import { CanActivate, ExecutionContext, Logger } from '@nestjs/common';
import { Reflector } from '@nestjs/core';
import { UserContext } from '../context';
export declare class RolesGuard implements CanActivate {
    protected reflector: Reflector;
    protected readonly logger: Logger;
    constructor(reflector: Reflector);
    canActivate(context: ExecutionContext): Promise<boolean>;
    /**
     * Verify tenant access.
     * This method checks if the user has valid tenant access, including
     * validation for header-based tenant override.
     */
    protected verifyTenant(context: ExecutionContext): Promise<boolean>;
    /**
     * Check if tenant code was provided via header override (no custom:tenant in JWT).
     * Override this method to customize header override detection logic.
     */
    protected isHeaderOverride(context: ExecutionContext, userContext: UserContext): boolean;
    /**
     * Check if user can override tenant via header.
     * Override this method to implement custom authorization logic for cross-tenant access.
     *
     * Default behavior:
     * - Allow access to common tenant codes (e.g., 'common')
     * - Allow users with cross-tenant roles (e.g., 'system_admin')
     */
    protected canOverrideTenant(context: ExecutionContext, userContext: UserContext): boolean;
    /**
     * Get list of common tenant codes that anyone can access via header.
     * By default, reads from COMMON_TENANT_CODES environment variable (comma-separated).
     * Override this method to customize common tenant codes.
     *
     * Example override in application:
     * ```typescript
     * protected getCommonTenantCodes(): string[] {
     *   const codes = this.configService.get('COMMON_TENANT_CODES', 'common')
     *   return codes.split(',').map(c => c.trim())
     * }
     * ```
     */
    protected getCommonTenantCodes(): string[];
    /**
     * Get list of roles that can perform cross-tenant operations via header override.
     * By default, reads from CROSS_TENANT_ROLES environment variable (comma-separated).
     * Override this method to customize cross-tenant roles.
     *
     * Example override in application:
     * ```typescript
     * protected getCrossTenantRoles(): string[] {
     *   const roles = this.configService.get('CROSS_TENANT_ROLES', 'system_admin,general_manager')
     *   return roles.split(',').map(r => r.trim())
     * }
     * ```
     */
    protected getCrossTenantRoles(): string[];
    /**
     * Get JWT authorizer claims from execution context.
     * This is a helper method that can be used by subclasses.
     */
    protected getAuthorizerClaims(context: ExecutionContext): import("../context").JwtClaims;
    protected verifyRole(context: ExecutionContext): Promise<boolean>;
    protected getUserRole(context: ExecutionContext): Promise<string>;
}