npm - @baseplate-dev/project-builder-lib - Versions diffs - 0.5.1 → 0.5.3 - Mend

@baseplate-dev/project-builder-lib 0.5.1 → 0.5.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (122) hide show

package/dist/schema/models/authorizer/authorizer-expression-acorn-parser.js ADDED Viewed

@@ -0,0 +1,291 @@
+/**
+ * Parser for authorizer expressions using Acorn.
+ *
+ * Parses expressions with implicit auth context:
+ * - `model.id === userId`
+ * - `hasRole('admin')`
+ * - `hasSomeRole(['admin', 'moderator'])`
+ * - `model.id === userId || hasRole('admin')`
+ *
+ * Uses Acorn to parse as JavaScript, then converts the ESTree AST
+ * to our domain-specific AST, rejecting unsupported constructs.
+ */
+import { parse } from 'acorn';
+import { AuthorizerExpressionParseError } from './authorizer-expression-ast.js';
+/**
+ * Parse an authorizer expression string into our domain AST.
+ *
+ * @param input - The expression string to parse
+ * @returns The parsed expression info including AST and dependencies
+ * @throws {AuthorizerExpressionParseError} If the expression is invalid
+ *
+ * @example
+ * ```typescript
+ * const result = parseAuthorizerExpression("model.id === auth.userId");
+ * // result.ast = { type: 'fieldComparison', ... }
+ * // result.modelFieldRefs = ['id']
+ * // result.authFieldRefs = ['userId']
+ * ```
+ */
+export function parseAuthorizerExpression(input) {
+    // Parse with Acorn
+    let program;
+    try {
+        program = parse(input, {
+            ecmaVersion: 2020,
+        });
+    }
+    catch (error) {
+        if (error instanceof SyntaxError) {
+            throw new AuthorizerExpressionParseError(`Invalid expression syntax: ${error.message}`,
+            // SyntaxError thrown by Acorn have a pos property
+            error.pos);
+        }
+        throw error;
+    }
+    // Check body is an expression
+    if (program.body.length !== 1) {
+        throw new AuthorizerExpressionParseError('Expression must be a single expression statement, e.g. model.id === auth.userId', 0, input.length);
+    }
+    const expressionStatement = program.body[0];
+    if (expressionStatement.type !== 'ExpressionStatement') {
+        throw new AuthorizerExpressionParseError('Line must be an expression statement, e.g. model.id === auth.userId', expressionStatement);
+    }
+    // Convert ESTree to our domain AST
+    const ast = convertNode(expressionStatement.expression);
+    // Extract dependency information
+    const info = extractInfo(ast);
+    return {
+        ast,
+        ...info,
+    };
+}
+/**
+ * Convert an ESTree expression node to our domain AST.
+ */
+function convertNode(node) {
+    switch (node.type) {
+        case 'LogicalExpression': {
+            return convertLogicalExpression(node);
+        }
+        case 'BinaryExpression': {
+            return convertBinaryExpression(node);
+        }
+        case 'CallExpression': {
+            return convertCallExpression(node);
+        }
+        case 'MemberExpression': {
+            // A bare member expression like `model.id` without comparison
+            throw new AuthorizerExpressionParseError('Field reference must be part of a comparison (e.g., model.id === auth.userId)', node);
+        }
+        default: {
+            throw new AuthorizerExpressionParseError(`Unsupported expression type: ${node.type}`, node);
+        }
+    }
+}
+/**
+ * Convert a LogicalExpression (|| or &&) to BinaryLogicalNode.
+ */
+function convertLogicalExpression(node) {
+    if (node.operator !== '||' && node.operator !== '&&') {
+        throw new AuthorizerExpressionParseError(`Unsupported logical operator: ${node.operator}. Only || and && are supported.`, node.left.end, node.right.start);
+    }
+    return {
+        type: 'binaryLogical',
+        operator: node.operator,
+        left: convertNode(node.left),
+        right: convertNode(node.right),
+    };
+}
+/**
+ * Convert a BinaryExpression (===) to FieldComparisonNode.
+ */
+function convertBinaryExpression(node) {
+    if (node.operator !== '===') {
+        throw new AuthorizerExpressionParseError(`Unsupported comparison operator: ${node.operator}. Only === is supported.`, node.left.end, node.right.start);
+    }
+    // Acorn's BinaryExpression allows PrivateIdentifier for ES2022+, but we only
+    // support MemberExpression field refs. convertFieldRef will throw if given
+    // anything other than MemberExpression.
+    return {
+        type: 'fieldComparison',
+        operator: '===',
+        left: convertFieldRef(node.left),
+        right: convertFieldRef(node.right),
+    };
+}
+/**
+ * Convert a CallExpression to HasRoleNode or HasSomeRoleNode.
+ * Supports:
+ * - `hasRole('admin')`
+ * - `hasSomeRole(['admin', 'moderator'])`
+ */
+function convertCallExpression(node) {
+    // Only support direct calls (e.g., hasRole(...))
+    if (node.callee.type !== 'Identifier') {
+        throw new AuthorizerExpressionParseError('Function calls must be standalone (hasRole, hasSomeRole)', node.callee);
+    }
+    const funcName = node.callee.name;
+    if (funcName === 'hasRole') {
+        return parseHasRoleArgs(node, 'hasRole()');
+    }
+    if (funcName === 'hasSomeRole') {
+        return parseHasSomeRoleArgs(node, 'hasSomeRole()');
+    }
+    throw new AuthorizerExpressionParseError(`Unknown function '${funcName}'. Use hasRole() or hasSomeRole().`, node.callee);
+}
+/**
+ * Parse hasRole('role') arguments.
+ */
+function parseHasRoleArgs(node, funcName) {
+    // Must have exactly one string argument
+    if (node.arguments.length !== 1) {
+        throw new AuthorizerExpressionParseError(`${funcName} requires exactly one argument, got ${node.arguments.length}`, node);
+    }
+    const arg = node.arguments[0];
+    if (arg.type !== 'Literal' || typeof arg.value !== 'string') {
+        throw new AuthorizerExpressionParseError(`${funcName} argument must be a string literal`, arg);
+    }
+    const role = arg.value;
+    return {
+        type: 'hasRole',
+        role,
+        roleStart: arg.start,
+        roleEnd: arg.end,
+    };
+}
+/**
+ * Parse hasSomeRole(['role1', 'role2']) arguments.
+ */
+function parseHasSomeRoleArgs(node, funcName) {
+    // Must have exactly one array argument
+    if (node.arguments.length !== 1) {
+        throw new AuthorizerExpressionParseError(`${funcName} requires exactly one argument, got ${node.arguments.length}`, node);
+    }
+    const arg = node.arguments[0];
+    if (arg.type !== 'ArrayExpression') {
+        throw new AuthorizerExpressionParseError(`${funcName} argument must be an array literal (e.g., ['admin', 'moderator'])`, arg);
+    }
+    const roles = [];
+    const rolesStart = [];
+    const rolesEnd = [];
+    for (const element of arg.elements) {
+        if (!element) {
+            throw new AuthorizerExpressionParseError(`${funcName} array cannot have empty elements`, arg);
+        }
+        if (element.type !== 'Literal' || typeof element.value !== 'string') {
+            throw new AuthorizerExpressionParseError(`${funcName} array elements must be string literals`, element);
+        }
+        roles.push(element.value);
+        rolesStart.push(element.start);
+        rolesEnd.push(element.end);
+    }
+    if (roles.length === 0) {
+        throw new AuthorizerExpressionParseError(`${funcName} requires at least one role`, arg);
+    }
+    return {
+        type: 'hasSomeRole',
+        roles,
+        rolesStart,
+        rolesEnd,
+    };
+}
+/**
+ * Convert to FieldRefNode.
+ * Supports:
+ * - Standalone identifier for implicit auth context: `userId`
+ * - Member expressions: `model.field`
+ */
+function convertFieldRef(node) {
+    // Handle standalone identifier (implicit auth context)
+    if (node.type === 'Identifier') {
+        const identifier = node;
+        const { name } = identifier;
+        // Only userId is valid as a standalone identifier (implicit auth context)
+        if (name === 'userId') {
+            return {
+                type: 'fieldRef',
+                source: 'auth',
+                field: 'userId',
+                start: node.start,
+                end: node.end,
+            };
+        }
+        throw new AuthorizerExpressionParseError(`Unknown identifier '${name}'. Did you mean 'model.${name}' or use 'userId' for auth context?`, node);
+    }
+    if (node.type !== 'MemberExpression') {
+        throw new AuthorizerExpressionParseError('Expected field reference (model.field or userId)', node);
+    }
+    const memberExpr = node;
+    // Object must be an identifier
+    if (memberExpr.object.type !== 'Identifier') {
+        throw new AuthorizerExpressionParseError('Field reference must start with model', memberExpr.object);
+    }
+    const source = memberExpr.object.name;
+    if (source !== 'model') {
+        throw new AuthorizerExpressionParseError(`Field reference must start with 'model', not '${source}'`, memberExpr.object);
+    }
+    // Property must be a simple identifier (not computed)
+    if (memberExpr.computed) {
+        throw new AuthorizerExpressionParseError('Computed property access (e.g., model["field"]) is not supported', memberExpr.property);
+    }
+    if (memberExpr.property.type !== 'Identifier') {
+        throw new AuthorizerExpressionParseError('Expected field name identifier', memberExpr.property);
+    }
+    const field = memberExpr.property.name;
+    return {
+        type: 'fieldRef',
+        source: 'model',
+        field,
+        start: node.start,
+        end: node.end,
+    };
+}
+/**
+ * Extract dependency information from the parsed AST.
+ */
+function extractInfo(ast) {
+    const modelFieldRefs = [];
+    const authFieldRefs = [];
+    const roleRefs = [];
+    let requiresModel = false;
+    function walk(node) {
+        switch (node.type) {
+            case 'fieldComparison': {
+                walkFieldRef(node.left);
+                walkFieldRef(node.right);
+                break;
+            }
+            case 'hasRole': {
+                roleRefs.push(node.role);
+                break;
+            }
+            case 'hasSomeRole': {
+                roleRefs.push(...node.roles);
+                break;
+            }
+            case 'binaryLogical': {
+                walk(node.left);
+                walk(node.right);
+                break;
+            }
+        }
+    }
+    function walkFieldRef(node) {
+        if (node.source === 'model') {
+            modelFieldRefs.push(node.field);
+            requiresModel = true;
+        }
+        else {
+            authFieldRefs.push(node.field);
+        }
+    }
+    walk(ast);
+    return {
+        modelFieldRefs: [...new Set(modelFieldRefs)],
+        authFieldRefs: [...new Set(authFieldRefs)],
+        roleRefs: [...new Set(roleRefs)],
+        requiresModel,
+    };
+}
+//# sourceMappingURL=authorizer-expression-acorn-parser.js.map

package/dist/schema/models/authorizer/authorizer-expression-acorn-parser.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"authorizer-expression-acorn-parser.js","sourceRoot":"","sources":["../../../../src/schema/models/authorizer/authorizer-expression-acorn-parser.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAUH,OAAO,EAAE,KAAK,EAAE,MAAM,OAAO,CAAC;AAY9B,OAAO,EAAE,8BAA8B,EAAE,MAAM,gCAAgC,CAAC;AAEhF;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,yBAAyB,CACvC,KAAa;IAEb,mBAAmB;IACnB,IAAI,OAAgB,CAAC;IACrB,IAAI,CAAC;QACH,OAAO,GAAG,KAAK,CAAC,KAAK,EAAE;YACrB,WAAW,EAAE,IAAI;SAClB,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,WAAW,EAAE,CAAC;YACjC,MAAM,IAAI,8BAA8B,CACtC,8BAA8B,KAAK,CAAC,OAAO,EAAE;YAC7C,kDAAkD;YACjD,KAAoC,CAAC,GAAG,CAC1C,CAAC;QACJ,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;IAED,8BAA8B;IAC9B,IAAI,OAAO,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,8BAA8B,CACtC,iFAAiF,EACjF,CAAC,EACD,KAAK,CAAC,MAAM,CACb,CAAC;IACJ,CAAC;IACD,MAAM,mBAAmB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAE5C,IAAI,mBAAmB,CAAC,IAAI,KAAK,qBAAqB,EAAE,CAAC;QACvD,MAAM,IAAI,8BAA8B,CACtC,qEAAqE,EACrE,mBAAmB,CACpB,CAAC;IACJ,CAAC;IAED,mCAAmC;IACnC,MAAM,GAAG,GAAG,WAAW,CAAC,mBAAmB,CAAC,UAAU,CAAC,CAAC;IAExD,iCAAiC;IACjC,MAAM,IAAI,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IAE9B,OAAO;QACL,GAAG;QACH,GAAG,IAAI;KACR,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,IAAgB;IACnC,QAAQ,IAAI,CAAC,IAAI,EAAE,CAAC;QAClB,KAAK,mBAAmB,CAAC,CAAC,CAAC;YACzB,OAAO,wBAAwB,CAAC,IAAI,CAAC,CAAC;QACxC,CAAC;QAED,KAAK,kBAAkB,CAAC,CAAC,CAAC;YACxB,OAAO,uBAAuB,CAAC,IAAI,CAAC,CAAC;QACvC,CAAC;QAED,KAAK,gBAAgB,CAAC,CAAC,CAAC;YACtB,OAAO,qBAAqB,CAAC,IAAI,CAAC,CAAC;QACrC,CAAC;QAED,KAAK,kBAAkB,CAAC,CAAC,CAAC;YACxB,8DAA8D;YAC9D,MAAM,IAAI,8BAA8B,CACtC,+EAA+E,EAC/E,IAAI,CACL,CAAC;QACJ,CAAC;QAED,OAAO,CAAC,CAAC,CAAC;YACR,MAAM,IAAI,8BAA8B,CACtC,gCAAgC,IAAI,CAAC,IAAI,EAAE,EAC3C,IAAI,CACL,CAAC;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,wBAAwB,CAAC,IAAuB;IACvD,IAAI,IAAI,CAAC,QAAQ,KAAK,IAAI,IAAI,IAAI,CAAC,QAAQ,KAAK,IAAI,EAAE,CAAC;QACrD,MAAM,IAAI,8BAA8B,CACtC,iCAAiC,IAAI,CAAC,QAAQ,iCAAiC,EAC/E,IAAI,CAAC,IAAI,CAAC,GAAG,EACb,IAAI,CAAC,KAAK,CAAC,KAAK,CACjB,CAAC;IACJ,CAAC;IAED,OAAO;QACL,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,IAAI,EAAE,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC;QAC5B,KAAK,EAAE,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC;KAC/B,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAAC,IAAsB;IACrD,IAAI,IAAI,CAAC,QAAQ,KAAK,KAAK,EAAE,CAAC;QAC5B,MAAM,IAAI,8BAA8B,CACtC,oCAAoC,IAAI,CAAC,QAAQ,0BAA0B,EAC3E,IAAI,CAAC,IAAI,CAAC,GAAG,EACb,IAAI,CAAC,KAAK,CAAC,KAAK,CACjB,CAAC;IACJ,CAAC;IAED,6EAA6E;IAC7E,2EAA2E;IAC3E,wCAAwC;IACxC,OAAO;QACL,IAAI,EAAE,iBAAiB;QACvB,QAAQ,EAAE,KAAK;QACf,IAAI,EAAE,eAAe,CAAC,IAAI,CAAC,IAAkB,CAAC;QAC9C,KAAK,EAAE,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC;KACnC,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAS,qBAAqB,CAC5B,IAAoB;IAEpB,iDAAiD;IACjD,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QACtC,MAAM,IAAI,8BAA8B,CACtC,0DAA0D,EAC1D,IAAI,CAAC,MAAM,CACZ,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;IAElC,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC3B,OAAO,gBAAgB,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IAC7C,CAAC;IAED,IAAI,QAAQ,KAAK,aAAa,EAAE,CAAC;QAC/B,OAAO,oBAAoB,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;IACrD,CAAC;IAED,MAAM,IAAI,8BAA8B,CACtC,qBAAqB,QAAQ,oCAAoC,EACjE,IAAI,CAAC,MAAM,CACZ,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,IAAoB,EAAE,QAAgB;IAC9D,wCAAwC;IACxC,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,8BAA8B,CACtC,GAAG,QAAQ,uCAAuC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,EACzE,IAAI,CACL,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IAC9B,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,IAAI,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC5D,MAAM,IAAI,8BAA8B,CACtC,GAAG,QAAQ,oCAAoC,EAC/C,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC;IAEvB,OAAO;QACL,IAAI,EAAE,SAAS;QACf,IAAI;QACJ,SAAS,EAAE,GAAG,CAAC,KAAK;QACpB,OAAO,EAAE,GAAG,CAAC,GAAG;KACjB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAC3B,IAAoB,EACpB,QAAgB;IAEhB,uCAAuC;IACvC,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,8BAA8B,CACtC,GAAG,QAAQ,uCAAuC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,EACzE,IAAI,CACL,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IAC9B,IAAI,GAAG,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;QACnC,MAAM,IAAI,8BAA8B,CACtC,GAAG,QAAQ,mEAAmE,EAC9E,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,UAAU,GAAa,EAAE,CAAC;IAChC,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,KAAK,MAAM,OAAO,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACnC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,8BAA8B,CACtC,GAAG,QAAQ,mCAAmC,EAC9C,GAAG,CACJ,CAAC;QACJ,CAAC;QAED,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,IAAI,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACpE,MAAM,IAAI,8BAA8B,CACtC,GAAG,QAAQ,yCAAyC,EACpD,OAAO,CACR,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QAC1B,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QAC/B,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAED,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,8BAA8B,CACtC,GAAG,QAAQ,6BAA6B,EACxC,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,OAAO;QACL,IAAI,EAAE,aAAa;QACnB,KAAK;QACL,UAAU;QACV,QAAQ;KACT,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAS,eAAe,CAAC,IAAgB;IACvC,uDAAuD;IACvD,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAC/B,MAAM,UAAU,GAAG,IAAI,CAAC;QACxB,MAAM,EAAE,IAAI,EAAE,GAAG,UAAU,CAAC;QAE5B,0EAA0E;QAC1E,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;YACtB,OAAO;gBACL,IAAI,EAAE,UAAU;gBAChB,MAAM,EAAE,MAAM;gBACd,KAAK,EAAE,QAAQ;gBACf,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,GAAG,EAAE,IAAI,CAAC,GAAG;aACd,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,8BAA8B,CACtC,uBAAuB,IAAI,0BAA0B,IAAI,qCAAqC,EAC9F,IAAI,CACL,CAAC;IACJ,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QACrC,MAAM,IAAI,8BAA8B,CACtC,kDAAkD,EAClD,IAAI,CACL,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC;IAExB,+BAA+B;IAC/B,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAC5C,MAAM,IAAI,8BAA8B,CACtC,uCAAuC,EACvC,UAAU,CAAC,MAAM,CAClB,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC;IACtC,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,MAAM,IAAI,8BAA8B,CACtC,iDAAiD,MAAM,GAAG,EAC1D,UAAU,CAAC,MAAM,CAClB,CAAC;IACJ,CAAC;IAED,sDAAsD;IACtD,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;QACxB,MAAM,IAAI,8BAA8B,CACtC,kEAAkE,EAClE,UAAU,CAAC,QAAQ,CACpB,CAAC;IACJ,CAAC;IAED,IAAI,UAAU,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAC9C,MAAM,IAAI,8BAA8B,CACtC,gCAAgC,EAChC,UAAU,CAAC,QAAQ,CACpB,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC;IAEvC,OAAO;QACL,IAAI,EAAE,UAAU;QAChB,MAAM,EAAE,OAAO;QACf,KAAK;QACL,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,GAAG,EAAE,IAAI,CAAC,GAAG;KACd,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAClB,GAA6B;IAE7B,MAAM,cAAc,GAAa,EAAE,CAAC;IACpC,MAAM,aAAa,GAAa,EAAE,CAAC;IACnC,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,IAAI,aAAa,GAAG,KAAK,CAAC;IAE1B,SAAS,IAAI,CAAC,IAA8B;QAC1C,QAAQ,IAAI,CAAC,IAAI,EAAE,CAAC;YAClB,KAAK,iBAAiB,CAAC,CAAC,CAAC;gBACvB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACxB,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBACzB,MAAM;YACR,CAAC;YAED,KAAK,SAAS,CAAC,CAAC,CAAC;gBACf,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACzB,MAAM;YACR,CAAC;YAED,KAAK,aAAa,CAAC,CAAC,CAAC;gBACnB,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;gBAC7B,MAAM;YACR,CAAC;YAED,KAAK,eAAe,CAAC,CAAC,CAAC;gBACrB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAChB,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBACjB,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IAED,SAAS,YAAY,CAAC,IAAkB;QACtC,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;YAC5B,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAChC,aAAa,GAAG,IAAI,CAAC;QACvB,CAAC;aAAM,CAAC;YACN,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;IAED,IAAI,CAAC,GAAG,CAAC,CAAC;IAEV,OAAO;QACL,cAAc,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,CAAC;QAC5C,aAAa,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC;QAC1C,QAAQ,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC;QAChC,aAAa;KACd,CAAC;AACJ,CAAC"}

package/dist/schema/models/authorizer/authorizer-expression-ast.d.ts ADDED Viewed

@@ -0,0 +1,159 @@
+/**
+ * AST node types for authorizer expressions.
+ *
+ * These represent the semantic structure of expressions like:
+ * - `model.id === userId`
+ * - `hasRole('admin')`
+ * - `hasSomeRole(['admin', 'moderator'])`
+ * - `model.id === userId || hasRole('admin')`
+ *
+ * The AST is produced by parsing with Acorn and converting from ESTree.
+ */
+/**
+ * Root expression node - the result of parsing an authorizer expression.
+ */
+export type AuthorizerExpressionNode = FieldComparisonNode | HasRoleNode | HasSomeRoleNode | BinaryLogicalNode;
+/**
+ * A field comparison expression: `left === right`
+ *
+ * Currently only supports strict equality (`===`).
+ *
+ * @example
+ * ```typescript
+ * // model.id === auth.userId
+ * {
+ *   type: 'fieldComparison',
+ *   operator: '===',
+ *   left: { type: 'fieldRef', source: 'model', field: 'id', ... },
+ *   right: { type: 'fieldRef', source: 'auth', field: 'userId', ... },
+ * }
+ * ```
+ */
+export interface FieldComparisonNode {
+    type: 'fieldComparison';
+    operator: '===';
+    left: FieldRefNode;
+    right: FieldRefNode;
+}
+/**
+ * A role check expression: `hasRole('roleName')`
+ *
+ * @example
+ * ```typescript
+ * // hasRole('admin')
+ * {
+ *   type: 'hasRole',
+ *   role: 'admin',
+ *   roleStart: 8,
+ *   roleEnd: 15,
+ * }
+ * ```
+ */
+export interface HasRoleNode {
+    type: 'hasRole';
+    /** The role name being checked */
+    role: string;
+    /** Start position of the role string in the source (for rename tracking) */
+    roleStart: number;
+    /** End position of the role string in the source (for rename tracking) */
+    roleEnd: number;
+}
+/**
+ * A role check expression for multiple roles: `hasSomeRole(['role1', 'role2'])`
+ *
+ * @example
+ * ```typescript
+ * // hasSomeRole(['admin', 'moderator'])
+ * {
+ *   type: 'hasSomeRole',
+ *   roles: ['admin', 'moderator'],
+ *   rolesStart: [13, 22],
+ *   rolesEnd: [20, 33],
+ * }
+ * ```
+ */
+export interface HasSomeRoleNode {
+    type: 'hasSomeRole';
+    /** The role names being checked */
+    roles: string[];
+    /** Start positions of each role string in the source (for rename tracking) */
+    rolesStart: number[];
+    /** End positions of each role string in the source (for rename tracking) */
+    rolesEnd: number[];
+}
+/**
+ * A binary logical expression: `left || right` or `left && right`
+ *
+ * @example
+ * ```typescript
+ * // model.id === auth.userId || auth.hasRole('admin')
+ * {
+ *   type: 'binaryLogical',
+ *   operator: '||',
+ *   left: { type: 'fieldComparison', ... },
+ *   right: { type: 'hasRole', ... },
+ * }
+ * ```
+ */
+export interface BinaryLogicalNode {
+    type: 'binaryLogical';
+    operator: '||' | '&&';
+    left: AuthorizerExpressionNode;
+    right: AuthorizerExpressionNode;
+}
+/**
+ * A reference to a field on either `model` or `auth`.
+ *
+ * @example
+ * ```typescript
+ * // model.id
+ * { type: 'fieldRef', source: 'model', field: 'id', start: 0, end: 8 }
+ *
+ * // userId - implicit auth context
+ * { type: 'fieldRef', source: 'auth', field: 'userId', start: 13, end: 19 }
+ * ```
+ */
+export interface FieldRefNode {
+    type: 'fieldRef';
+    /** The source object - either 'model' or 'auth' */
+    source: 'model' | 'auth';
+    /** The field name being accessed */
+    field: string;
+    /** Start position in the source (for rename tracking) */
+    start: number;
+    /** End position in the source (for rename tracking) */
+    end: number;
+}
+/**
+ * Information extracted from a parsed expression for dependency tracking.
+ */
+export interface AuthorizerExpressionInfo {
+    /** The parsed AST */
+    ast: AuthorizerExpressionNode;
+    /** Model field names referenced (e.g., ['id', 'authorId']) */
+    modelFieldRefs: string[];
+    /** Auth field names referenced (e.g., ['userId']) */
+    authFieldRefs: string[];
+    /** Role names referenced (e.g., ['admin', 'user']) */
+    roleRefs: string[];
+    /** Whether the expression requires the model instance */
+    requiresModel: boolean;
+}
+/**
+ * Position information for error reporting.
+ * Compatible with Acorn AST nodes which have start/end properties.
+ */
+export interface NodePosition {
+    start: number;
+    end: number;
+}
+/**
+ * Error thrown when parsing an authorizer expression fails.
+ */
+export declare class AuthorizerExpressionParseError extends Error {
+    readonly startPosition?: number;
+    readonly endPosition?: number;
+    constructor(message: string, position?: NodePosition);
+    constructor(message: string, startPosition?: number, endPosition?: number);
+}
+//# sourceMappingURL=authorizer-expression-ast.d.ts.map

package/dist/schema/models/authorizer/authorizer-expression-ast.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"authorizer-expression-ast.d.ts","sourceRoot":"","sources":["../../../../src/schema/models/authorizer/authorizer-expression-ast.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH;;GAEG;AACH,MAAM,MAAM,wBAAwB,GAChC,mBAAmB,GACnB,WAAW,GACX,eAAe,GACf,iBAAiB,CAAC;AAEtB;;;;;;;;;;;;;;;GAeG;AACH,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,iBAAiB,CAAC;IACxB,QAAQ,EAAE,KAAK,CAAC;IAChB,IAAI,EAAE,YAAY,CAAC;IACnB,KAAK,EAAE,YAAY,CAAC;CACrB;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,SAAS,CAAC;IAChB,kCAAkC;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,4EAA4E;IAC5E,SAAS,EAAE,MAAM,CAAC;IAClB,0EAA0E;IAC1E,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,aAAa,CAAC;IACpB,mCAAmC;IACnC,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,8EAA8E;IAC9E,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,4EAA4E;IAC5E,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,eAAe,CAAC;IACtB,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,IAAI,EAAE,wBAAwB,CAAC;IAC/B,KAAK,EAAE,wBAAwB,CAAC;CACjC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,UAAU,CAAC;IACjB,mDAAmD;IACnD,MAAM,EAAE,OAAO,GAAG,MAAM,CAAC;IACzB,oCAAoC;IACpC,KAAK,EAAE,MAAM,CAAC;IACd,yDAAyD;IACzD,KAAK,EAAE,MAAM,CAAC;IACd,uDAAuD;IACvD,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,qBAAqB;IACrB,GAAG,EAAE,wBAAwB,CAAC;IAC9B,8DAA8D;IAC9D,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,qDAAqD;IACrD,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,sDAAsD;IACtD,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,yDAAyD;IACzD,aAAa,EAAE,OAAO,CAAC;CACxB;AAED;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;GAEG;AACH,qBAAa,8BAA+B,SAAQ,KAAK;IACvD,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;gBAElB,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,YAAY;gBACxC,OAAO,EAAE,MAAM,EAAE,aAAa,CAAC,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM;CAiB1E"}

package/dist/schema/models/authorizer/authorizer-expression-ast.js ADDED Viewed

@@ -0,0 +1,31 @@
+/**
+ * AST node types for authorizer expressions.
+ *
+ * These represent the semantic structure of expressions like:
+ * - `model.id === userId`
+ * - `hasRole('admin')`
+ * - `hasSomeRole(['admin', 'moderator'])`
+ * - `model.id === userId || hasRole('admin')`
+ *
+ * The AST is produced by parsing with Acorn and converting from ESTree.
+ */
+/**
+ * Error thrown when parsing an authorizer expression fails.
+ */
+export class AuthorizerExpressionParseError extends Error {
+    startPosition;
+    endPosition;
+    constructor(message, positionOrStart, endPosition) {
+        super(message);
+        this.name = 'AuthorizerExpressionParseError';
+        if (typeof positionOrStart === 'object') {
+            this.startPosition = positionOrStart.start;
+            this.endPosition = positionOrStart.end;
+        }
+        else {
+            this.startPosition = positionOrStart;
+            this.endPosition = endPosition;
+        }
+    }
+}
+//# sourceMappingURL=authorizer-expression-ast.js.map

package/dist/schema/models/authorizer/authorizer-expression-ast.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"authorizer-expression-ast.js","sourceRoot":"","sources":["../../../../src/schema/models/authorizer/authorizer-expression-ast.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAwJH;;GAEG;AACH,MAAM,OAAO,8BAA+B,SAAQ,KAAK;IAC9C,aAAa,CAAU;IACvB,WAAW,CAAU;IAI9B,YACE,OAAe,EACf,eAAuC,EACvC,WAAoB;QAEpB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,gCAAgC,CAAC;QAE7C,IAAI,OAAO,eAAe,KAAK,QAAQ,EAAE,CAAC;YACxC,IAAI,CAAC,aAAa,GAAG,eAAe,CAAC,KAAK,CAAC;YAC3C,IAAI,CAAC,WAAW,GAAG,eAAe,CAAC,GAAG,CAAC;QACzC,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,aAAa,GAAG,eAAe,CAAC;YACrC,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QACjC,CAAC;IACH,CAAC;CACF"}

package/dist/schema/models/authorizer/authorizer-expression-parser.d.ts ADDED Viewed

@@ -0,0 +1,77 @@
+import { z } from 'zod';
+import type { RefExpressionDependency, RefExpressionWarning, ResolvedExpressionSlots } from '#src/references/expression-types.js';
+import { RefExpressionParser } from '#src/references/expression-types.js';
+import type { modelEntityType } from '../types.js';
+import type { AuthorizerExpressionInfo } from './authorizer-expression-ast.js';
+/**
+ * Expression parser for model authorizer role expressions.
+ *
+ * Parses expressions like:
+ * - `model.id === auth.userId` (ownership check)
+ * - `auth.hasRole('admin')` (global role check)
+ * - `model.id === auth.userId || auth.hasRole('admin')` (combined)
+ *
+ * Uses Acorn to parse JavaScript expressions and validates
+ * that only supported constructs are used.
+ *
+ * @example
+ * ```typescript
+ * const schema = z.object({
+ *   expression: ctx.withExpression(authorizerExpressionParser, { model: modelSlot }),
+ * });
+ * ```
+ */
+export declare class AuthorizerExpressionParser extends RefExpressionParser<string, AuthorizerExpressionInfo | undefined, {
+    model: typeof modelEntityType;
+}> {
+    readonly name = "authorizer-expression";
+    /**
+     * Zod schema for validating expression strings.
+     * Requires a non-empty string value.
+     */
+    readonly schema: z.ZodString;
+    /**
+     * Parse the expression string into an AST.
+     *
+     * @param value - The expression string
+     * @param _projectDef - The project definition (unused during parsing)
+     * @returns The parsed expression info, or undefined if parsing fails
+     */
+    parse(value: string): AuthorizerExpressionInfo | undefined;
+    /**
+     * Get validation warnings for the expression.
+     *
+     * Validates:
+     * - Syntax errors from parsing
+     * - Model field references exist
+     * - Auth field references are valid
+     * - Role names exist in project config (warning only)
+     */
+    getWarnings(value: string, parseResult: AuthorizerExpressionInfo | undefined, projectDef: unknown, resolvedSlots: ResolvedExpressionSlots<{
+        model: typeof modelEntityType;
+    }>): RefExpressionWarning[];
+    /**
+     * Get entity/field dependencies from the expression.
+     *
+     * Currently returns empty array as we don't yet track
+     * entity-level dependencies (just field names).
+     * Future: could track model field entity references for renames.
+     */
+    getDependencies(): RefExpressionDependency[];
+    /**
+     * Update the expression when dependencies are renamed.
+     *
+     * Currently returns value unchanged as we don't yet
+     * support field renames in expressions.
+     */
+    updateForRename(value: string): string;
+    /**
+     * Extract model context from the project definition container using resolved slots.
+     */
+    private getModelContext;
+}
+/**
+ * Singleton instance of AuthorizerExpressionParser.
+ */
+export declare const authorizerExpressionParser: AuthorizerExpressionParser;
+//# sourceMappingURL=authorizer-expression-parser.d.ts.map

package/dist/schema/models/authorizer/authorizer-expression-parser.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"authorizer-expression-parser.d.ts","sourceRoot":"","sources":["../../../../src/schema/models/authorizer/authorizer-expression-parser.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,OAAO,KAAK,EACV,uBAAuB,EACvB,oBAAoB,EACpB,uBAAuB,EACxB,MAAM,qCAAqC,CAAC;AAE7C,OAAO,EAAE,mBAAmB,EAAE,MAAM,qCAAqC,CAAC;AAE1E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,gCAAgC,CAAC;AAM/E;;;;;;;;;;;;;;;;;GAiBG;AACH,qBAAa,0BAA2B,SAAQ,mBAAmB,CACjE,MAAM,EACN,wBAAwB,GAAG,SAAS,EACpC;IAAE,KAAK,EAAE,OAAO,eAAe,CAAA;CAAE,CAClC;IACC,QAAQ,CAAC,IAAI,2BAA2B;IAExC;;;OAGG;IACH,QAAQ,CAAC,MAAM,cAA+C;IAE9D;;;;;;OAMG;IACH,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG,wBAAwB,GAAG,SAAS;IAY1D;;;;;;;;OAQG;IACH,WAAW,CACT,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,wBAAwB,GAAG,SAAS,EACjD,UAAU,EAAE,OAAO,EACnB,aAAa,EAAE,uBAAuB,CAAC;QAAE,KAAK,EAAE,OAAO,eAAe,CAAA;KAAE,CAAC,GACxE,oBAAoB,EAAE;IAuCzB;;;;;;OAMG;IACH,eAAe,IAAI,uBAAuB,EAAE;IAK5C;;;;;OAKG;IACH,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM;IAKtC;;OAEG;IACH,OAAO,CAAC,eAAe;CAyCxB;AAED;;GAEG;AACH,eAAO,MAAM,0BAA0B,4BAAmC,CAAC"}