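/**
 * HTTP adapter for the OAuth 2.1 authorization server.
 *
 * Bridges Node's IncomingMessage / ServerResponse to the pure-function
 * `AuthRequest` / `AuthResponse` shape that the endpoint handlers speak.
 * Same composition pattern as `handleStreamableHTTP` in
 * src/auto-ui/streamable-http-transport.ts: returns `true` when the
 * request was matched + handled, `false` so the host HTTP server can
 * fall through to other routes.
 *
 * Routes mounted:
 *   GET  /tenant/<slug>/.well-known/oauth-authorization-server
 *   GET  /tenant/<slug>/.well-known/oauth-protected-resource
 *   GET  /tenant/<slug>/authorize
 *   POST /tenant/<slug>/token
 *   POST /tenant/<slug>/register
 *   GET  /tenant/<slug>/consent
 *   POST /tenant/<slug>/consent
 *   POST /tenant/<slug>/revoke
 *   POST /tenant/<slug>/introspect
 *
 * `<slug>` is optional when `singleTenant` is configured — the same
 * routes are also accepted at the path root for self-host deployments.
 */
import type { IncomingMessage, ServerResponse } from 'http';
import type { Serv } from '../index.js';
import type { Tenant } from '../types/index.js';

/** Options accepted by `handleAuthServerHTTP`. */
export interface AuthServerHTTPOptions {
  /** The Serv instance that owns the AS state. */
  serv: Serv;

  /**
   * Resolve the tenant for a request. Typical implementations pull the
   * slug from the URL path (`/tenant/<slug>/...`), look it up in the
   * tenant store, and return the Tenant row (or null for 404).
   *
   * The slug comes from the request path and is therefore
   * caller-controlled: treat it as untrusted input in the lookup and
   * return null for anything that does not match a known tenant.
   */
  resolveTenant: (req: IncomingMessage, slug: string | null) => Promise<Tenant | null>;

  /**
   * Resolve the caller identity from the request. Returns `undefined` for
   * unauthenticated requests — `/authorize` will then redirect to the
   * configured login URL with `return_to`. For the self-host
   * `PHOTON_SINGLE_USER=1` short-circuit, bake the tenant-owner id into
   * the return value so every request lands authenticated.
   *
   * Security note: with that short-circuit every request is treated as
   * the tenant owner, so access control rests entirely on who can reach
   * the listener.
   *
   * NOTE(review): how `return_to` is built is not visible in this
   * declaration file; the login page should validate it before
   * redirecting back.
   * NOTE(review): the id is assumed to be a `string` — the type
   * arguments were missing from this listing; confirm against the
   * implementation.
   */
  resolveUserId: (req: IncomingMessage, tenant: Tenant) => Promise<string | undefined>;

  /**
   * When set, also accept the AS endpoints at the root path (no
   * `/tenant/<slug>/` prefix). The `resolveTenant` callback will be
   * invoked with `slug = null` so the host can return the single tenant.
   */
  singleTenant?: boolean;

  /**
   * Optional structured logger. Best-effort.
   *
   * NOTE(review): `meta` is assumed to be `Record<string, unknown>` —
   * the type arguments were missing from this listing; confirm.
   */
  log?: (level: 'info' | 'warn' | 'error', msg: string, meta?: Record<string, unknown>) => void;
}

/**
 * Match + handle an AS HTTP request. Returns `false` when the request's
 * path doesn't belong to the AS so the host can fall through to other
 * mounts. Returns `true` for handled, rejected, or errored requests.
 *
 * A `true` result therefore only means the path belonged to the AS; it
 * does not indicate that the OAuth request succeeded.
 *
 * @param req - Incoming Node HTTP request.
 * @param res - Node HTTP response for the request.
 * @param options - Tenant / user resolvers and adapter settings.
 * @returns Whether the request path belonged to the AS.
 */
export declare function handleAuthServerHTTP(
  req: IncomingMessage,
  res: ServerResponse,
  options: AuthServerHTTPOptions,
): Promise<boolean>;
//# sourceMappingURL=http-adapter.d.ts.map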