@banata-auth/convex 0.1.0

package/dist/plugins/organization-rbac.d.ts

@@ -0,0 +1,3 @@
+import type { BetterAuthPlugin } from "better-auth";
+export declare function organizationRbacPlugin(): BetterAuthPlugin;
+//# sourceMappingURL=organization-rbac.d.ts.map

package/dist/plugins/organization-rbac.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"organization-rbac.d.ts","sourceRoot":"","sources":["../../src/plugins/organization-rbac.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AA2YpD,wBAAgB,sBAAsB,IAAI,gBAAgB,CA05BzD"}

package/dist/plugins/portal.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Portal plugin for Banata Auth.
+ *
+ * Provides an Admin Portal link generation API that creates short-lived,
+ * scoped portal sessions for organization IT admins. Each portal link
+ * grants access to a specific intent (SSO, Directory Sync, Audit Logs, etc.)
+ * within an organization context.
+ *
+ * This mirrors WorkOS's Admin Portal feature, allowing you to generate
+ * a URL that redirects an org admin to a self-serve configuration page.
+ *
+ * @see {@link ../../../shared/src/types.ts} for the PortalSession SDK type
+ */
+import type { BetterAuthPlugin } from "better-auth";
+/**
+ * Portal plugin for Banata Auth.
+ *
+ * Registers API endpoints under `/api/auth/banata/portal/*` that allow
+ * programmatic generation of short-lived admin portal links.
+ *
+ * @returns A Better Auth plugin descriptor
+ *
+ * @example
+ * ```ts
+ * import { portalPlugin } from "./plugins/portal";
+ *
+ * const plugins = [
+ *   portalPlugin(),
+ *   // ... other plugins
+ * ];
+ * ```
+ */
+export declare function portalPlugin(): BetterAuthPlugin;
+//# sourceMappingURL=portal.d.ts.map

package/dist/plugins/portal.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"portal.d.ts","sourceRoot":"","sources":["../../src/plugins/portal.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAwEpD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,YAAY,IAAI,gBAAgB,CA+K/C"}

package/dist/plugins/projects.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Banata Auth Projects Plugin
+ *
+ * Provides multi-project support.
+ * Each project is a fully isolated auth tenant with its own users, sessions,
+ * organizations, branding, email templates, API keys, webhooks, etc.
+ */
+import type { BetterAuthPlugin } from "better-auth";
+export interface ProjectsPluginOptions {
+    /** Whether to auto-create a default project if none exist. Default: true */
+    autoCreateDefault?: boolean;
+    /** Default project name when auto-creating. Default: "Default Project" */
+    defaultProjectName?: string;
+}
+export declare function projectsPlugin(options?: ProjectsPluginOptions): BetterAuthPlugin;
+//# sourceMappingURL=projects.d.ts.map

package/dist/plugins/projects.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"projects.d.ts","sourceRoot":"","sources":["../../src/plugins/projects.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAkTpD,MAAM,WAAW,qBAAqB;IACrC,4EAA4E;IAC5E,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,0EAA0E;IAC1E,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAID,wBAAgB,cAAc,CAAC,OAAO,GAAE,qBAA0B,GAAG,gBAAgB,CA6PpF"}

package/dist/plugins/protection.d.ts

@@ -0,0 +1,127 @@
+/**
+ * Bot protection plugin for Banata Auth.
+ *
+ * Provides request-level bot detection and abuse prevention using
+ * Better Auth's `onRequest` hook. This plugin intercepts incoming
+ * requests BEFORE any auth processing occurs and can short-circuit
+ * with a 403 if a bot is detected.
+ *
+ * The plugin is provider-agnostic — it accepts a `verifyRequest`
+ * callback that consumers implement with their preferred bot detection
+ * service (Vercel BotID, Cloudflare Turnstile, hCaptcha, reCAPTCHA, etc.).
+ *
+ * @example
+ * ```ts
+ * import { banataProtection } from "@banata-auth/convex/plugins";
+ *
+ * // The plugin is automatically included when you configure protection
+ * // in your BanataAuthConfig:
+ * const config: BanataAuthConfig = {
+ *   protection: {
+ *     enabled: true,
+ *     protectedPaths: ["/sign-in", "/sign-up", "/forget-password", "/reset-password"],
+ *     verifyRequest: async (request) => {
+ *       // Implement your bot verification logic here
+ *       return { isBot: false };
+ *     },
+ *   },
+ * };
+ * ```
+ */
+import type { BetterAuthPlugin } from "better-auth";
+/**
+ * Result of a bot verification check.
+ */
+export interface BotVerificationResult {
+    /** Whether the request was identified as coming from a bot. */
+    isBot: boolean;
+    /** Optional reason for the bot detection (for logging). */
+    reason?: string;
+}
+/**
+ * Function that verifies whether a request is from a bot.
+ * Implement this with your bot detection provider of choice.
+ *
+ * @param request - The incoming HTTP request
+ * @returns Verification result indicating whether the request is from a bot
+ */
+export type BotVerifyFn = (request: Request) => Promise<BotVerificationResult>;
+/**
+ * Configuration for the bot protection plugin.
+ */
+export interface BanataProtectionOptions {
+    /**
+     * Whether bot protection is enabled.
+     * When false, all requests pass through without verification.
+     * @default true
+     */
+    enabled?: boolean;
+    /**
+     * Path prefixes to protect from bots.
+     * Only requests whose pathname starts with one of these prefixes
+     * will be verified. All other requests pass through.
+     *
+     * @default ["/sign-in", "/sign-up", "/forget-password", "/reset-password"]
+     */
+    protectedPaths?: string[];
+    /**
+     * The bot verification function.
+     * Called for every request that matches a protected path.
+     * If not provided, requests pass through (useful for development).
+     */
+    verifyRequest?: BotVerifyFn;
+    /**
+     * HTTP methods to check. By default only POST requests are verified
+     * since GET requests to auth endpoints are typically metadata/redirect
+     * flows, not credential submissions.
+     *
+     * @default ["POST"]
+     */
+    protectedMethods?: string[];
+    /**
+     * Custom error message returned when a bot is detected.
+     * @default "Bot detected. Access denied."
+     */
+    blockedMessage?: string;
+    /**
+     * Called when a bot is detected (for logging/analytics).
+     */
+    onBotDetected?: (request: Request, result: BotVerificationResult) => void | Promise<void>;
+    /**
+     * Whether to fail open (allow request) when the verification
+     * function throws an error. This prevents legitimate users from
+     * being locked out if the bot detection service is unavailable.
+     *
+     * @default true
+     */
+    failOpen?: boolean;
+}
+/**
+ * Bot protection plugin for Banata Auth.
+ *
+ * Uses Better Auth's `onRequest` hook to intercept requests before
+ * any auth processing. Protected paths are checked against the
+ * configured `verifyRequest` function.
+ *
+ * @param options - Protection configuration
+ * @returns A Better Auth plugin
+ *
+ * @example
+ * ```ts
+ * import { banataProtection } from "@banata-auth/convex/plugins";
+ * import { checkBotId } from "botid/server";
+ *
+ * banataProtection({
+ *   verifyRequest: async (request) => {
+ *     try {
+ *       const result = await checkBotId();
+ *       return { isBot: result.isBot };
+ *     } catch {
+ *       return { isBot: false }; // fail open
+ *     }
+ *   },
+ * });
+ * ```
+ */
+export declare function banataProtection(options?: BanataProtectionOptions): BetterAuthPlugin;
+//# sourceMappingURL=protection.d.ts.map

package/dist/plugins/protection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"protection.d.ts","sourceRoot":"","sources":["../../src/plugins/protection.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAIpD;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACrC,+DAA+D;IAC/D,KAAK,EAAE,OAAO,CAAC;IACf,2DAA2D;IAC3D,MAAM,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;GAMG;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,qBAAqB,CAAC,CAAC;AAE/E;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACvC;;;;OAIG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;IAElB;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAE1B;;;;OAIG;IACH,aAAa,CAAC,EAAE,WAAW,CAAC;IAE5B;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAE5B;;;OAGG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB;;OAEG;IACH,aAAa,CAAC,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,qBAAqB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE1F;;;;;;OAMG;IACH,QAAQ,CAAC,EAAE,OAAO,CAAC;CACnB;AAUD;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,GAAE,uBAA4B,GAAG,gBAAgB,CA4FxF"}

package/dist/plugins/types.d.ts

@@ -0,0 +1,508 @@
+/**
+ * Shared type definitions for Banata Auth plugins.
+ *
+ * These types provide type-safe interfaces for the Better Auth plugin system,
+ * replacing raw `any` usage throughout the plugin codebase.
+ *
+ * Better Auth's plugin system uses `better-call` endpoints under the hood.
+ * The handler context (`EndpointContext`) includes the full `AuthContext` which
+ * contains the database adapter, session info, and more.
+ *
+ * @see https://www.better-auth.com/docs/plugins/custom-plugin
+ */
+import type { BetterAuthOptions } from "better-auth";
+import { z } from "zod";
+/**
+ * Where clause for database queries.
+ * Matches Better Auth's Where type from @better-auth/core/dist/db/adapter.
+ */
+export interface WhereClause {
+    field: string;
+    value: string | number | boolean | string[] | number[] | Date | null;
+    operator?: "eq" | "ne" | "lt" | "lte" | "gt" | "gte" | "in" | "not_in" | "contains" | "starts_with" | "ends_with";
+    connector?: "AND" | "OR";
+}
+/**
+ * Sort specification for database queries.
+ */
+export interface SortBy {
+    field: string;
+    direction: "asc" | "desc";
+}
+/**
+ * Typed subset of Better Auth's DBAdapter.
+ *
+ * This represents the adapter available on `ctx.context.adapter`.
+ * We use generic `Record<string, unknown>` for data instead of `any`.
+ */
+export interface PluginDBAdapter {
+    create: <T extends Record<string, unknown> = Record<string, unknown>>(data: {
+        model: string;
+        data: Record<string, unknown>;
+        select?: string[];
+        forceAllowId?: boolean;
+    }) => Promise<T>;
+    findOne: <T = Record<string, unknown>>(data: {
+        model: string;
+        where: WhereClause[];
+        select?: string[];
+    }) => Promise<T | null>;
+    findMany: <T = Record<string, unknown>>(data: {
+        model: string;
+        where?: WhereClause[];
+        limit?: number;
+        select?: string[];
+        sortBy?: SortBy;
+        offset?: number;
+    }) => Promise<T[]>;
+    update: <T = Record<string, unknown>>(data: {
+        model: string;
+        where: WhereClause[];
+        update: Record<string, unknown>;
+    }) => Promise<T | null>;
+    delete: (data: {
+        model: string;
+        where: WhereClause[];
+    }) => Promise<void>;
+    deleteMany: (data: {
+        model: string;
+        where: WhereClause[];
+    }) => Promise<number>;
+    count: (data: {
+        model: string;
+        where?: WhereClause[];
+    }) => Promise<number>;
+}
+/**
+ * Shape of a user record from the session context.
+ */
+export interface SessionUser {
+    id: string;
+    email: string;
+    name: string;
+    emailVerified: boolean;
+    image?: string | null;
+    role?: string;
+    banned?: boolean;
+    [key: string]: unknown;
+}
+/**
+ * Shape of a session record from the session context.
+ */
+export interface SessionRecord {
+    id: string;
+    userId: string;
+    token: string;
+    expiresAt: number | Date;
+    ipAddress?: string | null;
+    userAgent?: string | null;
+    activeOrganizationId?: string | null;
+    impersonatedBy?: string | null;
+    createdAt: number | Date;
+    updatedAt: number | Date;
+    [key: string]: unknown;
+}
+/**
+ * The AuthContext subset available on `ctx.context` in endpoint handlers.
+ *
+ * This is a narrowed version of Better Auth's full AuthContext, including
+ * only the fields typically used by custom plugins.
+ */
+export interface PluginAuthContext {
+    adapter: PluginDBAdapter;
+    session: {
+        session: SessionRecord;
+        user: SessionUser;
+    } | null;
+    options: BetterAuthOptions;
+    secret: string;
+    baseURL: string;
+    appName: string;
+    generateId: (options: {
+        model: string;
+        size?: number;
+    }) => string | false;
+}
+/**
+ * The full endpoint handler context for plugin endpoints.
+ *
+ * This is the `ctx` parameter received by endpoint handlers registered
+ * in a BetterAuthPlugin's `endpoints` object.
+ */
+export interface PluginEndpointContext<TBody = Record<string, unknown>> {
+    /** Parsed and validated request body */
+    body: TBody;
+    /** Request query parameters */
+    query: Record<string, string | undefined>;
+    /** Request headers */
+    headers: Headers | undefined;
+    /** The auth context containing adapter, session, etc. */
+    context: PluginAuthContext;
+    /** Return a JSON response */
+    json: <R extends Record<string, unknown> | null>(data: R, options?: {
+        status?: number;
+        headers?: Record<string, string>;
+    } | Response) => Promise<R>;
+    /** Return an error response */
+    error: (status: number | string, body?: {
+        message?: string;
+        code?: string;
+    } & Record<string, unknown>, headers?: Record<string, string>) => Error;
+    /** The request path */
+    path: string;
+    /** The request object */
+    request: Request | undefined;
+    /** Get a request header */
+    getHeader: (key: string) => string | null;
+}
+/**
+ * Context passed to plugin hook matchers and handlers.
+ */
+export interface PluginHookContext {
+    path?: string;
+    context: PluginAuthContext & {
+        returned?: unknown;
+        responseHeaders?: Headers;
+    };
+    headers?: Headers;
+    body?: Record<string, unknown>;
+    query?: Record<string, string | undefined>;
+}
+/**
+ * Row shape for the `auditEvent` table.
+ *
+ * Index signature allows these types to satisfy Record<string, unknown>
+ * which is required by Better Auth's DBAdapter generic constraints.
+ */
+export interface AuditEventRow extends Record<string, unknown> {
+    id: string;
+    action: string;
+    version: number | null;
+    actorType: string;
+    actorId: string;
+    actorName: string | null;
+    actorEmail: string | null;
+    /** JSON-serialized Record<string, string> */
+    actorMetadata: string | null;
+    targets: string | null;
+    organizationId: string | null;
+    ipAddress: string | null;
+    userAgent: string | null;
+    requestId: string | null;
+    changes: string | null;
+    idempotencyKey: string | null;
+    /** JSON-serialized Record<string, string> */
+    metadata: string | null;
+    occurredAt: number;
+    createdAt: number;
+}
+/**
+ * Row shape for the `webhookEndpoint` table.
+ */
+export interface WebhookEndpointRow extends Record<string, unknown> {
+    id: string;
+    url: string;
+    secret: string;
+    eventTypes: string | null;
+    enabled: boolean;
+    successCount: number | null;
+    failureCount: number | null;
+    consecutiveFailures: number | null;
+    lastDeliveryAt: number | null;
+    lastDeliveryStatus: string | null;
+    createdAt: number;
+    updatedAt: number;
+}
+/**
+ * Row shape for the `webhookDelivery` table.
+ */
+export interface WebhookDeliveryRow extends Record<string, unknown> {
+    id: string;
+    endpointId: string;
+    eventType: string;
+    payload: string;
+    attempt: number;
+    maxAttempts: number;
+    status: "pending" | "success" | "failed" | "retrying";
+    httpStatus: number | null;
+    responseBody: string | null;
+    errorMessage: string | null;
+    nextRetryAt: number | null;
+    deliveredAt: number | null;
+    createdAt: number;
+}
+/**
+ * Row shape for the `roleDefinition` table.
+ */
+export interface RoleDefinitionRow extends Record<string, unknown> {
+    id: string;
+    name: string;
+    slug: string;
+    description: string | null;
+    permissions: string | null;
+    isDefault: boolean | null;
+    createdAt: number;
+    updatedAt: number;
+}
+/**
+ * Row shape for the `permissionDefinition` table.
+ */
+export interface PermissionDefinitionRow extends Record<string, unknown> {
+    id: string;
+    name: string;
+    slug: string;
+    description: string | null;
+    createdAt: number;
+    updatedAt: number;
+}
+/**
+ * Row shape for the `brandingConfig` table.
+ */
+export interface BrandingConfigRow extends Record<string, unknown> {
+    id: string;
+    primaryColor: string | null;
+    bgColor: string | null;
+    borderRadius: number | null;
+    darkMode: boolean | null;
+    customCss: string | null;
+    font: string | null;
+    logoUrl: string | null;
+    createdAt: number;
+    updatedAt: number;
+}
+/**
+ * Row shape for the `emailTemplate` table.
+ */
+export interface EmailTemplateRow extends Record<string, unknown> {
+    id: string;
+    name: string;
+    slug: string;
+    subject: string;
+    previewText: string | null;
+    category: string;
+    description: string | null;
+    /** JSON-serialized EmailBlock[] array. */
+    blocksJson: string;
+    /** JSON-serialized EmailTemplateVariable[] array. */
+    variablesJson: string | null;
+    builtIn: boolean | null;
+    builtInType: string | null;
+    createdAt: number;
+    updatedAt: number;
+}
+/**
+ * Row shape for the `emailConfig` table.
+ */
+export interface EmailConfigRow extends Record<string, unknown> {
+    id: string;
+    emailType: string;
+    name: string;
+    description: string | null;
+    enabled: boolean;
+    category: string;
+    createdAt: number;
+    updatedAt: number;
+}
+/**
+ * Row shape for the `dashboardConfig` table.
+ * Singleton row pattern: at most one row exists.
+ * Stores JSON-serialized partial dashboard config overrides.
+ */
+export interface DashboardConfigRow extends Record<string, unknown> {
+    id: string;
+    /** JSON-serialized partial dashboard config overrides */
+    configJson: string;
+    createdAt: number;
+    updatedAt: number;
+}
+/**
+ * Row shape for the `domainConfig` table.
+ */
+export interface DomainConfigRow extends Record<string, unknown> {
+    id: string;
+    domainKey: string;
+    title: string;
+    description: string | null;
+    value: string;
+    isDefault: boolean | null;
+    createdAt: number;
+    updatedAt: number;
+}
+/**
+ * Row shape for the `redirectConfig` table.
+ * Singleton row with JSON-serialized redirect settings.
+ */
+export interface RedirectConfigRow extends Record<string, unknown> {
+    id: string;
+    configJson: string;
+    createdAt: number;
+    updatedAt: number;
+}
+/**
+ * Row shape for the `actionConfig` table.
+ */
+export interface ActionConfigRow extends Record<string, unknown> {
+    id: string;
+    name: string;
+    description: string | null;
+    triggerEvent: string;
+    webhookUrl: string;
+    createdAt: number;
+    updatedAt: number;
+}
+/**
+ * Row shape for the `radarConfig` table.
+ * Singleton row with JSON-serialized radar/bot protection settings.
+ */
+export interface RadarConfigRow extends Record<string, unknown> {
+    id: string;
+    configJson: string;
+    createdAt: number;
+    updatedAt: number;
+}
+/**
+ * Row shape for the `emailProviderConfig` table.
+ * Singleton row with JSON-serialized email provider settings.
+ */
+export interface EmailProviderConfigRow extends Record<string, unknown> {
+    id: string;
+    configJson: string;
+    createdAt: number;
+    updatedAt: number;
+}
+/**
+ * Row shape for the `resourceType` table.
+ */
+export interface ResourceTypeRow extends Record<string, unknown> {
+    id: string;
+    name: string;
+    slug: string;
+    description: string | null;
+    createdAt: number;
+    updatedAt: number;
+}
+/**
+ * Row shape for the `addonConfig` table.
+ * Singleton row with JSON-serialized addon states.
+ */
+export interface AddonConfigRow extends Record<string, unknown> {
+    id: string;
+    configJson: string;
+    createdAt: number;
+    updatedAt: number;
+}
+/**
+ * Row shape for the `projectConfig` table.
+ * One row per project with JSON-serialized project settings.
+ */
+export interface ProjectConfigRow extends Record<string, unknown> {
+    id: string;
+    configJson: string;
+    projectId?: string;
+    createdAt: number;
+    updatedAt: number;
+}
+/**
+ * Row shape for the `project` table.
+ * Each project is a fully isolated auth tenant.
+ */
+export interface ProjectRow extends Record<string, unknown> {
+    id: string;
+    name: string;
+    slug: string;
+    description?: string;
+    logoUrl?: string;
+    ownerId: string;
+    createdAt: number;
+    updatedAt: number;
+}
+export declare function parseRoleSlugs(value: string | string[] | null | undefined): string[];
+export declare function isGlobalAdminRole(role: string | null | undefined): boolean;
+export declare function isGlobalAdminUser(user: Pick<SessionUser, "role"> | null | undefined): boolean;
+/**
+ * Verify that the current request has an authenticated session.
+ *
+ * This MUST be called at the top of every custom plugin endpoint
+ * that performs administrative operations (webhook CRUD, audit log
+ * management, roles/permissions CRUD, branding, email config, etc.).
+ *
+ * The function uses a loose type signature to remain compatible with
+ * Better Auth's `EndpointContext` which uses a narrower union type
+ * for error status codes (e.g. `"UNAUTHORIZED" | "FORBIDDEN" | ...`)
+ * rather than `string | number`.
+ *
+ * @param ctx - The endpoint handler context from Better Auth
+ * @throws Error with status "UNAUTHORIZED" if not authenticated
+ */
+export declare function requireAuthenticated(ctx: any): {
+    session: SessionRecord;
+    user: SessionUser;
+};
+/**
+ * @deprecated Use `requireAuthenticated` or `requireGlobalAdmin` instead.
+ */
+export declare function requireAdmin(ctx: any): {
+    session: SessionRecord;
+    user: SessionUser;
+};
+export declare function requireGlobalAdmin(ctx: any): {
+    session: SessionRecord;
+    user: SessionUser;
+};
+export declare function getRolePermissions(db: PluginDBAdapter, params: {
+    projectId?: string;
+    roleSlugs: string[];
+}): Promise<Set<string>>;
+/**
+ * Resolve the effective permission slugs for a user in a project.
+ *
+ * Permission sources:
+ * 1) Global Better Auth admin role (`user.role`)
+ * 2) Project ownership (`project.ownerId`)
+ * 3) Organization membership roles in the project (`member.role`)
+ */
+export declare function getEffectiveProjectPermissions(db: PluginDBAdapter, params: {
+    userId: string;
+    projectId?: string;
+}): Promise<Set<string>>;
+/**
+ * Throws FORBIDDEN unless the current user has the given permission in project scope.
+ */
+export declare function requireProjectPermission(ctx: any, params: {
+    db: PluginDBAdapter;
+    permission: string;
+    projectId?: string;
+}): Promise<void>;
+/**
+ * Zod schema partial for project-scoped endpoints.
+ * Add `.merge(projectScopeSchema)` to any endpoint body schema that
+ * should accept an optional projectId.
+ */
+export declare const projectScopeSchema: z.ZodObject<{
+    projectId: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    projectId?: string | undefined;
+}, {
+    projectId?: string | undefined;
+}>;
+/**
+ * Extract projectId from a parsed body and return scope helpers.
+ *
+ * **Strict by default**: throws if `projectId` is missing.
+ * All project-scoped data MUST be isolated — returning empty filters
+ * would silently leak data across projects.
+ *
+ * Pass `{ optional: true }` only for endpoints that genuinely operate
+ * across all projects (e.g. project list, ensure-default).
+ */
+export declare function getProjectScope(body: Record<string, unknown>, opts?: {
+    optional?: boolean;
+}): {
+    /** Where clause filter for findMany/findOne/update/delete. */
+    where: WhereClause[];
+    /** Data fields to include in create. */
+    data: Record<string, string>;
+    /** The resolved projectId (always present when strict). */
+    projectId: string | undefined;
+};
+//# sourceMappingURL=types.d.ts.map