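import type { AgentEnvSpec } from '../../../../../schema';
import type { AgentCoreComponentProps } from '../../base-props';
import { aws_iam as iam, aws_s3_assets as s3_assets } from 'aws-cdk-lib';
import { Construct } from 'constructs';

/**
 * Props for AgentCore Runtime.
 *
 * `codeAsset` and `containerUri` are both optional at the type level, so this
 * interface does not itself enforce that exactly one artifact source is set.
 */
export interface AgentCoreRuntimeProps extends AgentCoreComponentProps {
  /** The agent configuration (v2 schema) */
  agent: AgentEnvSpec;

  /** The bundled code asset (for CodeZip builds) */
  codeAsset?: s3_assets.Asset;

  /** Container URI (for Container builds) */
  containerUri?: string;

  /**
   * ECR repository ARN (for Container builds, used to scope pull permissions).
   *
   * NOTE(review): what the execution role is granted when this is omitted is
   * not visible from this declaration; confirm the implementation does not
   * fall back to pull access on every repository.
   */
  ecrRepositoryArn?: string;

  /** KMS key ARN used to encrypt the ECR repository (for Container builds) */
  ecrEncryptionKeyArn?: string;

  /**
   * Environment variables to set on the runtime.
   *
   * Keys and values are strings, matching `addEnvironmentVariable(key, value)`.
   *
   * NOTE(review): these values presumably end up in the synthesized
   * CloudFormation template in clear text; keep secrets out of this map and
   * use the credential mechanism behind `grantCredentialAccess()` instead.
   * Confirm against the implementation.
   */
  environmentVariables?: Record<string, string>;
}

/**
 * AgentCore Runtime component construct.
 * Creates a CfnRuntime resource based on the runtime configuration.
 *
 * Uses L1 constructs to ensure stable logical IDs and deterministic CloudFormation updates.
 *
 * Supports both CodeZip and ContainerImage artifacts:
 * - CodeZip: S3 bucket/key, Python runtime version, entry point
 * - ContainerImage: ECR container URI
 */
export declare class AgentCoreRuntime extends Construct {
  readonly runtimeId: string;
  readonly runtimeArn: string;
  readonly roleArn: string;

  /** The IAM role used by this runtime. Used for granting permissions. */
  readonly role: iam.IRole;

  private readonly cfnRuntime;
  private credentialAccessGranted;

  /**
   * @param scope - Parent construct.
   * @param id - Construct id within `scope`.
   * @param props - Runtime configuration; see {@link AgentCoreRuntimeProps}.
   */
  constructor(scope: Construct, id: string, props: AgentCoreRuntimeProps);

  /**
   * Add additional policy statements to the execution role.
   * Uses L2 construct pattern - accepts IAM PolicyStatement objects.
   * Silently no-ops when using an imported role (mutable: false).
   *
   * Because no error is raised in the imported-role case, a caller that
   * depends on the statement has to make sure the imported role already
   * carries it; the call returning is not evidence that it was attached.
   *
   * @param statement - Statement to attach to the execution role.
   */
  addToPolicy(statement: iam.PolicyStatement): void;

  /**
   * Grant a principal permission to invoke this runtime.
   * Adds bedrock-agentcore:InvokeAgentRuntime and InvokeAgentRuntimeForUser permissions.
   *
   * NOTE(review): the ForUser action appears to let the caller invoke on
   * behalf of a user identity it supplies; confirm every grantee is trusted
   * to assert that identity before using this grant.
   *
   * @param grantee - Principal that receives the invoke permissions.
   * @returns The resulting IAM grant.
   */
  grantInvoke(grantee: iam.IGrantable): iam.Grant;

  /**
   * Grant a principal permission to execute commands in this runtime's container.
   *
   * This amounts to shell access to the container, so the grantee can reach
   * whatever the runtime's execution role and environment expose. Grant it
   * separately from invoke, and only to operator or break-glass principals.
   *
   * @param grantee - Principal that receives the exec permission.
   * @returns The resulting IAM grant.
   */
  grantExec(grantee: iam.IGrantable): iam.Grant;

  /**
   * Grant invoke + exec permissions. Use grantInvoke() alone if shell access is not needed.
   *
   * @param grantee - Principal that receives both permission sets.
   * @returns The resulting IAM grant.
   */
  grantInvokeAll(grantee: iam.IGrantable): iam.Grant;

  /**
   * Grant AgentCore Identity, API key, and OAuth2 credential permissions.
   * Only needed when the project has credentials configured.
   * Safe to call multiple times — permissions are granted only once.
   * Silently no-ops when using an imported role (mutable: false).
   *
   * With an imported role the credential permissions must already be present
   * on that role, since this call will not add them and will not fail.
   */
  grantCredentialAccess(): void;

  /**
   * Add an environment variable to the runtime.
   * Merges with existing environment variables.
   *
   * NOTE(review): precedence when `key` already exists is not visible from
   * this declaration; confirm whether the new value overwrites the old one.
   *
   * @param key - Variable name.
   * @param value - Variable value; not a place for secrets (see
   *   `AgentCoreRuntimeProps.environmentVariables`).
   */
  addEnvironmentVariable(key: string, value: string): void;
}
//# sourceMappingURL=AgentCoreRuntime.d.ts.map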