import { type Policy, type Statement } from '@cloud-copilot/iam-policy';
import { Permission, type PermissionEffect } from './permission.js';
/**
 * A collection of permissions that all share a single effect (Allow or Deny).
 * Used to represent things like "all the allowed permissions in a set of SCPs"
 * and "all the denies that apply to a principal".
 *
 * This is a declaration file: only signatures are visible here, so the items marked
 * NOTE(review) below are open questions to confirm against the implementation
 * before relying on this class for access decisions.
 */
export declare class PermissionSet {
    /** The effect this set represents; fixed at construction (readonly). */
    readonly effect: PermissionEffect;
    /** Internal storage for the permissions; its shape is not visible in this declaration. */
    private permissions;
    /**
     * Create an empty set for the given effect.
     *
     * @param effect the effect (Allow or Deny) that this set represents
     */
    constructor(effect: PermissionEffect);
    /**
     * Add a new permission to the set.  If the new permission overlaps with an existing one,
     * they will be unioned together to avoid redundancy.
     *
     * NOTE(review): no `@throws` is declared here, so it is not visible whether a permission
     * whose effect differs from `this.effect` is rejected. Confirm; mixing effects in one
     * set would make every downstream evaluation unreliable.
     *
     * @param newPermission the permission to add
     */
    addPermission(newPermission: Permission): void;
    /**
     * Get the permissions for a specific service and action.
     *
     * NOTE(review): matching rules (case sensitivity, wildcard patterns such as "s3:*")
     * are not visible here. IAM action names are case-insensitive, so confirm how
     * `service` and `action` are normalised before treating an empty result as "no access".
     *
     * @param service the service to get permissions for
     * @param action the action to get permissions for
     * @returns the permissions that match the service and action
     */
    getPermissions(service: string, action: string): Permission[];
    /**
     * Check if the permission set has any permissions for a specific service
     *
     * @param service the service to check permissions for
     * @returns true if the permission set has permissions for the service, false otherwise
     */
    hasService(service: string): boolean;
    /**
     * Check if the permission set has any permissions for a specific action
     *
     * @param service the service the action belongs to
     * @param action the action to check permissions for
     * @returns true if the permission set has permissions for the action, false otherwise
     */
    hasAction(service: string, action: string): boolean;
    /**
     * Check if the permission set is empty (has no permissions)
     * @returns true if the permission set is empty, false otherwise
     */
    isEmpty(): boolean;
    /**
     * Get all the permissions in the permission set
     *
     * NOTE(review): whether the returned array holds the same Permission instances
     * (shallow copy) or new ones is not visible here. Use `clone()` when a deep copy is required.
     *
     * @returns a copy of all the permissions in the permission set
     */
    getAllPermissions(): Permission[];
    /**
     * Return a new PermissionSet containing the intersection of this set and another.
     * Only permissions that overlap (same effect, service, action, and intersecting resources/conditions)
     * will be included.
     *
     * @param other The other PermissionSet to intersect with.
     * @returns A new PermissionSet containing the intersecting permissions.
     * @throws Error if the effects of the two PermissionSets do not match.
     */
    intersection(other: PermissionSet): PermissionSet;
    /**
     * Subtract a Deny PermissionSet from this Allow PermissionSet.
     *
     * Returns two PermissionSets: one with the remaining Allow permissions,
     * and one with any Deny permissions that were created as a result of the subtraction.
     * Because the result can include Deny permissions, the returned `allow` set on its own
     * may overstate access; evaluate both returned sets together.
     *
     * NOTE(review): unlike `intersection` and `addAll`, no `@throws` is documented for a
     * wrong effect on either side (this set not Allow, or `deny` not Deny). Confirm.
     *
     * @param deny the Deny PermissionSet to subtract
     * @returns an object containing the resulting Allow and Deny PermissionSets
     */
    subtract(deny: PermissionSet): {
        allow: PermissionSet;
        deny: PermissionSet;
    };
    /**
     * Add all permissions from another PermissionSet to this one.
     * This set is modified in place; nothing is returned.
     *
     * @param others the other PermissionSet (or array of PermissionSets) to add permissions from
     * @throws Error if the effects of the two PermissionSets do not match
     */
    addAll(others: PermissionSet[] | PermissionSet): void;
    /**
     * Deep clones the PermissionSet.
     *
     * @returns a new PermissionSet instance with the same permissions.
     */
    clone(): PermissionSet;
}
/**
 * Given an array of IAM Policy objects, extract every "Allow" statement
 * and load it into a PermissionSet.  Each AWS action is split into its
 * service ("s3", "ec2", etc.) and the individual action name ("GetObject", "StartInstances", etc.).
 *
 * NOTE(review): this description is written in terms of "Allow", but the signature
 * takes an `effect` argument. Presumably statements are selected by that effect
 * rather than always by "Allow". Confirm against the implementation before using
 * this function to build a Deny set.
 *
 * Assumptions:
 * 1. The Policy type comes from `@cloud-copilot/iam-policy`.  Each Policy has a `.statements` array.
 * 2. Each Statement has at least these fields (per AWS IAM JSON):
 *      - Effect: "Allow" | "Deny"
 *      - Action: string | string[]
 *      - Resource?: string | string[]
 *      - NotResource?: string | string[]
 *      - Condition?: Record<string, Record<string, string | string[]>>
 *
 * 3. We ignore any statements whose Effect ≠ "Allow".
 * 4. We do not expand wildcards here. If a statement's Action is "s3:*",
 *    we leave it as the pattern "s3:*".  (If you want to expand all wildcards,
 *    run these policies through iam-expand first, then call this function.)
 *
 * NOTE(review): NotAction and Principal/NotPrincipal are not listed in assumption 2,
 * and how statements that use them are handled is not visible here. Confirm, because
 * a NotAction statement covers far more actions than its text names.
 *
 * @param effect the effect for the resulting PermissionSet (see the NOTE above on filtering)
 * @param policies the IAM policies to read statements from
 * @returns a Promise resolving to a PermissionSet containing one Permission object for each
 *   (service, action, resource, notResource, condition) combination where Effect == "Allow"
 */
export declare function buildPermissionSetFromPolicies(effect: PermissionEffect, policies: Policy[]): Promise<PermissionSet>;
/**
 * Add the statements of the given policies to an existing PermissionSet.
 * Returns a Promise of void, so the result is delivered by modifying `permissionSet`;
 * await the call before reading from the set.
 *
 * NOTE(review): the caller passes both `permissionSet` (which has its own `effect`) and a
 * separate `effect` argument. It is not visible here whether a mismatch between the two is
 * rejected. Confirm, since a mismatch could load statements of one effect into a set of the other.
 *
 * @param permissionSet the PermissionSet to add to
 * @param effect the effect of the statements to add (presumably used to select statements; confirm)
 * @param policies the IAM policies to read statements from
 */
export declare function addPoliciesToPermissionSet(permissionSet: PermissionSet, effect: PermissionEffect, policies: Policy[]): Promise<void>;
/**
 * Add a single Statement to a PermissionSet, expanding it into one or more Permissions as needed.
 * The function is asynchronous; await it before reading from the set.
 *
 * NOTE(review): there is no `effect` parameter, and it is not visible here whether the
 * statement's own Effect is checked against `permissionSet.effect`. Confirm that callers
 * filter by effect first or that the implementation rejects a mismatch.
 *
 * @param statement the IAM policy statement to add
 * @param permissionSet the PermissionSet to add the statement to
 * @returns nothing; the PermissionSet is modified in place
 */
export declare function addStatementToPermissionSet(statement: Statement, permissionSet: PermissionSet): Promise<void>;
/**
 * Convert a PermissionSet into an array of IAM policy statements.
 *
 * The declared return type is `any`, so callers get no compile-time checking of the
 * statement shape. Treat the result as untyped and check it (for example that each
 * statement carries the expected Effect) before embedding it in a policy document.
 *
 * NOTE(review): whether the returned value is made of plain JSON-style objects or
 * `Statement` instances is not visible here. Confirm, and consider a precise return type.
 *
 * @param set the PermissionSet to convert
 * @returns an array of IAM policy statements
 */
export declare function toPolicyStatements(set: PermissionSet): any;
//# sourceMappingURL=permissionSet.d.ts.map