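/**
 * OAuth JWT Bearer Token Validation
 *
 * Validates JWT access tokens on incoming MCP requests.
 * Verifies the signature, issuer, audience, expiration, and scope.
 *
 * Tokens are scoped to a specific KB via the audience claim:
 *   aud = "{baseUrl}/mcp/{kbId}"
 *
 * NOTE(review): this is a declaration file. The checks listed above describe the
 * contract the implementation is expected to honour; none of them are visible here,
 * so confirm against the implementation (in particular that the audience comparison
 * is an exact string match and that `exp` is enforced with a bounded clock skew).
 */
import type { HarperRequest } from '../types.ts';

/** Identity and authorization attributes established from a verified token. */
export interface ValidatedCaller {
  /** User identifier (from JWT sub claim, e.g. "github:octocat") */
  userId: string;
  /** OAuth client ID */
  clientId: string;
  /**
   * Granted scopes, as carried by the token.
   * Possessing a scope here does not by itself authorize a tool call; the MCP
   * middleware is expected to check the required scope per operation.
   */
  scopes: string[];
  /** Knowledge base this caller is scoped to (from URL path) */
  kbId: string;
}

/**
 * Outcome of Bearer token validation.
 *
 * The two fields together distinguish three cases the middleware must treat
 * differently:
 *   - hasToken=false, caller=null  → no credential presented (anonymous)
 *   - hasToken=true,  caller!=null → verified token, authenticated caller
 *   - hasToken=true,  caller=null  → token presented but rejected → 401
 * Treat only a non-null `caller` as authenticated; `hasToken` alone proves
 * nothing. A rejected token must never degrade to anonymous access.
 */
export interface AuthResult {
  /** Validated caller, or null if no valid token */
  caller: ValidatedCaller | null;
  /** Whether an Authorization header with Bearer token was present */
  hasToken: boolean;
}

/**
 * Validate the Bearer token from an MCP request.
 *
 * The kbId is extracted from the URL path and used as part of the
 * expected audience claim — tokens issued for one KB cannot be used
 * on another.
 *
 * `kbId` must be the value the router parsed from the request path, never
 * anything taken from the token itself; otherwise the audience check becomes
 * self-referential and the per-KB scoping is lost.
 *
 * Returns { caller, hasToken } so the MCP middleware can distinguish:
 * - No token → anonymous read-only access
 * - Valid token → authenticated access with granted scopes
 * - Invalid token → 401 (token present but verification failed)
 *
 * @param request incoming MCP request; the Bearer credential is read from its
 *   Authorization header
 * @param kbId knowledge base identifier from the URL path, bound into the
 *   expected `aud` value
 * @returns the validation outcome; see {@link AuthResult} for how to interpret
 *   the field combinations
 */
export declare function validateMcpAuth(request: HarperRequest, kbId: string): Promise<AuthResult>;
//# sourceMappingURL=validate.d.ts.map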