@blimu/nestjs 1.1.3 → 1.2.0

package/dist/index.cjs

@@ -113,9 +113,9 @@ var BlimuForbiddenException = class _BlimuForbiddenException extends import_comm
 var import_backend = require("@blimu/backend");
 var ENTITLEMENT_KEY = "entitlement";
 var ENTITLEMENT_METADATA_KEY = /* @__PURE__ */ Symbol("entitlement");
-var SetEntitlementMetadata = (entitlementKey, getEntitlementInfo) => (0, import_common2.SetMetadata)(ENTITLEMENT_METADATA_KEY, {
+var SetEntitlementMetadata = (entitlementKey, entitlementCtxResolver) => (0, import_common2.SetMetadata)(ENTITLEMENT_METADATA_KEY, {
   entitlementKey,
-  getEntitlementInfo
+  entitlementCtxResolver
 });
 var EntitlementGuard = class {
   constructor(config, runtime) {
@@ -138,22 +138,36 @@ var EntitlementGuard = class {
     if (!userId) {
       throw new import_common2.ForbiddenException("User ID is required for entitlement check");
     }
-    const entitlementInfo = await metadata.getEntitlementInfo(request);
-    if (!entitlementInfo?.resourceId) {
+    let entitlementCtx;
+    if (metadata.entitlementCtxResolver) {
+      entitlementCtx = await metadata.entitlementCtxResolver(request);
+    } else if (this.config.defaultEntitlementCtxResolver) {
+      const resourceType = metadata.entitlementKey.split(":")[0] || "";
+      entitlementCtx = await this.config.defaultEntitlementCtxResolver(
+        {
+          entitlement: metadata.entitlementKey,
+          resourceType
+        },
+        request
+      );
+    } else {
+      throw new import_common2.ForbiddenException("No entitlement context resolver available");
+    }
+    if (!entitlementCtx?.resourceId) {
       throw new import_common2.ForbiddenException("Resource ID is required for entitlement check");
     }
     try {
       const result = await this.runtime.entitlements.checkEntitlement({
         userId,
         entitlement: metadata.entitlementKey,
-        resourceId: entitlementInfo.resourceId,
-        ...entitlementInfo.amount !== void 0 ? { amount: entitlementInfo.amount } : {}
+        resourceId: entitlementCtx.resourceId,
+        ...entitlementCtx.amount !== void 0 ? { amount: entitlementCtx.amount } : {}
       });
       if (!result.allowed) {
         throw new BlimuForbiddenException(
           result,
           metadata.entitlementKey,
-          entitlementInfo.resourceId,
+          entitlementCtx.resourceId,
           userId
         );
       }
@@ -243,6 +257,9 @@ var BlimuModule = class {
    *       environmentId: 'your-environment-id', // optional
    *       timeoutMs: 30000, // optional
    *       getUserId: (req) => req.user?.id, // required
+   *       defaultEntitlementCtxResolver: ({ entitlement, resourceType }, req) => ({
+   *         resourceId: req.params.resourceId,
+   *       }), // optional
    *     }),
    *   ],
    * })
@@ -280,7 +297,8 @@ var BlimuModule = class {
             baseURL: config.baseURL ?? DEFAULT_BASE_URL,
             environmentId: config.environmentId,
             timeoutMs: config.timeoutMs ?? 3e4,
-            getUserId: config.getUserId
+            getUserId: config.getUserId,
+            defaultEntitlementCtxResolver: config.defaultEntitlementCtxResolver
           }
         },
         {
@@ -323,6 +341,9 @@ var BlimuModule = class {
    *         environmentId: configService.get('BLIMU_ENVIRONMENT_ID'),
    *         timeoutMs: configService.get('BLIMU_TIMEOUT_MS'),
    *         getUserId: (req) => req.user?.id,
+   *         defaultEntitlementCtxResolver: (entitlementKey, req) => ({
+   *           resourceId: req.params.resourceId,
+   *         }),
    *       }),
    *       inject: [ConfigService],
    *     }),
@@ -393,7 +414,8 @@ var BlimuModule = class {
               baseURL: config.baseURL ?? DEFAULT_BASE_URL,
               environmentId: config.environmentId,
               timeoutMs: config.timeoutMs ?? 3e4,
-              getUserId: config.getUserId
+              getUserId: config.getUserId,
+              defaultEntitlementCtxResolver: config.defaultEntitlementCtxResolver
             };
           },
           ...options.inject ? { inject: options.inject } : {}
@@ -424,9 +446,9 @@ BlimuModule = __decorateClass([
 
 // src/decorators/entitlement.decorator.ts
 var import_common5 = require("@nestjs/common");
-var Entitlement = (entitlementKey, getEntitlementInfo) => {
+var Entitlement = (entitlementKey, entitlementCtxResolver) => {
   return (0, import_common5.applyDecorators)(
-    SetEntitlementMetadata(entitlementKey, getEntitlementInfo),
+    SetEntitlementMetadata(entitlementKey, entitlementCtxResolver),
     (0, import_common5.UseGuards)(EntitlementGuard)
   );
 };

package/dist/index.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/index.ts","../src/modules/blimu.module.ts","../src/config/blimu.config.ts","../src/guards/entitlement.guard.ts","../src/exceptions/blimu-forbidden.exception.ts","../src/services/jwk.service.ts","../src/decorators/entitlement.decorator.ts"],"sourcesContent":["// Main module\nexport * from './modules/blimu.module';\n\n// Configuration\nexport * from './config/blimu.config';\n\n// Guards\nexport * from './guards/entitlement.guard';\n\n// Decorators\nexport * from './decorators/entitlement.decorator';\n\n// Exceptions\nexport * from './exceptions/blimu-forbidden.exception';\n\n// Services\nexport * from './services';\n","import {\n  Module,\n  type DynamicModule,\n  type Type,\n  type ForwardReference,\n  type InjectionToken,\n  type OptionalFactoryDependency,\n} from '@nestjs/common';\n\nimport { BLIMU_CONFIG, type BlimuConfig } from '../config/blimu.config';\nimport { EntitlementGuard } from 'guards/entitlement.guard';\nimport { JWKService } from 'services/jwk.service';\nimport { Blimu } from '@blimu/backend';\n\nconst DEFAULT_BASE_URL = 'https://api.blimu.dev';\n\n/**\n * Blimu NestJS Module\n *\n * This module provides entitlement checking capabilities and Blimu Runtime SDK integration\n * for NestJS applications. It can be configured synchronously or asynchronously.\n */\n@Module({})\nexport class BlimuModule {\n  /**\n   * Configure the Blimu module with static configuration\n   *\n   * @param config - The Blimu configuration object\n   * @returns A configured dynamic module\n   *\n   * @example\n   * Basic usage with default Request type:\n   * ```typescript\n   * @Module({\n   *   imports: [\n   *     BlimuModule.forRoot({\n   *       apiKey: 'your-api-secret-key',\n   *       baseURL: 'https://api.blimu.dev', // optional\n   *       environmentId: 'your-environment-id', // optional\n   *       timeoutMs: 30000, // optional\n   *       getUserId: (req) => req.user?.id, // required\n   *     }),\n   *   ],\n   * })\n   * export class AppModule {}\n   * ```\n   *\n   * @example\n   * Usage with custom request type:\n   * ```typescript\n   * interface AuthenticatedRequest {\n   *   user: { id: string; email: string };\n   * }\n   *\n   * @Module({\n   *   imports: [\n   *     BlimuModule.forRoot<AuthenticatedRequest>({\n   *       apiKey: 'your-api-secret-key',\n   *       getUserId: (req) => req.user.id, // req is typed as AuthenticatedRequest\n   *     }),\n   *   ],\n   * })\n   * export class AppModule {}\n   * ```\n   */\n  static forRoot<TRequest = unknown>(config: BlimuConfig<TRequest>): DynamicModule {\n    return {\n      ...(config.global ? { global: true } : {}),\n      module: BlimuModule,\n      providers: [\n        // Register factory providers first so dependencies are available\n        {\n          provide: BLIMU_CONFIG,\n          useValue: {\n            apiKey: config.apiKey,\n            baseURL: config.baseURL ?? DEFAULT_BASE_URL,\n            environmentId: config.environmentId,\n            timeoutMs: config.timeoutMs ?? 30000,\n            getUserId: config.getUserId,\n          },\n        },\n        {\n          provide: Blimu,\n          useFactory: (config: BlimuConfig) => {\n            return new Blimu({\n              apiKey: config.apiKey,\n              baseURL: config.baseURL ?? DEFAULT_BASE_URL,\n              timeoutMs: config.timeoutMs ?? 30000,\n            });\n          },\n          inject: [BLIMU_CONFIG],\n        },\n        // Register class providers after their dependencies are available\n        EntitlementGuard,\n        JWKService,\n      ],\n      exports: [EntitlementGuard, Blimu, BLIMU_CONFIG, JWKService],\n    };\n  }\n\n  /**\n   * Configure the Blimu module with async configuration\n   *\n   * This is useful when you need to load configuration from environment variables,\n   * configuration services, or other async sources.\n   *\n   * @param options - Async configuration options\n   * @returns A configured dynamic module\n   *\n   * @example\n   * Using with ConfigService:\n   * ```typescript\n   * @Module({\n   *   imports: [\n   *     ConfigModule.forRoot(),\n   *     BlimuModule.forRootAsync({\n   *       useFactory: (configService: ConfigService) => ({\n   *         apiKey: configService.get('BLIMU_API_SECRET_KEY'),\n   *         baseURL: configService.get('BLIMU_BASE_URL'),\n   *         environmentId: configService.get('BLIMU_ENVIRONMENT_ID'),\n   *         timeoutMs: configService.get('BLIMU_TIMEOUT_MS'),\n   *         getUserId: (req) => req.user?.id,\n   *       }),\n   *       inject: [ConfigService],\n   *     }),\n   *   ],\n   * })\n   * export class AppModule {}\n   * ```\n   *\n   * @example\n   * Using with custom request type:\n   * ```typescript\n   * interface AuthenticatedRequest {\n   *   user: { id: string; email: string };\n   * }\n   *\n   * @Module({\n   *   imports: [\n   *     BlimuModule.forRootAsync<AuthenticatedRequest>({\n   *       useFactory: (configService: ConfigService) => ({\n   *         apiKey: configService.get('BLIMU_API_SECRET_KEY'),\n   *         getUserId: (req) => req.user.id, // req is typed as AuthenticatedRequest\n   *       }),\n   *       inject: [ConfigService],\n   *     }),\n   *   ],\n   * })\n   * export class AppModule {}\n   * ```\n   *\n   * @example\n   * Using with custom provider:\n   * ```typescript\n   * @Module({\n   *   imports: [\n   *     BlimuModule.forRootAsync({\n   *       imports: [MyConfigModule],\n   *       useFactory: async (myConfigService: MyConfigService) => {\n   *         const config = await myConfigService.getBlimuConfig();\n   *         return {\n   *           apiKey: config.apiKey,\n   *           baseURL: config.baseUrl,\n   *           environmentId: config.environmentId,\n   *           getUserId: (req) => req.user?.id,\n   *         };\n   *       },\n   *       inject: [MyConfigService],\n   *     }),\n   *   ],\n   * })\n   * export class AppModule {}\n   * ```\n   */\n  static forRootAsync<TRequest = unknown>(options: {\n    global?: boolean | undefined;\n    useFactory: (...args: unknown[]) => Promise<BlimuConfig<TRequest>> | BlimuConfig<TRequest>;\n    inject?: (InjectionToken | OptionalFactoryDependency)[];\n    imports?: (\n      | Type<unknown>\n      | DynamicModule\n      | Promise<DynamicModule>\n      | ForwardReference<() => Type<unknown>>\n    )[];\n  }): DynamicModule {\n    const additionalImports = options.imports ?? [];\n\n    const module = {\n      ...(options.global ? { global: true } : {}),\n      module: BlimuModule,\n      imports: [...additionalImports] as (\n        | Type<unknown>\n        | DynamicModule\n        | Promise<DynamicModule>\n        | ForwardReference\n      )[],\n      providers: [\n        // Register factory providers first so dependencies are available\n        {\n          provide: BLIMU_CONFIG,\n          useFactory: async (...args: unknown[]) => {\n            const configResult = options.useFactory(...args);\n            const config = configResult instanceof Promise ? await configResult : configResult;\n            return {\n              apiKey: config.apiKey,\n              baseURL: config.baseURL ?? DEFAULT_BASE_URL,\n              environmentId: config.environmentId,\n              timeoutMs: config.timeoutMs ?? 30000,\n              getUserId: config.getUserId,\n            };\n          },\n          ...(options.inject ? { inject: options.inject } : {}),\n        },\n        {\n          provide: Blimu,\n          useFactory: (config: BlimuConfig) => {\n            return new Blimu({\n              apiKey: config.apiKey,\n              baseURL: config.baseURL ?? DEFAULT_BASE_URL,\n              timeoutMs: config.timeoutMs ?? 30000,\n            });\n          },\n          inject: [BLIMU_CONFIG],\n        },\n        // Register class providers after their dependencies are available\n        EntitlementGuard,\n        JWKService,\n      ],\n      exports: [EntitlementGuard, Blimu, BLIMU_CONFIG, JWKService],\n    };\n    return module;\n  }\n}\n","/**\n * Configuration interface for Blimu NestJS integration\n */\nexport interface BlimuConfig<TRequest = unknown> {\n  global?: boolean | undefined;\n  /**\n   * The API secret key for authenticating with Blimu Runtime API\n   */\n  apiKey: string;\n\n  /**\n   * The base URL for the Blimu Runtime API\n   * @default 'https://api.blimu.dev'\n   */\n  baseURL?: string | undefined;\n\n  /**\n   * Environment ID for the Blimu environment\n   * This will be used in future versions for environment-specific configurations\n   */\n  environmentId?: string | undefined;\n\n  /**\n   * Request timeout in milliseconds\n   * @default 30000\n   */\n  timeoutMs?: number | undefined;\n\n  /**\n   * Function to extract user ID from the request\n   *\n   * This function is called by the EntitlementGuard to determine which user\n   * to check entitlements for. It should return the user ID as a string.\n   *\n   * @param request - The incoming HTTP request\n   * @returns The user ID as a string, or a Promise that resolves to the user ID\n   *\n   * @example\n   * ```typescript\n   * // Extract from JWT token in Authorization header\n   * getUserId: (req) => {\n   *   const token = req.headers.authorization?.replace('Bearer ', '');\n   *   const decoded = jwt.verify(token, secret);\n   *   return decoded.sub;\n   * }\n   *\n   * // Extract from request.user (common with Passport.js)\n   * getUserId: (req) => req.user?.id\n   *\n   * // Extract from custom header\n   * getUserId: (req) => req.headers['x-user-id']\n   * ```\n   */\n  getUserId: (request: TRequest) => string | Promise<string>;\n}\n\n/**\n * Injection token for Blimu configuration\n */\nexport const BLIMU_CONFIG = Symbol('BLIMU_CONFIG');\n","import {\n  type CanActivate,\n  type ExecutionContext,\n  ForbiddenException,\n  Injectable,\n  SetMetadata,\n  Inject,\n} from '@nestjs/common';\nimport 'reflect-metadata';\n\nimport type { EntitlementType } from '@blimu/types';\nimport { BlimuForbiddenException } from '../exceptions/blimu-forbidden.exception';\nimport { Blimu } from '@blimu/backend';\nimport { BLIMU_CONFIG, type BlimuConfig } from 'config/blimu.config';\n\nexport const ENTITLEMENT_KEY = 'entitlement';\nexport const ENTITLEMENT_METADATA_KEY = Symbol('entitlement');\n\n/**\n * Entitlement information returned by the getEntitlementInfo callback\n */\nexport interface EntitlementInfo {\n  resourceId: string;\n  amount?: number; // Amount to check against usage limit (for consumption)\n}\n\n/**\n * Metadata interface for entitlement checks\n */\nexport interface EntitlementMetadata<TRequest = unknown> {\n  entitlementKey: EntitlementType;\n  getEntitlementInfo: (request: TRequest) => EntitlementInfo | Promise<EntitlementInfo>;\n}\n\n/**\n * Sets entitlement metadata for a route handler\n * @internal This is used internally by the @Entitlement decorator\n */\nexport const SetEntitlementMetadata = <TRequest = unknown>(\n  entitlementKey: string,\n  getEntitlementInfo: (request: TRequest) => EntitlementInfo | Promise<EntitlementInfo>,\n): MethodDecorator =>\n  SetMetadata(ENTITLEMENT_METADATA_KEY, {\n    entitlementKey,\n    getEntitlementInfo,\n  } as EntitlementMetadata<TRequest>);\n\n/**\n * Guard that checks if the authenticated user has the required entitlement on a resource\n *\n * This guard automatically:\n * 1. Extracts the user from the request\n * 2. Extracts the resource ID using the provided extractor function\n * 3. Calls the Blimu Runtime API to check entitlements\n * 4. Allows or denies access based on the result\n */\n@Injectable()\nexport class EntitlementGuard<TRequest = unknown> implements CanActivate {\n  constructor(\n    @Inject(BLIMU_CONFIG)\n    private readonly config: BlimuConfig<TRequest>,\n    @Inject(Blimu)\n    private readonly runtime: Blimu,\n  ) {}\n\n  async canActivate(context: ExecutionContext): Promise<boolean> {\n    const request = context.switchToHttp().getRequest<TRequest>();\n    const handler = context.getHandler();\n    const metadata = Reflect.getMetadata(ENTITLEMENT_METADATA_KEY, handler) as\n      | EntitlementMetadata<TRequest>\n      | undefined;\n\n    if (!metadata) {\n      // No entitlement check required\n      return true;\n    }\n\n    // Extract user ID using the configured getUserId function\n    let userId: string;\n    try {\n      userId = await this.config.getUserId(request);\n    } catch {\n      throw new ForbiddenException('Failed to extract user ID from request');\n    }\n\n    if (!userId) {\n      throw new ForbiddenException('User ID is required for entitlement check');\n    }\n\n    // Extract entitlement info from request\n    const entitlementInfo = await metadata.getEntitlementInfo(request);\n\n    if (!entitlementInfo?.resourceId) {\n      throw new ForbiddenException('Resource ID is required for entitlement check');\n    }\n\n    try {\n      // Check entitlement\n      const result = await this.runtime.entitlements.checkEntitlement({\n        userId,\n        entitlement: metadata.entitlementKey,\n        resourceId: entitlementInfo.resourceId,\n        ...(entitlementInfo.amount !== undefined ? { amount: entitlementInfo.amount } : {}),\n      });\n\n      if (!result.allowed) {\n        throw new BlimuForbiddenException(\n          result,\n          metadata.entitlementKey,\n          entitlementInfo.resourceId,\n          userId,\n        );\n      }\n\n      return true;\n    } catch (error) {\n      if (error instanceof BlimuForbiddenException || error instanceof ForbiddenException) {\n        throw error;\n      }\n\n      // Log the error for debugging but don't expose internal details\n      console.error('Entitlement check failed:', error);\n      throw new ForbiddenException('Failed to verify entitlements');\n    }\n  }\n}\n","import { ForbiddenException } from '@nestjs/common';\nimport type { Schema } from '@blimu/backend';\nimport type { EntitlementType } from '@blimu/types';\n/**\n * Custom exception for Blimu entitlement check failures\n *\n * This exception extends NestJS's ForbiddenException and includes\n * the typed EntitlementCheckResult, providing detailed information\n * about why the entitlement check failed (roles, plans, limits, etc.)\n */\nexport class BlimuForbiddenException extends ForbiddenException {\n  /**\n   * The entitlement check result containing detailed failure information\n   */\n  public readonly entitlementResult: Schema.EntitlementCheckResult;\n\n  /**\n   * The entitlement key that was checked\n   */\n  public readonly entitlementKey: EntitlementType;\n\n  /**\n   * The resource ID that was checked\n   */\n  public readonly resourceId: string;\n\n  /**\n   * The user ID that was checked\n   */\n  public readonly userId: string;\n\n  constructor(\n    entitlementResult: Schema.EntitlementCheckResult,\n    entitlementKey: EntitlementType,\n    resourceId: string,\n    userId: string,\n  ) {\n    // Create a user-friendly message based on the failure reason\n    const message = BlimuForbiddenException.buildMessage(entitlementResult, entitlementKey);\n\n    super({\n      message,\n      entitlementResult,\n      entitlementKey,\n      resourceId,\n      userId,\n    });\n\n    this.entitlementResult = entitlementResult;\n    this.entitlementKey = entitlementKey;\n    this.resourceId = resourceId;\n    this.userId = userId;\n  }\n\n  /**\n   * Builds a user-friendly error message from the entitlement check result\n   */\n  private static buildMessage(\n    result: Schema.EntitlementCheckResult,\n    entitlementKey: EntitlementType,\n  ): string {\n    const reasons: string[] = [];\n\n    if (result.roles && !result.roles.allowed) {\n      reasons.push(\n        `Insufficient roles. Required: ${result.roles.allowedRoles?.join(', ') || 'unknown'}. User has: ${result.roles.userRoles?.join(', ') || 'none'}.`,\n      );\n    }\n\n    if (result.plans && !result.plans.allowed) {\n      reasons.push(\n        `Plan restriction. Required plans: ${result.plans.allowedPlans?.join(', ') || 'unknown'}. Current plan: ${result.plans.plan || 'none'}.`,\n      );\n    }\n\n    if (result.limit && !result.limit.allowed) {\n      reasons.push(`Usage limit exceeded. ${result.limit.reason || 'Limit has been reached'}.`);\n    }\n\n    if (reasons.length === 0) {\n      return `Access denied for entitlement: ${entitlementKey}`;\n    }\n\n    return `Access denied for entitlement \"${entitlementKey}\": ${reasons.join(' ')}`;\n  }\n}\n","import { Inject, Injectable, Logger } from '@nestjs/common';\nimport { TokenVerifier } from '@blimu/backend';\nimport { BLIMU_CONFIG, type BlimuConfig } from '../config/blimu.config';\n\n@Injectable()\nexport class JWKService {\n  private readonly logger = new Logger(JWKService.name);\n  private readonly tokenVerifier: TokenVerifier;\n\n  constructor(@Inject(BLIMU_CONFIG) private readonly config: BlimuConfig) {\n    this.tokenVerifier = new TokenVerifier({\n      runtimeApiUrl: this.config.baseURL,\n    });\n  }\n\n  /**\n   * Verify JWT token using JWKs from runtime-api\n   */\n  async verifyToken<T = unknown>(token: string): Promise<T> {\n    try {\n      this.logger.debug(\n        `🔍 Verifying token. Runtime API URL: ${this.config.baseURL}, API Key prefix: ${this.config.apiKey?.substring(0, 10)}...`,\n      );\n\n      const result = await this.tokenVerifier.verifyToken<T>({\n        secretKey: this.config.apiKey,\n        token,\n        runtimeApiUrl: this.config.baseURL,\n      });\n\n      this.logger.debug(`✅ Token verified successfully`);\n      return result;\n    } catch (error) {\n      const errorMessage = error instanceof Error ? error.message : String(error);\n      this.logger.error(`❌ Token verification failed: ${errorMessage}`);\n      if (error instanceof Error && error.stack) {\n        this.logger.error(`Stack trace: ${error.stack}`);\n      }\n      throw error;\n    }\n  }\n\n  /**\n   * Clear cache (useful for testing or key rotation)\n   */\n  clearCache(): void {\n    this.tokenVerifier.clearCache(this.config.apiKey);\n    this.logger.debug('JWK cache cleared');\n  }\n}\n","import { applyDecorators, UseGuards } from '@nestjs/common';\nimport {\n  EntitlementGuard,\n  SetEntitlementMetadata,\n  type EntitlementInfo,\n} from '../guards/entitlement.guard';\nimport type { EntitlementType } from '@blimu/types';\n\n/**\n * Decorator to check if the authenticated user has a specific entitlement on a resource.\n *\n * This decorator combines the entitlement metadata setting and guard application\n * to provide a clean, declarative way to protect routes with entitlement checks.\n *\n * @param entitlementKey - The entitlement key to check (e.g., 'brand:read', 'organization:create_workspace')\n * @param getEntitlementInfo - Function that returns entitlement information including resourceId and optionally amount for usage limits\n *\n * @example\n * Basic usage with path parameter:\n * ```typescript\n * @Get('/:resourceId')\n * @Entitlement('brand:read', (req) => ({ resourceId: req.params.resourceId }))\n * async getBrand(@Param('resourceId') resourceId: string) {\n *   // User is guaranteed to have 'brand:read' entitlement on this resource\n * }\n * ```\n *\n * @example\n * Using with typed parameters:\n * ```typescript\n * @Get('/:resourceType/:resourceId')\n * @Entitlement('workspace:delete', (req) => ({ resourceId: req.params.resourceId }))\n * async deleteResource(@Param() params: ResourceParamsDto) {\n *   // User is guaranteed to have 'workspace:delete' entitlement\n * }\n * ```\n *\n * @example\n * Complex resource ID extraction:\n * ```typescript\n * @Post('/organizations/:orgId/workspaces')\n * @Entitlement('organization:create_workspace', (req) => {\n *   const params = req.params as { orgId: string };\n *   return { resourceId: params.orgId };\n * })\n * async createWorkspace(@Param() params: CreateWorkspaceParamsDto, @Body() body: CreateWorkspaceDto) {\n *   // User is guaranteed to have 'organization:create_workspace' entitlement on the organization\n * }\n * ```\n *\n * @example\n * With usage limit consumption:\n * ```typescript\n * @Post('/api-calls')\n * @Entitlement('organization:make_api_call', (req) => ({\n *   resourceId: req.params.orgId,\n *   amount: req.body.apiCallsCount, // Amount to consume from usage limit\n * }))\n * async makeApiCalls(@Param('orgId') orgId: string, @Body() body: { apiCallsCount: number }) {\n *   // User is guaranteed to have 'organization:make_api_call' entitlement\n *   // and sufficient usage limit balance\n * }\n * ```\n *\n * @example\n * Async entitlement info extraction (e.g., from database):\n * ```typescript\n * @Delete('/items/:itemId')\n * @Entitlement('workspace:delete_item', async (req) => {\n *   // You could fetch the workspace ID from your database\n *   const item = await itemService.findById(req.params.itemId);\n *   return { resourceId: item.workspaceId };\n * })\n * async deleteItem(@Param('itemId') itemId: string) {\n *   // User is guaranteed to have 'workspace:delete_item' entitlement on the item's workspace\n * }\n * ```\n *\n * @example\n * Using with custom request type:\n * ```typescript\n * interface AuthenticatedRequest {\n *   user: { id: string; email: string };\n * }\n *\n * @Get('/:resourceId')\n * @Entitlement<AuthenticatedRequest>('brand:read', (req) => {\n *   // req is typed as AuthenticatedRequest, so req.user is properly typed\n *   console.log(req.user.email); // TypeScript knows this exists\n *   return { resourceId: req.params.resourceId };\n * })\n * async getBrand(@Param('resourceId') resourceId: string) {\n *   // User is guaranteed to have 'brand:read' entitlement on this resource\n * }\n * ```\n */\nexport const Entitlement = <TRequest = unknown>(\n  entitlementKey: EntitlementType,\n  getEntitlementInfo: (request: TRequest) => EntitlementInfo | Promise<EntitlementInfo>,\n): MethodDecorator => {\n  return applyDecorators(\n    SetEntitlementMetadata<TRequest>(entitlementKey, getEntitlementInfo),\n    UseGuards(EntitlementGuard),\n  );\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,IAAAA,iBAOO;;;ACoDA,IAAM,eAAe,uBAAO,cAAc;;;AC3DjD,IAAAC,iBAOO;AACP,8BAAO;;;ACRP,oBAAmC;AAU5B,IAAM,0BAAN,MAAM,iCAAgC,iCAAmB;AAAA;AAAA;AAAA;AAAA,EAI9C;AAAA;AAAA;AAAA;AAAA,EAKA;AAAA;AAAA;AAAA;AAAA,EAKA;AAAA;AAAA;AAAA;AAAA,EAKA;AAAA,EAEhB,YACE,mBACA,gBACA,YACA,QACA;AAEA,UAAM,UAAU,yBAAwB,aAAa,mBAAmB,cAAc;AAEtF,UAAM;AAAA,MACJ;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAED,SAAK,oBAAoB;AACzB,SAAK,iBAAiB;AACtB,SAAK,aAAa;AAClB,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA,EAKA,OAAe,aACb,QACA,gBACQ;AACR,UAAM,UAAoB,CAAC;AAE3B,QAAI,OAAO,SAAS,CAAC,OAAO,MAAM,SAAS;AACzC,cAAQ;AAAA,QACN,iCAAiC,OAAO,MAAM,cAAc,KAAK,IAAI,KAAK,SAAS,eAAe,OAAO,MAAM,WAAW,KAAK,IAAI,KAAK,MAAM;AAAA,MAChJ;AAAA,IACF;AAEA,QAAI,OAAO,SAAS,CAAC,OAAO,MAAM,SAAS;AACzC,cAAQ;AAAA,QACN,qCAAqC,OAAO,MAAM,cAAc,KAAK,IAAI,KAAK,SAAS,mBAAmB,OAAO,MAAM,QAAQ,MAAM;AAAA,MACvI;AAAA,IACF;AAEA,QAAI,OAAO,SAAS,CAAC,OAAO,MAAM,SAAS;AACzC,cAAQ,KAAK,yBAAyB,OAAO,MAAM,UAAU,wBAAwB,GAAG;AAAA,IAC1F;AAEA,QAAI,QAAQ,WAAW,GAAG;AACxB,aAAO,kCAAkC,cAAc;AAAA,IACzD;AAEA,WAAO,kCAAkC,cAAc,MAAM,QAAQ,KAAK,GAAG,CAAC;AAAA,EAChF;AACF;;;ADzEA,qBAAsB;AAGf,IAAM,kBAAkB;AACxB,IAAM,2BAA2B,uBAAO,aAAa;AAsBrD,IAAM,yBAAyB,CACpC,gBACA,2BAEA,4BAAY,0BAA0B;AAAA,EACpC;AAAA,EACA;AACF,CAAkC;AAY7B,IAAM,mBAAN,MAAkE;AAAA,EACvE,YAEmB,QAEA,SACjB;AAHiB;AAEA;AAAA,EAChB;AAAA,EAEH,MAAM,YAAY,SAA6C;AAC7D,UAAM,UAAU,QAAQ,aAAa,EAAE,WAAqB;AAC5D,UAAM,UAAU,QAAQ,WAAW;AACnC,UAAM,WAAW,QAAQ,YAAY,0BAA0B,OAAO;AAItE,QAAI,CAAC,UAAU;AAEb,aAAO;AAAA,IACT;AAGA,QAAI;AACJ,QAAI;AACF,eAAS,MAAM,KAAK,OAAO,UAAU,OAAO;AAAA,IAC9C,QAAQ;AACN,YAAM,IAAI,kCAAmB,wCAAwC;AAAA,IACvE;AAEA,QAAI,CAAC,QAAQ;AACX,YAAM,IAAI,kCAAmB,2CAA2C;AAAA,IAC1E;AAGA,UAAM,kBAAkB,MAAM,SAAS,mBAAmB,OAAO;AAEjE,QAAI,CAAC,iBAAiB,YAAY;AAChC,YAAM,IAAI,kCAAmB,+CAA+C;AAAA,IAC9E;AAEA,QAAI;AAEF,YAAM,SAAS,MAAM,KAAK,QAAQ,aAAa,iBAAiB;AAAA,QAC9D;AAAA,QACA,aAAa,SAAS;AAAA,QACtB,YAAY,gBAAgB;AAAA,QAC5B,GAAI,gBAAgB,WAAW,SAAY,EAAE,QAAQ,gBAAgB,OAAO,IAAI,CAAC;AAAA,MACnF,CAAC;AAED,UAAI,CAAC,OAAO,SAAS;AACnB,cAAM,IAAI;AAAA,UACR;AAAA,UACA,SAAS;AAAA,UACT,gBAAgB;AAAA,UAChB;AAAA,QACF;AAAA,MACF;AAEA,aAAO;AAAA,IACT,SAAS,OAAO;AACd,UAAI,iBAAiB,2BAA2B,iBAAiB,mCAAoB;AACnF,cAAM;AAAA,MACR;AAGA,cAAQ,MAAM,6BAA6B,KAAK;AAChD,YAAM,IAAI,kCAAmB,+BAA+B;AAAA,IAC9D;AAAA,EACF;AACF;AApEa,mBAAN;AAAA,MADN,2BAAW;AAAA,EAGP,8CAAO,YAAY;AAAA,EAEnB,8CAAO,oBAAK;AAAA,GAJJ;;;AEzDb,IAAAC,iBAA2C;AAC3C,IAAAC,kBAA8B;AAIvB,IAAM,aAAN,MAAiB;AAAA,EAItB,YAAmD,QAAqB;AAArB;AACjD,SAAK,gBAAgB,IAAI,8BAAc;AAAA,MACrC,eAAe,KAAK,OAAO;AAAA,IAC7B,CAAC;AAAA,EACH;AAAA,EAPiB,SAAS,IAAI,sBAAO,WAAW,IAAI;AAAA,EACnC;AAAA;AAAA;AAAA;AAAA,EAWjB,MAAM,YAAyB,OAA2B;AACxD,QAAI;AACF,WAAK,OAAO;AAAA,QACV,+CAAwC,KAAK,OAAO,OAAO,qBAAqB,KAAK,OAAO,QAAQ,UAAU,GAAG,EAAE,CAAC;AAAA,MACtH;AAEA,YAAM,SAAS,MAAM,KAAK,cAAc,YAAe;AAAA,QACrD,WAAW,KAAK,OAAO;AAAA,QACvB;AAAA,QACA,eAAe,KAAK,OAAO;AAAA,MAC7B,CAAC;AAED,WAAK,OAAO,MAAM,oCAA+B;AACjD,aAAO;AAAA,IACT,SAAS,OAAO;AACd,YAAM,eAAe,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAC1E,WAAK,OAAO,MAAM,qCAAgC,YAAY,EAAE;AAChE,UAAI,iBAAiB,SAAS,MAAM,OAAO;AACzC,aAAK,OAAO,MAAM,gBAAgB,MAAM,KAAK,EAAE;AAAA,MACjD;AACA,YAAM;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,aAAmB;AACjB,SAAK,cAAc,WAAW,KAAK,OAAO,MAAM;AAChD,SAAK,OAAO,MAAM,mBAAmB;AAAA,EACvC;AACF;AA5Ca,aAAN;AAAA,MADN,2BAAW;AAAA,EAKG,8CAAO,YAAY;AAAA,GAJrB;;;AJOb,IAAAC,kBAAsB;AAEtB,IAAM,mBAAmB;AASlB,IAAM,cAAN,MAAkB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA0CvB,OAAO,QAA4B,QAA8C;AAC/E,WAAO;AAAA,MACL,GAAI,OAAO,SAAS,EAAE,QAAQ,KAAK,IAAI,CAAC;AAAA,MACxC,QAAQ;AAAA,MACR,WAAW;AAAA;AAAA,QAET;AAAA,UACE,SAAS;AAAA,UACT,UAAU;AAAA,YACR,QAAQ,OAAO;AAAA,YACf,SAAS,OAAO,WAAW;AAAA,YAC3B,eAAe,OAAO;AAAA,YACtB,WAAW,OAAO,aAAa;AAAA,YAC/B,WAAW,OAAO;AAAA,UACpB;AAAA,QACF;AAAA,QACA;AAAA,UACE,SAAS;AAAA,UACT,YAAY,CAACC,YAAwB;AACnC,mBAAO,IAAI,sBAAM;AAAA,cACf,QAAQA,QAAO;AAAA,cACf,SAASA,QAAO,WAAW;AAAA,cAC3B,WAAWA,QAAO,aAAa;AAAA,YACjC,CAAC;AAAA,UACH;AAAA,UACA,QAAQ,CAAC,YAAY;AAAA,QACvB;AAAA;AAAA,QAEA;AAAA,QACA;AAAA,MACF;AAAA,MACA,SAAS,CAAC,kBAAkB,uBAAO,cAAc,UAAU;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4EA,OAAO,aAAiC,SAUtB;AAChB,UAAM,oBAAoB,QAAQ,WAAW,CAAC;AAE9C,UAAMC,UAAS;AAAA,MACb,GAAI,QAAQ,SAAS,EAAE,QAAQ,KAAK,IAAI,CAAC;AAAA,MACzC,QAAQ;AAAA,MACR,SAAS,CAAC,GAAG,iBAAiB;AAAA,MAM9B,WAAW;AAAA;AAAA,QAET;AAAA,UACE,SAAS;AAAA,UACT,YAAY,UAAU,SAAoB;AACxC,kBAAM,eAAe,QAAQ,WAAW,GAAG,IAAI;AAC/C,kBAAM,SAAS,wBAAwB,UAAU,MAAM,eAAe;AACtE,mBAAO;AAAA,cACL,QAAQ,OAAO;AAAA,cACf,SAAS,OAAO,WAAW;AAAA,cAC3B,eAAe,OAAO;AAAA,cACtB,WAAW,OAAO,aAAa;AAAA,cAC/B,WAAW,OAAO;AAAA,YACpB;AAAA,UACF;AAAA,UACA,GAAI,QAAQ,SAAS,EAAE,QAAQ,QAAQ,OAAO,IAAI,CAAC;AAAA,QACrD;AAAA,QACA;AAAA,UACE,SAAS;AAAA,UACT,YAAY,CAAC,WAAwB;AACnC,mBAAO,IAAI,sBAAM;AAAA,cACf,QAAQ,OAAO;AAAA,cACf,SAAS,OAAO,WAAW;AAAA,cAC3B,WAAW,OAAO,aAAa;AAAA,YACjC,CAAC;AAAA,UACH;AAAA,UACA,QAAQ,CAAC,YAAY;AAAA,QACvB;AAAA;AAAA,QAEA;AAAA,QACA;AAAA,MACF;AAAA,MACA,SAAS,CAAC,kBAAkB,uBAAO,cAAc,UAAU;AAAA,IAC7D;AACA,WAAOA;AAAA,EACT;AACF;AAjNa,cAAN;AAAA,MADN,uBAAO,CAAC,CAAC;AAAA,GACG;;;AKvBb,IAAAC,iBAA2C;AAgGpC,IAAM,cAAc,CACzB,gBACA,uBACoB;AACpB,aAAO;AAAA,IACL,uBAAiC,gBAAgB,kBAAkB;AAAA,QACnE,0BAAU,gBAAgB;AAAA,EAC5B;AACF;","names":["import_common","import_common","import_common","import_backend","import_backend","config","module","import_common"]}
+{"version":3,"sources":["../src/index.ts","../src/modules/blimu.module.ts","../src/config/blimu.config.ts","../src/guards/entitlement.guard.ts","../src/exceptions/blimu-forbidden.exception.ts","../src/services/jwk.service.ts","../src/decorators/entitlement.decorator.ts"],"sourcesContent":["// Main module\nexport * from './modules/blimu.module';\n\n// Configuration\nexport * from './config/blimu.config';\n\n// Guards\nexport * from './guards/entitlement.guard';\n\n// Decorators\nexport * from './decorators/entitlement.decorator';\n\n// Exceptions\nexport * from './exceptions/blimu-forbidden.exception';\n\n// Services\nexport * from './services';\n","import {\n  Module,\n  type DynamicModule,\n  type Type,\n  type ForwardReference,\n  type InjectionToken,\n  type OptionalFactoryDependency,\n} from '@nestjs/common';\n\nimport { BLIMU_CONFIG, type BlimuConfig } from '../config/blimu.config';\nimport { EntitlementGuard } from '../guards/entitlement.guard';\nimport { JWKService } from '../services/jwk.service';\nimport { Blimu } from '@blimu/backend';\n\nconst DEFAULT_BASE_URL = 'https://api.blimu.dev';\n\n/**\n * Blimu NestJS Module\n *\n * This module provides entitlement checking capabilities and Blimu Runtime SDK integration\n * for NestJS applications. It can be configured synchronously or asynchronously.\n */\n@Module({})\nexport class BlimuModule {\n  /**\n   * Configure the Blimu module with static configuration\n   *\n   * @param config - The Blimu configuration object\n   * @returns A configured dynamic module\n   *\n   * @example\n   * Basic usage with default Request type:\n   * ```typescript\n   * @Module({\n   *   imports: [\n   *     BlimuModule.forRoot({\n   *       apiKey: 'your-api-secret-key',\n   *       baseURL: 'https://api.blimu.dev', // optional\n   *       environmentId: 'your-environment-id', // optional\n   *       timeoutMs: 30000, // optional\n   *       getUserId: (req) => req.user?.id, // required\n   *       defaultEntitlementCtxResolver: ({ entitlement, resourceType }, req) => ({\n   *         resourceId: req.params.resourceId,\n   *       }), // optional\n   *     }),\n   *   ],\n   * })\n   * export class AppModule {}\n   * ```\n   *\n   * @example\n   * Usage with custom request type:\n   * ```typescript\n   * interface AuthenticatedRequest {\n   *   user: { id: string; email: string };\n   * }\n   *\n   * @Module({\n   *   imports: [\n   *     BlimuModule.forRoot<AuthenticatedRequest>({\n   *       apiKey: 'your-api-secret-key',\n   *       getUserId: (req) => req.user.id, // req is typed as AuthenticatedRequest\n   *     }),\n   *   ],\n   * })\n   * export class AppModule {}\n   * ```\n   */\n  static forRoot<TRequest = unknown>(config: BlimuConfig<TRequest>): DynamicModule {\n    return {\n      ...(config.global ? { global: true } : {}),\n      module: BlimuModule,\n      providers: [\n        // Register factory providers first so dependencies are available\n        {\n          provide: BLIMU_CONFIG,\n          useValue: {\n            apiKey: config.apiKey,\n            baseURL: config.baseURL ?? DEFAULT_BASE_URL,\n            environmentId: config.environmentId,\n            timeoutMs: config.timeoutMs ?? 30000,\n            getUserId: config.getUserId,\n            defaultEntitlementCtxResolver: config.defaultEntitlementCtxResolver,\n          },\n        },\n        {\n          provide: Blimu,\n          useFactory: (config: BlimuConfig) => {\n            return new Blimu({\n              apiKey: config.apiKey,\n              baseURL: config.baseURL ?? DEFAULT_BASE_URL,\n              timeoutMs: config.timeoutMs ?? 30000,\n            });\n          },\n          inject: [BLIMU_CONFIG],\n        },\n        // Register class providers after their dependencies are available\n        EntitlementGuard,\n        JWKService,\n      ],\n      exports: [EntitlementGuard, Blimu, BLIMU_CONFIG, JWKService],\n    };\n  }\n\n  /**\n   * Configure the Blimu module with async configuration\n   *\n   * This is useful when you need to load configuration from environment variables,\n   * configuration services, or other async sources.\n   *\n   * @param options - Async configuration options\n   * @returns A configured dynamic module\n   *\n   * @example\n   * Using with ConfigService:\n   * ```typescript\n   * @Module({\n   *   imports: [\n   *     ConfigModule.forRoot(),\n   *     BlimuModule.forRootAsync({\n   *       useFactory: (configService: ConfigService) => ({\n   *         apiKey: configService.get('BLIMU_API_SECRET_KEY'),\n   *         baseURL: configService.get('BLIMU_BASE_URL'),\n   *         environmentId: configService.get('BLIMU_ENVIRONMENT_ID'),\n   *         timeoutMs: configService.get('BLIMU_TIMEOUT_MS'),\n   *         getUserId: (req) => req.user?.id,\n   *         defaultEntitlementCtxResolver: (entitlementKey, req) => ({\n   *           resourceId: req.params.resourceId,\n   *         }),\n   *       }),\n   *       inject: [ConfigService],\n   *     }),\n   *   ],\n   * })\n   * export class AppModule {}\n   * ```\n   *\n   * @example\n   * Using with custom request type:\n   * ```typescript\n   * interface AuthenticatedRequest {\n   *   user: { id: string; email: string };\n   * }\n   *\n   * @Module({\n   *   imports: [\n   *     BlimuModule.forRootAsync<AuthenticatedRequest>({\n   *       useFactory: (configService: ConfigService) => ({\n   *         apiKey: configService.get('BLIMU_API_SECRET_KEY'),\n   *         getUserId: (req) => req.user.id, // req is typed as AuthenticatedRequest\n   *       }),\n   *       inject: [ConfigService],\n   *     }),\n   *   ],\n   * })\n   * export class AppModule {}\n   * ```\n   *\n   * @example\n   * Using with custom provider:\n   * ```typescript\n   * @Module({\n   *   imports: [\n   *     BlimuModule.forRootAsync({\n   *       imports: [MyConfigModule],\n   *       useFactory: async (myConfigService: MyConfigService) => {\n   *         const config = await myConfigService.getBlimuConfig();\n   *         return {\n   *           apiKey: config.apiKey,\n   *           baseURL: config.baseUrl,\n   *           environmentId: config.environmentId,\n   *           getUserId: (req) => req.user?.id,\n   *         };\n   *       },\n   *       inject: [MyConfigService],\n   *     }),\n   *   ],\n   * })\n   * export class AppModule {}\n   * ```\n   */\n  static forRootAsync<TRequest = unknown>(options: {\n    global?: boolean | undefined;\n    useFactory: (...args: unknown[]) => Promise<BlimuConfig<TRequest>> | BlimuConfig<TRequest>;\n    inject?: (InjectionToken | OptionalFactoryDependency)[];\n    imports?: (\n      | Type<unknown>\n      | DynamicModule\n      | Promise<DynamicModule>\n      | ForwardReference<() => Type<unknown>>\n    )[];\n  }): DynamicModule {\n    const additionalImports = options.imports ?? [];\n\n    const module = {\n      ...(options.global ? { global: true } : {}),\n      module: BlimuModule,\n      imports: [...additionalImports] as (\n        | Type<unknown>\n        | DynamicModule\n        | Promise<DynamicModule>\n        | ForwardReference\n      )[],\n      providers: [\n        // Register factory providers first so dependencies are available\n        {\n          provide: BLIMU_CONFIG,\n          useFactory: async (...args: unknown[]) => {\n            const configResult = options.useFactory(...args);\n            const config = configResult instanceof Promise ? await configResult : configResult;\n            return {\n              apiKey: config.apiKey,\n              baseURL: config.baseURL ?? DEFAULT_BASE_URL,\n              environmentId: config.environmentId,\n              timeoutMs: config.timeoutMs ?? 30000,\n              getUserId: config.getUserId,\n              defaultEntitlementCtxResolver: config.defaultEntitlementCtxResolver,\n            };\n          },\n          ...(options.inject ? { inject: options.inject } : {}),\n        },\n        {\n          provide: Blimu,\n          useFactory: (config: BlimuConfig) => {\n            return new Blimu({\n              apiKey: config.apiKey,\n              baseURL: config.baseURL ?? DEFAULT_BASE_URL,\n              timeoutMs: config.timeoutMs ?? 30000,\n            });\n          },\n          inject: [BLIMU_CONFIG],\n        },\n        // Register class providers after their dependencies are available\n        EntitlementGuard,\n        JWKService,\n      ],\n      exports: [EntitlementGuard, Blimu, BLIMU_CONFIG, JWKService],\n    };\n    return module;\n  }\n}\n","import type { EntitlementType } from '@blimu/types';\n/**\n * Configuration interface for Blimu NestJS integration\n */\nexport interface BlimuConfig<TRequest = unknown> {\n  global?: boolean | undefined;\n  /**\n   * The API secret key for authenticating with Blimu Runtime API\n   */\n  apiKey: string;\n\n  /**\n   * The base URL for the Blimu Runtime API\n   * @default 'https://api.blimu.dev'\n   */\n  baseURL?: string | undefined;\n\n  /**\n   * Environment ID for the Blimu environment\n   * This will be used in future versions for environment-specific configurations\n   */\n  environmentId?: string | undefined;\n\n  /**\n   * Request timeout in milliseconds\n   * @default 30000\n   */\n  timeoutMs?: number | undefined;\n\n  /**\n   * Function to extract user ID from the request\n   *\n   * This function is called by the EntitlementGuard to determine which user\n   * to check entitlements for. It should return the user ID as a string.\n   *\n   * @param request - The incoming HTTP request\n   * @returns The user ID as a string, or a Promise that resolves to the user ID\n   *\n   * @example\n   * ```typescript\n   * // Extract from JWT token in Authorization header\n   * getUserId: (req) => {\n   *   const token = req.headers.authorization?.replace('Bearer ', '');\n   *   const decoded = jwt.verify(token, secret);\n   *   return decoded.sub;\n   * }\n   *\n   * // Extract from request.user (common with Passport.js)\n   * getUserId: (req) => req.user?.id\n   *\n   * // Extract from custom header\n   * getUserId: (req) => req.headers['x-user-id']\n   * ```\n   */\n  getUserId: (request: TRequest) => string | Promise<string>;\n\n  /**\n   * Optional default entitlement context resolver for entitlement checks\n   *\n   * This function is used as a fallback when a decorator-specific resolver is not provided.\n   * It receives an object with the entitlement key and parsed resource type, along with the request,\n   * allowing for context-aware resolution.\n   *\n   * @param context - Object containing the entitlement and resource type (parsed from entitlement by splitting on ':')\n   * @param request - The incoming HTTP request\n   * @returns Entitlement context with resourceId and optionally amount, or a Promise that resolves to it\n   *\n   * @example\n   * ```typescript\n   * // Extract resourceId from path parameter\n   * defaultEntitlementCtxResolver: ({ entitlement, resourceType }, req) => ({\n   *   resourceId: req.params.resourceId,\n   * })\n   *\n   * // Context-aware resolution based on resource type\n   * defaultEntitlementCtxResolver: ({ resourceType }, req) => {\n   *   if (resourceType === 'organization') {\n   *     return { resourceId: req.params.orgId };\n   *   }\n   *   return { resourceId: req.params.resourceId };\n   * }\n   *\n   * // Extract from request body or query with amount for consumption\n   * defaultEntitlementCtxResolver: ({ entitlement, resourceType }, req) => ({\n   *   resourceId: req.body?.resourceId || req.query?.resourceId,\n   *   amount: req.body?.amount, // Amount to consume for usage-based entitlements\n   * })\n   * ```\n   */\n  defaultEntitlementCtxResolver?: (\n    context: { entitlement: EntitlementType; resourceType: string },\n    request: TRequest,\n  ) => { resourceId: string; amount?: number } | Promise<{ resourceId: string; amount?: number }> | undefined;\n}\n\n/**\n * Injection token for Blimu configuration\n */\nexport const BLIMU_CONFIG = Symbol('BLIMU_CONFIG');\n","import {\n  type CanActivate,\n  type ExecutionContext,\n  ForbiddenException,\n  Injectable,\n  SetMetadata,\n  Inject,\n} from '@nestjs/common';\nimport 'reflect-metadata';\n\nimport type { EntitlementType } from '@blimu/types';\nimport { BlimuForbiddenException } from '../exceptions/blimu-forbidden.exception';\nimport { Blimu } from '@blimu/backend';\nimport { BLIMU_CONFIG, type BlimuConfig } from '../config/blimu.config';\n\nexport const ENTITLEMENT_KEY = 'entitlement';\nexport const ENTITLEMENT_METADATA_KEY = Symbol('entitlement');\n\n/**\n * Entitlement context returned by the entitlementCtxResolver callback\n */\nexport interface EntitlementCtx {\n  resourceId: string;\n  amount?: number; // Amount to check against usage limit (for consumption)\n}\n\n/**\n * Metadata interface for entitlement checks\n */\nexport interface EntitlementMetadata<TRequest = unknown> {\n  entitlementKey: EntitlementType;\n  entitlementCtxResolver?: (request: TRequest) => EntitlementCtx | Promise<EntitlementCtx>;\n}\n\n/**\n * Sets entitlement metadata for a route handler\n * @internal This is used internally by the @Entitlement decorator\n */\nexport const SetEntitlementMetadata = <TRequest = unknown>(\n  entitlementKey: string,\n  entitlementCtxResolver?: (request: TRequest) => EntitlementCtx | Promise<EntitlementCtx>,\n): MethodDecorator =>\n  SetMetadata(ENTITLEMENT_METADATA_KEY, {\n    entitlementKey,\n    entitlementCtxResolver,\n  } as EntitlementMetadata<TRequest>);\n\n/**\n * Guard that checks if the authenticated user has the required entitlement on a resource\n *\n * This guard automatically:\n * 1. Extracts the user from the request\n * 2. Extracts the resource ID using the provided extractor function\n * 3. Calls the Blimu Runtime API to check entitlements\n * 4. Allows or denies access based on the result\n */\n@Injectable()\nexport class EntitlementGuard<TRequest = unknown> implements CanActivate {\n  constructor(\n    @Inject(BLIMU_CONFIG)\n    private readonly config: BlimuConfig<TRequest>,\n    @Inject(Blimu)\n    private readonly runtime: Blimu,\n  ) {}\n\n  async canActivate(context: ExecutionContext): Promise<boolean> {\n    const request = context.switchToHttp().getRequest<TRequest>();\n    const handler = context.getHandler();\n    const metadata = Reflect.getMetadata(ENTITLEMENT_METADATA_KEY, handler) as\n      | EntitlementMetadata<TRequest>\n      | undefined;\n\n    if (!metadata) {\n      // No entitlement check required\n      return true;\n    }\n\n    // Extract user ID using the configured getUserId function\n    let userId: string;\n    try {\n      userId = await this.config.getUserId(request);\n    } catch {\n      throw new ForbiddenException('Failed to extract user ID from request');\n    }\n\n    if (!userId) {\n      throw new ForbiddenException('User ID is required for entitlement check');\n    }\n\n    // Resolve entitlement context from request\n    // Priority: decorator resolver > default resolver > error\n    let entitlementCtx: EntitlementCtx | undefined;\n    if (metadata.entitlementCtxResolver) {\n      entitlementCtx = await metadata.entitlementCtxResolver(request);\n    } else if (this.config.defaultEntitlementCtxResolver) {\n      // Parse resourceType from entitlementKey (format: \"resourceType:action\")\n      const resourceType = metadata.entitlementKey.split(':')[0] || '';\n      entitlementCtx = await this.config.defaultEntitlementCtxResolver(\n        {\n          entitlement: metadata.entitlementKey,\n          resourceType,\n        },\n        request,\n      );\n    } else {\n      throw new ForbiddenException('No entitlement context resolver available');\n    }\n\n    if (!entitlementCtx?.resourceId) {\n      throw new ForbiddenException('Resource ID is required for entitlement check');\n    }\n\n    try {\n      // Check entitlement\n      const result = await this.runtime.entitlements.checkEntitlement({\n        userId,\n        entitlement: metadata.entitlementKey,\n        resourceId: entitlementCtx.resourceId,\n        ...(entitlementCtx.amount !== undefined ? { amount: entitlementCtx.amount } : {}),\n      });\n\n      if (!result.allowed) {\n        throw new BlimuForbiddenException(\n          result,\n          metadata.entitlementKey,\n          entitlementCtx.resourceId,\n          userId,\n        );\n      }\n\n      return true;\n    } catch (error) {\n      if (error instanceof BlimuForbiddenException || error instanceof ForbiddenException) {\n        throw error;\n      }\n\n      // Log the error for debugging but don't expose internal details\n      console.error('Entitlement check failed:', error);\n      throw new ForbiddenException('Failed to verify entitlements');\n    }\n  }\n}\n","import { ForbiddenException } from '@nestjs/common';\nimport type { Schema } from '@blimu/backend';\nimport type { EntitlementType } from '@blimu/types';\n/**\n * Custom exception for Blimu entitlement check failures\n *\n * This exception extends NestJS's ForbiddenException and includes\n * the typed EntitlementCheckResult, providing detailed information\n * about why the entitlement check failed (roles, plans, limits, etc.)\n */\nexport class BlimuForbiddenException extends ForbiddenException {\n  /**\n   * The entitlement check result containing detailed failure information\n   */\n  public readonly entitlementResult: Schema.EntitlementCheckResult;\n\n  /**\n   * The entitlement key that was checked\n   */\n  public readonly entitlementKey: EntitlementType;\n\n  /**\n   * The resource ID that was checked\n   */\n  public readonly resourceId: string;\n\n  /**\n   * The user ID that was checked\n   */\n  public readonly userId: string;\n\n  constructor(\n    entitlementResult: Schema.EntitlementCheckResult,\n    entitlementKey: EntitlementType,\n    resourceId: string,\n    userId: string,\n  ) {\n    // Create a user-friendly message based on the failure reason\n    const message = BlimuForbiddenException.buildMessage(entitlementResult, entitlementKey);\n\n    super({\n      message,\n      entitlementResult,\n      entitlementKey,\n      resourceId,\n      userId,\n    });\n\n    this.entitlementResult = entitlementResult;\n    this.entitlementKey = entitlementKey;\n    this.resourceId = resourceId;\n    this.userId = userId;\n  }\n\n  /**\n   * Builds a user-friendly error message from the entitlement check result\n   */\n  private static buildMessage(\n    result: Schema.EntitlementCheckResult,\n    entitlementKey: EntitlementType,\n  ): string {\n    const reasons: string[] = [];\n\n    if (result.roles && !result.roles.allowed) {\n      reasons.push(\n        `Insufficient roles. Required: ${result.roles.allowedRoles?.join(', ') || 'unknown'}. User has: ${result.roles.userRoles?.join(', ') || 'none'}.`,\n      );\n    }\n\n    if (result.plans && !result.plans.allowed) {\n      reasons.push(\n        `Plan restriction. Required plans: ${result.plans.allowedPlans?.join(', ') || 'unknown'}. Current plan: ${result.plans.plan || 'none'}.`,\n      );\n    }\n\n    if (result.limit && !result.limit.allowed) {\n      reasons.push(`Usage limit exceeded. ${result.limit.reason || 'Limit has been reached'}.`);\n    }\n\n    if (reasons.length === 0) {\n      return `Access denied for entitlement: ${entitlementKey}`;\n    }\n\n    return `Access denied for entitlement \"${entitlementKey}\": ${reasons.join(' ')}`;\n  }\n}\n","import { Inject, Injectable, Logger } from '@nestjs/common';\nimport { TokenVerifier } from '@blimu/backend';\nimport { BLIMU_CONFIG, type BlimuConfig } from '../config/blimu.config';\n\n@Injectable()\nexport class JWKService {\n  private readonly logger = new Logger(JWKService.name);\n  private readonly tokenVerifier: TokenVerifier;\n\n  constructor(@Inject(BLIMU_CONFIG) private readonly config: BlimuConfig) {\n    this.tokenVerifier = new TokenVerifier({\n      runtimeApiUrl: this.config.baseURL,\n    });\n  }\n\n  /**\n   * Verify JWT token using JWKs from runtime-api\n   */\n  async verifyToken<T = unknown>(token: string): Promise<T> {\n    try {\n      this.logger.debug(\n        `🔍 Verifying token. Runtime API URL: ${this.config.baseURL}, API Key prefix: ${this.config.apiKey?.substring(0, 10)}...`,\n      );\n\n      const result = await this.tokenVerifier.verifyToken<T>({\n        secretKey: this.config.apiKey,\n        token,\n        runtimeApiUrl: this.config.baseURL,\n      });\n\n      this.logger.debug(`✅ Token verified successfully`);\n      return result;\n    } catch (error) {\n      const errorMessage = error instanceof Error ? error.message : String(error);\n      this.logger.error(`❌ Token verification failed: ${errorMessage}`);\n      if (error instanceof Error && error.stack) {\n        this.logger.error(`Stack trace: ${error.stack}`);\n      }\n      throw error;\n    }\n  }\n\n  /**\n   * Clear cache (useful for testing or key rotation)\n   */\n  clearCache(): void {\n    this.tokenVerifier.clearCache(this.config.apiKey);\n    this.logger.debug('JWK cache cleared');\n  }\n}\n","import { applyDecorators, UseGuards } from '@nestjs/common';\nimport {\n  EntitlementGuard,\n  SetEntitlementMetadata,\n  type EntitlementCtx,\n} from '../guards/entitlement.guard';\nimport type { EntitlementType } from '@blimu/types';\n\n/**\n * Decorator to check if the authenticated user has a specific entitlement on a resource.\n *\n * This decorator combines the entitlement metadata setting and guard application\n * to provide a clean, declarative way to protect routes with entitlement checks.\n *\n * @param entitlementKey - The entitlement key to check (e.g., 'brand:read', 'organization:create_workspace')\n * @param entitlementCtxResolver - Optional function that returns entitlement context including resourceId and optionally amount for usage limits.\n *                                 If not provided, the default resolver from module configuration will be used.\n *\n * @example\n * Basic usage with path parameter:\n * ```typescript\n * @Get('/:resourceId')\n * @Entitlement('brand:read', (req) => ({ resourceId: req.params.resourceId }))\n * async getBrand(@Param('resourceId') resourceId: string) {\n *   // User is guaranteed to have 'brand:read' entitlement on this resource\n * }\n * ```\n *\n * @example\n * Using default resolver from module configuration:\n * ```typescript\n * // In module configuration:\n * BlimuModule.forRoot({\n *   // ... other config\n *   defaultEntitlementCtxResolver: ({ entitlement, resourceType }, req) => ({\n *     resourceId: req.params.resourceId,\n *   }),\n * })\n *\n * // In controller (no resolver needed):\n * @Get('/:resourceId')\n * @Entitlement('brand:read')\n * async getBrand(@Param('resourceId') resourceId: string) {\n *   // Uses default resolver from config\n * }\n * ```\n *\n * @example\n * Using with typed parameters:\n * ```typescript\n * @Get('/:resourceType/:resourceId')\n * @Entitlement('workspace:delete', (req) => ({ resourceId: req.params.resourceId }))\n * async deleteResource(@Param() params: ResourceParamsDto) {\n *   // User is guaranteed to have 'workspace:delete' entitlement\n * }\n * ```\n *\n * @example\n * Complex resource ID extraction:\n * ```typescript\n * @Post('/organizations/:orgId/workspaces')\n * @Entitlement('organization:create_workspace', (req) => {\n *   const params = req.params as { orgId: string };\n *   return { resourceId: params.orgId };\n * })\n * async createWorkspace(@Param() params: CreateWorkspaceParamsDto, @Body() body: CreateWorkspaceDto) {\n *   // User is guaranteed to have 'organization:create_workspace' entitlement on the organization\n * }\n * ```\n *\n * @example\n * With usage limit consumption:\n * ```typescript\n * @Post('/api-calls')\n * @Entitlement('organization:make_api_call', (req) => ({\n *   resourceId: req.params.orgId,\n *   amount: req.body.apiCallsCount, // Amount to consume from usage limit\n * }))\n * async makeApiCalls(@Param('orgId') orgId: string, @Body() body: { apiCallsCount: number }) {\n *   // User is guaranteed to have 'organization:make_api_call' entitlement\n *   // and sufficient usage limit balance\n * }\n * ```\n *\n * @example\n * Async resource context extraction (e.g., from database):\n * ```typescript\n * @Delete('/items/:itemId')\n * @Entitlement('workspace:delete_item', async (req) => {\n *   // You could fetch the workspace ID from your database\n *   const item = await itemService.findById(req.params.itemId);\n *   return { resourceId: item.workspaceId };\n * })\n * async deleteItem(@Param('itemId') itemId: string) {\n *   // User is guaranteed to have 'workspace:delete_item' entitlement on the item's workspace\n * }\n * ```\n *\n * @example\n * Using with custom request type:\n * ```typescript\n * interface AuthenticatedRequest {\n *   user: { id: string; email: string };\n * }\n *\n * @Get('/:resourceId')\n * @Entitlement<AuthenticatedRequest>('brand:read', (req) => {\n *   // req is typed as AuthenticatedRequest, so req.user is properly typed\n *   console.log(req.user.email); // TypeScript knows this exists\n *   return { resourceId: req.params.resourceId };\n * })\n * async getBrand(@Param('resourceId') resourceId: string) {\n *   // User is guaranteed to have 'brand:read' entitlement on this resource\n * }\n * ```\n */\n// eslint-disable-next-line @typescript-eslint/no-explicit-any\nexport const Entitlement = <TRequest = any>(\n  entitlementKey: EntitlementType,\n  entitlementCtxResolver?: (request: TRequest) => EntitlementCtx | Promise<EntitlementCtx>,\n): MethodDecorator => {\n  return applyDecorators(\n    SetEntitlementMetadata<TRequest>(entitlementKey, entitlementCtxResolver),\n    UseGuards(EntitlementGuard),\n  );\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,IAAAA,iBAOO;;;AC2FA,IAAM,eAAe,uBAAO,cAAc;;;AClGjD,IAAAC,iBAOO;AACP,8BAAO;;;ACRP,oBAAmC;AAU5B,IAAM,0BAAN,MAAM,iCAAgC,iCAAmB;AAAA;AAAA;AAAA;AAAA,EAI9C;AAAA;AAAA;AAAA;AAAA,EAKA;AAAA;AAAA;AAAA;AAAA,EAKA;AAAA;AAAA;AAAA;AAAA,EAKA;AAAA,EAEhB,YACE,mBACA,gBACA,YACA,QACA;AAEA,UAAM,UAAU,yBAAwB,aAAa,mBAAmB,cAAc;AAEtF,UAAM;AAAA,MACJ;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAED,SAAK,oBAAoB;AACzB,SAAK,iBAAiB;AACtB,SAAK,aAAa;AAClB,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA,EAKA,OAAe,aACb,QACA,gBACQ;AACR,UAAM,UAAoB,CAAC;AAE3B,QAAI,OAAO,SAAS,CAAC,OAAO,MAAM,SAAS;AACzC,cAAQ;AAAA,QACN,iCAAiC,OAAO,MAAM,cAAc,KAAK,IAAI,KAAK,SAAS,eAAe,OAAO,MAAM,WAAW,KAAK,IAAI,KAAK,MAAM;AAAA,MAChJ;AAAA,IACF;AAEA,QAAI,OAAO,SAAS,CAAC,OAAO,MAAM,SAAS;AACzC,cAAQ;AAAA,QACN,qCAAqC,OAAO,MAAM,cAAc,KAAK,IAAI,KAAK,SAAS,mBAAmB,OAAO,MAAM,QAAQ,MAAM;AAAA,MACvI;AAAA,IACF;AAEA,QAAI,OAAO,SAAS,CAAC,OAAO,MAAM,SAAS;AACzC,cAAQ,KAAK,yBAAyB,OAAO,MAAM,UAAU,wBAAwB,GAAG;AAAA,IAC1F;AAEA,QAAI,QAAQ,WAAW,GAAG;AACxB,aAAO,kCAAkC,cAAc;AAAA,IACzD;AAEA,WAAO,kCAAkC,cAAc,MAAM,QAAQ,KAAK,GAAG,CAAC;AAAA,EAChF;AACF;;;ADzEA,qBAAsB;AAGf,IAAM,kBAAkB;AACxB,IAAM,2BAA2B,uBAAO,aAAa;AAsBrD,IAAM,yBAAyB,CACpC,gBACA,+BAEA,4BAAY,0BAA0B;AAAA,EACpC;AAAA,EACA;AACF,CAAkC;AAY7B,IAAM,mBAAN,MAAkE;AAAA,EACvE,YAEmB,QAEA,SACjB;AAHiB;AAEA;AAAA,EAChB;AAAA,EAEH,MAAM,YAAY,SAA6C;AAC7D,UAAM,UAAU,QAAQ,aAAa,EAAE,WAAqB;AAC5D,UAAM,UAAU,QAAQ,WAAW;AACnC,UAAM,WAAW,QAAQ,YAAY,0BAA0B,OAAO;AAItE,QAAI,CAAC,UAAU;AAEb,aAAO;AAAA,IACT;AAGA,QAAI;AACJ,QAAI;AACF,eAAS,MAAM,KAAK,OAAO,UAAU,OAAO;AAAA,IAC9C,QAAQ;AACN,YAAM,IAAI,kCAAmB,wCAAwC;AAAA,IACvE;AAEA,QAAI,CAAC,QAAQ;AACX,YAAM,IAAI,kCAAmB,2CAA2C;AAAA,IAC1E;AAIA,QAAI;AACJ,QAAI,SAAS,wBAAwB;AACnC,uBAAiB,MAAM,SAAS,uBAAuB,OAAO;AAAA,IAChE,WAAW,KAAK,OAAO,+BAA+B;AAEpD,YAAM,eAAe,SAAS,eAAe,MAAM,GAAG,EAAE,CAAC,KAAK;AAC9D,uBAAiB,MAAM,KAAK,OAAO;AAAA,QACjC;AAAA,UACE,aAAa,SAAS;AAAA,UACtB;AAAA,QACF;AAAA,QACA;AAAA,MACF;AAAA,IACF,OAAO;AACL,YAAM,IAAI,kCAAmB,2CAA2C;AAAA,IAC1E;AAEA,QAAI,CAAC,gBAAgB,YAAY;AAC/B,YAAM,IAAI,kCAAmB,+CAA+C;AAAA,IAC9E;AAEA,QAAI;AAEF,YAAM,SAAS,MAAM,KAAK,QAAQ,aAAa,iBAAiB;AAAA,QAC9D;AAAA,QACA,aAAa,SAAS;AAAA,QACtB,YAAY,eAAe;AAAA,QAC3B,GAAI,eAAe,WAAW,SAAY,EAAE,QAAQ,eAAe,OAAO,IAAI,CAAC;AAAA,MACjF,CAAC;AAED,UAAI,CAAC,OAAO,SAAS;AACnB,cAAM,IAAI;AAAA,UACR;AAAA,UACA,SAAS;AAAA,UACT,eAAe;AAAA,UACf;AAAA,QACF;AAAA,MACF;AAEA,aAAO;AAAA,IACT,SAAS,OAAO;AACd,UAAI,iBAAiB,2BAA2B,iBAAiB,mCAAoB;AACnF,cAAM;AAAA,MACR;AAGA,cAAQ,MAAM,6BAA6B,KAAK;AAChD,YAAM,IAAI,kCAAmB,+BAA+B;AAAA,IAC9D;AAAA,EACF;AACF;AApFa,mBAAN;AAAA,MADN,2BAAW;AAAA,EAGP,8CAAO,YAAY;AAAA,EAEnB,8CAAO,oBAAK;AAAA,GAJJ;;;AEzDb,IAAAC,iBAA2C;AAC3C,IAAAC,kBAA8B;AAIvB,IAAM,aAAN,MAAiB;AAAA,EAItB,YAAmD,QAAqB;AAArB;AACjD,SAAK,gBAAgB,IAAI,8BAAc;AAAA,MACrC,eAAe,KAAK,OAAO;AAAA,IAC7B,CAAC;AAAA,EACH;AAAA,EAPiB,SAAS,IAAI,sBAAO,WAAW,IAAI;AAAA,EACnC;AAAA;AAAA;AAAA;AAAA,EAWjB,MAAM,YAAyB,OAA2B;AACxD,QAAI;AACF,WAAK,OAAO;AAAA,QACV,+CAAwC,KAAK,OAAO,OAAO,qBAAqB,KAAK,OAAO,QAAQ,UAAU,GAAG,EAAE,CAAC;AAAA,MACtH;AAEA,YAAM,SAAS,MAAM,KAAK,cAAc,YAAe;AAAA,QACrD,WAAW,KAAK,OAAO;AAAA,QACvB;AAAA,QACA,eAAe,KAAK,OAAO;AAAA,MAC7B,CAAC;AAED,WAAK,OAAO,MAAM,oCAA+B;AACjD,aAAO;AAAA,IACT,SAAS,OAAO;AACd,YAAM,eAAe,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAC1E,WAAK,OAAO,MAAM,qCAAgC,YAAY,EAAE;AAChE,UAAI,iBAAiB,SAAS,MAAM,OAAO;AACzC,aAAK,OAAO,MAAM,gBAAgB,MAAM,KAAK,EAAE;AAAA,MACjD;AACA,YAAM;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,aAAmB;AACjB,SAAK,cAAc,WAAW,KAAK,OAAO,MAAM;AAChD,SAAK,OAAO,MAAM,mBAAmB;AAAA,EACvC;AACF;AA5Ca,aAAN;AAAA,MADN,2BAAW;AAAA,EAKG,8CAAO,YAAY;AAAA,GAJrB;;;AJOb,IAAAC,kBAAsB;AAEtB,IAAM,mBAAmB;AASlB,IAAM,cAAN,MAAkB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA6CvB,OAAO,QAA4B,QAA8C;AAC/E,WAAO;AAAA,MACL,GAAI,OAAO,SAAS,EAAE,QAAQ,KAAK,IAAI,CAAC;AAAA,MACxC,QAAQ;AAAA,MACR,WAAW;AAAA;AAAA,QAET;AAAA,UACE,SAAS;AAAA,UACT,UAAU;AAAA,YACR,QAAQ,OAAO;AAAA,YACf,SAAS,OAAO,WAAW;AAAA,YAC3B,eAAe,OAAO;AAAA,YACtB,WAAW,OAAO,aAAa;AAAA,YAC/B,WAAW,OAAO;AAAA,YAClB,+BAA+B,OAAO;AAAA,UACxC;AAAA,QACF;AAAA,QACA;AAAA,UACE,SAAS;AAAA,UACT,YAAY,CAACC,YAAwB;AACnC,mBAAO,IAAI,sBAAM;AAAA,cACf,QAAQA,QAAO;AAAA,cACf,SAASA,QAAO,WAAW;AAAA,cAC3B,WAAWA,QAAO,aAAa;AAAA,YACjC,CAAC;AAAA,UACH;AAAA,UACA,QAAQ,CAAC,YAAY;AAAA,QACvB;AAAA;AAAA,QAEA;AAAA,QACA;AAAA,MACF;AAAA,MACA,SAAS,CAAC,kBAAkB,uBAAO,cAAc,UAAU;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA+EA,OAAO,aAAiC,SAUtB;AAChB,UAAM,oBAAoB,QAAQ,WAAW,CAAC;AAE9C,UAAMC,UAAS;AAAA,MACb,GAAI,QAAQ,SAAS,EAAE,QAAQ,KAAK,IAAI,CAAC;AAAA,MACzC,QAAQ;AAAA,MACR,SAAS,CAAC,GAAG,iBAAiB;AAAA,MAM9B,WAAW;AAAA;AAAA,QAET;AAAA,UACE,SAAS;AAAA,UACT,YAAY,UAAU,SAAoB;AACxC,kBAAM,eAAe,QAAQ,WAAW,GAAG,IAAI;AAC/C,kBAAM,SAAS,wBAAwB,UAAU,MAAM,eAAe;AACtE,mBAAO;AAAA,cACL,QAAQ,OAAO;AAAA,cACf,SAAS,OAAO,WAAW;AAAA,cAC3B,eAAe,OAAO;AAAA,cACtB,WAAW,OAAO,aAAa;AAAA,cAC/B,WAAW,OAAO;AAAA,cAClB,+BAA+B,OAAO;AAAA,YACxC;AAAA,UACF;AAAA,UACA,GAAI,QAAQ,SAAS,EAAE,QAAQ,QAAQ,OAAO,IAAI,CAAC;AAAA,QACrD;AAAA,QACA;AAAA,UACE,SAAS;AAAA,UACT,YAAY,CAAC,WAAwB;AACnC,mBAAO,IAAI,sBAAM;AAAA,cACf,QAAQ,OAAO;AAAA,cACf,SAAS,OAAO,WAAW;AAAA,cAC3B,WAAW,OAAO,aAAa;AAAA,YACjC,CAAC;AAAA,UACH;AAAA,UACA,QAAQ,CAAC,YAAY;AAAA,QACvB;AAAA;AAAA,QAEA;AAAA,QACA;AAAA,MACF;AAAA,MACA,SAAS,CAAC,kBAAkB,uBAAO,cAAc,UAAU;AAAA,IAC7D;AACA,WAAOA;AAAA,EACT;AACF;AAzNa,cAAN;AAAA,MADN,uBAAO,CAAC,CAAC;AAAA,GACG;;;AKvBb,IAAAC,iBAA2C;AAqHpC,IAAM,cAAc,CACzB,gBACA,2BACoB;AACpB,aAAO;AAAA,IACL,uBAAiC,gBAAgB,sBAAsB;AAAA,QACvE,0BAAU,gBAAgB;AAAA,EAC5B;AACF;","names":["import_common","import_common","import_common","import_backend","import_backend","config","module","import_common"]}

package/dist/index.d.cts

@@ -1,9 +1,73 @@
-export { BlimuModule } from './modules/blimu.module.cjs';
-export { BLIMU_CONFIG, BlimuConfig } from './config/blimu.config.cjs';
-export { ENTITLEMENT_KEY, ENTITLEMENT_METADATA_KEY, EntitlementGuard, EntitlementInfo, EntitlementMetadata, SetEntitlementMetadata } from './guards/entitlement.guard.cjs';
-export { Entitlement } from './decorators/entitlement.decorator.cjs';
-export { BlimuForbiddenException } from './exceptions/blimu-forbidden.exception.cjs';
-export { JWKService } from './services/jwk.service.cjs';
-import '@nestjs/common';
-import '@blimu/types';
-import '@blimu/backend';
+import { DynamicModule, InjectionToken, OptionalFactoryDependency, Type, ForwardReference, CanActivate, ExecutionContext, ForbiddenException } from '@nestjs/common';
+import { EntitlementType } from '@blimu/types';
+import { Blimu, Schema } from '@blimu/backend';
+
+interface BlimuConfig<TRequest = unknown> {
+    global?: boolean | undefined;
+    apiKey: string;
+    baseURL?: string | undefined;
+    environmentId?: string | undefined;
+    timeoutMs?: number | undefined;
+    getUserId: (request: TRequest) => string | Promise<string>;
+    defaultEntitlementCtxResolver?: (context: {
+        entitlement: EntitlementType;
+        resourceType: string;
+    }, request: TRequest) => {
+        resourceId: string;
+        amount?: number;
+    } | Promise<{
+        resourceId: string;
+        amount?: number;
+    }> | undefined;
+}
+declare const BLIMU_CONFIG: unique symbol;
+
+declare class BlimuModule {
+    static forRoot<TRequest = unknown>(config: BlimuConfig<TRequest>): DynamicModule;
+    static forRootAsync<TRequest = unknown>(options: {
+        global?: boolean | undefined;
+        useFactory: (...args: unknown[]) => Promise<BlimuConfig<TRequest>> | BlimuConfig<TRequest>;
+        inject?: (InjectionToken | OptionalFactoryDependency)[];
+        imports?: (Type<unknown> | DynamicModule | Promise<DynamicModule> | ForwardReference<() => Type<unknown>>)[];
+    }): DynamicModule;
+}
+
+declare const ENTITLEMENT_KEY = "entitlement";
+declare const ENTITLEMENT_METADATA_KEY: unique symbol;
+interface EntitlementCtx {
+    resourceId: string;
+    amount?: number;
+}
+interface EntitlementMetadata<TRequest = unknown> {
+    entitlementKey: EntitlementType;
+    entitlementCtxResolver?: (request: TRequest) => EntitlementCtx | Promise<EntitlementCtx>;
+}
+declare const SetEntitlementMetadata: <TRequest = unknown>(entitlementKey: string, entitlementCtxResolver?: (request: TRequest) => EntitlementCtx | Promise<EntitlementCtx>) => MethodDecorator;
+declare class EntitlementGuard<TRequest = unknown> implements CanActivate {
+    private readonly config;
+    private readonly runtime;
+    constructor(config: BlimuConfig<TRequest>, runtime: Blimu);
+    canActivate(context: ExecutionContext): Promise<boolean>;
+}
+
+declare const Entitlement: <TRequest = any>(entitlementKey: EntitlementType, entitlementCtxResolver?: (request: TRequest) => EntitlementCtx | Promise<EntitlementCtx>) => MethodDecorator;
+
+declare class BlimuForbiddenException extends ForbiddenException {
+    readonly entitlementResult: Schema.EntitlementCheckResult;
+    readonly entitlementKey: EntitlementType;
+    readonly resourceId: string;
+    readonly userId: string;
+    constructor(entitlementResult: Schema.EntitlementCheckResult, entitlementKey: EntitlementType, resourceId: string, userId: string);
+    private static buildMessage;
+}
+
+declare class JWKService {
+    private readonly config;
+    private readonly logger;
+    private readonly tokenVerifier;
+    constructor(config: BlimuConfig);
+    verifyToken<T = unknown>(token: string): Promise<T>;
+    clearCache(): void;
+}
+
+export { BLIMU_CONFIG, type BlimuConfig, BlimuForbiddenException, BlimuModule, ENTITLEMENT_KEY, ENTITLEMENT_METADATA_KEY, Entitlement, type EntitlementCtx, EntitlementGuard, type EntitlementMetadata, JWKService, SetEntitlementMetadata };

package/dist/index.d.ts

@@ -1,9 +1,73 @@
-export { BlimuModule } from './modules/blimu.module.js';
-export { BLIMU_CONFIG, BlimuConfig } from './config/blimu.config.js';
-export { ENTITLEMENT_KEY, ENTITLEMENT_METADATA_KEY, EntitlementGuard, EntitlementInfo, EntitlementMetadata, SetEntitlementMetadata } from './guards/entitlement.guard.js';
-export { Entitlement } from './decorators/entitlement.decorator.js';
-export { BlimuForbiddenException } from './exceptions/blimu-forbidden.exception.js';
-export { JWKService } from './services/jwk.service.js';
-import '@nestjs/common';
-import '@blimu/types';
-import '@blimu/backend';
+import { DynamicModule, InjectionToken, OptionalFactoryDependency, Type, ForwardReference, CanActivate, ExecutionContext, ForbiddenException } from '@nestjs/common';
+import { EntitlementType } from '@blimu/types';
+import { Blimu, Schema } from '@blimu/backend';
+
+interface BlimuConfig<TRequest = unknown> {
+    global?: boolean | undefined;
+    apiKey: string;
+    baseURL?: string | undefined;
+    environmentId?: string | undefined;
+    timeoutMs?: number | undefined;
+    getUserId: (request: TRequest) => string | Promise<string>;
+    defaultEntitlementCtxResolver?: (context: {
+        entitlement: EntitlementType;
+        resourceType: string;
+    }, request: TRequest) => {
+        resourceId: string;
+        amount?: number;
+    } | Promise<{
+        resourceId: string;
+        amount?: number;
+    }> | undefined;
+}
+declare const BLIMU_CONFIG: unique symbol;
+
+declare class BlimuModule {
+    static forRoot<TRequest = unknown>(config: BlimuConfig<TRequest>): DynamicModule;
+    static forRootAsync<TRequest = unknown>(options: {
+        global?: boolean | undefined;
+        useFactory: (...args: unknown[]) => Promise<BlimuConfig<TRequest>> | BlimuConfig<TRequest>;
+        inject?: (InjectionToken | OptionalFactoryDependency)[];
+        imports?: (Type<unknown> | DynamicModule | Promise<DynamicModule> | ForwardReference<() => Type<unknown>>)[];
+    }): DynamicModule;
+}
+
+declare const ENTITLEMENT_KEY = "entitlement";
+declare const ENTITLEMENT_METADATA_KEY: unique symbol;
+interface EntitlementCtx {
+    resourceId: string;
+    amount?: number;
+}
+interface EntitlementMetadata<TRequest = unknown> {
+    entitlementKey: EntitlementType;
+    entitlementCtxResolver?: (request: TRequest) => EntitlementCtx | Promise<EntitlementCtx>;
+}
+declare const SetEntitlementMetadata: <TRequest = unknown>(entitlementKey: string, entitlementCtxResolver?: (request: TRequest) => EntitlementCtx | Promise<EntitlementCtx>) => MethodDecorator;
+declare class EntitlementGuard<TRequest = unknown> implements CanActivate {
+    private readonly config;
+    private readonly runtime;
+    constructor(config: BlimuConfig<TRequest>, runtime: Blimu);
+    canActivate(context: ExecutionContext): Promise<boolean>;
+}
+
+declare const Entitlement: <TRequest = any>(entitlementKey: EntitlementType, entitlementCtxResolver?: (request: TRequest) => EntitlementCtx | Promise<EntitlementCtx>) => MethodDecorator;
+
+declare class BlimuForbiddenException extends ForbiddenException {
+    readonly entitlementResult: Schema.EntitlementCheckResult;
+    readonly entitlementKey: EntitlementType;
+    readonly resourceId: string;
+    readonly userId: string;
+    constructor(entitlementResult: Schema.EntitlementCheckResult, entitlementKey: EntitlementType, resourceId: string, userId: string);
+    private static buildMessage;
+}
+
+declare class JWKService {
+    private readonly config;
+    private readonly logger;
+    private readonly tokenVerifier;
+    constructor(config: BlimuConfig);
+    verifyToken<T = unknown>(token: string): Promise<T>;
+    clearCache(): void;
+}
+
+export { BLIMU_CONFIG, type BlimuConfig, BlimuForbiddenException, BlimuModule, ENTITLEMENT_KEY, ENTITLEMENT_METADATA_KEY, Entitlement, type EntitlementCtx, EntitlementGuard, type EntitlementMetadata, JWKService, SetEntitlementMetadata };

package/dist/index.mjs

@@ -89,9 +89,9 @@ var BlimuForbiddenException = class _BlimuForbiddenException extends ForbiddenEx
 import { Blimu } from "@blimu/backend";
 var ENTITLEMENT_KEY = "entitlement";
 var ENTITLEMENT_METADATA_KEY = /* @__PURE__ */ Symbol("entitlement");
-var SetEntitlementMetadata = (entitlementKey, getEntitlementInfo) => SetMetadata(ENTITLEMENT_METADATA_KEY, {
+var SetEntitlementMetadata = (entitlementKey, entitlementCtxResolver) => SetMetadata(ENTITLEMENT_METADATA_KEY, {
   entitlementKey,
-  getEntitlementInfo
+  entitlementCtxResolver
 });
 var EntitlementGuard = class {
   constructor(config, runtime) {
@@ -114,22 +114,36 @@ var EntitlementGuard = class {
     if (!userId) {
       throw new ForbiddenException2("User ID is required for entitlement check");
     }
-    const entitlementInfo = await metadata.getEntitlementInfo(request);
-    if (!entitlementInfo?.resourceId) {
+    let entitlementCtx;
+    if (metadata.entitlementCtxResolver) {
+      entitlementCtx = await metadata.entitlementCtxResolver(request);
+    } else if (this.config.defaultEntitlementCtxResolver) {
+      const resourceType = metadata.entitlementKey.split(":")[0] || "";
+      entitlementCtx = await this.config.defaultEntitlementCtxResolver(
+        {
+          entitlement: metadata.entitlementKey,
+          resourceType
+        },
+        request
+      );
+    } else {
+      throw new ForbiddenException2("No entitlement context resolver available");
+    }
+    if (!entitlementCtx?.resourceId) {
       throw new ForbiddenException2("Resource ID is required for entitlement check");
     }
     try {
       const result = await this.runtime.entitlements.checkEntitlement({
         userId,
         entitlement: metadata.entitlementKey,
-        resourceId: entitlementInfo.resourceId,
-        ...entitlementInfo.amount !== void 0 ? { amount: entitlementInfo.amount } : {}
+        resourceId: entitlementCtx.resourceId,
+        ...entitlementCtx.amount !== void 0 ? { amount: entitlementCtx.amount } : {}
       });
       if (!result.allowed) {
         throw new BlimuForbiddenException(
           result,
           metadata.entitlementKey,
-          entitlementInfo.resourceId,
+          entitlementCtx.resourceId,
           userId
         );
       }
@@ -219,6 +233,9 @@ var BlimuModule = class {
    *       environmentId: 'your-environment-id', // optional
    *       timeoutMs: 30000, // optional
    *       getUserId: (req) => req.user?.id, // required
+   *       defaultEntitlementCtxResolver: ({ entitlement, resourceType }, req) => ({
+   *         resourceId: req.params.resourceId,
+   *       }), // optional
    *     }),
    *   ],
    * })
@@ -256,7 +273,8 @@ var BlimuModule = class {
             baseURL: config.baseURL ?? DEFAULT_BASE_URL,
             environmentId: config.environmentId,
             timeoutMs: config.timeoutMs ?? 3e4,
-            getUserId: config.getUserId
+            getUserId: config.getUserId,
+            defaultEntitlementCtxResolver: config.defaultEntitlementCtxResolver
           }
         },
         {
@@ -299,6 +317,9 @@ var BlimuModule = class {
    *         environmentId: configService.get('BLIMU_ENVIRONMENT_ID'),
    *         timeoutMs: configService.get('BLIMU_TIMEOUT_MS'),
    *         getUserId: (req) => req.user?.id,
+   *         defaultEntitlementCtxResolver: (entitlementKey, req) => ({
+   *           resourceId: req.params.resourceId,
+   *         }),
    *       }),
    *       inject: [ConfigService],
    *     }),
@@ -369,7 +390,8 @@ var BlimuModule = class {
               baseURL: config.baseURL ?? DEFAULT_BASE_URL,
               environmentId: config.environmentId,
               timeoutMs: config.timeoutMs ?? 3e4,
-              getUserId: config.getUserId
+              getUserId: config.getUserId,
+              defaultEntitlementCtxResolver: config.defaultEntitlementCtxResolver
             };
           },
           ...options.inject ? { inject: options.inject } : {}
@@ -400,9 +422,9 @@ BlimuModule = __decorateClass([
 
 // src/decorators/entitlement.decorator.ts
 import { applyDecorators, UseGuards } from "@nestjs/common";
-var Entitlement = (entitlementKey, getEntitlementInfo) => {
+var Entitlement = (entitlementKey, entitlementCtxResolver) => {
   return applyDecorators(
-    SetEntitlementMetadata(entitlementKey, getEntitlementInfo),
+    SetEntitlementMetadata(entitlementKey, entitlementCtxResolver),
     UseGuards(EntitlementGuard)
   );
 };