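/**
 * Outcome of a shim invocation that warrants an audit entry.
 *
 * `'blocked'` records carry an error code (see {@link AuditRecord.code}).
 * The two `'bypassed-*'` values presumably mark invocations that were let
 * through by an allow-git or orchestrate-merge override, judging by their
 * names; confirm against the shim implementation.
 *
 * @task T1591
 */
export type AuditOutcome = 'blocked' | 'bypassed-allow-git' | 'bypassed-orchestrate-merge';

/**
 * Single JSONL record written to the audit log.
 *
 * Every field is serialised as-is, so anything placed in `args`, `cwd` or
 * `context` ends up in the log file and, per {@link writeAuditRecord}, on
 * stderr as well.
 *
 * @task T1591
 */
export interface AuditRecord {
  /** ISO 8601 UTC timestamp. */
  ts: string;
  /** What happened. */
  outcome: AuditOutcome;
  /**
   * Boundary letter (a-d), "denylist" for legacy denylist hits,
   * "isolation" for the T1761 cwd-outside-worktree check, or
   * "absolute-path" for the T1852 absolute-path enforcement layer.
   */
  boundary: 'a' | 'b' | 'c' | 'd' | 'denylist' | 'isolation' | 'absolute-path';
  /**
   * CLEO error code, when blocked.
   *
   * NOTE(review): the field is a required `string`, so some value is also
   * written for the `'bypassed-*'` outcomes; which one is not visible from
   * this declaration.
   */
  code: string;
  /** Git subcommand. */
  subcommand: string;
  /**
   * Argv tail after subcommand.
   *
   * NOTE(review): git arguments can carry sensitive values (for example a
   * remote URL with embedded credentials). Whether the writer redacts them
   * is not visible here; confirm before shipping the log off-host.
   */
  args: string[];
  /** Working directory at invocation time. */
  cwd: string;
  /** Active worktree, when resolvable; `null` otherwise. */
  worktree_path: string | null;
  /** Task ID extracted from the worktree, when resolvable; `null` otherwise. */
  task_id: string | null;
  /** Agent role from CLEO_AGENT_ROLE; `null` is allowed by the type. */
  role: string | null;
  /**
   * Free-form context from the boundary predicate.
   *
   * NOTE(review): the reviewed text had a bare `Record`, which does not
   * compile (the generic needs two type arguments). `Record<string, unknown>`
   * is the most permissive reading of "free-form"; confirm against the
   * source module.
   */
  context: Record<string, unknown>;
}

/**
 * Resolve the audit log file path.
 *
 * Honours `CLEO_AUDIT_LOG_PATH` (test/owner override), otherwise defaults
 * to the XDG-conformant location.
 *
 * Because the destination comes from the environment, whoever controls the
 * shim's environment also chooses where audit records land. Treat the
 * variable as owner-only configuration when relying on the log as evidence.
 *
 * @returns Absolute path to the jsonl file.
 *
 * @task T1591
 */
export declare function resolveAuditLogPath(): string;

/**
 * Append a single record to the audit log.
 *
 * Best-effort: failures are swallowed so the shim can never wedge a git
 * invocation. The record is also echoed to stderr so operators see it
 * even if the file write fails.
 *
 * Consequently the file alone is not a complete trail: a failed write
 * leaves no entry and raises no error, so the stderr stream must also be
 * captured if every block/bypass event has to be accounted for.
 *
 * @param record - The audit record to persist.
 *
 * @task T1591
 */
export declare function writeAuditRecord(record: AuditRecord): void;
//# sourceMappingURL=audit-log.d.ts.map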