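/**
 * @module infra/exec-approvals-types
 *
 * Type definitions for the exec-approvals security layer.
 *
 * NOTE(review): the type arguments on `Record` and `Required` in
 * `ExecApprovalsFile` / `ExecApprovalsResolved` were missing in the
 * extracted source (bare `Record;` / `Required;` does not compile). They are
 * reconstructed here from the field names and the sibling `allowlist` field —
 * confirm against the upstream file.
 */

/** Where a command runs. The semantics of each host are defined by the executor, not here. */
export type ExecHost = "sandbox" | "gateway" | "node";

/**
 * Security policy applied to exec requests.
 * Presumably "deny" rejects every command, "allowlist" permits only allowlist
 * matches and "full" permits everything — confirm in the policy evaluator.
 */
export type ExecSecurity = "deny" | "allowlist" | "full";

/**
 * When the user is prompted for approval.
 * Presumably "off" never asks, "on-miss" asks only when the allowlist does not
 * match and "always" asks for every command — confirm in the policy evaluator.
 */
export type ExecAsk = "off" | "on-miss" | "always";

/** Default security/ask settings applied when no koi-specific override exists. */
export type ExecApprovalsDefaults = {
  /** Policy to apply; see ExecSecurity. */
  security?: ExecSecurity;
  /** Prompting behaviour; see ExecAsk. */
  ask?: ExecAsk;
  /** Policy used when a prompt cannot be answered — presumably; confirm in the evaluator. */
  askFallback?: ExecSecurity;
  /** Whether skill-provided commands are allowed without a prompt — presumably; confirm. */
  autoAllowSkills?: boolean;
};

/** One persisted allowlist rule. Only `pattern` is required; the rest is usage metadata. */
export type ExecAllowlistEntry = {
  /** Stable identifier for the entry, if one was assigned. */
  id?: string;
  /** Match pattern for the command. Matching rules are not defined in this module. */
  pattern: string;
  /** Timestamp of the last match — unit (ms vs s) not fixed here; confirm against the writer. */
  lastUsedAt?: number;
  /** Full command text that last matched this entry. */
  lastUsedCommand?: string;
  /** Executable path recorded at the last match. */
  lastResolvedPath?: string;
};

/** Per-koi settings: the shared defaults plus that koi's own allowlist. */
export type ExecApprovalsKoi = ExecApprovalsDefaults & {
  allowlist?: ExecAllowlistEntry[];
};

/** On-disk schema for ~/.skykoi/exec-approvals.json — stores per-koi allowlists and policies. */
export type ExecApprovalsFile = {
  /** Schema version; only 1 exists. */
  version: 1;
  /** Approval socket settings. `token` is secret material persisted with the file. */
  socket?: {
    path?: string;
    token?: string;
  };
  defaults?: ExecApprovalsDefaults;
  /** Keyed by koi identifier — reconstructed type argument, see module note. */
  kois?: Record<string, ExecApprovalsKoi>;
};

/** Point-in-time read of the approvals file with hash for optimistic concurrency. */
export type ExecApprovalsSnapshot = {
  /** Path the snapshot was read from. */
  path: string;
  /** False when the file was absent at read time. */
  exists: boolean;
  /** Raw file contents, or null when nothing was read. */
  raw: string | null;
  /** Parsed contents (or a default when absent — presumably; confirm in the loader). */
  file: ExecApprovalsFile;
  /** Hash of `raw`, compared before a write to detect concurrent modification. */
  hash: string;
};

/**
 * Fully resolved approval settings for a specific koi, with merged defaults and wildcard.
 * `defaults` and `koi` carry every field (reconstructed `Required<…>`, see module note).
 */
export type ExecApprovalsResolved = {
  path: string;
  socketPath: string;
  token: string;
  defaults: Required<ExecApprovalsDefaults>;
  koi: Required<ExecApprovalsKoi>;
  /** Effective allowlist for the koi after merging. */
  allowlist: ExecAllowlistEntry[];
  /** The file the resolution was derived from. */
  file: ExecApprovalsFile;
};

/**
 * Overrides applied on top of the file defaults.
 * Structurally identical to ExecApprovalsDefaults; kept as a separate name so
 * callers of either type are unaffected.
 */
export type ExecApprovalsDefaultOverrides = {
  security?: ExecSecurity;
  ask?: ExecAsk;
  askFallback?: ExecSecurity;
  autoAllowSkills?: boolean;
};

/**
 * How the executable of one command segment was resolved.
 * NOTE(review): `resolvedPath` is optional — a policy decision made while it is
 * undefined is working from `rawExecutable` only; confirm the evaluator treats
 * that case conservatively.
 */
export type CommandResolution = {
  /** Executable token exactly as written in the command. */
  rawExecutable: string;
  /** Absolute path the executable resolved to, when resolution succeeded. */
  resolvedPath?: string;
  /** Basename used for matching. */
  executableName: string;
};

/** One command in a (possibly chained) command line. */
export type ExecCommandSegment = {
  /** The segment's text as written. */
  raw: string;
  /** Parsed argument vector for the segment. */
  argv: string[];
  /** Null when the executable could not be resolved. */
  resolution: CommandResolution | null;
};

/** Result of parsing a command line into segments. */
export type ExecCommandAnalysis = {
  /** False when the command could not be analysed; `reason` explains why — presumably. */
  ok: boolean;
  reason?: string;
  segments: ExecCommandSegment[];
  /** Segments grouped per chain (e.g. per `&&`/`;` group) — presumably; confirm in the analyser. */
  chains?: ExecCommandSegment[][];
};

/** Outcome of checking segments against an allowlist. */
export type ExecAllowlistEvaluation = {
  /** True only when the allowlist covers the whole command. */
  allowlistSatisfied: boolean;
  /** Entries that matched. */
  allowlistMatches: ExecAllowlistEntry[];
};

/** Combined analysis + allowlist evaluation for a command. */
export type ExecAllowlistAnalysis = {
  /** Mirrors ExecCommandAnalysis.ok. */
  analysisOk: boolean;
  allowlistSatisfied: boolean;
  allowlistMatches: ExecAllowlistEntry[];
  segments: ExecCommandSegment[];
};

/** User's answer to an approval prompt. */
export type ExecApprovalDecision = "allow-once" | "allow-always" | "deny";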