/**
 * Authentication Middleware
 *
 * Validates Bearer tokens and attaches session to request context
 */
import type { User, Membership, RequestContext, Tenant } from '../types/index.js';
import type { SessionStore } from '../session/store.js';
import type { JwtService } from '../auth/jwt.js';
export interface UserStore {
    findById(id: string): Promise<User | null>;
    findByEmail(email: string): Promise<User | null>;
}
export interface MembershipStore {
    find(tenantId: string, userId: string): Promise<Membership | null>;
}
export interface AuthMiddlewareConfig {
    jwtService: JwtService;
    sessionStore: SessionStore;
    userStore?: UserStore;
    membershipStore?: MembershipStore;
    /** Whether to allow anonymous access (no token) */
    allowAnonymous?: boolean;
    /** Required role(s) for access */
    requiredRoles?: string[];
}
export interface AuthResult {
    success: boolean;
    context?: RequestContext;
    error?: {
        code: number;
        message: string;
        wwwAuthenticate?: string;
    };
}
export declare class AuthMiddleware {
    private config;
    constructor(config: AuthMiddlewareConfig);
    /**
     * Authenticate a request
     */
    authenticate(tenant: Tenant, authHeader?: string): Promise<AuthResult>;
    /**
     * Extract Bearer token from Authorization header
     */
    private extractBearerToken;
    /**
     * Build WWW-Authenticate header value
     */
    private buildWwwAuthenticate;
}
/**
 * Check if a role has required permission
 */
export declare function hasPermission(role: string, requiredRoles: string[]): boolean;
/**
 * Parse Mcp-Session-Id header
 */
export declare function parseMcpSessionId(header?: string): string | null;
/**
 * Generate client fingerprint from request
 */
export declare function generateClientFingerprint(request: {
    headers?: Record<string, string>;
    ip?: string;
}): string;
//# sourceMappingURL=auth.d.ts.map