records for a name (create or update)
+   */
+  setRecord(zoneDomain: string, name: string, records: DNSRecord[], _options?: {
+    force?: boolean;
+  }): Promise<void>;
+  /**
+   * Delete records for a name
+   */
+  deleteRecord(zoneDomain: string, name: string, type?: string, _options?: {
+    force?: boolean;
+  }): Promise<void>;
+  /**
+   * Get zone by domain name
+   */
+  private getZone;
+  /**
+   * Extract record name from FQDN
+   */
+  private extractRecordName;
+  /**
+   * Parse Cloud DNS record to DNSRecord
+   */
+  private parseRecord;
+  /**
+   * Build Cloud DNS record from DNSRecord
+   */
+  private buildCloudRecord;
+}
+//#endregion
+//#region src/errors/index.d.ts
+/**
+ * DNS Provider Errors
+ *
+ * Custom error types and Route53 error mapping.
+ */
+declare class AFSDNSError extends Error {
+  readonly code: string;
+  readonly cause?: Error;
+  constructor(message: string, options?: {
+    code?: string;
+    cause?: Error;
+  });
+}
+declare class AFSDNSNotFoundError extends AFSDNSError {
+  constructor(message: string, options?: {
+    cause?: Error;
+  });
+}
+declare class AFSDNSPermissionDeniedError extends AFSDNSError {
+  constructor(message: string, options?: {
+    cause?: Error;
+  });
+}
+declare class AFSDNSRateLimitError extends AFSDNSError {
+  readonly retryAfter: number;
+  constructor(message: string, options?: {
+    cause?: Error;
+    retryAfter?: number;
+  });
+}
+declare class AFSDNSInvalidArgumentError extends AFSDNSError {
+  constructor(message: string, options?: {
+    cause?: Error;
+  });
+}
+declare class AFSDNSConflictError extends AFSDNSError {
+  constructor(message: string, options?: {
+    cause?: Error;
+  });
+}
+declare class AFSDNSNetworkError extends AFSDNSError {
+  constructor(message: string, options?: {
+    cause?: Error;
+  });
+}
+/**
+ * Map Route53 error to AFS DNS error
+ */
+declare function mapRoute53Error(error: Error): AFSDNSError;
+/**
+ * Check if an error is retryable
+ */
+declare function isRetryableError(error: Error): boolean;
+/**
+ * Sanitize error message to remove sensitive information
+ */
+declare function sanitizeErrorMessage(message: string): string;
+//#endregion
+//#region src/permissions/types.d.ts
+/**
+ * DNS Permission Types
+ *
+ * Defines dangerous operations and permission presets.
+ */
+/**
+ * Dangerous operations that are blocked by default
+ */
+type DangerousOperation = "modify_ns" | "modify_root" | "modify_wildcard" | "delete_zone";
+/**
+ * Permission presets
+ */
+type PermissionPreset = "safe" | "standard" | "full";
+/**
+ * Permission configuration
+ */
+interface PermissionConfig {
+  /** Preset mode */
+  preset?: PermissionPreset;
+  /** Explicit dangerous operation permissions */
+  dangerous?: Partial<Record<DangerousOperation, boolean>>;
+}
+/**
+ * Preset definitions
+ */
+declare const PRESETS: Record<PermissionPreset, {
+  allowDelete: boolean;
+  dangerous: Record<DangerousOperation, boolean>;
+}>;
+//#endregion
+//#region src/permissions/checker.d.ts
+/**
+ * Operation context for permission checking
+ */
+interface OperationContext {
+  /** Record name (e.g., "www", "@", "*") */
+  name: string;
+  /** Record type (e.g., "A", "NS") */
+  type?: string;
+  /** Operation type */
+  operation: "read" | "write" | "delete";
+}
+/**
+ * Permission check result
+ */
+interface PermissionResult {
+  allowed: boolean;
+  reason?: string;
+  requiredConfig?: string;
+  deniedOperation?: string;
+}
+/**
+ * Check if an operation is allowed
+ */
+declare function checkPermission(context: OperationContext, config: PermissionConfig): PermissionResult;
+/**
+ * Get effective permissions by merging preset with explicit config
+ */
+declare function getEffectivePermissions(config: PermissionConfig): {
+  allowDelete: boolean;
+  dangerous: Record<DangerousOperation, boolean>;
+};
+/**
+ * Detect if an operation is dangerous
+ */
+declare function detectDangerousOperation(context: OperationContext): DangerousOperation | null;
+/**
+ * Create a user-friendly error message for permission denial
+ */
+declare function formatPermissionError(result: PermissionResult): string;
+//#endregion
+//#region src/security/audit-log.d.ts
+/**
+ * Audit Logger
+ *
+ * Logs DNS write operations for security auditing.
+ */
+interface AuditLogEntry {
+  timestamp: number;
+  action: "create" | "update" | "delete" | "denied";
+  zone: string;
+  recordName: string;
+  recordType?: string;
+  values?: unknown[];
+  recordCount?: number;
+  operation?: string;
+  reason?: string;
+  context?: {
+    userId?: string;
+    sessionId?: string;
+    [key: string]: unknown;
+  };
+}
+interface AuditLogConfig {
+  /** Custom handler for log entries */
+  handler?: (entry: AuditLogEntry) => void;
+  /** Whether to mask sensitive values */
+  maskValues?: boolean;
+  /** Whether to store entries in memory */
+  storeInMemory?: boolean;
+  /** Maximum entries to keep in memory */
+  maxEntries?: number;
+}
+interface WriteLogParams {
+  zone: string;
+  recordName: string;
+  recordType: string;
+  action: "create" | "update";
+  values: unknown[];
+  context?: Record<string, unknown>;
+}
+interface DeleteLogParams {
+  zone: string;
+  recordName: string;
+  recordType?: string;
+  context?: Record<string, unknown>;
+}
+interface PermissionDeniedLogParams {
+  zone: string;
+  recordName: string;
+  operation: string;
+  reason: string;
+  context?: Record<string, unknown>;
+}
+declare class AuditLogger {
+  private readonly config;
+  private entries;
+  constructor(config?: AuditLogConfig);
+  /**
+   * Log a write operation
+   */
+  logWrite(params: WriteLogParams): void;
+  /**
+   * Log a delete operation
+   */
+  logDelete(params: DeleteLogParams): void;
+  /**
+   * Log a permission denied event
+   */
+  logPermissionDenied(params: PermissionDeniedLogParams): void;
+  /**
+   * Get recent log entries (if storeInMemory is enabled)
+   */
+  getRecentEntries(count: number): AuditLogEntry[];
+  /**
+   * Get entries by zone (if storeInMemory is enabled)
+   */
+  getEntriesByZone(zone: string): AuditLogEntry[];
+  /**
+   * Emit a log entry
+   */
+  private emit;
+  /**
+   * Mask sensitive values
+   */
+  private maskValues;
+  /**
+   * Mask sensitive parts of a string
+   */
+  private maskString;
+}
+//#endregion
+//#region src/types/adapter.d.ts
+/**
+ * DNS Adapter interface that all provider adapters must implement
+ */
+interface DNSAdapter {
+  /**
+   * List all zones available in the provider
+   */
+  listZones(): Promise<DNSZone[]>;
+  /**
+   * List all record names in a zone
+   */
+  listRecords(zoneDomain: string): Promise<string[]>;
+  /**
+   * Get all records for a specific name
+   */
+  getRecord(zoneDomain: string, name: string): Promise<DNSRecordSet>;
+  /**
+   * Get zone metadata
+   */
+  getZoneMetadata(zoneDomain: string): Promise<DNSZone>;
+  /**
+   * Set records for a name (create or update)
+   */
+  setRecord(zoneDomain: string, name: string, records: DNSRecord[], options?: {
+    force?: boolean;
+  }): Promise<void>;
+  /**
+   * Delete records for a name
+   */
+  deleteRecord(zoneDomain: string, name: string, type?: string, options?: {
+    force?: boolean;
+  }): Promise<void>;
+}
+//#endregion
+//#region src/provider/dns-provider.d.ts
+interface DNSProviderOptions {
+  /** Zone domain name (e.g., "example.com") */
+  zone: string;
+  /** DNS adapter (Route53, Cloud DNS, etc.) */
+  adapter: DNSAdapter;
+  /** Access mode (readonly or readwrite) */
+  accessMode?: AFSAccessMode;
+  /** Permission configuration for dangerous operations */
+  permissions?: PermissionConfig;
+  /** Audit logging configuration */
+  auditLog?: AuditLogConfig;
+  /** Enable rate limiting (default: true for Route53) */
+  rateLimiting?: boolean;
+}
+declare class DNSProvider implements AFSModule {
+  readonly name: string;
+  readonly description: string;
+  readonly accessMode: AFSAccessMode;
+  private zone;
+  private adapter;
+  private permissions;
+  private auditLogger;
+  private rateLimiter;
+  /**
+   * Schema for configuration validation
+   */
+  static schema(): z.ZodObject<{
+    zone: z.ZodString;
+  }, z.core.$strip>;
+  /**
+   * Provider manifest for URI-based discovery
+   */
+  static manifest(): ProviderManifest;
+  constructor(options: DNSProviderOptions);
+  list(path: string, options?: AFSListOptions): Promise<AFSListResult>;
+  read(path: string, _options?: AFSReadOptions): Promise<AFSReadResult>;
+  write(path: string, content: AFSWriteEntryPayload, _options?: AFSWriteOptions): Promise<AFSWriteResult>;
+  delete(path: string, _options?: AFSDeleteOptions): Promise<AFSDeleteResult>;
+  private normalizePath;
+  private extractRecordName;
+  private parsePathWithQuery;
+  /**
+   * Sanitize record values to prevent injection attacks
+   */
+  private sanitizeRecordValues;
+  /**
+   * Acquire rate limit token (waits if necessary)
+   */
+  private acquireRateLimit;
+  /**
+   * Extract values from a record for audit logging
+   */
+  private extractValues;
+  stat(path: string): Promise<AFSStatResult>;
+  explain(path: string): Promise<AFSExplainResult>;
+  private explainRoot;
+  private explainZone;
+  search(_path: string, query: string): Promise<AFSSearchResult>;
+  private readCapabilities;
+  private handleValidateZone;
+  private handleExportZone;
+}
+//#endregion
+//#region src/route53/adapter.d.ts
+interface Route53AdapterOptions {
+  /** AWS Region */
+  region?: string;
+  /** Custom endpoint (for LocalStack) */
+  endpoint?: string;
+  /** AWS Credentials */
+  credentials?: {
+    accessKeyId: string;
+    secretAccessKey: string;
+  };
+  /** Pre-configured client (for testing) */
+  client?: Route53Client;
+}
+declare class Route53Adapter {
+  private client;
+  private zoneIdCache;
+  constructor(options?: Route53AdapterOptions);
+  /**
+   * List all hosted zones
+   */
+  listZones(): Promise<DNSZone[]>;
+  /**
+   * List all record names in a zone
+   */
+  listRecords(zoneDomain: string): Promise<string[]>;
+  /**
+   * Get all records for a specific name
+   */
+  getRecord(zoneDomain: string, name: string): Promise<DNSRecordSet>;
+  /**
+   * Get zone metadata
+   */
+  getZoneMetadata(zoneDomain: string): Promise<DNSZone>;
+  /**
+   * Set records for a name (create or update)
+   */
+  setRecord(zoneDomain: string, name: string, records: DNSRecord[], _options?: {
+    force?: boolean;
+  }): Promise<void>;
+  /**
+   * Delete records for a name
+   */
+  deleteRecord(zoneDomain: string, name: string, type?: string, _options?: {
+    force?: boolean;
+  }): Promise<void>;
+  /**
+   * Get zone ID from domain name
+   */
+  private getZoneId;
+  /**
+   * Fetch all record sets for a zone (handles pagination)
+   */
+  private fetchAllRecordSets;
+  /**
+   * Build FQDN from name and zone
+   */
+  private buildFQDN;
+  /**
+   * Build Route53 ResourceRecordSet from DNSRecord
+   */
+  private buildResourceRecordSet;
+  /**
+   * Build Route53 ResourceRecords from DNSRecord values
+   */
+  private buildResourceRecords;
+}
+//#endregion
+//#region src/route53/parser.d.ts
+interface Route53HostedZone {
+  Id: string;
+  Name: string;
+  CallerReference: string;
+  Config: {
+    PrivateZone: boolean;
+    Comment?: string;
+  };
+  ResourceRecordSetCount?: number;
+}
+interface Route53ResourceRecord {
+  Value: string;
+}
+interface Route53AliasTarget {
+  HostedZoneId: string;
+  DNSName: string;
+  EvaluateTargetHealth: boolean;
+}
+interface Route53ResourceRecordSet {
+  Name: string;
+  Type: string;
+  TTL?: number;
+  ResourceRecords?: Route53ResourceRecord[];
+  AliasTarget?: Route53AliasTarget;
+  SetIdentifier?: string;
+  Weight?: number;
+  Region?: string;
+  GeoLocation?: Record<string, string>;
+  Failover?: string;
+  HealthCheckId?: string;
+}
+interface ParsedDNSRecord extends DNSRecord {
+  alias?: {
+    hostedZoneId: string;
+    dnsName: string;
+    evaluateTargetHealth: boolean;
+  };
+}
+interface ParsedRecordSet {
+  name: string;
+  records: ParsedDNSRecord[];
+}
+/**
+ * Parse Route53 hosted zones into DNSZone format
+ */
+declare function parseHostedZones(zones: Route53HostedZone[]): DNSZone[];
+/**
+ * Parse Route53 resource record sets into grouped records by name
+ */
+declare function parseResourceRecordSets(recordSets: Route53ResourceRecordSet[], zoneName: string): ParsedRecordSet[];
+/**
+ * Normalize a Route53 record name to our format
+ *
+ * - Removes trailing dot
+ * - Converts apex to @
+ * - Extracts subdomain part
+ */
+declare function normalizeRecordName(fqdn: string, zoneName: string): string;
+//#endregion
+//#region src/security/input-sanitizer.d.ts
+/**
+ * Input Sanitizer
+ *
+ * Sanitizes DNS record values to prevent injection attacks.
+ */
+interface SanitizeResult {
+  valid: boolean;
+  value?: string;
+  error?: string;
+}
+/**
+ * Sanitize a TXT record value
+ */
+declare function sanitizeTXTValue(value: string): string;
+/**
+ * Reject strings containing null bytes
+ */
+declare function rejectNullBytes(value: string | string[]): void;
+/**
+ * Validate input length based on type
+ */
+declare function validateInputLength(value: string, type: "domain" | "label" | "txt"): {
+  valid: boolean;
+  error?: string;
+};
+/**
+ * Escape special characters based on record type
+ */
+declare function escapeSpecialCharacters(value: string, recordType: string): string;
+/**
+ * Sanitize a record value based on type
+ */
+declare function sanitizeRecordValue(value: string, recordType: string): SanitizeResult;
+//#endregion
+//#region src/security/rate-limiter.d.ts
+/**
+ * Rate Limiter
+ *
+ * Implements rate limiting for Route53 API calls.
+ * Route53 allows 5 requests per second per account.
+ */
+interface RateLimiterConfig {
+  /** Maximum requests per window */
+  maxRequests: number;
+  /** Window size in milliseconds */
+  windowMs: number;
+  /** Whether to queue requests instead of rejecting */
+  queueRequests?: boolean;
+}
+declare class RateLimiter {
+  private tokens;
+  private lastRefill;
+  private readonly config;
+  private queue;
+  constructor(config: RateLimiterConfig);
+  /**
+   * Try to acquire a token without waiting
+   * @returns true if token acquired, false if rate limited
+   */
+  tryAcquire(): Promise<boolean>;
+  /**
+   * Acquire a token, waiting if necessary
+   * Only works if queueRequests is enabled
+   */
+  acquire(): Promise<void>;
+  /**
+   * Get remaining tokens
+   */
+  getRemaining(): number;
+  /**
+   * Get time until next refill in milliseconds
+   */
+  getResetTime(): number;
+  /**
+   * Refill tokens based on elapsed time
+   */
+  private refillTokens;
+  /**
+   * Schedule processing of queued requests
+   */
+  private scheduleQueueProcessing;
+  /**
+   * Process queued requests
+   */
+  private processQueue;
+}
+/**
+ * Create a rate limiter with Route53 defaults
+ */
+declare function createRoute53RateLimiter(overrides?: Partial<RateLimiterConfig>): RateLimiter;
+//#endregion
+//#region src/validation/name-validator.d.ts
+/**
+ * Validate a domain name per RFC 1035
+ *
+ * @param domain - Domain name to validate (e.g., "example.com")
+ * @returns Validation result
+ */
+declare function validateDomainName(domain: string): ValidationResult;
+/**
+ * Normalize a domain name to lowercase
+ *
+ * DNS is case-insensitive per RFC 1035.
+ *
+ * @param domain - Domain name to normalize
+ * @returns Normalized lowercase domain name
+ */
+declare function normalizeDomainName(domain: string): string;
+/**
+ * Validate a record name within a zone
+ *
+ * Record names can be:
+ * - @ for apex (root domain)
+ * - * for wildcard
+ * - *.subdomain for scoped wildcard
+ * - Simple names like "www", "api"
+ * - Multi-level like "blog.dev"
+ * - Service records like "_dmarc", "_acme-challenge"
+ *
+ * @param name - Record name to validate
+ * @param zone - The zone this record belongs to
+ * @returns Validation result
+ */
+declare function validateRecordName(name: string, zone: string): ValidationResult;
+//#endregion
+//#region src/validation/write-validator.d.ts
+interface WriteValidationResult {
+  valid: boolean;
+  error?: string;
+}
+/**
+ * Validate a complete write operation
+ */
+declare function validateWriteOperation(recordName: string, records: DNSRecord[]): WriteValidationResult;
+/**
+ * Validate a record set (array of records)
+ */
+declare function validateRecordSet(records: DNSRecord[]): WriteValidationResult;
+/**
+ * Check for CNAME conflicts - CNAME cannot coexist with other record types
+ */
+declare function checkCNAMEConflict(records: DNSRecord[]): WriteValidationResult;
+/**
+ * Check CNAME at apex - CNAME is not allowed at the root domain
+ */
+declare function checkCNAMEAtApex(recordName: string, records: DNSRecord[]): WriteValidationResult;
+/**
+ * Check SOA protection - SOA records cannot be written
+ */
+declare function checkSOAProtection(records: DNSRecord[]): WriteValidationResult;
+/**
+ * Check for duplicate values within records
+ */
+declare function checkDuplicateValues(records: DNSRecord[]): WriteValidationResult;
+//#endregion
+export { AFSDNSConflictError, AFSDNSError, AFSDNSInvalidArgumentError, AFSDNSNetworkError, AFSDNSNotFoundError, AFSDNSPermissionDeniedError, AFSDNSRateLimitError, AuditLogConfig, AuditLogEntry, AuditLogger, CAAValue, CloudDNSAdapter, CloudDNSAdapterOptions, DNSAdapter, DNSProvider, DNSProviderOptions, DNSRecord, DNSRecordSet, DNSRecordType, DNSRecordValues, DNSZone, DangerousOperation, DeleteLogParams, MXValue, OperationContext, PRESETS, ParsedDNSRecord, ParsedRecordSet, PermissionConfig, PermissionDeniedLogParams, PermissionPreset, PermissionResult, RateLimiter, RateLimiterConfig, RecordValidationResult, Route53Adapter, Route53AdapterOptions, Route53AliasTarget, Route53HostedZone, Route53ResourceRecord, Route53ResourceRecordSet, SOAValue, SRVValue, SanitizeResult, ValidationResult, WriteLogParams, WriteValidationResult, checkCNAMEAtApex, checkCNAMEConflict, checkDuplicateValues, checkPermission, checkSOAProtection, createRoute53RateLimiter, detectDangerousOperation, escapeSpecialCharacters, formatPermissionError, getEffectivePermissions, isRetryableError, mapRoute53Error, normalizeDomainName, normalizeRecordName, parseHostedZones, parseResourceRecordSets, rejectNullBytes, sanitizeErrorMessage, sanitizeRecordValue, sanitizeTXTValue, validateAAAARecord, validateARecord, validateCAARecord, validateCNAMERecord, validateDomainName, validateInputLength, validateMXRecord, validateNSRecord, validateRecord, validateRecordName, validateRecordSet, validateSRVRecord, validateTTL, validateTXTRecord, validateWriteOperation };
+//# sourceMappingURL=index.d.mts.map