@aooth/arbac-core 0.1.7 → 0.1.8

package/dist/index.cjs

@@ -81,37 +81,61 @@ var Arbac = class {
 		return this;
 	}
 	/**
-	* Evaluates whether a given action on a resource is allowed for a user with specified roles.
+	* Evaluates whether a given action on a resource is allowed for a user with
+	* the specified roles, returning the allow decision plus any applicable scopes.
+	*
+	* When `user.attenuate` is supplied (the credential-claims bridge) the policy
+	* is evaluated TWICE and the OUTCOMES are intersected — see the `attenuate`
+	* field for the restrict-only safety guarantee.
 	*
-	* @param {{
-	*   roleIds: string[];
-	*   userId: string;
-	*   resource: string;
-	*   action: string;
-	* }} res The options for the evaluation.
 	* @returns {Promise<TArbacEvalResult<TScope>>} The result of the evaluation, including whether the action is allowed and any applicable scopes.
 	*/
 	async evaluate(res, user) {
 		this.registerResource(res.resource);
-		const roles = user.roles.map((r) => {
+		let resolvedAttrs;
+		const userAttrs = async () => {
+			if (resolvedAttrs === void 0) resolvedAttrs = typeof user.attrs === "function" ? await user.attrs(user.id) : user.attrs;
+			return resolvedAttrs;
+		};
+		const userEval = await this.evaluateForRoles(res, user.roles, userAttrs, user.id);
+		if (!user.attenuate) return userEval;
+		const claimRoles = user.attenuate.roles;
+		const claimAttrs = user.attenuate.attrs;
+		const credRoles = claimRoles ? user.roles.filter((r) => claimRoles.includes(r)) : user.roles;
+		const credAttrs = claimAttrs ? async () => ({
+			...await userAttrs(),
+			...claimAttrs
+		}) : userAttrs;
+		const credEval = await this.evaluateForRoles(res, credRoles, credAttrs, user.id);
+		if (!userEval.allowed || !credEval.allowed) return { allowed: false };
+		return {
+			allowed: true,
+			scopes: userEval.scopes,
+			credScopes: credEval.scopes
+		};
+	}
+	/**
+	* One evaluation pass over a concrete role-id set + attrs resolver. Carries
+	* the deny-wins / allow-union / `{}` universe-sentinel semantics; `evaluate`
+	* runs it once (no attenuation) or twice (ceiling + narrowed credential view).
+	*/
+	async evaluateForRoles(res, roleIds, getAttrs, id) {
+		const roles = roleIds.map((r) => {
 			const role = this.resources[res.resource][r];
 			if (!role && !this.roles[r] && !this.warnedRoles.has(r)) {
 				this.warnedRoles.add(r);
-				console.warn(`Role "${r}" assigned to user "${user.id}" does not exist.`);
+				console.warn(`Role "${r}" assigned to user "${id}" does not exist.`);
 			}
 			return role;
 		}).filter(Boolean);
 		if (roles.length === 0) return { allowed: false };
 		for (const role of roles) for (const rule of role.deny) if (rule._actionRegex.test(res.action)) return { allowed: false };
-		let userAttrs;
 		const scopes = [];
 		let allowed = false;
 		for (const role of roles) for (const rule of role.allow) if (rule._actionRegex.test(res.action)) {
 			allowed = true;
-			if (rule.scope) {
-				if (!userAttrs) userAttrs = typeof user.attrs === "function" ? await user.attrs(user.id) : user.attrs;
-				scopes.push(rule.scope(userAttrs, String(user.id)));
-			} else scopes.push({});
+			if (rule.scope) scopes.push(rule.scope(await getAttrs(), String(id)));
+			else scopes.push({});
 		}
 		return allowed ? {
 			allowed,

package/dist/index.d.cts

@@ -2,6 +2,16 @@
 interface TArbacEvalResult<TScope> {
   allowed: boolean;
   scopes?: TScope[];
+  /**
+   * Present ONLY on an attenuated evaluation (`user.attenuate` was supplied).
+   * The scopes from the credential's narrowed pass, to be CONJOINED with
+   * `scopes` (the full-authority pass) by the scope layer — a row/field is
+   * effective only if BOTH passes admit it. The conjunction is the scope
+   * shape's responsibility (the engine is scope-agnostic), so the two unions
+   * are surfaced separately here rather than pre-combined. Absent on a normal
+   * (non-attenuated) evaluation.
+   */
+  credScopes?: TScope[];
 }
 interface TArbacRole<TUserAttrs, TScope> {
   id: string;
@@ -62,14 +72,13 @@ declare class Arbac<TUserAttrs extends object, TScope extends object> {
    */
   protected evalRoleForResource(roleId: string, resourceId: string): Arbac<TUserAttrs, TScope>;
   /**
-   * Evaluates whether a given action on a resource is allowed for a user with specified roles.
+   * Evaluates whether a given action on a resource is allowed for a user with
+   * the specified roles, returning the allow decision plus any applicable scopes.
+   *
+   * When `user.attenuate` is supplied (the credential-claims bridge) the policy
+   * is evaluated TWICE and the OUTCOMES are intersected — see the `attenuate`
+   * field for the restrict-only safety guarantee.
    *
-   * @param {{
-   *   roleIds: string[];
-   *   userId: string;
-   *   resource: string;
-   *   action: string;
-   * }} res The options for the evaluation.
    * @returns {Promise<TArbacEvalResult<TScope>>} The result of the evaluation, including whether the action is allowed and any applicable scopes.
    */
   evaluate<T extends string | undefined>(res: {
@@ -79,7 +88,36 @@ declare class Arbac<TUserAttrs extends object, TScope extends object> {
     id: T;
     roles: string[];
     attrs: TUserAttrs | ((userId: T) => TUserAttrs | Promise<TUserAttrs>);
+    /**
+     * Opt-in, restrict-only attenuation sourced from the authenticated
+     * credential's claims. When present the policy runs twice — at full
+     * authority (the ceiling) and at the credential's narrowed view — and
+     * the outcomes are intersected: `allowed` is ANDed (so dropping a role
+     * can never drop a matching `deny` and thus can never escalate a denied
+     * action), and the two passes' scope lists are surfaced separately as
+     * `scopes` (ceiling) and `credScopes` (narrowed) for the scope layer to
+     * conjoin. A credential can therefore only ever do/see/affect LESS than
+     * its owning user — escalation-proof even against an untrusted minter.
+     *
+     * `roles: []` → no roles (deny-all, fail-closed). An OMITTED `roles` key
+     * → keep all the user's roles (attrs-only narrowing). A claimed role the
+     * user lacks is dropped by the intersection (fail-closed). Absent
+     * `attenuate` → a single evaluation, byte-for-byte today's behavior.
+     */
+    attenuate?: {
+      roles?: string[];
+      attrs?: Partial<TUserAttrs>;
+    };
   }): Promise<TArbacEvalResult<TScope>>;
+  /**
+   * One evaluation pass over a concrete role-id set + attrs resolver. Carries
+   * the deny-wins / allow-union / `{}` universe-sentinel semantics; `evaluate`
+   * runs it once (no attenuation) or twice (ceiling + narrowed credential view).
+   */
+  protected evaluateForRoles(res: {
+    resource: string;
+    action: string;
+  }, roleIds: string[], getAttrs: () => Promise<TUserAttrs>, id: string | undefined): Promise<TArbacEvalResult<TScope>>;
 }
 //#endregion
 //#region src/utils.d.ts

package/dist/index.d.mts

@@ -2,6 +2,16 @@
 interface TArbacEvalResult<TScope> {
   allowed: boolean;
   scopes?: TScope[];
+  /**
+   * Present ONLY on an attenuated evaluation (`user.attenuate` was supplied).
+   * The scopes from the credential's narrowed pass, to be CONJOINED with
+   * `scopes` (the full-authority pass) by the scope layer — a row/field is
+   * effective only if BOTH passes admit it. The conjunction is the scope
+   * shape's responsibility (the engine is scope-agnostic), so the two unions
+   * are surfaced separately here rather than pre-combined. Absent on a normal
+   * (non-attenuated) evaluation.
+   */
+  credScopes?: TScope[];
 }
 interface TArbacRole<TUserAttrs, TScope> {
   id: string;
@@ -62,14 +72,13 @@ declare class Arbac<TUserAttrs extends object, TScope extends object> {
    */
   protected evalRoleForResource(roleId: string, resourceId: string): Arbac<TUserAttrs, TScope>;
   /**
-   * Evaluates whether a given action on a resource is allowed for a user with specified roles.
+   * Evaluates whether a given action on a resource is allowed for a user with
+   * the specified roles, returning the allow decision plus any applicable scopes.
+   *
+   * When `user.attenuate` is supplied (the credential-claims bridge) the policy
+   * is evaluated TWICE and the OUTCOMES are intersected — see the `attenuate`
+   * field for the restrict-only safety guarantee.
    *
-   * @param {{
-   *   roleIds: string[];
-   *   userId: string;
-   *   resource: string;
-   *   action: string;
-   * }} res The options for the evaluation.
    * @returns {Promise<TArbacEvalResult<TScope>>} The result of the evaluation, including whether the action is allowed and any applicable scopes.
    */
   evaluate<T extends string | undefined>(res: {
@@ -79,7 +88,36 @@ declare class Arbac<TUserAttrs extends object, TScope extends object> {
     id: T;
     roles: string[];
     attrs: TUserAttrs | ((userId: T) => TUserAttrs | Promise<TUserAttrs>);
+    /**
+     * Opt-in, restrict-only attenuation sourced from the authenticated
+     * credential's claims. When present the policy runs twice — at full
+     * authority (the ceiling) and at the credential's narrowed view — and
+     * the outcomes are intersected: `allowed` is ANDed (so dropping a role
+     * can never drop a matching `deny` and thus can never escalate a denied
+     * action), and the two passes' scope lists are surfaced separately as
+     * `scopes` (ceiling) and `credScopes` (narrowed) for the scope layer to
+     * conjoin. A credential can therefore only ever do/see/affect LESS than
+     * its owning user — escalation-proof even against an untrusted minter.
+     *
+     * `roles: []` → no roles (deny-all, fail-closed). An OMITTED `roles` key
+     * → keep all the user's roles (attrs-only narrowing). A claimed role the
+     * user lacks is dropped by the intersection (fail-closed). Absent
+     * `attenuate` → a single evaluation, byte-for-byte today's behavior.
+     */
+    attenuate?: {
+      roles?: string[];
+      attrs?: Partial<TUserAttrs>;
+    };
   }): Promise<TArbacEvalResult<TScope>>;
+  /**
+   * One evaluation pass over a concrete role-id set + attrs resolver. Carries
+   * the deny-wins / allow-union / `{}` universe-sentinel semantics; `evaluate`
+   * runs it once (no attenuation) or twice (ceiling + narrowed credential view).
+   */
+  protected evaluateForRoles(res: {
+    resource: string;
+    action: string;
+  }, roleIds: string[], getAttrs: () => Promise<TUserAttrs>, id: string | undefined): Promise<TArbacEvalResult<TScope>>;
 }
 //#endregion
 //#region src/utils.d.ts

package/dist/index.mjs

@@ -80,37 +80,61 @@ var Arbac = class {
 		return this;
 	}
 	/**
-	* Evaluates whether a given action on a resource is allowed for a user with specified roles.
+	* Evaluates whether a given action on a resource is allowed for a user with
+	* the specified roles, returning the allow decision plus any applicable scopes.
+	*
+	* When `user.attenuate` is supplied (the credential-claims bridge) the policy
+	* is evaluated TWICE and the OUTCOMES are intersected — see the `attenuate`
+	* field for the restrict-only safety guarantee.
 	*
-	* @param {{
-	*   roleIds: string[];
-	*   userId: string;
-	*   resource: string;
-	*   action: string;
-	* }} res The options for the evaluation.
 	* @returns {Promise<TArbacEvalResult<TScope>>} The result of the evaluation, including whether the action is allowed and any applicable scopes.
 	*/
 	async evaluate(res, user) {
 		this.registerResource(res.resource);
-		const roles = user.roles.map((r) => {
+		let resolvedAttrs;
+		const userAttrs = async () => {
+			if (resolvedAttrs === void 0) resolvedAttrs = typeof user.attrs === "function" ? await user.attrs(user.id) : user.attrs;
+			return resolvedAttrs;
+		};
+		const userEval = await this.evaluateForRoles(res, user.roles, userAttrs, user.id);
+		if (!user.attenuate) return userEval;
+		const claimRoles = user.attenuate.roles;
+		const claimAttrs = user.attenuate.attrs;
+		const credRoles = claimRoles ? user.roles.filter((r) => claimRoles.includes(r)) : user.roles;
+		const credAttrs = claimAttrs ? async () => ({
+			...await userAttrs(),
+			...claimAttrs
+		}) : userAttrs;
+		const credEval = await this.evaluateForRoles(res, credRoles, credAttrs, user.id);
+		if (!userEval.allowed || !credEval.allowed) return { allowed: false };
+		return {
+			allowed: true,
+			scopes: userEval.scopes,
+			credScopes: credEval.scopes
+		};
+	}
+	/**
+	* One evaluation pass over a concrete role-id set + attrs resolver. Carries
+	* the deny-wins / allow-union / `{}` universe-sentinel semantics; `evaluate`
+	* runs it once (no attenuation) or twice (ceiling + narrowed credential view).
+	*/
+	async evaluateForRoles(res, roleIds, getAttrs, id) {
+		const roles = roleIds.map((r) => {
 			const role = this.resources[res.resource][r];
 			if (!role && !this.roles[r] && !this.warnedRoles.has(r)) {
 				this.warnedRoles.add(r);
-				console.warn(`Role "${r}" assigned to user "${user.id}" does not exist.`);
+				console.warn(`Role "${r}" assigned to user "${id}" does not exist.`);
 			}
 			return role;
 		}).filter(Boolean);
 		if (roles.length === 0) return { allowed: false };
 		for (const role of roles) for (const rule of role.deny) if (rule._actionRegex.test(res.action)) return { allowed: false };
-		let userAttrs;
 		const scopes = [];
 		let allowed = false;
 		for (const role of roles) for (const rule of role.allow) if (rule._actionRegex.test(res.action)) {
 			allowed = true;
-			if (rule.scope) {
-				if (!userAttrs) userAttrs = typeof user.attrs === "function" ? await user.attrs(user.id) : user.attrs;
-				scopes.push(rule.scope(userAttrs, String(user.id)));
-			} else scopes.push({});
+			if (rule.scope) scopes.push(rule.scope(await getAttrs(), String(id)));
+			else scopes.push({});
 		}
 		return allowed ? {
 			allowed,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aooth/arbac-core",
-  "version": "0.1.7",
+  "version": "0.1.8",
   "description": "Advanced Role-Based Access Control (ARBAC) engine",
   "keywords": [
     "access-control",