@carlonicora/nestjs-neo4jsonapi 1.63.0 → 1.64.0

package/dist/bootstrap/bootstrap.options.d.ts

@@ -1,6 +1,7 @@
 import { DynamicModule, Type } from "@nestjs/common";
 import { EntityDescriptor, RelationshipDef } from "../common/interfaces/entity.schema.interface";
 import { ContentExtensionConfig } from "../foundations/content/interfaces/content.extension.interface";
+import type { RbacMatrix } from "../foundations/rbac/dsl/types";
 import { ReferralModuleConfig } from "../foundations/referral/interfaces/referral.config.interface";
 /**
  * i18n configuration options
@@ -85,6 +86,12 @@ export interface BootstrapOptions {
      * ```
      */
     openApi?: OpenApiOptions;
+    /**
+     * Declarative RBAC matrix.
+     * When provided, the RbacReconciler reconciles Neo4j to match this matrix
+     * on application bootstrap. See docs for `defineRbac()`.
+     */
+    rbac?: RbacMatrix;
 }
 /**
  * OpenAPI documentation options

package/dist/bootstrap/bootstrap.options.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"bootstrap.options.d.ts","sourceRoot":"","sources":["../../src/bootstrap/bootstrap.options.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,8CAA8C,CAAC;AACjG,OAAO,EAAE,sBAAsB,EAAE,MAAM,+DAA+D,CAAC;AACvG,OAAO,EAAE,oBAAoB,EAAE,MAAM,8DAA8D,CAAC;AAEpG;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B;;;OAGG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;;;;GAKG;AACH,MAAM,WAAW,gBAAgB;IAC/B;;;OAGG;IACH,UAAU,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,aAAa,CAAC,EAAE,CAAC;IAE1C;;;OAGG;IACH,IAAI,CAAC,EAAE,WAAW,CAAC;IAEnB;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAEnC;;;;;;;;;;;;;OAaG;IACH,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;IAE1C;;;;;;;;;;;;OAYG;IACH,QAAQ,CAAC,EAAE,oBAAoB,CAAC;IAEhC;;;;;;;;;;;;;;;OAeG;IACH,OAAO,CAAC,EAAE,cAAc,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,kDAAkD;IAClD,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,iDAAiD;IACjD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,6CAA6C;IAC7C,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,wCAAwC;IACxC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,8BAA8B;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,oCAAoC;IACpC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,kBAAkB;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,+DAA+D;IAC/D,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,4BAA4B;IAC5B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,mBAAmB;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,kBAAkB;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mEAAmE;IACnE,iBAAiB,CAAC,EAAE,gBAAgB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC,EAAE,CAAC;CAC9E"}
+{"version":3,"file":"bootstrap.options.d.ts","sourceRoot":"","sources":["../../src/bootstrap/bootstrap.options.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,8CAA8C,CAAC;AACjG,OAAO,EAAE,sBAAsB,EAAE,MAAM,+DAA+D,CAAC;AACvG,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAC;AAChE,OAAO,EAAE,oBAAoB,EAAE,MAAM,8DAA8D,CAAC;AAEpG;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B;;;OAGG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;;;;GAKG;AACH,MAAM,WAAW,gBAAgB;IAC/B;;;OAGG;IACH,UAAU,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,aAAa,CAAC,EAAE,CAAC;IAE1C;;;OAGG;IACH,IAAI,CAAC,EAAE,WAAW,CAAC;IAEnB;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAEnC;;;;;;;;;;;;;OAaG;IACH,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;IAE1C;;;;;;;;;;;;OAYG;IACH,QAAQ,CAAC,EAAE,oBAAoB,CAAC;IAEhC;;;;;;;;;;;;;;;OAeG;IACH,OAAO,CAAC,EAAE,cAAc,CAAC;IAEzB;;;;OAIG;IACH,IAAI,CAAC,EAAE,UAAU,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,kDAAkD;IAClD,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,iDAAiD;IACjD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,6CAA6C;IAC7C,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,wCAAwC;IACxC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,8BAA8B;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,oCAAoC;IACpC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,kBAAkB;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,+DAA+D;IAC/D,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,4BAA4B;IAC5B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,mBAAmB;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,kBAAkB;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mEAAmE;IACnE,iBAAiB,CAAC,EAAE,gBAAgB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC,EAAE,CAAC;CAC9E"}

package/dist/foundations/rbac/controllers/rbac-dev.controller.d.ts

@@ -0,0 +1,50 @@
+import type { RbacMatrix } from "../dsl/types";
+interface RbacMatrixPutBody {
+    data: {
+        type: string;
+        id?: string;
+        attributes: {
+            matrix: RbacMatrix;
+            roleNames: Record<string, string>;
+            moduleNames: Record<string, string>;
+            outputPath: string;
+        };
+    };
+}
+/**
+ * Dev-only endpoints for editing the rbac matrix.
+ *
+ * Registered ONLY when `devMode` is enabled on RbacModule.register (see
+ * `apps/api/src/features/features.modules.ts`).
+ *
+ * Both endpoints speak JSON:API (single-resource envelopes) so the frontend
+ * can consume them via the standard `callApi()` pipeline instead of a
+ * bespoke raw-fetch escape hatch.
+ */
+export declare class RbacDevController {
+    private readonly matrix;
+    private readonly moduleUserPaths;
+    constructor(matrix: RbacMatrix | null, moduleUserPaths: Record<string, readonly string[]> | null);
+    getMatrix(): {
+        data: {
+            type: string;
+            id: string;
+            attributes: {
+                matrix: RbacMatrix<Record<string, readonly string[]>>;
+                modulePaths: Record<string, readonly string[]>;
+            };
+        };
+    };
+    putMatrix(body: RbacMatrixPutBody): Promise<{
+        data: {
+            type: string;
+            id: string;
+            attributes: {
+                bytesWritten: number;
+                path: string;
+            };
+        };
+    }>;
+}
+export {};
+//# sourceMappingURL=rbac-dev.controller.d.ts.map

package/dist/foundations/rbac/controllers/rbac-dev.controller.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac-dev.controller.d.ts","sourceRoot":"","sources":["../../../../src/foundations/rbac/controllers/rbac-dev.controller.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAa,UAAU,EAAE,MAAM,cAAc,CAAC;AA8C1D,UAAU,iBAAiB;IACzB,IAAI,EAAE;QACJ,IAAI,EAAE,MAAM,CAAC;QACb,EAAE,CAAC,EAAE,MAAM,CAAC;QACZ,UAAU,EAAE;YACV,MAAM,EAAE,UAAU,CAAC;YACnB,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YAClC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YACpC,UAAU,EAAE,MAAM,CAAC;SACpB,CAAC;KACH,CAAC;CACH;AAED;;;;;;;;;GASG;AACH,qBACa,iBAAiB;IAEa,OAAO,CAAC,QAAQ,CAAC,MAAM;IAG9D,OAAO,CAAC,QAAQ,CAAC,eAAe;gBAHwB,MAAM,EAAE,UAAU,GAAG,IAAI,EAGhE,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC,GAAG,IAAI;IAI5E,SAAS;;;;;;;;;;IAcH,SAAS,CAAS,IAAI,EAAE,iBAAiB;;;;;;;;;;CA8BhD"}

package/dist/foundations/rbac/controllers/rbac-dev.controller.js

@@ -0,0 +1,172 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RbacDevController = void 0;
+const common_1 = require("@nestjs/common");
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const rbac_tokens_1 = require("../rbac.tokens");
+const rbac_constants_1 = require("../rbac.constants");
+const matrix_to_ts_1 = require("../serializer/matrix-to-ts");
+/**
+ * Walk up from `startDir` looking for `pnpm-workspace.yaml`. Returns that
+ * directory, or `startDir` as a fallback. Used to resolve relative
+ * `outputPath` arguments from the frontend consistently regardless of where
+ * the API process was started from (its `cwd` is `apps/api` in dev).
+ */
+function findMonorepoRoot(startDir) {
+    let current = startDir;
+    while (true) {
+        if (fs.existsSync(path.join(current, "pnpm-workspace.yaml"))) {
+            return current;
+        }
+        const parent = path.dirname(current);
+        if (parent === current)
+            return startDir;
+        current = parent;
+    }
+}
+/**
+ * perm.* tokens are callable hybrids (function + attached `action`/`scope` own
+ * properties). JSON.stringify drops functions, producing `null` inside arrays.
+ * Normalise to plain `{ action, scope }` objects before envelope wrapping.
+ */
+function normaliseMatrix(matrix) {
+    const out = {};
+    for (const [moduleId, block] of Object.entries(matrix)) {
+        if (!block)
+            continue;
+        const newBlock = { default: [] };
+        for (const [key, tokens] of Object.entries(block)) {
+            newBlock[key] = tokens.map((t) => ({ action: t.action, scope: t.scope }));
+        }
+        out[moduleId] = newBlock;
+    }
+    return out;
+}
+/**
+ * JSON:API type emitted / expected by the dev RBAC matrix endpoints.
+ * Kebab-case to match the rest of the codebase (e.g. "permission-mappings").
+ */
+const RBAC_MATRIX_TYPE = "rbac-matrix";
+const RBAC_MATRIX_ID = "singleton";
+/**
+ * Dev-only endpoints for editing the rbac matrix.
+ *
+ * Registered ONLY when `devMode` is enabled on RbacModule.register (see
+ * `apps/api/src/features/features.modules.ts`).
+ *
+ * Both endpoints speak JSON:API (single-resource envelopes) so the frontend
+ * can consume them via the standard `callApi()` pipeline instead of a
+ * bespoke raw-fetch escape hatch.
+ */
+let RbacDevController = class RbacDevController {
+    constructor(matrix, moduleUserPaths) {
+        this.matrix = matrix;
+        this.moduleUserPaths = moduleUserPaths;
+    }
+    getMatrix() {
+        return {
+            data: {
+                type: RBAC_MATRIX_TYPE,
+                id: RBAC_MATRIX_ID,
+                attributes: {
+                    matrix: this.matrix ? normaliseMatrix(this.matrix) : {},
+                    modulePaths: this.moduleUserPaths ?? {},
+                },
+            },
+        };
+    }
+    async putMatrix(body) {
+        const attributes = body?.data?.attributes;
+        if (!attributes) {
+            throw new Error("Invalid JSON:API body: missing data.attributes");
+        }
+        const { matrix, roleNames, moduleNames, outputPath } = attributes;
+        const source = await (0, matrix_to_ts_1.serializeMatrixToTs)(matrix, {
+            roleNames,
+            moduleNames,
+        });
+        const outPath = path.isAbsolute(outputPath)
+            ? outputPath
+            : path.resolve(findMonorepoRoot(process.cwd()), outputPath);
+        fs.writeFileSync(outPath, source);
+        return {
+            data: {
+                type: RBAC_MATRIX_TYPE,
+                id: RBAC_MATRIX_ID,
+                attributes: {
+                    bytesWritten: Buffer.byteLength(source),
+                    path: outPath,
+                },
+            },
+        };
+    }
+};
+exports.RbacDevController = RbacDevController;
+__decorate([
+    (0, common_1.Get)("matrix"),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", []),
+    __metadata("design:returntype", void 0)
+], RbacDevController.prototype, "getMatrix", null);
+__decorate([
+    (0, common_1.Put)("matrix"),
+    __param(0, (0, common_1.Body)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object]),
+    __metadata("design:returntype", Promise)
+], RbacDevController.prototype, "putMatrix", null);
+exports.RbacDevController = RbacDevController = __decorate([
+    (0, common_1.Controller)("_dev/rbac"),
+    __param(0, (0, common_1.Optional)()),
+    __param(0, (0, common_1.Inject)(rbac_tokens_1.RBAC_MATRIX_TOKEN)),
+    __param(1, (0, common_1.Optional)()),
+    __param(1, (0, common_1.Inject)(rbac_constants_1.MODULE_USER_PATHS_TOKEN)),
+    __metadata("design:paramtypes", [Object, Object])
+], RbacDevController);
+//# sourceMappingURL=rbac-dev.controller.js.map

package/dist/foundations/rbac/controllers/rbac-dev.controller.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac-dev.controller.js","sourceRoot":"","sources":["../../../../src/foundations/rbac/controllers/rbac-dev.controller.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA8E;AAC9E,uCAAyB;AACzB,2CAA6B;AAC7B,gDAAmD;AACnD,sDAA4D;AAE5D,6DAAiE;AAEjE;;;;;GAKG;AACH,SAAS,gBAAgB,CAAC,QAAgB;IACxC,IAAI,OAAO,GAAG,QAAQ,CAAC;IACvB,OAAO,IAAI,EAAE,CAAC;QACZ,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,qBAAqB,CAAC,CAAC,EAAE,CAAC;YAC7D,OAAO,OAAO,CAAC;QACjB,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QACrC,IAAI,MAAM,KAAK,OAAO;YAAE,OAAO,QAAQ,CAAC;QACxC,OAAO,GAAG,MAAM,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,eAAe,CAAC,MAAkB;IACzC,MAAM,GAAG,GAAe,EAAE,CAAC;IAC3B,KAAK,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACvD,IAAI,CAAC,KAAK;YAAE,SAAS;QACrB,MAAM,QAAQ,GAAgC,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAC9D,KAAK,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAClD,QAAQ,CAAC,GAAG,CAAC,GAAI,MAAsB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAC7F,CAAC;QACD,GAAG,CAAC,QAAQ,CAAC,GAAG,QAA8B,CAAC;IACjD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;GAGG;AACH,MAAM,gBAAgB,GAAG,aAAa,CAAC;AACvC,MAAM,cAAc,GAAG,WAAW,CAAC;AAenC;;;;;;;;;GASG;AAEI,IAAM,iBAAiB,GAAvB,MAAM,iBAAiB;IAC5B,YAC0D,MAAyB,EAGhE,eAAyD;QAHlB,WAAM,GAAN,MAAM,CAAmB;QAGhE,oBAAe,GAAf,eAAe,CAA0C;IACzE,CAAC;IAGJ,SAAS;QACP,OAAO;YACL,IAAI,EAAE;gBACJ,IAAI,EAAE,gBAAgB;gBACtB,EAAE,EAAE,cAAc;gBAClB,UAAU,EAAE;oBACV,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE;oBACvD,WAAW,EAAE,IAAI,CAAC,eAAe,IAAI,EAAE;iBACxC;aACF;SACF,CAAC;IACJ,CAAC;IAGK,AAAN,KAAK,CAAC,SAAS,CAAS,IAAuB;QAC7C,MAAM,UAAU,GAAG,IAAI,EAAE,IAAI,EAAE,UAAU,CAAC;QAC1C,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;QACpE,CAAC;QAED,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,EAAE,GAAG,UAAU,CAAC;QAElE,MAAM,MAAM,GAAG,MAAM,IAAA,kCAAmB,EAAC,MAAM,EAAE;YAC/C,SAAS;YACT,WAAW;SACZ,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;YACzC,CAAC,CAAC,UAAU;YACZ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,gBAAgB,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,EAAE,UAAU,CAAC,CAAC;QAE9D,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAElC,OAAO;YACL,IAAI,EAAE;gBACJ,IAAI,EAAE,gBAAgB;gBACtB,EAAE,EAAE,cAAc;gBAClB,UAAU,EAAE;oBACV,YAAY,EAAE,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC;oBACvC,IAAI,EAAE,OAAO;iBACd;aACF;SACF,CAAC;IACJ,CAAC;CACF,CAAA;AArDY,8CAAiB;AAS5B;IADC,IAAA,YAAG,EAAC,QAAQ,CAAC;;;;kDAYb;AAGK;IADL,IAAA,YAAG,EAAC,QAAQ,CAAC;IACG,WAAA,IAAA,aAAI,GAAE,CAAA;;;;kDA6BtB;4BApDU,iBAAiB;IAD7B,IAAA,mBAAU,EAAC,WAAW,CAAC;IAGnB,WAAA,IAAA,iBAAQ,GAAE,CAAA;IAAE,WAAA,IAAA,eAAM,EAAC,+BAAiB,CAAC,CAAA;IACrC,WAAA,IAAA,iBAAQ,GAAE,CAAA;IACV,WAAA,IAAA,eAAM,EAAC,wCAAuB,CAAC,CAAA;;GAJvB,iBAAiB,CAqD7B"}

package/dist/foundations/rbac/dsl/define-rbac.d.ts

@@ -0,0 +1,15 @@
+import type { RbacMatrix } from "./types";
+/**
+ * Identity function used to attach typing to an rbac matrix literal.
+ *
+ * The generic parameter binds the matrix to a concrete `MODULE_USER_PATHS`
+ * shape so that scoped-path arguments in `perm.update("...")` etc. are
+ * type-checked against the module they are declared under.
+ *
+ * Usage:
+ *   export const rbac = defineRbac<typeof MODULE_USER_PATHS>({
+ *     [ModuleId.Part]: { default: [perm.read], ... },
+ *   });
+ */
+export declare function defineRbac<ModuleUserPaths extends Record<string, readonly string[]>>(matrix: RbacMatrix<ModuleUserPaths>): RbacMatrix<ModuleUserPaths>;
+//# sourceMappingURL=define-rbac.d.ts.map

package/dist/foundations/rbac/dsl/define-rbac.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"define-rbac.d.ts","sourceRoot":"","sources":["../../../../src/foundations/rbac/dsl/define-rbac.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAE1C;;;;;;;;;;;GAWG;AACH,wBAAgB,UAAU,CAAC,eAAe,SAAS,MAAM,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC,EAClF,MAAM,EAAE,UAAU,CAAC,eAAe,CAAC,GAClC,UAAU,CAAC,eAAe,CAAC,CAE7B"}

package/dist/foundations/rbac/dsl/define-rbac.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.defineRbac = defineRbac;
+/**
+ * Identity function used to attach typing to an rbac matrix literal.
+ *
+ * The generic parameter binds the matrix to a concrete `MODULE_USER_PATHS`
+ * shape so that scoped-path arguments in `perm.update("...")` etc. are
+ * type-checked against the module they are declared under.
+ *
+ * Usage:
+ *   export const rbac = defineRbac<typeof MODULE_USER_PATHS>({
+ *     [ModuleId.Part]: { default: [perm.read], ... },
+ *   });
+ */
+function defineRbac(matrix) {
+    return matrix;
+}
+//# sourceMappingURL=define-rbac.js.map

package/dist/foundations/rbac/dsl/define-rbac.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"define-rbac.js","sourceRoot":"","sources":["../../../../src/foundations/rbac/dsl/define-rbac.ts"],"names":[],"mappings":";;AAeA,gCAIC;AAhBD;;;;;;;;;;;GAWG;AACH,SAAgB,UAAU,CACxB,MAAmC;IAEnC,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/foundations/rbac/dsl/index.d.ts

@@ -0,0 +1,6 @@
+export * from "./types";
+export { perm } from "./perm";
+export { defineRbac } from "./define-rbac";
+export { toPermissionsJson } from "./to-permissions-json";
+export { resolveForRole, resolveDefault, iterateDeclaredEdges, iterateDeclaredModules } from "./resolver";
+//# sourceMappingURL=index.d.ts.map

package/dist/foundations/rbac/dsl/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/foundations/rbac/dsl/index.ts"],"names":[],"mappings":"AAAA,cAAc,SAAS,CAAC;AACxB,OAAO,EAAE,IAAI,EAAE,MAAM,QAAQ,CAAC;AAC9B,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC"}

package/dist/foundations/rbac/dsl/index.js

@@ -0,0 +1,30 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.iterateDeclaredModules = exports.iterateDeclaredEdges = exports.resolveDefault = exports.resolveForRole = exports.toPermissionsJson = exports.defineRbac = exports.perm = void 0;
+__exportStar(require("./types"), exports);
+var perm_1 = require("./perm");
+Object.defineProperty(exports, "perm", { enumerable: true, get: function () { return perm_1.perm; } });
+var define_rbac_1 = require("./define-rbac");
+Object.defineProperty(exports, "defineRbac", { enumerable: true, get: function () { return define_rbac_1.defineRbac; } });
+var to_permissions_json_1 = require("./to-permissions-json");
+Object.defineProperty(exports, "toPermissionsJson", { enumerable: true, get: function () { return to_permissions_json_1.toPermissionsJson; } });
+var resolver_1 = require("./resolver");
+Object.defineProperty(exports, "resolveForRole", { enumerable: true, get: function () { return resolver_1.resolveForRole; } });
+Object.defineProperty(exports, "resolveDefault", { enumerable: true, get: function () { return resolver_1.resolveDefault; } });
+Object.defineProperty(exports, "iterateDeclaredEdges", { enumerable: true, get: function () { return resolver_1.iterateDeclaredEdges; } });
+Object.defineProperty(exports, "iterateDeclaredModules", { enumerable: true, get: function () { return resolver_1.iterateDeclaredModules; } });
+//# sourceMappingURL=index.js.map

package/dist/foundations/rbac/dsl/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/foundations/rbac/dsl/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAAA,0CAAwB;AACxB,+BAA8B;AAArB,4FAAA,IAAI,OAAA;AACb,6CAA2C;AAAlC,yGAAA,UAAU,OAAA;AACnB,6DAA0D;AAAjD,wHAAA,iBAAiB,OAAA;AAC1B,uCAA0G;AAAjG,0GAAA,cAAc,OAAA;AAAE,0GAAA,cAAc,OAAA;AAAE,gHAAA,oBAAoB,OAAA;AAAE,kHAAA,sBAAsB,OAAA"}

package/dist/foundations/rbac/dsl/perm.d.ts

@@ -0,0 +1,15 @@
+import { Action, PermToken } from "./types";
+type Scoped<A extends Action> = (path: string) => PermToken;
+type PermFn<A extends Action> = {
+    action: A;
+    scope: true;
+} & Scoped<A>;
+export declare const perm: {
+    read: PermFn<"read">;
+    create: PermFn<"create">;
+    update: PermFn<"update">;
+    delete: PermFn<"delete">;
+    full: PermToken<never>[];
+};
+export {};
+//# sourceMappingURL=perm.d.ts.map

package/dist/foundations/rbac/dsl/perm.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"perm.d.ts","sourceRoot":"","sources":["../../../../src/foundations/rbac/dsl/perm.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAE5C,KAAK,MAAM,CAAC,CAAC,SAAS,MAAM,IAAI,CAAC,IAAI,EAAE,MAAM,KAAK,SAAS,CAAC;AAE5D,KAAK,MAAM,CAAC,CAAC,SAAS,MAAM,IAAI;IAAE,MAAM,EAAE,CAAC,CAAC;IAAC,KAAK,EAAE,IAAI,CAAA;CAAE,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;AAYvE,eAAO,MAAM,IAAI;;;;;UAUV,SAAS,CAAC,KAAK,CAAC,EAAE;CACxB,CAAC"}

package/dist/foundations/rbac/dsl/perm.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.perm = void 0;
+function build(action) {
+    const fn = (path) => ({ action, scope: path });
+    return Object.assign(fn, { action, scope: true });
+}
+const readT = build("read");
+const createT = build("create");
+const updateT = build("update");
+const deleteT = build("delete");
+exports.perm = {
+    read: readT,
+    create: createT,
+    update: updateT,
+    delete: deleteT,
+    full: [
+        { action: "read", scope: true },
+        { action: "create", scope: true },
+        { action: "update", scope: true },
+        { action: "delete", scope: true },
+    ],
+};
+//# sourceMappingURL=perm.js.map

package/dist/foundations/rbac/dsl/perm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"perm.js","sourceRoot":"","sources":["../../../../src/foundations/rbac/dsl/perm.ts"],"names":[],"mappings":";;;AAOA,SAAS,KAAK,CAAmB,MAAS;IACxC,MAAM,EAAE,GAAG,CAAC,IAAY,EAAa,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAClE,OAAO,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAW,CAAC,CAAC;AAC7D,CAAC;AAED,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;AAC5B,MAAM,OAAO,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC;AAChC,MAAM,OAAO,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC;AAChC,MAAM,OAAO,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC;AAEnB,QAAA,IAAI,GAAG;IAClB,IAAI,EAAE,KAAK;IACX,MAAM,EAAE,OAAO;IACf,MAAM,EAAE,OAAO;IACf,MAAM,EAAE,OAAO;IACf,IAAI,EAAE;QACJ,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE;QAC/B,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,IAAI,EAAE;QACjC,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,IAAI,EAAE;QACjC,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,IAAI,EAAE;KACZ;CACxB,CAAC"}

package/dist/foundations/rbac/dsl/resolver.d.ts

@@ -0,0 +1,24 @@
+import { RbacMatrix } from "./types";
+/**
+ * Compute the canonical edge JSON for a given (role, module) pair.
+ * Union of module defaults and role-specific tokens, serialised.
+ * Returns undefined if the role or module is not declared.
+ */
+export declare function resolveForRole(matrix: RbacMatrix, roleId: string, moduleId: string): string | undefined;
+/**
+ * Compute the canonical defaults JSON for a module.
+ * Returns undefined if the module is not declared.
+ */
+export declare function resolveDefault(matrix: RbacMatrix, moduleId: string): string | undefined;
+/**
+ * Yield every (role, module) pair declared in the matrix.
+ */
+export declare function iterateDeclaredEdges(matrix: RbacMatrix): Iterable<{
+    roleId: string;
+    moduleId: string;
+}>;
+/**
+ * Yield every module declared in the matrix.
+ */
+export declare function iterateDeclaredModules(matrix: RbacMatrix): Iterable<string>;
+//# sourceMappingURL=resolver.d.ts.map

package/dist/foundations/rbac/dsl/resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolver.d.ts","sourceRoot":"","sources":["../../../../src/foundations/rbac/dsl/resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAGrC;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAMvG;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAIvF;AAED;;GAEG;AACH,wBAAiB,oBAAoB,CAAC,MAAM,EAAE,UAAU,GAAG,QAAQ,CAAC;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,CAQxG;AAED;;GAEG;AACH,wBAAiB,sBAAsB,CAAC,MAAM,EAAE,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAC,CAI5E"}

package/dist/foundations/rbac/dsl/resolver.js

@@ -0,0 +1,55 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveForRole = resolveForRole;
+exports.resolveDefault = resolveDefault;
+exports.iterateDeclaredEdges = iterateDeclaredEdges;
+exports.iterateDeclaredModules = iterateDeclaredModules;
+const to_permissions_json_1 = require("./to-permissions-json");
+/**
+ * Compute the canonical edge JSON for a given (role, module) pair.
+ * Union of module defaults and role-specific tokens, serialised.
+ * Returns undefined if the role or module is not declared.
+ */
+function resolveForRole(matrix, roleId, moduleId) {
+    const block = matrix[moduleId];
+    if (!block)
+        return undefined;
+    const roleTokens = block[roleId];
+    if (roleTokens === undefined)
+        return undefined;
+    return (0, to_permissions_json_1.toPermissionsJson)([...block.default, ...roleTokens]);
+}
+/**
+ * Compute the canonical defaults JSON for a module.
+ * Returns undefined if the module is not declared.
+ */
+function resolveDefault(matrix, moduleId) {
+    const block = matrix[moduleId];
+    if (!block)
+        return undefined;
+    return (0, to_permissions_json_1.toPermissionsJson)(block.default);
+}
+/**
+ * Yield every (role, module) pair declared in the matrix.
+ */
+function* iterateDeclaredEdges(matrix) {
+    for (const [moduleId, block] of Object.entries(matrix)) {
+        if (!block)
+            continue;
+        for (const key of Object.keys(block)) {
+            if (key === "default")
+                continue;
+            yield { roleId: key, moduleId };
+        }
+    }
+}
+/**
+ * Yield every module declared in the matrix.
+ */
+function* iterateDeclaredModules(matrix) {
+    for (const moduleId of Object.keys(matrix)) {
+        if (matrix[moduleId])
+            yield moduleId;
+    }
+}
+//# sourceMappingURL=resolver.js.map

package/dist/foundations/rbac/dsl/resolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolver.js","sourceRoot":"","sources":["../../../../src/foundations/rbac/dsl/resolver.ts"],"names":[],"mappings":";;AAQA,wCAMC;AAMD,wCAIC;AAKD,oDAQC;AAKD,wDAIC;AA7CD,+DAA0D;AAE1D;;;;GAIG;AACH,SAAgB,cAAc,CAAC,MAAkB,EAAE,MAAc,EAAE,QAAgB;IACjF,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC/B,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;IACjC,IAAI,UAAU,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAC/C,OAAO,IAAA,uCAAiB,EAAC,CAAC,GAAG,KAAK,CAAC,OAAO,EAAE,GAAG,UAAU,CAAC,CAAC,CAAC;AAC9D,CAAC;AAED;;;GAGG;AACH,SAAgB,cAAc,CAAC,MAAkB,EAAE,QAAgB;IACjE,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC/B,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,OAAO,IAAA,uCAAiB,EAAC,KAAK,CAAC,OAAO,CAAC,CAAC;AAC1C,CAAC;AAED;;GAEG;AACH,QAAe,CAAC,CAAC,oBAAoB,CAAC,MAAkB;IACtD,KAAK,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACvD,IAAI,CAAC,KAAK;YAAE,SAAS;QACrB,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACrC,IAAI,GAAG,KAAK,SAAS;gBAAE,SAAS;YAChC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC;QAClC,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,QAAe,CAAC,CAAC,sBAAsB,CAAC,MAAkB;IACxD,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3C,IAAI,MAAM,CAAC,QAAQ,CAAC;YAAE,MAAM,QAAQ,CAAC;IACvC,CAAC;AACH,CAAC"}

package/dist/foundations/rbac/dsl/to-permissions-json.d.ts

@@ -0,0 +1,13 @@
+import { PermToken } from "./types";
+/**
+ * Serialise a PermToken[] to the JSON-string shape stored on
+ * `Module.permissions` and `HAS_PERMISSIONS.permissions` edges.
+ *
+ * Format: a JSON-stringified array of `{ type: Action, value: boolean | string }`
+ * in fixed action order (read, create, update, delete).
+ *
+ * Merge rule within the input: unconditional `true` beats scoped path string;
+ * scoped path string beats default `false`. (Matches auth.repository merge.)
+ */
+export declare function toPermissionsJson(tokens: PermToken[]): string;
+//# sourceMappingURL=to-permissions-json.d.ts.map

package/dist/foundations/rbac/dsl/to-permissions-json.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"to-permissions-json.d.ts","sourceRoot":"","sources":["../../../../src/foundations/rbac/dsl/to-permissions-json.ts"],"names":[],"mappings":"AAAA,OAAO,EAAwB,SAAS,EAAE,MAAM,SAAS,CAAC;AAE1D;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CA4B7D"}

package/dist/foundations/rbac/dsl/to-permissions-json.js

@@ -0,0 +1,43 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.toPermissionsJson = toPermissionsJson;
+const types_1 = require("./types");
+/**
+ * Serialise a PermToken[] to the JSON-string shape stored on
+ * `Module.permissions` and `HAS_PERMISSIONS.permissions` edges.
+ *
+ * Format: a JSON-stringified array of `{ type: Action, value: boolean | string }`
+ * in fixed action order (read, create, update, delete).
+ *
+ * Merge rule within the input: unconditional `true` beats scoped path string;
+ * scoped path string beats default `false`. (Matches auth.repository merge.)
+ */
+function toPermissionsJson(tokens) {
+    const perAction = {
+        read: false,
+        create: false,
+        update: false,
+        delete: false,
+    };
+    for (const token of tokens) {
+        const existing = perAction[token.action];
+        const incoming = token.scope;
+        // Precedence: true > string > false
+        if (existing === true)
+            continue;
+        if (incoming === true) {
+            perAction[token.action] = true;
+            continue;
+        }
+        if (typeof existing === "string")
+            continue; // keep earlier string
+        if (typeof incoming === "string") {
+            perAction[token.action] = incoming;
+            continue;
+        }
+        // both false — no change
+    }
+    const array = types_1.ACTION_ORDER.map((action) => ({ type: action, value: perAction[action] }));
+    return JSON.stringify(array);
+}
+//# sourceMappingURL=to-permissions-json.js.map

package/dist/foundations/rbac/dsl/to-permissions-json.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"to-permissions-json.js","sourceRoot":"","sources":["../../../../src/foundations/rbac/dsl/to-permissions-json.ts"],"names":[],"mappings":";;AAYA,8CA4BC;AAxCD,mCAA0D;AAE1D;;;;;;;;;GASG;AACH,SAAgB,iBAAiB,CAAC,MAAmB;IACnD,MAAM,SAAS,GAAqC;QAClD,IAAI,EAAE,KAAK;QACX,MAAM,EAAE,KAAK;QACb,MAAM,EAAE,KAAK;QACb,MAAM,EAAE,KAAK;KACd,CAAC;IAEF,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,QAAQ,GAAG,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACzC,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC;QAE7B,oCAAoC;QACpC,IAAI,QAAQ,KAAK,IAAI;YAAE,SAAS;QAChC,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YACtB,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC;YAC/B,SAAS;QACX,CAAC;QACD,IAAI,OAAO,QAAQ,KAAK,QAAQ;YAAE,SAAS,CAAC,sBAAsB;QAClE,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACjC,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,QAAQ,CAAC;YACnC,SAAS;QACX,CAAC;QACD,yBAAyB;IAC3B,CAAC;IAED,MAAM,KAAK,GAAG,oBAAY,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;IACzF,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;AAC/B,CAAC"}

package/dist/foundations/rbac/dsl/types.d.ts

@@ -0,0 +1,55 @@
+export type Action = "read" | "create" | "update" | "delete";
+/**
+ * A single permission token. Either unconditional (`scope: true`) or scoped to
+ * a dotted path into the frontend model (`scope: "warehouse.managedBy"`).
+ *
+ * The `M` type parameter constrains scoped paths to those valid for the
+ * module the token is declared under. Unconditional tokens are any-module
+ * (scope: true) so they have no module constraint.
+ */
+export type PermToken<PathSet extends string = string> = {
+    action: Action;
+    scope: true;
+} | {
+    action: Action;
+    scope: PathSet;
+};
+/**
+ * Permissions block for a single module in the matrix.
+ *
+ * `default` applies to every role for this module (the floor).
+ * Each role key declares *additions* on top of defaults.
+ */
+export type ModuleBlock<PathSet extends string = string> = {
+    default: PermToken<PathSet>[];
+} & Record<string, PermToken<PathSet>[]>;
+/**
+ * The full RBAC matrix.
+ *
+ * Keys are module UUIDs (values of `ModuleId`). The `ModuleUserPaths` generic
+ * constrains the key set to known modules; scoped paths are typed as `string`
+ * (not narrowed per-module), because:
+ *   1. Many modules legitimately have no BFS-discovered relationship paths, so
+ *      per-module narrowing would collapse their scope type to `never` and
+ *      reject any scoped token.
+ *   2. Self-scope paths (e.g. `"id"` on User) and attribute paths are not part
+ *      of the relationship-based `MODULE_USER_PATHS` set, but are valid at
+ *      runtime.
+ * Action names remain strictly typed.
+ */
+export type RbacMatrix<ModuleUserPaths extends Record<string, readonly string[]> = Record<string, readonly string[]>> = {
+    [M in keyof ModuleUserPaths]?: ModuleBlock<string>;
+};
+/**
+ * Effective permissions for a single role on a single module, after union of
+ * default and role-specific tokens. Matches the shape that the existing
+ * permissionQuery writes to Neo4j.
+ */
+export interface ResolvedPermissions {
+    create: boolean | string;
+    read: boolean | string;
+    update: boolean | string;
+    delete: boolean | string;
+}
+export declare const ACTION_ORDER: readonly Action[];
+//# sourceMappingURL=types.d.ts.map

package/dist/foundations/rbac/dsl/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../src/foundations/rbac/dsl/types.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,MAAM,GAAG,MAAM,GAAG,QAAQ,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAE7D;;;;;;;GAOG;AACH,MAAM,MAAM,SAAS,CAAC,OAAO,SAAS,MAAM,GAAG,MAAM,IACjD;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,IAAI,CAAA;CAAE,GAC/B;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,OAAO,CAAA;CAAE,CAAC;AAEvC;;;;;GAKG;AACH,MAAM,MAAM,WAAW,CAAC,OAAO,SAAS,MAAM,GAAG,MAAM,IAAI;IACzD,OAAO,EAAE,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC;CAC/B,GAAG,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;AAEzC;;;;;;;;;;;;;GAaG;AACH,MAAM,MAAM,UAAU,CAAC,eAAe,SAAS,MAAM,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC,IAClH;KACG,CAAC,IAAI,MAAM,eAAe,CAAC,CAAC,EAAE,WAAW,CAAC,MAAM,CAAC;CACnD,CAAC;AAEJ;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,OAAO,GAAG,MAAM,CAAC;IACzB,IAAI,EAAE,OAAO,GAAG,MAAM,CAAC;IACvB,MAAM,EAAE,OAAO,GAAG,MAAM,CAAC;IACzB,MAAM,EAAE,OAAO,GAAG,MAAM,CAAC;CAC1B;AAED,eAAO,MAAM,YAAY,EAAE,SAAS,MAAM,EAAoD,CAAC"}

package/dist/foundations/rbac/dsl/types.js

@@ -0,0 +1,6 @@
+"use strict";
+// packages/nestjs-neo4jsonapi/src/foundations/rbac/dsl/types.ts
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ACTION_ORDER = void 0;
+exports.ACTION_ORDER = ["read", "create", "update", "delete"];
+//# sourceMappingURL=types.js.map

package/dist/foundations/rbac/dsl/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../src/foundations/rbac/dsl/types.ts"],"names":[],"mappings":";AAAA,gEAAgE;;;AAyDnD,QAAA,YAAY,GAAsB,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAU,CAAC"}