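/**
 * MCP Auth Bridge
 *
 * JWT claims validation and tool-level authorization for MCP server launchers.
 * Does NOT verify JWT signatures - that is the transport layer's responsibility.
 * This module validates the claims structure, expiration, and tier-based ACL.
 *
 * Security note: because no signature check happens in this module, a payload
 * is only as trustworthy as its source. Hand these functions claims taken from
 * a token whose signature has already been verified; a payload decoded from an
 * unverified token can carry any `sub`, `tier` or `permissions` value.
 */
import { z } from '@revealui/contracts';

/**
 * JWT claims expected from RevealUI auth tokens.
 *
 * Only `sub` and `tier` are required. `iss`, `iat`, `exp` and `permissions`
 * are all optional in this schema, so a structurally valid payload may carry
 * no issuer and no expiry.
 *
 * The object is declared in zod's strip mode (`z.core.$strip`): keys that are
 * not listed here are dropped from the parsed result rather than rejected.
 *
 * NOTE(review): the type arguments of the four `ZodOptional` fields were not
 * present in the listing this was reviewed from. The ones below are the
 * presumed originals (string issuer, numeric timestamps, string array of
 * permissions) - confirm against the generated build output.
 */
export declare const McpAuthClaimsSchema: z.ZodObject<{
  sub: z.ZodString;
  tier: z.ZodEnum<{
    free: "free";
    pro: "pro";
    max: "max";
    enterprise: "enterprise";
  }>;
  iss: z.ZodOptional<z.ZodString>;
  iat: z.ZodOptional<z.ZodNumber>;
  exp: z.ZodOptional<z.ZodNumber>;
  permissions: z.ZodOptional<z.ZodArray<z.ZodString>>;
}, z.core.$strip>;

/** Parsed claims object, derived from {@link McpAuthClaimsSchema}. */
export type McpAuthClaims = z.infer<typeof McpAuthClaimsSchema>;

/**
 * Validate and decode MCP auth claims from a JWT payload.
 * Does NOT verify signature - that should be done by the transport layer.
 * This validates the claims structure and expiration.
 *
 * `valid: true` therefore means "well-formed and not expired", not
 * "authentic". Check `valid` before reading `claims`; both `claims` and
 * `error` are optional in the result type.
 *
 * NOTE(review): `exp` is optional in the schema. How a payload without `exp`
 * is treated (accepted as non-expiring, or rejected) is not visible from this
 * declaration - confirm in the implementation, and prefer rejecting it.
 *
 * @param payload - Decoded JWT payload of unknown shape.
 * @returns `valid` plus, per the result type, optionally the parsed `claims`
 *   or an `error` message.
 */
export declare function validateMcpClaims(payload: unknown): {
  valid: boolean;
  claims?: McpAuthClaims;
  error?: string;
};

/**
 * Check if claims authorize a specific tool invocation.
 * Verifies both tier level and explicit permissions list (if present).
 *
 * NOTE(review): `requiredTier` is typed as a plain `string`, not as the tier
 * enum used by `McpAuthClaims`. What happens for an unrecognised tier name,
 * or when `requiredTier` is omitted, is not visible from this declaration -
 * confirm that the implementation denies the call in the unrecognised case.
 *
 * @param claims - Claims previously accepted by `validateMcpClaims`.
 * @param toolName - Name of the tool being invoked.
 * @param requiredTier - Optional minimum tier for the tool.
 * @returns `authorized` plus, per the result type, an optional `reason`.
 */
export declare function authorizeToolCall(
  claims: McpAuthClaims,
  toolName: string,
  requiredTier?: string,
): {
  authorized: boolean;
  reason?: string;
};
//# sourceMappingURL=auth.d.ts.map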