import type { Issue, ServiceName } from '../../types/analysis.types';
export type OutputFormat = 'json' | 'table' | 'markdown' | 'summary' | 'sarif' | 'github-actions' | 'pdf';
export interface AnalyzeCommandArgs {
    stackName?: string;
    ci?: boolean;
    withIssue?: boolean;
    output?: string;
    all?: boolean;
    services?: ServiceName[];
    format?: string;
    yes?: boolean;
    reset?: boolean;
    failOnCritical?: boolean;
    ruleFilter?: string[];
    ignoreRules?: string[];
    ignorePaths?: string[];
    github?: boolean;
    redact?: boolean;
    summaryOnly?: boolean;
    synth?: boolean;
    noCache?: boolean;
    allowOveruse?: boolean;
    local?: boolean;
    warnSensitive?: boolean;
    prComment?: boolean;
    model?: string;
    /** Filter findings to only show those new since the saved baseline. */
    diff?: boolean;
    /** Save current findings as the new baseline (suppresses fail-on-critical). */
    writeBaseline?: boolean;
    /** Override path to baseline file (default `.cdk-insights-baseline.json`). */
    baseline?: string;
    /**
     * Watch CDK source files and re-run static analysis on save. Reuses
     * cdk.json's `watch.include` / `watch.exclude` block when present
     * (same conventions as `cdk watch`). AI analysis, baseline writes,
     * GitHub issue creation, PR comments and scan history upload are all
     * disabled while in watch mode.
     */
    watch?: boolean;
    cache?: {
        enabled?: boolean;
        ttl?: number;
        maxSize?: number;
    };
    /**
     * AI analysis configuration carried through from the user config
     * (.cdk-insights.json). Same shape as UserConfig.ai. Without this
     * the merge step silently drops `ai.model` and `ai.batchSize`,
     * making both fields no-ops at the call sites in analyse.ts.
     */
    ai?: {
        model?: string;
        batchSize?: number;
    };
}
/** Configuration for sensitive data detection */
export interface SensitiveDataDetectionConfig {
    /** Enable/disable sensitive data detection (default: true) */
    enabled?: boolean;
    /** Treat as warning instead of critical - same as --warn-sensitive flag (default: false) */
    warnOnly?: boolean;
    /** Property name patterns to ignore (regex strings) */
    allowPatterns?: string[];
    /** Specific property paths to ignore (e.g., "Environment.Variables.SAFE_VALUE") */
    ignoreProperties?: string[];
    /** Extra strict detection - more false positives but catches more secrets (default: false) */
    strictMode?: boolean;
}
/** Project-level user configuration */
export interface UserConfig {
    failOnCritical?: boolean;
    stackName?: string;
    output?: OutputFormat;
    services?: ServiceName[];
    redact?: boolean;
    withIssue?: boolean;
    summaryOnly?: boolean;
    synth?: boolean;
    ruleFilter?: string[];
    noCache?: boolean;
    allowOveruse?: boolean;
    local?: boolean;
    warnSensitive?: boolean;
    allowSensitive?: boolean;
    /** Disable the interactive feedback prompt after analysis (default: true) */
    feedback?: boolean;
    /** Sensitive data detection configuration */
    sensitiveDataDetection?: SensitiveDataDetectionConfig;
    /**
     * Rule IDs to suppress project-wide. Matched against `Issue.ruleId`
     * — supports exact match or a trailing `*` wildcard (e.g.
     * `CDK-INSIGHTS-SENSITIVE-*` suppresses every sensitive-data finding).
     * Use this to silence rules that don't apply to your architecture
     * instead of patching each call site.
     */
    ignoreRules?: string[];
    /**
     * Resource paths (CDK construct paths or logical IDs) to skip entirely.
     * Matched against the resource's `aws:cdk:path` Metadata and its
     * logical ID — supports exact match or trailing `*` wildcard. Use
     * this to carve out a subtree of the template (e.g. an imported
     * third-party construct whose findings are someone else's problem).
     */
    ignorePaths?: string[];
    cache?: {
        enabled?: boolean;
        ttl?: number;
        maxSize?: number;
    };
    /**
     * AI analysis configuration. The `model` field selects which Bedrock
     * model handles AI insights — see `cli/config/aiModel.ts` for the
     * registry of available aliases. Resolution precedence is
     * `--model` flag → `cdk.json` `cdkInsights:aiModel` context →
     * this user config → tier default.
     */
    ai?: {
        model?: string;
        /**
         * Group N resources into a single batched call to the backend's
         * `/v1/analyze/batch` endpoint instead of making one call per
         * resource. Higher values amortize the system prompt across more
         * resources, dramatically reducing per-insight cost.
         *
         * Defaults to 1 (off — uses the per-resource path). Recommended
         * range is 2–10. The backend caps batch size at 10 to avoid
         * Bedrock context-window pressure; the CLI clamps to that.
         */
        batchSize?: number;
    };
    /**
     * Anonymous, aggregate-only telemetry. Default is OFF — nothing leaves
     * the machine unless the user opts in. When `enabled: true`, the CLI
     * sends three event types to the backend (`baseline_written`,
     * `diff_run`, `fix_run`) carrying severity counts, rule-id histograms,
     * and timing. Resource names, construct paths, file paths, and code
     * are never included. The license ID is sha256-hashed before
     * transmission so even the operator of the backend can't tie events
     * back to a specific customer without the original key.
     */
    telemetry?: {
        enabled?: boolean;
    };
    /**
     * Scan history. Default is OFF — when `enabled: true` the CLI uploads
     * the full scan report (all stacks, all findings) to the user's CDK
     * Insights account at the end of every `analyse` run. Findings can
     * then be viewed at https://cdkinsights.dev/dashboard/scans/{scanId}.
     *
     * Privacy posture: scans are scoped to a sha256-hashed license id
     * server-side, encrypted at rest, and TTL-deleted per the user's
     * configured retention. Resource names, code snippets, and source
     * paths from the user's CDK app are part of the report — same data
     * the CLI prints to stdout when `--output json` is set. The user has
     * authenticated via `cdk-insights login` and explicitly opted in.
     */
    scanHistory?: {
        enabled?: boolean;
    };
    [key: string]: unknown;
}
export interface AnalysisSuccess {
    status: 'success';
    redactedId: string;
    resourceKey: string;
    remappedIssues: Issue[];
    resourceName?: string;
}
export interface AnalysisTimeout {
    status: 'timeout';
    redactedId: string;
}
export interface AnalysisFailure {
    status: 'fail';
    redactedId: string;
    error: unknown;
}
export interface AnalysisSkipped {
    status: 'skipped';
    redactedId: string;
}
export type ResourceAnalysisResult = AnalysisSuccess | AnalysisTimeout | AnalysisFailure | AnalysisSkipped;
export interface ErrorHandlerParams {
    analysisError: unknown;
    redactedId: string;
}
export type ErrorHandler = (params: ErrorHandlerParams) => ResourceAnalysisResult;