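/**
 * Capabilities detection and response building for EE authentication.
 */
import type { MastraAuthProvider } from '../../server/index.js';
import type { IRBACProvider } from './interfaces/rbac.js';
import type { EEUser } from './interfaces/user.js';

/**
 * Public capabilities response (no authentication required).
 * Contains just enough info to render the login page.
 *
 * Because this shape is returned without authentication, every field in it
 * is visible to anonymous callers; keep it limited to what the login page
 * needs.
 */
export interface PublicAuthCapabilities {
  /** Whether auth is enabled */
  enabled: boolean;
  /**
   * Login configuration (null if no auth or no SSO).
   *
   * NOTE(review): `type` also allows 'credentials', so a non-null value
   * without SSO looks possible. Confirm the null condition against the
   * implementation.
   */
  login: {
    /** Type of login available */
    type: 'sso' | 'credentials' | 'both';
    /** Whether sign-up is enabled (defaults to true) */
    signUpEnabled?: boolean;
    /** SSO configuration */
    sso?: {
      /** Provider name */
      provider: string;
      /** Button text */
      text: string;
      /**
       * Icon URL.
       *
       * NOTE(review): presumably taken from provider configuration; confirm
       * it is never derived from request input, since the login page loads it.
       */
      icon?: string;
      /**
       * Login URL.
       *
       * NOTE(review): the browser is sent here to start SSO. Presumably built
       * from server configuration (see `BuildCapabilitiesOptions.apiPrefix`);
       * confirm it cannot be influenced by the incoming request.
       */
      url: string;
    };
  } | null;
}

/**
 * User info for authenticated response.
 */
export interface AuthenticatedUser {
  /** User ID */
  id: string;
  /** User email */
  email?: string;
  /** Display name */
  name?: string;
  /** Avatar URL */
  avatarUrl?: string;
}

/**
 * Capability flags indicating which EE features are available.
 */
export interface CapabilityFlags {
  /** IUserProvider is implemented and licensed */
  user: boolean;
  /** ISessionProvider is implemented and licensed */
  session: boolean;
  /** ISSOProvider is implemented and licensed */
  sso: boolean;
  /** IRBACProvider is implemented and licensed */
  rbac: boolean;
  /** IACLProvider is implemented and licensed */
  acl: boolean;
}

/**
 * User's access (roles and permissions).
 *
 * NOTE(review): this is a description of the user's access carried in the
 * response. Nothing in this declaration enforces it; presumably route-level
 * authorization is done elsewhere on the server. Confirm that no caller
 * treats these arrays as the enforcement point.
 */
export interface UserAccess {
  /** User's roles */
  roles: string[];
  /** User's resolved permissions */
  permissions: string[];
}

/**
 * Authenticated capabilities response.
 * Extends public capabilities with user context and feature flags.
 */
export interface AuthenticatedCapabilities extends PublicAuthCapabilities {
  /** Current authenticated user */
  user: AuthenticatedUser;
  /** Available EE capabilities */
  capabilities: CapabilityFlags;
  /** User's access (if RBAC available) */
  access: UserAccess | null;
}

/**
 * Type guard to check if response is authenticated.
 *
 * Narrows a capabilities response to {@link AuthenticatedCapabilities}.
 * The runtime test it performs is not visible in this declaration file.
 * NOTE(review): presumably a check on the response shape, so it says what
 * kind of response was built rather than whether a request is authorized.
 *
 * @param caps - Capabilities response to inspect
 * @returns True when `caps` is the authenticated variant
 */
export declare function isAuthenticated(
  caps: PublicAuthCapabilities | AuthenticatedCapabilities,
): caps is AuthenticatedCapabilities;

/**
 * Options for building capabilities.
 */
export interface BuildCapabilitiesOptions {
  /**
   * RBAC provider for role-based access control (EE feature).
   * Separate from the auth provider to allow mixing different providers.
   *
   * @example
   * ```typescript
   * const rbac = new StaticRBACProvider({
   *   roles: DEFAULT_ROLES,
   *   getUserRoles: (user) => [user.role],
   * });
   *
   * buildCapabilities(auth, request, { rbac });
   * ```
   */
  rbac?: IRBACProvider;
  /**
   * API route prefix used to construct SSO login URLs.
   * Defaults to `/api` when not provided.
   *
   * NOTE(review): the prefix ends up in a URL handed to unauthenticated
   * clients, so it should come from static server configuration rather
   * than from anything request-controlled. Confirm at the call sites.
   *
   * @example `/mastra` results in SSO URL `/mastra/auth/sso/login`
   */
  apiPrefix?: string;
}

/**
 * Build capabilities response based on auth configuration and request state.
 *
 * This function determines what capabilities are available and, if the user
 * is authenticated, includes their user info and access permissions.
 *
 * @param auth - Auth provider (or null if no auth configured)
 * @param request - Incoming HTTP request
 * @param options - Optional configuration (RBAC provider, API route prefix)
 * @returns Promise of the capabilities response (public or authenticated);
 *   use {@link isAuthenticated} to tell the two variants apart
 */
export declare function buildCapabilities(
  auth: MastraAuthProvider | null,
  request: Request,
  options?: BuildCapabilitiesOptions,
): Promise<PublicAuthCapabilities | AuthenticatedCapabilities>;
//# sourceMappingURL=capabilities.d.ts.map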