npm - @carlonicora/nestjs-neo4jsonapi - Versions diffs - 1.63.0 → 1.64.0 - Mend

@carlonicora/nestjs-neo4jsonapi 1.63.0 → 1.64.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (56) hide show

package/dist/foundations/rbac/services/rbac-reconciler.service.js ADDED Viewed

@@ -0,0 +1,192 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RbacReconcilerService = void 0;
+const common_1 = require("@nestjs/common");
+const neo4j_service_1 = require("../../../core/neo4j/services/neo4j.service");
+const logging_service_1 = require("../../../core/logging/services/logging.service");
+const system_roles_1 = require("../../../common/constants/system.roles");
+const rbac_tokens_1 = require("../rbac.tokens");
+const resolver_1 = require("../dsl/resolver");
+const ADMINISTRATOR_ID = system_roles_1.SystemRoles.Administrator;
+/**
+ * Applies the declared `RbacMatrix` to Neo4j at application bootstrap.
+ *
+ * Behaviour (per spec §6.3):
+ *  - Administrator role is never written as an HAS_PERMISSIONS edge — the
+ *    security layer short-circuits for it.
+ *  - Module defaults are stored on `Module.permissions`.
+ *  - Role-specific permissions are stored on `(Role)-[:HAS_PERMISSIONS]->(Module)`.
+ *  - Deletions are scoped to modules declared in the matrix: edges for
+ *    undeclared modules are left untouched.
+ *  - Preflight aborts with a clear error if any referenced role or module is
+ *    missing from the DB (seed migrations must run first).
+ */
+let RbacReconcilerService = class RbacReconcilerService {
+    constructor(neo4j, matrix, logger) {
+        this.neo4j = neo4j;
+        this.matrix = matrix;
+        this.logger = logger;
+    }
+    async onApplicationBootstrap() {
+        if (!this.matrix) {
+            this.logger.log("RBAC reconciler: no matrix configured, skipping");
+            return;
+        }
+        await this.preflight();
+        const actual = await this.readActualState();
+        const diff = this.computeDiff(actual);
+        if (diff.operations.length === 0) {
+            this.logger.log("RBAC reconcile: no changes");
+            return;
+        }
+        await this.apply(diff.operations);
+        this.logger.log(`RBAC reconcile: ${diff.defaultsChanged} defaults changed, ${diff.edgesUpserted} edges upserted, ${diff.edgesRemoved} edges removed`);
+    }
+    async preflight() {
+        const moduleIds = new Set();
+        const roleIds = new Set();
+        for (const moduleId of (0, resolver_1.iterateDeclaredModules)(this.matrix)) {
+            moduleIds.add(moduleId);
+        }
+        for (const { roleId } of (0, resolver_1.iterateDeclaredEdges)(this.matrix)) {
+            if (roleId === ADMINISTRATOR_ID)
+                continue;
+            roleIds.add(roleId);
+        }
+        const missingRoles = await this.findMissing("Role", Array.from(roleIds));
+        const missingModules = await this.findMissing("Module", Array.from(moduleIds));
+        if (missingRoles.length > 0 || missingModules.length > 0) {
+            throw new Error(`RBAC reconcile aborted - referenced entities not found in DB. ` +
+                `Roles missing: ${missingRoles.join(", ") || "none"}. ` +
+                `Modules missing: ${missingModules.join(", ") || "none"}. ` +
+                `Apply seed migrations before declaring these in the matrix.`);
+        }
+    }
+    async findMissing(label, ids) {
+        if (ids.length === 0)
+            return [];
+        const result = await this.neo4j.read(`MATCH (n:${label}) WHERE n.id IN $ids RETURN n.id AS id`, { ids });
+        const found = new Set(result.records.map((r) => r.get("id")));
+        return ids.filter((id) => !found.has(id));
+    }
+    async readActualState() {
+        const modulesResult = await this.neo4j.read(`MATCH (m:Module) RETURN m.id AS id, m.permissions AS permissions`, {});
+        const edgesResult = await this.neo4j.read(`MATCH (r:Role)-[p:HAS_PERMISSIONS]->(m:Module) RETURN r.id AS roleId, m.id AS moduleId, p.permissions AS permissions`, {});
+        const moduleDefaults = {};
+        for (const rec of modulesResult.records) {
+            moduleDefaults[rec.get("id")] = rec.get("permissions");
+        }
+        const edges = [];
+        for (const rec of edgesResult.records) {
+            edges.push({
+                roleId: rec.get("roleId"),
+                moduleId: rec.get("moduleId"),
+                permissions: rec.get("permissions"),
+            });
+        }
+        return { moduleDefaults, edges };
+    }
+    computeDiff(actual) {
+        const operations = [];
+        let defaultsChanged = 0;
+        let edgesUpserted = 0;
+        let edgesRemoved = 0;
+        const declaredModules = new Set(Array.from((0, resolver_1.iterateDeclaredModules)(this.matrix)));
+        const sortedModules = Array.from(declaredModules).sort();
+        // Defaults
+        for (const moduleId of sortedModules) {
+            const expected = (0, resolver_1.resolveDefault)(this.matrix, moduleId);
+            if (expected === undefined)
+                continue;
+            if (actual.moduleDefaults[moduleId] !== expected) {
+                operations.push({ kind: "setDefault", params: { moduleId, permissions: expected } });
+                defaultsChanged++;
+            }
+        }
+        // Edges — expected (Administrator excluded)
+        const expectedEdgeKeys = new Set();
+        const sortedEdges = Array.from((0, resolver_1.iterateDeclaredEdges)(this.matrix))
+            .filter((e) => e.roleId !== ADMINISTRATOR_ID)
+            .sort((a, b) => (a.moduleId + a.roleId).localeCompare(b.moduleId + b.roleId));
+        const actualByKey = new Map();
+        for (const edge of actual.edges) {
+            actualByKey.set(`${edge.roleId}|${edge.moduleId}`, edge.permissions);
+        }
+        for (const { roleId, moduleId } of sortedEdges) {
+            const expected = (0, resolver_1.resolveForRole)(this.matrix, roleId, moduleId);
+            if (expected === undefined)
+                continue;
+            const key = `${roleId}|${moduleId}`;
+            expectedEdgeKeys.add(key);
+            if (actualByKey.get(key) !== expected) {
+                operations.push({
+                    kind: "upsertEdge",
+                    params: { roleId, moduleId, permissions: expected },
+                });
+                edgesUpserted++;
+            }
+        }
+        // Edges — to delete (scoped to declared modules only; Administrator never managed)
+        for (const edge of actual.edges) {
+            if (!declaredModules.has(edge.moduleId))
+                continue;
+            if (edge.roleId === ADMINISTRATOR_ID)
+                continue;
+            const key = `${edge.roleId}|${edge.moduleId}`;
+            if (!expectedEdgeKeys.has(key)) {
+                operations.push({
+                    kind: "deleteEdge",
+                    params: { roleId: edge.roleId, moduleId: edge.moduleId },
+                });
+                edgesRemoved++;
+            }
+        }
+        return { operations, defaultsChanged, edgesUpserted, edgesRemoved };
+    }
+    async apply(operations) {
+        const queries = operations.map((op) => {
+            if (op.kind === "setDefault") {
+                return {
+                    query: `MATCH (m:Module {id: $moduleId}) SET m.permissions = $permissions`,
+                    params: op.params,
+                };
+            }
+            if (op.kind === "upsertEdge") {
+                return {
+                    query: `MATCH (role:Role {id: $roleId}) ` +
+                        `MATCH (module:Module {id: $moduleId}) ` +
+                        `MERGE (role)-[permissions:HAS_PERMISSIONS]->(module) ` +
+                        `ON CREATE SET permissions.permissions = $permissions ` +
+                        `ON MATCH SET permissions.permissions = $permissions`,
+                    params: op.params,
+                };
+            }
+            // deleteEdge
+            return {
+                query: `MATCH (role:Role {id: $roleId})-[p:HAS_PERMISSIONS]->(module:Module {id: $moduleId}) DELETE p`,
+                params: op.params,
+            };
+        });
+        await this.neo4j.executeInTransaction(queries);
+    }
+};
+exports.RbacReconcilerService = RbacReconcilerService;
+exports.RbacReconcilerService = RbacReconcilerService = __decorate([
+    (0, common_1.Injectable)(),
+    __param(1, (0, common_1.Optional)()),
+    __param(1, (0, common_1.Inject)(rbac_tokens_1.RBAC_MATRIX_TOKEN)),
+    __metadata("design:paramtypes", [neo4j_service_1.Neo4jService, Object, logging_service_1.AppLoggingService])
+], RbacReconcilerService);
+//# sourceMappingURL=rbac-reconciler.service.js.map

package/dist/foundations/rbac/services/rbac-reconciler.service.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"rbac-reconciler.service.js","sourceRoot":"","sources":["../../../../src/foundations/rbac/services/rbac-reconciler.service.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,2CAAsF;AACtF,8EAA0E;AAC1E,oFAAmF;AACnF,yEAAqE;AACrE,gDAAmD;AAEnD,8CAA+G;AAE/G,MAAM,gBAAgB,GAAW,0BAAW,CAAC,aAAa,CAAC;AAY3D;;;;;;;;;;;;GAYG;AAEI,IAAM,qBAAqB,GAA3B,MAAM,qBAAqB;IAChC,YACmB,KAAmB,EACoB,MAAyB,EAChE,MAAyB;QAFzB,UAAK,GAAL,KAAK,CAAc;QACoB,WAAM,GAAN,MAAM,CAAmB;QAChE,WAAM,GAAN,MAAM,CAAmB;IACzC,CAAC;IAEJ,KAAK,CAAC,sBAAsB;QAC1B,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC;YACnE,OAAO;QACT,CAAC;QAED,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QAEvB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QAEtC,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACjC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC;YAC9C,OAAO;QACT,CAAC;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAClC,IAAI,CAAC,MAAM,CAAC,GAAG,CACb,mBAAmB,IAAI,CAAC,eAAe,sBAAsB,IAAI,CAAC,aAAa,oBAAoB,IAAI,CAAC,YAAY,gBAAgB,CACrI,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,SAAS;QACrB,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;QACpC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;QAElC,KAAK,MAAM,QAAQ,IAAI,IAAA,iCAAsB,EAAC,IAAI,CAAC,MAAO,CAAC,EAAE,CAAC;YAC5D,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC1B,CAAC;QACD,KAAK,MAAM,EAAE,MAAM,EAAE,IAAI,IAAA,+BAAoB,EAAC,IAAI,CAAC,MAAO,CAAC,EAAE,CAAC;YAC5D,IAAI,MAAM,KAAK,gBAAgB;gBAAE,SAAS;YAC1C,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACtB,CAAC;QAED,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;QACzE,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC;QAE/E,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzD,MAAM,IAAI,KAAK,CACb,gEAAgE;gBAC9D,kBAAkB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,MAAM,IAAI;gBACvD,oBAAoB,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,MAAM,IAAI;gBAC3D,6DAA6D,CAChE,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,WAAW,CAAC,KAAwB,EAAE,GAAa;QAC/D,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;QAChC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,YAAY,KAAK,wCAAwC,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC;QACzG,MAAM,KAAK,GAAG,IAAI,GAAG,CAAS,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAW,CAAC,CAAC,CAAC;QACrF,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;IAC5C,CAAC;IAEO,KAAK,CAAC,eAAe;QAC3B,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,kEAAkE,EAAE,EAAE,CAAC,CAAC;QACpH,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CACvC,sHAAsH,EACtH,EAAE,CACH,CAAC;QAEF,MAAM,cAAc,GAAkC,EAAE,CAAC;QACzD,KAAK,MAAM,GAAG,IAAI,aAAa,CAAC,OAAO,EAAE,CAAC;YACxC,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAW,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,aAAa,CAAkB,CAAC;QACpF,CAAC;QACD,MAAM,KAAK,GAAqE,EAAE,CAAC;QACnF,KAAK,MAAM,GAAG,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YACtC,KAAK,CAAC,IAAI,CAAC;gBACT,MAAM,EAAE,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAW;gBACnC,QAAQ,EAAE,GAAG,CAAC,GAAG,CAAC,UAAU,CAAW;gBACvC,WAAW,EAAE,GAAG,CAAC,GAAG,CAAC,aAAa,CAAW;aAC9C,CAAC,CAAC;QACL,CAAC;QACD,OAAO,EAAE,cAAc,EAAE,KAAK,EAAE,CAAC;IACnC,CAAC;IAEO,WAAW,CAAC,MAAmB;QAMrC,MAAM,UAAU,GAAyB,EAAE,CAAC;QAC5C,IAAI,eAAe,GAAG,CAAC,CAAC;QACxB,IAAI,aAAa,GAAG,CAAC,CAAC;QACtB,IAAI,YAAY,GAAG,CAAC,CAAC;QAErB,MAAM,eAAe,GAAG,IAAI,GAAG,CAAS,KAAK,CAAC,IAAI,CAAC,IAAA,iCAAsB,EAAC,IAAI,CAAC,MAAO,CAAC,CAAC,CAAC,CAAC;QAC1F,MAAM,aAAa,GAAG,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,IAAI,EAAE,CAAC;QAEzD,WAAW;QACX,KAAK,MAAM,QAAQ,IAAI,aAAa,EAAE,CAAC;YACrC,MAAM,QAAQ,GAAG,IAAA,yBAAc,EAAC,IAAI,CAAC,MAAO,EAAE,QAAQ,CAAC,CAAC;YACxD,IAAI,QAAQ,KAAK,SAAS;gBAAE,SAAS;YACrC,IAAI,MAAM,CAAC,cAAc,CAAC,QAAQ,CAAC,KAAK,QAAQ,EAAE,CAAC;gBACjD,UAAU,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,EAAE,QAAQ,EAAE,WAAW,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAC;gBACrF,eAAe,EAAE,CAAC;YACpB,CAAC;QACH,CAAC;QAED,4CAA4C;QAC5C,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAU,CAAC;QAC3C,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,IAAA,+BAAoB,EAAC,IAAI,CAAC,MAAO,CAAC,CAAC;aAC/D,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,gBAAgB,CAAC;aAC5C,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;QAEhF,MAAM,WAAW,GAAG,IAAI,GAAG,EAAkB,CAAC;QAC9C,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YAChC,WAAW,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;QACvE,CAAC;QAED,KAAK,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,WAAW,EAAE,CAAC;YAC/C,MAAM,QAAQ,GAAG,IAAA,yBAAc,EAAC,IAAI,CAAC,MAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;YAChE,IAAI,QAAQ,KAAK,SAAS;gBAAE,SAAS;YACrC,MAAM,GAAG,GAAG,GAAG,MAAM,IAAI,QAAQ,EAAE,CAAC;YACpC,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAC1B,IAAI,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,QAAQ,EAAE,CAAC;gBACtC,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,YAAY;oBAClB,MAAM,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,QAAQ,EAAE;iBACpD,CAAC,CAAC;gBACH,aAAa,EAAE,CAAC;YAClB,CAAC;QACH,CAAC;QAED,mFAAmF;QACnF,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YAChC,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,SAAS;YAClD,IAAI,IAAI,CAAC,MAAM,KAAK,gBAAgB;gBAAE,SAAS;YAC/C,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC9C,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC/B,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,YAAY;oBAClB,MAAM,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE;iBACzD,CAAC,CAAC;gBACH,YAAY,EAAE,CAAC;YACjB,CAAC;QACH,CAAC;QAED,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,aAAa,EAAE,YAAY,EAAE,CAAC;IACtE,CAAC;IAEO,KAAK,CAAC,KAAK,CAAC,UAAgC;QAClD,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE;YACpC,IAAI,EAAE,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBAC7B,OAAO;oBACL,KAAK,EAAE,mEAAmE;oBAC1E,MAAM,EAAE,EAAE,CAAC,MAAM;iBAClB,CAAC;YACJ,CAAC;YACD,IAAI,EAAE,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBAC7B,OAAO;oBACL,KAAK,EACH,kCAAkC;wBAClC,wCAAwC;wBACxC,uDAAuD;wBACvD,uDAAuD;wBACvD,qDAAqD;oBACvD,MAAM,EAAE,EAAE,CAAC,MAAM;iBAClB,CAAC;YACJ,CAAC;YACD,aAAa;YACb,OAAO;gBACL,KAAK,EAAE,+FAA+F;gBACtG,MAAM,EAAE,EAAE,CAAC,MAAM;aAClB,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,OAAO,CAAC,CAAC;IACjD,CAAC;CACF,CAAA;AAjLY,sDAAqB;gCAArB,qBAAqB;IADjC,IAAA,mBAAU,GAAE;IAIR,WAAA,IAAA,iBAAQ,GAAE,CAAA;IAAE,WAAA,IAAA,eAAM,EAAC,+BAAiB,CAAC,CAAA;qCADd,4BAAY,UAEX,mCAAiB;GAJjC,qBAAqB,CAiLjC"}

package/dist/tools/generate-rbac-paths/index.js CHANGED Viewed

@@ -50,6 +50,7 @@ program
     .option("--output <path>", "Output file path", "src/features/rbac/module-relationships.map.ts")
     .option("--skip <names>", "Comma-separated entity names to skip", "")
     .option("--max-depth <n>", "BFS max depth", "4")
+    .option("--module-id-map <path>", "Path to labelName→UUID JSON map (required for UUID-keyed output)", "")
     .parse();
 function scanDescriptors(dir, skipEntities) {
     const entities = [];
@@ -141,19 +142,6 @@ function bfsToUser(graph, startEntity, maxDepth) {
     }
     return paths;
 }
-function generateOutput(moduleUserPaths) {
-    const entries = Object.entries(moduleUserPaths)
-        .sort(([a], [b]) => a.localeCompare(b))
-        .map(([key, paths]) => `  ${JSON.stringify(key)}: ${JSON.stringify(paths)}`)
-        .join(",\n");
-    return `// Auto-generated by generate-rbac-paths CLI tool
-// Do not edit manually - regenerate with: pnpm generate:rbac-paths
-export const MODULE_USER_PATHS: Record<string, string[]> = {
-${entries}
-};
-`;
-}
 async function main() {
     const options = program.opts();
     const dir = options.dir;
@@ -164,31 +152,48 @@ async function main() {
         .map((s) => s.trim())
         .filter(Boolean);
     const skipEntities = [...DEFAULT_SKIP_ENTITIES, ...extraSkip];
+    const moduleIdMapPath = options.moduleIdMap;
+    if (!moduleIdMapPath) {
+        console.error("--module-id-map is required. See apps/api/scripts/build-module-id-map.ts.");
+        process.exit(1);
+    }
+    const moduleIdMap = JSON.parse(fs.readFileSync(moduleIdMapPath, "utf8"));
     console.info("\nRBAC Path Generation CLI");
     console.info("========================\n");
     console.info(`Scanning: ${dir}`);
     console.info(`Output: ${output}`);
     console.info(`Max depth: ${maxDepth}`);
+    console.info(`Module id map: ${moduleIdMapPath}`);
     console.info(`Skip entities: ${skipEntities.join(", ")}\n`);
     const entities = scanDescriptors(dir, skipEntities);
     console.info(`Found ${entities.length} entities\n`);
     const graph = buildGraph(entities);
-    const moduleUserPaths = {};
+    const entitiesByLabel = new Map();
+    const pathsByEntity = new Map();
     for (const entity of entities) {
-        const normalizedName = entity.labelName.charAt(0).toLowerCase() + entity.labelName.slice(1);
+        entitiesByLabel.set(entity.labelName, entity);
         const paths = bfsToUser(graph, entity.labelName, maxDepth);
+        pathsByEntity.set(entity.labelName, paths);
         if (paths.length > 0) {
-            moduleUserPaths[normalizedName] = paths;
-            console.info(`  ${normalizedName}: [${paths.join(", ")}]`);
+            console.info(`  ${entity.labelName}: [${paths.join(", ")}]`);
         }
     }
-    const content = generateOutput(moduleUserPaths);
+    // Ensure every mapped module has an entry (possibly empty)
+    const finalMap = {};
+    for (const [labelName, uuid] of Object.entries(moduleIdMap)) {
+        const entity = entitiesByLabel.get(labelName);
+        finalMap[uuid] = entity ? Array.from(pathsByEntity.get(labelName) ?? []) : [];
+    }
+    const content = `// Auto-generated by generate-rbac-paths CLI tool\n` +
+        `// Do not edit manually - regenerate with: pnpm generate:rbac-paths\n\n` +
+        `export const MODULE_USER_PATHS = ${JSON.stringify(finalMap, null, 2)} as const;\n\n` +
+        `export type ModuleUserPathsType = typeof MODULE_USER_PATHS;\n`;
     const outputDir = path.dirname(output);
     if (!fs.existsSync(outputDir)) {
         fs.mkdirSync(outputDir, { recursive: true });
     }
     fs.writeFileSync(output, content, "utf-8");
-    console.info(`\nGenerated ${output} with ${Object.keys(moduleUserPaths).length} entity paths\n`);
+    console.info(`\nGenerated ${output} with ${Object.keys(finalMap).length} module entries\n`);
 }
 main().catch((error) => {
     console.error("\nGeneration failed:", error.message);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@carlonicora/nestjs-neo4jsonapi",
-  "version": "1.63.0",
+  "version": "1.64.0",
   "description": "NestJS foundation package with JSON:API, Neo4j, Redis, LangChain agents, and common utilities",
   "author": "Carlo Nicora",
   "license": "GPL-3.0-or-later",