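import type { CommandModule } from 'yargs';

/**
 * Arguments accepted by the `fix` command (see `fixCommand`). Every field is
 * optional.
 */
interface FixCommandArgs {
  rule?: string;
  dryRun?: boolean;
  apply?: boolean;
  all?: boolean;
}

/**
 * Outcome of `resolveSafeWritePath`, discriminated on `ok`: a success carries
 * the resolved `absolutePath`, a refusal carries a human-readable `reason`.
 */
export type SafePathResult =
  | {
      ok: true;
      absolutePath: string;
    }
  | {
      ok: false;
      reason: string;
    };

/**
 * Reject paths that would let a malicious CDK construct or manifest divert
 * fix's write to somewhere outside the user's project. `filePath` originates
 * from `sourceLocation.filePath` on a finding — that field comes from
 * CDK manifest traces or cdk-insights aspect metadata, both of which a
 * hostile construct can populate. We require:
 *
 * - after `path.resolve`, the path stays inside `projectRoot`
 * - the target is NOT a symlink (so a planted `lib/Stack.ts -> ~/.zshrc`
 *   in an upstream project can't trick a downstream contributor's
 *   `fix --apply` into overwriting their dotfiles)
 *
 * The follow-up atomic-rename pattern is what actually replaces the file
 * safely; this check makes the refusal explicit and surfaces a clear error
 * outcome to the user rather than silently turning a symlink into a regular
 * file.
 *
 * NOTE(review): `path.resolve` is purely lexical and does not consult the
 * filesystem, so the two requirements above do not by themselves cover a
 * symlinked *parent directory* inside the project. The implementation is not
 * visible from this declaration; confirm whether it also compares real paths.
 *
 * NOTE(review): the check and the later write are separate steps. Callers
 * should write to the returned `absolutePath` rather than re-resolving the
 * raw `filePath`, so the path that was validated is the path that is written.
 *
 * @param filePath - Untrusted path taken from a finding's source location.
 * @param projectRoot - Directory the write must stay inside.
 * @returns `{ ok: true, absolutePath }` when the path is accepted, otherwise
 *   `{ ok: false, reason }`.
 */
export declare const resolveSafeWritePath: (
  filePath: string,
  projectRoot: string,
) => SafePathResult;

/**
 * Replace the file at `target` with `content` atomically: write to a
 * sibling temp file then rename. POSIX rename(2) replaces the target
 * inode atomically, which means a half-written file is never observable
 * and — as a side effect — a symlink at `target` gets replaced rather
 * than followed. The temp name is randomised so two concurrent fix
 * invocations don't collide on the same path.
 *
 * The signature returns `void` rather than a promise, so the write is
 * synchronous from the caller's point of view.
 *
 * NOTE(review): this declaration does not show how the temp file is created
 * (exclusive creation, permission bits) or whether the replaced file's mode
 * is carried over; verify both in the implementation. The atomicity argument
 * above is stated for POSIX rename(2) only — behaviour on other platforms is
 * not documented here.
 *
 * @param target - Path of the file to replace; expected to be a path already
 *   accepted by `resolveSafeWritePath`.
 * @param content - Full new contents of the file.
 */
export declare const atomicWriteFile: (target: string, content: string) => void;

/**
 * yargs command module for `fix`.
 *
 * NOTE(review): the first type argument of `CommandModule` was missing from
 * the declaration as extracted (it read `CommandModule, FixCommandArgs>`).
 * `{}` is yargs' own default for that parameter and is used here to make the
 * declaration well-formed; confirm against the generated `.d.ts`.
 */
export declare const fixCommand: CommandModule<{}, FixCommandArgs>;

export {};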