@astralibx/staff-engine 0.2.0

package/dist/index.mjs

@@ -0,0 +1,1049 @@
+import { z } from 'zod';
+import { AlxError, sendError, noopLogger, sendSuccess } from '@astralibx/core';
+export { sendSuccess } from '@astralibx/core';
+import { PERMISSION_TYPE_VALUES, STAFF_STATUS, STAFF_STATUS_VALUES, STAFF_ROLE_VALUES, PERMISSION_TYPE, STAFF_ROLE, DEFAULT_OPTIONS } from '@astralibx/staff-types';
+export { DEFAULT_OPTIONS } from '@astralibx/staff-types';
+import { Schema } from 'mongoose';
+import jwt2 from 'jsonwebtoken';
+import { Router } from 'express';
+
+// src/index.ts
+function createStaffModel(connection, prefix) {
+  const schema = new Schema(
+    {
+      name: { type: String, required: true, trim: true },
+      email: { type: String, required: true, trim: true, lowercase: true },
+      password: { type: String, required: true, select: false },
+      role: { type: String, enum: STAFF_ROLE_VALUES, default: "staff" },
+      status: { type: String, enum: STAFF_STATUS_VALUES, default: STAFF_STATUS.Pending },
+      permissions: { type: [String], default: [] },
+      externalUserId: { type: String, sparse: true },
+      lastLoginAt: { type: Date },
+      lastLoginIp: { type: String },
+      metadata: { type: Schema.Types.Mixed },
+      tenantId: { type: String, sparse: true }
+    },
+    { timestamps: true }
+  );
+  schema.index({ email: 1, tenantId: 1 }, { unique: true });
+  schema.index({ status: 1 });
+  schema.index({ role: 1 });
+  const collectionName = prefix ? `${prefix}_staff` : "staff";
+  return connection.model("Staff", schema, collectionName);
+}
+var permissionEntrySchema = new Schema(
+  {
+    key: { type: String, required: true },
+    label: { type: String, required: true },
+    type: { type: String, enum: PERMISSION_TYPE_VALUES, required: true }
+  },
+  { _id: false }
+);
+function createPermissionGroupModel(connection, prefix) {
+  const schema = new Schema(
+    {
+      groupId: { type: String, required: true },
+      label: { type: String, required: true, trim: true },
+      permissions: { type: [permissionEntrySchema], default: [] },
+      sortOrder: { type: Number, default: 0 },
+      tenantId: { type: String, index: true, sparse: true }
+    },
+    { timestamps: true }
+  );
+  schema.index({ groupId: 1, tenantId: 1 }, { unique: true });
+  schema.index({ sortOrder: 1 });
+  const collectionName = prefix ? `${prefix}_permission_groups` : "permission_groups";
+  return connection.model("PermissionGroup", schema, collectionName);
+}
+
+// src/services/rate-limiter.service.ts
+var RateLimiterService = class {
+  constructor(windowMs, maxAttempts, redis, keyPrefix, logger) {
+    this.windowMs = windowMs;
+    this.maxAttempts = maxAttempts;
+    this.redis = redis;
+    this.keyPrefix = keyPrefix;
+    this.logger = logger;
+  }
+  memoryStore = /* @__PURE__ */ new Map();
+  async checkLimit(key) {
+    if (this.redis) {
+      return this.checkLimitRedis(key);
+    }
+    return this.checkLimitMemory(key);
+  }
+  async recordAttempt(key) {
+    if (this.redis) {
+      return this.recordAttemptRedis(key);
+    }
+    this.recordAttemptMemory(key);
+  }
+  async reset(key) {
+    if (this.redis) {
+      await this.redis.del(`${this.keyPrefix}rate:${key}`);
+      return;
+    }
+    this.memoryStore.delete(key);
+  }
+  checkLimitMemory(key) {
+    const entry = this.memoryStore.get(key);
+    if (!entry || Date.now() > entry.expiresAt) {
+      return { allowed: true, remaining: this.maxAttempts };
+    }
+    if (entry.count >= this.maxAttempts) {
+      return { allowed: false, remaining: 0, retryAfterMs: entry.expiresAt - Date.now() };
+    }
+    return { allowed: true, remaining: this.maxAttempts - entry.count };
+  }
+  recordAttemptMemory(key) {
+    const entry = this.memoryStore.get(key);
+    if (!entry || Date.now() > entry.expiresAt) {
+      this.memoryStore.set(key, { count: 1, expiresAt: Date.now() + this.windowMs });
+    } else {
+      entry.count++;
+    }
+  }
+  async checkLimitRedis(key) {
+    const redisKey = `${this.keyPrefix}rate:${key}`;
+    const redis = this.redis;
+    const count = await redis.get(redisKey);
+    const current = count ? parseInt(count, 10) : 0;
+    if (current >= this.maxAttempts) {
+      const ttl = await redis.pttl(redisKey);
+      return { allowed: false, remaining: 0, retryAfterMs: ttl > 0 ? ttl : this.windowMs };
+    }
+    return { allowed: true, remaining: this.maxAttempts - current };
+  }
+  async recordAttemptRedis(key) {
+    const redisKey = `${this.keyPrefix}rate:${key}`;
+    const redis = this.redis;
+    const count = await redis.incr(redisKey);
+    if (count === 1) {
+      await redis.pexpire(redisKey, this.windowMs);
+    }
+  }
+};
+
+// src/services/permission-cache.service.ts
+var PermissionCacheService = class {
+  constructor(StaffModel, ttlMs, redis, keyPrefix, logger, tenantId) {
+    this.StaffModel = StaffModel;
+    this.ttlMs = ttlMs;
+    this.redis = redis;
+    this.keyPrefix = keyPrefix;
+    this.logger = logger;
+    this.tenantId = tenantId;
+  }
+  memoryCache = /* @__PURE__ */ new Map();
+  async get(staffId) {
+    if (this.redis) {
+      return this.getRedis(staffId);
+    }
+    return this.getMemory(staffId);
+  }
+  async invalidate(staffId) {
+    if (this.redis) {
+      await this.redis.del(`${this.keyPrefix}perms:${staffId}`);
+      return;
+    }
+    this.memoryCache.delete(staffId);
+  }
+  async invalidateAll() {
+    if (this.redis) {
+      const redis = this.redis;
+      const keys = await redis.keys(`${this.keyPrefix}perms:*`);
+      if (keys.length > 0) {
+        await redis.del(...keys);
+      }
+      return;
+    }
+    this.memoryCache.clear();
+  }
+  async getMemory(staffId) {
+    const cached = this.memoryCache.get(staffId);
+    if (cached && Date.now() < cached.expiresAt) {
+      return cached.permissions;
+    }
+    const permissions = await this.fetchFromDb(staffId);
+    this.memoryCache.set(staffId, { permissions, expiresAt: Date.now() + this.ttlMs });
+    return permissions;
+  }
+  async getRedis(staffId) {
+    const redisKey = `${this.keyPrefix}perms:${staffId}`;
+    const redis = this.redis;
+    const cached = await redis.get(redisKey);
+    if (cached) {
+      return JSON.parse(cached);
+    }
+    const permissions = await this.fetchFromDb(staffId);
+    await redis.set(redisKey, JSON.stringify(permissions), "PX", this.ttlMs);
+    return permissions;
+  }
+  async fetchFromDb(staffId) {
+    const filter = { _id: staffId };
+    if (this.tenantId) filter.tenantId = this.tenantId;
+    const staff = await this.StaffModel.findOne(filter).select("permissions").lean();
+    return staff?.permissions ?? [];
+  }
+};
+
+// src/constants/index.ts
+var ERROR_CODE = {
+  // Auth
+  InvalidCredentials: "STAFF_INVALID_CREDENTIALS",
+  AccountInactive: "STAFF_ACCOUNT_INACTIVE",
+  AccountPending: "STAFF_ACCOUNT_PENDING",
+  RateLimited: "STAFF_RATE_LIMITED",
+  TokenExpired: "STAFF_TOKEN_EXPIRED",
+  TokenInvalid: "STAFF_TOKEN_INVALID",
+  InsufficientPermissions: "STAFF_INSUFFICIENT_PERMISSIONS",
+  OwnerOnly: "STAFF_OWNER_ONLY",
+  // CRUD
+  StaffNotFound: "STAFF_NOT_FOUND",
+  EmailExists: "STAFF_EMAIL_EXISTS",
+  SetupAlreadyComplete: "STAFF_SETUP_ALREADY_COMPLETE",
+  LastOwnerGuard: "STAFF_LAST_OWNER_GUARD",
+  InvalidPermissions: "STAFF_INVALID_PERMISSIONS",
+  // Permission Groups
+  GroupNotFound: "STAFF_GROUP_NOT_FOUND",
+  GroupIdExists: "STAFF_GROUP_ID_EXISTS",
+  // Config
+  InvalidConfig: "STAFF_INVALID_CONFIG"
+};
+var ERROR_MESSAGE = {
+  InvalidCredentials: "Invalid email or password",
+  AccountInactive: "Account is deactivated",
+  AccountPending: "Account is pending activation",
+  RateLimited: "Too many login attempts. Please try again later.",
+  TokenExpired: "Token has expired",
+  TokenInvalid: "Invalid token",
+  InsufficientPermissions: "Insufficient permissions",
+  OwnerOnly: "This action requires owner privileges",
+  StaffNotFound: "Staff member not found",
+  EmailExists: "A staff member with this email already exists",
+  SetupAlreadyComplete: "Initial setup has already been completed",
+  LastOwnerGuard: "Cannot deactivate the last active owner",
+  InvalidPermissions: "Edit permissions require corresponding view permissions",
+  GroupNotFound: "Permission group not found",
+  GroupIdExists: "A permission group with this ID already exists",
+  InvalidConfig: "Invalid engine configuration"
+};
+var DEFAULTS = {
+  ListPageSize: 20,
+  MaxListPageSize: 100,
+  PermissionCacheTtlMs: 5 * 60 * 1e3
+};
+var DEFAULT_AUTH = {
+  staffTokenExpiry: "24h",
+  ownerTokenExpiry: "30d",
+  permissionCacheTtlMs: 5 * 60 * 1e3
+};
+
+// src/errors/index.ts
+var AlxStaffError = class extends AlxError {
+  constructor(message, code, context) {
+    super(message, code);
+    this.context = context;
+    this.name = "AlxStaffError";
+  }
+};
+var AuthenticationError = class extends AlxStaffError {
+  constructor(code = ERROR_CODE.InvalidCredentials, message) {
+    super(message || ERROR_MESSAGE.InvalidCredentials, code);
+    this.name = "AuthenticationError";
+  }
+};
+var AuthorizationError = class extends AlxStaffError {
+  constructor(code = ERROR_CODE.InsufficientPermissions, message) {
+    super(message || ERROR_MESSAGE.InsufficientPermissions, code);
+    this.name = "AuthorizationError";
+  }
+};
+var RateLimitError = class extends AlxStaffError {
+  constructor(retryAfterMs) {
+    super(ERROR_MESSAGE.RateLimited, ERROR_CODE.RateLimited, { retryAfterMs });
+    this.retryAfterMs = retryAfterMs;
+    this.name = "RateLimitError";
+  }
+};
+var TokenError = class extends AlxStaffError {
+  constructor(code = ERROR_CODE.TokenInvalid, message) {
+    super(message || ERROR_MESSAGE.TokenInvalid, code);
+    this.name = "TokenError";
+  }
+};
+var StaffNotFoundError = class extends AlxStaffError {
+  constructor(staffId) {
+    super(ERROR_MESSAGE.StaffNotFound, ERROR_CODE.StaffNotFound, { staffId });
+    this.staffId = staffId;
+    this.name = "StaffNotFoundError";
+  }
+};
+var DuplicateError = class extends AlxStaffError {
+  constructor(code, message, context) {
+    super(message, code, context);
+    this.name = "DuplicateError";
+  }
+};
+var SetupError = class extends AlxStaffError {
+  constructor() {
+    super(ERROR_MESSAGE.SetupAlreadyComplete, ERROR_CODE.SetupAlreadyComplete);
+    this.name = "SetupError";
+  }
+};
+var LastOwnerError = class extends AlxStaffError {
+  constructor(staffId) {
+    super(ERROR_MESSAGE.LastOwnerGuard, ERROR_CODE.LastOwnerGuard, { staffId });
+    this.staffId = staffId;
+    this.name = "LastOwnerError";
+  }
+};
+var InvalidPermissionError = class extends AlxStaffError {
+  constructor(missingViewKeys) {
+    super(ERROR_MESSAGE.InvalidPermissions, ERROR_CODE.InvalidPermissions, { missingViewKeys });
+    this.missingViewKeys = missingViewKeys;
+    this.name = "InvalidPermissionError";
+  }
+};
+var GroupNotFoundError = class extends AlxStaffError {
+  constructor(groupId) {
+    super(ERROR_MESSAGE.GroupNotFound, ERROR_CODE.GroupNotFound, { groupId });
+    this.groupId = groupId;
+    this.name = "GroupNotFoundError";
+  }
+};
+var InvalidConfigError = class extends AlxStaffError {
+  constructor(field, reason) {
+    super(`Invalid config for "${field}": ${reason}`, ERROR_CODE.InvalidConfig, { field, reason });
+    this.field = field;
+    this.reason = reason;
+    this.name = "InvalidConfigError";
+  }
+};
+
+// src/services/permission.service.ts
+var PermissionService = class {
+  constructor(PermissionGroup, permissionCache, logger, tenantId) {
+    this.PermissionGroup = PermissionGroup;
+    this.permissionCache = permissionCache;
+    this.logger = logger;
+    this.tenantId = tenantId;
+  }
+  get tenantFilter() {
+    return this.tenantId ? { tenantId: this.tenantId } : {};
+  }
+  async listGroups() {
+    return this.PermissionGroup.find(this.tenantFilter).sort({ sortOrder: 1 }).lean();
+  }
+  async createGroup(data) {
+    const existing = await this.PermissionGroup.findOne({
+      groupId: data.groupId,
+      ...this.tenantFilter
+    });
+    if (existing) {
+      throw new DuplicateError(
+        ERROR_CODE.GroupIdExists,
+        ERROR_MESSAGE.GroupIdExists,
+        { groupId: data.groupId }
+      );
+    }
+    const group = await this.PermissionGroup.create({
+      ...data,
+      sortOrder: data.sortOrder ?? 0,
+      ...this.tenantFilter
+    });
+    this.logger.info("Permission group created", { groupId: data.groupId });
+    return group.toObject();
+  }
+  async updateGroup(groupId, data) {
+    const group = await this.PermissionGroup.findOneAndUpdate(
+      { groupId, ...this.tenantFilter },
+      { $set: data },
+      { new: true }
+    ).lean();
+    if (!group) {
+      throw new GroupNotFoundError(groupId);
+    }
+    await this.permissionCache.invalidateAll();
+    this.logger.info("Permission group updated", { groupId, fields: Object.keys(data) });
+    return group;
+  }
+  async deleteGroup(groupId) {
+    const result = await this.PermissionGroup.deleteOne({ groupId, ...this.tenantFilter });
+    if (result.deletedCount === 0) {
+      throw new GroupNotFoundError(groupId);
+    }
+    await this.permissionCache.invalidateAll();
+    this.logger.info("Permission group deleted", { groupId });
+  }
+  async getAllPermissionKeys() {
+    const groups = await this.listGroups();
+    return groups.flatMap((g) => g.permissions.map((p) => p.key));
+  }
+};
+function validatePermissionPairs(permissions, allGroups) {
+  const allEntries = allGroups.flatMap((g) => g.permissions);
+  const editKeys = allEntries.filter((e) => e.type === PERMISSION_TYPE.Edit).map((e) => e.key);
+  const permissionSet = new Set(permissions);
+  const missingViewKeys = [];
+  for (const editKey of editKeys) {
+    if (!permissionSet.has(editKey)) continue;
+    const prefix = editKey.substring(0, editKey.lastIndexOf(":"));
+    const viewKey = `${prefix}:view`;
+    const viewEntry = allEntries.find((e) => e.key === viewKey && e.type === PERMISSION_TYPE.View);
+    if (viewEntry && !permissionSet.has(viewKey)) {
+      missingViewKeys.push(viewKey);
+    }
+  }
+  if (missingViewKeys.length > 0) {
+    throw new InvalidPermissionError(missingViewKeys);
+  }
+}
+
+// src/services/staff.service.ts
+var StaffService = class {
+  Staff;
+  PermissionGroup;
+  adapters;
+  hooks;
+  permissionCache;
+  rateLimiter;
+  logger;
+  tenantId;
+  jwtSecret;
+  staffTokenExpiry;
+  ownerTokenExpiry;
+  requireEmailUniqueness;
+  allowSelfPasswordChange;
+  constructor(deps) {
+    this.Staff = deps.Staff;
+    this.PermissionGroup = deps.PermissionGroup;
+    this.adapters = deps.adapters;
+    this.hooks = deps.hooks;
+    this.permissionCache = deps.permissionCache;
+    this.rateLimiter = deps.rateLimiter;
+    this.logger = deps.logger;
+    this.tenantId = deps.tenantId;
+    this.jwtSecret = deps.jwtSecret;
+    this.staffTokenExpiry = deps.staffTokenExpiry;
+    this.ownerTokenExpiry = deps.ownerTokenExpiry;
+    this.requireEmailUniqueness = deps.requireEmailUniqueness;
+    this.allowSelfPasswordChange = deps.allowSelfPasswordChange;
+  }
+  get tenantFilter() {
+    return this.tenantId ? { tenantId: this.tenantId } : {};
+  }
+  generateToken(staffId, role) {
+    const expiresIn = role === STAFF_ROLE.Owner ? this.ownerTokenExpiry : this.staffTokenExpiry;
+    return jwt2.sign({ staffId, role }, this.jwtSecret, { expiresIn });
+  }
+  async setupOwner(data) {
+    const count = await this.Staff.countDocuments(this.tenantFilter);
+    if (count > 0) throw new SetupError();
+    const hashedPassword = await this.adapters.hashPassword(data.password);
+    let staff;
+    try {
+      const doc = await this.Staff.create({
+        name: data.name,
+        email: data.email.toLowerCase().trim(),
+        password: hashedPassword,
+        role: STAFF_ROLE.Owner,
+        status: STAFF_STATUS.Active,
+        permissions: [],
+        ...this.tenantFilter
+      });
+      staff = doc.toObject();
+    } catch (err) {
+      if (err && typeof err === "object" && "code" in err && err.code === 11e3) {
+        throw new SetupError();
+      }
+      throw err;
+    }
+    const token = this.generateToken(staff._id.toString(), STAFF_ROLE.Owner);
+    this.logger.info("Owner setup complete", { staffId: staff._id.toString() });
+    this.hooks.onStaffCreated?.(staff);
+    this.hooks.onMetric?.({ name: "staff_setup_complete", value: 1 });
+    return { staff, token };
+  }
+  async login(email, password, ip) {
+    if (ip) {
+      const limit = await this.rateLimiter.checkLimit(ip);
+      if (!limit.allowed) {
+        this.hooks.onLoginFailed?.(email, ip);
+        throw new RateLimitError(limit.retryAfterMs);
+      }
+    }
+    const staff = await this.Staff.findOne({
+      email: email.toLowerCase().trim(),
+      ...this.tenantFilter
+    }).select("+password");
+    if (!staff) {
+      if (ip) await this.rateLimiter.recordAttempt(ip);
+      this.hooks.onLoginFailed?.(email, ip);
+      throw new AuthenticationError(ERROR_CODE.InvalidCredentials);
+    }
+    const valid = await this.adapters.comparePassword(password, staff.password);
+    if (!valid) {
+      if (ip) await this.rateLimiter.recordAttempt(ip);
+      this.hooks.onLoginFailed?.(email, ip);
+      throw new AuthenticationError(ERROR_CODE.InvalidCredentials);
+    }
+    if (staff.status === STAFF_STATUS.Inactive) {
+      throw new AuthenticationError(ERROR_CODE.AccountInactive, ERROR_MESSAGE.AccountInactive);
+    }
+    if (staff.status === STAFF_STATUS.Pending) {
+      throw new AuthenticationError(ERROR_CODE.AccountPending, ERROR_MESSAGE.AccountPending);
+    }
+    staff.lastLoginAt = /* @__PURE__ */ new Date();
+    if (ip) staff.lastLoginIp = ip;
+    await staff.save();
+    if (ip) await this.rateLimiter.reset(ip);
+    const token = this.generateToken(staff._id.toString(), staff.role);
+    this.hooks.onLogin?.(staff.toObject(), ip);
+    this.hooks.onMetric?.({ name: "staff_login", value: 1, labels: { role: staff.role } });
+    this.logger.info("Staff login", { staffId: staff._id.toString() });
+    const staffObj = staff.toObject();
+    delete staffObj.password;
+    return { staff: staffObj, token };
+  }
+  async create(data) {
+    if (this.requireEmailUniqueness) {
+      const existing = await this.Staff.findOne({
+        email: data.email.toLowerCase().trim(),
+        ...this.tenantFilter
+      });
+      if (existing) {
+        throw new DuplicateError(ERROR_CODE.EmailExists, ERROR_MESSAGE.EmailExists, { email: data.email });
+      }
+    }
+    const hashedPassword = await this.adapters.hashPassword(data.password);
+    const staff = await this.Staff.create({
+      ...data,
+      email: data.email.toLowerCase().trim(),
+      password: hashedPassword,
+      role: data.role ?? STAFF_ROLE.Staff,
+      status: data.status ?? STAFF_STATUS.Pending,
+      permissions: data.permissions ?? [],
+      ...this.tenantFilter
+    });
+    this.logger.info("Staff created", { staffId: staff._id.toString() });
+    this.hooks.onStaffCreated?.(staff.toObject());
+    return staff.toObject();
+  }
+  async list(filters = {}) {
+    const page = Math.max(1, filters.page ?? 1);
+    const limit = Math.min(filters.limit ?? DEFAULTS.ListPageSize, DEFAULTS.MaxListPageSize);
+    const query = { ...this.tenantFilter };
+    if (filters.status) query.status = filters.status;
+    if (filters.role) query.role = filters.role;
+    const [data, total] = await Promise.all([
+      this.Staff.find(query).sort({ createdAt: -1 }).skip((page - 1) * limit).limit(limit).lean(),
+      this.Staff.countDocuments(query)
+    ]);
+    return {
+      data,
+      pagination: { page, limit, total, totalPages: Math.ceil(total / limit) }
+    };
+  }
+  async getById(staffId) {
+    const staff = await this.Staff.findOne({ _id: staffId, ...this.tenantFilter }).lean();
+    if (!staff) throw new StaffNotFoundError(staffId);
+    return staff;
+  }
+  async update(staffId, data) {
+    const updateData = {};
+    if (data.name !== void 0) updateData.name = data.name;
+    if (data.email !== void 0) updateData.email = data.email.toLowerCase().trim();
+    if (data.metadata !== void 0) updateData.metadata = data.metadata;
+    if (data.email && this.requireEmailUniqueness) {
+      const existing = await this.Staff.findOne({
+        email: data.email.toLowerCase().trim(),
+        _id: { $ne: staffId },
+        ...this.tenantFilter
+      });
+      if (existing) {
+        throw new DuplicateError(ERROR_CODE.EmailExists, ERROR_MESSAGE.EmailExists, { email: data.email });
+      }
+    }
+    const staff = await this.Staff.findOneAndUpdate(
+      { _id: staffId, ...this.tenantFilter },
+      { $set: updateData },
+      { new: true }
+    ).lean();
+    if (!staff) throw new StaffNotFoundError(staffId);
+    this.logger.info("Staff updated", { staffId, fields: Object.keys(updateData) });
+    return staff;
+  }
+  async updatePermissions(staffId, permissions) {
+    const groups = await this.PermissionGroup.find(this.tenantFilter).lean();
+    validatePermissionPairs(permissions, groups);
+    const staff = await this.Staff.findOne({ _id: staffId, ...this.tenantFilter });
+    if (!staff) throw new StaffNotFoundError(staffId);
+    const oldPerms = [...staff.permissions];
+    staff.permissions = permissions;
+    await staff.save();
+    await this.permissionCache.invalidate(staffId);
+    this.hooks.onPermissionsChanged?.(staffId, oldPerms, permissions);
+    this.logger.info("Staff permissions updated", { staffId, count: permissions.length });
+    return staff.toObject();
+  }
+  async updateStatus(staffId, status) {
+    const staff = await this.Staff.findOne({ _id: staffId, ...this.tenantFilter });
+    if (!staff) throw new StaffNotFoundError(staffId);
+    if (status === STAFF_STATUS.Inactive && staff.role === STAFF_ROLE.Owner) {
+      const activeOwnerCount = await this.Staff.countDocuments({
+        role: STAFF_ROLE.Owner,
+        status: STAFF_STATUS.Active,
+        ...this.tenantFilter
+      });
+      if (activeOwnerCount <= 1) throw new LastOwnerError(staffId);
+    }
+    const oldStatus = staff.status;
+    staff.status = status;
+    await staff.save();
+    await this.permissionCache.invalidate(staffId);
+    this.hooks.onStatusChanged?.(staffId, oldStatus, status);
+    this.logger.info("Staff status updated", { staffId, oldStatus, newStatus: status });
+    return staff.toObject();
+  }
+  async resetPassword(staffId, newPassword) {
+    const staff = await this.Staff.findOne({ _id: staffId, ...this.tenantFilter });
+    if (!staff) throw new StaffNotFoundError(staffId);
+    staff.password = await this.adapters.hashPassword(newPassword);
+    await staff.save();
+    this.logger.info("Staff password reset", { staffId });
+  }
+  async changeOwnPassword(staffId, oldPassword, newPassword) {
+    if (!this.allowSelfPasswordChange) {
+      throw new AuthenticationError(ERROR_CODE.InsufficientPermissions, "Self password change is disabled");
+    }
+    const staff = await this.Staff.findOne({ _id: staffId, ...this.tenantFilter }).select("+password");
+    if (!staff) throw new StaffNotFoundError(staffId);
+    const valid = await this.adapters.comparePassword(oldPassword, staff.password);
+    if (!valid) throw new AuthenticationError(ERROR_CODE.InvalidCredentials, "Current password is incorrect");
+    staff.password = await this.adapters.hashPassword(newPassword);
+    await staff.save();
+    this.logger.info("Staff changed own password", { staffId });
+  }
+};
+function createAuthMiddleware(jwtSecret, permissionCache, StaffModel, logger, tenantId) {
+  async function resolveStaffFromToken(token) {
+    try {
+      const payload = jwt2.verify(token, jwtSecret);
+      if (!payload.staffId || !payload.role) return null;
+      const filter = { _id: payload.staffId };
+      if (tenantId) filter.tenantId = tenantId;
+      const staff = await StaffModel.findOne(filter).select("status role").lean();
+      if (!staff) return null;
+      if (staff.status !== STAFF_STATUS.Active) return null;
+      const permissions = await permissionCache.get(payload.staffId);
+      return { staffId: payload.staffId, role: staff.role, permissions };
+    } catch {
+      return null;
+    }
+  }
+  const verifyToken = async (req, res, next) => {
+    const authHeader = req.headers.authorization;
+    if (!authHeader?.startsWith("Bearer ")) {
+      res.status(401).json({ success: false, error: ERROR_MESSAGE.TokenInvalid, code: ERROR_CODE.TokenInvalid });
+      return;
+    }
+    const token = authHeader.slice(7);
+    try {
+      jwt2.verify(token, jwtSecret);
+    } catch (err) {
+      if (err instanceof jwt2.TokenExpiredError) {
+        res.status(401).json({ success: false, error: ERROR_MESSAGE.TokenExpired, code: ERROR_CODE.TokenExpired });
+        return;
+      }
+      res.status(401).json({ success: false, error: ERROR_MESSAGE.TokenInvalid, code: ERROR_CODE.TokenInvalid });
+      return;
+    }
+    const user = await resolveStaffFromToken(token);
+    if (!user) {
+      res.status(401).json({ success: false, error: ERROR_MESSAGE.TokenInvalid, code: ERROR_CODE.TokenInvalid });
+      return;
+    }
+    req.user = user;
+    next();
+  };
+  function requirePermission(...keys) {
+    return (req, res, next) => {
+      const user = req.user;
+      if (!user) {
+        res.status(401).json({ success: false, error: ERROR_MESSAGE.TokenInvalid, code: ERROR_CODE.TokenInvalid });
+        return;
+      }
+      if (user.role === STAFF_ROLE.Owner) {
+        next();
+        return;
+      }
+      const permSet = new Set(user.permissions);
+      const missing = [];
+      for (const key of keys) {
+        if (!permSet.has(key)) {
+          missing.push(key);
+          continue;
+        }
+        if (key.endsWith(":edit")) {
+          const prefix = key.substring(0, key.lastIndexOf(":"));
+          const viewKey = `${prefix}:view`;
+          if (!permSet.has(viewKey)) {
+            missing.push(viewKey);
+          }
+        }
+      }
+      if (missing.length > 0) {
+        res.status(403).json({
+          success: false,
+          error: ERROR_MESSAGE.InsufficientPermissions,
+          code: ERROR_CODE.InsufficientPermissions,
+          missing
+        });
+        return;
+      }
+      next();
+    };
+  }
+  const ownerOnly = (req, res, next) => {
+    const user = req.user;
+    if (!user || user.role !== STAFF_ROLE.Owner) {
+      res.status(403).json({ success: false, error: ERROR_MESSAGE.OwnerOnly, code: ERROR_CODE.OwnerOnly });
+      return;
+    }
+    next();
+  };
+  function requireRole(...roles) {
+    return (req, res, next) => {
+      const user = req.user;
+      if (!user || !roles.includes(user.role)) {
+        res.status(403).json({ success: false, error: ERROR_MESSAGE.InsufficientPermissions, code: ERROR_CODE.InsufficientPermissions });
+        return;
+      }
+      next();
+    };
+  }
+  return {
+    verifyToken,
+    resolveStaff: resolveStaffFromToken,
+    requirePermission,
+    ownerOnly,
+    requireRole
+  };
+}
+function sendStaffError(res, error, status) {
+  res.status(status).json({ success: false, error: error.message, code: error.code });
+}
+function handleStaffError(res, error, logger) {
+  if (error instanceof RateLimitError) {
+    res.set("Retry-After", String(Math.ceil(error.retryAfterMs / 1e3)));
+    sendStaffError(res, error, 429);
+  } else if (error instanceof AuthenticationError || error instanceof TokenError) {
+    sendStaffError(res, error, 401);
+  } else if (error instanceof AuthorizationError || error instanceof SetupError) {
+    sendStaffError(res, error, 403);
+  } else if (error instanceof StaffNotFoundError || error instanceof GroupNotFoundError) {
+    sendStaffError(res, error, 404);
+  } else if (error instanceof DuplicateError) {
+    sendStaffError(res, error, 409);
+  } else if (error instanceof LastOwnerError || error instanceof InvalidPermissionError) {
+    sendStaffError(res, error, 400);
+  } else if (error instanceof AlxStaffError) {
+    sendStaffError(res, error, 400);
+  } else {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    logger.error("Unexpected error", { error: message });
+    sendError(res, message, 500);
+  }
+}
+
+// src/routes/auth.routes.ts
+function createAuthRoutes(staffService, auth, logger, allowSelfPasswordChange) {
+  const router = Router();
+  router.post("/setup", async (req, res) => {
+    try {
+      const result = await staffService.setupOwner(req.body);
+      sendSuccess(res, result, 201);
+    } catch (error) {
+      handleStaffError(res, error, logger);
+    }
+  });
+  router.post("/login", async (req, res) => {
+    try {
+      const { email, password } = req.body;
+      const ip = req.ip || req.socket.remoteAddress || "";
+      const result = await staffService.login(email, password, ip);
+      sendSuccess(res, result);
+    } catch (error) {
+      handleStaffError(res, error, logger);
+    }
+  });
+  router.get("/me", auth.verifyToken, async (req, res) => {
+    try {
+      const user = req.user;
+      const staff = await staffService.getById(user.staffId);
+      sendSuccess(res, { staff, permissions: user.permissions });
+    } catch (error) {
+      handleStaffError(res, error, logger);
+    }
+  });
+  if (allowSelfPasswordChange) {
+    router.put("/me/password", auth.verifyToken, async (req, res) => {
+      try {
+        const user = req.user;
+        const { oldPassword, newPassword } = req.body;
+        await staffService.changeOwnPassword(user.staffId, oldPassword, newPassword);
+        sendSuccess(res, { message: "Password changed successfully" });
+      } catch (error) {
+        handleStaffError(res, error, logger);
+      }
+    });
+  }
+  return router;
+}
+function createStaffRoutes(staffService, logger) {
+  const router = Router();
+  router.get("/", async (req, res) => {
+    try {
+      const query = req.query;
+      const filters = {};
+      if (query["status"]) filters["status"] = query["status"];
+      if (query["role"]) filters["role"] = query["role"];
+      if (query["page"]) filters["page"] = parseInt(query["page"], 10);
+      if (query["limit"]) filters["limit"] = parseInt(query["limit"], 10);
+      const result = await staffService.list(filters);
+      sendSuccess(res, result);
+    } catch (error) {
+      handleStaffError(res, error, logger);
+    }
+  });
+  router.post("/", async (req, res) => {
+    try {
+      const result = await staffService.create(req.body);
+      sendSuccess(res, result, 201);
+    } catch (error) {
+      handleStaffError(res, error, logger);
+    }
+  });
+  router.put("/:staffId", async (req, res) => {
+    try {
+      const result = await staffService.update(req.params["staffId"], req.body);
+      sendSuccess(res, result);
+    } catch (error) {
+      handleStaffError(res, error, logger);
+    }
+  });
+  router.put("/:staffId/permissions", async (req, res) => {
+    try {
+      const result = await staffService.updatePermissions(
+        req.params["staffId"],
+        req.body.permissions
+      );
+      sendSuccess(res, result);
+    } catch (error) {
+      handleStaffError(res, error, logger);
+    }
+  });
+  router.put("/:staffId/status", async (req, res) => {
+    try {
+      const result = await staffService.updateStatus(
+        req.params["staffId"],
+        req.body.status
+      );
+      sendSuccess(res, result);
+    } catch (error) {
+      handleStaffError(res, error, logger);
+    }
+  });
+  router.put("/:staffId/password", async (req, res) => {
+    try {
+      await staffService.resetPassword(req.params["staffId"], req.body.password);
+      sendSuccess(res, { message: "Password reset successfully" });
+    } catch (error) {
+      handleStaffError(res, error, logger);
+    }
+  });
+  return router;
+}
+function createPermissionGroupRoutes(permissionService, auth, logger) {
+  const router = Router();
+  router.get("/", auth.verifyToken, async (req, res) => {
+    try {
+      const result = await permissionService.listGroups();
+      sendSuccess(res, result);
+    } catch (error) {
+      handleStaffError(res, error, logger);
+    }
+  });
+  router.post("/", auth.verifyToken, auth.ownerOnly, async (req, res) => {
+    try {
+      const result = await permissionService.createGroup(req.body);
+      sendSuccess(res, result, 201);
+    } catch (error) {
+      handleStaffError(res, error, logger);
+    }
+  });
+  router.put("/:groupId", auth.verifyToken, auth.ownerOnly, async (req, res) => {
+    try {
+      const result = await permissionService.updateGroup(req.params["groupId"], req.body);
+      sendSuccess(res, result);
+    } catch (error) {
+      handleStaffError(res, error, logger);
+    }
+  });
+  router.delete("/:groupId", auth.verifyToken, auth.ownerOnly, async (req, res) => {
+    try {
+      await permissionService.deleteGroup(req.params["groupId"]);
+      sendSuccess(res, { message: "Group deleted successfully" });
+    } catch (error) {
+      handleStaffError(res, error, logger);
+    }
+  });
+  return router;
+}
+
+// src/routes/index.ts
+function createRoutes(services, auth, logger, allowSelfPasswordChange) {
+  const router = Router();
+  router.use("/", createAuthRoutes(services.staff, auth, logger, allowSelfPasswordChange));
+  router.use("/", auth.verifyToken, auth.ownerOnly, createStaffRoutes(services.staff, logger));
+  router.use("/permission-groups", createPermissionGroupRoutes(services.permissions, auth, logger));
+  return router;
+}
+var StaffEngineConfigSchema = z.object({
+  db: z.object({
+    connection: z.unknown().refine((v) => v !== void 0 && v !== null, {
+      message: "db.connection is required"
+    }),
+    collectionPrefix: z.string().optional()
+  }),
+  redis: z.object({
+    connection: z.unknown(),
+    keyPrefix: z.string().optional()
+  }).optional(),
+  logger: z.object({
+    info: z.function(),
+    warn: z.function(),
+    error: z.function()
+  }).optional(),
+  tenantId: z.string().optional(),
+  auth: z.object({
+    jwtSecret: z.string().min(1),
+    staffTokenExpiry: z.string().optional(),
+    ownerTokenExpiry: z.string().optional(),
+    permissionCacheTtlMs: z.number().int().positive().optional()
+  }),
+  adapters: z.object({
+    hashPassword: z.function(),
+    comparePassword: z.function()
+  }),
+  hooks: z.object({
+    onStaffCreated: z.function().optional(),
+    onLogin: z.function().optional(),
+    onLoginFailed: z.function().optional(),
+    onPermissionsChanged: z.function().optional(),
+    onStatusChanged: z.function().optional(),
+    onMetric: z.function().optional()
+  }).optional(),
+  options: z.object({
+    requireEmailUniqueness: z.boolean().optional(),
+    allowSelfPasswordChange: z.boolean().optional(),
+    rateLimiter: z.object({
+      windowMs: z.number().int().positive().optional(),
+      maxAttempts: z.number().int().positive().optional()
+    }).optional()
+  }).optional()
+});
+function createStaffEngine(config) {
+  const parseResult = StaffEngineConfigSchema.safeParse(config);
+  if (!parseResult.success) {
+    const issues = parseResult.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join(", ");
+    throw new InvalidConfigError("config", issues);
+  }
+  const resolvedOptions = {
+    requireEmailUniqueness: config.options?.requireEmailUniqueness ?? DEFAULT_OPTIONS.requireEmailUniqueness,
+    allowSelfPasswordChange: config.options?.allowSelfPasswordChange ?? DEFAULT_OPTIONS.allowSelfPasswordChange,
+    rateLimiter: {
+      windowMs: config.options?.rateLimiter?.windowMs ?? DEFAULT_OPTIONS.rateLimiter.windowMs,
+      maxAttempts: config.options?.rateLimiter?.maxAttempts ?? DEFAULT_OPTIONS.rateLimiter.maxAttempts
+    }
+  };
+  const resolvedAuth = {
+    jwtSecret: config.auth.jwtSecret,
+    staffTokenExpiry: config.auth.staffTokenExpiry ?? DEFAULT_AUTH.staffTokenExpiry,
+    ownerTokenExpiry: config.auth.ownerTokenExpiry ?? DEFAULT_AUTH.ownerTokenExpiry,
+    permissionCacheTtlMs: config.auth.permissionCacheTtlMs ?? DEFAULT_AUTH.permissionCacheTtlMs
+  };
+  const logger = config.logger ?? noopLogger;
+  const conn = config.db.connection;
+  const prefix = config.db.collectionPrefix;
+  const StaffModel = createStaffModel(conn, prefix);
+  const PermissionGroupModel = createPermissionGroupModel(conn, prefix);
+  const redis = config.redis?.connection ?? null;
+  const keyPrefix = config.redis?.keyPrefix ?? "staff:";
+  const rateLimiter = new RateLimiterService(
+    resolvedOptions.rateLimiter.windowMs,
+    resolvedOptions.rateLimiter.maxAttempts,
+    redis,
+    keyPrefix,
+    logger
+  );
+  const permissionCache = new PermissionCacheService(
+    StaffModel,
+    resolvedAuth.permissionCacheTtlMs,
+    redis,
+    keyPrefix,
+    logger,
+    config.tenantId
+  );
+  const permissionService = new PermissionService(
+    PermissionGroupModel,
+    permissionCache,
+    logger,
+    config.tenantId
+  );
+  const staffService = new StaffService({
+    Staff: StaffModel,
+    PermissionGroup: PermissionGroupModel,
+    adapters: config.adapters,
+    hooks: config.hooks ?? {},
+    permissionCache,
+    rateLimiter,
+    logger,
+    tenantId: config.tenantId,
+    jwtSecret: resolvedAuth.jwtSecret,
+    staffTokenExpiry: resolvedAuth.staffTokenExpiry,
+    ownerTokenExpiry: resolvedAuth.ownerTokenExpiry,
+    requireEmailUniqueness: resolvedOptions.requireEmailUniqueness,
+    allowSelfPasswordChange: resolvedOptions.allowSelfPasswordChange
+  });
+  const auth = createAuthMiddleware(
+    resolvedAuth.jwtSecret,
+    permissionCache,
+    StaffModel,
+    logger,
+    config.tenantId
+  );
+  const routes = createRoutes(
+    { staff: staffService, permissions: permissionService },
+    auth,
+    logger,
+    resolvedOptions.allowSelfPasswordChange
+  );
+  async function destroy() {
+    await permissionCache.invalidateAll();
+    logger.info("StaffEngine destroyed");
+  }
+  return {
+    routes,
+    auth,
+    staff: staffService,
+    permissions: permissionService,
+    models: { Staff: StaffModel, PermissionGroup: PermissionGroupModel },
+    destroy
+  };
+}
+
+export { AlxStaffError, AuthenticationError, AuthorizationError, DEFAULTS, DEFAULT_AUTH, DuplicateError, ERROR_CODE, ERROR_MESSAGE, GroupNotFoundError, InvalidConfigError, InvalidPermissionError, LastOwnerError, PermissionCacheService, PermissionService, RateLimitError, RateLimiterService, SetupError, StaffNotFoundError, StaffService, TokenError, createAuthMiddleware, createPermissionGroupModel, createRoutes, createStaffEngine, createStaffModel, handleStaffError, validatePermissionPairs };
+//# sourceMappingURL=index.mjs.map
+//# sourceMappingURL=index.mjs.map