import type { Token } from '@furystack/inject';
import type { User } from './models/user.js';
/**
 * Provides authentication and authorization context for the current
 * request/session.
 *
 * The default implementation exposed by the {@link IdentityContext} token is
 * intentionally minimal: `isAuthenticated` and `isAuthorized` both resolve to
 * `false`, and `getCurrentUser` rejects. Applications override this by
 * rebinding the token on the request-scoped injector — typically from an
 * authentication provider.
 *
 * @example
 * ```ts
 * requestScope.bind(IdentityContext, () => myAuthenticatedContext)
 *
 * const authenticated = await isAuthenticated(requestScope)
 * const authorized = await isAuthorized(requestScope, 'admin')
 * const user = await getCurrentUser(requestScope)
 * ```
 */
export interface IdentityContext {
    isAuthenticated(): Promise<boolean>;
    /** Returns `true` only when the user holds **every** role. */
    isAuthorized(...roles: string[]): Promise<boolean>;
    /**
     * Resolves with the current user. The default implementation rejects
     * because no user is bound — applications override the token on the
     * request scope to provide an authenticated identity.
     *
     * @typeParam TUser - Concrete user type the caller expects.
     */
    getCurrentUser<TUser extends User>(): Promise<TUser>;
}
/**
 * DI token for the current {@link IdentityContext}. Scoped — each injector
 * scope resolves and caches its own context. Default factory is
 * unauthenticated; rebind on the request scope to inject an authenticated
 * identity.
 */
export declare const IdentityContext: Token<IdentityContext, 'scoped'>;
//# sourceMappingURL=identity-context.d.ts.map