import { t as IamClient } from "../../client-0N6XNM6z.js";

//#region src/client/vanilla/index.d.ts
/** Callback invoked when permissions are updated via {@link IamAccessClient.update} or {@link IamAccessClient.merge}. */
type Listener<TAction extends string = string, TResource extends string = string, TScope extends string = string> = (permissions: IamClient.PermissionMap<TAction, TResource, TScope>) => void;
/**
 * Provides framework-agnostic client-side access control.
 *
 * Wraps a {@link IamClient.PermissionMap} (typically fetched from the server) and
 * exposes `.can()` / `.cannot()` checks. Supports reactive updates via
 * `.subscribe()`.
 *
 * @template TAction - Constrains valid action strings.
 * @template TResource - Constrains valid resource strings.
 * @template TScope - Constrains valid scope strings.
 * @example
 * ```ts
 * const access = new IamAccessClient(permissionsFromServer)
 * if (access.can('delete', 'post')) deleteIt()
 * const unsub = access.subscribe(() => rerender())
 * ```
 */
declare class IamAccessClient<TAction extends string = string, TResource extends string = string, TScope extends string = string> {
  private _permissions;
  private _listeners;
  /**
   * Creates a new client wrapping the given permission map.
   *
   * @param permissions - Optional initial permission map (set later via `update`).
   */
  constructor(permissions?: IamClient.PermissionMap<TAction, TResource, TScope>);
  /**
   * Fetches a permission map from `url` and returns a populated client.
   *
   * @template TA - Constrains valid action strings.
   * @template TR - Constrains valid resource strings.
   * @template TS - Constrains valid scope strings.
   * @param url - Specifies the endpoint that returns a JSON permission map.
   * @param init - Optional `fetch` init (auth headers, signal, etc.).
   * @returns A populated {@link IamAccessClient}.
   * @throws Error when the response status is non-2xx.
   */
  static fromServer<TA extends string = string, TR extends string = string, TS extends string = string>(url: string, init?: RequestInit): Promise<IamAccessClient<TA, TR, TS>>;
  /**
   * Returns a readonly view of the current permission map.
   *
   * @returns Readonly map of action/resource keys to boolean grants.
   */
  get permissions(): Readonly<IamClient.PermissionMap<TAction, TResource, TScope>>;
  /**
   * Returns whether the action is granted on the resource.
   *
   * @param action - Specifies the action being checked.
   * @param resource - Specifies the resource type.
   * @param resourceId - Optional resource instance ID.
   * @param scope - Optional scope binding the check.
   * @returns `true` when the permission map grants the combination.
   */
  can(action: TAction, resource: TResource, resourceId?: string, scope?: TScope): boolean;
  /**
   * Returns whether the action is denied on the resource.
   *
   * @param action - Specifies the action being checked.
   * @param resource - Specifies the resource type.
   * @param resourceId - Optional resource instance ID.
   * @param scope - Optional scope binding the check.
   * @returns `true` when the permission map does not grant the combination.
   */
  cannot(action: TAction, resource: TResource, resourceId?: string, scope?: TScope): boolean;
  /**
   * Replaces the current permission map and notifies subscribers.
   *
   * Listener errors are caught so one failing handler cannot block others.
   *
   * @param permissions - Provides the new permission map.
   * @returns Nothing.
   */
  update(permissions: IamClient.PermissionMap<TAction, TResource, TScope>): void;
  /**
   * Shallow-merges the given map into the current permissions and notifies subscribers.
   *
   * @param permissions - Provides the partial permission patch.
   * @returns Nothing.
   */
  merge(permissions: IamClient.PermissionMap<TAction, TResource, TScope>): void;
  /**
   * Registers a listener to run on every permission change.
   *
   * @param fn - Listener invoked with the new permission map.
   * @returns An unsubscribe function.
   */
  subscribe(fn: Listener<TAction, TResource, TScope>): () => void;
  /**
   * Lists every action allowed against the given resource type.
   *
   * Handles all key formats produced by `iamBuildPermissionKey`:
   * `action:resource`, `action:resource:resourceId`, `scope:action:resource`,
   * and `scope:action:resource:resourceId`.
   *
   * @param resource - Specifies the resource type to filter by.
   * @returns Deduplicated array of actions allowed on `resource`.
   */
  allowedActions(resource: TResource): TAction[];
  /**
   * Returns whether at least one action is allowed on the resource.
   *
   * @param resource - Specifies the resource type to probe.
   * @returns `true` when any granted key targets the resource.
   */
  hasAnyOn(resource: TResource): boolean;
}
//#endregion
export { IamAccessClient };
//# sourceMappingURL=index.d.ts.map