import type { RawAuth } from '../../../plugins/auth-plugin.js';
import type { AuthContext } from '../../../shared/types/auth.js';
import type { Environment } from '../../../shared/types/index.js';
import { DBProvider } from '../../app-providers/db.provider.js';
type QueryableDB = Pick<DBProvider, 'query'>;
export declare function handleDevBypassAuth(db: QueryableDB, userId: string): Promise<AuthContext | null>;
export declare class AuthContextProvider {
    private env;
    private rawAuth;
    private db;
    private cachedContext;
    private handlingAuth;
    constructor(env: Environment, rawAuth: RawAuth, db: DBProvider);
    getJwtIdentity(): Promise<{
        auth0UserId: string;
        email: string | null;
        emailVerified: boolean;
    } | null>;
    getAuthContext(): Promise<AuthContext | null>;
    /**
     * Resolve the request's read scope and attach it to the context.
     *
     * - Defaults to every business the user belongs to.
     * - When a valid `X-Business-Scope` header is present, narrows to that subset;
     *   rejects (returns null) if it requests a business outside the memberships
     *   or if the header was malformed.
     * - API keys are pinned to their single business and ignore the header.
     */
    private applyRequestedReadScope;
    private handleDevBypassAuth;
    private handleApiKeyAuth;
    private resolveApiKeyContext;
    private handleGatewayControlPlaneAuth;
    private handleJwtAuth;
    private mapAuth0UserToLocal;
}
export {};
