/**
 * Resolves a ToolContext from whatever identity information is available.
 *
 * This is the single convergence point for all three invocation paths.
 * Each path calls `resolveToolContext()` with whatever identity data
 * it has, and gets back the same ToolContext shape.
 */
import type { LTEnvelope } from '../../types/envelope';
import type { ToolContext } from '../../types/tool-context';
import type { OrchestratorContext } from '../interceptor/types';
/**
 * Source data for resolving a ToolContext.
 * Callers pass whichever fields they have; resolution picks the best available.
 */
export interface ToolContextSource {
    /** Direct userId (e.g., from _auth injection or envelope). */
    userId?: string;
    /** Account type override (for known bot invocations). */
    accountType?: 'user' | 'bot';
    /** Existing delegation token to decode instead of minting new. */
    delegationToken?: string;
    /** Scopes for delegation token (defaults to ['mcp:tool:call']). */
    scopes?: string[];
    /** Envelope from workflow args. */
    envelope?: LTEnvelope;
    /** OrchestratorContext from AsyncLocalStorage. */
    orchestratorContext?: OrchestratorContext;
    /** _auth from MCP tool args. */
    _auth?: {
        userId?: string;
        token?: string;
    };
    /** Trace IDs for audit lineage. */
    traceId?: string;
    spanId?: string;
}
/**
 * Resolve identity from any available source, load roles, mint delegation token.
 *
 * Resolution priority for userId:
 * 1. Explicit `_auth.userId` (MCP server tool path)
 * 2. Explicit `userId` parameter
 * 3. `envelope.lt.userId` (workflow/envelope path)
 * 4. `orchestratorContext.userId` (proxy activity path)
 *
 * Returns null when no identity can be resolved (anonymous/system context).
 */
export declare function resolveToolContext(source: ToolContextSource): Promise<ToolContext | null>;