/**
 * Gatekeeper Policy Engine
 *
 * Centralized access control enforcement for MCP-AQL operations.
 * Implements a multi-layer defense-in-depth model:
 *
 * Layer 1: Route Validation (existing - validates endpoint/operation matching)
 * Layer 2: Safety Tier Check (integrates @dollhousemcp/safety)
 * Layer 3: Element Policy Check (active element restrictions)
 * Layer 4: Permission Level Enforcement (AUTO_APPROVE, CONFIRM, DENY)
 *
 * Design Principles:
 * - "LLM instructions are suggestions. Adapter policies are enforcement."
 * - Session-scoped confirmations (no cross-session leakage)
 * - Security-first (crash = fresh session)
 * - Audit logging for all decisions
 */
import { CRUDEndpoint } from './OperationRouter.js';
import { GatekeeperSession, type ClientInfo } from './GatekeeperSession.js';
import { type GatekeeperConfigOptions } from './GatekeeperConfig.js';
import { PermissionLevel, type GatekeeperDecision, type EndpointPermissions, type CliApprovalRecord, type CliApprovalScope } from './GatekeeperTypes.js';
import { type ActiveElement } from './policies/index.js';
/**
 * Input for Gatekeeper enforcement.
 * Contains all context needed to make an access control decision.
 */
export interface EnforceInput {
    /** The operation being requested */
    operation: string;
    /** The CRUD endpoint being called */
    endpoint: CRUDEndpoint;
    /** Element type being operated on (if applicable) */
    elementType?: string;
    /** Currently active elements for policy evaluation */
    activeElements?: ActiveElement[];
    /**
     * Skip Layer 2 (element policy resolution) — use route-level defaults only.
     * Used for gatekeeper infrastructure operations (confirm_operation, verify_challenge)
     * to prevent cascading confirmation loops. Issue #758.
     */
    skipElementPolicies?: boolean;
}
/**
 * Gatekeeper Policy Engine.
 *
 * Central enforcement point for MCP-AQL access control.
 * Validates that operations are called correctly and enforces
 * permission policies based on operation type and active elements.
 */
export declare class Gatekeeper {
    private readonly session;
    private readonly config;
    /**
     * Permission flags for each CRUDE endpoint.
     * These define the security characteristics of each endpoint.
     */
    private static readonly ENDPOINT_PERMISSIONS;
    constructor(clientInfo?: ClientInfo, configOptions?: GatekeeperConfigOptions);
    /**
     * Get the session ID for this Gatekeeper instance.
     */
    get sessionId(): string;
    /**
     * Get a summary of the current session.
     */
    getSessionSummary(): ReturnType<GatekeeperSession['getSummary']>;
    /**
     * Whether permission_prompt has been invoked this session (Issue #625 Phase 4).
     */
    get isPermissionPromptActive(): boolean;
    /**
     * Mark that permission_prompt has been invoked (Issue #625 Phase 4).
     */
    markPermissionPromptActive(): void;
    /**
     * Validates that an operation is being called via the correct endpoint.
     * Throws an error if the operation doesn't exist or is called via wrong endpoint.
     *
     * This is Layer 1: Route Validation (existing PermissionGuard behavior).
     *
     * @param operation - The operation being called (e.g., 'create_element')
     * @param calledEndpoint - The endpoint it was called through (e.g., 'CREATE')
     * @throws Error if operation unknown or endpoint mismatch
     */
    validateRoute(operation: string, calledEndpoint: CRUDEndpoint): void;
    /**
     * Enforce access control for an operation.
     * This is the main entry point for policy enforcement.
     *
     * Checks:
     * 1. Route validation (operation exists and matches endpoint)
     * 2. Element policies (active elements' allow/confirm/deny lists)
     * 3. Session confirmations (cached approvals)
     * 4. Default operation policies (permission levels)
     *
     * @param input - The enforcement input containing operation context
     * @returns A GatekeeperDecision indicating whether the operation is allowed
     */
    enforce(input: EnforceInput): GatekeeperDecision;
    /**
     * Record a confirmation for an operation.
     * Called when the user approves an operation that requires confirmation.
     *
     * @param operation - The operation being confirmed
     * @param level - The permission level (CONFIRM_SESSION or CONFIRM_SINGLE_USE)
     * @param elementType - Optional element type scope
     */
    recordConfirmation(operation: string, level: PermissionLevel.CONFIRM_SESSION | PermissionLevel.CONFIRM_SINGLE_USE, elementType?: string): void;
    /**
     * Revoke a confirmation for an operation.
     *
     * @param operation - The operation to revoke
     * @param elementType - Optional element type scope
     * @returns true if a confirmation was revoked
     */
    revokeConfirmation(operation: string, elementType?: string): boolean;
    /**
     * Revoke all confirmations for this session.
     * Useful when security-sensitive changes occur.
     */
    revokeAllConfirmations(): void;
    /**
     * Create a CLI approval request.
     * Delegates to session and logs the event.
     */
    createCliApprovalRequest(toolName: string, toolInput: Record<string, unknown>, riskLevel: string, riskScore: number, irreversible: boolean, denyReason: string, policySource?: string, ttlMs?: number): string;
    /**
     * Approve a pending CLI approval request.
     */
    approveCliRequest(requestId: string, scope?: CliApprovalScope): CliApprovalRecord | undefined;
    /**
     * Check if a CLI tool call has a valid approval.
     */
    checkCliApproval(toolName: string, toolInput: Record<string, unknown>): CliApprovalRecord | undefined;
    /**
     * Get all pending CLI approval requests.
     */
    getPendingCliApprovals(): CliApprovalRecord[];
    /**
     * Gets the permission flags for an endpoint.
     *
     * @param endpoint - The CRUD endpoint to get permissions for
     * @returns The permission flags for the endpoint
     */
    static getPermissions(endpoint: CRUDEndpoint): EndpointPermissions;
    /**
     * Static validation method for backward compatibility with PermissionGuard.
     * Validates that an operation is being called via the correct endpoint.
     *
     * @param operation - The operation being called
     * @param calledEndpoint - The endpoint it was called through
     * @throws Error if operation unknown or endpoint mismatch
     *
     * @deprecated Use instance method validateRoute() or enforce() instead
     */
    static validate(operation: string, calledEndpoint: CRUDEndpoint): void;
    /**
     * Get the default permission level for an operation.
     *
     * @param operation - The operation name
     * @returns The default permission level
     */
    getDefaultPermissionLevel(operation: string): PermissionLevel;
    /**
     * Returns a human-readable reason for the permission classification.
     */
    private getPermissionReason;
    /**
     * Static version of getPermissionReason for backward compatibility.
     */
    private static getPermissionReasonStatic;
    /**
     * Log an audit event for a Gatekeeper decision.
     */
    private logAuditEvent;
}
export { PermissionLevel, GatekeeperErrorCode } from './GatekeeperTypes.js';
export type { GatekeeperDecision, EndpointPermissions, ElementGatekeeperPolicy, ConfirmationRecord, CliApprovalRecord, CliApprovalScope, CliApprovalPolicy, RiskAssessment, } from './GatekeeperTypes.js';
export type { ClientInfo } from './GatekeeperSession.js';
//# sourceMappingURL=Gatekeeper.d.ts.map