import { PermissionStore, RoleStore } from '../interfaces/rbac.js';
import { UserIdentity, OperationContext, TransportContext } from '../types.js';
import { Request } from '@modelcontextprotocol/sdk/types.js';
/**
 * Derives a permission string based on the MCP method and parameters.
 * Examples:
 * - `tool:call:<tool_name>`
 * - `resource:read:<uri>` (if fixed URI)
 * - `resource:read:<uri_template>` (if template URI)
 * - `resource:list`
 * - `resource:templates:list`
 * - `prompt:get:<prompt_name>`
 * - `prompt:list`
 * Returns null for protocol-level messages like 'initialize', 'ping'.
 */
export declare function defaultDerivePermission(request: Request, _transportContext: TransportContext): string | null;
/**
 * Simple in-memory RoleStore implementation.
 */
export declare class InMemoryRoleStore implements RoleStore {
    private rolesByUser;
    constructor(initialRoles?: Record<string, string[]>);
    getRoles(identity: UserIdentity, _opCtx: OperationContext): Promise<string[]>;
    /** Adds roles to a user. */
    addUserRoles(userId: string, roles: string[]): void;
    /** Removes roles from a user. */
    removeUserRoles(userId: string, roles: string[]): void;
}
/**
 * Simple in-memory PermissionStore implementation.
 */
export declare class InMemoryPermissionStore implements PermissionStore {
    private permissionsByRole;
    private logger;
    constructor(initialPermissions?: Record<string, string[]>);
    hasPermission(role: string, permission: string, opCtx: OperationContext): Promise<boolean>;
    /** Adds a permission to a role. */
    addPermission(role: string, permission: string): void;
    /** Removes a permission from a role. */
    removePermission(role: string, permission: string): void;
}
