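import { x as IamEngine } from "../../index-DiOdpz0c.js";
import { t as IamRequest } from "../../request-BouexCSW.js";
import { IamAdminAudit } from "../generic/index.js";

// NOTE(review): this declaration text arrived with its line breaks collapsed and
// every `<...>` type-argument list missing (e.g. `Promise;`, `Pick, 'getUserId' ...>`),
// so it did not parse. The generics below are reconstructed from the `@template`
// tags and the call shapes in this file. The `extends string = string` bounds, the
// `IamEngine<...>` argument order and the `Promise<...>` payloads are assumptions -
// confirm them against the published index.d.ts.

//#region src/server/hono/index.d.ts
/**
 * Minimal Hono context shape.
 *
 * `get()` returns `unknown`, so an extractor has to narrow a stored value
 * (for example the authenticated user ID) before using it.
 */
interface HonoContext {
  req: {
    method: string;
    path: string;
    url: string;
    header(name: string): string | undefined;
    param(name: string): string | undefined;
  };
  get(key: string): unknown;
  set(key: string, value: unknown): void;
  json(data: unknown, status?: number): Response;
  text(data: string, status?: number): Response;
}

/** Hono next function. */
type HonoNext = () => Promise<void>;

/**
 * Hono middleware function.
 *
 * Resolves to a `Response` when the middleware answers the request itself
 * (the 401/403/500 replies documented below) and to nothing when it calls `next`.
 */
type HonoMiddleware = (c: HonoContext, next: HonoNext) => Promise<Response | void>;

/** Hono server integration types. Type-only namespace - zero bundle cost. */
declare namespace IamHono {
  /**
   * Describes options for the Hono {@link iamAccessMiddleware} and {@link iamGuard}.
   *
   * Every extractor has a sensible default.
   * NOTE(review): the defaults themselves are not visible in this declaration
   * file. Check what the default `getUserId` and `getEnvironment` read before
   * relying on them for an access decision.
   *
   * @template TScope - Constrains valid scope strings.
   */
  interface IOptions<TScope extends string = string> {
    /**
     * Extracts the current user ID from the context.
     *
     * Return `null` for an unauthenticated request; the middleware then replies 401.
     * The ID should come from a credential an upstream auth layer has already
     * verified (for example a value it stored with `c.set`), never from a raw
     * client-supplied header or query parameter.
     */
    getUserId?: (c: HonoContext) => string | null;
    /** Derives the target resource from the context. */
    getResource?: (c: HonoContext) => IamRequest.IResource;
    /** Derives the action being performed from the context. */
    getAction?: (c: HonoContext) => string;
    /**
     * Extracts environment context (IP, user-agent, etc.) from the context.
     *
     * These values are client-influenced. A forwarded-address header is only
     * meaningful behind a proxy that overwrites it, so policies should not
     * treat it as proof of origin.
     */
    getEnvironment?: (c: HonoContext) => IamRequest.IEnvironment;
    /** Determines the scope used for the access check. */
    getScope?: (c: HonoContext) => TScope | undefined;
    /** Handles a denied request (defaults to 403 JSON). */
    onDenied?: (c: HonoContext) => Response;
    /**
     * Handles thrown errors during evaluation (defaults to 500 JSON).
     *
     * A custom handler should log `err` server-side and return a generic body;
     * echoing `err.message` or a stack trace exposes policy internals to the caller.
     */
    onError?: (err: Error, c: HonoContext) => Response;
  }

  /**
   * Required guard callback for the Hono admin router.
   *
   * Returning `false` (or throwing) blocks the request, so the check fails
   * closed. Return `true` only after positively establishing that the caller
   * is an administrator.
   */
  type IAdminAuthorize = (c: HonoContext) => boolean | Promise<boolean>;

  /** Describes options for {@link iamBindAdminRouter}. `authorize` is required. */
  interface IAdminOptions extends IamAdminAudit.IOptions {
    /** Required. Runs before every admin handler (read or write). */
    authorize: IAdminAuthorize;
    /** Overrides the 401 unauthorized response. */
    onUnauthorized?: (c: HonoContext) => Response;
    /**
     * Overrides the 500 internal error response.
     *
     * Keep internal error detail out of the response body.
     */
    onError?: (err: Error, c: HonoContext) => Response;
    /**
     * Optional audit hook fired AFTER every mutation handler (PUT/POST/
     * DELETE/PATCH) completes - success or failure. The hook is
     * fire-and-forget: a slow or throwing implementation never blocks the
     * request and can never alter the response. GET handlers do not fire it.
     *
     * Consequences for an audit trail: delivery is best-effort, so a failing
     * hook loses the event while the mutation still succeeds, and admin reads
     * leave no record through this hook.
     *
     * See {@link IamAdminAudit.IOptions} for additional hardening knobs:
     * `redactPath`, `onAuditHookError`, and `includeErrorMessage`.
     * NOTE(review): presumably `onAuditHookError` is where a dropped event
     * surfaces - confirm, and route it to alerting if so.
     * NOTE(review): PATCH is listed here but {@link IRouterLike} declares no
     * `patch()` - confirm whether any PATCH route is actually registered.
     */
    onAdminMutation?: IamAdminAudit.Hook;
  }

  /** Describes the minimal Hono router surface used by {@link iamBindAdminRouter}. */
  interface IRouterLike {
    get(path: string, handler: (c: HonoContext) => Promise<Response> | Response): unknown;
    put(path: string, handler: (c: HonoContext) => Promise<Response> | Response): unknown;
    post(path: string, handler: (c: HonoContext) => Promise<Response> | Response): unknown;
    delete(path: string, handler: (c: HonoContext) => Promise<Response> | Response): unknown;
  }
}

/**
 * Builds Hono middleware that runs `engine.can(...)` on every request.
 *
 * Replies 401 when no user is present and 403 when denied.
 *
 * Register it after the middleware that authenticates the request, so that
 * `getUserId` reads an identity that has already been verified.
 *
 * @template TAction - Constrains valid action strings.
 * @template TResource - Constrains valid resource strings.
 * @template TRole - Constrains valid role strings.
 * @template TScope - Constrains valid scope strings.
 * @param engine - Provides the access engine to consult.
 * @param opts - Configures optional extractors and error hooks.
 * @returns A Hono middleware function.
 * @example
 * ```ts
 * app.use('*', iamAccessMiddleware(engine, {
 *   // c.get() is typed unknown: narrow instead of asserting.
 *   getUserId: (c) => {
 *     const id = c.get('userId')
 *     return typeof id === 'string' ? id : null
 *   },
 * }))
 * ```
 */
declare function iamAccessMiddleware<
  TAction extends string = string,
  TResource extends string = string,
  TRole extends string = string,
  TScope extends string = string,
>(
  engine: IamEngine<TAction, TResource, TRole, TScope>,
  opts?: IamHono.IOptions<TScope>,
): HonoMiddleware;

/**
 * Wires admin CRUD endpoints onto a Hono router.
 *
 * `authorize` is required and runs before every handler. Throws when the
 * callback is missing, so a mis-wired admin router fails at startup instead
 * of being served unprotected.
 *
 * @template TAction - Constrains valid action strings.
 * @template TResource - Constrains valid resource strings.
 * @template TRole - Constrains valid role strings.
 * @template TScope - Constrains valid scope strings.
 * @param router - Provides the existing Hono router instance.
 * @param engine - Provides the access engine whose `admin` operations are exposed.
 * @param opts - Must include `authorize`.
 * @returns The same router (chainable).
 * @throws Error when `opts.authorize` is not a function.
 * @example
 * ```ts
 * import { Hono } from 'hono'
 * const admin = new Hono()
 * iamBindAdminRouter(admin, engine, {
 *   authorize: (c) => isAdmin(c),
 *   onAdminMutation: (e) => auditLog.write(e),
 * })
 * app.route('/admin', admin)
 * ```
 * @example
 * Rate limiting is out of scope; compose at the mount point with a Hono
 * middleware before the admin sub-app. Pseudocode:
 * ```ts
 * import { rateLimit } from 'some-hono-rate-limit'
 * app.use('/admin/*', rateLimit({ windowMs: 60_000, max: 30 }))
 * app.route('/admin', admin)
 * ```
 */
declare function iamBindAdminRouter<
  TAction extends string = string,
  TResource extends string = string,
  TRole extends string = string,
  TScope extends string = string,
>(
  router: IamHono.IRouterLike,
  engine: IamEngine<TAction, TResource, TRole, TScope>,
  opts: IamHono.IAdminOptions,
): IamHono.IRouterLike;

/**
 * Builds Hono middleware that checks `(action, resourceType)` for the current
 * user, pulling the resource ID from the `:id` route param.
 *
 * The decision covers the ID in the route only. The handler behind the guard
 * should act on that same `:id` and not on an ID taken from the request body
 * or query string, otherwise the check and the operation can refer to
 * different resources.
 * NOTE(review): how a route without an `:id` param is evaluated (see the
 * second example) is not visible in this declaration file - confirm.
 *
 * @template TAction - Constrains valid action strings.
 * @template TResource - Constrains valid resource strings.
 * @template TRole - Constrains valid role strings.
 * @template TScope - Constrains valid scope strings.
 * @param engine - Provides the access engine to consult.
 * @param action - Specifies the action being performed.
 * @param resourceType - Specifies the resource type required for the check.
 * @param opts - Configures optional extractors and `scope` override.
 * @returns A Hono middleware function.
 * @example
 * ```ts
 * app.delete('/posts/:id', iamGuard(engine, 'delete', 'post'), handler)
 * app.post('/admin/users', iamGuard(engine, 'manage', 'user', { scope: 'admin' }), handler)
 * ```
 */
declare function iamGuard<
  TAction extends string = string,
  TResource extends string = string,
  TRole extends string = string,
  TScope extends string = string,
>(
  engine: IamEngine<TAction, TResource, TRole, TScope>,
  action: TAction,
  resourceType: TResource,
  opts?: Pick<IamHono.IOptions<TScope>, 'getUserId' | 'getEnvironment' | 'onDenied' | 'onError'> & {
    scope?: TScope;
  },
): HonoMiddleware;
//#endregion

export { IamHono, iamAccessMiddleware, iamBindAdminRouter, iamGuard };
//# sourceMappingURL=index.d.ts.map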