import { Policy } from '@cloud-copilot/iam-policy';
import { Permission, PermissionEffect } from './permission.js';
/**
 * A permission set is a collection of permissions for a single effect (Allow or Deny).
 * It is used to represent things like "all the allowed permissions in a set of SCPs"
 * and "all the denies that apply to a principal".
 *
 * NOTE(review): this is a declaration file, so only signatures are visible here.
 * Member comments marked "presumably" or "confirm" describe behavior that must be
 * checked against the implementation.
 */
export declare class PermissionSet {
    /** The effect (Allow or Deny) this set represents; read-only once the instance exists. */
    readonly effect: PermissionEffect;
    // Internal storage for the permissions; its type is not emitted in this declaration.
    private permissions;
    /**
     * @param effect - the effect (Allow or Deny) that this set represents.
     */
    constructor(effect: PermissionEffect);
    /**
     * Adds a permission to the set.
     *
     * NOTE(review): the signature does not show whether a permission whose effect differs
     * from `this.effect` is rejected. Confirm, because an Allow stored in a Deny set
     * (or the reverse) could skew any later access evaluation.
     *
     * @param newPermission - the permission to add.
     */
    addPermission(newPermission: Permission): void;
    /**
     * Returns the permissions held for a service and action.
     *
     * NOTE(review): whether `action` is matched literally or as a wildcard pattern, and
     * whether the comparison ignores case (IAM action names are case-insensitive), is not
     * visible here. Confirm before relying on an empty result to mean "no access".
     *
     * @param service - the service prefix, e.g. "s3".
     * @param action - the action name, e.g. "GetObject".
     * @returns the matching permissions as an array.
     */
    getPermissions(service: string, action: string): Permission[];
    /**
     * Reports whether the set holds anything for the given service.
     *
     * @param service - the service prefix, e.g. "s3".
     */
    hasService(service: string): boolean;
    /**
     * Reports whether the set holds anything for the given service and action.
     * The matching caveats noted on `getPermissions` presumably apply here too; confirm.
     *
     * @param service - the service prefix, e.g. "s3".
     * @param action - the action name, e.g. "GetObject".
     */
    hasAction(service: string, action: string): boolean;
    /**
     * @returns every permission in the set as an array.
     */
    getAllPermissions(): Permission[];
    /**
     * Return a new PermissionSet containing the intersection of this set and another.
     * Only permissions that overlap (same effect, service, action, and intersecting resources/conditions)
     * will be included.
     *
     * @param other - the set to intersect with.
     */
    intersection(other: PermissionSet): PermissionSet;
    /**
     * Subtracts a set of denies from this set and returns two sets, `allow` and `deny`.
     *
     * NOTE(review): presumably `allow` is what remains permitted and `deny` carries the
     * denies that could not be folded into `allow` (for example, conditional denies).
     * Confirm against the implementation. If that reading is right, a caller that keeps
     * only `allow` and drops `deny` would overstate effective access.
     *
     * @param deny - the denies to subtract.
     * @returns an object holding the resulting `allow` and `deny` sets.
     */
    subtract(deny: PermissionSet): {
        allow: PermissionSet;
        deny: PermissionSet;
    };
    /**
     * Deep clones the PermissionSet.
     *
     * @returns a new PermissionSet instance with the same permissions.
     */
    clone(): PermissionSet;
}
/**
 * Given an array of IAM Policy objects, extract every "Allow" statement
 * and load it into a PermissionSet.  Each AWS action is split into its
 * service ("s3", "ec2", etc.) and the individual action name ("GetObject", "StartInstances", etc.).
 *
 * NOTE(review): the text here describes only "Allow" statements, but the signature takes an
 * `effect` argument. Presumably statements are selected by that effect, so the "Allow"
 * wording may be stale. Confirm against the implementation.
 *
 * Assumptions:
 * 1. The Policy type comes from `@cloud-copilot/iam-policy`.  Each Policy has a `.statements` array.
 * 2. Each Statement has at least these fields (per AWS IAM JSON):
 *      - Effect: "Allow" | "Deny"
 *      - Action: string | string[]
 *      - Resource?: string | string[]
 *      - NotResource?: string | string[]
 *      - Condition?: Record<string, Record<string, string | string[]>>
 *
 * 3. We ignore any statements whose Effect is not "Allow".
 * 4. We do not expand wildcards here. If a statement's Action is "s3:*",
 *    we leave it as the pattern "s3:*".  (If you want to expand all wildcards,
 *    run these policies through iam-expand first, then call this function.)
 *
 * NOTE(review): `NotAction` is not among the fields listed above, and this declaration does
 * not show how such statements are handled. Confirm, because an Allow with `NotAction`
 * grants every action except the ones named, and dropping it would understate access.
 *
 * @param effect - the effect for the returned set.
 * @param policies - the policies whose statements are read.
 * @returns a promise of a PermissionSet containing one Permission object for each
 * (service, action, resource, notResource, condition) combination where Effect == "Allow".
 */
export declare function buildPermissionSetFromPolicies(effect: PermissionEffect, policies: Policy[]): Promise<PermissionSet>;
/**
 * Adds permissions taken from `policies` to an existing PermissionSet.
 * The promise resolves with no value, so the result is presumably written into
 * `permissionSet` in place. Confirm against the implementation.
 *
 * NOTE(review): `effect` is passed separately from `permissionSet.effect`, and this
 * declaration does not show whether a mismatch between the two is rejected. Confirm,
 * because loading Deny statements into an Allow set (or the reverse) could skew any
 * later access evaluation.
 *
 * @param permissionSet - the set that receives the permissions.
 * @param effect - the statement effect to load.
 * @param policies - the policies whose statements are read.
 */
export declare function addPoliciesToPermissionSet(permissionSet: PermissionSet, effect: PermissionEffect, policies: Policy[]): Promise<void>;
/**
 * Converts a PermissionSet into policy statements.
 *
 * NOTE(review): the declared return type is `any`, so the compiler does not check the
 * shape of the result at call sites. Callers should narrow or validate the value
 * (for example, that each statement's Effect matches `set.effect`) before serializing
 * it into a policy document. The exact statement shape is not visible here.
 *
 * @param set - the permission set to convert.
 * @returns the statements, untyped.
 */
export declare function toPolicyStatements(set: PermissionSet): any;
//# sourceMappingURL=permissionSet.d.ts.map