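import { InterventionHandler } from '../../interventions/handler.js';
import type { InterventionAction } from '../../interventions/actions.js';
import type { BeforeToolCallEvent } from '../../hooks/events.js';
import type { OnError } from '../../interventions/handler.js';
import { type CedarValueJson, type TypeAndId, type EntityJson } from '@cedar-policy/cedar-wasm/nodejs';

/**
 * Minimal tool definition for schema generation. Matches the MCP tool format.
 *
 * Only `name` is required. `inputSchema` is a JSON-Schema-like object; its
 * `properties` presumably drive the generated Cedar schema for `context.input`
 * — confirm against the schema generator.
 */
export interface ToolDefinition {
  name: string;
  inputSchema?: {
    type: string;
    /**
     * Property name -> JSON-Schema fragment.
     * NOTE(review): the `Record` type arguments were missing from the published
     * declaration (it did not compile under `strict`); restored as the widest
     * JSON-safe form.
     */
    properties?: Record<string, unknown>;
    required?: string[];
  };
  description?: string;
}

/**
 * Configuration for the {@link CedarAuthorization} intervention handler.
 *
 * Security notes for integrators:
 * - `policies`, `entities` and `schema` are the trust anchors of this control:
 *   whoever can write them decides what the agent may call. Load them from a
 *   location the agent's own tool inputs cannot influence.
 * - `principalResolver` and `contextEnricher` produce the values policies match
 *   on. Derive them from trusted `invocationState`, never from tool input.
 *
 * @see {@link https://docs.cedarpolicy.com/syntax-policy.html | Cedar policy syntax}
 */
export interface CedarAuthorizationConfig {
  /**
   * Cedar policy text, or a path to a `.cedar` file on disk.
   *
   * NOTE(review): how inline text is told apart from a file path is not visible
   * in this declaration — confirm in the implementation. Do not pass strings
   * derived from untrusted input here: a value that looks like a path may be
   * read from disk, and policy text is the authorization decision itself.
   */
  policies: string;
  /**
   * Tool definitions (MCP format) for auto schema generation.
   *
   * NOTE(review): the published comment says "Use with `CedarAuthorization.create()`",
   * but no static `create` is declared in this file — confirm it exists elsewhere
   * before relying on it.
   */
  tools?: ToolDefinition[];
  /** Entity data (array, or a path to a `.json` file). Only needed for a Cedar entity hierarchy. */
  entities?: EntityJson[] | string;
  /** Cedar schema for policy validation. Auto-generated when `tools` is provided. */
  schema?: string;
  /**
   * Cedar namespace for actions and resources. When set, the authorization request uses
   * namespaced types (e.g. `Agent::Action::"search"` instead of `Action::"search"`), and
   * schema generation preserves the namespace wrapper.
   *
   * Use this when your policies are generated by tools like `cedar-agent-policy-builder`
   * that produce namespaced Cedar policies. A mismatch between the namespace here and the
   * one in the policy text means no policy matches, i.e. every call is denied.
   */
  namespace?: string;
  /** Static principal. Defaults to `User::"anonymous"`. Mutually exclusive with `principalResolver`. */
  principal?: TypeAndId;
  /**
   * Dynamic principal resolver for multi-tenant agents.
   * Return `undefined` to deny (fail-closed). Mutually exclusive with `principal`.
   *
   * Must be synchronous: `beforeToolCall` returns an `InterventionAction`, not a Promise.
   * NOTE(review): `Record` type arguments restored; the published declaration lost them.
   */
  principalResolver?: ((invocationState: Record<string, unknown>) => TypeAndId | undefined) | undefined;
  /**
   * Injects extra fields into `context.session`. Cannot overwrite `hour_utc` or `call_count`.
   * Use to forward `invocationState` values (role, environment, etc.) into Cedar context.
   *
   * Policies should guard enriched fields with `has` before reading them, since the
   * enricher may omit a field on some calls. Values must be Cedar-representable JSON.
   * NOTE(review): `Record` type arguments restored from context; the return type is
   * assumed to be Cedar values (`CedarValueJson`) — confirm against the implementation.
   *
   * @see {@link https://docs.cedarpolicy.com/policies/syntax-operators.html | Cedar `has` operator}
   */
  contextEnricher?: ((context: {
    toolName: string;
    toolInput: Record<string, unknown>;
    invocationState: Record<string, unknown>;
  }) => Record<string, CedarValueJson>) | undefined;
  /**
   * Error handling: `'throw'` (default), `'deny'` (fail-closed), `'proceed'` (dangerous: fail-open).
   *
   * `'proceed'` lets the tool call run when the authorization step itself fails
   * (which failures are covered is not visible here — confirm). Use it only for
   * non-production diagnostics, never where this policy is the control gating a
   * dangerous tool.
   */
  onError?: OnError | undefined;
}

/**
 * Cedar authorization intervention handler. Evaluates policies before each tool call.
 *
 * Each tool maps to: Action = tool name, Resource = unconstrained,
 * Context = `{ input: toolInput, session: { hour_utc, call_count, ...enricher } }`.
 *
 * The decision is made in {@link beforeToolCall}, which is synchronous; resolvers
 * and enrichers supplied through the config must therefore be synchronous too.
 *
 * @see {@link https://cedarpolicy.com | Cedar} · {@link https://github.com/cedar-policy/cedar-for-agents | cedar-for-agents}
 *
 * @example
 * ```typescript
 * const cedar = new CedarAuthorization({
 *   policies: 'permit(principal, action == Action::"search", resource);',
 * })
 *
 * // With schema validation (NOTE(review): `create` is not declared in this file — confirm):
 * const cedar = await CedarAuthorization.create({ policies: '...', tools: [searchTool] })
 * ```
 */
export declare class CedarAuthorization extends InterventionHandler {
  readonly name = "cedar-authorization";
  /** Effective error mode; see {@link CedarAuthorizationConfig.onError}. */
  readonly onError: OnError;
  private _policies;
  private _entities;
  private _schema;
  /** Original `policies` config value, kept so {@link reload} can re-read a file path. */
  private readonly _policySource;
  private readonly _entitySource;
  private readonly _schemaSource;
  private readonly _principal;
  private readonly _principalResolver;
  private readonly _contextEnricher;
  private readonly _tools;
  private readonly _schemaGenerator;
  private readonly _actionType;
  private readonly _resourceType;
  private readonly _resourceId;
  /** Counters backing `context.session.call_count`. NOTE(review): keying is not visible here. */
  private readonly _callCounts;
  /** Key under which counters are stored in agent `appState` (see {@link resetCallCounts}). */
  private static readonly _stateKey;
  /**
   * Builds the handler from `config`.
   * NOTE(review): whether invalid policy text is rejected here or on first use is
   * not visible in this declaration — confirm, since a deferred failure combined
   * with `onError: 'proceed'` would silently disable the control.
   */
  constructor(config: CedarAuthorizationConfig);
  /**
   * Evaluates the loaded policies for the tool call described by `event` and
   * returns the resulting intervention action. Failures during evaluation are
   * handled according to {@link onError}.
   */
  beforeToolCall(event: BeforeToolCallEvent): InterventionAction;
  /**
   * Clears rate-limit call counters.
   *
   * This resets `call_count`, which policies may rely on for rate limiting, so
   * expose it only to trusted control paths — never to code reachable from a
   * tool call or from model output.
   */
  resetCallCounts(agent: {
    appState: {
      set: (key: string, value: unknown) => void;
    };
  }): void;
  /**
   * Reloads policies/entities/schema from disk. Validates before committing, so a
   * file that fails validation should leave the currently loaded set in place —
   * confirm the implementation surfaces that failure rather than keeping stale
   * state silently. Has nothing to re-read for inline (non-path) sources.
   */
  reload(): void;
  private _incrementCallCount;
  private _decrementCallCount;
}
//# sourceMappingURL=cedar.d.ts.map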