import { aws_iam as iam } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import type { HarnessApiFormat, HarnessSkill, HarnessTool } from '../../../../../schema/schemas/primitives/harness';
import type { AgentCoreComponentProps } from '../../base-props';

/**
 * Alias for the schema's harness tool type.
 *
 * The full schema type is used so that every tool variant the spec allows is
 * accepted. For IAM scoping the role construct itself reads only `type` and
 * the browser / code-interpreter ARNs found in `config`.
 */
export type HarnessToolConfig = HarnessTool;

/**
 * An access-point ARN together with a mount path. This is the element type of
 * `efsAccessPoints` and `s3AccessPoints` on {@link HarnessRoleConfig}.
 */
export interface HarnessMountConfig {
  readonly accessPointArn: string;
  readonly mountPath: string;
}

/**
 * Harness settings consumed by {@link AgentCoreHarnessRole}.
 *
 * Only `name` is required. Most of the remaining fields carry no documentation
 * in this declaration, so their effect on the generated policies has to be
 * confirmed against the implementation.
 */
export interface HarnessRoleConfig {
  readonly name: string;

  /**
   * ARN of an existing execution role. When this is set the role is imported
   * (via `fromRoleArn(..., { mutable: false })`) instead of being created, and
   * CDK cannot attach statements to it: the imported role must already carry
   * every permission the harness needs. See
   * {@link AgentCoreHarnessRole.addToPolicy}.
   */
  readonly executionRoleArn?: string;

  readonly memoryName?: string;

  /**
   * Set to true when the harness runs with managed memory
   * (`memory.mode === 'managed'`).
   *
   * The harness reads and writes that memory at RUNTIME through this execution
   * role, so the role needs the memory data-plane actions, scoped to the
   * harness's managed-memory ARN pattern. This is the same data-plane set that
   * is granted for existing memory (see
   * AgentCoreApplication.wireMemoriesToHarnesses). It is NOT control-plane
   * access: the memory is created by the CFN resource handler under its own
   * role, never by this runtime role.
   */
  readonly managedMemory?: boolean;

  // NOTE(review): the four fields below presumably feed the conditional ECR
  // policy mentioned on the class - confirm in the implementation.
  readonly containerUri?: string;
  readonly hasDockerfile?: boolean;
  readonly dockerfile?: string;
  readonly codeLocation?: string;

  /**
   * Tools attached to the harness. For IAM scoping only `type` and the
   * browser / code-interpreter ARNs in each tool's `config` are read.
   */
  readonly tools?: HarnessTool[];

  readonly skills?: HarnessSkill[];

  // NOTE(review): how this ARN is used is not visible in the declaration.
  // Confirm that any statement built from it names exactly this ARN as its
  // resource rather than a wildcard.
  readonly apiKeyArn?: string;

  // NOTE(review): likewise confirm that access granted for these mounts is
  // limited to the listed access-point ARNs.
  readonly efsAccessPoints?: HarnessMountConfig[];
  readonly s3AccessPoints?: HarnessMountConfig[];

  readonly apiFormat?: HarnessApiFormat;
}

/** Construct props: the shared component props plus the harness settings. */
export interface AgentCoreHarnessRoleProps extends AgentCoreComponentProps {
  readonly harness: HarnessRoleConfig;
}

/**
 * IAM execution role for an AgentCore harness.
 *
 * The construct either creates the role or imports an existing one. It builds
 * scoped IAM policies for the execution role, adding resource-scoped policies
 * for browser, code interpreter and ECR only when they apply.
 */
export declare class AgentCoreHarnessRole extends Construct {
  /** The execution role, whether created here or imported. */
  readonly role: iam.IRole;
  readonly roleArn: string;
  private readonly harnessName;

  constructor(scope: Construct, id: string, props: AgentCoreHarnessRoleProps);

  /**
   * Adds a policy statement to the harness role.
   *
   * A role created by this construct gets the statement attached in the usual
   * way. A role imported through `executionRoleArn` comes in via
   * `fromRoleArn(..., { mutable: false })`, so CDK cannot mutate it and the
   * statement cannot be attached. Dropping the grant silently would surface
   * only as a runtime AccessDenied, so a synth-time warning is emitted
   * instead, telling the user that the imported role must already carry the
   * required permissions.
   *
   * @param statement - The statement to attach (created role) or to warn
   *   about (imported role).
   */
  addToPolicy(statement: iam.PolicyStatement): void;
}
//# sourceMappingURL=AgentCoreHarnessRole.d.ts.map