/**
 * Tipos de Client API Keys org-scopeadas (ADR-023). Contrato espejo de
 * `lambdas/org` `/org/api-keys/*`. El orgID se resuelve del JWT (ActiveOrgID),
 * no va en el path.
 */
export interface ClientApiKey {
    keyId: string;
    name: string;
    organizationId: string;
    status: string;
    permissions: string[];
    rateLimit?: number;
    expiresAt?: string;
    allowedIps?: string[];
    createdBy: string;
    createdAt: string;
    lastUsedAt?: string;
}
/** Solo en la respuesta de creación: el secreto se muestra UNA vez. */
export interface ClientApiKeyWithSecret extends ClientApiKey {
    secret: string;
}
export interface CreateApiKeyRequest {
    name: string;
    permissions: string[];
    rateLimit?: number;
    expiresInDays?: number;
    allowedIps?: string[];
}
export interface CreateApiKeyResponse {
    operationId: string;
    key: ClientApiKeyWithSecret;
}
export interface ListApiKeysResponse {
    operationId: string;
    keys: ClientApiKey[];
    nextToken?: string;
}
export interface AvailablePermissionsResponse {
    operationId: string;
    permissions: string[];
}
export interface RevokeApiKeyResponse {
    operationId: string;
    message: string;
}