/**
 * Central Microsoft Graph permission scope map (audit round-8 Wave C).
 *
 * Source of truth: Microsoft Graph permissions reference
 * (https://learn.microsoft.com/en-us/graph/permissions-reference). Each
 * command's `graphDocsUrl` Learn page documents the required scope(s).
 *
 * Convention: list the LEAST-PRIVILEGED scope Microsoft documents for the
 * delegated permissions path. When multiple alternatives exist (e.g.
 * `Mail.Read` OR `Mail.ReadBasic` OR `Mail.ReadWrite`) we pick the most
 * read-only choice. The basic Teams web client token grants ~30 scopes
 * (`User.Read`, `Mail.Read`, `Calendars.Read`, `Files.Read`, `Tasks.Read`,
 * `Notes.Read.All`, `Sites.Read.All`, `Group.Read.All`, `Team.ReadBasic.All`,
 * `Channel.ReadBasic.All`, `People.Read`, `MailboxSettings.Read`, etc.). The
 * M365ChatClient elevated identity adds `Chat.ReadBasic` and ODSP allow-list
 * access (covered by `needsElevatedToken: true` per command).
 *
 * Surface: this map is read by `docs.ts toEntry` at manifest-render time
 * and merged into each command's `scopesRequired`. Per-command inline
 * `meta.scopesRequired` takes precedence (so command files can override).
 * An LLM uses this with `scopes-check` to predict 403s pre-flight.
 *
 * Lifecycle / meta commands intentionally absent (empty array would imply
 * "no scope needed" which is true for them but also true of `update`,
 * `docs`, `help-json` — none of which call Graph).
 */
declare const GRAPH_SCOPES_BY_COMMAND: Readonly<Record<string, ReadonlyArray<string>>>;
declare const lookupScopes: (commandName: string) => ReadonlyArray<string> | undefined;
export { GRAPH_SCOPES_BY_COMMAND, lookupScopes };