@apart-tech/intelligence-core 1.11.3 → 1.11.5

package/dist/auth/ability.d.ts

@@ -0,0 +1,148 @@
+import { type MongoAbility, type RawRuleOf } from "@casl/ability";
+import type { Principal } from "./principal.js";
+/**
+ * In-process authorization engine for Apart Intelligence (Phase 1b).
+ *
+ * Every permission check in the API service layer goes through
+ * `principal.can(action, subject)` via the `AppAbility` returned by
+ * `buildAbility(principal)`. CASL owns the rule engine; `buildAbility` owns
+ * the per-principal-type rule construction.
+ *
+ * The action/subject vocabulary is intentionally the minimal starter set —
+ * just enough to cover the five existing `requireRole` call sites in
+ * `members.ts` and `invites.ts`, plus the accept-invite flow for users
+ * without memberships. Phase 1e grows the vocabulary per-route as the
+ * broader route-handler sweep lands.
+ *
+ * **No field conditions in Phase 1b rules.** Fine-grained row scoping
+ * (e.g., "this user can only read their own membership") is not expressed
+ * in CASL rules. Tenant isolation at the query level — Prisma's org-id
+ * injection extension — already restricts every DB read to the active
+ * organization, so a `can('read', 'Membership')` check is implicitly
+ * scoped to the caller's org at the data layer. Route handlers that need
+ * self-ID checks (e.g., "this must be the caller's own user row") do them
+ * explicitly. This keeps Phase 1b's authorization surface narrow and the
+ * CASL type wiring simple; Phase 1e can add conditions back via the
+ * `subject()` runtime helper once the per-route refactor reveals the right
+ * shapes.
+ *
+ * **Do not** add an action or a subject to these types without also thinking
+ * through the role rules below. CASL rules that reference an unknown action
+ * or subject become dead code silently, which is the opposite of what
+ * authorization code should do.
+ */
+/**
+ * Canonical action verbs. `manage` is CASL's wildcard matching any action.
+ *
+ * `bypass` was added in Phase 1e as a first-class action so that the
+ * `X-Pii-Bypass` header (Phase 1 Security Review finding M3) can be gated
+ * with the natural phrasing `can('bypass', 'Pii')`. It is granted
+ * implicitly by the `manage` wildcard, which is the correct CASL semantic
+ * and preserves the legacy-api-key-grants-everything invariant without
+ * an explicit rule. See decision `500bfa31` for the full rationale,
+ * including which alternatives were rejected.
+ */
+export type AppAction = "manage" | "create" | "read" | "update" | "delete" | "bypass";
+/**
+ * Canonical subject names. `all` is CASL's wildcard matching any subject.
+ *
+ * Phase 1e added `OrgConfig`, `AgentSchedule`, and `Pii` to close the
+ * Phase 1 Security Review findings H6 (`/api/org/config` authz), H7
+ * (`/api/agent/schedules` authz), and M3 (`X-Pii-Bypass` gating). Any new
+ * subject added here **must also** be added to `CONCRETE_SUBJECTS` below
+ * or `intersect()` will silently drop any rule that targets it.
+ */
+export type AppSubject = "Organization" | "Membership" | "Invite" | "User" | "OrgConfig" | "AgentSchedule" | "Pii" | "Node" | "Search" | "Import" | "Domain" | "Workspace" | "AgentRun" | "OrgAgentConfig" | "OrgEmbedding" | "UserSecret" | "all";
+/** The CASL ability type used everywhere in the API. */
+export type AppAbility = MongoAbility<[AppAction, AppSubject]>;
+/** A CASL raw rule typed for our ability — used when serializing a
+ *  DelegatedAgent's captured ability snapshot. */
+export type AppRawRule = RawRuleOf<AppAbility>;
+/**
+ * Build a CASL `AppAbility` from a `Principal`. Pure function — no I/O, no
+ * DB reads. The principal must be fully constructed by the auth middleware
+ * before this is called; the result can be cached per-request.
+ *
+ * Rule semantics by principal type:
+ *
+ * - **UserPrincipal**: rules derive from the user's `role` on their active
+ *   `organizationId`. `owner` grants `manage all` (including `bypass Pii`
+ *   by wildcard). `admin` grants management of invites and agent schedules
+ *   plus read of org/membership/OrgConfig/Pii. `member` grants read of
+ *   org/membership/OrgConfig/AgentSchedule/Pii. `none` (no active org)
+ *   grants read of self and create of memberships for invite acceptance.
+ *   Scoping to the caller's org happens at the query layer via Prisma
+ *   tenant isolation. Admins and members cannot bypass PII scrubbing —
+ *   the `bypass` action is reserved for `manage`-grade principals only,
+ *   per the Phase 1e decision `500bfa31`.
+ *
+ * - **OrgAgentPrincipal**: if `legacyApiKey` is true (the default for
+ *   pre-Phase-1c API keys), grants `manage all` to match current behavior.
+ *   Once Phase 1c binds keys to real `OrgAgentType` rows, this branch will
+ *   read from `OrgAgentType.intrinsicPolicy` instead — the legacy path stays
+ *   as a fallback until the backfill completes.
+ *
+ * - **DelegatedAgentPrincipal**: rehydrates CASL rules from
+ *   `capturedAbility`. The snapshot was computed at agent spawn time as
+ *   `intersect(userAbility, agentIntrinsicPolicy)` and serialized into
+ *   `AgentRun.capturedAbility` (Phase 1c column). This function is a pure
+ *   deserializer for that snapshot; it does not recompute anything.
+ */
+export declare function buildAbility(principal: Principal): AppAbility;
+/**
+ * Thrown when `intersect()` is asked to combine rule sets whose shape is
+ * outside the starter CASL vocabulary — currently any rule that carries
+ * CASL `conditions` or `fields`. See `intersect` docstring.
+ */
+export declare class UnsupportedIntersectionError extends Error {
+    constructor(reason: string);
+}
+/**
+ * Compute the intersection of two raw CASL rule sets, producing a rule set
+ * that grants access only where BOTH inputs grant access.
+ *
+ * Used at agent spawn time to capture the effective authority of a
+ * `DelegatedAgentPrincipal`: the user's ability at spawn time, intersected
+ * with the agent's intrinsic policy, is the ceiling on what the agent can
+ * do for the life of the run. The result is persisted on
+ * `AgentRun.captured_ability` (the Phase 1c column) and rehydrated by
+ * `buildAbility(DelegatedAgentPrincipal)` on every callback from the
+ * sandbox. See the Phase 1d user story `ed8fcc68` for the full rationale.
+ *
+ * **Semantics.** The intersection is computed by building a CASL ability
+ * from each input and enumerating every concrete `(action, subject)` pair
+ * in the `AppAction × AppSubject` cross product. A rule is emitted for
+ * each pair where both abilities grant access. CASL's `manage` and `all`
+ * wildcards are handled implicitly because `.can("read", "Organization")`
+ * on a `manage all` ability returns true.
+ *
+ * The returned rules are NOT compressed — a full-overlap intersection
+ * yields `CONCRETE_ACTIONS.length × CONCRETE_SUBJECTS.length` concrete
+ * rules (currently 5 × 7 = 35) rather than
+ * `[{action:"manage", subject:"all"}]`. This is semantically equivalent
+ * but more verbose. If audit-log readability ever becomes a concern, a
+ * `compress()` helper can be added as a separate function; for now,
+ * verbosity is the price of simplicity.
+ *
+ * **Phase 1d limitation.** CASL conditions and field scopes are not
+ * supported on either side of the intersection. The current `AppAbility`
+ * vocabulary explicitly does not use them (see the docstring at the top
+ * of this file — "No field conditions in Phase 1b rules"), so this is
+ * the correct shape for the current starter vocabulary. If an input
+ * rule carries `conditions` or `fields`, this function throws
+ * `UnsupportedIntersectionError` rather than silently producing an
+ * over-permissive result. When a future phase grows the CASL vocabulary
+ * to use conditions, this function grows with it.
+ *
+ * **Edge cases.**
+ * - Empty ∩ X → empty (deny by default).
+ * - X ∩ empty → empty.
+ * - Disjoint inputs → empty.
+ * - Full overlap (both sides grant `manage all`) → all concrete rules
+ *   in the cross product (5 × 7 = 35 today), which rehydrates to a
+ *   functionally-manage-all ability.
+ * - One side is `manage all`, the other is a specific rule → the specific
+ *   rule (expanded to concrete (action, subject) form).
+ */
+export declare function intersect(a: AppRawRule[], b: AppRawRule[]): AppRawRule[];
+//# sourceMappingURL=ability.d.ts.map

package/dist/auth/ability.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ability.d.ts","sourceRoot":"","sources":["../../src/auth/ability.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,KAAK,YAAY,EACjB,KAAK,SAAS,EACf,MAAM,eAAe,CAAC;AAEvB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAEhD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH;;;;;;;;;;GAUG;AACH,MAAM,MAAM,SAAS,GACjB,QAAQ,GACR,QAAQ,GACR,MAAM,GACN,QAAQ,GACR,QAAQ,GACR,QAAQ,CAAC;AAEb;;;;;;;;GAQG;AACH,MAAM,MAAM,UAAU,GAClB,cAAc,GACd,YAAY,GACZ,QAAQ,GACR,MAAM,GACN,WAAW,GACX,eAAe,GACf,KAAK,GACL,MAAM,GACN,QAAQ,GACR,QAAQ,GACR,QAAQ,GACR,WAAW,GACX,UAAU,GACV,gBAAgB,GAChB,cAAc,GACd,YAAY,GACZ,KAAK,CAAC;AAEV,wDAAwD;AACxD,MAAM,MAAM,UAAU,GAAG,YAAY,CAAC,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC,CAAC;AAE/D;kDACkD;AAClD,MAAM,MAAM,UAAU,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC;AAE/C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAgB,YAAY,CAAC,SAAS,EAAE,SAAS,GAAG,UAAU,CA6G7D;AA2BD;;;;GAIG;AACH,qBAAa,4BAA6B,SAAQ,KAAK;gBACzC,MAAM,EAAE,MAAM;CAI3B;AAyCD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8CG;AACH,wBAAgB,SAAS,CAAC,CAAC,EAAE,UAAU,EAAE,EAAE,CAAC,EAAE,UAAU,EAAE,GAAG,UAAU,EAAE,CAgBxE"}

package/dist/auth/ability.js

@@ -0,0 +1,285 @@
+import { AbilityBuilder, createMongoAbility, } from "@casl/ability";
+/**
+ * Build a CASL `AppAbility` from a `Principal`. Pure function — no I/O, no
+ * DB reads. The principal must be fully constructed by the auth middleware
+ * before this is called; the result can be cached per-request.
+ *
+ * Rule semantics by principal type:
+ *
+ * - **UserPrincipal**: rules derive from the user's `role` on their active
+ *   `organizationId`. `owner` grants `manage all` (including `bypass Pii`
+ *   by wildcard). `admin` grants management of invites and agent schedules
+ *   plus read of org/membership/OrgConfig/Pii. `member` grants read of
+ *   org/membership/OrgConfig/AgentSchedule/Pii. `none` (no active org)
+ *   grants read of self and create of memberships for invite acceptance.
+ *   Scoping to the caller's org happens at the query layer via Prisma
+ *   tenant isolation. Admins and members cannot bypass PII scrubbing —
+ *   the `bypass` action is reserved for `manage`-grade principals only,
+ *   per the Phase 1e decision `500bfa31`.
+ *
+ * - **OrgAgentPrincipal**: if `legacyApiKey` is true (the default for
+ *   pre-Phase-1c API keys), grants `manage all` to match current behavior.
+ *   Once Phase 1c binds keys to real `OrgAgentType` rows, this branch will
+ *   read from `OrgAgentType.intrinsicPolicy` instead — the legacy path stays
+ *   as a fallback until the backfill completes.
+ *
+ * - **DelegatedAgentPrincipal**: rehydrates CASL rules from
+ *   `capturedAbility`. The snapshot was computed at agent spawn time as
+ *   `intersect(userAbility, agentIntrinsicPolicy)` and serialized into
+ *   `AgentRun.capturedAbility` (Phase 1c column). This function is a pure
+ *   deserializer for that snapshot; it does not recompute anything.
+ */
+export function buildAbility(principal) {
+    const { can, build } = new AbilityBuilder(createMongoAbility);
+    switch (principal.type) {
+        case "user": {
+            switch (principal.role) {
+                case "owner":
+                    // Full access — matches today's `requireRole("owner")` behavior.
+                    can("manage", "all");
+                    break;
+                case "admin":
+                    // Admins manage the invite lifecycle and can read the org and
+                    // members. They cannot touch memberships directly; role changes
+                    // are owner-only. Phase 1e: admins can also manage agent
+                    // schedules (scheduled delegated agents are an operational
+                    // concern admins need to own), and can read org-level config
+                    // surfaces without being able to change them.
+                    // Phase 1b: admins get manage on the full knowledge-graph
+                    // surface (Node, Import, Domain, Workspace, AgentRun) and
+                    // org-level config (OrgAgentConfig, OrgEmbedding). They get
+                    // read on Search (a read-only operation).
+                    can("manage", "Invite");
+                    can("manage", "AgentSchedule");
+                    can("manage", "Node");
+                    can("manage", "Import");
+                    can("manage", "Domain");
+                    can("manage", "Workspace");
+                    can("manage", "AgentRun");
+                    can("manage", "OrgAgentConfig");
+                    can("manage", "OrgEmbedding");
+                    can("manage", "UserSecret");
+                    can("read", "Organization");
+                    can("read", "Membership");
+                    can("read", "OrgConfig");
+                    can("read", "Pii");
+                    can("read", "Search");
+                    break;
+                case "member":
+                    // Members can read their org and memberships and the org-level
+                    // config surfaces (so that the UI can show them). They cannot
+                    // create schedules in Phase 1e — CASL conditions for "own
+                    // schedules" are not in the starter vocabulary, so member-
+                    // created schedules would need handler-level self-ID
+                    // enforcement that this phase does not introduce. Tenant
+                    // isolation at the query layer scopes all reads to the
+                    // active org.
+                    // Phase 1b: members get full manage on Node (graph CRUD is
+                    // the core work) and Workspace, create+read on AgentRun,
+                    // and read on everything else.
+                    can("manage", "Node");
+                    can("manage", "Workspace");
+                    can("manage", "UserSecret");
+                    can("create", "AgentRun");
+                    can("read", "AgentRun");
+                    can("read", "Organization");
+                    can("read", "Membership");
+                    can("read", "OrgConfig");
+                    can("read", "AgentSchedule");
+                    can("read", "Pii");
+                    can("read", "Search");
+                    can("read", "Import");
+                    can("read", "Domain");
+                    can("read", "OrgAgentConfig");
+                    can("read", "OrgEmbedding");
+                    break;
+                case "none":
+                    // No active org: the user is either pre-invite-acceptance or
+                    // holds multiple memberships without choosing one. Allow reading
+                    // their own user record (handler must verify self-ID) and
+                    // creating a membership for the accept-invite flow.
+                    // Phase 1b: UserSecret is self-service and not org-scoped.
+                    can("read", "User");
+                    can("create", "Membership");
+                    can("manage", "UserSecret");
+                    break;
+            }
+            break;
+        }
+        case "org_agent": {
+            if (principal.legacyApiKey) {
+                // Pre-Phase-1c API key: match today's full-org-access behavior so
+                // nothing breaks during the migration. Phase 1c will bind keys to
+                // real OrgAgentType rows with intrinsicPolicy; this branch becomes
+                // the fallback for unbound legacy keys only.
+                can("manage", "all");
+            }
+            else {
+                // Phase 1c reads `OrgAgentType.intrinsicPolicy` here and constructs
+                // rules from it. For Phase 1b there is no such column yet, so the
+                // non-legacy branch is a placeholder with no rules — callers get a
+                // "deny by default" ability if they construct a non-legacy OrgAgent
+                // principal. This is the correct failure mode until 1c lands.
+            }
+            break;
+        }
+        case "delegated_agent": {
+            // Rehydrate from the captured snapshot. We bypass the AbilityBuilder
+            // because the rules are already fully formed; pass them straight to
+            // `createMongoAbility` to get an ability with those exact rules.
+            const rules = normalizeCapturedAbility(principal.capturedAbility);
+            return createMongoAbility(rules);
+        }
+    }
+    return build();
+}
+/**
+ * Coerce a `DelegatedAgentPrincipal.capturedAbility` payload (typed
+ * `unknown` at the principal boundary) into a `RawRuleOf<AppAbility>[]` that
+ * CASL can consume. If the payload is malformed, returns an empty rule set —
+ * which yields a deny-by-default ability. This is intentionally strict:
+ * garbage in means no access, not crash.
+ *
+ * Phase 1d adds the real end-to-end test of the capture-and-rehydrate loop;
+ * for Phase 1b this function just has to round-trip a sensible array and
+ * reject obvious garbage.
+ */
+function normalizeCapturedAbility(captured) {
+    if (!Array.isArray(captured)) {
+        return [];
+    }
+    // We do not re-validate each rule's shape here — CASL itself will throw
+    // at `createMongoAbility` time if a rule is fundamentally malformed, and
+    // in Phase 1b the delegation path is synthetic (tests) or not exercised
+    // (no code mints delegation tokens yet). When Phase 1d wires this for
+    // real, consider adding a Zod schema here.
+    return captured;
+}
+// ── Rule-set intersection (Phase 1d) ────────────────────────────────────────
+/**
+ * Thrown when `intersect()` is asked to combine rule sets whose shape is
+ * outside the starter CASL vocabulary — currently any rule that carries
+ * CASL `conditions` or `fields`. See `intersect` docstring.
+ */
+export class UnsupportedIntersectionError extends Error {
+    constructor(reason) {
+        super(`intersect(): ${reason}`);
+        this.name = "UnsupportedIntersectionError";
+    }
+}
+/**
+ * The non-wildcard subjects we enumerate when computing an intersection.
+ * Keep this in sync with the `AppSubject` type definition above — if a new
+ * concrete subject is added to `AppSubject`, it must be added here too or
+ * the intersection will silently drop any rules that target it.
+ *
+ * The `satisfies` clause gives us a compile error if a listed element is
+ * not a valid `AppSubject`, but it does NOT enforce exhaustiveness. The
+ * comment above is the current guardrail; an exhaustiveness check can be
+ * added later if the vocabulary grows past a handful of subjects.
+ */
+const CONCRETE_SUBJECTS = [
+    "Organization",
+    "Membership",
+    "Invite",
+    "User",
+    "OrgConfig",
+    "AgentSchedule",
+    "Pii",
+    "Node",
+    "Search",
+    "Import",
+    "Domain",
+    "Workspace",
+    "AgentRun",
+    "OrgAgentConfig",
+    "OrgEmbedding",
+    "UserSecret",
+];
+/** The non-wildcard actions. Same sync-with-type-definition caveat as above. */
+const CONCRETE_ACTIONS = [
+    "create",
+    "read",
+    "update",
+    "delete",
+    "bypass",
+];
+/**
+ * Compute the intersection of two raw CASL rule sets, producing a rule set
+ * that grants access only where BOTH inputs grant access.
+ *
+ * Used at agent spawn time to capture the effective authority of a
+ * `DelegatedAgentPrincipal`: the user's ability at spawn time, intersected
+ * with the agent's intrinsic policy, is the ceiling on what the agent can
+ * do for the life of the run. The result is persisted on
+ * `AgentRun.captured_ability` (the Phase 1c column) and rehydrated by
+ * `buildAbility(DelegatedAgentPrincipal)` on every callback from the
+ * sandbox. See the Phase 1d user story `ed8fcc68` for the full rationale.
+ *
+ * **Semantics.** The intersection is computed by building a CASL ability
+ * from each input and enumerating every concrete `(action, subject)` pair
+ * in the `AppAction × AppSubject` cross product. A rule is emitted for
+ * each pair where both abilities grant access. CASL's `manage` and `all`
+ * wildcards are handled implicitly because `.can("read", "Organization")`
+ * on a `manage all` ability returns true.
+ *
+ * The returned rules are NOT compressed — a full-overlap intersection
+ * yields `CONCRETE_ACTIONS.length × CONCRETE_SUBJECTS.length` concrete
+ * rules (currently 5 × 7 = 35) rather than
+ * `[{action:"manage", subject:"all"}]`. This is semantically equivalent
+ * but more verbose. If audit-log readability ever becomes a concern, a
+ * `compress()` helper can be added as a separate function; for now,
+ * verbosity is the price of simplicity.
+ *
+ * **Phase 1d limitation.** CASL conditions and field scopes are not
+ * supported on either side of the intersection. The current `AppAbility`
+ * vocabulary explicitly does not use them (see the docstring at the top
+ * of this file — "No field conditions in Phase 1b rules"), so this is
+ * the correct shape for the current starter vocabulary. If an input
+ * rule carries `conditions` or `fields`, this function throws
+ * `UnsupportedIntersectionError` rather than silently producing an
+ * over-permissive result. When a future phase grows the CASL vocabulary
+ * to use conditions, this function grows with it.
+ *
+ * **Edge cases.**
+ * - Empty ∩ X → empty (deny by default).
+ * - X ∩ empty → empty.
+ * - Disjoint inputs → empty.
+ * - Full overlap (both sides grant `manage all`) → all concrete rules
+ *   in the cross product (5 × 7 = 35 today), which rehydrates to a
+ *   functionally-manage-all ability.
+ * - One side is `manage all`, the other is a specific rule → the specific
+ *   rule (expanded to concrete (action, subject) form).
+ */
+export function intersect(a, b) {
+    assertUnconditional(a, "left");
+    assertUnconditional(b, "right");
+    const abilityA = createMongoAbility(a);
+    const abilityB = createMongoAbility(b);
+    const result = [];
+    for (const subject of CONCRETE_SUBJECTS) {
+        for (const action of CONCRETE_ACTIONS) {
+            if (abilityA.can(action, subject) && abilityB.can(action, subject)) {
+                result.push({ action, subject });
+            }
+        }
+    }
+    return result;
+}
+/**
+ * Walk a rule set and throw if any rule carries `conditions` or `fields`.
+ * The `side` label is threaded into the error message so callers can tell
+ * which argument was the offender.
+ */
+function assertUnconditional(rules, side) {
+    for (let i = 0; i < rules.length; i++) {
+        const rule = rules[i];
+        if (rule.conditions !== undefined) {
+            throw new UnsupportedIntersectionError(`${side}[${i}] has CASL conditions, which the Phase 1d starter vocabulary does not support`);
+        }
+        if (rule.fields !== undefined) {
+            throw new UnsupportedIntersectionError(`${side}[${i}] has CASL field scoping, which the Phase 1d starter vocabulary does not support`);
+        }
+    }
+}
+//# sourceMappingURL=ability.js.map

package/dist/auth/ability.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ability.js","sourceRoot":"","sources":["../../src/auth/ability.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,cAAc,EACd,kBAAkB,GAGnB,MAAM,eAAe,CAAC;AA0FvB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,MAAM,UAAU,YAAY,CAAC,SAAoB;IAC/C,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,IAAI,cAAc,CAAa,kBAAkB,CAAC,CAAC;IAE1E,QAAQ,SAAS,CAAC,IAAI,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,QAAQ,SAAS,CAAC,IAAI,EAAE,CAAC;gBACvB,KAAK,OAAO;oBACV,iEAAiE;oBACjE,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;oBACrB,MAAM;gBAER,KAAK,OAAO;oBACV,8DAA8D;oBAC9D,gEAAgE;oBAChE,yDAAyD;oBACzD,2DAA2D;oBAC3D,6DAA6D;oBAC7D,8CAA8C;oBAC9C,0DAA0D;oBAC1D,0DAA0D;oBAC1D,4DAA4D;oBAC5D,0CAA0C;oBAC1C,GAAG,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;oBACxB,GAAG,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;oBAC/B,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;oBACtB,GAAG,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;oBACxB,GAAG,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;oBACxB,GAAG,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;oBAC3B,GAAG,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;oBAC1B,GAAG,CAAC,QAAQ,EAAE,gBAAgB,CAAC,CAAC;oBAChC,GAAG,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;oBAC9B,GAAG,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;oBAC5B,GAAG,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;oBAC5B,GAAG,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;oBAC1B,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;oBACzB,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;oBACnB,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;oBACtB,MAAM;gBAER,KAAK,QAAQ;oBACX,+DAA+D;oBAC/D,8DAA8D;oBAC9D,0DAA0D;oBAC1D,2DAA2D;oBAC3D,qDAAqD;oBACrD,yDAAyD;oBACzD,uDAAuD;oBACvD,cAAc;oBACd,2DAA2D;oBAC3D,yDAAyD;oBACzD,+BAA+B;oBAC/B,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;oBACtB,GAAG,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;oBAC3B,GAAG,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;oBAC5B,GAAG,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;oBAC1B,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;oBACxB,GAAG,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;oBAC5B,GAAG,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;oBAC1B,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;oBACzB,GAAG,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;oBAC7B,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;oBACnB,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;oBACtB,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;oBACtB,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;oBACtB,GAAG,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;oBAC9B,GAAG,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;oBAC5B,MAAM;gBAER,KAAK,MAAM;oBACT,6DAA6D;oBAC7D,iEAAiE;oBACjE,0DAA0D;oBAC1D,oDAAoD;oBACpD,2DAA2D;oBAC3D,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;oBACpB,GAAG,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;oBAC5B,GAAG,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;oBAC5B,MAAM;YACV,CAAC;YACD,MAAM;QACR,CAAC;QAED,KAAK,WAAW,CAAC,CAAC,CAAC;YACjB,IAAI,SAAS,CAAC,YAAY,EAAE,CAAC;gBAC3B,kEAAkE;gBAClE,kEAAkE;gBAClE,mEAAmE;gBACnE,6CAA6C;gBAC7C,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;YACvB,CAAC;iBAAM,CAAC;gBACN,oEAAoE;gBACpE,kEAAkE;gBAClE,mEAAmE;gBACnE,oEAAoE;gBACpE,8DAA8D;YAChE,CAAC;YACD,MAAM;QACR,CAAC;QAED,KAAK,iBAAiB,CAAC,CAAC,CAAC;YACvB,qEAAqE;YACrE,oEAAoE;YACpE,iEAAiE;YACjE,MAAM,KAAK,GAAG,wBAAwB,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;YAClE,OAAO,kBAAkB,CAAa,KAAK,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;IAED,OAAO,KAAK,EAAE,CAAC;AACjB,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,wBAAwB,CAAC,QAAiB;IACjD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,wEAAwE;IACxE,yEAAyE;IACzE,wEAAwE;IACxE,sEAAsE;IACtE,2CAA2C;IAC3C,OAAO,QAAwB,CAAC;AAClC,CAAC;AAED,+EAA+E;AAE/E;;;;GAIG;AACH,MAAM,OAAO,4BAA6B,SAAQ,KAAK;IACrD,YAAY,MAAc;QACxB,KAAK,CAAC,gBAAgB,MAAM,EAAE,CAAC,CAAC;QAChC,IAAI,CAAC,IAAI,GAAG,8BAA8B,CAAC;IAC7C,CAAC;CACF;AAED;;;;;;;;;;GAUG;AACH,MAAM,iBAAiB,GAAG;IACxB,cAAc;IACd,YAAY;IACZ,QAAQ;IACR,MAAM;IACN,WAAW;IACX,eAAe;IACf,KAAK;IACL,MAAM;IACN,QAAQ;IACR,QAAQ;IACR,QAAQ;IACR,WAAW;IACX,UAAU;IACV,gBAAgB;IAChB,cAAc;IACd,YAAY;CAC4C,CAAC;AAE3D,gFAAgF;AAChF,MAAM,gBAAgB,GAAG;IACvB,QAAQ;IACR,MAAM;IACN,QAAQ;IACR,QAAQ;IACR,QAAQ;CACkD,CAAC;AAE7D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8CG;AACH,MAAM,UAAU,SAAS,CAAC,CAAe,EAAE,CAAe;IACxD,mBAAmB,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IAC/B,mBAAmB,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IAEhC,MAAM,QAAQ,GAAG,kBAAkB,CAAa,CAAC,CAAC,CAAC;IACnD,MAAM,QAAQ,GAAG,kBAAkB,CAAa,CAAC,CAAC,CAAC;IAEnD,MAAM,MAAM,GAAiB,EAAE,CAAC;IAChC,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;QACxC,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;YACtC,IAAI,QAAQ,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,IAAI,QAAQ,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC;gBACnE,MAAM,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,SAAS,mBAAmB,CAAC,KAAmB,EAAE,IAAsB;IACtE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAA+C,CAAC;QACpE,IAAI,IAAI,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;YAClC,MAAM,IAAI,4BAA4B,CACpC,GAAG,IAAI,IAAI,CAAC,+EAA+E,CAC5F,CAAC;QACJ,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC9B,MAAM,IAAI,4BAA4B,CACpC,GAAG,IAAI,IAAI,CAAC,kFAAkF,CAC/F,CAAC;QACJ,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/auth/ability.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=ability.test.d.ts.map

package/dist/auth/ability.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ability.test.d.ts","sourceRoot":"","sources":["../../src/auth/ability.test.ts"],"names":[],"mappings":""}