/**
 * Tenant context resolution and validation for multi-tenant gateway.
 *
 * Maps IAM user claims + connect params to a TenantContext that scopes
 * sessions, canvas, and billing to a specific org/project.
 *
 * This file holds declarations only; the implementations are not visible
 * here, so the notes marked NOTE(review) below are points to confirm
 * against the implementation rather than statements about it.
 */
import type { GatewayIamAuthResult } from "./auth-iam.js";

/**
 * Identity and scope attached to a gateway connection in tenant mode.
 *
 * `userId` is documented as coming from the JWT, while `orgId` may originate
 * from connect params (see the priority order on `resolveTenantContext`).
 */
export type TenantContext = {
    /** Organization ID (required for tenant mode). */
    orgId: string;
    /** Project ID within the org (optional). */
    projectId?: string;
    /** User ID (from JWT sub claim). */
    userId: string;
    /**
     * User display name or email.
     * NOTE(review): presumably for display/logging only; confirm no access
     * decision keys on this field instead of `userId`.
     */
    userName?: string;
    /** Environment tag (e.g. "production", "staging"). */
    env?: string;
};

/**
 * Resolve tenant context from IAM auth result + connect params.
 *
 * Priority for orgId:
 * 1. Explicit `tenant.orgId` from connect params
 * 2. IAM auth result's `currentOrgId`
 * 3. First org in IAM auth result's `orgIds`
 *
 * Returns null if no org can be determined (personal/self-hosted mode).
 *
 * Security notes:
 * - The highest-priority source for `orgId` is the connect params, i.e. a
 *   value chosen by the connecting client. Nothing in this contract says the
 *   value is checked against the user's memberships, so the result should be
 *   passed to `validateTenantAccess` before it is used to scope sessions,
 *   canvas, or billing.
 *   NOTE(review): confirm whether the implementation already performs that
 *   membership check itself.
 * - `requestedTenant.projectId` and `requestedTenant.env` are client-supplied
 *   as well. NOTE(review): `env` is not mentioned in the validation contract;
 *   confirm it is verified somewhere or is treated as an unverified label.
 * - A null result means "no tenant", not "access granted". NOTE(review): in a
 *   deployment that requires tenant mode, confirm callers reject a null
 *   result instead of continuing unscoped.
 *
 * @param params.iamResult - Successful IAM auth result (narrowed to `ok: true`).
 * @param params.requestedTenant - Optional tenant selection taken from the
 *   connect params.
 * @returns The resolved context, or null when no org can be determined.
 */
export declare function resolveTenantContext(params: {
    iamResult: GatewayIamAuthResult & {
        ok: true;
    };
    requestedTenant?: {
        orgId?: string;
        projectId?: string;
        env?: string;
    };
}): TenantContext | null;

/**
 * Validate that the user has access to the requested tenant (org/project).
 * Returns an error reason if access is denied, or null if allowed.
 *
 * The return convention is inverted relative to a boolean "isAllowed": null
 * is the only value that means allowed. Callers should compare the result
 * explicitly (`=== null` / `!== null`) rather than by truthiness.
 * NOTE(review): whether an empty-string reason can be returned is not visible
 * here; an explicit null comparison avoids reading one as "allowed".
 *
 * @param params.iamResult - Successful IAM auth result (narrowed to `ok: true`)
 *   for the connecting user.
 * @param params.tenant - Tenant context to check, typically the value
 *   returned by `resolveTenantContext`.
 * @returns A denial reason string, or null when access is allowed.
 */
export declare function validateTenantAccess(params: {
    iamResult: GatewayIamAuthResult & {
        ok: true;
    };
    tenant: TenantContext;
}): string | null;