@beesolve/iam-policy-ts 0.1.0

package/dist/helpers.d.ts

@@ -0,0 +1,17 @@
+import { iamActionCatalog } from "./catalog.js";
+export type IamActionCatalog = typeof iamActionCatalog;
+export type IamPolicyServicePrefix = keyof IamActionCatalog;
+export type IamPolicyActionNameByService<TService extends IamPolicyServicePrefix> = IamActionCatalog[TService][number];
+export type IamPolicyActionForService<TService extends IamPolicyServicePrefix> = `${TService}:${IamPolicyActionNameByService<TService>}`;
+export type IamHelperObject = {
+    [K in IamPolicyServicePrefix]: (action: IamPolicyActionNameByService<K>) => IamPolicyActionForService<K>;
+};
+/**
+ * Builds a fully qualified IAM action string with service-scoped autocomplete.
+ *
+ * @example
+ * iamAction("s3", "GetObject")    // "s3:GetObject"
+ * iamAction("kms", "Decrypt")     // "kms:Decrypt"
+ */
+export declare function iamAction<TService extends IamPolicyServicePrefix>(service: TService, action: IamPolicyActionNameByService<TService>): IamPolicyActionForService<TService>;
+//# sourceMappingURL=helpers.d.ts.map

package/dist/helpers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../src/helpers.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEhD,MAAM,MAAM,gBAAgB,GAAG,OAAO,gBAAgB,CAAC;AACvD,MAAM,MAAM,sBAAsB,GAAG,MAAM,gBAAgB,CAAC;AAC5D,MAAM,MAAM,4BAA4B,CACtC,QAAQ,SAAS,sBAAsB,IACrC,gBAAgB,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAC;AACvC,MAAM,MAAM,yBAAyB,CAAC,QAAQ,SAAS,sBAAsB,IAC3E,GAAG,QAAQ,IAAI,4BAA4B,CAAC,QAAQ,CAAC,EAAE,CAAC;AAE1D,MAAM,MAAM,eAAe,GAAG;KAC3B,CAAC,IAAI,sBAAsB,GAAG,CAC7B,MAAM,EAAE,4BAA4B,CAAC,CAAC,CAAC,KACpC,yBAAyB,CAAC,CAAC,CAAC;CAClC,CAAC;AAEF;;;;;;GAMG;AACH,wBAAgB,SAAS,CAAC,QAAQ,SAAS,sBAAsB,EAC/D,OAAO,EAAE,QAAQ,EACjB,MAAM,EAAE,4BAA4B,CAAC,QAAQ,CAAC,GAC7C,yBAAyB,CAAC,QAAQ,CAAC,CAErC"}

package/dist/helpers.js

@@ -0,0 +1,12 @@
+import { iamActionCatalog } from "./catalog.js";
+/**
+ * Builds a fully qualified IAM action string with service-scoped autocomplete.
+ *
+ * @example
+ * iamAction("s3", "GetObject")    // "s3:GetObject"
+ * iamAction("kms", "Decrypt")     // "kms:Decrypt"
+ */
+export function iamAction(service, action) {
+    return `${service}:${action}`;
+}
+//# sourceMappingURL=helpers.js.map

package/dist/index.d.ts

@@ -0,0 +1,5 @@
+export { iamActionCatalog, iamActionCatalogSourceUrl, iamActionCatalogSourceSha256, iamActionCatalogActionCount, iam, } from "./catalog.js";
+export { iamAction, type IamActionCatalog, type IamPolicyServicePrefix, type IamPolicyActionNameByService, type IamPolicyActionForService, type IamHelperObject, } from "./helpers.js";
+export { iamPolicyDocumentSchema, iamPolicyStatementSchema, iamPolicyDocumentStrictSchema, iamPolicyStatementStrictSchema, isIamPolicyDocument, isIamPolicyStatement, isIamPolicyDocumentStrict, assertIamPolicyDocument, assertIamPolicyDocumentStrict, type IamPolicyVersion, type IamPolicyScalar, type IamPolicyScalarList, type IamPolicyStringList, type IamPolicyPrincipalMap, type IamPolicyPrincipal, type IamPolicyConditionBlock, type IamPolicyStatement, type IamPolicyDocument, type IamPolicyStatementStrict, type IamPolicyDocumentStrict, } from "./schema.js";
+export { policyToTypescript } from "./render.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,yBAAyB,EACzB,4BAA4B,EAC5B,2BAA2B,EAC3B,GAAG,GACJ,MAAM,cAAc,CAAC;AAEtB,OAAO,EACL,SAAS,EACT,KAAK,gBAAgB,EACrB,KAAK,sBAAsB,EAC3B,KAAK,4BAA4B,EACjC,KAAK,yBAAyB,EAC9B,KAAK,eAAe,GACrB,MAAM,cAAc,CAAC;AAEtB,OAAO,EACL,uBAAuB,EACvB,wBAAwB,EACxB,6BAA6B,EAC7B,8BAA8B,EAC9B,mBAAmB,EACnB,oBAAoB,EACpB,yBAAyB,EACzB,uBAAuB,EACvB,6BAA6B,EAC7B,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACpB,KAAK,mBAAmB,EACxB,KAAK,mBAAmB,EACxB,KAAK,qBAAqB,EAC1B,KAAK,kBAAkB,EACvB,KAAK,uBAAuB,EAC5B,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,EACtB,KAAK,wBAAwB,EAC7B,KAAK,uBAAuB,GAC7B,MAAM,aAAa,CAAC;AAErB,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC"}

package/dist/index.js

@@ -0,0 +1,5 @@
+export { iamActionCatalog, iamActionCatalogSourceUrl, iamActionCatalogSourceSha256, iamActionCatalogActionCount, iam, } from "./catalog.js";
+export { iamAction, } from "./helpers.js";
+export { iamPolicyDocumentSchema, iamPolicyStatementSchema, iamPolicyDocumentStrictSchema, iamPolicyStatementStrictSchema, isIamPolicyDocument, isIamPolicyStatement, isIamPolicyDocumentStrict, assertIamPolicyDocument, assertIamPolicyDocumentStrict, } from "./schema.js";
+export { policyToTypescript } from "./render.js";
+//# sourceMappingURL=index.js.map

package/dist/render.d.ts

@@ -0,0 +1,20 @@
+import type { IamPolicyDocument } from "./schema.js";
+/**
+ * Renders an IAM policy document as TypeScript source code using `iam.*` helpers
+ * for known actions. Unknown actions are rendered as plain string literals.
+ *
+ * @example
+ * const ts = policyToTypescript({
+ *   Version: "2012-10-17",
+ *   Statement: [{
+ *     Effect: "Allow",
+ *     Action: ["s3:GetObject", "s3:ListBucket"],
+ *     Resource: "*",
+ *   }],
+ * });
+ * // Returns TypeScript source with iam.s3("GetObject"), iam.s3("ListBucket"), etc.
+ */
+export declare function policyToTypescript(policy: IamPolicyDocument, options?: {
+    indentLevel?: number;
+}): string;
+//# sourceMappingURL=render.d.ts.map

package/dist/render.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"render.d.ts","sourceRoot":"","sources":["../src/render.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,iBAAiB,EACzB,OAAO,CAAC,EAAE;IAAE,WAAW,CAAC,EAAE,MAAM,CAAA;CAAE,GACjC,MAAM,CAGR"}

package/dist/render.js

@@ -0,0 +1,102 @@
+import { iamActionCatalog } from "./catalog.js";
+/**
+ * Renders an IAM policy document as TypeScript source code using `iam.*` helpers
+ * for known actions. Unknown actions are rendered as plain string literals.
+ *
+ * @example
+ * const ts = policyToTypescript({
+ *   Version: "2012-10-17",
+ *   Statement: [{
+ *     Effect: "Allow",
+ *     Action: ["s3:GetObject", "s3:ListBucket"],
+ *     Resource: "*",
+ *   }],
+ * });
+ * // Returns TypeScript source with iam.s3("GetObject"), iam.s3("ListBucket"), etc.
+ */
+export function policyToTypescript(policy, options) {
+    const indentLevel = options?.indentLevel ?? 0;
+    return renderValue(policy, { indentLevel, parentPropertyName: undefined });
+}
+function renderValue(value, props) {
+    if (value === null) {
+        return "null";
+    }
+    if (value === undefined) {
+        return "undefined";
+    }
+    if (typeof value === "string") {
+        return renderStringValue(value, props);
+    }
+    if (typeof value === "number" || typeof value === "boolean") {
+        return JSON.stringify(value);
+    }
+    if (Array.isArray(value)) {
+        return renderArray(value, props);
+    }
+    if (isRecord(value)) {
+        return renderObject(value, props);
+    }
+    return JSON.stringify(value);
+}
+function renderStringValue(value, props) {
+    if (props.parentPropertyName === "Action" ||
+        props.parentPropertyName === "NotAction") {
+        return renderActionString(value);
+    }
+    return JSON.stringify(value);
+}
+function renderActionString(value) {
+    const separatorIndex = value.indexOf(":");
+    if (separatorIndex <= 0 || separatorIndex === value.length - 1) {
+        return JSON.stringify(value);
+    }
+    const servicePrefix = value.slice(0, separatorIndex);
+    const actionName = value.slice(separatorIndex + 1);
+    const knownActions = iamActionCatalog[servicePrefix];
+    if (knownActions == null || !knownActions.includes(actionName)) {
+        return JSON.stringify(value);
+    }
+    if (isIdentifierSafe(servicePrefix)) {
+        return `iam.${servicePrefix}(${JSON.stringify(actionName)})`;
+    }
+    return `iam[${JSON.stringify(servicePrefix)}](${JSON.stringify(actionName)})`;
+}
+function renderArray(value, props) {
+    if (value.length === 0) {
+        return "[]";
+    }
+    const indent = "  ".repeat(props.indentLevel);
+    const childIndent = "  ".repeat(props.indentLevel + 1);
+    const renderedItems = value.map((item) => renderValue(item, {
+        indentLevel: props.indentLevel + 1,
+        parentPropertyName: props.parentPropertyName,
+    }));
+    return `[\n${renderedItems.map((item) => `${childIndent}${item}`).join(",\n")}\n${indent}]`;
+}
+function renderObject(value, props) {
+    const entries = Object.entries(value).filter(([, entryValue]) => entryValue !== undefined);
+    if (entries.length === 0) {
+        return "{}";
+    }
+    const indent = "  ".repeat(props.indentLevel);
+    const childIndent = "  ".repeat(props.indentLevel + 1);
+    const renderedEntries = entries.map(([key, entryValue]) => {
+        const renderedValue = renderValue(entryValue, {
+            indentLevel: props.indentLevel + 1,
+            parentPropertyName: key,
+        });
+        return `${childIndent}${renderObjectKey(key)}: ${renderedValue}`;
+    });
+    return `{\n${renderedEntries.join(",\n")}\n${indent}}`;
+}
+function renderObjectKey(value) {
+    return isIdentifierSafe(value) ? value : JSON.stringify(value);
+}
+function isIdentifierSafe(value) {
+    return /^[A-Za-z_$][A-Za-z0-9_$]*$/u.test(value);
+}
+function isRecord(value) {
+    return (value != null && typeof value === "object" && Array.isArray(value) === false);
+}
+//# sourceMappingURL=render.js.map

package/dist/schema.d.ts

@@ -0,0 +1,269 @@
+import * as v from "valibot";
+declare const nonEmptyStringListSchema: v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>;
+declare const policyScalarSchema: v.UnionSchema<[v.StringSchema<undefined>, v.NumberSchema<undefined>, v.BooleanSchema<undefined>], undefined>;
+declare const policyScalarListSchema: v.UnionSchema<[v.UnionSchema<[v.StringSchema<undefined>, v.NumberSchema<undefined>, v.BooleanSchema<undefined>], undefined>, v.SchemaWithPipe<readonly [v.ArraySchema<v.UnionSchema<[v.StringSchema<undefined>, v.NumberSchema<undefined>, v.BooleanSchema<undefined>], undefined>, undefined>, v.MinLengthAction<(string | number | boolean)[], 1, undefined>]>], undefined>;
+declare const policyPrincipalMapSchema: v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>;
+declare const policyPrincipalSchema: v.UnionSchema<[v.LiteralSchema<"*", undefined>, v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>], undefined>;
+declare const policyConditionBlockSchema: v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.UnionSchema<[v.UnionSchema<[v.StringSchema<undefined>, v.NumberSchema<undefined>, v.BooleanSchema<undefined>], undefined>, v.SchemaWithPipe<readonly [v.ArraySchema<v.UnionSchema<[v.StringSchema<undefined>, v.NumberSchema<undefined>, v.BooleanSchema<undefined>], undefined>, undefined>, v.MinLengthAction<(string | number | boolean)[], 1, undefined>]>], undefined>, undefined>, undefined>;
+export declare const iamPolicyStatementSchema: v.StrictObjectSchema<{
+    readonly Sid: v.OptionalSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>;
+    readonly Effect: v.PicklistSchema<["Allow", "Deny"], undefined>;
+    readonly Action: v.OptionalSchema<v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>;
+    readonly NotAction: v.OptionalSchema<v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>;
+    readonly Resource: v.OptionalSchema<v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>;
+    readonly NotResource: v.OptionalSchema<v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>;
+    readonly Principal: v.OptionalSchema<v.UnionSchema<[v.LiteralSchema<"*", undefined>, v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>], undefined>, undefined>;
+    readonly NotPrincipal: v.OptionalSchema<v.UnionSchema<[v.LiteralSchema<"*", undefined>, v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>], undefined>, undefined>;
+    readonly Condition: v.OptionalSchema<v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.UnionSchema<[v.UnionSchema<[v.StringSchema<undefined>, v.NumberSchema<undefined>, v.BooleanSchema<undefined>], undefined>, v.SchemaWithPipe<readonly [v.ArraySchema<v.UnionSchema<[v.StringSchema<undefined>, v.NumberSchema<undefined>, v.BooleanSchema<undefined>], undefined>, undefined>, v.MinLengthAction<(string | number | boolean)[], 1, undefined>]>], undefined>, undefined>, undefined>, undefined>;
+}, undefined>;
+export declare const iamPolicyDocumentSchema: v.StrictObjectSchema<{
+    readonly Version: v.OptionalSchema<v.PicklistSchema<["2008-10-17", "2012-10-17"], undefined>, undefined>;
+    readonly Id: v.OptionalSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>;
+    readonly Statement: v.UnionSchema<[v.StrictObjectSchema<{
+        readonly Sid: v.OptionalSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>;
+        readonly Effect: v.PicklistSchema<["Allow", "Deny"], undefined>;
+        readonly Action: v.OptionalSchema<v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>;
+        readonly NotAction: v.OptionalSchema<v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>;
+        readonly Resource: v.OptionalSchema<v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>;
+        readonly NotResource: v.OptionalSchema<v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>;
+        readonly Principal: v.OptionalSchema<v.UnionSchema<[v.LiteralSchema<"*", undefined>, v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>], undefined>, undefined>;
+        readonly NotPrincipal: v.OptionalSchema<v.UnionSchema<[v.LiteralSchema<"*", undefined>, v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>], undefined>, undefined>;
+        readonly Condition: v.OptionalSchema<v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.UnionSchema<[v.UnionSchema<[v.StringSchema<undefined>, v.NumberSchema<undefined>, v.BooleanSchema<undefined>], undefined>, v.SchemaWithPipe<readonly [v.ArraySchema<v.UnionSchema<[v.StringSchema<undefined>, v.NumberSchema<undefined>, v.BooleanSchema<undefined>], undefined>, undefined>, v.MinLengthAction<(string | number | boolean)[], 1, undefined>]>], undefined>, undefined>, undefined>, undefined>;
+    }, undefined>, v.SchemaWithPipe<readonly [v.ArraySchema<v.StrictObjectSchema<{
+        readonly Sid: v.OptionalSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>;
+        readonly Effect: v.PicklistSchema<["Allow", "Deny"], undefined>;
+        readonly Action: v.OptionalSchema<v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>;
+        readonly NotAction: v.OptionalSchema<v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>;
+        readonly Resource: v.OptionalSchema<v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>;
+        readonly NotResource: v.OptionalSchema<v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>;
+        readonly Principal: v.OptionalSchema<v.UnionSchema<[v.LiteralSchema<"*", undefined>, v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>], undefined>, undefined>;
+        readonly NotPrincipal: v.OptionalSchema<v.UnionSchema<[v.LiteralSchema<"*", undefined>, v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>], undefined>, undefined>;
+        readonly Condition: v.OptionalSchema<v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.UnionSchema<[v.UnionSchema<[v.StringSchema<undefined>, v.NumberSchema<undefined>, v.BooleanSchema<undefined>], undefined>, v.SchemaWithPipe<readonly [v.ArraySchema<v.UnionSchema<[v.StringSchema<undefined>, v.NumberSchema<undefined>, v.BooleanSchema<undefined>], undefined>, undefined>, v.MinLengthAction<(string | number | boolean)[], 1, undefined>]>], undefined>, undefined>, undefined>, undefined>;
+    }, undefined>, undefined>, v.MinLengthAction<{
+        Sid?: string | undefined;
+        Effect: "Allow" | "Deny";
+        Action?: string | string[] | undefined;
+        NotAction?: string | string[] | undefined;
+        Resource?: string | string[] | undefined;
+        NotResource?: string | string[] | undefined;
+        Principal?: "*" | {
+            [x: string]: string | string[];
+        } | undefined;
+        NotPrincipal?: "*" | {
+            [x: string]: string | string[];
+        } | undefined;
+        Condition?: {
+            [x: string]: {
+                [x: string]: string | number | boolean | (string | number | boolean)[];
+            };
+        } | undefined;
+    }[], 1, undefined>]>], undefined>;
+}, undefined>;
+export type IamPolicyVersion = v.InferOutput<typeof iamPolicyDocumentSchema>["Version"];
+export type IamPolicyScalar = v.InferOutput<typeof policyScalarSchema>;
+export type IamPolicyScalarList = v.InferOutput<typeof policyScalarListSchema>;
+export type IamPolicyStringList = v.InferOutput<typeof nonEmptyStringListSchema>;
+export type IamPolicyPrincipalMap = v.InferOutput<typeof policyPrincipalMapSchema>;
+export type IamPolicyPrincipal = v.InferOutput<typeof policyPrincipalSchema>;
+export type IamPolicyConditionBlock = v.InferOutput<typeof policyConditionBlockSchema>;
+export type IamPolicyStatement = v.InferOutput<typeof iamPolicyStatementSchema>;
+export type IamPolicyDocument = v.InferOutput<typeof iamPolicyDocumentSchema>;
+/**
+ * Type guard: checks if a value is a valid IAM policy document.
+ */
+export declare function isIamPolicyDocument(value: unknown): value is IamPolicyDocument;
+/**
+ * Type guard: checks if a value is a valid IAM policy statement.
+ */
+export declare function isIamPolicyStatement(value: unknown): value is IamPolicyStatement;
+/**
+ * Parses and validates a value as an IAM policy document.
+ * Throws a ValiError if validation fails.
+ */
+export declare function assertIamPolicyDocument(value: unknown): IamPolicyDocument;
+/**
+ * Strict IAM policy statement schema that enforces grammar rules:
+ * - Must have exactly one of Action or NotAction
+ * - Must have exactly one of Resource or NotResource (for identity-based policies)
+ * - Cannot have both Action and NotAction
+ * - Cannot have both Resource and NotResource
+ */
+export declare const iamPolicyStatementStrictSchema: v.SchemaWithPipe<readonly [v.StrictObjectSchema<{
+    readonly Sid: v.OptionalSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>;
+    readonly Effect: v.PicklistSchema<["Allow", "Deny"], undefined>;
+    readonly Action: v.OptionalSchema<v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>;
+    readonly NotAction: v.OptionalSchema<v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>;
+    readonly Resource: v.OptionalSchema<v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>;
+    readonly NotResource: v.OptionalSchema<v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>;
+    readonly Principal: v.OptionalSchema<v.UnionSchema<[v.LiteralSchema<"*", undefined>, v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>], undefined>, undefined>;
+    readonly NotPrincipal: v.OptionalSchema<v.UnionSchema<[v.LiteralSchema<"*", undefined>, v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>], undefined>, undefined>;
+    readonly Condition: v.OptionalSchema<v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.UnionSchema<[v.UnionSchema<[v.StringSchema<undefined>, v.NumberSchema<undefined>, v.BooleanSchema<undefined>], undefined>, v.SchemaWithPipe<readonly [v.ArraySchema<v.UnionSchema<[v.StringSchema<undefined>, v.NumberSchema<undefined>, v.BooleanSchema<undefined>], undefined>, undefined>, v.MinLengthAction<(string | number | boolean)[], 1, undefined>]>], undefined>, undefined>, undefined>, undefined>;
+}, undefined>, v.CheckAction<{
+    Sid?: string | undefined;
+    Effect: "Allow" | "Deny";
+    Action?: string | string[] | undefined;
+    NotAction?: string | string[] | undefined;
+    Resource?: string | string[] | undefined;
+    NotResource?: string | string[] | undefined;
+    Principal?: "*" | {
+        [x: string]: string | string[];
+    } | undefined;
+    NotPrincipal?: "*" | {
+        [x: string]: string | string[];
+    } | undefined;
+    Condition?: {
+        [x: string]: {
+            [x: string]: string | number | boolean | (string | number | boolean)[];
+        };
+    } | undefined;
+}, "Statement must have exactly one of Action or NotAction.">, v.CheckAction<{
+    Sid?: string | undefined;
+    Effect: "Allow" | "Deny";
+    Action?: string | string[] | undefined;
+    NotAction?: string | string[] | undefined;
+    Resource?: string | string[] | undefined;
+    NotResource?: string | string[] | undefined;
+    Principal?: "*" | {
+        [x: string]: string | string[];
+    } | undefined;
+    NotPrincipal?: "*" | {
+        [x: string]: string | string[];
+    } | undefined;
+    Condition?: {
+        [x: string]: {
+            [x: string]: string | number | boolean | (string | number | boolean)[];
+        };
+    } | undefined;
+}, "Statement cannot have both Resource and NotResource.">]>;
+/**
+ * Strict IAM policy document schema that enforces grammar rules on each statement.
+ */
+export declare const iamPolicyDocumentStrictSchema: v.StrictObjectSchema<{
+    readonly Version: v.OptionalSchema<v.PicklistSchema<["2008-10-17", "2012-10-17"], undefined>, undefined>;
+    readonly Id: v.OptionalSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>;
+    readonly Statement: v.UnionSchema<[v.SchemaWithPipe<readonly [v.StrictObjectSchema<{
+        readonly Sid: v.OptionalSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>;
+        readonly Effect: v.PicklistSchema<["Allow", "Deny"], undefined>;
+        readonly Action: v.OptionalSchema<v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>;
+        readonly NotAction: v.OptionalSchema<v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>;
+        readonly Resource: v.OptionalSchema<v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>;
+        readonly NotResource: v.OptionalSchema<v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>;
+        readonly Principal: v.OptionalSchema<v.UnionSchema<[v.LiteralSchema<"*", undefined>, v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>], undefined>, undefined>;
+        readonly NotPrincipal: v.OptionalSchema<v.UnionSchema<[v.LiteralSchema<"*", undefined>, v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>], undefined>, undefined>;
+        readonly Condition: v.OptionalSchema<v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.UnionSchema<[v.UnionSchema<[v.StringSchema<undefined>, v.NumberSchema<undefined>, v.BooleanSchema<undefined>], undefined>, v.SchemaWithPipe<readonly [v.ArraySchema<v.UnionSchema<[v.StringSchema<undefined>, v.NumberSchema<undefined>, v.BooleanSchema<undefined>], undefined>, undefined>, v.MinLengthAction<(string | number | boolean)[], 1, undefined>]>], undefined>, undefined>, undefined>, undefined>;
+    }, undefined>, v.CheckAction<{
+        Sid?: string | undefined;
+        Effect: "Allow" | "Deny";
+        Action?: string | string[] | undefined;
+        NotAction?: string | string[] | undefined;
+        Resource?: string | string[] | undefined;
+        NotResource?: string | string[] | undefined;
+        Principal?: "*" | {
+            [x: string]: string | string[];
+        } | undefined;
+        NotPrincipal?: "*" | {
+            [x: string]: string | string[];
+        } | undefined;
+        Condition?: {
+            [x: string]: {
+                [x: string]: string | number | boolean | (string | number | boolean)[];
+            };
+        } | undefined;
+    }, "Statement must have exactly one of Action or NotAction.">, v.CheckAction<{
+        Sid?: string | undefined;
+        Effect: "Allow" | "Deny";
+        Action?: string | string[] | undefined;
+        NotAction?: string | string[] | undefined;
+        Resource?: string | string[] | undefined;
+        NotResource?: string | string[] | undefined;
+        Principal?: "*" | {
+            [x: string]: string | string[];
+        } | undefined;
+        NotPrincipal?: "*" | {
+            [x: string]: string | string[];
+        } | undefined;
+        Condition?: {
+            [x: string]: {
+                [x: string]: string | number | boolean | (string | number | boolean)[];
+            };
+        } | undefined;
+    }, "Statement cannot have both Resource and NotResource.">]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StrictObjectSchema<{
+        readonly Sid: v.OptionalSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>;
+        readonly Effect: v.PicklistSchema<["Allow", "Deny"], undefined>;
+        readonly Action: v.OptionalSchema<v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>;
+        readonly NotAction: v.OptionalSchema<v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>;
+        readonly Resource: v.OptionalSchema<v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>;
+        readonly NotResource: v.OptionalSchema<v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>;
+        readonly Principal: v.OptionalSchema<v.UnionSchema<[v.LiteralSchema<"*", undefined>, v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>], undefined>, undefined>;
+        readonly NotPrincipal: v.OptionalSchema<v.UnionSchema<[v.LiteralSchema<"*", undefined>, v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.UnionSchema<[v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.SchemaWithPipe<readonly [v.ArraySchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>, v.MinLengthAction<string[], 1, undefined>]>], undefined>, undefined>], undefined>, undefined>;
+        readonly Condition: v.OptionalSchema<v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.RecordSchema<v.SchemaWithPipe<readonly [v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, v.UnionSchema<[v.UnionSchema<[v.StringSchema<undefined>, v.NumberSchema<undefined>, v.BooleanSchema<undefined>], undefined>, v.SchemaWithPipe<readonly [v.ArraySchema<v.UnionSchema<[v.StringSchema<undefined>, v.NumberSchema<undefined>, v.BooleanSchema<undefined>], undefined>, undefined>, v.MinLengthAction<(string | number | boolean)[], 1, undefined>]>], undefined>, undefined>, undefined>, undefined>;
+    }, undefined>, v.CheckAction<{
+        Sid?: string | undefined;
+        Effect: "Allow" | "Deny";
+        Action?: string | string[] | undefined;
+        NotAction?: string | string[] | undefined;
+        Resource?: string | string[] | undefined;
+        NotResource?: string | string[] | undefined;
+        Principal?: "*" | {
+            [x: string]: string | string[];
+        } | undefined;
+        NotPrincipal?: "*" | {
+            [x: string]: string | string[];
+        } | undefined;
+        Condition?: {
+            [x: string]: {
+                [x: string]: string | number | boolean | (string | number | boolean)[];
+            };
+        } | undefined;
+    }, "Statement must have exactly one of Action or NotAction.">, v.CheckAction<{
+        Sid?: string | undefined;
+        Effect: "Allow" | "Deny";
+        Action?: string | string[] | undefined;
+        NotAction?: string | string[] | undefined;
+        Resource?: string | string[] | undefined;
+        NotResource?: string | string[] | undefined;
+        Principal?: "*" | {
+            [x: string]: string | string[];
+        } | undefined;
+        NotPrincipal?: "*" | {
+            [x: string]: string | string[];
+        } | undefined;
+        Condition?: {
+            [x: string]: {
+                [x: string]: string | number | boolean | (string | number | boolean)[];
+            };
+        } | undefined;
+    }, "Statement cannot have both Resource and NotResource.">]>, undefined>, v.MinLengthAction<{
+        Sid?: string | undefined;
+        Effect: "Allow" | "Deny";
+        Action?: string | string[] | undefined;
+        NotAction?: string | string[] | undefined;
+        Resource?: string | string[] | undefined;
+        NotResource?: string | string[] | undefined;
+        Principal?: "*" | {
+            [x: string]: string | string[];
+        } | undefined;
+        NotPrincipal?: "*" | {
+            [x: string]: string | string[];
+        } | undefined;
+        Condition?: {
+            [x: string]: {
+                [x: string]: string | number | boolean | (string | number | boolean)[];
+            };
+        } | undefined;
+    }[], 1, undefined>]>], undefined>;
+}, undefined>;
+export type IamPolicyStatementStrict = v.InferOutput<typeof iamPolicyStatementStrictSchema>;
+export type IamPolicyDocumentStrict = v.InferOutput<typeof iamPolicyDocumentStrictSchema>;
+/**
+ * Type guard: checks if a value is a valid IAM policy document
+ * with strict grammar enforcement.
+ */
+export declare function isIamPolicyDocumentStrict(value: unknown): value is IamPolicyDocumentStrict;
+/**
+ * Parses and validates a value as an IAM policy document with strict grammar rules.
+ * Throws a ValiError if validation fails.
+ */
+export declare function assertIamPolicyDocumentStrict(value: unknown): IamPolicyDocumentStrict;
+export {};
+//# sourceMappingURL=schema.d.ts.map

package/dist/schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../src/schema.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,SAAS,CAAC;AAG7B,QAAA,MAAM,wBAAwB,wTAG5B,CAAC;AACH,QAAA,MAAM,kBAAkB,8GAAiD,CAAC;AAC1E,QAAA,MAAM,sBAAsB,+WAG1B,CAAC;AACH,QAAA,MAAM,wBAAwB,gbAG7B,CAAC;AACF,QAAA,MAAM,qBAAqB,6eAGzB,CAAC;AACH,QAAA,MAAM,0BAA0B,+lBAG/B,CAAC;AAEF,eAAO,MAAM,wBAAwB;;;;;;;;;;aAUnC,CAAC;AAEH,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;aAOlC,CAAC;AAEH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,WAAW,CAC1C,OAAO,uBAAuB,CAC/B,CAAC,SAAS,CAAC,CAAC;AACb,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,WAAW,CAAC,OAAO,kBAAkB,CAAC,CAAC;AACvE,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,WAAW,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAC/E,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,WAAW,CAAC,OAAO,wBAAwB,CAAC,CAAC;AACjF,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,WAAW,CAC/C,OAAO,wBAAwB,CAChC,CAAC;AACF,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,WAAW,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAC7E,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,WAAW,CACjD,OAAO,0BAA0B,CAClC,CAAC;AACF,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,WAAW,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAChF,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,WAAW,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,OAAO,GACb,KAAK,IAAI,iBAAiB,CAE5B;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,OAAO,GACb,KAAK,IAAI,kBAAkB,CAE7B;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,OAAO,GAAG,iBAAiB,CAEzE;AAED;;;;;;GAMG;AACH,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;4DAqB1C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;aAOxC,CAAC;AAEH,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,WAAW,CAClD,OAAO,8BAA8B,CACtC,CAAC;AACF,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,WAAW,CACjD,OAAO,6BAA6B,CACrC,CAAC;AAEF;;;GAGG;AACH,wBAAgB,yBAAyB,CACvC,KAAK,EAAE,OAAO,GACb,KAAK,IAAI,uBAAuB,CAElC;AAED;;;GAGG;AACH,wBAAgB,6BAA6B,CAC3C,KAAK,EAAE,OAAO,GACb,uBAAuB,CAEzB"}

package/dist/schema.js

@@ -0,0 +1,103 @@
+import * as v from "valibot";
+const nonEmptyString = v.pipe(v.string(), v.nonEmpty());
+const nonEmptyStringListSchema = v.union([
+    nonEmptyString,
+    v.pipe(v.array(nonEmptyString), v.minLength(1)),
+]);
+const policyScalarSchema = v.union([v.string(), v.number(), v.boolean()]);
+const policyScalarListSchema = v.union([
+    policyScalarSchema,
+    v.pipe(v.array(policyScalarSchema), v.minLength(1)),
+]);
+const policyPrincipalMapSchema = v.record(nonEmptyString, nonEmptyStringListSchema);
+const policyPrincipalSchema = v.union([
+    v.literal("*"),
+    policyPrincipalMapSchema,
+]);
+const policyConditionBlockSchema = v.record(nonEmptyString, v.record(nonEmptyString, policyScalarListSchema));
+export const iamPolicyStatementSchema = v.strictObject({
+    Sid: v.optional(nonEmptyString),
+    Effect: v.picklist(["Allow", "Deny"]),
+    Action: v.optional(nonEmptyStringListSchema),
+    NotAction: v.optional(nonEmptyStringListSchema),
+    Resource: v.optional(nonEmptyStringListSchema),
+    NotResource: v.optional(nonEmptyStringListSchema),
+    Principal: v.optional(policyPrincipalSchema),
+    NotPrincipal: v.optional(policyPrincipalSchema),
+    Condition: v.optional(policyConditionBlockSchema),
+});
+export const iamPolicyDocumentSchema = v.strictObject({
+    Version: v.optional(v.picklist(["2008-10-17", "2012-10-17"])),
+    Id: v.optional(nonEmptyString),
+    Statement: v.union([
+        iamPolicyStatementSchema,
+        v.pipe(v.array(iamPolicyStatementSchema), v.minLength(1)),
+    ]),
+});
+/**
+ * Type guard: checks if a value is a valid IAM policy document.
+ */
+export function isIamPolicyDocument(value) {
+    return v.safeParse(iamPolicyDocumentSchema, value).success;
+}
+/**
+ * Type guard: checks if a value is a valid IAM policy statement.
+ */
+export function isIamPolicyStatement(value) {
+    return v.safeParse(iamPolicyStatementSchema, value).success;
+}
+/**
+ * Parses and validates a value as an IAM policy document.
+ * Throws a ValiError if validation fails.
+ */
+export function assertIamPolicyDocument(value) {
+    return v.parse(iamPolicyDocumentSchema, value);
+}
+/**
+ * Strict IAM policy statement schema that enforces grammar rules:
+ * - Must have exactly one of Action or NotAction
+ * - Must have exactly one of Resource or NotResource (for identity-based policies)
+ * - Cannot have both Action and NotAction
+ * - Cannot have both Resource and NotResource
+ */
+export const iamPolicyStatementStrictSchema = v.pipe(iamPolicyStatementSchema, v.check((statement) => {
+    const hasAction = statement.Action != null;
+    const hasNotAction = statement.NotAction != null;
+    if (hasAction && hasNotAction)
+        return false;
+    if (!hasAction && !hasNotAction)
+        return false;
+    return true;
+}, "Statement must have exactly one of Action or NotAction."), v.check((statement) => {
+    const hasResource = statement.Resource != null;
+    const hasNotResource = statement.NotResource != null;
+    if (hasResource && hasNotResource)
+        return false;
+    return true;
+}, "Statement cannot have both Resource and NotResource."));
+/**
+ * Strict IAM policy document schema that enforces grammar rules on each statement.
+ */
+export const iamPolicyDocumentStrictSchema = v.strictObject({
+    Version: v.optional(v.picklist(["2008-10-17", "2012-10-17"])),
+    Id: v.optional(nonEmptyString),
+    Statement: v.union([
+        iamPolicyStatementStrictSchema,
+        v.pipe(v.array(iamPolicyStatementStrictSchema), v.minLength(1)),
+    ]),
+});
+/**
+ * Type guard: checks if a value is a valid IAM policy document
+ * with strict grammar enforcement.
+ */
+export function isIamPolicyDocumentStrict(value) {
+    return v.safeParse(iamPolicyDocumentStrictSchema, value).success;
+}
+/**
+ * Parses and validates a value as an IAM policy document with strict grammar rules.
+ * Throws a ValiError if validation fails.
+ */
+export function assertIamPolicyDocumentStrict(value) {
+    return v.parse(iamPolicyDocumentStrictSchema, value);
+}
+//# sourceMappingURL=schema.js.map

package/package.json

@@ -0,0 +1,43 @@
+{
+  "name": "@beesolve/iam-policy-ts",
+  "version": "0.1.0",
+  "description": "Type-safe IAM policy helpers with auto-generated action catalog from AWS",
+  "type": "module",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "!dist/**/*.js.map"
+  ],
+  "scripts": {
+    "build": "rm -rf dist && tsc",
+    "typecheck": "tsc --noEmit",
+    "test": "rm -rf dist-test && tsc -p tsconfig.test.json --outDir dist-test && node --test dist-test/**/*.test.js",
+    "generate": "node scripts/generate-catalog.mjs",
+    "prepack": "npm run generate && npm run build"
+  },
+  "keywords": [
+    "aws",
+    "iam",
+    "policy",
+    "typescript",
+    "autocomplete",
+    "valibot"
+  ],
+  "author": "BeeSlove",
+  "license": "MIT",
+  "dependencies": {
+    "valibot": "^1.4.0"
+  },
+  "engines": {
+    "node": ">=24"
+  },
+  "devDependencies": {
+    "@types/node": "^25.7.0",
+    "typescript": "^6.0.3"
+  }
+}