import { type EvaluationResult, type RequestAnalysis } from '@cloud-copilot/iam-simulate';
import type { Job } from '@cloud-copilot/job';
import { IamCollectClient } from '../collect/client.js';
import type { S3AbacOverride } from '../utils/s3Abac.js';
import type { WhoCanAllowed } from './whoCan.js';
/**
 * One unit of whoCan work: the input accepted by `executeWhoCan` and
 * `createJobForWhoCanWorkItem`, and echoed back on every execution result.
 */
export interface WhoCanWorkItem {
    /**
     * The resource to evaluate, or undefined.
     * NOTE(review): the expected format (presumably an ARN) and the meaning of
     * undefined are not visible in this declaration; confirm against the implementation.
     */
    resource: string | undefined;
    /**
     * The account associated with the resource, or undefined.
     * NOTE(review): presumably an AWS account ID; confirm.
     */
    resourceAccount: string | undefined;
    /**
     * The action to evaluate.
     * NOTE(review): presumably in `service:Action` form; confirm.
     */
    action: string;
    /**
     * The principal whose access is evaluated.
     * NOTE(review): presumably a principal ARN; confirm.
     */
    principal: string;
    /**
     * Context keys to treat strictly, or undefined.
     * NOTE(review): the exact semantics are not visible here. `WhoCanOptions` also
     * carries `strictContextKeys`; confirm which value takes effect.
     */
    strictContextKeys: string[] | undefined;
    /**
     * Whether deny details should be collected for this work item.
     * NOTE(review): presumably selects between the plain `denied` result and the
     * `denied_single` / `denied_wildcard` results that carry analysis. `WhoCanOptions`
     * also carries `collectDenyDetails`; confirm which value takes effect.
     */
    collectDenyDetails: boolean;
}
/**
 * Execution result when the principal is allowed access.
 * This is the only member of `WhoCanExecutionResult` whose `type` is not a denial.
 */
export interface AllowedWhoCanExecutionResult {
    /**
     * Discriminator identifying this variant.
     */
    type: 'allowed';
    /**
     * The work item associated with this result.
     */
    workItem: WhoCanWorkItem;
    /**
     * Details of the allowed access, as a `WhoCanAllowed` (declared in `./whoCan.js`).
     */
    allowed: WhoCanAllowed;
}
/**
 * Execution result when the principal is denied access, without detailed analysis.
 * Unlike `denied_single` and `denied_wildcard`, this variant carries no explanation
 * of the denial, only the work item.
 */
export interface DeniedWhoCanExecutionResult {
    /**
     * Discriminator identifying this variant.
     */
    type: 'denied';
    /**
     * The work item associated with this result.
     */
    workItem: WhoCanWorkItem;
}
/**
 * Execution result when the principal is denied access for a single resource pattern,
 * with detailed analysis included.
 */
export interface DeniedSingleWhoCanExecutionResult {
    /**
     * Discriminator identifying this variant.
     */
    type: 'denied_single';
    /**
     * The work item associated with this result.
     */
    workItem: WhoCanWorkItem;
    /**
     * The analysis for the denied request, as a `RequestAnalysis` from
     * `@cloud-copilot/iam-simulate`.
     */
    analysis: RequestAnalysis;
}
/**
 * Details about a denied resource pattern, including the analysis for why it was denied.
 * Used as the element type of `DeniedWildcardWhoCanExecutionResult.deniedPatterns`.
 */
export interface WhoCanDenyResourceDetails {
    /**
     * The resource pattern that was tested.
     */
    pattern: string;
    /**
     * The type of resource for the pattern.
     */
    resourceType: string;
    /**
     * The analysis explaining why the request was denied, as a `RequestAnalysis`
     * from `@cloud-copilot/iam-simulate`.
     */
    analysis: RequestAnalysis;
}
/**
 * Execution result when the principal is denied access for a wildcard resource,
 * with detailed analysis for each denied pattern.
 */
export interface DeniedWildcardWhoCanExecutionResult {
    /**
     * Discriminator identifying this variant.
     */
    type: 'denied_wildcard';
    /**
     * The work item associated with this result.
     */
    workItem: WhoCanWorkItem;
    /**
     * The overall evaluation result, as an `EvaluationResult` from
     * `@cloud-copilot/iam-simulate`.
     * NOTE(review): how this relates to the per-pattern analyses is not visible here; confirm.
     */
    overallResult: EvaluationResult;
    /**
     * One entry per denied resource pattern, each with its own analysis.
     */
    deniedPatterns: WhoCanDenyResourceDetails[];
}
/**
 * The result of executing a whoCan work item.
 *
 * A discriminated union on `type`. Only the `allowed` variant carries an allowed
 * result. `denied_single` and `denied_wildcard` carry deny analysis, and plain
 * `denied` carries neither. No variant carries both.
 *
 * Narrow on `type` before reading variant-specific fields. Code that makes an
 * access decision from this value should match `'allowed'` explicitly rather than
 * treating "not denied" as allowed, so that a variant added later is not
 * misclassified.
 */
export type WhoCanExecutionResult = AllowedWhoCanExecutionResult | DeniedWhoCanExecutionResult | DeniedSingleWhoCanExecutionResult | DeniedWildcardWhoCanExecutionResult;
/**
 * Union type for denied execution results that include detailed analysis.
 * Covers `denied_single` and `denied_wildcard`. The plain `denied` variant is
 * excluded because it has no analysis fields.
 */
export type DeniedWhoCanExecutionResultWithDetails = DeniedSingleWhoCanExecutionResult | DeniedWildcardWhoCanExecutionResult;
/**
 * The possible values for the `type` discriminator of a WhoCanExecutionResult.
 * Derived from the union by indexed access, so it stays in sync when variants
 * are added or removed: currently `'allowed' | 'denied' | 'denied_single' | 'denied_wildcard'`.
 */
export type WhoCanExecutionResultType = WhoCanExecutionResult['type'];
/**
 * Creates a `Job` (from `@cloud-copilot/job`) for a whoCan work item.
 *
 * NOTE(review): presumably the job runs `executeWhoCan` with the same arguments;
 * the implementation is not visible in this declaration file, so confirm.
 *
 * @param workItem - The work item the job is created for.
 * @param collectClient - The `IamCollectClient` passed through to the job.
 * @param whoCanOptions - Options for the evaluation; see `WhoCanOptions`.
 * @returns A job typed as `Job<WhoCanExecutionResult, Record<string, unknown>>`.
 *   The meaning of the second type argument is defined by `@cloud-copilot/job`
 *   and is not visible here.
 */
export declare function createJobForWhoCanWorkItem(workItem: WhoCanWorkItem, collectClient: IamCollectClient, whoCanOptions: WhoCanOptions): Job<WhoCanExecutionResult, Record<string, unknown>>;
/**
 * Options passed to `executeWhoCan` and `createJobForWhoCanWorkItem`.
 * Every field is optional.
 *
 * NOTE(review): `collectDenyDetails` and `strictContextKeys` also exist on
 * `WhoCanWorkItem`. Which value takes effect when the two disagree is not
 * visible in this declaration file; confirm against the implementation.
 */
export interface WhoCanOptions {
    /**
     * Optional S3 ABAC override, as an `S3AbacOverride` (declared in `../utils/s3Abac.js`).
     * NOTE(review): its effect on evaluation is not visible here; confirm.
     */
    s3AbacOverride?: S3AbacOverride;
    /**
     * Whether deny details should be collected.
     */
    collectDenyDetails?: boolean;
    /**
     * Whether grant details should be collected.
     * NOTE(review): presumably affects the content of the `allowed` result; confirm.
     */
    collectGrantDetails?: boolean;
    /**
     * Context keys to treat strictly.
     * NOTE(review): the exact semantics are not visible here; confirm.
     */
    strictContextKeys?: string[];
}
/**
 * Executes a single whoCan work item and resolves to its result.
 *
 * The result is a discriminated union. Callers should narrow on `type` and
 * treat only `'allowed'` as a grant.
 *
 * @param workItem - The work item to evaluate.
 * @param collectClient - The `IamCollectClient` used for the evaluation.
 *   NOTE(review): presumably the source of the collected IAM data; confirm.
 * @param whoCanOptions - Options for the evaluation; see `WhoCanOptions`.
 * @returns A promise resolving to the `WhoCanExecutionResult` for the work item.
 *   Rejection behaviour is not visible in this declaration file.
 */
export declare function executeWhoCan(workItem: WhoCanWorkItem, collectClient: IamCollectClient, whoCanOptions: WhoCanOptions): Promise<WhoCanExecutionResult>;
//# sourceMappingURL=WhoCanWorker.d.ts.map