import type { Context } from "../context.ts";
import type { Secret } from "../secret.ts";
import type { AccessIdentityProvider } from "./access-identity-provider.ts";
import type { AccessPolicy } from "./access-policy.ts";
import { type CloudflareApiOptions } from "./api.ts";
import { type Zone } from "./zone.ts";
/**
 * Cloudflare Access application types. Three are strictly typed below;
 * everything else falls back to {@link OtherAccessApplicationProps}.
 *
 * @see https://developers.cloudflare.com/cloudflare-one/applications/
 */
export type AccessApplicationType = "self_hosted" | "saas" | "bookmark" | "ssh" | "vnc" | "rdp" | "app_launcher" | "warp" | "biso" | "dash_sso" | "infrastructure" | "mcp" | "mcp_portal" | "proxy_endpoint" | (string & {});
interface BaseAccessApplicationProps extends CloudflareApiOptions {
    /**
     * Display name shown in the Access dashboard.
     *
     * @default ${app}-${stage}-${id}
     */
    name?: string;
    /**
     * Identity providers permitted to authenticate to this application.
     * If unset, all account IdPs are allowed.
     */
    allowedIdps?: (string | AccessIdentityProvider)[];
    /**
     * Reusable Access policies attached to this application, in priority order.
     */
    policies?: (string | AccessPolicy)[];
    /** Cloudflare duration string, e.g. `"24h"`. */
    sessionDuration?: string;
    /** Show this app in the user-facing App Launcher. */
    appLauncherVisible?: boolean;
    /** Skip the IdP-selection screen when only one IdP applies. */
    autoRedirectToIdentity?: boolean;
    /** Custom message shown to denied users. */
    customDenyMessage?: string;
    /** URL users are redirected to when denied. */
    customDenyUrl?: string;
    /** URL non-identity users (e.g. service tokens) are redirected to when denied. */
    customNonIdentityDenyUrl?: string;
    /** Free-form labels for grouping applications. */
    tags?: string[];
    /** Skip the Access interstitial page on first load. */
    skipInterstitial?: boolean;
    /**
     * For service-token authenticated requests, return 401 on failure
     * (instead of redirecting).
     */
    serviceAuth401Redirect?: boolean;
    /**
     * Adopt an existing application with the same name instead of failing.
     *
     * @default false
     */
    adopt?: boolean;
    /**
     * Whether to delete the application when removed from Alchemy.
     *
     * @default true
     */
    delete?: boolean;
}
/**
 * A self-hosted application protected by Access at a specific domain.
 */
export interface SelfHostedAccessApplicationProps extends BaseAccessApplicationProps {
    type: "self_hosted";
    /** Hostname (or hostname/path prefix) the application lives at. */
    domain: string;
    /**
     * Bind the application to a specific zone. If omitted, the application
     * is account-scoped. Moving between scopes triggers replacement.
     */
    zone?: string | Zone;
}
/**
 * SaaS OIDC integration configuration.
 */
export interface SaasOidcConfig {
    authType: "oidc";
    redirectUris: string[];
    scopes?: ("openid" | "groups" | "email" | "profile")[];
    groupFilterRegex?: string;
}
/**
 * SaaS SAML 2.0 integration configuration.
 */
export interface SaasSamlConfig {
    authType: "saml";
    spEntityId: string;
    consumerServiceUrl: string;
    nameIdFormat?: string;
    defaultRelayState?: string;
}
/**
 * A SaaS application — Cloudflare brokers SSO between your IdP and the SaaS
 * vendor over either OIDC or SAML.
 */
export interface SaasAccessApplicationProps extends BaseAccessApplicationProps {
    type: "saas";
    saas: SaasOidcConfig | SaasSamlConfig;
}
/**
 * A bookmark — a vanity link in the Access launcher with no policy
 * enforcement.
 */
export interface BookmarkAccessApplicationProps extends BaseAccessApplicationProps {
    type: "bookmark";
    /** URL the bookmark points to. */
    domain: string;
    /**
     * Bind the bookmark to a zone. If omitted, the bookmark is account-scoped.
     */
    zone?: string | Zone;
}
/**
 * Catch-all variant for application types not covered by a strict variant
 * (`ssh`, `vnc`, `rdp`, `app_launcher`, `warp`, `biso`, `dash_sso`,
 * `infrastructure`, `mcp`, `mcp_portal`, `proxy_endpoint`, or future types).
 */
export interface OtherAccessApplicationProps extends BaseAccessApplicationProps {
    type: Exclude<AccessApplicationType, "self_hosted" | "saas" | "bookmark">;
    /** Required for `ssh`, `vnc`, `rdp`, `proxy_endpoint`. */
    domain?: string;
    /** Zone-scope the application where supported by the type. */
    zone?: string | Zone;
}
/**
 * Properties for creating or updating an {@link AccessApplication}.
 */
export type AccessApplicationProps = SelfHostedAccessApplicationProps | SaasAccessApplicationProps | BookmarkAccessApplicationProps | OtherAccessApplicationProps;
/**
 * Output for an {@link AccessApplication}.
 */
export type AccessApplication = Omit<AccessApplicationProps, "adopt" | "delete" | "zone"> & {
    /** Cloudflare-assigned application UUID. */
    id: string;
    /** Display name. */
    name: string;
    /**
     * Audience tag (used to validate Access JWTs at your origin).
     */
    aud: string;
    /**
     * Resolved zone ID, if the application is zone-scoped.
     */
    zoneId?: string;
    /**
     * SaaS OIDC client identifier (only set for SaaS OIDC apps).
     */
    clientId?: string;
    /**
     * SaaS OIDC client secret (only returned on creation; retained on update).
     */
    clientSecret?: Secret;
    /** ISO 8601 creation timestamp. */
    createdAt: string;
    /** ISO 8601 last-update timestamp. */
    updatedAt: string;
};
/**
 * Type guard for {@link AccessApplication}.
 */
export declare function isAccessApplication(resource: any): resource is AccessApplication;
/**
 * Creates a Cloudflare Zero Trust [Access application](https://developers.cloudflare.com/cloudflare-one/applications/)
 * — a protected resource users authenticate to via Access.
 *
 * @example
 * // Self-hosted application protected by an Access policy.
 * const app = await AccessApplication("admin", {
 *   type: "self_hosted",
 *   name: "Internal Admin",
 *   domain: "admin.acme.com",
 *   policies: [employeesPolicy],
 *   sessionDuration: "8h",
 * });
 *
 * @example
 * // Bookmark in the Access launcher.
 * const wiki = await AccessApplication("wiki", {
 *   type: "bookmark",
 *   name: "Internal Wiki",
 *   domain: "https://wiki.acme.com",
 *   appLauncherVisible: true,
 * });
 *
 * @example
 * // SaaS OIDC integration.
 * const slack = await AccessApplication("slack-saas", {
 *   type: "saas",
 *   name: "Slack",
 *   saas: {
 *     authType: "oidc",
 *     redirectUris: ["https://acme.slack.com/oidc/callback"],
 *     scopes: ["openid", "email", "profile"],
 *   },
 *   policies: [employeesPolicy],
 * });
 */
export declare const AccessApplication: (((this: any, id: string, props?: {}) => never) & (new (_: never) => never)) | ((this: Context<AccessApplication>, id: string, props: AccessApplicationProps) => Promise<AccessApplication>);
export {};
//# sourceMappingURL=access-application.d.ts.map