export type PermissionEffect = 'Allow' | 'Deny';
export type PermissionConditions = Record<string, Record<string, string[]>>;
/**
 * An immutable representation of a single permission for a specific action.
 *
 * This will eventually have methods like "merge with another permission",
 * "check if overlaps with another permission", "subtract a deny permission",
 * etc and those will all return a new Permission instance.
 */
export declare class Permission {
    readonly effect: PermissionEffect;
    readonly service: string;
    readonly action: string;
    readonly resource: string[] | undefined;
    readonly notResource: string[] | undefined;
    readonly conditions: Record<string, Record<string, string[]>> | undefined;
    constructor(effect: PermissionEffect, service: string, action: string, resource: string[] | undefined, notResource: string[] | undefined, conditions: Record<string, Record<string, string[]>> | undefined);
    /**
     * Returns true if this Permission completely includes the other Permission.
     * Only supports merging of "Allow" permissions (same effect, service, action).
     */
    includes(other: Permission): boolean;
    /**
     * Returns the union of this Permission with another.
     * If one includes the other, return the including Permission.
     * Otherwise, attempt to merge conditions and resource/notResource.
     * If merge yields a single Permission, return it; else return both.
     */
    union(other: Permission): Permission[];
    /**
     * Returns the intersection of this Permission with another.
     * Always returns exactly one Permission. If there is no overlap,
     * returns undefined.
     */
    intersection(other: Permission): Permission | undefined;
    /**
     * Subtract a Deny permission from this Allow permission.
     * Returns an array of resulting Allow permissions (may be empty if fully denied).
     */
    subtract(other: Permission): Permission[];
}
/**
 * Returns a new PermissionConditions object with all operator and context keys lowercased.
 */
export declare function normalizeConditionKeys(conds: PermissionConditions): PermissionConditions;
/**
 * Invert a set of IAM condition clauses for Deny → allow inversion.
 * Preserves ForAllValues:/ForAnyValue: prefixes and IfExists suffixes.
 *
 * @param conds the condition clauses to invert
 * @return a new set of inverted conditions
 */
export declare function invertConditions(conds: Record<string, Record<string, string[]>>): Record<string, Record<string, string[]>>;
//# sourceMappingURL=permission.d.ts.map