@carlonicora/nestjs-neo4jsonapi 1.63.0 → 1.64.0

package/dist/foundations/rbac/dump.d.ts

@@ -0,0 +1,116 @@
+import type { Driver } from "neo4j-driver";
+/**
+ * Options for {@link dumpRbacMatrix}.
+ */
+export interface DumpRbacMatrixOptions {
+    /**
+     * A connected `neo4j-driver` Driver. The function opens a single session
+     * and closes it on exit, but does NOT close the driver — the caller owns
+     * the driver lifecycle.
+     */
+    driver: Driver;
+    /**
+     * Optional database name. If omitted, the driver's default database is
+     * used. Pass this when your deployment uses a non-default database
+     * (e.g. `process.env.NEO4J_DATABASE`).
+     */
+    database?: string;
+    /**
+     * UUID → PascalCase name map for roles. The serializer emits
+     * `RoleId.<Name>` references using these names; without them, the
+     * generated file contains raw UUIDs.
+     *
+     * Typical construction from a `RoleId` enum:
+     * ```ts
+     * Object.fromEntries(Object.entries(RoleId).map(([k, v]) => [v, k]))
+     * ```
+     */
+    roleNames: Record<string, string>;
+    /**
+     * UUID → PascalCase name map for modules. Same shape and purpose as
+     * `roleNames`, applied to `ModuleId.<Name>` references in the output.
+     */
+    moduleNames: Record<string, string>;
+    /**
+     * UUID of the Administrator role. The dump writes
+     * `[RoleId.Administrator]: perm.full` for every declared module so the
+     * file matches the convention enforced by `RbacReconcilerService`
+     * (which deliberately skips Administrator edges — Admin is hardwired in
+     * code, not represented as `HAS_PERMISSIONS` edges in the DB).
+     */
+    administratorRoleId: string;
+    /**
+     * Output path for the emitted TypeScript file. Absolute, or relative to
+     * `process.cwd()`. Parent directories are created if missing.
+     *
+     * Convention: place the file under your API app's `src/rbac/` directory
+     * (e.g. `"src/rbac/permissions.ts"` when running from the api package
+     * cwd, or `"apps/api/src/rbac/permissions.ts"` from the monorepo root).
+     */
+    outputPath: string;
+}
+/**
+ * Result of {@link dumpRbacMatrix}.
+ */
+export interface DumpRbacMatrixResult {
+    /** Number of bytes written to the output file. */
+    bytesWritten: number;
+    /** Resolved absolute path that was written. */
+    path: string;
+}
+/**
+ * Read the current RBAC state from Neo4j and emit a declarative-matrix
+ * `permissions.ts` source file for the consuming app to commit.
+ *
+ * **Developer-only.** This is meant to run as a one-shot CLI step when
+ * bootstrapping a new project (or re-dumping after manual DB edits during
+ * development). Do not expose this from a runtime endpoint — production
+ * servers should never write source files.
+ *
+ * The emitted file imports `RoleId` / `ModuleId` from `@neural-erp/shared`
+ * (or whichever package you've wired into `serializeMatrixToTs`), and
+ * `perm` / `defineRbac` from `@carlonicora/nestjs-neo4jsonapi`.
+ *
+ * @example
+ * ```ts
+ * // apps/api/scripts/rbac-dump.ts
+ * import * as dotenv from "dotenv";
+ * import * as path from "path";
+ * dotenv.config({ path: path.resolve(__dirname, "../../../.env") });
+ *
+ * import neo4j from "neo4j-driver";
+ * import { RoleId, ModuleId } from "@neural-erp/shared";
+ * import { dumpRbacMatrix } from "@carlonicora/nestjs-neo4jsonapi";
+ *
+ * async function main() {
+ *   const driver = neo4j.driver(
+ *     process.env.NEO4J_URI!,
+ *     neo4j.auth.basic(process.env.NEO4J_USER!, process.env.NEO4J_PASSWORD!),
+ *   );
+ *   try {
+ *     const result = await dumpRbacMatrix({
+ *       driver,
+ *       database: process.env.NEO4J_DATABASE,
+ *       roleNames: Object.fromEntries(
+ *         Object.entries(RoleId).map(([k, v]) => [v, k]),
+ *       ),
+ *       moduleNames: Object.fromEntries(
+ *         Object.entries(ModuleId).map(([k, v]) => [v, k]),
+ *       ),
+ *       administratorRoleId: RoleId.Administrator,
+ *       outputPath: path.resolve(__dirname, "../src/rbac/permissions.ts"),
+ *     });
+ *     console.log(`Wrote ${result.bytesWritten} bytes to ${result.path}`);
+ *   } finally {
+ *     await driver.close();
+ *   }
+ * }
+ *
+ * main().catch((err) => {
+ *   console.error(err);
+ *   process.exit(1);
+ * });
+ * ```
+ */
+export declare function dumpRbacMatrix(opts: DumpRbacMatrixOptions): Promise<DumpRbacMatrixResult>;
+//# sourceMappingURL=dump.d.ts.map

package/dist/foundations/rbac/dump.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dump.d.ts","sourceRoot":"","sources":["../../../src/foundations/rbac/dump.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAI3C;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAC;IAEf;;;;OAIG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;;;;;;;OASG;IACH,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAElC;;;OAGG;IACH,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEpC;;;;;;OAMG;IACH,mBAAmB,EAAE,MAAM,CAAC;IAE5B;;;;;;;OAOG;IACH,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,kDAAkD;IAClD,YAAY,EAAE,MAAM,CAAC;IACrB,+CAA+C;IAC/C,IAAI,EAAE,MAAM,CAAC;CACd;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqDG;AACH,wBAAsB,cAAc,CAAC,IAAI,EAAE,qBAAqB,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAkD/F"}

package/dist/foundations/rbac/dump.js

@@ -0,0 +1,154 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.dumpRbacMatrix = dumpRbacMatrix;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const matrix_to_ts_1 = require("./serializer/matrix-to-ts");
+/**
+ * Read the current RBAC state from Neo4j and emit a declarative-matrix
+ * `permissions.ts` source file for the consuming app to commit.
+ *
+ * **Developer-only.** This is meant to run as a one-shot CLI step when
+ * bootstrapping a new project (or re-dumping after manual DB edits during
+ * development). Do not expose this from a runtime endpoint — production
+ * servers should never write source files.
+ *
+ * The emitted file imports `RoleId` / `ModuleId` from `@neural-erp/shared`
+ * (or whichever package you've wired into `serializeMatrixToTs`), and
+ * `perm` / `defineRbac` from `@carlonicora/nestjs-neo4jsonapi`.
+ *
+ * @example
+ * ```ts
+ * // apps/api/scripts/rbac-dump.ts
+ * import * as dotenv from "dotenv";
+ * import * as path from "path";
+ * dotenv.config({ path: path.resolve(__dirname, "../../../.env") });
+ *
+ * import neo4j from "neo4j-driver";
+ * import { RoleId, ModuleId } from "@neural-erp/shared";
+ * import { dumpRbacMatrix } from "@carlonicora/nestjs-neo4jsonapi";
+ *
+ * async function main() {
+ *   const driver = neo4j.driver(
+ *     process.env.NEO4J_URI!,
+ *     neo4j.auth.basic(process.env.NEO4J_USER!, process.env.NEO4J_PASSWORD!),
+ *   );
+ *   try {
+ *     const result = await dumpRbacMatrix({
+ *       driver,
+ *       database: process.env.NEO4J_DATABASE,
+ *       roleNames: Object.fromEntries(
+ *         Object.entries(RoleId).map(([k, v]) => [v, k]),
+ *       ),
+ *       moduleNames: Object.fromEntries(
+ *         Object.entries(ModuleId).map(([k, v]) => [v, k]),
+ *       ),
+ *       administratorRoleId: RoleId.Administrator,
+ *       outputPath: path.resolve(__dirname, "../src/rbac/permissions.ts"),
+ *     });
+ *     console.log(`Wrote ${result.bytesWritten} bytes to ${result.path}`);
+ *   } finally {
+ *     await driver.close();
+ *   }
+ * }
+ *
+ * main().catch((err) => {
+ *   console.error(err);
+ *   process.exit(1);
+ * });
+ * ```
+ */
+async function dumpRbacMatrix(opts) {
+    const session = opts.driver.session(opts.database ? { database: opts.database } : undefined);
+    try {
+        const modulesResult = await session.run(`MATCH (m:Module) RETURN m.id AS id, m.permissions AS permissions`);
+        const edgesResult = await session.run(`MATCH (r:Role)-[p:HAS_PERMISSIONS]->(m:Module) RETURN r.id AS roleId, m.id AS moduleId, p.permissions AS permissions`);
+        const matrix = {};
+        for (const rec of modulesResult.records) {
+            const moduleId = rec.get("id");
+            const permissions = rec.get("permissions");
+            if (!moduleId)
+                continue;
+            matrix[moduleId] = { default: deserialize(permissions), ...(matrix[moduleId] ?? {}) };
+        }
+        for (const rec of edgesResult.records) {
+            const roleId = rec.get("roleId");
+            const moduleId = rec.get("moduleId");
+            const permissions = rec.get("permissions");
+            if (!matrix[moduleId])
+                matrix[moduleId] = { default: [] };
+            matrix[moduleId][roleId] = deltaFromDefault(deserialize(permissions), matrix[moduleId].default);
+        }
+        // Administrator gets perm.full on every declared module — matches the
+        // reconciler's "Administrator edges are never managed" convention.
+        for (const moduleId of Object.keys(matrix)) {
+            matrix[moduleId][opts.administratorRoleId] = [
+                { action: "read", scope: true },
+                { action: "create", scope: true },
+                { action: "update", scope: true },
+                { action: "delete", scope: true },
+            ];
+        }
+        const source = await (0, matrix_to_ts_1.serializeMatrixToTs)(matrix, {
+            roleNames: opts.roleNames,
+            moduleNames: opts.moduleNames,
+        });
+        const outPath = path.isAbsolute(opts.outputPath) ? opts.outputPath : path.resolve(process.cwd(), opts.outputPath);
+        fs.mkdirSync(path.dirname(outPath), { recursive: true });
+        fs.writeFileSync(outPath, source);
+        return { bytesWritten: Buffer.byteLength(source), path: outPath };
+    }
+    finally {
+        await session.close();
+    }
+}
+function deserialize(raw) {
+    if (!raw)
+        return [];
+    const arr = JSON.parse(raw);
+    return arr
+        .filter((e) => e.value !== false)
+        .map((e) => ({
+        action: e.type,
+        scope: e.value === true ? true : e.value,
+    }));
+}
+function deltaFromDefault(effective, defaults) {
+    // Naive shallow comparison — sufficient because tokens are flat
+    // {action, scope} records.
+    return effective.filter((e) => !defaults.some((d) => d.action === e.action && d.scope === e.scope));
+}
+//# sourceMappingURL=dump.js.map

package/dist/foundations/rbac/dump.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dump.js","sourceRoot":"","sources":["../../../src/foundations/rbac/dump.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA8HA,wCAkDC;AAhLD,uCAAyB;AACzB,2CAA6B;AAG7B,4DAAgE;AAoEhE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqDG;AACI,KAAK,UAAU,cAAc,CAAC,IAA2B;IAC9D,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAC7F,IAAI,CAAC;QACH,MAAM,aAAa,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,kEAAkE,CAAC,CAAC;QAC5G,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,GAAG,CACnC,sHAAsH,CACvH,CAAC;QAEF,MAAM,MAAM,GAAe,EAAE,CAAC;QAE9B,KAAK,MAAM,GAAG,IAAI,aAAa,CAAC,OAAO,EAAE,CAAC;YACxC,MAAM,QAAQ,GAAG,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC/B,MAAM,WAAW,GAAkB,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;YAC1D,IAAI,CAAC,QAAQ;gBAAE,SAAS;YACxB,MAAM,CAAC,QAAQ,CAAC,GAAG,EAAE,OAAO,EAAE,WAAW,CAAC,WAAW,CAAC,EAAE,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;QACxF,CAAC;QAED,KAAK,MAAM,GAAG,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YACtC,MAAM,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YACjC,MAAM,QAAQ,GAAG,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YACrC,MAAM,WAAW,GAAkB,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;YAC1D,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;gBAAE,MAAM,CAAC,QAAQ,CAAC,GAAG,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;YAC1D,MAAM,CAAC,QAAQ,CAAE,CAAC,MAAM,CAAC,GAAG,gBAAgB,CAAC,WAAW,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC,QAAQ,CAAE,CAAC,OAAO,CAAC,CAAC;QACpG,CAAC;QAED,sEAAsE;QACtE,mEAAmE;QACnE,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3C,MAAM,CAAC,QAAQ,CAAE,CAAC,IAAI,CAAC,mBAAmB,CAAC,GAAG;gBAC5C,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE;gBAC/B,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,IAAI,EAAE;gBACjC,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,IAAI,EAAE;gBACjC,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,IAAI,EAAE;aAClC,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAA,kCAAmB,EAAC,MAAM,EAAE;YAC/C,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,WAAW,EAAE,IAAI,CAAC,WAAW;SAC9B,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QAElH,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACzD,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAElC,OAAO,EAAE,YAAY,EAAE,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IACpE,CAAC;YAAS,CAAC;QACT,MAAM,OAAO,CAAC,KAAK,EAAE,CAAC;IACxB,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,GAAkB;IACrC,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,CAAC;IACpB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAqD,CAAC;IAChF,OAAO,GAAG;SACP,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,KAAK,CAAC;SAChC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACX,MAAM,EAAE,CAAC,CAAC,IAAc;QACxB,KAAK,EAAE,CAAC,CAAC,KAAK,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC,CAAC,KAAgB;KACrD,CAAC,CAAC,CAAC;AACR,CAAC;AAED,SAAS,gBAAgB,CAAC,SAAsB,EAAE,QAAqB;IACrE,gEAAgE;IAChE,2BAA2B;IAC3B,OAAO,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;AACtG,CAAC"}

package/dist/foundations/rbac/index.d.ts

@@ -4,4 +4,10 @@ export { permissionMappingMeta } from "./entities/permission-mapping.meta";
 export { modulePathsMeta } from "./entities/module-paths.meta";
 export type { PermissionMapping } from "./entities/permission-mapping.entity";
 export type { ModuleRelationshipPaths } from "./entities/module-paths.entity";
+export { perm, defineRbac, toPermissionsJson } from "./dsl";
+export { resolveForRole, resolveDefault, iterateDeclaredEdges, iterateDeclaredModules } from "./dsl";
+export { ACTION_ORDER } from "./dsl";
+export type { PermToken, ModuleBlock, RbacMatrix, ResolvedPermissions } from "./dsl";
+export { dumpRbacMatrix } from "./dump";
+export type { DumpRbacMatrixOptions, DumpRbacMatrixResult } from "./dump";
 //# sourceMappingURL=index.d.ts.map

package/dist/foundations/rbac/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/foundations/rbac/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,qBAAqB,EAAE,MAAM,oCAAoC,CAAC;AAC3E,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AAC/D,YAAY,EAAE,iBAAiB,EAAE,MAAM,sCAAsC,CAAC;AAC9E,YAAY,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/foundations/rbac/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,qBAAqB,EAAE,MAAM,oCAAoC,CAAC;AAC3E,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AAC/D,YAAY,EAAE,iBAAiB,EAAE,MAAM,sCAAsC,CAAC;AAC9E,YAAY,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAI9E,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,OAAO,CAAC;AAC5D,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,MAAM,OAAO,CAAC;AACrG,OAAO,EAAE,YAAY,EAAE,MAAM,OAAO,CAAC;AACrC,YAAY,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,EAAE,mBAAmB,EAAE,MAAM,OAAO,CAAC;AAKrF,OAAO,EAAE,cAAc,EAAE,MAAM,QAAQ,CAAC;AACxC,YAAY,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,QAAQ,CAAC"}

package/dist/foundations/rbac/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.modulePathsMeta = exports.permissionMappingMeta = exports.MODULE_USER_PATHS_TOKEN = exports.RbacModule = void 0;
+exports.dumpRbacMatrix = exports.ACTION_ORDER = exports.iterateDeclaredModules = exports.iterateDeclaredEdges = exports.resolveDefault = exports.resolveForRole = exports.toPermissionsJson = exports.defineRbac = exports.perm = exports.modulePathsMeta = exports.permissionMappingMeta = exports.MODULE_USER_PATHS_TOKEN = exports.RbacModule = void 0;
 var rbac_module_1 = require("./rbac.module");
 Object.defineProperty(exports, "RbacModule", { enumerable: true, get: function () { return rbac_module_1.RbacModule; } });
 var rbac_constants_1 = require("./rbac.constants");
@@ -9,4 +9,26 @@ var permission_mapping_meta_1 = require("./entities/permission-mapping.meta");
 Object.defineProperty(exports, "permissionMappingMeta", { enumerable: true, get: function () { return permission_mapping_meta_1.permissionMappingMeta; } });
 var module_paths_meta_1 = require("./entities/module-paths.meta");
 Object.defineProperty(exports, "modulePathsMeta", { enumerable: true, get: function () { return module_paths_meta_1.modulePathsMeta; } });
+// RBAC DSL — re-export explicitly to avoid `Action` collision with
+// `common/enums/action.ts` at the library root.
+var dsl_1 = require("./dsl");
+Object.defineProperty(exports, "perm", { enumerable: true, get: function () { return dsl_1.perm; } });
+Object.defineProperty(exports, "defineRbac", { enumerable: true, get: function () { return dsl_1.defineRbac; } });
+Object.defineProperty(exports, "toPermissionsJson", { enumerable: true, get: function () { return dsl_1.toPermissionsJson; } });
+var dsl_2 = require("./dsl");
+Object.defineProperty(exports, "resolveForRole", { enumerable: true, get: function () { return dsl_2.resolveForRole; } });
+Object.defineProperty(exports, "resolveDefault", { enumerable: true, get: function () { return dsl_2.resolveDefault; } });
+Object.defineProperty(exports, "iterateDeclaredEdges", { enumerable: true, get: function () { return dsl_2.iterateDeclaredEdges; } });
+Object.defineProperty(exports, "iterateDeclaredModules", { enumerable: true, get: function () { return dsl_2.iterateDeclaredModules; } });
+var dsl_3 = require("./dsl");
+Object.defineProperty(exports, "ACTION_ORDER", { enumerable: true, get: function () { return dsl_3.ACTION_ORDER; } });
+// Developer-only one-shot tool to read the current DB state and emit a
+// declarative `permissions.ts` source file. CLI use only — see the JSDoc
+// on `dumpRbacMatrix` for the canonical script template.
+var dump_1 = require("./dump");
+Object.defineProperty(exports, "dumpRbacMatrix", { enumerable: true, get: function () { return dump_1.dumpRbacMatrix; } });
+// Note: the DSL's `Action` string-literal union is intentionally not re-exported
+// from the library root; `common/enums/action.ts` already exports an `Action`
+// enum with the same string values. Deep consumers can import it via
+// `@carlonicora/nestjs-neo4jsonapi/foundations/rbac/dsl` if needed.
 //# sourceMappingURL=index.js.map

package/dist/foundations/rbac/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/foundations/rbac/index.ts"],"names":[],"mappings":";;;AAAA,6CAA2C;AAAlC,yGAAA,UAAU,OAAA;AACnB,mDAA2D;AAAlD,yHAAA,uBAAuB,OAAA;AAChC,8EAA2E;AAAlE,gIAAA,qBAAqB,OAAA;AAC9B,kEAA+D;AAAtD,oHAAA,eAAe,OAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/foundations/rbac/index.ts"],"names":[],"mappings":";;;AAAA,6CAA2C;AAAlC,yGAAA,UAAU,OAAA;AACnB,mDAA2D;AAAlD,yHAAA,uBAAuB,OAAA;AAChC,8EAA2E;AAAlE,gIAAA,qBAAqB,OAAA;AAC9B,kEAA+D;AAAtD,oHAAA,eAAe,OAAA;AAIxB,mEAAmE;AACnE,gDAAgD;AAChD,6BAA4D;AAAnD,2FAAA,IAAI,OAAA;AAAE,iGAAA,UAAU,OAAA;AAAE,wGAAA,iBAAiB,OAAA;AAC5C,6BAAqG;AAA5F,qGAAA,cAAc,OAAA;AAAE,qGAAA,cAAc,OAAA;AAAE,2GAAA,oBAAoB,OAAA;AAAE,6GAAA,sBAAsB,OAAA;AACrF,6BAAqC;AAA5B,mGAAA,YAAY,OAAA;AAGrB,uEAAuE;AACvE,yEAAyE;AACzE,yDAAyD;AACzD,+BAAwC;AAA/B,sGAAA,cAAc,OAAA;AAEvB,iFAAiF;AACjF,8EAA8E;AAC9E,qEAAqE;AACrE,oEAAoE"}

package/dist/foundations/rbac/rbac.module.d.ts

@@ -1,7 +1,10 @@
 import { DynamicModule } from "@nestjs/common";
+import type { RbacMatrix } from "./dsl/types";
 export declare class RbacModule {
     static register(options: {
-        moduleUserPaths: Record<string, string[]>;
+        moduleUserPaths: Record<string, readonly string[]>;
+        rbac?: RbacMatrix;
+        devMode?: boolean;
     }): DynamicModule;
 }
 //# sourceMappingURL=rbac.module.d.ts.map

package/dist/foundations/rbac/rbac.module.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"rbac.module.d.ts","sourceRoot":"","sources":["../../../src/foundations/rbac/rbac.module.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAU,MAAM,gBAAgB,CAAC;AASvD,qBACa,UAAU;IACrB,MAAM,CAAC,QAAQ,CAAC,OAAO,EAAE;QAAE,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAA;KAAE,GAAG,aAAa;CAiBvF"}
+{"version":3,"file":"rbac.module.d.ts","sourceRoot":"","sources":["../../../src/foundations/rbac/rbac.module.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAA0B,MAAM,gBAAgB,CAAC;AAUvE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAI9C,qBACa,UAAU;IACrB,MAAM,CAAC,QAAQ,CAAC,OAAO,EAAE;QACvB,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC,CAAC;QACnD,IAAI,CAAC,EAAE,UAAU,CAAC;QAClB,OAAO,CAAC,EAAE,OAAO,CAAC;KACnB,GAAG,aAAa;CA6BlB"}

package/dist/foundations/rbac/rbac.module.js

@@ -13,24 +13,38 @@ const rbac_controller_1 = require("./controllers/rbac.controller");
 const rbac_module_paths_controller_1 = require("./controllers/rbac-module-paths.controller");
 const rbac_repository_1 = require("./repositories/rbac.repository");
 const rbac_service_1 = require("./services/rbac.service");
+const rbac_reconciler_service_1 = require("./services/rbac-reconciler.service");
 const permission_mapping_serialiser_1 = require("./serialisers/permission-mapping.serialiser");
 const module_paths_serialiser_1 = require("./serialisers/module-paths.serialiser");
 const rbac_constants_1 = require("./rbac.constants");
+const rbac_tokens_1 = require("./rbac.tokens");
+const rbac_dev_controller_1 = require("./controllers/rbac-dev.controller");
+const conditional_service_decorator_1 = require("../../common/decorators/conditional-service.decorator");
 let RbacModule = RbacModule_1 = class RbacModule {
     static register(options) {
+        const providers = [
+            rbac_repository_1.RbacRepository,
+            rbac_service_1.RbacService,
+            permission_mapping_serialiser_1.PermissionMappingSerialiser,
+            module_paths_serialiser_1.ModulePathsSerialiser,
+            (0, conditional_service_decorator_1.createWorkerProvider)(rbac_reconciler_service_1.RbacReconcilerService),
+            {
+                provide: rbac_constants_1.MODULE_USER_PATHS_TOKEN,
+                useValue: options.moduleUserPaths,
+            },
+            {
+                provide: rbac_tokens_1.RBAC_MATRIX_TOKEN,
+                useValue: options.rbac ?? null,
+            },
+        ];
+        const controllers = [rbac_controller_1.RbacController, rbac_module_paths_controller_1.RbacModulePathsController];
+        if (options.devMode) {
+            controllers.push(rbac_dev_controller_1.RbacDevController);
+        }
         return {
             module: RbacModule_1,
-            controllers: [rbac_controller_1.RbacController, rbac_module_paths_controller_1.RbacModulePathsController],
-            providers: [
-                rbac_repository_1.RbacRepository,
-                rbac_service_1.RbacService,
-                permission_mapping_serialiser_1.PermissionMappingSerialiser,
-                module_paths_serialiser_1.ModulePathsSerialiser,
-                {
-                    provide: rbac_constants_1.MODULE_USER_PATHS_TOKEN,
-                    useValue: options.moduleUserPaths,
-                },
-            ],
+            controllers,
+            providers,
             exports: [rbac_service_1.RbacService],
         };
     }

package/dist/foundations/rbac/rbac.module.js.map

@@ -1 +1 @@
-{"version":3,"file":"rbac.module.js","sourceRoot":"","sources":["../../../src/foundations/rbac/rbac.module.ts"],"names":[],"mappings":";;;;;;;;;;AAAA,2CAAuD;AACvD,mEAA+D;AAC/D,6FAAuF;AACvF,oEAAgE;AAChE,0DAAsD;AACtD,+FAA0F;AAC1F,mFAA8E;AAC9E,qDAA2D;AAGpD,IAAM,UAAU,kBAAhB,MAAM,UAAU;IACrB,MAAM,CAAC,QAAQ,CAAC,OAAsD;QACpE,OAAO;YACL,MAAM,EAAE,YAAU;YAClB,WAAW,EAAE,CAAC,gCAAc,EAAE,wDAAyB,CAAC;YACxD,SAAS,EAAE;gBACT,gCAAc;gBACd,0BAAW;gBACX,2DAA2B;gBAC3B,+CAAqB;gBACrB;oBACE,OAAO,EAAE,wCAAuB;oBAChC,QAAQ,EAAE,OAAO,CAAC,eAAe;iBAClC;aACF;YACD,OAAO,EAAE,CAAC,0BAAW,CAAC;SACvB,CAAC;IACJ,CAAC;CACF,CAAA;AAlBY,gCAAU;qBAAV,UAAU;IADtB,IAAA,eAAM,EAAC,EAAE,CAAC;GACE,UAAU,CAkBtB"}
+{"version":3,"file":"rbac.module.js","sourceRoot":"","sources":["../../../src/foundations/rbac/rbac.module.ts"],"names":[],"mappings":";;;;;;;;;;AAAA,2CAAuE;AACvE,mEAA+D;AAC/D,6FAAuF;AACvF,oEAAgE;AAChE,0DAAsD;AACtD,gFAA2E;AAC3E,+FAA0F;AAC1F,mFAA8E;AAC9E,qDAA2D;AAC3D,+CAAkD;AAElD,2EAAsE;AACtE,yGAA6F;AAGtF,IAAM,UAAU,kBAAhB,MAAM,UAAU;IACrB,MAAM,CAAC,QAAQ,CAAC,OAIf;QACC,MAAM,SAAS,GAAe;YAC5B,gCAAc;YACd,0BAAW;YACX,2DAA2B;YAC3B,+CAAqB;YACrB,IAAA,oDAAoB,EAAC,+CAAqB,CAAC;YAC3C;gBACE,OAAO,EAAE,wCAAuB;gBAChC,QAAQ,EAAE,OAAO,CAAC,eAAe;aAClC;YACD;gBACE,OAAO,EAAE,+BAAiB;gBAC1B,QAAQ,EAAE,OAAO,CAAC,IAAI,IAAI,IAAI;aAC/B;SACF,CAAC;QAEF,MAAM,WAAW,GAAgB,CAAC,gCAAc,EAAE,wDAAyB,CAAC,CAAC;QAC7E,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YACpB,WAAW,CAAC,IAAI,CAAC,uCAAiB,CAAC,CAAC;QACtC,CAAC;QAED,OAAO;YACL,MAAM,EAAE,YAAU;YAClB,WAAW;YACX,SAAS;YACT,OAAO,EAAE,CAAC,0BAAW,CAAC;SACvB,CAAC;IACJ,CAAC;CACF,CAAA;AAlCY,gCAAU;qBAAV,UAAU;IADtB,IAAA,eAAM,EAAC,EAAE,CAAC;GACE,UAAU,CAkCtB"}

package/dist/foundations/rbac/rbac.tokens.d.ts

@@ -0,0 +1,11 @@
+/**
+ * DI token for the declarative RBAC matrix.
+ *
+ * Applications provide an `RbacMatrix` under this token; `RbacReconcilerService`
+ * reads it at bootstrap and reconciles Neo4j against it.
+ *
+ * Note: `MODULE_USER_PATHS_TOKEN` already lives in `rbac.constants.ts` — import
+ * it from there rather than duplicating it here.
+ */
+export declare const RBAC_MATRIX_TOKEN: unique symbol;
+//# sourceMappingURL=rbac.tokens.d.ts.map

package/dist/foundations/rbac/rbac.tokens.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac.tokens.d.ts","sourceRoot":"","sources":["../../../src/foundations/rbac/rbac.tokens.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,eAAO,MAAM,iBAAiB,eAA8B,CAAC"}

package/dist/foundations/rbac/rbac.tokens.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RBAC_MATRIX_TOKEN = void 0;
+/**
+ * DI token for the declarative RBAC matrix.
+ *
+ * Applications provide an `RbacMatrix` under this token; `RbacReconcilerService`
+ * reads it at bootstrap and reconciles Neo4j against it.
+ *
+ * Note: `MODULE_USER_PATHS_TOKEN` already lives in `rbac.constants.ts` — import
+ * it from there rather than duplicating it here.
+ */
+exports.RBAC_MATRIX_TOKEN = Symbol("RBAC_MATRIX_TOKEN");
+//# sourceMappingURL=rbac.tokens.js.map

package/dist/foundations/rbac/rbac.tokens.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac.tokens.js","sourceRoot":"","sources":["../../../src/foundations/rbac/rbac.tokens.ts"],"names":[],"mappings":";;;AAAA;;;;;;;;GAQG;AACU,QAAA,iBAAiB,GAAG,MAAM,CAAC,mBAAmB,CAAC,CAAC"}

package/dist/foundations/rbac/serializer/matrix-to-ts.d.ts

@@ -0,0 +1,13 @@
+import type { RbacMatrix } from "../dsl/types";
+interface Options {
+    roleNames: Record<string, string>;
+    moduleNames: Record<string, string>;
+}
+/**
+ * Serialise an RbacMatrix to formatted TypeScript source.
+ * Deterministic: module and role keys are sorted by UUID; tokens are
+ * normalised per action.
+ */
+export declare function serializeMatrixToTs(matrix: RbacMatrix, opts: Options): Promise<string>;
+export {};
+//# sourceMappingURL=matrix-to-ts.d.ts.map

package/dist/foundations/rbac/serializer/matrix-to-ts.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"matrix-to-ts.d.ts","sourceRoot":"","sources":["../../../../src/foundations/rbac/serializer/matrix-to-ts.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,UAAU,EAAa,MAAM,cAAc,CAAC;AAE1D,UAAU,OAAO;IACf,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACrC;AAED;;;;GAIG;AACH,wBAAsB,mBAAmB,CAAC,MAAM,EAAE,UAAU,EAAE,IAAI,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAmC5F"}

package/dist/foundations/rbac/serializer/matrix-to-ts.js

@@ -0,0 +1,74 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.serializeMatrixToTs = serializeMatrixToTs;
+// packages/nestjs-neo4jsonapi/src/foundations/rbac/serializer/matrix-to-ts.ts
+const prettier_1 = __importDefault(require("prettier"));
+/**
+ * Serialise an RbacMatrix to formatted TypeScript source.
+ * Deterministic: module and role keys are sorted by UUID; tokens are
+ * normalised per action.
+ */
+async function serializeMatrixToTs(matrix, opts) {
+    const moduleIds = Object.keys(matrix).sort();
+    const lines = [];
+    lines.push(`// Auto-maintained by the RBAC UI. Edit via \`pnpm dev\` + UI, or by hand.`);
+    lines.push(``);
+    lines.push(`import { RoleId, ModuleId } from "@neural-erp/shared";`);
+    lines.push(`import { perm, defineRbac } from "@carlonicora/nestjs-neo4jsonapi";`);
+    lines.push(`import { MODULE_USER_PATHS } from "../features/rbac/module-relationships.map";`);
+    lines.push(``);
+    lines.push(`export const rbac = defineRbac<typeof MODULE_USER_PATHS>({`);
+    for (const moduleId of moduleIds) {
+        const block = matrix[moduleId];
+        if (!block)
+            continue;
+        const moduleName = opts.moduleNames[moduleId];
+        if (!moduleName) {
+            throw new Error(`Unknown module UUID: ${moduleId}. Check module-id.map.json.`);
+        }
+        lines.push(`  [ModuleId.${moduleName}]: {`);
+        lines.push(`    default: ${renderTokens(block.default)},`);
+        const roleIds = Object.keys(block)
+            .filter((k) => k !== "default")
+            .sort();
+        for (const roleId of roleIds) {
+            const roleName = opts.roleNames[roleId];
+            if (!roleName)
+                throw new Error(`Unknown role UUID: ${roleId}`);
+            lines.push(`    [RoleId.${roleName}]: ${renderTokens(block[roleId])},`);
+        }
+        lines.push(`  },`);
+    }
+    lines.push(`});`);
+    lines.push(``);
+    const raw = lines.join("\n");
+    return prettier_1.default.format(raw, { parser: "typescript" });
+}
+function renderTokens(tokens) {
+    // `scope === false` has no emission (absence of a token is the "deny"
+    // semantics). Drop defensively before any shape-checking so malformed state
+    // never leaks to disk as `perm.X("false")`.
+    const valid = tokens.filter((t) => t.scope === true || (typeof t.scope === "string" && t.scope.length > 0));
+    // perm.full collapse
+    const isFull = valid.length === 4 && valid.every((t) => t.scope === true) && new Set(valid.map((t) => t.action)).size === 4;
+    if (isFull)
+        return "perm.full";
+    if (valid.length === 0)
+        return "[]";
+    // Render each token
+    const parts = [...valid]
+        .sort((a, b) => {
+        const order = { read: 0, create: 1, update: 2, delete: 3 };
+        return order[a.action] - order[b.action];
+    })
+        .map((t) => {
+        if (t.scope === true)
+            return `perm.${t.action}`;
+        return `perm.${t.action}("${t.scope}")`;
+    });
+    return `[${parts.join(", ")}]`;
+}
+//# sourceMappingURL=matrix-to-ts.js.map

package/dist/foundations/rbac/serializer/matrix-to-ts.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"matrix-to-ts.js","sourceRoot":"","sources":["../../../../src/foundations/rbac/serializer/matrix-to-ts.ts"],"names":[],"mappings":";;;;;AAcA,kDAmCC;AAjDD,8EAA8E;AAC9E,wDAAgC;AAQhC;;;;GAIG;AACI,KAAK,UAAU,mBAAmB,CAAC,MAAkB,EAAE,IAAa;IACzE,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;IAC7C,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,4EAA4E,CAAC,CAAC;IACzF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,wDAAwD,CAAC,CAAC;IACrE,KAAK,CAAC,IAAI,CAAC,qEAAqE,CAAC,CAAC;IAClF,KAAK,CAAC,IAAI,CAAC,gFAAgF,CAAC,CAAC;IAC7F,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,4DAA4D,CAAC,CAAC;IAEzE,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC/B,IAAI,CAAC,KAAK;YAAE,SAAS;QACrB,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QAC9C,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,wBAAwB,QAAQ,6BAA6B,CAAC,CAAC;QACjF,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,eAAe,UAAU,MAAM,CAAC,CAAC;QAC5C,KAAK,CAAC,IAAI,CAAC,gBAAgB,YAAY,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC3D,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC;aAC/B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,SAAS,CAAC;aAC9B,IAAI,EAAE,CAAC;QACV,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;YACxC,IAAI,CAAC,QAAQ;gBAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,MAAM,EAAE,CAAC,CAAC;YAC/D,KAAK,CAAC,IAAI,CAAC,eAAe,QAAQ,MAAM,YAAY,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC;QAC1E,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACrB,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7B,OAAO,kBAAQ,CAAC,MAAM,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,CAAC;AACxD,CAAC;AAED,SAAS,YAAY,CAAC,MAAmB;IACvC,sEAAsE;IACtE,4EAA4E;IAC5E,4CAA4C;IAC5C,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,KAAK,QAAQ,IAAI,CAAC,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;IAE5G,qBAAqB;IACrB,MAAM,MAAM,GACV,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,IAAI,CAAC,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC;IAC/G,IAAI,MAAM;QAAE,OAAO,WAAW,CAAC;IAE/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpC,oBAAoB;IACpB,MAAM,KAAK,GAAG,CAAC,GAAG,KAAK,CAAC;SACrB,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACb,MAAM,KAAK,GAA2B,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;QACnF,OAAO,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IAC3C,CAAC,CAAC;SACD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QACT,IAAI,CAAC,CAAC,KAAK,KAAK,IAAI;YAAE,OAAO,QAAQ,CAAC,CAAC,MAAM,EAAE,CAAC;QAChD,OAAO,QAAQ,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,KAAK,IAAI,CAAC;IAC1C,CAAC,CAAC,CAAC;IACL,OAAO,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;AACjC,CAAC"}

package/dist/foundations/rbac/services/rbac-reconciler.service.d.ts

@@ -0,0 +1,30 @@
+import { OnApplicationBootstrap } from "@nestjs/common";
+import { Neo4jService } from "../../../core/neo4j/services/neo4j.service";
+import { AppLoggingService } from "../../../core/logging/services/logging.service";
+import type { RbacMatrix } from "../dsl/types";
+/**
+ * Applies the declared `RbacMatrix` to Neo4j at application bootstrap.
+ *
+ * Behaviour (per spec §6.3):
+ *  - Administrator role is never written as an HAS_PERMISSIONS edge — the
+ *    security layer short-circuits for it.
+ *  - Module defaults are stored on `Module.permissions`.
+ *  - Role-specific permissions are stored on `(Role)-[:HAS_PERMISSIONS]->(Module)`.
+ *  - Deletions are scoped to modules declared in the matrix: edges for
+ *    undeclared modules are left untouched.
+ *  - Preflight aborts with a clear error if any referenced role or module is
+ *    missing from the DB (seed migrations must run first).
+ */
+export declare class RbacReconcilerService implements OnApplicationBootstrap {
+    private readonly neo4j;
+    private readonly matrix;
+    private readonly logger;
+    constructor(neo4j: Neo4jService, matrix: RbacMatrix | null, logger: AppLoggingService);
+    onApplicationBootstrap(): Promise<void>;
+    private preflight;
+    private findMissing;
+    private readActualState;
+    private computeDiff;
+    private apply;
+}
+//# sourceMappingURL=rbac-reconciler.service.d.ts.map

package/dist/foundations/rbac/services/rbac-reconciler.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac-reconciler.service.d.ts","sourceRoot":"","sources":["../../../../src/foundations/rbac/services/rbac-reconciler.service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAgC,sBAAsB,EAAE,MAAM,gBAAgB,CAAC;AACtF,OAAO,EAAE,YAAY,EAAE,MAAM,4CAA4C,CAAC;AAC1E,OAAO,EAAE,iBAAiB,EAAE,MAAM,gDAAgD,CAAC;AAGnF,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAe/C;;;;;;;;;;;;GAYG;AACH,qBACa,qBAAsB,YAAW,sBAAsB;IAEhE,OAAO,CAAC,QAAQ,CAAC,KAAK;IACiB,OAAO,CAAC,QAAQ,CAAC,MAAM;IAC9D,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAFN,KAAK,EAAE,YAAY,EACoB,MAAM,EAAE,UAAU,GAAG,IAAI,EAChE,MAAM,EAAE,iBAAiB;IAGtC,sBAAsB,IAAI,OAAO,CAAC,IAAI,CAAC;YAsB/B,SAAS;YAyBT,WAAW;YAOX,eAAe;IAsB7B,OAAO,CAAC,WAAW;YAkEL,KAAK;CA4BpB"}