/**
 * Default roles and permissions for Mastra Studio.
 */
import type { RoleDefinition, RoleMapping } from '../interfaces/index.js';
export type { RoleMapping };
/**
 * Default role definitions for Studio.
 *
 * These roles provide a sensible starting point for most applications:
 * - **owner**: Full access to everything
 * - **admin**: Manage agents, workflows, and users
 * - **member**: Execute agents and workflows, read-only settings
 * - **viewer**: Read-only access
 *
 * Permission patterns:
 * - `*` - Full access to everything
 * - `resource:*` - All actions on a specific resource
 * - `*:action` - An action across all resources (e.g., `*:read` for read-only)
 *
 * The wildcard forms are patterns, not enumerated lists: `*` and `*:action`
 * span every resource, so review what each default role actually grants
 * before relying on it for least privilege.
 *
 * NOTE(review): this is declared as a mutable `RoleDefinition[]`. Whether the
 * array is frozen at runtime is not visible from this declaration; treat it
 * as read-only and work on a copy when customising roles.
 */
export declare const DEFAULT_ROLES: RoleDefinition[];
export type { Permission, PermissionPattern } from '../interfaces/permissions.generated.js';
/**
 * Get role by ID from default roles.
 *
 * The lookup takes no role list, so it only consults the default roles;
 * custom role definitions are not searched by this function.
 *
 * @param roleId - Role ID to find
 * @returns Role definition or undefined. Callers should handle `undefined`
 *   explicitly and treat an unknown role ID as granting no access.
 */
export declare function getDefaultRole(roleId: string): RoleDefinition | undefined;
/**
 * Resolve all permissions for a set of role IDs.
 *
 * Handles role inheritance and deduplication.
 *
 * The result is typed as plain `string[]`. Presumably the entries can be
 * wildcard patterns (see the patterns documented on the default roles), so
 * check them with `hasPermission` / `matchesPermission` rather than with
 * string equality or `includes` — confirm against the implementation.
 *
 * NOTE(review): how role IDs that are absent from `roles` are handled, and
 * whether inheritance cycles are guarded against, is not visible in this
 * declaration. Confirm that unknown IDs contribute no permissions.
 *
 * @param roleIds - Role IDs to resolve
 * @param roles - Role definitions (defaults to DEFAULT_ROLES)
 * @returns Array of resolved permissions
 */
export declare function resolvePermissions(roleIds: string[], roles?: RoleDefinition[]): string[];
/**
 * Check if a permission matches (including wildcard support).
 *
 * Permission format: `{resource}:{action}[:{resource-id}]`
 *
 * Examples:
 * - `*` matches everything
 * - `agents:*` matches `agents:read`, `agents:read:my-agent`
 * - `*:read` matches `agents:read`, `workflows:read` (action across all resources)
 * - `agents:read` matches `agents:read`, `agents:read:my-agent`
 * - `agents:read:my-agent` matches only `agents:read:my-agent`
 * - `agents:*:my-agent` matches `agents:read:my-agent`, `agents:write:my-agent`
 *
 * Least-privilege note: as the examples show, a two-segment grant such as
 * `agents:read` also satisfies checks scoped to a resource ID
 * (`agents:read:my-agent`). To limit a user to one resource, grant the
 * three-segment form.
 *
 * Argument order is significant: the first argument is the granted pattern
 * and the second is the permission being demanded. NOTE(review): whether
 * wildcards in `requiredPermission` are interpreted is not visible in this
 * declaration; pass a concrete permission there and confirm that swapping
 * the arguments cannot widen access.
 *
 * @param userPermission - Permission the user has
 * @param requiredPermission - Permission being checked
 * @returns True if permission matches
 */
export declare function matchesPermission(userPermission: string, requiredPermission: string): boolean;
/**
 * Check if a user has a specific permission.
 *
 * Presumably returns true when at least one entry of `userPermissions`
 * satisfies `requiredPermission` under the wildcard rules of
 * `matchesPermission` — confirm against the implementation.
 *
 * NOTE(review): the result for an empty `userPermissions` array is not
 * visible in this declaration; an authorization check should deny in that
 * case, so verify that it returns false.
 *
 * @param userPermissions - Permissions the user has
 * @param requiredPermission - Permission being checked
 * @returns True if user has the permission
 */
export declare function hasPermission(userPermissions: string[], requiredPermission: string): boolean;
/**
 * Resolve permissions from user roles using a role mapping.
 *
 * This function translates provider-defined roles (from WorkOS, Okta, etc.)
 * to Mastra permissions using a configurable mapping.
 *
 * @example
 * ```typescript
 * const roleMapping = {
 *   "Engineering": ["agents:*", "workflows:*"],
 *   "Product": ["agents:read"],
 *   "_default": [],
 * };
 *
 * // User has "Engineering" and "QA" roles
 * const permissions = resolvePermissionsFromMapping(
 *   ["Engineering", "QA"],
 *   roleMapping
 * );
 * // Result: ["agents:*", "workflows:*"] (QA is unmapped, gets _default)
 * ```
 *
 * Security note: as the example shows, a role that the mapping does not list
 * receives the `_default` entry. Any permission placed in `_default` is
 * therefore granted to users holding any unrecognised provider role, so keep
 * it empty (as above) or minimal.
 *
 * The role names are supplied by the identity provider, so the mapping keys
 * must match exactly what the provider emits. NOTE(review): whether
 * `_default` also applies when `roles` is empty, and whether role names are
 * compared case-sensitively, is not visible in this declaration — confirm.
 *
 * @param roles - User's roles from the identity provider
 * @param mapping - Role to permission mapping
 * @returns Array of resolved permissions
 */
export declare function resolvePermissionsFromMapping(roles: string[], mapping: RoleMapping): string[];
//# sourceMappingURL=roles.d.ts.map