import type { AccessToken } from '../domain/access-token.js';
import type { Result } from '../domain/result.js';
import type { FileSystem } from '../use-cases/ports/filesystem.js';
import type { Logger } from '../use-cases/ports/logger.js';
import type { BrowserAuth, ElevatedFailureReason } from './browser-auth.js';
type AuthError = {
    type: 'auth_failed';
    message: string;
} | {
    type: 'auth_cancelled';
};
/**
 * Outcome of the elevated-token capture leg of the most recent
 * browser-acquired session. Read by `login.execute` to surface a
 * `{ elevated: 'captured' | 'failed', elevatedReason?: ... }` field on
 * the login response so an LLM consumer can predict whether the
 * elevated-dependent commands (chat metadata, historical-version
 * downloads) will work without invoking them. Login-fix round-1 Wave D.
 */
type ElevatedOutcome = {
    captured: true;
} | {
    captured: false;
    reason: ElevatedFailureReason | 'unknown_error';
};
type AuthManager = {
    getAccessToken: () => Promise<Result<AccessToken, AuthError>>;
    /**
     * Returns a Graph token issued for an app on Microsoft's ODSP
     * `logicalPermissions` allow-list. Falls through cache → re-capture
     * via headless Playwright. Used by the 3 historical-version commands.
     */
    getElevatedAccessToken: () => Promise<Result<AccessToken, AuthError>>;
    /**
     * Returns a chatsvcagg-audience token (same Teams web client identity
     * as `getAccessToken`, but issued for the chatsvcagg resource). Falls
     * through cache → re-capture via headless Playwright. Used by the
     * `list-teams-chats-with-messages` family of commands.
     */
    getChatsvcaggAccessToken: () => Promise<Result<AccessToken, AuthError>>;
    /**
     * Returns the regional segment used to construct chatsvcagg substrate
     * URLs (`teams.microsoft.com/api/csa/<region>/api/...`). Captured at
     * login from the first such URL the chatsvcagg bearer rides on. Falls
     * back to `DEFAULT_CHATSVCAGG_REGION` ('emea') when the cache is
     * either absent or pre-2026-05-migration. Synchronous on cache; calls
     * `getChatsvcaggAccessToken()` first if no cache exists so a region is
     * available immediately after login.
     */
    getChatsvcaggRegion: () => Promise<string>;
    /**
     * Returns an IC3-audience bearer (Teams web client identity, aud
     * `https://ic3.teams.office.com`). Falls through cache → re-capture
     * via headless Playwright. Used by `list-teams-chat-history` to walk
     * paginated chat-message history beyond the 200-message chatsvcagg cap.
     */
    getIc3AccessToken: () => Promise<Result<AccessToken, AuthError>>;
    logout: () => Promise<Result<void, AuthError>>;
    /**
     * Inspect the elevated-capture outcome from the most recent
     * `acquireViaBrowser` invocation. Returns null if no browser-acquired
     * session has happened in this process (cache hit / refresh-only).
     * Login-fix round-1 Wave D.
     */
    getLastElevatedOutcome: () => ElevatedOutcome | null;
    /**
     * Inspect the chatsvcagg-capture outcome from the most recent
     * `acquireViaBrowser` invocation. Same shape and lifetime semantics
     * as `getLastElevatedOutcome`.
     */
    getLastChatsvcaggOutcome: () => ElevatedOutcome | null;
};
declare const createAuthManagerFromApi: (browserAuth: BrowserAuth, cachePath: string, browserProfileDir: string, logger: Logger, fs: FileSystem) => AuthManager;
declare const createAuthManager: (deps: {
    cachePath: string;
    logger: Logger;
    fs?: FileSystem;
    browserProfileDir?: string;
}) => AuthManager;
export { createAuthManager, createAuthManagerFromApi };
export type { AuthError, AuthManager, ElevatedOutcome };