@ahksolution/permissions-sdk 1.0.0

package/dist/guards/permissions.guard.js

@@ -0,0 +1,139 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var PermissionsGuard_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PermissionsGuard = void 0;
+const common_1 = require("@nestjs/common");
+const core_1 = require("@nestjs/core");
+const permissions_grpc_client_1 = require("../client/permissions-grpc.client");
+const types_1 = require("../types");
+/**
+ * NestJS Guard that checks permissions via the Permissions gRPC Service
+ *
+ * This guard:
+ * 1. Extracts permission requirements from the @RequirePermissions decorator
+ * 2. Gets the user ID from the request (expects JWT auth to have run first)
+ * 3. Calls the permissions microservice via gRPC to verify access
+ * 4. Throws ForbiddenException if permission is denied
+ *
+ * @example
+ * ```typescript
+ * // Use globally
+ * @Module({
+ *   providers: [
+ *     {
+ *       provide: APP_GUARD,
+ *       useClass: PermissionsGuard,
+ *     },
+ *   ],
+ * })
+ * export class AppModule {}
+ *
+ * // Or use on specific controllers/routes
+ * @Controller('orders')
+ * @UseGuards(JwtAuthGuard, PermissionsGuard)
+ * export class OrdersController { ... }
+ * ```
+ */
+let PermissionsGuard = PermissionsGuard_1 = class PermissionsGuard {
+    reflector;
+    permissionsClient;
+    logger = new common_1.Logger(PermissionsGuard_1.name);
+    constructor(reflector, permissionsClient) {
+        this.reflector = reflector;
+        this.permissionsClient = permissionsClient;
+    }
+    async canActivate(context) {
+        const metadata = this.getPermissionsMetadata(context);
+        if (metadata === undefined || metadata.permissions.length === 0) {
+            return true;
+        }
+        const request = context.switchToHttp().getRequest();
+        const { user } = request;
+        if (user === undefined || user.id === '') {
+            this.logger.warn('Permission check failed: No authenticated user found');
+            throw new common_1.ForbiddenException('Authentication required');
+        }
+        const { permissions, options } = metadata;
+        const mode = options.mode ?? 'all';
+        try {
+            const hasPermission = await this.evaluatePermissions(user.id, [...permissions], mode, request, options.includeResourceContext ?? false);
+            if (!hasPermission) {
+                const errorMessage = options.errorMessage ??
+                    `Access denied. Required permission(s): ${permissions.join(', ')}`;
+                this.logger.debug(`Permission denied for user ${user.id}: ${permissions.join(', ')} (mode: ${mode})`);
+                throw new common_1.ForbiddenException(errorMessage);
+            }
+            return true;
+        }
+        catch (error) {
+            if (error instanceof common_1.ForbiddenException) {
+                throw error;
+            }
+            this.logger.error(`Permission check failed for user ${user.id}`, error instanceof Error ? error.stack : String(error));
+            throw new common_1.ForbiddenException('Permission check failed');
+        }
+    }
+    /**
+     * Get permission metadata from the handler or class
+     */
+    getPermissionsMetadata(context) {
+        return this.reflector.getAllAndOverride(types_1.PERMISSIONS_METADATA_KEY, [context.getHandler(), context.getClass()]);
+    }
+    /**
+     * Evaluate permissions based on mode
+     */
+    async evaluatePermissions(userId, permissions, mode, request, includeResourceContext) {
+        const requestContext = this.buildRequestContext(request);
+        const resourceContext = includeResourceContext ? this.buildResourceContext(request) : undefined;
+        if (permissions.length === 1) {
+            const [firstPermission] = permissions;
+            const result = await this.permissionsClient.checkPermission(userId, firstPermission, {
+                request: requestContext,
+                resource: resourceContext,
+            });
+            return result.allowed;
+        }
+        if (mode === 'all') {
+            return await this.permissionsClient.hasAllPermissions(userId, permissions);
+        }
+        return await this.permissionsClient.hasAnyPermission(userId, permissions);
+    }
+    /**
+     * Build request context from the HTTP request
+     */
+    buildRequestContext(request) {
+        const userAgent = request.headers?.['user-agent'];
+        return {
+            ip: request.ip,
+            userAgent: Array.isArray(userAgent) ? userAgent[0] : userAgent,
+            method: request.method,
+            path: request.path ?? request.url,
+        };
+    }
+    /**
+     * Build resource context from request params/query
+     */
+    buildResourceContext(request) {
+        return {
+            id: request.params?.id,
+            ...request.params,
+            ...request.query,
+        };
+    }
+};
+exports.PermissionsGuard = PermissionsGuard;
+exports.PermissionsGuard = PermissionsGuard = PermissionsGuard_1 = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [core_1.Reflector,
+        permissions_grpc_client_1.PermissionsGrpcClient])
+], PermissionsGuard);
+//# sourceMappingURL=permissions.guard.js.map

package/dist/guards/permissions.guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.guard.js","sourceRoot":"","sources":["../../src/guards/permissions.guard.ts"],"names":[],"mappings":";;;;;;;;;;;;;AAAA,2CAMwB;AACxB,uCAAyC;AAEzC,+EAA0E;AAE1E,oCAAoD;AAwBpD;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEI,IAAM,gBAAgB,wBAAtB,MAAM,gBAAgB;IAIR;IACA;IAJF,MAAM,GAAG,IAAI,eAAM,CAAC,kBAAgB,CAAC,IAAI,CAAC,CAAC;IAE5D,YACmB,SAAoB,EACpB,iBAAwC;QADxC,cAAS,GAAT,SAAS,CAAW;QACpB,sBAAiB,GAAjB,iBAAiB,CAAuB;IACxD,CAAC;IAEJ,KAAK,CAAC,WAAW,CAAC,OAAyB;QACzC,MAAM,QAAQ,GAAG,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,CAAC;QACtD,IAAI,QAAQ,KAAK,SAAS,IAAI,QAAQ,CAAC,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAChE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAmB,CAAC;QACrE,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC;QACzB,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,CAAC;YACzC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;YACzE,MAAM,IAAI,2BAAkB,CAAC,yBAAyB,CAAC,CAAC;QAC1D,CAAC;QACD,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,GAAG,QAAQ,CAAC;QAC1C,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,KAAK,CAAC;QACnC,IAAI,CAAC;YACH,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,mBAAmB,CAClD,IAAI,CAAC,EAAE,EACP,CAAC,GAAG,WAAW,CAAC,EAChB,IAAI,EACJ,OAAO,EACP,OAAO,CAAC,sBAAsB,IAAI,KAAK,CACxC,CAAC;YACF,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,MAAM,YAAY,GAChB,OAAO,CAAC,YAAY;oBACpB,0CAA0C,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrE,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,8BAA8B,IAAI,CAAC,EAAE,KAAK,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,IAAI,GAAG,CACnF,CAAC;gBACF,MAAM,IAAI,2BAAkB,CAAC,YAAY,CAAC,CAAC;YAC7C,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,2BAAkB,EAAE,CAAC;gBACxC,MAAM,KAAK,CAAC;YACd,CAAC;YACD,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,oCAAoC,IAAI,CAAC,EAAE,EAAE,EAC7C,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CACrD,CAAC;YACF,MAAM,IAAI,2BAAkB,CAAC,yBAAyB,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IAED;;OAEG;IACK,sBAAsB,CAAC,OAAyB;QACtD,OAAO,IAAI,CAAC,SAAS,CAAC,iBAAiB,CACrC,gCAAwB,EACxB,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAC3C,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,mBAAmB,CAC/B,MAAc,EACd,WAAqB,EACrB,IAAmB,EACnB,OAAwB,EACxB,sBAA+B;QAE/B,MAAM,cAAc,GAAG,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,CAAC;QACzD,MAAM,eAAe,GAAG,sBAAsB,CAAC,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAChG,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC7B,MAAM,CAAC,eAAe,CAAC,GAAG,WAAW,CAAC;YACtC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,eAAe,CAAC,MAAM,EAAE,eAAe,EAAE;gBACnF,OAAO,EAAE,cAAc;gBACvB,QAAQ,EAAE,eAAe;aAC1B,CAAC,CAAC;YACH,OAAO,MAAM,CAAC,OAAO,CAAC;QACxB,CAAC;QACD,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;YACnB,OAAO,MAAM,IAAI,CAAC,iBAAiB,CAAC,iBAAiB,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;QAC7E,CAAC;QACD,OAAO,MAAM,IAAI,CAAC,iBAAiB,CAAC,gBAAgB,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IAC5E,CAAC;IAED;;OAEG;IACK,mBAAmB,CAAC,OAAwB;QAClD,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,YAAY,CAAC,CAAC;QAClD,OAAO;YACL,EAAE,EAAE,OAAO,CAAC,EAAE;YACd,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS;YAC9D,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG;SAClC,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,oBAAoB,CAAC,OAAwB;QACnD,OAAO;YACL,EAAE,EAAE,OAAO,CAAC,MAAM,EAAE,EAAE;YACtB,GAAG,OAAO,CAAC,MAAM;YACjB,GAAG,OAAO,CAAC,KAAK;SACjB,CAAC;IACJ,CAAC;CACF,CAAA;AA9GY,4CAAgB;2BAAhB,gBAAgB;IAD5B,IAAA,mBAAU,GAAE;qCAKmB,gBAAS;QACD,+CAAqB;GALhD,gBAAgB,CA8G5B"}

package/dist/index.d.ts

@@ -0,0 +1,6 @@
+export * from './client';
+export * from './guards';
+export * from './decorators';
+export * from './types';
+export * from './constants';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,cAAc,UAAU,CAAC;AAGzB,cAAc,UAAU,CAAC;AAGzB,cAAc,cAAc,CAAC;AAG7B,cAAc,SAAS,CAAC;AAGxB,cAAc,aAAa,CAAC"}

package/dist/index.js

@@ -0,0 +1,27 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+// Client
+__exportStar(require("./client"), exports);
+// Guards
+__exportStar(require("./guards"), exports);
+// Decorators
+__exportStar(require("./decorators"), exports);
+// Types
+__exportStar(require("./types"), exports);
+// Constants
+__exportStar(require("./constants"), exports);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,SAAS;AACT,2CAAyB;AAEzB,SAAS;AACT,2CAAyB;AAEzB,aAAa;AACb,+CAA6B;AAE7B,QAAQ;AACR,0CAAwB;AAExB,YAAY;AACZ,8CAA4B"}

package/dist/proto/permissions.proto

@@ -0,0 +1,150 @@
+syntax = "proto3";
+
+package permissions;
+
+/**
+ * Permissions Service
+ * Provides gRPC endpoints for permission evaluation in a microservice architecture.
+ * Supports RBAC (Role-Based Access Control) and ABAC (Attribute-Based Access Control).
+ */
+service PermissionsService {
+  /**
+   * Check a single permission for a user with optional ABAC context
+   */
+  rpc CheckPermission(CheckPermissionRequest) returns (CheckPermissionResponse);
+
+  /**
+   * Check multiple permissions at once for efficiency
+   */
+  rpc CheckBulkPermissions(CheckBulkPermissionsRequest) returns (CheckBulkPermissionsResponse);
+
+  /**
+   * Get all effective permissions for a user (computed from roles + custom assignments)
+   */
+  rpc GetEffectivePermissions(GetEffectivePermissionsRequest) returns (GetEffectivePermissionsResponse);
+
+  /**
+   * Simple boolean check - does user have this permission?
+   */
+  rpc HasPermission(HasPermissionRequest) returns (HasPermissionResponse);
+
+  /**
+   * Check if user has ALL of the specified permissions
+   */
+  rpc HasAllPermissions(HasMultiplePermissionsRequest) returns (HasPermissionResponse);
+
+  /**
+   * Check if user has ANY of the specified permissions
+   */
+  rpc HasAnyPermission(HasMultiplePermissionsRequest) returns (HasPermissionResponse);
+}
+
+// ============================================================================
+// Request Messages
+// ============================================================================
+
+message CheckPermissionRequest {
+  string user_id = 1;
+  string permission_code = 2;
+  optional ResourceContext resource_context = 3;
+  optional RequestContext request_context = 4;
+}
+
+message CheckBulkPermissionsRequest {
+  string user_id = 1;
+  repeated string permission_codes = 2;
+  optional ResourceContext resource_context = 3;
+  optional RequestContext request_context = 4;
+}
+
+message GetEffectivePermissionsRequest {
+  string user_id = 1;
+}
+
+message HasPermissionRequest {
+  string user_id = 1;
+  string permission_code = 2;
+}
+
+message HasMultiplePermissionsRequest {
+  string user_id = 1;
+  repeated string permission_codes = 2;
+}
+
+// ============================================================================
+// Response Messages
+// ============================================================================
+
+message CheckPermissionResponse {
+  bool allowed = 1;
+  EvaluationSource source = 2;
+  repeated string matched_roles = 3;
+  repeated string matched_policies = 4;
+  string reason = 5;
+  int32 evaluation_time_ms = 6;
+}
+
+message CheckBulkPermissionsResponse {
+  map<string, CheckPermissionResponse> results = 1;
+  int32 total_time_ms = 2;
+}
+
+message GetEffectivePermissionsResponse {
+  repeated string permissions = 1;
+  repeated RoleInfo roles = 2;
+  int32 version = 3;
+  string computed_at = 4;
+}
+
+message HasPermissionResponse {
+  bool has_permission = 1;
+}
+
+// ============================================================================
+// Shared Types
+// ============================================================================
+
+/**
+ * Source of the permission decision
+ */
+enum EvaluationSource {
+  EVALUATION_SOURCE_UNSPECIFIED = 0;
+  EVALUATION_SOURCE_RBAC = 1;
+  EVALUATION_SOURCE_ABAC = 2;
+  EVALUATION_SOURCE_BREAK_GLASS = 3;
+  EVALUATION_SOURCE_DENIED = 4;
+}
+
+/**
+ * Role information
+ */
+message RoleInfo {
+  string id = 1;
+  string code = 2;
+  string name = 3;
+  bool is_system = 4;
+}
+
+/**
+ * Resource context for ABAC evaluation
+ * Contains attributes about the resource being accessed
+ */
+message ResourceContext {
+  optional string id = 1;
+  optional string type = 2;
+  optional string owner_id = 3;
+  optional string department = 4;
+  map<string, string> attributes = 5;
+}
+
+/**
+ * Request context for ABAC evaluation
+ * Contains attributes about the request itself
+ */
+message RequestContext {
+  optional string ip = 1;
+  optional string user_agent = 2;
+  optional string method = 3;
+  optional string path = 4;
+  map<string, string> attributes = 5;
+}

package/dist/types/evaluation.types.d.ts

@@ -0,0 +1,80 @@
+/**
+ * Source of permission grant decision
+ */
+export type EvaluationSource = 'rbac' | 'abac' | 'break-glass' | 'denied';
+/**
+ * Maps proto enum values to TypeScript types
+ */
+export declare const EVALUATION_SOURCE_MAP: {
+    readonly EVALUATION_SOURCE_UNSPECIFIED: "denied";
+    readonly EVALUATION_SOURCE_RBAC: "rbac";
+    readonly EVALUATION_SOURCE_ABAC: "abac";
+    readonly EVALUATION_SOURCE_BREAK_GLASS: "break-glass";
+    readonly EVALUATION_SOURCE_DENIED: "denied";
+};
+/**
+ * Resource context for ABAC evaluation
+ * Contains attributes about the resource being accessed
+ */
+export interface ResourceContext {
+    readonly id?: string;
+    readonly type?: string;
+    readonly ownerId?: string;
+    readonly department?: string;
+    readonly [key: string]: unknown;
+}
+/**
+ * Request context for ABAC evaluation
+ * Contains attributes about the request itself
+ */
+export interface RequestContext {
+    readonly ip?: string;
+    readonly userAgent?: string;
+    readonly method?: string;
+    readonly path?: string;
+    readonly [key: string]: unknown;
+}
+/**
+ * Context passed to evaluators when checking permissions
+ */
+export interface EvaluationContext {
+    readonly userId: string;
+    readonly permissionCode: string;
+    readonly resource?: ResourceContext;
+    readonly request?: RequestContext;
+}
+/**
+ * Result of permission evaluation
+ */
+export interface EvaluationResult {
+    readonly allowed: boolean;
+    readonly source: EvaluationSource;
+    readonly matchedRoles?: readonly string[];
+    readonly matchedPolicies?: readonly string[];
+    readonly reason: string;
+    readonly evaluationTimeMs: number;
+}
+/**
+ * Bulk permission check request
+ */
+export interface BulkPermissionCheck {
+    readonly userId: string;
+    readonly permissionCodes: readonly string[];
+    readonly resource?: ResourceContext;
+    readonly request?: RequestContext;
+}
+/**
+ * Bulk permission check result
+ */
+export interface BulkPermissionResult {
+    readonly results: ReadonlyMap<string, EvaluationResult>;
+    readonly totalTimeMs: number;
+}
+/**
+ * Bulk permission result as a record (for JSON serialization)
+ */
+export interface BulkPermissionResultRecord {
+    readonly results: Record<string, EvaluationResult>;
+    readonly totalTimeMs: number;
+}
+//# sourceMappingURL=evaluation.types.d.ts.map

package/dist/types/evaluation.types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"evaluation.types.d.ts","sourceRoot":"","sources":["../../src/types/evaluation.types.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG,MAAM,GAAG,MAAM,GAAG,aAAa,GAAG,QAAQ,CAAC;AAE1E;;GAEG;AACH,eAAO,MAAM,qBAAqB;;;;;;CAMxB,CAAC;AAEX;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,EAAE,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACjC;AAED;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,EAAE,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACjC;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,QAAQ,CAAC,EAAE,eAAe,CAAC;IACpC,QAAQ,CAAC,OAAO,CAAC,EAAE,cAAc,CAAC;CACnC;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,MAAM,EAAE,gBAAgB,CAAC;IAClC,QAAQ,CAAC,YAAY,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC1C,QAAQ,CAAC,eAAe,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC7C,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;CACnC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,eAAe,EAAE,SAAS,MAAM,EAAE,CAAC;IAC5C,QAAQ,CAAC,QAAQ,CAAC,EAAE,eAAe,CAAC;IACpC,QAAQ,CAAC,OAAO,CAAC,EAAE,cAAc,CAAC;CACnC;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,OAAO,EAAE,WAAW,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;IACxD,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B;AAED;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;IACnD,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B"}

package/dist/types/evaluation.types.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EVALUATION_SOURCE_MAP = void 0;
+/**
+ * Maps proto enum values to TypeScript types
+ */
+exports.EVALUATION_SOURCE_MAP = {
+    EVALUATION_SOURCE_UNSPECIFIED: 'denied',
+    EVALUATION_SOURCE_RBAC: 'rbac',
+    EVALUATION_SOURCE_ABAC: 'abac',
+    EVALUATION_SOURCE_BREAK_GLASS: 'break-glass',
+    EVALUATION_SOURCE_DENIED: 'denied',
+};
+//# sourceMappingURL=evaluation.types.js.map

package/dist/types/evaluation.types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"evaluation.types.js","sourceRoot":"","sources":["../../src/types/evaluation.types.ts"],"names":[],"mappings":";;;AAKA;;GAEG;AACU,QAAA,qBAAqB,GAAG;IACnC,6BAA6B,EAAE,QAAQ;IACvC,sBAAsB,EAAE,MAAM;IAC9B,sBAAsB,EAAE,MAAM;IAC9B,6BAA6B,EAAE,aAAa;IAC5C,wBAAwB,EAAE,QAAQ;CAC1B,CAAC"}

package/dist/types/grpc.types.d.ts

@@ -0,0 +1,97 @@
+import type { Observable } from 'rxjs';
+/**
+ * gRPC Resource context message
+ */
+export interface GrpcResourceContext {
+    id?: string;
+    type?: string;
+    ownerId?: string;
+    department?: string;
+    attributes?: Record<string, string>;
+}
+/**
+ * gRPC Request context message
+ */
+export interface GrpcRequestContext {
+    ip?: string;
+    userAgent?: string;
+    method?: string;
+    path?: string;
+    attributes?: Record<string, string>;
+}
+/**
+ * gRPC Role info message
+ */
+export interface GrpcRoleInfo {
+    id: string;
+    code: string;
+    name: string;
+    isSystem: boolean;
+}
+/**
+ * gRPC Evaluation source enum (as number from proto)
+ */
+export declare enum GrpcEvaluationSource {
+    EVALUATION_SOURCE_UNSPECIFIED = 0,
+    EVALUATION_SOURCE_RBAC = 1,
+    EVALUATION_SOURCE_ABAC = 2,
+    EVALUATION_SOURCE_BREAK_GLASS = 3,
+    EVALUATION_SOURCE_DENIED = 4
+}
+export interface CheckPermissionRequest {
+    userId: string;
+    permissionCode: string;
+    resourceContext?: GrpcResourceContext;
+    requestContext?: GrpcRequestContext;
+}
+export interface CheckBulkPermissionsRequest {
+    userId: string;
+    permissionCodes: string[];
+    resourceContext?: GrpcResourceContext;
+    requestContext?: GrpcRequestContext;
+}
+export interface GetEffectivePermissionsRequest {
+    userId: string;
+}
+export interface HasPermissionRequest {
+    userId: string;
+    permissionCode: string;
+}
+export interface HasMultiplePermissionsRequest {
+    userId: string;
+    permissionCodes: string[];
+}
+export interface CheckPermissionResponse {
+    allowed: boolean;
+    source: GrpcEvaluationSource;
+    matchedRoles: string[];
+    matchedPolicies: string[];
+    reason: string;
+    evaluationTimeMs: number;
+}
+export interface CheckBulkPermissionsResponse {
+    results: Record<string, CheckPermissionResponse>;
+    totalTimeMs: number;
+}
+export interface GetEffectivePermissionsResponse {
+    permissions: string[];
+    roles: GrpcRoleInfo[];
+    version: number;
+    computedAt: string;
+}
+export interface HasPermissionResponse {
+    hasPermission: boolean;
+}
+/**
+ * gRPC Permissions Service client interface
+ * This interface is used by NestJS microservices to define the client methods
+ */
+export interface PermissionsGrpcService {
+    checkPermission: (request: CheckPermissionRequest) => Observable<CheckPermissionResponse>;
+    checkBulkPermissions: (request: CheckBulkPermissionsRequest) => Observable<CheckBulkPermissionsResponse>;
+    getEffectivePermissions: (request: GetEffectivePermissionsRequest) => Observable<GetEffectivePermissionsResponse>;
+    hasPermission: (request: HasPermissionRequest) => Observable<HasPermissionResponse>;
+    hasAllPermissions: (request: HasMultiplePermissionsRequest) => Observable<HasPermissionResponse>;
+    hasAnyPermission: (request: HasMultiplePermissionsRequest) => Observable<HasPermissionResponse>;
+}
+//# sourceMappingURL=grpc.types.d.ts.map

package/dist/types/grpc.types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"grpc.types.d.ts","sourceRoot":"","sources":["../../src/types/grpc.types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACrC;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACrC;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,oBAAY,oBAAoB;IAC9B,6BAA6B,IAAI;IACjC,sBAAsB,IAAI;IAC1B,sBAAsB,IAAI;IAC1B,6BAA6B,IAAI;IACjC,wBAAwB,IAAI;CAC7B;AAMD,MAAM,WAAW,sBAAsB;IACrC,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,EAAE,MAAM,CAAC;IACvB,eAAe,CAAC,EAAE,mBAAmB,CAAC;IACtC,cAAc,CAAC,EAAE,kBAAkB,CAAC;CACrC;AAED,MAAM,WAAW,2BAA2B;IAC1C,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,eAAe,CAAC,EAAE,mBAAmB,CAAC;IACtC,cAAc,CAAC,EAAE,kBAAkB,CAAC;CACrC;AAED,MAAM,WAAW,8BAA8B;IAC7C,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,6BAA6B;IAC5C,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,EAAE,MAAM,EAAE,CAAC;CAC3B;AAMD,MAAM,WAAW,uBAAuB;IACtC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,oBAAoB,CAAC;IAC7B,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,4BAA4B;IAC3C,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,uBAAuB,CAAC,CAAC;IACjD,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,+BAA+B;IAC9C,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,KAAK,EAAE,YAAY,EAAE,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,qBAAqB;IACpC,aAAa,EAAE,OAAO,CAAC;CACxB;AAMD;;;GAGG;AACH,MAAM,WAAW,sBAAsB;IACrC,eAAe,EAAE,CAAC,OAAO,EAAE,sBAAsB,KAAK,UAAU,CAAC,uBAAuB,CAAC,CAAC;IAC1F,oBAAoB,EAAE,CACpB,OAAO,EAAE,2BAA2B,KACjC,UAAU,CAAC,4BAA4B,CAAC,CAAC;IAC9C,uBAAuB,EAAE,CACvB,OAAO,EAAE,8BAA8B,KACpC,UAAU,CAAC,+BAA+B,CAAC,CAAC;IACjD,aAAa,EAAE,CAAC,OAAO,EAAE,oBAAoB,KAAK,UAAU,CAAC,qBAAqB,CAAC,CAAC;IACpF,iBAAiB,EAAE,CAAC,OAAO,EAAE,6BAA6B,KAAK,UAAU,CAAC,qBAAqB,CAAC,CAAC;IACjG,gBAAgB,EAAE,CAAC,OAAO,EAAE,6BAA6B,KAAK,UAAU,CAAC,qBAAqB,CAAC,CAAC;CACjG"}

package/dist/types/grpc.types.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GrpcEvaluationSource = void 0;
+/**
+ * gRPC Evaluation source enum (as number from proto)
+ */
+var GrpcEvaluationSource;
+(function (GrpcEvaluationSource) {
+    GrpcEvaluationSource[GrpcEvaluationSource["EVALUATION_SOURCE_UNSPECIFIED"] = 0] = "EVALUATION_SOURCE_UNSPECIFIED";
+    GrpcEvaluationSource[GrpcEvaluationSource["EVALUATION_SOURCE_RBAC"] = 1] = "EVALUATION_SOURCE_RBAC";
+    GrpcEvaluationSource[GrpcEvaluationSource["EVALUATION_SOURCE_ABAC"] = 2] = "EVALUATION_SOURCE_ABAC";
+    GrpcEvaluationSource[GrpcEvaluationSource["EVALUATION_SOURCE_BREAK_GLASS"] = 3] = "EVALUATION_SOURCE_BREAK_GLASS";
+    GrpcEvaluationSource[GrpcEvaluationSource["EVALUATION_SOURCE_DENIED"] = 4] = "EVALUATION_SOURCE_DENIED";
+})(GrpcEvaluationSource || (exports.GrpcEvaluationSource = GrpcEvaluationSource = {}));
+//# sourceMappingURL=grpc.types.js.map

package/dist/types/grpc.types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"grpc.types.js","sourceRoot":"","sources":["../../src/types/grpc.types.ts"],"names":[],"mappings":";;;AAkCA;;GAEG;AACH,IAAY,oBAMX;AAND,WAAY,oBAAoB;IAC9B,iHAAiC,CAAA;IACjC,mGAA0B,CAAA;IAC1B,mGAA0B,CAAA;IAC1B,iHAAiC,CAAA;IACjC,uGAA4B,CAAA;AAC9B,CAAC,EANW,oBAAoB,oCAApB,oBAAoB,QAM/B"}

package/dist/types/index.d.ts

@@ -0,0 +1,4 @@
+export * from './evaluation.types';
+export * from './grpc.types';
+export * from './permission.types';
+//# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA,cAAc,oBAAoB,CAAC;AACnC,cAAc,cAAc,CAAC;AAC7B,cAAc,oBAAoB,CAAC"}

package/dist/types/index.js

@@ -0,0 +1,20 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./evaluation.types"), exports);
+__exportStar(require("./grpc.types"), exports);
+__exportStar(require("./permission.types"), exports);
+//# sourceMappingURL=index.js.map

package/dist/types/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,qDAAmC;AACnC,+CAA6B;AAC7B,qDAAmC"}

package/dist/types/permission.types.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Role information with associated permission codes
+ */
+export interface RoleInfo {
+    readonly id: string;
+    readonly code: string;
+    readonly name: string;
+    readonly isSystem: boolean;
+}
+/**
+ * User's effective permissions computed from roles and custom assignments
+ */
+export interface EffectivePermissions {
+    readonly permissions: readonly string[];
+    readonly roles: readonly RoleInfo[];
+    readonly version: number;
+    readonly computedAt: Date;
+}
+/**
+ * Options for the RequirePermissions decorator
+ */
+export interface RequirePermissionsOptions {
+    /**
+     * How to evaluate multiple permissions
+     * - 'all': User must have ALL listed permissions (AND logic)
+     * - 'any': User must have at least ONE permission (OR logic)
+     * @default 'all'
+     */
+    readonly mode?: 'all' | 'any';
+    /**
+     * Custom error message when permission is denied
+     */
+    readonly errorMessage?: string;
+    /**
+     * Whether to include resource context from request params
+     * @default false
+     */
+    readonly includeResourceContext?: boolean;
+}
+/**
+ * Metadata key for storing permission requirements
+ */
+export declare const PERMISSIONS_METADATA_KEY = "permissions:required";
+/**
+ * Metadata structure for permission requirements
+ */
+export interface PermissionsMetadata {
+    readonly permissions: readonly string[];
+    readonly options: RequirePermissionsOptions;
+}
+//# sourceMappingURL=permission.types.d.ts.map

package/dist/types/permission.types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission.types.d.ts","sourceRoot":"","sources":["../../src/types/permission.types.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,WAAW,EAAE,SAAS,MAAM,EAAE,CAAC;IACxC,QAAQ,CAAC,KAAK,EAAE,SAAS,QAAQ,EAAE,CAAC;IACpC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,UAAU,EAAE,IAAI,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC;;;;;OAKG;IACH,QAAQ,CAAC,IAAI,CAAC,EAAE,KAAK,GAAG,KAAK,CAAC;IAE9B;;OAEG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAE/B;;;OAGG;IACH,QAAQ,CAAC,sBAAsB,CAAC,EAAE,OAAO,CAAC;CAC3C;AAED;;GAEG;AACH,eAAO,MAAM,wBAAwB,yBAAyB,CAAC;AAE/D;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,WAAW,EAAE,SAAS,MAAM,EAAE,CAAC;IACxC,QAAQ,CAAC,OAAO,EAAE,yBAAyB,CAAC;CAC7C"}

package/dist/types/permission.types.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PERMISSIONS_METADATA_KEY = void 0;
+/**
+ * Metadata key for storing permission requirements
+ */
+exports.PERMISSIONS_METADATA_KEY = 'permissions:required';
+//# sourceMappingURL=permission.types.js.map