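/**
 * Caveat types + evaluation.
 *
 * A request is allowed only if every caveat on every capability in
 * the delegation chain passes. Unknown caveat types fail closed —
 * a verifier that doesn't understand a caveat cannot prove it holds.
 *
 * NOTE(review): dictionary types in this file are written as
 * `Record<string, unknown>`; a bare `Record` does not type-check, and
 * `unknown` forces consumers to narrow wire-form values before use.
 * Confirm against the implementation's actual value type.
 */
import type { InvocationContext } from './model';

/**
 * Error type for a failed caveat. `caveatFromDict` is documented to throw
 * it for unknown caveat types.
 *
 * NOTE(review): `Caveat.check` returns `void`, so it presumably also
 * signals a failed check by throwing this — confirm in the implementation.
 */
export declare class CaveatViolation extends Error {
  constructor(message: string);
}

/** Contract shared by every caveat. */
export interface Caveat {
  /** Discriminator naming the caveat kind (e.g. "PathPrefix"). */
  type: string;
  /** Dictionary form of the caveat; `caveatFromDict` parses this shape back. */
  toDict(): Record<string, unknown>;
  /**
   * Evaluate the caveat against one invocation.
   *
   * Callers must treat any exception as a denial so that evaluation
   * stays fail-closed.
   */
  check(ctx: InvocationContext): void;
}

/**
 * Verb scope caveat — ctx.verb MUST be one of `verbs`.
 *
 * NOTE(review): `verbs` is optional in the constructor and the default is
 * not visible in this declaration; confirm that an omitted or empty list
 * denies every verb rather than allowing all of them.
 */
export declare class ValidWhileTrue implements Caveat {
  readonly type = "ValidWhileTrue";
  readonly verbs: string[];
  constructor(verbs?: string[]);
  toDict(): Record<string, unknown>;
  check(ctx: InvocationContext): void;
}

/**
 * invocationTarget path-prefix caveat. Substring match — implementers
 * SHOULD anchor at a directory boundary (`/`) at the end of the
 * prefix to avoid `s3://our-bucketEVIL/` foot-guns.
 *
 * NOTE(review): `prefix` is optional and the default is not visible here;
 * an empty prefix would match every target, so confirm the implementation
 * rejects it. Whether the target is normalised before comparison is also
 * not visible in this declaration — verify.
 */
export declare class PathPrefix implements Caveat {
  readonly type = "PathPrefix";
  readonly prefix: string;
  constructor(prefix?: string);
  toDict(): Record<string, unknown>;
  check(ctx: InvocationContext): void;
}

/**
 * Per-request byte budget caveat.
 *
 * NOTE(review): `max` is optional and the default is not visible here;
 * confirm that a missing, negative or non-finite budget denies the
 * request instead of lifting the limit.
 */
export declare class MaxBytes implements Caveat {
  readonly type = "MaxBytes";
  readonly max: number;
  constructor(max?: number);
  toDict(): Record<string, unknown>;
  check(ctx: InvocationContext): void;
}

/**
 * Absolute expiry caveat (ISO 8601).
 *
 * NOTE(review): `at` is kept as a string, so it has to be parsed before
 * it can be compared with the current time; confirm that an omitted or
 * unparseable value is treated as expired (fail closed).
 */
export declare class Expires implements Caveat {
  readonly type = "Expires";
  readonly at: string;
  constructor(at?: string);
  toDict(): Record<string, unknown>;
  check(ctx: InvocationContext): void;
}

/**
 * Marks the capability as a leaf — cannot be further delegated.
 * Delegation-time check only (no runtime predicate).
 *
 * Because `check` is not a runtime predicate, a verifier that only runs
 * `check` on each caveat does not enforce this restriction; the
 * delegation path has to test for it explicitly.
 */
export declare class NonDelegable implements Caveat {
  readonly type = "NonDelegable";
  toDict(): Record<string, unknown>;
  check(_ctx: InvocationContext): void;
}

/**
 * Parse a wire-form caveat dict back to a Caveat instance.
 * Unknown types throw `CaveatViolation` (fail closed).
 *
 * The dict comes off the wire and is therefore untrusted input.
 * NOTE(review): how missing or wrongly typed fields of a known caveat
 * type are handled is not visible here — confirm they are rejected too.
 *
 * @param d - Wire-form caveat dictionary.
 * @returns The caveat instance for the dictionary's type.
 * @throws CaveatViolation when the caveat type is not recognised.
 */
export declare function caveatFromDict(d: Record<string, unknown>): Caveat;

/**
 * Report whether a caveat dictionary marks its capability as non-delegable.
 *
 * NOTE(review): presumably compares the dict's `type` with "NonDelegable";
 * the exact test is not visible in this declaration.
 *
 * @param c - Caveat dictionary (not a `Caveat` instance).
 */
export declare function isNonDelegable(c: Record<string, unknown>): boolean;

/**
 * ISO 8601 parser — accepts trailing `Z` or `+HH:MM` offset.
 *
 * NOTE(review): behaviour for timestamps without an offset, and for
 * malformed input, is not visible here; callers that use the result for
 * expiry decisions should confirm such input cannot yield a usable date.
 *
 * @param s - Timestamp string.
 * @returns The parsed instant.
 */
export declare function parseIso8601(s: string): Date;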