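/**
 * WorkOS RBAC provider for Mastra.
 *
 * Integrates WorkOS organization memberships and roles with Mastra's
 * permission-based access control system.
 */
import type { IRBACProvider, RoleMapping } from './_types/@internal_auth/dist/ee/index.d.ts';
import type { WorkOSUser, MastraRBACWorkosOptions } from './types.js';
export declare class MastraRBACWorkos implements IRBACProvider {
    private workos;
    private options;
    /**
     * Single cache for roles (the expensive WorkOS API call).
     * Permissions are derived from roles on-the-fly (cheap, synchronous).
     * Storing promises handles concurrent request deduplication.
     *
     * Security note: authorization decisions are made from these cached
     * roles, so a role removed in WorkOS can still be honoured until the
     * entry is cleared (see clearCache / clearUserCache) or evicted.
     * NOTE(review): the expiry/eviction policy is not visible in this
     * declaration file — confirm it against the implementation.
     */
    private rolesCache;
    /**
     * Expose roleMapping for middleware access.
     * This allows the authorization middleware to resolve permissions
     * without needing to call the async methods.
     *
     * Treat the returned mapping as read-only policy data.
     * NOTE(review): whether this returns a copy or the live object is not
     * visible here; a consumer that mutates it could alter the policy.
     */
    get roleMapping(): RoleMapping;
    /**
     * Create a new WorkOS RBAC provider.
     *
     * @param options - RBAC configuration options
     */
    constructor(options: MastraRBACWorkosOptions);
    /**
     * Get all roles for a user from their WorkOS organization memberships.
     *
     * Fetches organization memberships from WorkOS and extracts role slugs.
     * If an organizationId is configured, only returns roles from that organization.
     * Otherwise, returns roles from all organizations the user belongs to.
     *
     * Results are cached and concurrent requests are deduplicated.
     *
     * Security note: without a configured organizationId the result merges
     * roles across every organization the user belongs to, so a role held
     * in one organization also counts when acting in another. Multi-tenant
     * deployments should configure organizationId to scope the lookup.
     *
     * @param user - WorkOS user to get roles for
     * @returns Array of role slugs
     */
    getRoles(user: WorkOSUser): Promise<string[]>;
    /**
     * Fetch roles from WorkOS API.
     */
    private fetchRolesFromWorkOS;
    /**
     * Check if a user has a specific role.
     *
     * @param user - WorkOS user to check
     * @param role - Role slug to check for
     * @returns True if user has the role
     */
    hasRole(user: WorkOSUser, role: string): Promise<boolean>;
    /**
     * Get all permissions for a user by mapping their WorkOS roles.
     *
     * Uses the configured roleMapping to translate WorkOS role slugs
     * into Mastra permission strings. Roles are cached; permissions
     * are derived on-the-fly (cheap, synchronous operation).
     *
     * If the user has no roles (no organization memberships), the
     * _default permissions from the role mapping are applied.
     *
     * Security note: `_default` is what a user with no membership receives,
     * so keep it to the minimum (or empty) to avoid granting access to
     * accounts that have no role at all.
     *
     * @param user - WorkOS user to get permissions for
     * @returns Array of permission strings
     */
    getPermissions(user: WorkOSUser): Promise<string[]>;
    /**
     * Check if a user has a specific permission.
     *
     * Uses wildcard matching to check if any of the user's permissions
     * grant access to the required permission.
     *
     * Security note: because matching is wildcard-based, a broad wildcard
     * entry in the role mapping grants every permission it matches. The
     * matching rules themselves are implemented outside this declaration.
     *
     * @param user - WorkOS user to check
     * @param permission - Permission to check for (e.g., 'agents:read')
     * @returns True if user has the permission
     */
    hasPermission(user: WorkOSUser, permission: string): Promise<boolean>;
    /**
     * Check if a user has ALL of the specified permissions.
     *
     * NOTE(review): the result for an empty `permissions` array is not
     * visible in this declaration — confirm it before using this call as
     * the only gate on a route.
     *
     * @param user - WorkOS user to check
     * @param permissions - Array of permissions to check for
     * @returns True if user has all permissions
     */
    hasAllPermissions(user: WorkOSUser, permissions: string[]): Promise<boolean>;
    /**
     * Check if a user has ANY of the specified permissions.
     *
     * @param user - WorkOS user to check
     * @param permissions - Array of permissions to check for
     * @returns True if user has at least one permission
     */
    hasAnyPermission(user: WorkOSUser, permissions: string[]): Promise<boolean>;
    /**
     * Get all available roles defined in the role mapping.
     *
     * Returns role IDs and names derived from the roleMapping keys,
     * excluding the `_default` fallback entry.
     */
    getAvailableRoles(): Promise<{
        id: string;
        name: string;
    }[]>;
    /**
     * Get resolved permissions for a specific role.
     *
     * Looks up the role in the roleMapping and returns its permissions.
     *
     * @param roleId - Role key to look up in the role mapping
     * @returns Array of permission strings for that role
     */
    getPermissionsForRole(roleId: string): Promise<string[]>;
    /**
     * Clear the roles cache.
     *
     * Call this when system-wide role changes occur.
     * For individual user changes, prefer clearUserCache() instead.
     */
    clearCache(): void;
    /**
     * Clear cached roles for a specific user.
     *
     * Call this when a user's roles change to ensure fresh permission resolution
     * on their next request. This is more efficient than clearing the entire cache.
     *
     * This matters most for revocation: a role downgrade or membership
     * removal only takes effect once the user's cached roles are dropped.
     *
     * @param userId - The user ID to clear from cache
     */
    clearUserCache(userId: string): void;
    /**
     * Get cache statistics for monitoring.
     *
     * @returns Object with cache size and max size
     */
    getCacheStats(): {
        size: number;
        maxSize: number;
    };
    /**
     * Extract role slugs from memberships attached to the user object.
     *
     * NOTE(review): the roles are read from the user object itself, so that
     * object presumably has to come from a verified WorkOS session rather
     * than request-supplied data — confirm at the call sites.
     *
     * @param user - WorkOS user with memberships
     * @returns Array of role slugs
     */
    private extractRolesFromMemberships;
}
//# sourceMappingURL=rbac-provider.d.ts.map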