import type { Clock, GitHubInstallationRepository, InstallationPermissions } from '@cat-factory/kernel';
/**
 * Turn a failed installation-token mint into an actionable message (error-message coverage C3).
 * The App JWT → `/access_tokens` call is not a `VcsClient` request, so it doesn't route through
 * `describeVcsApiError`; this is the local equivalent for that one endpoint.
 *
 * IMPORTANT: the first line is UNCHANGED — `Failed to mint installation token for <id> (HTTP
 * <status>)` — because the stale-installation reconcile classifies purely by matching this phrase
 * (`isInstallationTokenGoneError` regex `/Failed to mint installation token .*\(HTTP (404|410)\)/`
 * and `isInstallationGoneError` `/\(HTTP (401|404|410)\)/` in `reconcileStaleRepos.ts`). We only
 * APPEND a cause + remedy so elaborating the text never changes classification. Exported for
 * unit testing, mirroring `explainMigrationFailure`.
 */
export declare function explainInstallationTokenMintFailure(installationId: number, status: number): string;
export interface GitHubAppAuthDependencies {
    appId: string;
    /** App private key in PKCS#8 PEM (`-----BEGIN PRIVATE KEY-----`). */
    privateKeyPem: string;
    installationRepository: GitHubInstallationRepository;
    clock: Clock;
    apiBase: string;
}
export declare class GitHubAppAuth {
    private readonly deps;
    private keyPromise?;
    constructor(deps: GitHubAppAuthDependencies);
    /** A short-lived RS256 JWT authenticating as the App. */
    appJwt(): Promise<string>;
    /**
     * A valid installation access token, minting + caching one if needed. Pass
     * `forceRefresh` to bypass the in-memory cache and mint a fresh token: a token
     * bakes in its repo set + permission scopes at mint time, so one minted before
     * the user granted the App access keeps reporting the old (no-write) grant for up
     * to ~1h. The fresh mint replaces the cached entry, so subsequent calls (and the
     * bootstrap push token, which reads the same cache) pick up the new grant too.
     */
    installationToken(installationId: number, opts?: {
        forceRefresh?: boolean;
        repositoryIds?: number[];
    }): Promise<string>;
    /**
     * The permissions the installation token actually carries (App ∩ what the
     * install approved) — the source of truth for capability checks. Comes free
     * with the mint response and is cached alongside the token, so a warm process
     * answers without a network call. Used by the provisioner to guard privileged
     * actions (e.g. repo creation) before attempting them.
     */
    installationPermissions(installationId: number): Promise<InstallationPermissions>;
    private cachedToken;
    private mintInstallationToken;
    private importKey;
}
//# sourceMappingURL=GitHubAppAuth.d.ts.map