@airoom/nextmin-node 0.1.0

package/dist/files/S3FileStorageAdapter.js

@@ -0,0 +1,84 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.S3FileStorageAdapter = void 0;
+const client_s3_1 = require("@aws-sdk/client-s3");
+// Encode per path segment, keep slashes
+function encodeKeySegments(key) {
+    return key.split('/').map(encodeURIComponent).join('/');
+}
+class S3FileStorageAdapter {
+    constructor(opts) {
+        this.name = 's3';
+        this.bucket = opts.bucket;
+        this.regionStr = opts.region; // <- store plain region
+        this.endpoint = opts.endpoint?.replace(/\/+$/, '');
+        this.forcePathStyle = opts.forcePathStyle ?? true; // sane default for MinIO
+        this.defaultACL = opts.defaultACL;
+        this.publicBaseUrl = opts.publicBaseUrl;
+        this.s3 = new client_s3_1.S3Client({
+            region: this.regionStr,
+            endpoint: this.endpoint,
+            forcePathStyle: this.forcePathStyle,
+            credentials: opts.credentials,
+        });
+    }
+    async upload(input) {
+        if (!input.body)
+            throw new Error('S3 upload: "body" is required');
+        const key = input.key ?? this.randomKey();
+        // Build params without ACL by default
+        const params = {
+            Bucket: this.bucket,
+            Key: key,
+            Body: input.body,
+            ContentType: input.contentType,
+            Metadata: input.metadata,
+            CacheControl: input.contentType?.startsWith('image/')
+                ? 'public, max-age=31536000, immutable'
+                : 'public, max-age=86400',
+        };
+        // Only attach ACL for S3-compatible endpoints that require it (e.g., MinIO)
+        // i.e., when you explicitly configured an endpoint AND set defaultACL
+        if (this.endpoint && this.defaultACL) {
+            params.ACL = this.defaultACL;
+        }
+        await this.s3.send(new client_s3_1.PutObjectCommand(params));
+        const url = this.getPublicUrl(key);
+        return {
+            provider: 's3',
+            bucket: this.bucket,
+            key,
+            url,
+            contentType: input.contentType,
+            size: Buffer.isBuffer(input.body) ? input.body.length : undefined,
+            metadata: input.metadata,
+        };
+    }
+    async delete(key) {
+        await this.s3.send(new client_s3_1.DeleteObjectCommand({ Bucket: this.bucket, Key: key }));
+        return { deleted: true };
+    }
+    getPublicUrl(key) {
+        const encKey = encodeKeySegments(key);
+        if (this.publicBaseUrl) {
+            return `${this.publicBaseUrl.replace(/\/+$/, '')}/${encKey}`;
+        }
+        if (this.endpoint) {
+            // MinIO / custom endpoint → path-style
+            return `${this.endpoint}/${this.bucket}/${encKey}`;
+        }
+        // AWS S3 standard
+        return `https://${this.bucket}.s3.${this.regionStr}.amazonaws.com/${encKey}`;
+    }
+    // ---- private helpers ----
+    randomKey() {
+        const ts = new Date();
+        const y = ts.getUTCFullYear();
+        const m = String(ts.getUTCMonth() + 1).padStart(2, '0');
+        const d = String(ts.getUTCDate()).padStart(2, '0');
+        const rand = Math.random().toString(36).slice(2, 10);
+        // You wanted keys like uploads/YYYY/MM/DD/uid.ext (ext is added by router)
+        return `uploads/${y}/${m}/${d}/${rand}`;
+    }
+}
+exports.S3FileStorageAdapter = S3FileStorageAdapter;

package/dist/files/filename.d.ts

@@ -0,0 +1,5 @@
+export declare function sanitizeFilename(name: string): string;
+export declare function withTimestampPrefix(name: string): string;
+export declare function joinKey(...parts: string[]): string;
+export declare function ensureExt(name: string, fallbackExt?: string): string;
+export declare function extFromMime(mime: string): string | undefined;

package/dist/files/filename.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sanitizeFilename = sanitizeFilename;
+exports.withTimestampPrefix = withTimestampPrefix;
+exports.joinKey = joinKey;
+exports.ensureExt = ensureExt;
+exports.extFromMime = extFromMime;
+function sanitizeFilename(name) {
+    const base = name.replace(/[/\\?%*:|"<>]/g, '-').replace(/\s+/g, '-');
+    return base.replace(/-+/g, '-').toLowerCase();
+}
+function withTimestampPrefix(name) {
+    const ts = Date.now();
+    return `${ts}-${name}`;
+}
+function joinKey(...parts) {
+    return parts
+        .filter(Boolean)
+        .map((p) => p.replace(/^\/+|\/+$/g, ''))
+        .join('/');
+}
+function ensureExt(name, fallbackExt) {
+    const hasExt = /\.[A-Za-z0-9]{1,8}$/.test(name);
+    if (hasExt || !fallbackExt)
+        return name;
+    return `${name}.${fallbackExt.replace(/^\./, '')}`;
+}
+function extFromMime(mime) {
+    const map = {
+        'image/jpeg': 'jpg',
+        'image/png': 'png',
+        'image/webp': 'webp',
+        'image/gif': 'gif',
+        'application/pdf': 'pdf',
+        'text/plain': 'txt',
+        'text/csv': 'csv',
+        'video/mp4': 'mp4',
+    };
+    return map[mime];
+}

package/dist/index.d.ts

@@ -0,0 +1,13 @@
+import { APIRouterOptions } from './api/apiRouter';
+export { MongoAdapter } from './database/MongoAdapter';
+export { generateApiKey } from './utils/apiKey';
+export * from './files/FileStorageAdapter';
+export * from './files/S3FileStorageAdapter';
+export * from './files/filename';
+/**
+ * Compose the public router:
+ * - JSON & urlencoded body parsers
+ * - a guarded "body required" check for JSON/urlencoded ONLY
+ * - mounts APIRouter (which includes /files using multer)
+ */
+export declare function createNextMinRouter(options: APIRouterOptions): import("express-serve-static-core").Router;

package/dist/index.js

@@ -0,0 +1,87 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateApiKey = exports.MongoAdapter = void 0;
+exports.createNextMinRouter = createNextMinRouter;
+const express_1 = __importDefault(require("express"));
+const body_parser_1 = __importDefault(require("body-parser"));
+const apiRouter_1 = require("./api/apiRouter");
+var MongoAdapter_1 = require("./database/MongoAdapter");
+Object.defineProperty(exports, "MongoAdapter", { enumerable: true, get: function () { return MongoAdapter_1.MongoAdapter; } });
+var apiKey_1 = require("./utils/apiKey");
+Object.defineProperty(exports, "generateApiKey", { enumerable: true, get: function () { return apiKey_1.generateApiKey; } });
+__exportStar(require("./files/FileStorageAdapter"), exports);
+__exportStar(require("./files/S3FileStorageAdapter"), exports);
+__exportStar(require("./files/filename"), exports);
+function isMultipart(req) {
+    const ct = (req.headers['content-type'] || '').toLowerCase();
+    return ct.startsWith('multipart/form-data');
+}
+function isJson(req) {
+    // req.is is safer if body-parser/express has set it up
+    return (Boolean(req.is?.('application/json')) ||
+        (req.headers['content-type'] || '')
+            .toLowerCase()
+            .startsWith('application/json'));
+}
+function isUrlEncoded(req) {
+    return (Boolean(req.is?.('application/x-www-form-urlencoded')) ||
+        (req.headers['content-type'] || '')
+            .toLowerCase()
+            .startsWith('application/x-www-form-urlencoded'));
+}
+/**
+ * Compose the public router:
+ * - JSON & urlencoded body parsers
+ * - a guarded "body required" check for JSON/urlencoded ONLY
+ * - mounts APIRouter (which includes /files using multer)
+ */
+function createNextMinRouter(options) {
+    const apiRouter = new apiRouter_1.APIRouter(options).getRouter();
+    const router = express_1.default.Router();
+    // ✅ Parse JSON & urlencoded (does NOT parse multipart/form-data)
+    router.use(body_parser_1.default.json({ limit: '2mb' }));
+    router.use(body_parser_1.default.urlencoded({ extended: true }));
+    // ✅ Require body ONLY for JSON / urlencoded requests
+    //    Skip multipart (handled by multer inside APIRouter)
+    router.use((req, res, next) => {
+        // Allow non-mutating methods and preflight
+        if (!['POST', 'PUT', 'PATCH'].includes(req.method))
+            return next();
+        // Never block /files (multer needs to see raw multipart)
+        if (req.path.startsWith('/files') || isMultipart(req))
+            return next();
+        // Enforce body presence only for JSON or urlencoded
+        const mustHaveBody = isJson(req) || isUrlEncoded(req);
+        if (mustHaveBody) {
+            const empty = !req.body ||
+                (typeof req.body === 'object' && Object.keys(req.body).length === 0);
+            if (empty) {
+                return res.status(400).json({
+                    error: true,
+                    message: 'Request body is required for JSON/urlencoded requests.',
+                });
+            }
+        }
+        next();
+    });
+    // ✅ Mount the actual API (includes /files with multer.any())
+    router.use(apiRouter);
+    return router;
+}

package/dist/models/BaseModel.d.ts

@@ -0,0 +1,44 @@
+import { DatabaseAdapter } from '../database/DatabaseAdapter';
+export type SortDir = 1 | -1;
+export type SortSpec = Record<string, SortDir>;
+export type ReadOptions = {
+    sort?: SortSpec;
+    projection?: Record<string, 0 | 1>;
+};
+export interface Attributes {
+    type: string;
+    required?: boolean;
+    default?: any;
+    enum?: any[];
+    ref?: string;
+    select?: string[];
+    private?: boolean;
+    unique?: boolean;
+    sensitive?: boolean;
+    writeOnly?: boolean;
+}
+export interface Schema {
+    modelName: string;
+    attributes: {
+        [key: string]: Attributes;
+    };
+    private?: boolean;
+    allowedMethods: {
+        create?: boolean;
+        read?: boolean;
+        update?: boolean;
+        delete?: boolean;
+    };
+    extends?: string;
+}
+export declare class BaseModel {
+    private schema;
+    private adapter;
+    private collectionName;
+    constructor(schema: Schema, adapter: DatabaseAdapter);
+    create(data: any, includePrivateFields?: boolean): Promise<any>;
+    read(query: any, limit?: number, skip?: number, includePrivateFields?: boolean, options?: ReadOptions): Promise<any[]>;
+    update(id: string, data: any, includePrivateFields?: boolean): Promise<any>;
+    delete(id: string, includePrivateFields?: boolean): Promise<any>;
+    count(query: any, includePrivateFields?: boolean): Promise<number>;
+}

package/dist/models/BaseModel.js

@@ -0,0 +1,31 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BaseModel = void 0;
+class BaseModel {
+    constructor(schema, adapter) {
+        this.schema = schema;
+        this.adapter = adapter;
+        this.collectionName = schema.modelName.toLowerCase();
+    }
+    async create(data, includePrivateFields) {
+        for (const [key, attr] of Object.entries(this.schema.attributes)) {
+            if (data[key] === undefined && attr.default !== undefined) {
+                data[key] = attr.default;
+            }
+        }
+        return await this.adapter.create(this.collectionName, data, this.schema, includePrivateFields);
+    }
+    async read(query, limit, skip, includePrivateFields, options) {
+        return await this.adapter.read(this.collectionName, query, limit, skip, this.schema, includePrivateFields, options);
+    }
+    async update(id, data, includePrivateFields) {
+        return await this.adapter.update(this.collectionName, id, data, this.schema, includePrivateFields);
+    }
+    async delete(id, includePrivateFields) {
+        return await this.adapter.delete(this.collectionName, id, this.schema, includePrivateFields);
+    }
+    async count(query, includePrivateFields) {
+        return await this.adapter.count(this.collectionName, query, this.schema, includePrivateFields);
+    }
+}
+exports.BaseModel = BaseModel;

package/dist/policy/authorize.d.ts

@@ -0,0 +1,25 @@
+export type Action = 'create' | 'read' | 'update' | 'delete';
+export interface PolicyContext {
+    isAuthenticated: boolean;
+    role: string | null;
+    userId: string | null;
+    isSuperadmin: boolean;
+    apiKeyOk: boolean;
+}
+export interface Decision {
+    allow: boolean;
+    readMask?: string[];
+    writeDeny?: string[];
+    createDefaults?: Record<string, any>;
+    restrictions?: Record<string, any>;
+    queryFilter?: Record<string, any>;
+    exposePrivate?: boolean;
+    sensitiveMask?: string[];
+}
+export declare function authorize(modelNameLC: string, action: Action, schemaPolicy: any, ctx: PolicyContext, doc?: any): Decision;
+export declare function applyReadMaskOne(doc: any, mask?: string[]): any;
+export declare function applyReadMaskMany(docs: any[], mask?: string[]): any[];
+export declare function stripWriteDeny(payload: any, deny?: string[]): any;
+export declare function mergeCreateDefaults(payload: any, defs?: Record<string, any>): any;
+export declare function enforceRestrictions(payload: any, restrictions?: Record<string, any>, _ctx?: PolicyContext): void;
+export declare function andFilter(a?: Record<string, any>, b?: Record<string, any>): Record<string, any>;

package/dist/policy/authorize.js

@@ -0,0 +1,305 @@
+"use strict";
+// src/policy/authorize.ts
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authorize = authorize;
+exports.applyReadMaskOne = applyReadMaskOne;
+exports.applyReadMaskMany = applyReadMaskMany;
+exports.stripWriteDeny = stripWriteDeny;
+exports.mergeCreateDefaults = mergeCreateDefaults;
+exports.enforceRestrictions = enforceRestrictions;
+exports.andFilter = andFilter;
+const EMPTY_DECISION = {
+    allow: false,
+    readMask: [],
+    writeDeny: [],
+    createDefaults: {},
+    restrictions: {},
+    queryFilter: {},
+};
+/* ----------------- privacy helpers ----------------- */
+function shouldBypassPrivacy(schemaPolicy, role) {
+    if (!role)
+        return false;
+    const roles = schemaPolicy?.access?.bypassPrivacy?.roles;
+    if (!Array.isArray(roles))
+        return false;
+    return roles
+        .map((r) => String(r).toLowerCase())
+        .includes(String(role).toLowerCase());
+}
+function computeSensitiveMask(schemaPolicy) {
+    const negs = [];
+    for (const [name, attr] of Object.entries(schemaPolicy?.attributes || {})) {
+        if (!Array.isArray(attr) &&
+            (attr.sensitive === true || attr.writeOnly === true)) {
+            negs.push(`-${name}`);
+        }
+    }
+    return negs;
+}
+/* ----------------- general helpers ----------------- */
+function asBool(v) {
+    return typeof v === 'boolean' ? v : undefined;
+}
+function ownerKey(schemaPolicy) {
+    const by = schemaPolicy?.conditions?.owner?.by;
+    return typeof by === 'string' && by.trim() ? by.trim() : 'id';
+}
+function ownerFilter(schemaPolicy, ctx) {
+    const key = ownerKey(schemaPolicy);
+    if (!ctx.userId)
+        return {};
+    return { [key]: ctx.userId };
+}
+function isOwnerDoc(schemaPolicy, ctx, doc) {
+    if (!doc || !ctx.userId)
+        return false;
+    const key = ownerKey(schemaPolicy);
+    const val = doc[key];
+    if (val == null)
+        return false;
+    const candidate = typeof val === 'object' ? (val.id ?? val._id ?? String(val)) : String(val);
+    return String(candidate) === String(ctx.userId);
+}
+/* =================================================== */
+/* =============== MAIN AUTHORIZATION ================= */
+/* =================================================== */
+function authorize(modelNameLC, action, schemaPolicy, ctx, doc) {
+    // 0) action enabled at all?
+    const allowed = !!schemaPolicy?.allowedMethods?.[action];
+    if (!allowed)
+        return { ...EMPTY_DECISION, allow: false };
+    const access = schemaPolicy?.access || {};
+    const baseReadMask = [].concat(access?.readMask || []);
+    const baseWriteDeny = [].concat(access?.writeDeny || []);
+    const restrictionsBase = access?.restrictions || {};
+    const createDefaultsBase = access?.createDefaults || {};
+    const queryFilterBase = access?.queryFilter || {};
+    const bypass = shouldBypassPrivacy(schemaPolicy, ctx.role);
+    const sensitiveMask = computeSensitiveMask(schemaPolicy);
+    const mkMasks = (readMaskIn, writeDenyIn) => {
+        const fullMask = [...(readMaskIn || []), ...sensitiveMask];
+        const effectiveReadMask = bypass ? sensitiveMask : fullMask;
+        const effectiveWriteDeny = bypass ? [] : writeDenyIn || [];
+        return { effectiveReadMask, effectiveWriteDeny };
+    };
+    // 1) no access block → sensible defaults
+    if (!schemaPolicy?.access) {
+        const allowedByDefault = action === 'read' ? true : !!ctx.isAuthenticated;
+        const { effectiveReadMask, effectiveWriteDeny } = mkMasks(baseReadMask, baseWriteDeny);
+        return {
+            allow: allowedByDefault,
+            readMask: effectiveReadMask,
+            writeDeny: effectiveWriteDeny,
+            createDefaults: {},
+            restrictions: {},
+            queryFilter: action === 'read' ? {} : {},
+            exposePrivate: bypass, // will normally be false if no bypassPrivacy set
+            sensitiveMask,
+        };
+    }
+    // 2) PUBLIC
+    const pubRule = access?.public?.[action];
+    const pubBool = asBool(pubRule);
+    if (pubBool === true) {
+        const { effectiveReadMask, effectiveWriteDeny } = mkMasks(baseReadMask, baseWriteDeny);
+        return {
+            allow: true,
+            readMask: effectiveReadMask,
+            writeDeny: effectiveWriteDeny,
+            createDefaults: createDefaultsBase?.public || {},
+            restrictions: restrictionsBase?.public || {},
+            queryFilter: queryFilterBase?.public || {},
+            exposePrivate: bypass, // if caller has a bypass role, they get private fields (still masked by sensitive)
+            sensitiveMask,
+        };
+    }
+    // if false → continue to roles/auth checks
+    // 3) ROLES
+    const roleName = (ctx.role || '').toLowerCase();
+    if (roleName && access?.roles?.[roleName]) {
+        const rule = access.roles[roleName][action];
+        const rBool = asBool(rule);
+        if (rBool === true) {
+            const { effectiveReadMask, effectiveWriteDeny } = mkMasks(baseReadMask, baseWriteDeny);
+            return {
+                allow: true,
+                readMask: effectiveReadMask,
+                writeDeny: effectiveWriteDeny,
+                createDefaults: createDefaultsBase?.roles?.[roleName] || {},
+                restrictions: restrictionsBase?.roles?.[roleName] || {},
+                queryFilter: queryFilterBase?.roles?.[roleName] || {},
+                exposePrivate: bypass,
+                sensitiveMask,
+            };
+        }
+        if (rBool === false) {
+            const { effectiveReadMask, effectiveWriteDeny } = mkMasks(baseReadMask, baseWriteDeny);
+            return {
+                ...EMPTY_DECISION,
+                readMask: effectiveReadMask,
+                writeDeny: effectiveWriteDeny,
+                exposePrivate: false,
+                sensitiveMask,
+            };
+        }
+        // role === 'owner'
+        if (rule === 'owner') {
+            const { effectiveReadMask, effectiveWriteDeny } = mkMasks(baseReadMask, baseWriteDeny);
+            if (action === 'read') {
+                if (doc) {
+                    return {
+                        allow: isOwnerDoc(schemaPolicy, ctx, doc),
+                        readMask: effectiveReadMask,
+                        writeDeny: effectiveWriteDeny,
+                        createDefaults: {},
+                        restrictions: {},
+                        queryFilter: {},
+                        exposePrivate: bypass,
+                        sensitiveMask,
+                    };
+                }
+                return {
+                    allow: true,
+                    readMask: effectiveReadMask,
+                    writeDeny: effectiveWriteDeny,
+                    createDefaults: {},
+                    restrictions: {},
+                    queryFilter: ownerFilter(schemaPolicy, ctx),
+                    exposePrivate: bypass,
+                    sensitiveMask,
+                };
+            }
+            return {
+                allow: isOwnerDoc(schemaPolicy, ctx, doc),
+                readMask: effectiveReadMask,
+                writeDeny: effectiveWriteDeny,
+                createDefaults: {},
+                restrictions: {},
+                queryFilter: {},
+                exposePrivate: bypass,
+                sensitiveMask,
+            };
+        }
+    }
+    // 4) AUTHENTICATED
+    const authRule = access?.authenticated?.[action];
+    const aBool = asBool(authRule);
+    if (aBool === true && ctx.isAuthenticated) {
+        const { effectiveReadMask, effectiveWriteDeny } = mkMasks(baseReadMask, baseWriteDeny);
+        return {
+            allow: true,
+            readMask: effectiveReadMask,
+            writeDeny: effectiveWriteDeny,
+            createDefaults: createDefaultsBase?.authenticated || {},
+            restrictions: restrictionsBase?.authenticated || {},
+            queryFilter: queryFilterBase?.authenticated || {},
+            exposePrivate: bypass,
+            sensitiveMask,
+        };
+    }
+    if (aBool === false && ctx.isAuthenticated) {
+        const { effectiveReadMask, effectiveWriteDeny } = mkMasks(baseReadMask, baseWriteDeny);
+        return {
+            ...EMPTY_DECISION,
+            readMask: effectiveReadMask,
+            writeDeny: effectiveWriteDeny,
+            exposePrivate: false,
+            sensitiveMask,
+        };
+    }
+    if (authRule === 'owner' && ctx.isAuthenticated) {
+        const { effectiveReadMask, effectiveWriteDeny } = mkMasks(baseReadMask, baseWriteDeny);
+        if (action === 'read') {
+            if (doc) {
+                return {
+                    allow: isOwnerDoc(schemaPolicy, ctx, doc),
+                    readMask: effectiveReadMask,
+                    writeDeny: effectiveWriteDeny,
+                    createDefaults: {},
+                    restrictions: {},
+                    queryFilter: {},
+                    exposePrivate: bypass,
+                    sensitiveMask,
+                };
+            }
+            return {
+                allow: true,
+                readMask: effectiveReadMask,
+                writeDeny: effectiveWriteDeny,
+                createDefaults: {},
+                restrictions: {},
+                queryFilter: ownerFilter(schemaPolicy, ctx),
+                exposePrivate: bypass,
+                sensitiveMask,
+            };
+        }
+        return {
+            allow: isOwnerDoc(schemaPolicy, ctx, doc),
+            readMask: effectiveReadMask,
+            writeDeny: effectiveReadMask, // (typo guard: will be ignored by callers; leave as is)
+            createDefaults: {},
+            restrictions: {},
+            queryFilter: {},
+            exposePrivate: bypass,
+            sensitiveMask,
+        };
+    }
+    // 5) default deny
+    const { effectiveReadMask, effectiveWriteDeny } = mkMasks(baseReadMask, baseWriteDeny);
+    return {
+        ...EMPTY_DECISION,
+        readMask: effectiveReadMask,
+        writeDeny: effectiveWriteDeny,
+        exposePrivate: false,
+        sensitiveMask,
+    };
+}
+/* ===== Helpers consumed by the router ===== */
+function applyReadMaskOne(doc, mask) {
+    if (!doc || !mask?.length)
+        return doc;
+    const result = { ...doc };
+    for (const m of mask) {
+        if (typeof m === 'string' && m.startsWith('-')) {
+            delete result[m.slice(1)];
+        }
+    }
+    return result;
+}
+function applyReadMaskMany(docs, mask) {
+    if (!Array.isArray(docs) || !mask?.length)
+        return docs;
+    return docs.map((d) => applyReadMaskOne(d, mask));
+}
+function stripWriteDeny(payload, deny) {
+    if (!deny?.length || !payload)
+        return payload;
+    const out = { ...payload };
+    for (const k of deny)
+        delete out[k];
+    return out;
+}
+function mergeCreateDefaults(payload, defs) {
+    if (!defs || !Object.keys(defs).length)
+        return payload;
+    return { ...defs, ...payload };
+}
+function enforceRestrictions(payload, restrictions, _ctx) {
+    if (!payload || !restrictions)
+        return;
+    for (const [field, blocked] of Object.entries(restrictions)) {
+        if (Array.isArray(blocked) && blocked.includes(payload[field])) {
+            throw new Error(`Restricted value for field: ${field}`);
+        }
+    }
+}
+function andFilter(a, b) {
+    const A = a && Object.keys(a).length ? a : {};
+    const B = b && Object.keys(b).length ? b : {};
+    if (!Object.keys(A).length)
+        return B;
+    if (!Object.keys(B).length)
+        return A;
+    return { $and: [A, B] };
+}

package/dist/policy/conditions.d.ts

@@ -0,0 +1,14 @@
+export declare function buildConditionFilter(condition: string, opts: {
+    by?: string;
+    context: {
+        userId?: string | null;
+        tenantId?: string | null;
+    };
+}): Record<string, any>;
+export declare function checkRecordCondition(condition: string, record: any, opts: {
+    by?: string;
+    context: {
+        userId?: string | null;
+        tenantId?: string | null;
+    };
+}): boolean;