import DataLoader from 'dataloader';
import type { BusinessMembership } from '../../../shared/types/auth.js';
import { TenantAwareDBClient } from '../../app-providers/tenant-db-client.js';
import { AuditLogsProvider } from '../../common/providers/audit-logs.provider.js';
import type { IInsertBusinessUserParams } from '../types.js';
import { AuthContextProvider } from './auth-context.provider.js';
import { Auth0ManagementProvider } from './auth0-management.provider.js';
/** A user linked to a business, enriched with their Auth0 identity. */
export type BusinessUserRecord = {
    id: string;
    email: string;
    name: string | null;
    roleId: string;
    createdAt: Date;
};
export declare class BusinessUsersProvider {
    private db;
    private authContextProvider;
    private auth0ManagementProvider;
    private auditLogsProvider;
    constructor(db: TenantAwareDBClient, authContextProvider: AuthContextProvider, auth0ManagementProvider: Auth0ManagementProvider, auditLogsProvider: AuditLogsProvider);
    private batchBusinessUsersByAuth0Ids;
    getBusinessUsersByAuth0IdsLoader: DataLoader<string, import("../types.js").IGetBusinessUsersByAuth0IdsResult[], string>;
    /**
     * Resolve every business membership for an authenticated Auth0 user.
     * Reuses the batching loader; returns an empty array when the user has no
     * memberships.
     */
    getMembershipsByAuth0UserId(auth0UserId: string): Promise<BusinessMembership[]>;
    insertBusinessUser(params: IInsertBusinessUserParams): Promise<import("../types.js").IInsertBusinessUserResult[]>;
    /**
     * List all users linked to the current business.
     * Restricted to business owners and strictly scoped to the caller's tenant.
     * Email/name are enriched from Auth0 (the identity system of record), with the
     * linked invitation email used as a fallback when an Auth0 lookup is unavailable.
     */
    listBusinessUsers(): Promise<BusinessUserRecord[]>;
    /**
     * Remove a user's membership from the current business.
     * Restricted to business owners and strictly scoped to the caller's tenant, so
     * a membership belonging to another business can never be removed. Deleting the
     * relation does not touch the user's global Auth0 identity.
     * Owners cannot remove themselves, which would cause an immediate self-lockout
     * (and orphan the tenant if they were the sole owner).
     * Returns false when no matching membership exists in the current business.
     */
    removeBusinessUser(userId: string): Promise<boolean>;
    private requireBusinessOwner;
}
