import type { Clock, GitHubInstallationRepository, InstallationPermissions } from '@cat-factory/kernel';
export interface GitHubAppAuthDependencies {
    appId: string;
    /** App private key in PKCS#8 PEM (`-----BEGIN PRIVATE KEY-----`). */
    privateKeyPem: string;
    installationRepository: GitHubInstallationRepository;
    clock: Clock;
    apiBase: string;
}
export declare class GitHubAppAuth {
    private readonly deps;
    private keyPromise?;
    constructor(deps: GitHubAppAuthDependencies);
    /** A short-lived RS256 JWT authenticating as the App. */
    appJwt(): Promise<string>;
    /**
     * A valid installation access token, minting + caching one if needed. Pass
     * `forceRefresh` to bypass the in-memory cache and mint a fresh token: a token
     * bakes in its repo set + permission scopes at mint time, so one minted before
     * the user granted the App access keeps reporting the old (no-write) grant for up
     * to ~1h. The fresh mint replaces the cached entry, so subsequent calls (and the
     * bootstrap push token, which reads the same cache) pick up the new grant too.
     */
    installationToken(installationId: number, opts?: {
        forceRefresh?: boolean;
    }): Promise<string>;
    /**
     * The permissions the installation token actually carries (App ∩ what the
     * install approved) — the source of truth for capability checks. Comes free
     * with the mint response and is cached alongside the token, so a warm process
     * answers without a network call. Used by the provisioner to guard privileged
     * actions (e.g. repo creation) before attempting them.
     */
    installationPermissions(installationId: number): Promise<InstallationPermissions>;
    private cachedToken;
    private mintInstallationToken;
    private importKey;
}
//# sourceMappingURL=GitHubAppAuth.d.ts.map