/**
 * RBAC Enforcement Module (PRD #392 Milestone 1)
 *
 * Wraps Kubernetes SubjectAccessReview to check tool-level permissions
 * for OAuth-authenticated users. Token users bypass RBAC entirely.
 *
 * Uses the virtual API group "dot-ai.devopstoolkit.ai" — no CRDs needed.
 * Kubernetes evaluates RBAC rules as pure string matching on the group,
 * resource, resourceName, and verb fields.
 */
import type { UserIdentity } from '../../interfaces/oauth/types';
/**
 * Reports whether RBAC enforcement is enabled.
 *
 * Enforcement is opt-in. When disabled (the default), all authenticated users
 * have full access and no tool-level authorization is applied.
 * Set DOT_AI_RBAC_ENABLED=true to enforce tool-level RBAC via SubjectAccessReview.
 *
 * Security note: because the default is permissive, a deployment that relies
 * on per-tool restrictions has to set the variable explicitly and should
 * verify at startup that enforcement is actually on.
 * NOTE(review): how the value is parsed (case, surrounding whitespace, values
 * other than "true") is not visible in this declaration file. Confirm in the
 * implementation that a mistyped value cannot silently leave enforcement off.
 *
 * @returns `true` when enforcement is enabled, `false` otherwise.
 */
export declare function isRbacEnabled(): boolean;
/**
 * Outcome of a tool-level authorization check.
 *
 * Only `allowed` carries the decision; the other fields are optional text.
 * NOTE(review): `reason` and `evaluationError` presumably mirror the
 * same-named fields of the SubjectAccessReview status. Confirm against the
 * implementation.
 */
export interface RbacCheckResult {
    /** `true` when access is granted. Callers should treat every other outcome as a denial. */
    allowed: boolean;
    /** Optional explanation of the decision. Diagnostic text only; do not base authorization on it. */
    reason?: string;
    /**
     * Optional error text produced while evaluating the check.
     * NOTE(review): confirm that a result carrying an evaluation error is
     * never returned with `allowed: true` by mistake (fail closed), and that
     * the text is logged so that failed evaluations are visible to operators.
     */
    evaluationError?: string;
}
/**
 * Describes the access being checked.
 *
 * NOTE(review): the module header states that Kubernetes matches on group,
 * resource, resourceName and verb as plain strings. How the fields below map
 * onto those attributes, and which defaults apply when an optional field is
 * omitted, is not visible in this declaration file.
 * Because matching is string-based, callers should pass canonical values
 * rather than unvalidated request input.
 */
export interface RbacCheckParams {
    /** Name of the tool whose use is being authorized. */
    toolName: string;
    /** Optional namespace for the check. NOTE(review): confirm what omission means (e.g. cluster-wide). */
    namespace?: string;
    /** Optional resource name for the check. NOTE(review): default when omitted is not shown here. */
    resource?: string;
    /** Optional verb for the check. NOTE(review): default when omitted is not shown here. */
    verb?: string;
}
/**
 * Check whether the given identity is authorized to use the specified tool.
 *
 * - Token users (`source: 'token'`) always bypass RBAC.
 * - OAuth users are checked via SubjectAccessReview against the virtual
 *   API group `dot-ai.devopstoolkit.ai`.
 *
 * Security note: because of the token bypass, RBAC rules do not constrain
 * token-authenticated callers at all. Token distribution therefore has to be
 * controlled separately from the rules written for OAuth users.
 *
 * NOTE(review): the signature accepts `undefined` for `identity`, but the
 * outcome for that case is not documented here. Confirm that a missing
 * identity is denied when enforcement is enabled.
 * NOTE(review): confirm whether this function consults `isRbacEnabled()`
 * itself or expects callers to do so, and that a failed SubjectAccessReview
 * request (API error, timeout) resolves to a denial rather than an allow.
 *
 * @param identity - The authenticated caller, or `undefined` when none is available.
 * @param params - The tool and optional namespace/resource/verb being checked.
 * @returns A promise for the check result; gate on `allowed` only.
 */
export declare function checkToolAccess(identity: UserIdentity | undefined, params: RbacCheckParams): Promise<RbacCheckResult>;
/**
 * Check which tools from a list the identity is authorized for.
 * Runs checks in parallel for efficiency.
 *
 * Filtering what is listed is not a substitute for checking access when a
 * tool is invoked. A caller that knows a tool's name can still request it, so
 * the invocation path needs its own check.
 *
 * NOTE(review): presumably each entry is checked by its `name` with the same
 * rules as `checkToolAccess`, including the token bypass. Confirm in the
 * implementation.
 * NOTE(review): confirm that a tool whose check fails or errors is left out
 * of the result (fail closed), and whether the input order is preserved.
 * NOTE(review): the parallel checks presumably issue one authorization
 * request per tool. Confirm that large tool lists cannot flood the API server.
 *
 * @param identity - The authenticated caller, or `undefined` when none is available.
 * @param tools - Candidate tools; only the `name` property is required by the type.
 * @returns A promise for the tools the identity is authorized for.
 */
export declare function filterAuthorizedTools<T extends {
    name: string;
}>(identity: UserIdentity | undefined, tools: T[]): Promise<T[]>;
/**
 * Reset the cached API client (for testing).
 *
 * Takes no arguments and returns nothing.
 * NOTE(review): the cached client is presumably the Kubernetes client used
 * for SubjectAccessReview calls. Confirm in the implementation.
 * This is exported as a test hook; production code paths should not need to
 * call it.
 */
export declare function resetAuthzApi(): void;
//# sourceMappingURL=check-access.d.ts.map