import type { ConnectionConfig } from "../../config/models.js";
/**
 * A connection predicate's verdict on whether a tool should be enabled for a
 * given connection. Carries a {@linkcode ToolDisabledReason} when disabled so
 * that downstream consumers (startup logging, diagnostic tooling) can group
 * identical failures and render actionable messages to the user.
 */
export type PredicateResult = {
    readonly enabled: true;
} | {
    readonly enabled: false;
    readonly reason: ToolDisabledReason;
};
export type ConnectionPredicate = (conn: ConnectionConfig) => PredicateResult;
export declare const ENABLED: PredicateResult;
/**
 * Block-level — required by any tool that needs Kafka access regardless of
 * transport (native client or REST proxy).
 */
export declare function hasKafka(conn: ConnectionConfig): PredicateResult;
/**
 * Field-level — required by tools that drive the native Kafka
 * admin/producer/consumer client (the broker address lives on
 * `bootstrap_servers`).
 */
export declare function hasKafkaBootstrap(conn: ConnectionConfig): PredicateResult;
/**
 * Field-level — required by tools that perform authenticated Kafka calls.
 */
export declare function hasKafkaAuth(conn: ConnectionConfig): PredicateResult;
/**
 * Field-level — required by tools that talk to the Kafka REST proxy
 * (`/kafka/v3` endpoints); needs both `rest_endpoint` and `auth` on the
 * `kafka` block.
 */
export declare function hasKafkaRestWithAuth(conn: ConnectionConfig): PredicateResult;
/**
 * Block-level — required by tools that read or write through the Schema
 * Registry.
 */
export declare function hasSchemaRegistry(conn: ConnectionConfig): PredicateResult;
/**
 * Block-level — verdict on whether the connection can reach the Confluent
 * Cloud control-plane REST surface, accepting either flavor. Direct
 * connections satisfy this when they carry a `confluent_cloud` block; OAuth
 * connections satisfy it unconditionally (the cloud REST URL is derived from
 * the Auth0 environment).
 *
 * Pair: {@linkcode hasConfluentCloud} for the direct-only verdict.
 */
export declare const hasConfluentCloudOrOAuth: ConnectionPredicate;
/**
 * Block-level — verdict that holds only for direct connections carrying a
 * `confluent_cloud` block. Use this on handlers that are not yet OAuth-capable
 * and call `getSoleDirectConnection()` inside `handle()`. Once a handler
 * widens to OAuth, switch its predicate to
 * {@linkcode hasConfluentCloudOrOAuth}.
 */
export declare function hasConfluentCloud(conn: ConnectionConfig): PredicateResult;
/**
 * Block-level — required by tools that drive Flink SQL or its catalog.
 */
export declare function hasFlink(conn: ConnectionConfig): PredicateResult;
/**
 * Block-level — required by tools that read metrics from the Telemetry API.
 */
export declare function hasTelemetry(conn: ConnectionConfig): PredicateResult;
/**
 * Block-level — required by tools that manage Tableflow topics or catalog
 * entries.
 */
export declare function hasTableflow(conn: ConnectionConfig): PredicateResult;
/**
 * Field-level — verdict that holds when the `schema_registry` block is
 * present and its `auth` field is `api_key`-typed. That combination is the
 * reliable signal that the SR is CCloud-hosted and therefore exposes the
 * `/catalog/v1/` endpoints. A vanilla CP SR has no auth, so it disables
 * even when the `schema_registry` block itself is present.
 */
export declare function hasCCloudCatalogSupport(conn: ConnectionConfig): PredicateResult;
/**
 * Predicate that returns {@linkcode ENABLED} for every connection. Use as
 * the {@linkcode BaseToolHandler.predicate} for tools with no service-block
 * requirement (e.g., generic docs search).
 */
export declare const alwaysEnabled: ConnectionPredicate;
/**
 * Combine predicates with logical AND, short-circuiting on the first
 * failure. Returns {@linkcode ENABLED} only when every predicate passes for
 * the given connection; otherwise returns the first failing verdict so the
 * specific reason propagates downstream to startup logging and the
 * diagnostic-tool surface.
 *
 * Use this — never raw `predA(conn) && predB(conn)`. JavaScript boolean
 * composition silently drops the first operand because every
 * `PredicateResult` is a truthy object.
 */
export declare function allOf(...predicates: ConnectionPredicate[]): ConnectionPredicate;
/**
 * Wrap a predicate so OAuth connections always answer enabled. Use this on
 * tool handlers that have been adapted to operate against an OAuth-typed
 * connection at call time — the wrapped predicate's block-based verdict
 * still governs direct connections, while OAuth's "no service blocks"
 * early-exit is overridden.
 */
export declare function widenForOAuth(predicate: ConnectionPredicate): ConnectionPredicate;
/**
 * The native-Kafka client gate, widened to admit OAuth. Direct connections
 * still need `kafka.bootstrap_servers`; OAuth connections satisfy it
 * unconditionally (the broker URL is synthesized from the Auth0 environment).
 * Use on handlers that have been brought into the OAuth fold.
 */
export declare const kafkaBootstrapOrOAuth: ConnectionPredicate;
/**
 * The Kafka REST client gate, widened to admit OAuth. Direct connections still
 * need both `kafka.rest_endpoint` and `kafka.auth`; OAuth connections satisfy
 * it unconditionally (the per-cluster REST URL is resolved at call time via
 * the cmk REST API and the bearer middleware handles auth). Use on REST-tool
 * handlers (`get-topic-config`, `alter-topic-config`).
 */
export declare const kafkaRestWithAuthOrOAuth: ConnectionPredicate;
/**
 * The Schema Registry gate, widened to admit OAuth. Direct connections still
 * need a `schema_registry` block; OAuth connections satisfy it unconditionally
 * (the SR cluster + endpoint are auto-resolved at call time from
 * `environment_id`).
 */
export declare const hasSchemaRegistryOrOAuth: ConnectionPredicate;
/**
 * Gate for tools that create connectors against the direct Confluent Cloud
 * REST surface: requires both a `confluent_cloud` block (the `/connect/v1`
 * endpoint) and `kafka.auth` (the connector spec carries kafka API
 * credentials). Strict-direct — OAuth connections answer `OAuthNotDirectCapable`
 * because the handler calls `getSoleDirectConnection()`.
 */
export declare const canCreateDirectConnector: ConnectionPredicate;
/**
 * Gate for tools that read telemetry metrics about Flink statements:
 * requires both the `flink` block (to address a statement) and the
 * `telemetry` block (to query the metrics API).
 */
export declare const flinkWithTelemetry: ConnectionPredicate;
/**
 * Every reason a {@linkcode ConnectionPredicate} can return `enabled: false`.
 * The symbol is the wire-stable identifier (referenced from predicate bodies
 * and tests); the value is the human-readable phrasing surfaced to end users
 * through startup logs and diagnostic tooling.
 *
 * Adding a reason: name the symbol after what's missing from the connection
 * config (not which predicate emitted it — multiple predicates may share a
 * reason), and write the value as a declarative phrase a misconfigured user
 * could act on.
 */
export declare enum ToolDisabledReason {
    MissingKafkaBlock = "no 'kafka' block in connection config",
    MissingKafkaBootstrap = "'kafka' block does not have 'bootstrap_servers' field",
    MissingKafkaAuth = "'kafka' block does not have 'auth' field",
    MissingKafkaRestEndpoint = "'kafka' block does not have 'rest_endpoint' field",
    MissingSchemaRegistryBlock = "no 'schema_registry' block in connection config",
    MissingSchemaRegistryApiKeyAuth = "'schema_registry' block does not have 'auth' field of type 'api_key'",
    MissingConfluentCloudBlock = "no 'confluent_cloud' block in connection config",
    MissingFlinkBlock = "no 'flink' block in connection config",
    MissingTelemetryBlock = "no 'telemetry' block in connection config",
    MissingTableflowBlock = "no 'tableflow' block in connection config",
    OAuthNoServiceBlocks = "OAuth connections carry no service blocks",
    OAuthNotDirectCapable = "OAuth connection cannot satisfy a direct-only requirement"
}
//# sourceMappingURL=connection-predicates.d.ts.map