npm - @blokjs/runner - Versions diffs - 0.2.0 - Mend

@blokjs/runner 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (307) hide show

package/dist/Blok.d.ts +19 -0
package/dist/Blok.js +184 -0
package/dist/Blok.js.map +1 -0
package/dist/BlokResponse.d.ts +16 -0
package/dist/BlokResponse.js +28 -0
package/dist/BlokResponse.js.map +1 -0
package/dist/Configuration.d.ts +37 -0
package/dist/Configuration.js +248 -0
package/dist/Configuration.js.map +1 -0
package/dist/ConfigurationResolver.d.ts +7 -0
package/dist/ConfigurationResolver.js +15 -0
package/dist/ConfigurationResolver.js.map +1 -0
package/dist/DefaultLogger.d.ts +65 -0
package/dist/DefaultLogger.js +101 -0
package/dist/DefaultLogger.js.map +1 -0
package/dist/LocalStorage.d.ts +7 -0
package/dist/LocalStorage.js +56 -0
package/dist/LocalStorage.js.map +1 -0
package/dist/MemoryUsage.d.ts +22 -0
package/dist/MemoryUsage.js +83 -0
package/dist/MemoryUsage.js.map +1 -0
package/dist/NodeMap.d.ts +7 -0
package/dist/NodeMap.js +13 -0
package/dist/NodeMap.js.map +1 -0
package/dist/ResolverBase.d.ts +8 -0
package/dist/ResolverBase.js +18 -0
package/dist/ResolverBase.js.map +1 -0
package/dist/Runner.d.ts +25 -0
package/dist/Runner.js +32 -0
package/dist/Runner.js.map +1 -0
package/dist/RunnerNode.d.ts +9 -0
package/dist/RunnerNode.js +8 -0
package/dist/RunnerNode.js.map +1 -0
package/dist/RunnerNodeBase.d.ts +4 -0
package/dist/RunnerNodeBase.js +3 -0
package/dist/RunnerNodeBase.js.map +1 -0
package/dist/RunnerSteps.d.ts +14 -0
package/dist/RunnerSteps.js +110 -0
package/dist/RunnerSteps.js.map +1 -0
package/dist/RuntimeAdapterNode.d.ts +19 -0
package/dist/RuntimeAdapterNode.js +87 -0
package/dist/RuntimeAdapterNode.js.map +1 -0
package/dist/RuntimeRegistry.d.ts +61 -0
package/dist/RuntimeRegistry.js +87 -0
package/dist/RuntimeRegistry.js.map +1 -0
package/dist/TriggerBase.d.ts +119 -0
package/dist/TriggerBase.js +413 -0
package/dist/TriggerBase.js.map +1 -0
package/dist/adapters/BunRuntimeAdapter.d.ts +38 -0
package/dist/adapters/BunRuntimeAdapter.js +169 -0
package/dist/adapters/BunRuntimeAdapter.js.map +1 -0
package/dist/adapters/DockerRuntimeAdapter.d.ts +85 -0
package/dist/adapters/DockerRuntimeAdapter.js +298 -0
package/dist/adapters/DockerRuntimeAdapter.js.map +1 -0
package/dist/adapters/HttpRuntimeAdapter.d.ts +58 -0
package/dist/adapters/HttpRuntimeAdapter.js +152 -0
package/dist/adapters/HttpRuntimeAdapter.js.map +1 -0
package/dist/adapters/NodeJsRuntimeAdapter.d.ts +23 -0
package/dist/adapters/NodeJsRuntimeAdapter.js +67 -0
package/dist/adapters/NodeJsRuntimeAdapter.js.map +1 -0
package/dist/adapters/RuntimeAdapter.d.ts +42 -0
package/dist/adapters/RuntimeAdapter.js +2 -0
package/dist/adapters/RuntimeAdapter.js.map +1 -0
package/dist/adapters/WasmRuntimeAdapter.d.ts +69 -0
package/dist/adapters/WasmRuntimeAdapter.js +279 -0
package/dist/adapters/WasmRuntimeAdapter.js.map +1 -0
package/dist/cache/NodeResultCache.d.ts +286 -0
package/dist/cache/NodeResultCache.js +499 -0
package/dist/cache/NodeResultCache.js.map +1 -0
package/dist/cache/index.d.ts +1 -0
package/dist/cache/index.js +2 -0
package/dist/cache/index.js.map +1 -0
package/dist/cost/CostEstimator.d.ts +57 -0
package/dist/cost/CostEstimator.js +171 -0
package/dist/cost/CostEstimator.js.map +1 -0
package/dist/cost/index.d.ts +4 -0
package/dist/cost/index.js +3 -0
package/dist/cost/index.js.map +1 -0
package/dist/cost/pricing.d.ts +24 -0
package/dist/cost/pricing.js +169 -0
package/dist/cost/pricing.js.map +1 -0
package/dist/defineNode.d.ts +155 -0
package/dist/defineNode.js +191 -0
package/dist/defineNode.js.map +1 -0
package/dist/graphql/GraphQLSchemaGenerator.d.ts +129 -0
package/dist/graphql/GraphQLSchemaGenerator.js +425 -0
package/dist/graphql/GraphQLSchemaGenerator.js.map +1 -0
package/dist/hmr/FileWatcher.d.ts +62 -0
package/dist/hmr/FileWatcher.js +185 -0
package/dist/hmr/FileWatcher.js.map +1 -0
package/dist/hmr/HmrDevConsole.d.ts +13 -0
package/dist/hmr/HmrDevConsole.js +46 -0
package/dist/hmr/HmrDevConsole.js.map +1 -0
package/dist/hmr/HotReloadManager.d.ts +84 -0
package/dist/hmr/HotReloadManager.js +195 -0
package/dist/hmr/HotReloadManager.js.map +1 -0
package/dist/hmr/index.d.ts +39 -0
package/dist/hmr/index.js +38 -0
package/dist/hmr/index.js.map +1 -0
package/dist/index.d.ts +107 -0
package/dist/index.js +107 -0
package/dist/index.js.map +1 -0
package/dist/integrations/APMIntegration.d.ts +141 -0
package/dist/integrations/APMIntegration.js +212 -0
package/dist/integrations/APMIntegration.js.map +1 -0
package/dist/integrations/AzureMonitorIntegration.d.ts +118 -0
package/dist/integrations/AzureMonitorIntegration.js +254 -0
package/dist/integrations/AzureMonitorIntegration.js.map +1 -0
package/dist/integrations/CloudWatchIntegration.d.ts +135 -0
package/dist/integrations/CloudWatchIntegration.js +293 -0
package/dist/integrations/CloudWatchIntegration.js.map +1 -0
package/dist/integrations/SentryIntegration.d.ts +153 -0
package/dist/integrations/SentryIntegration.js +200 -0
package/dist/integrations/SentryIntegration.js.map +1 -0
package/dist/integrations/index.d.ts +19 -0
package/dist/integrations/index.js +16 -0
package/dist/integrations/index.js.map +1 -0
package/dist/marketplace/RuntimeAutoScaler.d.ts +148 -0
package/dist/marketplace/RuntimeAutoScaler.js +366 -0
package/dist/marketplace/RuntimeAutoScaler.js.map +1 -0
package/dist/marketplace/RuntimeCatalog.d.ts +174 -0
package/dist/marketplace/RuntimeCatalog.js +339 -0
package/dist/marketplace/RuntimeCatalog.js.map +1 -0
package/dist/marketplace/RuntimeDiscovery.d.ts +86 -0
package/dist/marketplace/RuntimeDiscovery.js +219 -0
package/dist/marketplace/RuntimeDiscovery.js.map +1 -0
package/dist/marketplace/RuntimeHealthMonitor.d.ts +100 -0
package/dist/marketplace/RuntimeHealthMonitor.js +241 -0
package/dist/marketplace/RuntimeHealthMonitor.js.map +1 -0
package/dist/marketplace/RuntimeMetricsDashboard.d.ts +113 -0
package/dist/marketplace/RuntimeMetricsDashboard.js +293 -0
package/dist/marketplace/RuntimeMetricsDashboard.js.map +1 -0
package/dist/monitoring/CircuitBreaker.d.ts +107 -0
package/dist/monitoring/CircuitBreaker.js +238 -0
package/dist/monitoring/CircuitBreaker.js.map +1 -0
package/dist/monitoring/DistributedTracer.d.ts +125 -0
package/dist/monitoring/DistributedTracer.js +230 -0
package/dist/monitoring/DistributedTracer.js.map +1 -0
package/dist/monitoring/HealthCheck.d.ts +54 -0
package/dist/monitoring/HealthCheck.js +102 -0
package/dist/monitoring/HealthCheck.js.map +1 -0
package/dist/monitoring/PerformanceProfiler.d.ts +63 -0
package/dist/monitoring/PerformanceProfiler.js +229 -0
package/dist/monitoring/PerformanceProfiler.js.map +1 -0
package/dist/monitoring/PrometheusBootstrap.d.ts +30 -0
package/dist/monitoring/PrometheusBootstrap.js +71 -0
package/dist/monitoring/PrometheusBootstrap.js.map +1 -0
package/dist/monitoring/PrometheusMetricsBridge.d.ts +60 -0
package/dist/monitoring/PrometheusMetricsBridge.js +216 -0
package/dist/monitoring/PrometheusMetricsBridge.js.map +1 -0
package/dist/monitoring/RateLimiter.d.ts +58 -0
package/dist/monitoring/RateLimiter.js +128 -0
package/dist/monitoring/RateLimiter.js.map +1 -0
package/dist/monitoring/StructuredLogger.d.ts +131 -0
package/dist/monitoring/StructuredLogger.js +207 -0
package/dist/monitoring/StructuredLogger.js.map +1 -0
package/dist/monitoring/TracingBootstrap.d.ts +69 -0
package/dist/monitoring/TracingBootstrap.js +129 -0
package/dist/monitoring/TracingBootstrap.js.map +1 -0
package/dist/monitoring/TriggerMetricsCollector.d.ts +94 -0
package/dist/monitoring/TriggerMetricsCollector.js +174 -0
package/dist/monitoring/TriggerMetricsCollector.js.map +1 -0
package/dist/monitoring/index.d.ts +9 -0
package/dist/monitoring/index.js +10 -0
package/dist/monitoring/index.js.map +1 -0
package/dist/openapi/OpenAPIGenerator.d.ts +192 -0
package/dist/openapi/OpenAPIGenerator.js +373 -0
package/dist/openapi/OpenAPIGenerator.js.map +1 -0
package/dist/openapi/index.d.ts +20 -0
package/dist/openapi/index.js +20 -0
package/dist/openapi/index.js.map +1 -0
package/dist/security/ABAC.d.ts +224 -0
package/dist/security/ABAC.js +380 -0
package/dist/security/ABAC.js.map +1 -0
package/dist/security/AuditLogger.d.ts +242 -0
package/dist/security/AuditLogger.js +317 -0
package/dist/security/AuditLogger.js.map +1 -0
package/dist/security/AuthMiddleware.d.ts +163 -0
package/dist/security/AuthMiddleware.js +274 -0
package/dist/security/AuthMiddleware.js.map +1 -0
package/dist/security/EncryptionAtRest.d.ts +206 -0
package/dist/security/EncryptionAtRest.js +236 -0
package/dist/security/EncryptionAtRest.js.map +1 -0
package/dist/security/OAuthProvider.d.ts +334 -0
package/dist/security/OAuthProvider.js +719 -0
package/dist/security/OAuthProvider.js.map +1 -0
package/dist/security/PIIDetector.d.ts +233 -0
package/dist/security/PIIDetector.js +354 -0
package/dist/security/PIIDetector.js.map +1 -0
package/dist/security/RBAC.d.ts +143 -0
package/dist/security/RBAC.js +285 -0
package/dist/security/RBAC.js.map +1 -0
package/dist/security/SecretManager.d.ts +652 -0
package/dist/security/SecretManager.js +1146 -0
package/dist/security/SecretManager.js.map +1 -0
package/dist/security/TLSConfig.d.ts +305 -0
package/dist/security/TLSConfig.js +550 -0
package/dist/security/TLSConfig.js.map +1 -0
package/dist/security/index.d.ts +79 -0
package/dist/security/index.js +80 -0
package/dist/security/index.js.map +1 -0
package/dist/testing/TestHarness.d.ts +189 -0
package/dist/testing/TestHarness.js +272 -0
package/dist/testing/TestHarness.js.map +1 -0
package/dist/testing/TestLogger.d.ts +103 -0
package/dist/testing/TestLogger.js +153 -0
package/dist/testing/TestLogger.js.map +1 -0
package/dist/testing/WorkflowTestRunner.d.ts +172 -0
package/dist/testing/WorkflowTestRunner.js +355 -0
package/dist/testing/WorkflowTestRunner.js.map +1 -0
package/dist/testing/index.d.ts +21 -0
package/dist/testing/index.js +22 -0
package/dist/testing/index.js.map +1 -0
package/dist/tracing/InMemoryRunStore.d.ts +44 -0
package/dist/tracing/InMemoryRunStore.js +341 -0
package/dist/tracing/InMemoryRunStore.js.map +1 -0
package/dist/tracing/PostgresRunStore.d.ts +82 -0
package/dist/tracing/PostgresRunStore.js +640 -0
package/dist/tracing/PostgresRunStore.js.map +1 -0
package/dist/tracing/RunStore.d.ts +38 -0
package/dist/tracing/RunStore.js +2 -0
package/dist/tracing/RunStore.js.map +1 -0
package/dist/tracing/RunTracker.d.ts +75 -0
package/dist/tracing/RunTracker.js +374 -0
package/dist/tracing/RunTracker.js.map +1 -0
package/dist/tracing/SqliteRunStore.d.ts +53 -0
package/dist/tracing/SqliteRunStore.js +703 -0
package/dist/tracing/SqliteRunStore.js.map +1 -0
package/dist/tracing/TraceRouter.d.ts +47 -0
package/dist/tracing/TraceRouter.js +904 -0
package/dist/tracing/TraceRouter.js.map +1 -0
package/dist/tracing/TracingLogger.d.ts +21 -0
package/dist/tracing/TracingLogger.js +62 -0
package/dist/tracing/TracingLogger.js.map +1 -0
package/dist/tracing/createStore.d.ts +30 -0
package/dist/tracing/createStore.js +75 -0
package/dist/tracing/createStore.js.map +1 -0
package/dist/tracing/index.d.ts +13 -0
package/dist/tracing/index.js +9 -0
package/dist/tracing/index.js.map +1 -0
package/dist/tracing/sanitize.d.ts +7 -0
package/dist/tracing/sanitize.js +95 -0
package/dist/tracing/sanitize.js.map +1 -0
package/dist/tracing/types.d.ts +178 -0
package/dist/tracing/types.js +3 -0
package/dist/tracing/types.js.map +1 -0
package/dist/types/Average.d.ts +11 -0
package/dist/types/Average.js +2 -0
package/dist/types/Average.js.map +1 -0
package/dist/types/Condition.d.ts +8 -0
package/dist/types/Condition.js +2 -0
package/dist/types/Condition.js.map +1 -0
package/dist/types/Conditions.d.ts +5 -0
package/dist/types/Conditions.js +2 -0
package/dist/types/Conditions.js.map +1 -0
package/dist/types/Config.d.ts +12 -0
package/dist/types/Config.js +2 -0
package/dist/types/Config.js.map +1 -0
package/dist/types/Flow.d.ts +5 -0
package/dist/types/Flow.js +2 -0
package/dist/types/Flow.js.map +1 -0
package/dist/types/GlobalOptions.d.ts +11 -0
package/dist/types/GlobalOptions.js +2 -0
package/dist/types/GlobalOptions.js.map +1 -0
package/dist/types/Inputs.d.ts +5 -0
package/dist/types/Inputs.js +2 -0
package/dist/types/Inputs.js.map +1 -0
package/dist/types/JsonLikeObject.d.ts +3 -0
package/dist/types/JsonLikeObject.js +2 -0
package/dist/types/JsonLikeObject.js.map +1 -0
package/dist/types/Mapper.d.ts +5 -0
package/dist/types/Mapper.js +2 -0
package/dist/types/Mapper.js.map +1 -0
package/dist/types/Node.d.ts +10 -0
package/dist/types/Node.js +2 -0
package/dist/types/Node.js.map +1 -0
package/dist/types/ParamsDictionary.d.ts +3 -0
package/dist/types/ParamsDictionary.js +2 -0
package/dist/types/ParamsDictionary.js.map +1 -0
package/dist/types/Properties.d.ts +5 -0
package/dist/types/Properties.js +2 -0
package/dist/types/Properties.js.map +1 -0
package/dist/types/Targets.d.ts +5 -0
package/dist/types/Targets.js +2 -0
package/dist/types/Targets.js.map +1 -0
package/dist/types/Trigger.d.ts +5 -0
package/dist/types/Trigger.js +2 -0
package/dist/types/Trigger.js.map +1 -0
package/dist/types/TriggerHttp.d.ts +7 -0
package/dist/types/TriggerHttp.js +2 -0
package/dist/types/TriggerHttp.js.map +1 -0
package/dist/types/TriggerResponse.d.ts +6 -0
package/dist/types/TriggerResponse.js +2 -0
package/dist/types/TriggerResponse.js.map +1 -0
package/dist/types/Triggers.d.ts +5 -0
package/dist/types/Triggers.js +2 -0
package/dist/types/Triggers.js.map +1 -0
package/dist/types/TryCatch.d.ts +6 -0
package/dist/types/TryCatch.js +2 -0
package/dist/types/TryCatch.js.map +1 -0
package/dist/visualization/NodeDependencyGraph.d.ts +76 -0
package/dist/visualization/NodeDependencyGraph.js +418 -0
package/dist/visualization/NodeDependencyGraph.js.map +1 -0
package/dist/visualization/WorkflowVisualizer.d.ts +144 -0
package/dist/visualization/WorkflowVisualizer.js +446 -0
package/dist/visualization/WorkflowVisualizer.js.map +1 -0
package/package.json +95 -0

package/dist/security/RBAC.d.ts ADDED Viewed

@@ -0,0 +1,143 @@
+/**
+ * Role-Based Access Control (RBAC) for Blok
+ *
+ * Provides fine-grained access control for workflow execution:
+ * - Role definitions with permissions
+ * - Resource-based access control
+ * - Hierarchical roles with inheritance
+ * - Workflow-level and node-level access control
+ *
+ * @example
+ * ```typescript
+ * const rbac = new RBAC();
+ *
+ * // Define roles
+ * rbac.addRole({
+ *   name: "admin",
+ *   permissions: [
+ *     { resource: "workflow", actions: ["*"] },
+ *     { resource: "node", actions: ["*"] },
+ *   ],
+ * });
+ *
+ * rbac.addRole({
+ *   name: "developer",
+ *   permissions: [
+ *     { resource: "workflow", actions: ["read", "execute"] },
+ *     { resource: "node", actions: ["read", "execute"] },
+ *   ],
+ *   inherits: ["viewer"],
+ * });
+ *
+ * rbac.addRole({
+ *   name: "viewer",
+ *   permissions: [
+ *     { resource: "workflow", actions: ["read"] },
+ *   ],
+ * });
+ *
+ * // Check permissions
+ * rbac.can("admin", "workflow", "delete");     // true
+ * rbac.can("developer", "workflow", "execute"); // true
+ * rbac.can("viewer", "workflow", "execute");    // false
+ * ```
+ */
+export type Action = "read" | "create" | "update" | "delete" | "execute" | "admin" | "*";
+export interface Permission {
+    /** Resource type (e.g., "workflow", "node", "trigger", "runtime") */
+    resource: string;
+    /** Allowed actions on this resource */
+    actions: Action[];
+    /** Optional: restrict to specific resource instances by pattern */
+    resourcePattern?: string;
+    /** Optional: conditions that must be met (e.g., { "env": "staging" }) */
+    conditions?: Record<string, unknown>;
+}
+export interface RoleDefinition {
+    /** Unique role name */
+    name: string;
+    /** Human-readable description */
+    description?: string;
+    /** Permissions granted to this role */
+    permissions: Permission[];
+    /** Roles this role inherits from */
+    inherits?: string[];
+}
+export interface AccessCheckResult {
+    allowed: boolean;
+    role: string;
+    resource: string;
+    action: Action;
+    reason?: string;
+    matchedPermission?: Permission;
+}
+export interface RBACPolicy {
+    /** Named resource access policies */
+    workflows?: Record<string, {
+        allowedRoles: string[];
+        actions?: Action[];
+    }>;
+    /** Default policy when no specific policy matches */
+    defaultPolicy?: "allow" | "deny";
+}
+export declare class RBAC {
+    private roles;
+    private policies;
+    private roleCache;
+    /**
+     * Add a role definition
+     */
+    addRole(role: RoleDefinition): void;
+    /**
+     * Remove a role
+     */
+    removeRole(name: string): void;
+    /**
+     * Get a role definition
+     */
+    getRole(name: string): RoleDefinition | undefined;
+    /**
+     * Get all defined roles
+     */
+    getRoles(): RoleDefinition[];
+    /**
+     * Add a resource-specific policy
+     */
+    addPolicy(resourceId: string, policy: RBACPolicy): void;
+    /**
+     * Check if a role has permission to perform an action on a resource
+     */
+    can(roleName: string, resource: string, action: Action, resourceId?: string): AccessCheckResult;
+    /**
+     * Check if any of the given roles has permission
+     */
+    canAny(roles: string[], resource: string, action: Action, resourceId?: string): AccessCheckResult;
+    /**
+     * Check workflow-specific access
+     */
+    canAccessWorkflow(roles: string[], workflowPath: string, action?: Action): AccessCheckResult;
+    /**
+     * Get all effective permissions for a role (including inherited)
+     */
+    getEffectivePermissions(roleName: string, visited?: Set<string>): Permission[];
+    /**
+     * Export current RBAC configuration as JSON
+     */
+    toJSON(): {
+        roles: RoleDefinition[];
+        policies: Record<string, RBACPolicy>;
+    };
+    /**
+     * Load RBAC configuration from JSON
+     */
+    fromJSON(config: {
+        roles: RoleDefinition[];
+        policies?: Record<string, RBACPolicy>;
+    }): void;
+    private matchesPermission;
+    private matchesPattern;
+}
+/**
+ * Create a preconfigured RBAC instance with common roles
+ */
+export declare function createDefaultRBAC(): RBAC;

package/dist/security/RBAC.js ADDED Viewed

@@ -0,0 +1,285 @@
+/**
+ * Role-Based Access Control (RBAC) for Blok
+ *
+ * Provides fine-grained access control for workflow execution:
+ * - Role definitions with permissions
+ * - Resource-based access control
+ * - Hierarchical roles with inheritance
+ * - Workflow-level and node-level access control
+ *
+ * @example
+ * ```typescript
+ * const rbac = new RBAC();
+ *
+ * // Define roles
+ * rbac.addRole({
+ *   name: "admin",
+ *   permissions: [
+ *     { resource: "workflow", actions: ["*"] },
+ *     { resource: "node", actions: ["*"] },
+ *   ],
+ * });
+ *
+ * rbac.addRole({
+ *   name: "developer",
+ *   permissions: [
+ *     { resource: "workflow", actions: ["read", "execute"] },
+ *     { resource: "node", actions: ["read", "execute"] },
+ *   ],
+ *   inherits: ["viewer"],
+ * });
+ *
+ * rbac.addRole({
+ *   name: "viewer",
+ *   permissions: [
+ *     { resource: "workflow", actions: ["read"] },
+ *   ],
+ * });
+ *
+ * // Check permissions
+ * rbac.can("admin", "workflow", "delete");     // true
+ * rbac.can("developer", "workflow", "execute"); // true
+ * rbac.can("viewer", "workflow", "execute");    // false
+ * ```
+ */
+export class RBAC {
+    roles = new Map();
+    policies = new Map();
+    roleCache = new Map();
+    /**
+     * Add a role definition
+     */
+    addRole(role) {
+        this.roles.set(role.name, role);
+        // Invalidate cache for this role and any role that inherits from it
+        this.roleCache.clear();
+    }
+    /**
+     * Remove a role
+     */
+    removeRole(name) {
+        this.roles.delete(name);
+        this.roleCache.clear();
+    }
+    /**
+     * Get a role definition
+     */
+    getRole(name) {
+        return this.roles.get(name);
+    }
+    /**
+     * Get all defined roles
+     */
+    getRoles() {
+        return Array.from(this.roles.values());
+    }
+    /**
+     * Add a resource-specific policy
+     */
+    addPolicy(resourceId, policy) {
+        this.policies.set(resourceId, policy);
+    }
+    /**
+     * Check if a role has permission to perform an action on a resource
+     */
+    can(roleName, resource, action, resourceId) {
+        const permissions = this.getEffectivePermissions(roleName);
+        for (const perm of permissions) {
+            if (this.matchesPermission(perm, resource, action, resourceId)) {
+                return {
+                    allowed: true,
+                    role: roleName,
+                    resource,
+                    action,
+                    matchedPermission: perm,
+                };
+            }
+        }
+        return {
+            allowed: false,
+            role: roleName,
+            resource,
+            action,
+            reason: `Role '${roleName}' does not have '${action}' permission on '${resource}'`,
+        };
+    }
+    /**
+     * Check if any of the given roles has permission
+     */
+    canAny(roles, resource, action, resourceId) {
+        for (const role of roles) {
+            const result = this.can(role, resource, action, resourceId);
+            if (result.allowed)
+                return result;
+        }
+        return {
+            allowed: false,
+            role: roles.join(","),
+            resource,
+            action,
+            reason: `None of roles [${roles.join(", ")}] have '${action}' permission on '${resource}'`,
+        };
+    }
+    /**
+     * Check workflow-specific access
+     */
+    canAccessWorkflow(roles, workflowPath, action = "execute") {
+        // Check resource-specific policy first
+        const policy = this.policies.get(workflowPath);
+        if (policy?.workflows) {
+            for (const [pattern, config] of Object.entries(policy.workflows)) {
+                if (this.matchesPattern(workflowPath, pattern)) {
+                    const allowedActions = config.actions || ["execute"];
+                    if (!allowedActions.includes(action) && !allowedActions.includes("*")) {
+                        return {
+                            allowed: false,
+                            role: roles.join(","),
+                            resource: workflowPath,
+                            action,
+                            reason: `Action '${action}' not allowed on workflow '${workflowPath}'`,
+                        };
+                    }
+                    const hasAllowedRole = roles.some((r) => config.allowedRoles.includes(r));
+                    if (hasAllowedRole) {
+                        return {
+                            allowed: true,
+                            role: roles.find((r) => config.allowedRoles.includes(r)) || roles[0],
+                            resource: workflowPath,
+                            action,
+                        };
+                    }
+                }
+            }
+        }
+        // Fall back to general RBAC check
+        return this.canAny(roles, "workflow", action, workflowPath);
+    }
+    /**
+     * Get all effective permissions for a role (including inherited)
+     */
+    getEffectivePermissions(roleName, visited = new Set()) {
+        // Check cache
+        const cached = this.roleCache.get(roleName);
+        if (cached)
+            return cached;
+        // Guard against circular inheritance
+        if (visited.has(roleName))
+            return [];
+        visited.add(roleName);
+        const role = this.roles.get(roleName);
+        if (!role)
+            return [];
+        const permissions = [...role.permissions];
+        // Resolve inherited permissions
+        if (role.inherits) {
+            for (const parentRole of role.inherits) {
+                const inherited = this.getEffectivePermissions(parentRole, visited);
+                permissions.push(...inherited);
+            }
+        }
+        // Cache results
+        this.roleCache.set(roleName, permissions);
+        return permissions;
+    }
+    /**
+     * Export current RBAC configuration as JSON
+     */
+    toJSON() {
+        return {
+            roles: Array.from(this.roles.values()),
+            policies: Object.fromEntries(this.policies),
+        };
+    }
+    /**
+     * Load RBAC configuration from JSON
+     */
+    fromJSON(config) {
+        this.roles.clear();
+        this.policies.clear();
+        this.roleCache.clear();
+        for (const role of config.roles) {
+            this.addRole(role);
+        }
+        if (config.policies) {
+            for (const [id, policy] of Object.entries(config.policies)) {
+                this.addPolicy(id, policy);
+            }
+        }
+    }
+    matchesPermission(perm, resource, action, resourceId) {
+        // Check resource type
+        if (perm.resource !== resource && perm.resource !== "*")
+            return false;
+        // Check action
+        if (!perm.actions.includes(action) && !perm.actions.includes("*"))
+            return false;
+        // Check resource pattern if specified
+        if (perm.resourcePattern && resourceId) {
+            if (!this.matchesPattern(resourceId, perm.resourcePattern))
+                return false;
+        }
+        return true;
+    }
+    matchesPattern(value, pattern) {
+        // Support wildcards: "workflow/*", "workflow/user-*"
+        if (pattern === "*")
+            return true;
+        const regexStr = pattern.replace(/\*/g, ".*").replace(/\?/g, ".");
+        const regex = new RegExp(`^${regexStr}$`);
+        return regex.test(value);
+    }
+}
+/**
+ * Create a preconfigured RBAC instance with common roles
+ */
+export function createDefaultRBAC() {
+    const rbac = new RBAC();
+    rbac.addRole({
+        name: "admin",
+        description: "Full access to all resources",
+        permissions: [{ resource: "*", actions: ["*"] }],
+    });
+    rbac.addRole({
+        name: "developer",
+        description: "Can read, create, and execute workflows and nodes",
+        permissions: [
+            { resource: "workflow", actions: ["read", "create", "update", "execute"] },
+            { resource: "node", actions: ["read", "create", "update", "execute"] },
+            { resource: "trigger", actions: ["read"] },
+            { resource: "runtime", actions: ["read", "execute"] },
+        ],
+        inherits: ["viewer"],
+    });
+    rbac.addRole({
+        name: "operator",
+        description: "Can execute and monitor workflows",
+        permissions: [
+            { resource: "workflow", actions: ["read", "execute"] },
+            { resource: "node", actions: ["read", "execute"] },
+            { resource: "trigger", actions: ["read"] },
+            { resource: "runtime", actions: ["read"] },
+            { resource: "metrics", actions: ["read"] },
+            { resource: "health", actions: ["read"] },
+        ],
+    });
+    rbac.addRole({
+        name: "viewer",
+        description: "Read-only access to workflows and nodes",
+        permissions: [
+            { resource: "workflow", actions: ["read"] },
+            { resource: "node", actions: ["read"] },
+            { resource: "metrics", actions: ["read"] },
+            { resource: "health", actions: ["read"] },
+        ],
+    });
+    rbac.addRole({
+        name: "service",
+        description: "Machine-to-machine service account",
+        permissions: [
+            { resource: "workflow", actions: ["execute"] },
+            { resource: "node", actions: ["execute"] },
+        ],
+    });
+    return rbac;
+}
+//# sourceMappingURL=RBAC.js.map

package/dist/security/RBAC.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"RBAC.js","sourceRoot":"","sources":["../../src/security/RBAC.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AA0CH,MAAM,OAAO,IAAI;IACR,KAAK,GAAgC,IAAI,GAAG,EAAE,CAAC;IAC/C,QAAQ,GAA4B,IAAI,GAAG,EAAE,CAAC;IAC9C,SAAS,GAA8B,IAAI,GAAG,EAAE,CAAC;IAEzD;;OAEG;IACH,OAAO,CAAC,IAAoB;QAC3B,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QAChC,oEAAoE;QACpE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;IACxB,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,IAAY;QACtB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QACxB,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;IACxB,CAAC;IAED;;OAEG;IACH,OAAO,CAAC,IAAY;QACnB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,QAAQ;QACP,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,UAAkB,EAAE,MAAkB;QAC/C,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IACvC,CAAC;IAED;;OAEG;IACH,GAAG,CAAC,QAAgB,EAAE,QAAgB,EAAE,MAAc,EAAE,UAAmB;QAC1E,MAAM,WAAW,GAAG,IAAI,CAAC,uBAAuB,CAAC,QAAQ,CAAC,CAAC;QAE3D,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAChC,IAAI,IAAI,CAAC,iBAAiB,CAAC,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,CAAC;gBAChE,OAAO;oBACN,OAAO,EAAE,IAAI;oBACb,IAAI,EAAE,QAAQ;oBACd,QAAQ;oBACR,MAAM;oBACN,iBAAiB,EAAE,IAAI;iBACvB,CAAC;YACH,CAAC;QACF,CAAC;QAED,OAAO;YACN,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,QAAQ;YACd,QAAQ;YACR,MAAM;YACN,MAAM,EAAE,SAAS,QAAQ,oBAAoB,MAAM,oBAAoB,QAAQ,GAAG;SAClF,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAe,EAAE,QAAgB,EAAE,MAAc,EAAE,UAAmB;QAC5E,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YAC1B,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;YAC5D,IAAI,MAAM,CAAC,OAAO;gBAAE,OAAO,MAAM,CAAC;QACnC,CAAC;QAED,OAAO;YACN,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC;YACrB,QAAQ;YACR,MAAM;YACN,MAAM,EAAE,kBAAkB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,MAAM,oBAAoB,QAAQ,GAAG;SAC1F,CAAC;IACH,CAAC;IAED;;OAEG;IACH,iBAAiB,CAAC,KAAe,EAAE,YAAoB,EAAE,SAAiB,SAAS;QAClF,uCAAuC;QACvC,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAC/C,IAAI,MAAM,EAAE,SAAS,EAAE,CAAC;YACvB,KAAK,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;gBAClE,IAAI,IAAI,CAAC,cAAc,CAAC,YAAY,EAAE,OAAO,CAAC,EAAE,CAAC;oBAChD,MAAM,cAAc,GAAG,MAAM,CAAC,OAAO,IAAI,CAAC,SAAS,CAAC,CAAC;oBACrD,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;wBACvE,OAAO;4BACN,OAAO,EAAE,KAAK;4BACd,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC;4BACrB,QAAQ,EAAE,YAAY;4BACtB,MAAM;4BACN,MAAM,EAAE,WAAW,MAAM,8BAA8B,YAAY,GAAG;yBACtE,CAAC;oBACH,CAAC;oBAED,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;oBAC1E,IAAI,cAAc,EAAE,CAAC;wBACpB,OAAO;4BACN,OAAO,EAAE,IAAI;4BACb,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC;4BACpE,QAAQ,EAAE,YAAY;4BACtB,MAAM;yBACN,CAAC;oBACH,CAAC;gBACF,CAAC;YACF,CAAC;QACF,CAAC;QAED,kCAAkC;QAClC,OAAO,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,YAAY,CAAC,CAAC;IAC7D,CAAC;IAED;;OAEG;IACH,uBAAuB,CAAC,QAAgB,EAAE,UAAuB,IAAI,GAAG,EAAE;QACzE,cAAc;QACd,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC5C,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC;QAE1B,qCAAqC;QACrC,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAEtB,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACtC,IAAI,CAAC,IAAI;YAAE,OAAO,EAAE,CAAC;QAErB,MAAM,WAAW,GAAG,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,CAAC;QAE1C,gCAAgC;QAChC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACnB,KAAK,MAAM,UAAU,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACxC,MAAM,SAAS,GAAG,IAAI,CAAC,uBAAuB,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;gBACpE,WAAW,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,CAAC;YAChC,CAAC;QACF,CAAC;QAED,gBAAgB;QAChB,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;QAC1C,OAAO,WAAW,CAAC;IACpB,CAAC;IAED;;OAEG;IACH,MAAM;QACL,OAAO;YACN,KAAK,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACtC,QAAQ,EAAE,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC;SAC3C,CAAC;IACH,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,MAA0E;QAClF,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QACnB,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;QACtB,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;QAEvB,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YACjC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACpB,CAAC;QAED,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACrB,KAAK,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC5D,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;YAC5B,CAAC;QACF,CAAC;IACF,CAAC;IAEO,iBAAiB,CAAC,IAAgB,EAAE,QAAgB,EAAE,MAAc,EAAE,UAAmB;QAChG,sBAAsB;QACtB,IAAI,IAAI,CAAC,QAAQ,KAAK,QAAQ,IAAI,IAAI,CAAC,QAAQ,KAAK,GAAG;YAAE,OAAO,KAAK,CAAC;QAEtE,eAAe;QACf,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QAEhF,sCAAsC;QACtC,IAAI,IAAI,CAAC,eAAe,IAAI,UAAU,EAAE,CAAC;YACxC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,UAAU,EAAE,IAAI,CAAC,eAAe,CAAC;gBAAE,OAAO,KAAK,CAAC;QAC1E,CAAC;QAED,OAAO,IAAI,CAAC;IACb,CAAC;IAEO,cAAc,CAAC,KAAa,EAAE,OAAe;QACpD,qDAAqD;QACrD,IAAI,OAAO,KAAK,GAAG;YAAE,OAAO,IAAI,CAAC;QAEjC,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAClE,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,IAAI,QAAQ,GAAG,CAAC,CAAC;QAC1C,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1B,CAAC;CACD;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB;IAChC,MAAM,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;IAExB,IAAI,CAAC,OAAO,CAAC;QACZ,IAAI,EAAE,OAAO;QACb,WAAW,EAAE,8BAA8B;QAC3C,WAAW,EAAE,CAAC,EAAE,QAAQ,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC;KAChD,CAAC,CAAC;IAEH,IAAI,CAAC,OAAO,CAAC;QACZ,IAAI,EAAE,WAAW;QACjB,WAAW,EAAE,mDAAmD;QAChE,WAAW,EAAE;YACZ,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,CAAC,EAAE;YAC1E,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,CAAC,EAAE;YACtE,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,MAAM,CAAC,EAAE;YAC1C,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE;SACrD;QACD,QAAQ,EAAE,CAAC,QAAQ,CAAC;KACpB,CAAC,CAAC;IAEH,IAAI,CAAC,OAAO,CAAC;QACZ,IAAI,EAAE,UAAU;QAChB,WAAW,EAAE,mCAAmC;QAChD,WAAW,EAAE;YACZ,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE;YACtD,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE;YAClD,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,MAAM,CAAC,EAAE;YAC1C,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,MAAM,CAAC,EAAE;YAC1C,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,MAAM,CAAC,EAAE;YAC1C,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,MAAM,CAAC,EAAE;SACzC;KACD,CAAC,CAAC;IAEH,IAAI,CAAC,OAAO,CAAC;QACZ,IAAI,EAAE,QAAQ;QACd,WAAW,EAAE,yCAAyC;QACtD,WAAW,EAAE;YACZ,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,MAAM,CAAC,EAAE;YAC3C,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,MAAM,CAAC,EAAE;YACvC,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,MAAM,CAAC,EAAE;YAC1C,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,MAAM,CAAC,EAAE;SACzC;KACD,CAAC,CAAC;IAEH,IAAI,CAAC,OAAO,CAAC;QACZ,IAAI,EAAE,SAAS;QACf,WAAW,EAAE,oCAAoC;QACjD,WAAW,EAAE;YACZ,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,SAAS,CAAC,EAAE;YAC9C,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,SAAS,CAAC,EAAE;SAC1C;KACD,CAAC,CAAC;IAEH,OAAO,IAAI,CAAC;AACb,CAAC"}