/**
 * Static RBAC provider with config-based roles.
 */
import type { RoleDefinition, RoleMapping, IRBACProvider } from '../../interfaces/index.js';
/**
 * Options for StaticRBACProvider.
 *
 * Use ONE of the following approaches:
 * - `roles`: Define role structures with permissions (Mastra's native role system)
 * - `roleMapping`: Map provider roles directly to permissions (simpler for external providers)
 */
export type StaticRBACProviderOptions<TUser = unknown> = {
    /** Role definitions (Mastra's native role system) */
    roles: RoleDefinition[];
    /** Function to get user's role IDs */
    getUserRoles: (user: TUser) => string[] | Promise<string[]>;
    roleMapping?: never;
} | {
    /**
     * Role mapping for translating provider roles to permissions.
     * Use this when your identity provider has roles that need to be
     * mapped to Mastra permissions.
     */
    roleMapping: RoleMapping;
    /** Function to get user's role IDs from the provider */
    getUserRoles: (user: TUser) => string[] | Promise<string[]>;
    roles?: never;
};
/**
 * Static RBAC provider.
 *
 * Supports two modes:
 * 1. **Role definitions**: Use Mastra's native role system with structured roles
 * 2. **Role mapping**: Directly map provider roles to permissions
 *
 * @example Using role definitions (Mastra's native system)
 * ```typescript
 * const rbac = new StaticRBACProvider({
 *   roles: DEFAULT_ROLES,
 *   getUserRoles: (user) => [user.role],
 * });
 * ```
 *
 * @example Using role mapping (for external providers)
 * ```typescript
 * const rbac = new StaticRBACProvider({
 *   roleMapping: {
 *     "Engineering": ["agents:*", "workflows:*"],
 *     "Product": ["agents:read", "workflows:read"],
 *     "_default": [],
 *   },
 *   getUserRoles: (user) => user.providerRoles,
 * });
 * ```
 *
 * @example Async role lookup
 * ```typescript
 * const rbac = new StaticRBACProvider({
 *   roles: DEFAULT_ROLES,
 *   getUserRoles: async (user) => {
 *     return db.getUserRoles(user.id);
 *   },
 * });
 * ```
 */
export declare class StaticRBACProvider<TUser = unknown> implements IRBACProvider<TUser> {
    private roles?;
    private _roleMapping?;
    private getUserRolesFn;
    private permissionCache;
    /** Expose roleMapping for middleware access */
    get roleMapping(): RoleMapping | undefined;
    constructor(options: StaticRBACProviderOptions<TUser>);
    getRoles(user: TUser): Promise<string[]>;
    hasRole(user: TUser, role: string): Promise<boolean>;
    getPermissions(user: TUser): Promise<string[]>;
    hasPermission(user: TUser, permission: string): Promise<boolean>;
    hasAllPermissions(user: TUser, permissions: string[]): Promise<boolean>;
    hasAnyPermission(user: TUser, permissions: string[]): Promise<boolean>;
    /**
     * Clear the permission cache.
     */
    clearCache(): void;
    /**
     * Get all role definitions.
     * Only available when using role definitions mode (not role mapping).
     */
    getRoleDefinitions(): RoleDefinition[];
    /**
     * Get a specific role definition.
     * Only available when using role definitions mode (not role mapping).
     */
    getRoleDefinition(roleId: string): RoleDefinition | undefined;
    /**
     * Get all available roles in the system.
     */
    getAvailableRoles(): Promise<{
        id: string;
        name: string;
    }[]>;
    /**
     * Get the resolved permissions for a specific role.
     */
    getPermissionsForRole(roleId: string): Promise<string[]>;
}
//# sourceMappingURL=static.d.ts.map