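export { hasGlobalEscalationAccess } from '../../services/user';

/**
 * Presumably resolves the roles visible to `userId` (inferred from the name;
 * the implementation is not part of this declaration file).
 *
 * NOTE(review): the published declaration read `Promise` with no type
 * argument, which does not compile (`Promise<T>` requires one). The resolved
 * type is not visible here, so it is declared `unknown` and callers must
 * narrow it; replace with the real type once confirmed.
 *
 * @param userId - Internal id of the user whose visible roles are requested.
 */
export declare function getVisibleRoles(userId: string): Promise<unknown>;

/**
 * Type guard that narrows an untyped value to `string[]`.
 *
 * The compiler trusts this predicate without checking it, so the runtime
 * implementation is the only validation applied to `ids` before it is
 * treated as a list of ids.
 * NOTE(review): confirm the implementation checks every element, not just
 * `Array.isArray`, and rejects empty or oversized lists if bulk size matters.
 *
 * @param ids - Untyped input, e.g. a request-body field.
 * @returns `true` when `ids` may be used as `string[]`.
 */
export declare function validateIds(ids: unknown): ids is string[];

/**
 * Decide whether `userId` may act on every id in `ids`.
 *
 * The result is a discriminated union on `allowed`: the denied variant
 * carries a fixed HTTP status of 403 and an error message. Callers have to
 * branch on `allowed` before touching the ids.
 *
 * @param userId - Internal id of the caller.
 * @param ids - Ids the caller wants to act on in bulk.
 * @returns `{ allowed: true }`, or `{ allowed: false, status: 403, error }`.
 */
export declare function checkBulkPermission(userId: string, ids: string[]): Promise<{
    allowed: true;
} | {
    allowed: false;
    status: 403;
    error: string;
}>;

/**
 * Identity to provision when the assignee doesn't exist in lt_users
 * or lacks the required role. Only honored for callers with global
 * escalation access (superadmin, admin/admin).
 *
 * Every field is supplied by the caller, and `roles` names roles to be
 * granted, so honoring this object is a privilege-granting operation. The
 * access check described above is enforced in the implementation, not by
 * this type.
 * NOTE(review): confirm that check runs server-side on the authenticated
 * identity and that provisioning and role grants are logged for audit.
 */
export interface ProvisionIfAbsent {
    /** Display name for a newly provisioned user. */
    displayName?: string;
    /** Email for a newly provisioned user. */
    email?: string;
    /** Roles to ensure on the user; `type` is optional per entry. */
    roles?: Array<{
        role: string;
        type?: string;
    }>;
}

/**
 * Resolve an optional assignee external_id to an internal userId.
 * When omitted, returns the caller's userId from auth.
 *
 * When `provisionIfAbsent` is provided and the caller has global access,
 * the user is JIT-provisioned if absent and roles are ensured. This avoids
 * pre-flight queries — the happy path (user exists) is one lookup.
 *
 * NOTE(review): what happens when `provisionIfAbsent` is supplied by a
 * caller without global access (ignored vs. rejected) is not stated here;
 * confirm against the implementation.
 *
 * @param assignee - External id of the assignee, or `undefined` for "self".
 * @param auth - Authenticated caller; `auth.userId` is the fallback result.
 * @param provisionIfAbsent - Optional identity and roles to provision.
 * @returns `{ userId }` on success, or `{ error: { status, error } }`.
 */
export declare function resolveAssignee(assignee: string | undefined, auth: {
    userId: string;
}, provisionIfAbsent?: ProvisionIfAbsent): Promise<{
    userId: string;
} | {
    error: {
        status: number;
        error: string;
    };
}>;

/**
 * Ensure a user has the required role for an escalation.
 * Called after claim when the atomic SQL returns null due to role mismatch.
 * Only adds the role if `provisionIfAbsent` declares it and caller has authority.
 *
 * NOTE(review): authority is evaluated for `callerUserId`, so that argument
 * should come from the authenticated session rather than from request data;
 * verify at the call sites.
 * NOTE(review): the published declaration read `Promise` with no type
 * argument, which does not compile. The resolved type is not visible here,
 * so it is declared `unknown` until confirmed against the implementation.
 *
 * @param userId - Internal id of the user who needs the role.
 * @param requiredRole - Role the escalation requires.
 * @param callerUserId - Internal id of the caller whose authority is checked.
 * @param provisionIfAbsent - Declares which roles may be added, if any.
 */
export declare function ensureRoleMembership(userId: string, requiredRole: string, callerUserId: string, provisionIfAbsent?: ProvisionIfAbsent): Promise<unknown>;

/**
 * Publish claim events for a set of ids assigned to one user.
 *
 * Returns `void`, so the declaration gives callers no completion or failure
 * signal. Presumably fire-and-forget; confirm how publish errors are
 * handled in the implementation.
 *
 * @param ids - Ids that were claimed.
 * @param assignedTo - Identifier of the user the ids were assigned to.
 */
export declare function publishBulkClaimEvents(ids: string[], assignedTo: string): void;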