export type PermissionEffect = 'Allow' | 'Deny';
export type PermissionConditions = Record<string, Record<string, string[]>>;
/**
 * An immutable representation of a single permission for a specific action.
 *
 * This will eventually have methods like "merge with another permission",
 * "check if overlaps with another permission", "subtract a deny permission",
 * etc and those will all return a new Permission instance.
 */
export declare class Permission {
    readonly effect: PermissionEffect;
    readonly service: string;
    readonly action: string;
    readonly resource: string[] | undefined;
    readonly notResource: string[] | undefined;
    readonly conditions: Record<string, Record<string, string[]>> | undefined;
    constructor(effect: PermissionEffect, service: string, action: string, resource: string[] | undefined, notResource: string[] | undefined, conditions: Record<string, Record<string, string[]>> | undefined);
    /**
     * Returns true if this Permission completely includes the other Permission.
     * Only supports merging of "Allow" permissions (same effect, service, action).
     */
    includes(other: Permission): boolean;
    /**
     * Returns the union of this Permission with another.
     * If one includes the other, return the including Permission.
     * Otherwise, attempt to merge conditions and resource/notResource.
     * If merge yields a single Permission, return it; else return both.
     */
    union(other: Permission): Permission[];
    /**
     * Returns the intersection of this Permission with another.
     * Always returns exactly one Permission. If there is no overlap,
     * returns undefined.
     *
     * @param other The other Permission to intersect with.
     * @returns A new Permission representing the intersection of other and this, or undefined if there is no intersection.
     */
    intersection(other: Permission): Permission | undefined;
    /**
     * Subtract a Deny permission from this Allow permission.
     *
     * Returns the resulting permissions, this can be:
     * - An empty array if the Allow is fully denied by the Deny
     * - A modified Allow permission or multiple Allow permissions
     * - It could also return the original Allow and Deny permission if subtraction cannot be expressed purely in Allow statements
     *
     * @param other the Deny permission to subtract
     */
    subtract(other: Permission): Permission[];
}
/**
 * Attempt to union two sets of permission conditions.
 *
 * If the conditions can be merged into a single block that allows all cases allowed by either,
 * returns the merged conditions. If they cannot be merged cleanly (e.g., differing operators
 * or incompatible numeric boundaries), returns null.
 *
 * @param a First set of conditions
 * @param b Second set of conditions
 * @returns Merged conditions or null if they cannot be merged
 */
export declare function unionConditions(a: Record<string, Record<string, string[]>>, b: Record<string, Record<string, string[]>>): Record<string, Record<string, string[]>> | null;
/**
 * Intersect two sets of permission conditions.
 *
 * Attempt to find the intersection of two sets of IAM condition clauses. This will
 * combine condition operators and context keys, retaining only values that satisfy
 * both sets of conditions. If the intersection is empty or cannot be expressed
 * cleanly, returns null.
 *
 * @param conditionsA First set of conditions
 * @param conditionsB Second set of conditions
 * @returns Intersected conditions or null if intersection is empty or cannot be expressed
 */
export declare function intersectConditions(a: Record<string, Record<string, string[]>>, b: Record<string, Record<string, string[]>>): Record<string, Record<string, string[]>> | null;
/**
 * Returns a new PermissionConditions object with all operator and context keys lowercased.
 */
export declare function normalizeConditionKeys(conds: PermissionConditions): PermissionConditions;
/**
 * Invert a set of IAM condition clauses for Deny → allow inversion.
 * Preserves ForAllValues:/ForAnyValue: prefixes and IfExists suffixes.
 *
 * @param conds the condition clauses to invert
 * @return a new set of inverted conditions
 */
export declare function invertConditions(conds: Record<string, Record<string, string[]>>): Record<string, Record<string, string[]>>;
/**
 * Apply Deny conditions to an Allow permission.
 *
 * A Deny permission with conditions (whether multiple operators or multiple keys under one
 * operator) acts as an AND, meaning the Allow needs to escape ANY one of them (OR when inverted).
 * Each condition key-value pair is inverted and creates a separate Allow permission.
 *
 * It is possible for any given condition to fully deny the Allow, in which case
 * that condition will produce no resulting Allow permission. The result is an array
 * of Allow permissions that apply after each Deny condition is applied.
 *
 * This may result in multiple Allow permission or an empty array if all are denied.
 *
 * @param allow the Allow permission
 * @param deny the Deny permission
 * @returns an array of resulting Allow permissions after applying Deny conditions
 */
export declare function applyDenyConditionsToAllow(allow: Permission, deny: Permission): Permission[];
//# sourceMappingURL=permission.d.ts.map