@byline/auth 0.9.3

package/LICENSE

@@ -0,0 +1,373 @@
+Mozilla Public License Version 2.0
+==================================
+
+1. Definitions
+--------------
+
+1.1. "Contributor"
+    means each individual or legal entity that creates, contributes to
+    the creation of, or owns Covered Software.
+
+1.2. "Contributor Version"
+    means the combination of the Contributions of others (if any) used
+    by a Contributor and that particular Contributor's Contribution.
+
+1.3. "Contribution"
+    means Covered Software of a particular Contributor.
+
+1.4. "Covered Software"
+    means Source Code Form to which the initial Contributor has attached
+    the notice in Exhibit A, the Executable Form of such Source Code
+    Form, and Modifications of such Source Code Form, in each case
+    including portions thereof.
+
+1.5. "Incompatible With Secondary Licenses"
+    means
+
+    (a) that the initial Contributor has attached the notice described
+        in Exhibit B to the Covered Software; or
+
+    (b) that the Covered Software was made available under the terms of
+        version 1.1 or earlier of the License, but not also under the
+        terms of a Secondary License.
+
+1.6. "Executable Form"
+    means any form of the work other than Source Code Form.
+
+1.7. "Larger Work"
+    means a work that combines Covered Software with other material, in
+    a separate file or files, that is not Covered Software.
+
+1.8. "License"
+    means this document.
+
+1.9. "Licensable"
+    means having the right to grant, to the maximum extent possible,
+    whether at the time of the initial grant or subsequently, any and
+    all of the rights conveyed by this License.
+
+1.10. "Modifications"
+    means any of the following:
+
+    (a) any file in Source Code Form that results from an addition to,
+        deletion from, or modification of the contents of Covered
+        Software; or
+
+    (b) any new file in Source Code Form that contains any Covered
+        Software.
+
+1.11. "Patent Claims" of a Contributor
+    means any patent claim(s), including without limitation, method,
+    process, and apparatus claims, in any patent Licensable by such
+    Contributor that would be infringed, but for the grant of the
+    License, by the making, using, selling, offering for sale, having
+    made, import, or transfer of either its Contributions or its
+    Contributor Version.
+
+1.12. "Secondary License"
+    means either the GNU General Public License, Version 2.0, the GNU
+    Lesser General Public License, Version 2.1, the GNU Affero General
+    Public License, Version 3.0, or any later versions of those
+    licenses.
+
+1.13. "Source Code Form"
+    means the form of the work preferred for making modifications.
+
+1.14. "You" (or "Your")
+    means an individual or a legal entity exercising rights under this
+    License. For legal entities, "You" includes any entity that
+    controls, is controlled by, or is under common control with You. For
+    purposes of this definition, "control" means (a) the power, direct
+    or indirect, to cause the direction or management of such entity,
+    whether by contract or otherwise, or (b) ownership of more than
+    fifty percent (50%) of the outstanding shares or beneficial
+    ownership of such entity.
+
+2. License Grants and Conditions
+--------------------------------
+
+2.1. Grants
+
+Each Contributor hereby grants You a world-wide, royalty-free,
+non-exclusive license:
+
+(a) under intellectual property rights (other than patent or trademark)
+    Licensable by such Contributor to use, reproduce, make available,
+    modify, display, perform, distribute, and otherwise exploit its
+    Contributions, either on an unmodified basis, with Modifications, or
+    as part of a Larger Work; and
+
+(b) under Patent Claims of such Contributor to make, use, sell, offer
+    for sale, have made, import, and otherwise transfer either its
+    Contributions or its Contributor Version.
+
+2.2. Effective Date
+
+The licenses granted in Section 2.1 with respect to any Contribution
+become effective for each Contribution on the date the Contributor first
+distributes such Contribution.
+
+2.3. Limitations on Grant Scope
+
+The licenses granted in this Section 2 are the only rights granted under
+this License. No additional rights or licenses will be implied from the
+distribution or licensing of Covered Software under this License.
+Notwithstanding Section 2.1(b) above, no patent license is granted by a
+Contributor:
+
+(a) for any code that a Contributor has removed from Covered Software;
+    or
+
+(b) for infringements caused by: (i) Your and any other third party's
+    modifications of Covered Software, or (ii) the combination of its
+    Contributions with other software (except as part of its Contributor
+    Version); or
+
+(c) under Patent Claims infringed by Covered Software in the absence of
+    its Contributions.
+
+This License does not grant any rights in the trademarks, service marks,
+or logos of any Contributor (except as may be necessary to comply with
+the notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+No Contributor makes additional grants as a result of Your choice to
+distribute the Covered Software under a subsequent version of this
+License (see Section 10.2) or under the terms of a Secondary License (if
+permitted under the terms of Section 3.3).
+
+2.5. Representation
+
+Each Contributor represents that the Contributor believes its
+Contributions are its original creation(s) or it has sufficient rights
+to grant the rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+This License is not intended to limit any rights You have under
+applicable copyright doctrines of fair use, fair dealing, or other
+equivalents.
+
+2.7. Conditions
+
+Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
+in Section 2.1.
+
+3. Responsibilities
+-------------------
+
+3.1. Distribution of Source Form
+
+All distribution of Covered Software in Source Code Form, including any
+Modifications that You create or to which You contribute, must be under
+the terms of this License. You must inform recipients that the Source
+Code Form of the Covered Software is governed by the terms of this
+License, and how they can obtain a copy of this License. You may not
+attempt to alter or restrict the recipients' rights in the Source Code
+Form.
+
+3.2. Distribution of Executable Form
+
+If You distribute Covered Software in Executable Form then:
+
+(a) such Covered Software must also be made available in Source Code
+    Form, as described in Section 3.1, and You must inform recipients of
+    the Executable Form how they can obtain a copy of such Source Code
+    Form by reasonable means in a timely manner, at a charge no more
+    than the cost of distribution to the recipient; and
+
+(b) You may distribute such Executable Form under the terms of this
+    License, or sublicense it under different terms, provided that the
+    license for the Executable Form does not attempt to limit or alter
+    the recipients' rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+You may create and distribute a Larger Work under terms of Your choice,
+provided that You also comply with the requirements of this License for
+the Covered Software. If the Larger Work is a combination of Covered
+Software with a work governed by one or more Secondary Licenses, and the
+Covered Software is not Incompatible With Secondary Licenses, this
+License permits You to additionally distribute such Covered Software
+under the terms of such Secondary License(s), so that the recipient of
+the Larger Work may, at their option, further distribute the Covered
+Software under the terms of either this License or such Secondary
+License(s).
+
+3.4. Notices
+
+You may not remove or alter the substance of any license notices
+(including copyright notices, patent notices, disclaimers of warranty,
+or limitations of liability) contained within the Source Code Form of
+the Covered Software, except that You may alter any license notices to
+the extent required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+You may choose to offer, and to charge a fee for, warranty, support,
+indemnity or liability obligations to one or more recipients of Covered
+Software. However, You may do so only on Your own behalf, and not on
+behalf of any Contributor. You must make it absolutely clear that any
+such warranty, support, indemnity, or liability obligation is offered by
+You alone, and You hereby agree to indemnify every Contributor for any
+liability incurred by such Contributor as a result of warranty, support,
+indemnity or liability terms You offer. You may include additional
+disclaimers of warranty and limitations of liability specific to any
+jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+---------------------------------------------------
+
+If it is impossible for You to comply with any of the terms of this
+License with respect to some or all of the Covered Software due to
+statute, judicial order, or regulation then You must: (a) comply with
+the terms of this License to the maximum extent possible; and (b)
+describe the limitations and the code they affect. Such description must
+be placed in a text file included with all distributions of the Covered
+Software under this License. Except to the extent prohibited by statute
+or regulation, such description must be sufficiently detailed for a
+recipient of ordinary skill to be able to understand it.
+
+5. Termination
+--------------
+
+5.1. The rights granted under this License will terminate automatically
+if You fail to comply with any of its terms. However, if You become
+compliant, then the rights granted under this License from a particular
+Contributor are reinstated (a) provisionally, unless and until such
+Contributor explicitly and finally terminates Your grants, and (b) on an
+ongoing basis, if such Contributor fails to notify You of the
+non-compliance by some reasonable means prior to 60 days after You have
+come back into compliance. Moreover, Your grants from a particular
+Contributor are reinstated on an ongoing basis if such Contributor
+notifies You of the non-compliance by some reasonable means, this is the
+first time You have received notice of non-compliance with this License
+from such Contributor, and You become compliant prior to 30 days after
+Your receipt of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+infringement claim (excluding declaratory judgment actions,
+counter-claims, and cross-claims) alleging that a Contributor Version
+directly or indirectly infringes any patent, then the rights granted to
+You by any and all Contributors for the Covered Software under Section
+2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all
+end user license agreements (excluding distributors and resellers) which
+have been validly granted by You or Your distributors under this License
+prior to termination shall survive termination.
+
+************************************************************************
+*                                                                      *
+*  6. Disclaimer of Warranty                                           *
+*  -------------------------                                           *
+*                                                                      *
+*  Covered Software is provided under this License on an "as is"       *
+*  basis, without warranty of any kind, either expressed, implied, or  *
+*  statutory, including, without limitation, warranties that the       *
+*  Covered Software is free of defects, merchantable, fit for a        *
+*  particular purpose or non-infringing. The entire risk as to the     *
+*  quality and performance of the Covered Software is with You.        *
+*  Should any Covered Software prove defective in any respect, You     *
+*  (not any Contributor) assume the cost of any necessary servicing,   *
+*  repair, or correction. This disclaimer of warranty constitutes an   *
+*  essential part of this License. No use of any Covered Software is   *
+*  authorized under this License except under this disclaimer.         *
+*                                                                      *
+************************************************************************
+
+************************************************************************
+*                                                                      *
+*  7. Limitation of Liability                                          *
+*  --------------------------                                          *
+*                                                                      *
+*  Under no circumstances and under no legal theory, whether tort      *
+*  (including negligence), contract, or otherwise, shall any           *
+*  Contributor, or anyone who distributes Covered Software as          *
+*  permitted above, be liable to You for any direct, indirect,         *
+*  special, incidental, or consequential damages of any character      *
+*  including, without limitation, damages for lost profits, loss of    *
+*  goodwill, work stoppage, computer failure or malfunction, or any    *
+*  and all other commercial damages or losses, even if such party      *
+*  shall have been informed of the possibility of such damages. This   *
+*  limitation of liability shall not apply to liability for death or   *
+*  personal injury resulting from such party's negligence to the       *
+*  extent applicable law prohibits such limitation. Some               *
+*  jurisdictions do not allow the exclusion or limitation of           *
+*  incidental or consequential damages, so this exclusion and          *
+*  limitation may not apply to You.                                    *
+*                                                                      *
+************************************************************************
+
+8. Litigation
+-------------
+
+Any litigation relating to this License may be brought only in the
+courts of a jurisdiction where the defendant maintains its principal
+place of business and such litigation shall be governed by laws of that
+jurisdiction, without reference to its conflict-of-law provisions.
+Nothing in this Section shall prevent a party's ability to bring
+cross-claims or counter-claims.
+
+9. Miscellaneous
+----------------
+
+This License represents the complete agreement concerning the subject
+matter hereof. If any provision of this License is held to be
+unenforceable, such provision shall be reformed only to the extent
+necessary to make it enforceable. Any law or regulation which provides
+that the language of a contract shall be construed against the drafter
+shall not be used to construe this License against a Contributor.
+
+10. Versions of the License
+---------------------------
+
+10.1. New Versions
+
+Mozilla Foundation is the license steward. Except as provided in Section
+10.3, no one other than the license steward has the right to modify or
+publish new versions of this License. Each version will be given a
+distinguishing version number.
+
+10.2. Effect of New Versions
+
+You may distribute the Covered Software under the terms of the version
+of the License under which You originally received the Covered Software,
+or under the terms of any subsequent version published by the license
+steward.
+
+10.3. Modified Versions
+
+If you create software not governed by this License, and you want to
+create a new license for such software, you may create and use a
+modified version of this License if you rename the license and remove
+any references to the name of the license steward (except to note that
+such modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary
+Licenses
+
+If You choose to distribute Source Code Form that is Incompatible With
+Secondary Licenses under the terms of this version of the License, the
+notice described in Exhibit B of this License must be attached.
+
+Exhibit A - Source Code Form License Notice
+-------------------------------------------
+
+  This Source Code is subject to the terms of the Mozilla Public
+  License, v. 2.0. If a copy of the MPL was not distributed with this
+  file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular
+file, then You may include the notice in a location (such as a LICENSE
+file in a relevant directory) where a recipient would be likely to look
+for such a notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - "Incompatible With Secondary Licenses" Notice
+---------------------------------------------------------
+
+  This Source Code is "Incompatible With Secondary Licenses", as
+  defined by the Mozilla Public License, v. 2.0.

package/README.md

@@ -0,0 +1,18 @@
+# @byline/auth
+
+Auth primitives for Byline CMS — actor classes (`AdminAuth`, `UserAuth`,
+`Actor`), the `RequestContext` shape, the `AbilityRegistry`, the
+`SessionProvider` interface, and the `AuthError` factories. A leaf package
+with no DB or transport dependencies.
+
+This package is part of [Byline CMS](https://github.com/Byline-CMS/bylinecms.dev)
+— a developer-friendly, open-source headless CMS with versioning, editorial
+workflow, and content translation as first-class concerns.
+
+For documentation, the full architecture overview, and getting started
+instructions, see the main repository:
+<https://github.com/Byline-CMS/bylinecms.dev>.
+
+## License
+
+MPL-2.0

package/dist/abilities.d.ts

@@ -0,0 +1,78 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+/**
+ * Ability registry.
+ *
+ * The load-bearing abstraction of Byline's authorization system.
+ *
+ * Every subsystem that wants to gate behaviour behind a permission
+ * registers its abilities here at `initBylineCore()` time. The registry
+ * feeds two consumers:
+ *
+ *   - **Runtime** — `AdminAuth.assertAbility('collections.pages.publish')`
+ *     checks the flat ability set on the actor; the registry is intended
+ *     to be consulted in dev mode to warn on unregistered keys once
+ *     service-layer enforcement is wired in.
+ *   - **Admin UI** — the role editor enumerates `list()` / `byGroup()`
+ *     and renders a grouped checkbox tree. No per-plugin wiring.
+ *
+ * Collections auto-register their CRUD + workflow abilities via the
+ * collection registrar in `@byline/core`. Future plugins (media,
+ * uploads, settings) contribute their own groups.
+ *
+ * See docs/analysis/AUTHN-AUTHZ-ANALYSIS.md §3.
+ */
+/**
+ * A single registered ability.
+ *
+ * `key` is the flat dotted string thrown against `AdminAuth.assertAbility`
+ * and stored one-per-row in `admin_permissions`. Keep keys stable — they
+ * are data-plane identifiers.
+ *
+ * `label` and `description` are UI-facing. `group` controls how the role
+ * editor buckets the checkbox tree — collections typically use
+ * `collections.<path>` so every ability for a collection lands in one
+ * group.
+ *
+ * `source` tags the ability's origin for the inspector view (the
+ * registered-collections / who-has-what panels still to ship).
+ */
+export interface AbilityDescriptor {
+    /** Flat dotted string, e.g. `'collections.pages.publish'`. */
+    key: string;
+    /** Short human-readable label for UI display. */
+    label: string;
+    /** Group key for UI bucketing, e.g. `'collections.pages'` or `'media'`. */
+    group: string;
+    /** Optional longer description, shown as tooltip / help text. */
+    description?: string;
+    /** Where this ability was registered from. */
+    source?: 'collection' | 'plugin' | 'core' | 'admin';
+}
+export declare class AbilityRegistry {
+    #private;
+    /**
+     * Register an ability. Silent no-op when the same key is re-registered
+     * (dupe-tolerant so tests, hot-reload, and bootstrap re-runs don't need
+     * to guard).
+     */
+    register(descriptor: AbilityDescriptor): void;
+    /** Whether a key has been registered. */
+    has(key: string): boolean;
+    /** Look up a descriptor by key. */
+    get(key: string): AbilityDescriptor | undefined;
+    /** All registered abilities, in registration order. */
+    list(): AbilityDescriptor[];
+    /** All registered abilities grouped by their `group` key. */
+    byGroup(): Map<string, AbilityDescriptor[]>;
+    /** Number of registered abilities. */
+    get size(): number;
+    /** Drop every registered ability. Primarily for tests. */
+    clear(): void;
+}
+//# sourceMappingURL=abilities.d.ts.map

package/dist/abilities.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"abilities.d.ts","sourceRoot":"","sources":["../src/abilities.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH;;;;;;;;;;;;;;GAcG;AACH,MAAM,WAAW,iBAAiB;IAChC,8DAA8D;IAC9D,GAAG,EAAE,MAAM,CAAA;IACX,iDAAiD;IACjD,KAAK,EAAE,MAAM,CAAA;IACb,2EAA2E;IAC3E,KAAK,EAAE,MAAM,CAAA;IACb,iEAAiE;IACjE,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,8CAA8C;IAC9C,MAAM,CAAC,EAAE,YAAY,GAAG,QAAQ,GAAG,MAAM,GAAG,OAAO,CAAA;CACpD;AAED,qBAAa,eAAe;;IAG1B;;;;OAIG;IACH,QAAQ,CAAC,UAAU,EAAE,iBAAiB,GAAG,IAAI;IAK7C,yCAAyC;IACzC,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;IAIzB,mCAAmC;IACnC,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,iBAAiB,GAAG,SAAS;IAK/C,uDAAuD;IACvD,IAAI,IAAI,iBAAiB,EAAE;IAI3B,6DAA6D;IAC7D,OAAO,IAAI,GAAG,CAAC,MAAM,EAAE,iBAAiB,EAAE,CAAC;IAW3C,sCAAsC;IACtC,IAAI,IAAI,IAAI,MAAM,CAEjB;IAED,0DAA0D;IAC1D,KAAK,IAAI,IAAI;CAGd"}

package/dist/abilities.js

@@ -0,0 +1,55 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+export class AbilityRegistry {
+    #abilities = new Map();
+    /**
+     * Register an ability. Silent no-op when the same key is re-registered
+     * (dupe-tolerant so tests, hot-reload, and bootstrap re-runs don't need
+     * to guard).
+     */
+    register(descriptor) {
+        if (this.#abilities.has(descriptor.key))
+            return;
+        this.#abilities.set(descriptor.key, { ...descriptor });
+    }
+    /** Whether a key has been registered. */
+    has(key) {
+        return this.#abilities.has(key);
+    }
+    /** Look up a descriptor by key. */
+    get(key) {
+        const found = this.#abilities.get(key);
+        return found ? { ...found } : undefined;
+    }
+    /** All registered abilities, in registration order. */
+    list() {
+        return Array.from(this.#abilities.values(), (d) => ({ ...d }));
+    }
+    /** All registered abilities grouped by their `group` key. */
+    byGroup() {
+        const buckets = new Map();
+        for (const descriptor of this.#abilities.values()) {
+            const bucket = buckets.get(descriptor.group);
+            const entry = { ...descriptor };
+            if (bucket)
+                bucket.push(entry);
+            else
+                buckets.set(descriptor.group, [entry]);
+        }
+        return buckets;
+    }
+    /** Number of registered abilities. */
+    get size() {
+        return this.#abilities.size;
+    }
+    /** Drop every registered ability. Primarily for tests. */
+    clear() {
+        this.#abilities.clear();
+    }
+}
+//# sourceMappingURL=abilities.js.map

package/dist/abilities.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"abilities.js","sourceRoot":"","sources":["../src/abilities.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAqDH,MAAM,OAAO,eAAe;IACjB,UAAU,GAAmC,IAAI,GAAG,EAAE,CAAA;IAE/D;;;;OAIG;IACH,QAAQ,CAAC,UAA6B;QACpC,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAM;QAC/C,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,EAAE,EAAE,GAAG,UAAU,EAAE,CAAC,CAAA;IACxD,CAAC;IAED,yCAAyC;IACzC,GAAG,CAAC,GAAW;QACb,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IACjC,CAAC;IAED,mCAAmC;IACnC,GAAG,CAAC,GAAW;QACb,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QACtC,OAAO,KAAK,CAAC,CAAC,CAAC,EAAE,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC,SAAS,CAAA;IACzC,CAAC;IAED,uDAAuD;IACvD,IAAI;QACF,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAA;IAChE,CAAC;IAED,6DAA6D;IAC7D,OAAO;QACL,MAAM,OAAO,GAAG,IAAI,GAAG,EAA+B,CAAA;QACtD,KAAK,MAAM,UAAU,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,EAAE,CAAC;YAClD,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC,CAAA;YAC5C,MAAM,KAAK,GAAG,EAAE,GAAG,UAAU,EAAE,CAAA;YAC/B,IAAI,MAAM;gBAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;;gBACzB,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,CAAC,CAAA;QAC7C,CAAC;QACD,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,sCAAsC;IACtC,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,UAAU,CAAC,IAAI,CAAA;IAC7B,CAAC;IAED,0DAA0D;IAC1D,KAAK;QACH,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAA;IACzB,CAAC;CACF"}

package/dist/actor.d.ts

@@ -0,0 +1,68 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+/**
+ * Admin-realm identity. Constructed by the session provider's
+ * `resolveActor()` method, which joins roles → permissions into the
+ * flat ability set.
+ *
+ * `isSuperAdmin` short-circuits every ability check. It mirrors the
+ * `is_super_admin` flag on the `admin_users` row (see Phase 2 schema).
+ */
+export declare class AdminAuth {
+    readonly id: string;
+    readonly abilities: ReadonlySet<string>;
+    readonly isSuperAdmin: boolean;
+    constructor(params: {
+        id: string;
+        abilities: Iterable<string>;
+        isSuperAdmin?: boolean;
+    });
+    /** Non-throwing check. Super-admins always return `true`. */
+    hasAbility(ability: string): boolean;
+    /**
+     * Throwing check. Throws `ERR_FORBIDDEN` when the actor lacks the
+     * ability. Super-admins bypass. Primary enforcement call site once
+     * service-layer enforcement (`document-lifecycle` / `IDocumentQueries`)
+     * is wired in.
+     */
+    assertAbility(ability: string, message?: string): void;
+    /**
+     * Throwing check for a set of abilities (AND semantics — every listed
+     * ability must be held). Super-admins bypass.
+     */
+    assertAbilities(abilities: readonly string[], messageFor?: (ability: string) => string): void;
+}
+/**
+ * End-user / app-side identity. Stubbed in Phase 0 — the class exists so
+ * `Actor` can discriminate between realms without later breaking
+ * signatures, but the ability surface is deliberately minimal.
+ *
+ * Fleshed out when an end-user sign-in surface is actually needed. Until
+ * then, assume no call path constructs a `UserAuth` instance in practice.
+ */
+export declare class UserAuth {
+    readonly id: string;
+    readonly abilities: ReadonlySet<string>;
+    constructor(params: {
+        id: string;
+        abilities?: Iterable<string>;
+    });
+    hasAbility(ability: string): boolean;
+    assertAbility(ability: string, message?: string): void;
+}
+/**
+ * Canonical actor shape carried on `RequestContext`. `null` represents an
+ * unauthenticated request — permitted only on public read paths once
+ * service-layer enforcement is in place.
+ */
+export type Actor = AdminAuth | UserAuth | null;
+/** Narrow an `Actor` to the admin realm. */
+export declare function isAdminAuth(actor: Actor): actor is AdminAuth;
+/** Narrow an `Actor` to the end-user realm. */
+export declare function isUserAuth(actor: Actor): actor is UserAuth;
+//# sourceMappingURL=actor.d.ts.map

package/dist/actor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"actor.d.ts","sourceRoot":"","sources":["../src/actor.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AA8BH;;;;;;;GAOG;AACH,qBAAa,SAAS;IACpB,SAAgB,EAAE,EAAE,MAAM,CAAA;IAC1B,SAAgB,SAAS,EAAE,WAAW,CAAC,MAAM,CAAC,CAAA;IAC9C,SAAgB,YAAY,EAAE,OAAO,CAAA;gBAEzB,MAAM,EAAE;QAClB,EAAE,EAAE,MAAM,CAAA;QACV,SAAS,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAA;QAC3B,YAAY,CAAC,EAAE,OAAO,CAAA;KACvB;IAMD,6DAA6D;IAC7D,UAAU,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAKpC;;;;;OAKG;IACH,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI;IAStD;;;OAGG;IACH,eAAe,CAAC,SAAS,EAAE,SAAS,MAAM,EAAE,EAAE,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,MAAM,GAAG,IAAI;CAU9F;AAED;;;;;;;GAOG;AACH,qBAAa,QAAQ;IACnB,SAAgB,EAAE,EAAE,MAAM,CAAA;IAC1B,SAAgB,SAAS,EAAE,WAAW,CAAC,MAAM,CAAC,CAAA;gBAElC,MAAM,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAA;KAAE;IAKhE,UAAU,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAIpC,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI;CAOvD;AAED;;;;GAIG;AACH,MAAM,MAAM,KAAK,GAAG,SAAS,GAAG,QAAQ,GAAG,IAAI,CAAA;AAE/C,4CAA4C;AAC5C,wBAAgB,WAAW,CAAC,KAAK,EAAE,KAAK,GAAG,KAAK,IAAI,SAAS,CAE5D;AAED,+CAA+C;AAC/C,wBAAgB,UAAU,CAAC,KAAK,EAAE,KAAK,GAAG,KAAK,IAAI,QAAQ,CAE1D"}

package/dist/actor.js

@@ -0,0 +1,122 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+/**
+ * Actor primitives.
+ *
+ * Two realms are modelled from day one, even though only `AdminAuth` is
+ * fleshed out in Phase 0:
+ *
+ *   - `AdminAuth` — the identity of a signed-in Byline admin (CMS staff,
+ *     editors, super-admins). Carries a flat set of ability strings
+ *     resolved from the role graph.
+ *   - `UserAuth`  — reserved for end-user / app-side identity (public
+ *     readers with entitlements, member-only access, per-user drafts).
+ *     Stubbed out in Phase 0 so every signature that must accommodate
+ *     "either realm or neither" can reference it already; filled in when
+ *     a concrete end-user feature arrives.
+ *
+ * The `Actor` union (`AdminAuth | UserAuth | null`) is the canonical shape
+ * carried on `RequestContext`. A `null` actor represents an
+ * unauthenticated request — only permitted on public read paths
+ * (`readMode === 'published'`) once service-layer enforcement lands
+ * (the outstanding item in AUTHN-AUTHZ-ANALYSIS.md).
+ *
+ * Ability keys are flat dotted strings (e.g. `collections.pages.publish`,
+ * `media.manage`). See AUTHN-AUTHZ-ANALYSIS.md §4 for the rationale and
+ * §1 (Phase 1) for the registry that mints them.
+ */
+import { ERR_FORBIDDEN } from './errors.js';
+/**
+ * Admin-realm identity. Constructed by the session provider's
+ * `resolveActor()` method, which joins roles → permissions into the
+ * flat ability set.
+ *
+ * `isSuperAdmin` short-circuits every ability check. It mirrors the
+ * `is_super_admin` flag on the `admin_users` row (see Phase 2 schema).
+ */
+export class AdminAuth {
+    id;
+    abilities;
+    isSuperAdmin;
+    constructor(params) {
+        this.id = params.id;
+        this.abilities = new Set(params.abilities);
+        this.isSuperAdmin = params.isSuperAdmin ?? false;
+    }
+    /** Non-throwing check. Super-admins always return `true`. */
+    hasAbility(ability) {
+        if (this.isSuperAdmin)
+            return true;
+        return this.abilities.has(ability);
+    }
+    /**
+     * Throwing check. Throws `ERR_FORBIDDEN` when the actor lacks the
+     * ability. Super-admins bypass. Primary enforcement call site once
+     * service-layer enforcement (`document-lifecycle` / `IDocumentQueries`)
+     * is wired in.
+     */
+    assertAbility(ability, message) {
+        if (this.isSuperAdmin)
+            return;
+        if (!this.abilities.has(ability)) {
+            throw ERR_FORBIDDEN({
+                message: message ?? `missing required ability: ${ability}`,
+            });
+        }
+    }
+    /**
+     * Throwing check for a set of abilities (AND semantics — every listed
+     * ability must be held). Super-admins bypass.
+     */
+    assertAbilities(abilities, messageFor) {
+        if (this.isSuperAdmin)
+            return;
+        for (const ability of abilities) {
+            if (!this.abilities.has(ability)) {
+                throw ERR_FORBIDDEN({
+                    message: messageFor?.(ability) ?? `missing required ability: ${ability}`,
+                });
+            }
+        }
+    }
+}
+/**
+ * End-user / app-side identity. Stubbed in Phase 0 — the class exists so
+ * `Actor` can discriminate between realms without later breaking
+ * signatures, but the ability surface is deliberately minimal.
+ *
+ * Fleshed out when an end-user sign-in surface is actually needed. Until
+ * then, assume no call path constructs a `UserAuth` instance in practice.
+ */
+export class UserAuth {
+    id;
+    abilities;
+    constructor(params) {
+        this.id = params.id;
+        this.abilities = new Set(params.abilities ?? []);
+    }
+    hasAbility(ability) {
+        return this.abilities.has(ability);
+    }
+    assertAbility(ability, message) {
+        if (!this.abilities.has(ability)) {
+            throw ERR_FORBIDDEN({
+                message: message ?? `missing required ability: ${ability}`,
+            });
+        }
+    }
+}
+/** Narrow an `Actor` to the admin realm. */
+export function isAdminAuth(actor) {
+    return actor instanceof AdminAuth;
+}
+/** Narrow an `Actor` to the end-user realm. */
+export function isUserAuth(actor) {
+    return actor instanceof UserAuth;
+}
+//# sourceMappingURL=actor.js.map

package/dist/actor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"actor.js","sourceRoot":"","sources":["../src/actor.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AAE3C;;;;;;;GAOG;AACH,MAAM,OAAO,SAAS;IACJ,EAAE,CAAQ;IACV,SAAS,CAAqB;IAC9B,YAAY,CAAS;IAErC,YAAY,MAIX;QACC,IAAI,CAAC,EAAE,GAAG,MAAM,CAAC,EAAE,CAAA;QACnB,IAAI,CAAC,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;QAC1C,IAAI,CAAC,YAAY,GAAG,MAAM,CAAC,YAAY,IAAI,KAAK,CAAA;IAClD,CAAC;IAED,6DAA6D;IAC7D,UAAU,CAAC,OAAe;QACxB,IAAI,IAAI,CAAC,YAAY;YAAE,OAAO,IAAI,CAAA;QAClC,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;IACpC,CAAC;IAED;;;;;OAKG;IACH,aAAa,CAAC,OAAe,EAAE,OAAgB;QAC7C,IAAI,IAAI,CAAC,YAAY;YAAE,OAAM;QAC7B,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;YACjC,MAAM,aAAa,CAAC;gBAClB,OAAO,EAAE,OAAO,IAAI,6BAA6B,OAAO,EAAE;aAC3D,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,eAAe,CAAC,SAA4B,EAAE,UAAwC;QACpF,IAAI,IAAI,CAAC,YAAY;YAAE,OAAM;QAC7B,KAAK,MAAM,OAAO,IAAI,SAAS,EAAE,CAAC;YAChC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gBACjC,MAAM,aAAa,CAAC;oBAClB,OAAO,EAAE,UAAU,EAAE,CAAC,OAAO,CAAC,IAAI,6BAA6B,OAAO,EAAE;iBACzE,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;CACF;AAED;;;;;;;GAOG;AACH,MAAM,OAAO,QAAQ;IACH,EAAE,CAAQ;IACV,SAAS,CAAqB;IAE9C,YAAY,MAAoD;QAC9D,IAAI,CAAC,EAAE,GAAG,MAAM,CAAC,EAAE,CAAA;QACnB,IAAI,CAAC,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,SAAS,IAAI,EAAE,CAAC,CAAA;IAClD,CAAC;IAED,UAAU,CAAC,OAAe;QACxB,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;IACpC,CAAC;IAED,aAAa,CAAC,OAAe,EAAE,OAAgB;QAC7C,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;YACjC,MAAM,aAAa,CAAC;gBAClB,OAAO,EAAE,OAAO,IAAI,6BAA6B,OAAO,EAAE;aAC3D,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;CACF;AASD,4CAA4C;AAC5C,MAAM,UAAU,WAAW,CAAC,KAAY;IACtC,OAAO,KAAK,YAAY,SAAS,CAAA;AACnC,CAAC;AAED,+CAA+C;AAC/C,MAAM,UAAU,UAAU,CAAC,KAAY;IACrC,OAAO,KAAK,YAAY,QAAQ,CAAA;AAClC,CAAC"}

package/dist/context.d.ts

@@ -0,0 +1,63 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import { type Actor } from './actor.js';
+/**
+ * Request-scoped context threaded through every admin server fn,
+ * `document-lifecycle` service, `IDocumentQueries` method, `@byline/client`
+ * entry point, and collection hook.
+ *
+ * The auth subsystem populates `actor`; downstream code reads it. Today
+ * the threading is plumbing only — `actor.assertAbility(...)` is not yet
+ * called at the `document-lifecycle` / `IDocumentQueries` boundary. See
+ * the Phase status table in AUTHN-AUTHZ-ANALYSIS.md.
+ *
+ * `RequestContext` is intentionally independent of the existing
+ * `ReadContext` (populate / `afterRead` recursion guard) for now. Merging
+ * them is a potential follow-up if it earns its keep; keeping them
+ * separate in Phase 0 avoids churning every populate call site.
+ *
+ * Fields:
+ *   - `actor`        — the authenticated identity (or `null` for public
+ *                      read paths). Service-layer enforcement (when wired)
+ *                      will permit `null` only when
+ *                      `readMode === 'published'`.
+ *   - `requestId`    — monotonic-ish UUIDv7 per logical request. Surfaces
+ *                      in log lines and error cause chains.
+ *   - `locale`       — optional content locale for this request. When
+ *                      omitted, callers fall back to the default locale
+ *                      from `ServerConfig.i18n.content.defaultLocale`.
+ *   - `readMode`     — `'any'` (admin default) or `'published'` (public
+ *                      default). Mirrors the existing `ReadMode` on
+ *                      `IDocumentQueries` call options; threaded here so
+ *                      the auth layer can reason about the public-read
+ *                      case uniformly.
+ */
+export interface RequestContext {
+    actor: Actor;
+    requestId: string;
+    locale?: string;
+    readMode?: 'any' | 'published';
+}
+/** Build a fresh `RequestContext`. All fields optional for ergonomic test/script construction. */
+export declare function createRequestContext(overrides?: Partial<RequestContext>): RequestContext;
+/**
+ * Construct an explicit super-admin `RequestContext` for scripts, seeds,
+ * and tests.
+ *
+ * The super-admin bypass on `AdminAuth.isSuperAdmin` short-circuits every
+ * ability check downstream — which is exactly what migration scripts and
+ * seeders need, but it is also why this helper is **explicit**: callers
+ * must state "I am acting as super-admin" in code so the fact is
+ * auditable. No ambient bypass, no environment-variable escape hatch.
+ */
+export declare function createSuperAdminContext(params?: {
+    id?: string;
+    requestId?: string;
+    locale?: string;
+}): RequestContext;
+//# sourceMappingURL=context.d.ts.map

package/dist/context.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"context.d.ts","sourceRoot":"","sources":["../src/context.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,EAAE,KAAK,KAAK,EAAa,MAAM,YAAY,CAAA;AAElD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,MAAM,WAAW,cAAc;IAC7B,KAAK,EAAE,KAAK,CAAA;IACZ,SAAS,EAAE,MAAM,CAAA;IACjB,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,QAAQ,CAAC,EAAE,KAAK,GAAG,WAAW,CAAA;CAC/B;AAED,kGAAkG;AAClG,wBAAgB,oBAAoB,CAAC,SAAS,CAAC,EAAE,OAAO,CAAC,cAAc,CAAC,GAAG,cAAc,CAOxF;AAED;;;;;;;;;GASG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,CAAC,EAAE;IAC/C,EAAE,CAAC,EAAE,MAAM,CAAA;IACX,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB,GAAG,cAAc,CAWjB"}

package/dist/context.js

@@ -0,0 +1,41 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import { v7 as uuidv7 } from 'uuid';
+import { AdminAuth } from './actor.js';
+/** Build a fresh `RequestContext`. All fields optional for ergonomic test/script construction. */
+export function createRequestContext(overrides) {
+    return {
+        actor: overrides?.actor ?? null,
+        requestId: overrides?.requestId ?? uuidv7(),
+        locale: overrides?.locale,
+        readMode: overrides?.readMode,
+    };
+}
+/**
+ * Construct an explicit super-admin `RequestContext` for scripts, seeds,
+ * and tests.
+ *
+ * The super-admin bypass on `AdminAuth.isSuperAdmin` short-circuits every
+ * ability check downstream — which is exactly what migration scripts and
+ * seeders need, but it is also why this helper is **explicit**: callers
+ * must state "I am acting as super-admin" in code so the fact is
+ * auditable. No ambient bypass, no environment-variable escape hatch.
+ */
+export function createSuperAdminContext(params) {
+    const actor = new AdminAuth({
+        id: params?.id ?? 'super-admin',
+        abilities: [],
+        isSuperAdmin: true,
+    });
+    return {
+        actor,
+        requestId: params?.requestId ?? uuidv7(),
+        locale: params?.locale,
+    };
+}
+//# sourceMappingURL=context.js.map

package/dist/context.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"context.js","sourceRoot":"","sources":["../src/context.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,EAAE,IAAI,MAAM,EAAE,MAAM,MAAM,CAAA;AAEnC,OAAO,EAAc,SAAS,EAAE,MAAM,YAAY,CAAA;AAwClD,kGAAkG;AAClG,MAAM,UAAU,oBAAoB,CAAC,SAAmC;IACtE,OAAO;QACL,KAAK,EAAE,SAAS,EAAE,KAAK,IAAI,IAAI;QAC/B,SAAS,EAAE,SAAS,EAAE,SAAS,IAAI,MAAM,EAAE;QAC3C,MAAM,EAAE,SAAS,EAAE,MAAM;QACzB,QAAQ,EAAE,SAAS,EAAE,QAAQ;KAC9B,CAAA;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,uBAAuB,CAAC,MAIvC;IACC,MAAM,KAAK,GAAG,IAAI,SAAS,CAAC;QAC1B,EAAE,EAAE,MAAM,EAAE,EAAE,IAAI,aAAa;QAC/B,SAAS,EAAE,EAAE;QACb,YAAY,EAAE,IAAI;KACnB,CAAC,CAAA;IACF,OAAO;QACL,KAAK;QACL,SAAS,EAAE,MAAM,EAAE,SAAS,IAAI,MAAM,EAAE;QACxC,MAAM,EAAE,MAAM,EAAE,MAAM;KACvB,CAAA;AACH,CAAC"}

package/dist/errors.d.ts

@@ -0,0 +1,66 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+/**
+ * Auth-realm error factories.
+ *
+ * Shaped to match `@byline/core`'s `BylineError` / `createErrorType` conventions
+ * (a `code` property and a factory that returns a thrown-ready error) without
+ * depending on core — `@byline/auth` stays a leaf package so that core can
+ * import types from it without circular risk.
+ *
+ * Consumers can:
+ *   - `instanceof AuthError` to narrow,
+ *   - `err.code === 'ERR_FORBIDDEN'` to branch on category,
+ *   - catch and re-throw as a `BylineError` at the service boundary if the
+ *     logger integration is wanted (Phase 4 call sites will do this).
+ */
+export declare const AuthErrorCodes: {
+    readonly UNAUTHENTICATED: "ERR_UNAUTHENTICATED";
+    readonly FORBIDDEN: "ERR_FORBIDDEN";
+    readonly INVALID_CREDENTIALS: "ERR_INVALID_CREDENTIALS";
+    readonly INVALID_TOKEN: "ERR_INVALID_TOKEN";
+    readonly REVOKED_TOKEN: "ERR_REVOKED_TOKEN";
+    readonly ACCOUNT_DISABLED: "ERR_ACCOUNT_DISABLED";
+};
+export type AuthErrorCode = (typeof AuthErrorCodes)[keyof typeof AuthErrorCodes];
+export interface AuthErrorOptions {
+    message: string;
+    cause?: unknown;
+}
+export declare class AuthError extends Error {
+    readonly code: AuthErrorCode;
+    constructor(code: AuthErrorCode, options: AuthErrorOptions);
+}
+/** Throw when a request has no actor and the path requires one. */
+export declare const ERR_UNAUTHENTICATED: (options: AuthErrorOptions) => AuthError;
+/** Throw when the actor is known but lacks the required ability. */
+export declare const ERR_FORBIDDEN: (options: AuthErrorOptions) => AuthError;
+/**
+ * Throw on sign-in when the email/password combination does not match a
+ * known account. Message is intentionally generic — callers should not
+ * distinguish "unknown email" from "wrong password" at this layer.
+ */
+export declare const ERR_INVALID_CREDENTIALS: (options: AuthErrorOptions) => AuthError;
+/**
+ * Throw when an access or refresh token is malformed, has a bad signature,
+ * has expired, or otherwise cannot be verified.
+ */
+export declare const ERR_INVALID_TOKEN: (options: AuthErrorOptions) => AuthError;
+/**
+ * Throw when a refresh token has been revoked — either explicitly, or
+ * because it was rotated and the caller is presenting a stale copy
+ * (replay). Presenting a rotated token additionally revokes the entire
+ * chain descended from it.
+ */
+export declare const ERR_REVOKED_TOKEN: (options: AuthErrorOptions) => AuthError;
+/**
+ * Throw when credentials / token are valid but the account has been
+ * disabled (`is_enabled = false`).
+ */
+export declare const ERR_ACCOUNT_DISABLED: (options: AuthErrorOptions) => AuthError;
+//# sourceMappingURL=errors.d.ts.map

package/dist/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;;;;;;;;;;;GAaG;AAEH,eAAO,MAAM,cAAc;;;;;;;CAOjB,CAAA;AAEV,MAAM,MAAM,aAAa,GAAG,CAAC,OAAO,cAAc,CAAC,CAAC,MAAM,OAAO,cAAc,CAAC,CAAA;AAEhF,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAA;IACf,KAAK,CAAC,EAAE,OAAO,CAAA;CAChB;AAED,qBAAa,SAAU,SAAQ,KAAK;IAClC,SAAgB,IAAI,EAAE,aAAa,CAAA;gBAEvB,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,gBAAgB;CAK3D;AAMD,mEAAmE;AACnE,eAAO,MAAM,mBAAmB,YAJb,gBAAgB,cAImD,CAAA;AAEtF,oEAAoE;AACpE,eAAO,MAAM,aAAa,YAPP,gBAAgB,cAOuC,CAAA;AAE1E;;;;GAIG;AACH,eAAO,MAAM,uBAAuB,YAdjB,gBAAgB,cAc2D,CAAA;AAE9F;;;GAGG;AACH,eAAO,MAAM,iBAAiB,YApBX,gBAAgB,cAoB+C,CAAA;AAElF;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,YA5BX,gBAAgB,cA4B+C,CAAA;AAElF;;;GAGG;AACH,eAAO,MAAM,oBAAoB,YAlCd,gBAAgB,cAkCqD,CAAA"}

package/dist/errors.js

@@ -0,0 +1,68 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+/**
+ * Auth-realm error factories.
+ *
+ * Shaped to match `@byline/core`'s `BylineError` / `createErrorType` conventions
+ * (a `code` property and a factory that returns a thrown-ready error) without
+ * depending on core — `@byline/auth` stays a leaf package so that core can
+ * import types from it without circular risk.
+ *
+ * Consumers can:
+ *   - `instanceof AuthError` to narrow,
+ *   - `err.code === 'ERR_FORBIDDEN'` to branch on category,
+ *   - catch and re-throw as a `BylineError` at the service boundary if the
+ *     logger integration is wanted (Phase 4 call sites will do this).
+ */
+export const AuthErrorCodes = {
+    UNAUTHENTICATED: 'ERR_UNAUTHENTICATED',
+    FORBIDDEN: 'ERR_FORBIDDEN',
+    INVALID_CREDENTIALS: 'ERR_INVALID_CREDENTIALS',
+    INVALID_TOKEN: 'ERR_INVALID_TOKEN',
+    REVOKED_TOKEN: 'ERR_REVOKED_TOKEN',
+    ACCOUNT_DISABLED: 'ERR_ACCOUNT_DISABLED',
+};
+export class AuthError extends Error {
+    code;
+    constructor(code, options) {
+        super(options.message, options.cause != null ? { cause: options.cause } : undefined);
+        this.name = 'AuthError';
+        this.code = code;
+    }
+}
+const createAuthErrorType = (code) => {
+    return (options) => new AuthError(code, options);
+};
+/** Throw when a request has no actor and the path requires one. */
+export const ERR_UNAUTHENTICATED = createAuthErrorType(AuthErrorCodes.UNAUTHENTICATED);
+/** Throw when the actor is known but lacks the required ability. */
+export const ERR_FORBIDDEN = createAuthErrorType(AuthErrorCodes.FORBIDDEN);
+/**
+ * Throw on sign-in when the email/password combination does not match a
+ * known account. Message is intentionally generic — callers should not
+ * distinguish "unknown email" from "wrong password" at this layer.
+ */
+export const ERR_INVALID_CREDENTIALS = createAuthErrorType(AuthErrorCodes.INVALID_CREDENTIALS);
+/**
+ * Throw when an access or refresh token is malformed, has a bad signature,
+ * has expired, or otherwise cannot be verified.
+ */
+export const ERR_INVALID_TOKEN = createAuthErrorType(AuthErrorCodes.INVALID_TOKEN);
+/**
+ * Throw when a refresh token has been revoked — either explicitly, or
+ * because it was rotated and the caller is presenting a stale copy
+ * (replay). Presenting a rotated token additionally revokes the entire
+ * chain descended from it.
+ */
+export const ERR_REVOKED_TOKEN = createAuthErrorType(AuthErrorCodes.REVOKED_TOKEN);
+/**
+ * Throw when credentials / token are valid but the account has been
+ * disabled (`is_enabled = false`).
+ */
+export const ERR_ACCOUNT_DISABLED = createAuthErrorType(AuthErrorCodes.ACCOUNT_DISABLED);
+//# sourceMappingURL=errors.js.map

package/dist/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;;;;;;;;;;;GAaG;AAEH,MAAM,CAAC,MAAM,cAAc,GAAG;IAC5B,eAAe,EAAE,qBAAqB;IACtC,SAAS,EAAE,eAAe;IAC1B,mBAAmB,EAAE,yBAAyB;IAC9C,aAAa,EAAE,mBAAmB;IAClC,aAAa,EAAE,mBAAmB;IAClC,gBAAgB,EAAE,sBAAsB;CAChC,CAAA;AASV,MAAM,OAAO,SAAU,SAAQ,KAAK;IAClB,IAAI,CAAe;IAEnC,YAAY,IAAmB,EAAE,OAAyB;QACxD,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAA;QACpF,IAAI,CAAC,IAAI,GAAG,WAAW,CAAA;QACvB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAA;IAClB,CAAC;CACF;AAED,MAAM,mBAAmB,GAAG,CAAC,IAAmB,EAAE,EAAE;IAClD,OAAO,CAAC,OAAyB,EAAE,EAAE,CAAC,IAAI,SAAS,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;AACpE,CAAC,CAAA;AAED,mEAAmE;AACnE,MAAM,CAAC,MAAM,mBAAmB,GAAG,mBAAmB,CAAC,cAAc,CAAC,eAAe,CAAC,CAAA;AAEtF,oEAAoE;AACpE,MAAM,CAAC,MAAM,aAAa,GAAG,mBAAmB,CAAC,cAAc,CAAC,SAAS,CAAC,CAAA;AAE1E;;;;GAIG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAG,mBAAmB,CAAC,cAAc,CAAC,mBAAmB,CAAC,CAAA;AAE9F;;;GAGG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,mBAAmB,CAAC,cAAc,CAAC,aAAa,CAAC,CAAA;AAElF;;;;;GAKG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,mBAAmB,CAAC,cAAc,CAAC,aAAa,CAAC,CAAA;AAElF;;;GAGG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,mBAAmB,CAAC,cAAc,CAAC,gBAAgB,CAAC,CAAA"}

package/dist/index.d.ts

@@ -0,0 +1,13 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+export { type AbilityDescriptor, AbilityRegistry, } from './abilities.js';
+export { type Actor, AdminAuth, isAdminAuth, isUserAuth, UserAuth, } from './actor.js';
+export { createRequestContext, createSuperAdminContext, type RequestContext, } from './context.js';
+export { AuthError, type AuthErrorCode, AuthErrorCodes, type AuthErrorOptions, ERR_ACCOUNT_DISABLED, ERR_FORBIDDEN, ERR_INVALID_CREDENTIALS, ERR_INVALID_TOKEN, ERR_REVOKED_TOKEN, ERR_UNAUTHENTICATED, } from './errors.js';
+export type { AccessTokenPayload, RefreshSessionArgs, SessionProvider, SessionProviderCapabilities, SessionTokens, SignInResult, SignInWithPasswordArgs, } from './session-provider.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,KAAK,iBAAiB,EACtB,eAAe,GAChB,MAAM,gBAAgB,CAAA;AACvB,OAAO,EACL,KAAK,KAAK,EACV,SAAS,EACT,WAAW,EACX,UAAU,EACV,QAAQ,GACT,MAAM,YAAY,CAAA;AACnB,OAAO,EACL,oBAAoB,EACpB,uBAAuB,EACvB,KAAK,cAAc,GACpB,MAAM,cAAc,CAAA;AACrB,OAAO,EACL,SAAS,EACT,KAAK,aAAa,EAClB,cAAc,EACd,KAAK,gBAAgB,EACrB,oBAAoB,EACpB,aAAa,EACb,uBAAuB,EACvB,iBAAiB,EACjB,iBAAiB,EACjB,mBAAmB,GACpB,MAAM,aAAa,CAAA;AACpB,YAAY,EACV,kBAAkB,EAClB,kBAAkB,EAClB,eAAe,EACf,2BAA2B,EAC3B,aAAa,EACb,YAAY,EACZ,sBAAsB,GACvB,MAAM,uBAAuB,CAAA"}

package/dist/index.js

@@ -0,0 +1,12 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+export { AbilityRegistry, } from './abilities.js';
+export { AdminAuth, isAdminAuth, isUserAuth, UserAuth, } from './actor.js';
+export { createRequestContext, createSuperAdminContext, } from './context.js';
+export { AuthError, AuthErrorCodes, ERR_ACCOUNT_DISABLED, ERR_FORBIDDEN, ERR_INVALID_CREDENTIALS, ERR_INVALID_TOKEN, ERR_REVOKED_TOKEN, ERR_UNAUTHENTICATED, } from './errors.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAEL,eAAe,GAChB,MAAM,gBAAgB,CAAA;AACvB,OAAO,EAEL,SAAS,EACT,WAAW,EACX,UAAU,EACV,QAAQ,GACT,MAAM,YAAY,CAAA;AACnB,OAAO,EACL,oBAAoB,EACpB,uBAAuB,GAExB,MAAM,cAAc,CAAA;AACrB,OAAO,EACL,SAAS,EAET,cAAc,EAEd,oBAAoB,EACpB,aAAa,EACb,uBAAuB,EACvB,iBAAiB,EACjB,iBAAiB,EACjB,mBAAmB,GACpB,MAAM,aAAa,CAAA"}

package/dist/session-provider.d.ts

@@ -0,0 +1,121 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+/**
+ * Session provider — the transport-agnostic contract for authenticating
+ * admin users and managing session tokens.
+ *
+ * The built-in `JwtSessionProvider` (in `@byline/db-postgres/admin`) mints
+ * short-lived JWT access tokens and long-lived opaque refresh tokens,
+ * storing refresh-token hashes in `byline_admin_refresh_tokens` for
+ * revocation and replay detection.
+ *
+ * Alternative providers can adapt Lucia, better-auth, WorkOS, Clerk, or an
+ * institutional SSO/IdP by implementing this surface. `capabilities` lets
+ * the admin UI render affordances appropriate to whatever provider is
+ * wired up.
+ *
+ * See docs/analysis/AUTHN-AUTHZ-ANALYSIS.md §7.
+ */
+import type { AdminAuth } from './actor.js';
+/**
+ * Decoded access-token payload. `JwtSessionProvider` issues this shape;
+ * alternative providers may attach additional claims but must at minimum
+ * carry the `sub` (admin user id) so `verifyAccessToken` can resolve the
+ * actor.
+ */
+export interface AccessTokenPayload {
+    /** Admin user id (UUIDv7). */
+    sub: string;
+    /** Issued-at (seconds since epoch). */
+    iat: number;
+    /** Expires-at (seconds since epoch). */
+    exp: number;
+    /** Issuer identifier — `'byline'` for the built-in provider. */
+    iss: string;
+    /** JWT id. Unique per issuance so same-second re-issuance produces distinct tokens. */
+    jti: string;
+    /** Token type discriminator — `'access'` for access tokens. */
+    typ: 'access';
+}
+/** Returned by `signInWithPassword` and `refreshSession`. */
+export interface SessionTokens {
+    /** Short-lived (typically 15 min). Sent on every authenticated request. */
+    accessToken: string;
+    /**
+     * Long-lived (typically 30 days). Opaque random string in the built-in
+     * provider; alternative providers may use their own format. Client
+     * stores this in an http-only cookie or secure storage.
+     */
+    refreshToken: string;
+    /** Seconds-from-now at which `accessToken` expires. */
+    accessTokenExpiresAt: Date;
+    /** Seconds-from-now at which `refreshToken` expires. */
+    refreshTokenExpiresAt: Date;
+}
+export interface SignInResult extends SessionTokens {
+    actor: AdminAuth;
+}
+export interface SignInWithPasswordArgs {
+    email: string;
+    password: string;
+    /** Client IP — recorded on the refresh-token row for observability. */
+    ip?: string;
+    /** Client User-Agent — recorded on the refresh-token row for observability. */
+    userAgent?: string;
+}
+export interface RefreshSessionArgs {
+    refreshToken: string;
+    ip?: string;
+    userAgent?: string;
+}
+/**
+ * Capability flags. The admin UI consults these when rendering sign-in
+ * affordances — e.g. hide the "change password" button when the provider
+ * delegates credential management to an external IdP, show a "Sign in
+ * with SSO" button when appropriate.
+ */
+export interface SessionProviderCapabilities {
+    /** Can callers change their password through this provider? */
+    passwordChange: boolean;
+    /** Does the provider support magic-link sign-in? */
+    magicLink: boolean;
+    /** Does the provider delegate to an SSO/IdP (SAML, OIDC, etc.)? */
+    sso: boolean;
+}
+export interface SessionProvider {
+    /** Verify email + password, return fresh tokens and the resolved actor. */
+    signInWithPassword(args: SignInWithPasswordArgs): Promise<SignInResult>;
+    /**
+     * Verify an access token. Returns the actor resolved from the token's
+     * subject. Throws `ERR_INVALID_TOKEN` on bad signature, expiry, or
+     * tampering; throws `ERR_ACCOUNT_DISABLED` if the subject has been
+     * disabled since the token was issued.
+     */
+    verifyAccessToken(token: string): Promise<{
+        actor: AdminAuth;
+    }>;
+    /**
+     * Rotate the refresh token. Returns fresh tokens; the presented token
+     * is revoked. Presenting an already-rotated token triggers
+     * `ERR_REVOKED_TOKEN` and revokes the entire chain descended from the
+     * replayed token (theft recovery).
+     */
+    refreshSession(args: RefreshSessionArgs): Promise<SessionTokens>;
+    /** Revoke a refresh token. Idempotent on an already-revoked token. */
+    revokeSession(refreshToken: string): Promise<void>;
+    /**
+     * Resolve an actor from an admin user id without any token. Used by
+     * tests, seeds, and admin tooling that authenticates outside the
+     * sign-in flow. Returns `null` when the user does not exist or is
+     * disabled.
+     */
+    resolveActor(adminUserId: string): Promise<AdminAuth | null>;
+    /** Declarative capability flags. See `SessionProviderCapabilities`. */
+    readonly capabilities: SessionProviderCapabilities;
+}
+//# sourceMappingURL=session-provider.d.ts.map

package/dist/session-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-provider.d.ts","sourceRoot":"","sources":["../src/session-provider.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAA;AAE3C;;;;;GAKG;AACH,MAAM,WAAW,kBAAkB;IACjC,8BAA8B;IAC9B,GAAG,EAAE,MAAM,CAAA;IACX,uCAAuC;IACvC,GAAG,EAAE,MAAM,CAAA;IACX,wCAAwC;IACxC,GAAG,EAAE,MAAM,CAAA;IACX,gEAAgE;IAChE,GAAG,EAAE,MAAM,CAAA;IACX,uFAAuF;IACvF,GAAG,EAAE,MAAM,CAAA;IACX,+DAA+D;IAC/D,GAAG,EAAE,QAAQ,CAAA;CACd;AAED,6DAA6D;AAC7D,MAAM,WAAW,aAAa;IAC5B,2EAA2E;IAC3E,WAAW,EAAE,MAAM,CAAA;IACnB;;;;OAIG;IACH,YAAY,EAAE,MAAM,CAAA;IACpB,uDAAuD;IACvD,oBAAoB,EAAE,IAAI,CAAA;IAC1B,wDAAwD;IACxD,qBAAqB,EAAE,IAAI,CAAA;CAC5B;AAED,MAAM,WAAW,YAAa,SAAQ,aAAa;IACjD,KAAK,EAAE,SAAS,CAAA;CACjB;AAED,MAAM,WAAW,sBAAsB;IACrC,KAAK,EAAE,MAAM,CAAA;IACb,QAAQ,EAAE,MAAM,CAAA;IAChB,uEAAuE;IACvE,EAAE,CAAC,EAAE,MAAM,CAAA;IACX,+EAA+E;IAC/E,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,YAAY,EAAE,MAAM,CAAA;IACpB,EAAE,CAAC,EAAE,MAAM,CAAA;IACX,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAED;;;;;GAKG;AACH,MAAM,WAAW,2BAA2B;IAC1C,+DAA+D;IAC/D,cAAc,EAAE,OAAO,CAAA;IACvB,oDAAoD;IACpD,SAAS,EAAE,OAAO,CAAA;IAClB,mEAAmE;IACnE,GAAG,EAAE,OAAO,CAAA;CACb;AAED,MAAM,WAAW,eAAe;IAC9B,2EAA2E;IAC3E,kBAAkB,CAAC,IAAI,EAAE,sBAAsB,GAAG,OAAO,CAAC,YAAY,CAAC,CAAA;IAEvE;;;;;OAKG;IACH,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,KAAK,EAAE,SAAS,CAAA;KAAE,CAAC,CAAA;IAE/D;;;;;OAKG;IACH,cAAc,CAAC,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC,CAAA;IAEhE,sEAAsE;IACtE,aAAa,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAElD;;;;;OAKG;IACH,YAAY,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAAA;IAE5D,uEAAuE;IACvE,QAAQ,CAAC,YAAY,EAAE,2BAA2B,CAAA;CACnD"}

package/dist/session-provider.js

@@ -0,0 +1,9 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+export {};
+//# sourceMappingURL=session-provider.js.map

package/dist/session-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-provider.js","sourceRoot":"","sources":["../src/session-provider.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG"}

package/package.json

@@ -0,0 +1,69 @@
+{
+  "name": "@byline/auth",
+  "private": false,
+  "license": "MPL-2.0",
+  "version": "0.9.3",
+  "engines": {
+    "node": ">=20.9.0"
+  },
+  "description": "Byline CMS auth primitives — actors, abilities, request context, session provider interface",
+  "keywords": [
+    "cms",
+    "headless cms",
+    "content management",
+    "authentication",
+    "authorization"
+  ],
+  "homepage": "https://github.com/Byline-CMS/bylinecms.dev",
+  "bugs": {
+    "url": "https://github.com/Byline-CMS/bylinecms.dev/issues"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Byline-CMS/bylinecms.dev.git",
+    "directory": "packages/auth"
+  },
+  "type": "module",
+  "main": "dist/index.js",
+  "index": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.js"
+    },
+    "./package.json": "./package.json"
+  },
+  "files": [
+    "dist"
+  ],
+  "dependencies": {
+    "npm-run-all": "^4.1.5",
+    "uuid": "^14.0.0"
+  },
+  "devDependencies": {
+    "@biomejs/biome": "2.4.14",
+    "@types/node": "^25.6.0",
+    "chokidar": "^5.0.0",
+    "chokidar-cli": "^3.0.0",
+    "tsc-alias": "^1.8.17",
+    "tsx": "^4.21.0",
+    "typescript": "6.0.3",
+    "vitest": "^4.1.5"
+  },
+  "publishConfig": {
+    "access": "public",
+    "index": "dist/index.js",
+    "registry": "https://registry.npmjs.org/"
+  },
+  "scripts": {
+    "dev": "chokidar 'src/**/*' -c 'npm-run-all build'",
+    "build": "tsc -p tsconfig.json && tsc-alias",
+    "clean": "rimraf node_modules dist build .turbo",
+    "lint": "biome check --write --unsafe --diagnostic-level=error",
+    "test": "vitest run --mode=node",
+    "test:watch": "vitest --mode=node",
+    "typecheck": "tsc --noEmit"
+  }
+}