/**
 * Branch-mutation denylist for the git-shim binary (T1118 L2).
 *
 * When CLEO_AGENT_ROLE is set to a restricted role (worker|lead|subagent),
 * any git invocation matching an entry in this list is rejected with exit 1
 * and a structured error on stderr.
 *
 * The allowlist is implicit: any subcommand NOT in the denylist passes through
 * to real git transparently.
 *
 * @task T1118
 * @task T1121
 */
import type { DeniedGitOp } from '@cleocode/contracts';
/**
 * Roles that are subject to the branch-mutation denylist.
 *
 * Orchestrators bypass the shim entirely.
 *
 * @task T1118
 * @task T1121
 */
export declare const RESTRICTED_ROLES: Set<string>;
/**
 * Branch-mutating git operations that are denied for restricted roles.
 *
 * Entries are matched against argv[1] (subcommand) and optional flags.
 * When a flag is present, BOTH the subcommand AND the flag must appear.
 *
 * @remarks
 * - `flag: undefined` means any invocation of the subcommand is denied.
 * - `flag: "--hard"` means only `git reset --hard` is denied; `git reset
 *   --soft` passes through.
 *
 * @task T1118
 * @task T1121
 */
export declare const GIT_OP_DENYLIST: ReadonlyArray<DeniedGitOp>;
/**
 * Determine whether a git invocation should be denied for a restricted role.
 *
 * @param subcommand - The git subcommand (argv[1]).
 * @param args - The remaining arguments (argv[2..]).
 * @returns The matching {@link DeniedGitOp} if denied, or null if allowed.
 */
export declare function findDeniedOp(subcommand: string, args: string[]): DeniedGitOp | null;
//# sourceMappingURL=denylist.d.ts.map