import { IamCollectClient } from '../collect/client.js';
import { type WhoCanPrincipalScope } from './whoCan.js';
/**
 * Resolves a `WhoCanPrincipalScope` into concrete sets of account IDs and principal ARNs
 * using the collect client for OU lookups.
 *
 * `scope.principals` are kept separate from `scope.accounts` — a scope like
 * `{ principals: ['arn:...:role/Foo'] }` tests only that one role and does NOT
 * expand to search every principal in Foo's account.
 *
 * @param client The collect client used to resolve OU paths to account IDs.
 * @param scope The principal scope to resolve.
 * @returns An object with `accounts` and `principals` sets.
 */
export declare function resolvePrincipalScope(client: IamCollectClient, scope: WhoCanPrincipalScope): Promise<{
    accounts: Set<string>;
    principals: Set<string>;
}>;
/**
 * Intersects the resource-policy-derived scope with a caller-supplied principal scope.
 * Returns the narrowed set of accounts (for full-account search) and principals
 * (for individual principal testing).
 *
 * @param resourcePolicyAccounts Account IDs derived from the resource policy.
 * @param resourcePolicyPrincipals Individual principal ARNs derived from the resource policy.
 * @param resourcePolicyCheckAllAccounts Whether the resource policy implies all accounts should be checked.
 * @param scopeAccounts Account IDs from the resolved principal scope.
 * @param suggestedPrincipals Principal ARNs from the resolved principal scope.
 * @returns The intersected accounts and principals to search.
 */
export declare function intersectWithPrincipalScope(resourcePolicyAccounts: string[], resourcePolicyPrincipals: string[], resourcePolicyCheckAllAccounts: boolean, scopeAccounts: Set<string>, scopePrincipals: Set<string>): {
    accounts: string[];
    principals: string[];
};
//# sourceMappingURL=principalScope.d.ts.map