@cfast/permissions 0.5.1 → 0.7.0

package/dist/{client-DpwiMpD0.d.ts → client-DyadVgmx.d.ts}

@@ -420,4 +420,4 @@ declare class PermissionRegistrationError extends Error {
     constructor(subject: string, availableTables: readonly string[]);
 }
 
-export { CRUD_ACTIONS as C, type DrizzleTable as D, ForbiddenError as F, type Grant as G, type LookupDb as L, type PermissionsConfig as P, type SchemaMap as S, type TableName as T, type WithLookups as W, type Permissions as a, type PermissionAction as b, type SubjectInput as c, type WhereClause as d, type PermissionDescriptor as e, type PermissionCheckResult as f, type ColumnsOf as g, type CrudAction as h, type GrantFn as i, type LookupFn as j, PermissionRegistrationError as k, type SqlNameOf as l, getTableName as m };
+export { type CrudAction as C, type DrizzleTable as D, ForbiddenError as F, type Grant as G, type LookupDb as L, type PermissionsConfig as P, type SchemaMap as S, type TableName as T, type WithLookups as W, type Permissions as a, type PermissionAction as b, type SubjectInput as c, type WhereClause as d, type PermissionDescriptor as e, type PermissionCheckResult as f, CRUD_ACTIONS as g, type ColumnsOf as h, type GrantFn as i, type LookupFn as j, PermissionRegistrationError as k, type SqlNameOf as l, getTableName as m };

package/dist/client.d.ts

@@ -1 +1 @@
-export { h as CrudAction, F as ForbiddenError, b as PermissionAction, f as PermissionCheckResult, e as PermissionDescriptor } from './client-DpwiMpD0.js';
+export { C as CrudAction, F as ForbiddenError, b as PermissionAction, f as PermissionCheckResult, e as PermissionDescriptor } from './client-DyadVgmx.js';

package/dist/index.d.ts

@@ -1,5 +1,5 @@
-import { P as PermissionsConfig, a as Permissions, S as SchemaMap, b as PermissionAction, c as SubjectInput, W as WithLookups, d as WhereClause, G as Grant, e as PermissionDescriptor, f as PermissionCheckResult } from './client-DpwiMpD0.js';
-export { C as CRUD_ACTIONS, g as ColumnsOf, h as CrudAction, D as DrizzleTable, F as ForbiddenError, i as GrantFn, L as LookupDb, j as LookupFn, k as PermissionRegistrationError, l as SqlNameOf, T as TableName, m as getTableName } from './client-DpwiMpD0.js';
+import { P as PermissionsConfig, a as Permissions, S as SchemaMap, b as PermissionAction, c as SubjectInput, W as WithLookups, d as WhereClause, G as Grant, e as PermissionDescriptor, f as PermissionCheckResult, C as CrudAction, D as DrizzleTable } from './client-DyadVgmx.js';
+export { g as CRUD_ACTIONS, h as ColumnsOf, F as ForbiddenError, i as GrantFn, L as LookupDb, j as LookupFn, k as PermissionRegistrationError, l as SqlNameOf, T as TableName, m as getTableName } from './client-DyadVgmx.js';
 
 /**
  * Creates a permission configuration that can be shared between server-side
@@ -263,4 +263,60 @@ type UserWithRoles = {
 declare function resolveGrants(permissions: Permissions, user: UserWithRoles): Grant[];
 declare function resolveGrants(permissions: Permissions, roles: readonly string[]): Grant[];
 
-export { Grant, PermissionAction, PermissionCheckResult, PermissionDescriptor, Permissions, PermissionsConfig, SchemaMap, SubjectInput, type UserWithRoles, WhereClause, WithLookups, can, checkPermissions, definePermissions, grant, resolveGrants };
+/**
+ * A single granted action for a table, including the matching grants.
+ *
+ * - `unrestricted: true` means at least one grant has no `where` clause,
+ *   so the action is unconditionally permitted for every row.
+ * - `unrestricted: false` means all matching grants have `where` clauses,
+ *   so whether the action is permitted depends on the specific row.
+ */
+type GrantedAction = {
+    action: CrudAction;
+    grants: Grant[];
+    unrestricted: boolean;
+};
+/**
+ * Returns the distinct CRUD actions that are granted for a given table.
+ *
+ * `manage` grants are expanded into the four CRUD actions. For each action,
+ * the result includes the matching grants and whether any of them is
+ * unrestricted (no `where` clause). Actions with no matching grant at all
+ * are excluded from the result.
+ *
+ * Used by `@cfast/db` to build `_can` annotations on query results.
+ *
+ * @param grants - The user's resolved permission grants.
+ * @param table - The Drizzle table to check grants against.
+ * @returns Array of GrantedAction objects for each permitted action.
+ */
+declare function getGrantedActions(grants: Grant[], table: DrizzleTable): GrantedAction[];
+
+/**
+ * Resolves table-level CRUD permissions for every table in a schema.
+ *
+ * Iterates each key in the schema map, extracts its table name, and calls
+ * {@link can} for each of the four CRUD actions (`read`, `create`, `update`,
+ * `delete`). Returns a flat, serializable map suitable for embedding in
+ * loader data and sending to the client.
+ *
+ * This is a pure grant-structural check — no database access, no SQL.
+ * Row-level `where` clauses on grants are ignored; the result reflects
+ * whether the user has *any* grant for the action on the table.
+ *
+ * @param grants - The user's resolved permission grants.
+ * @param schema - A schema map (e.g. `import * as schema from "./schema"`).
+ * @returns A record keyed by SQL table name, each mapping CRUD actions to booleans.
+ *
+ * @example
+ * ```ts
+ * import { resolveTablePermissions } from "@cfast/permissions";
+ * import * as schema from "../db/schema";
+ *
+ * const perms = resolveTablePermissions(grants, schema);
+ * // { posts: { read: true, create: true, update: false, delete: false }, ... }
+ * ```
+ */
+declare function resolveTablePermissions(grants: Grant[], schema: SchemaMap): Record<string, Record<CrudAction, boolean>>;
+
+export { CrudAction, DrizzleTable, Grant, type GrantedAction, PermissionAction, PermissionCheckResult, PermissionDescriptor, Permissions, PermissionsConfig, SchemaMap, SubjectInput, type UserWithRoles, WhereClause, WithLookups, can, checkPermissions, definePermissions, getGrantedActions, grant, resolveGrants, resolveTablePermissions };

package/dist/index.js

@@ -234,6 +234,42 @@ function resolveGrants(permissions, userOrRoles) {
   }
   return result;
 }
+
+// src/granted-actions.ts
+function getGrantedActions(grants, table) {
+  const targetName = getTableName(table);
+  const result = [];
+  for (const action of CRUD_ACTIONS) {
+    const matching = grants.filter((g) => {
+      const actionOk = g.action === action || g.action === "manage";
+      if (!actionOk) return false;
+      if (g.subject === "all") return true;
+      if (g.subject === table) return true;
+      return getTableName(g.subject) === targetName;
+    });
+    if (matching.length === 0) continue;
+    const unrestricted = matching.some((g) => !g.where);
+    result.push({ action, grants: matching, unrestricted });
+  }
+  return result;
+}
+
+// src/resolve-table-permissions.ts
+function resolveTablePermissions(grants, schema) {
+  const result = {};
+  for (const key of Object.keys(schema)) {
+    const table = schema[key];
+    const tableName = getTableName(table);
+    if (tableName === "unknown") continue;
+    if (result[tableName]) continue;
+    const perms = {};
+    for (const action of CRUD_ACTIONS) {
+      perms[action] = can(grants, action, table);
+    }
+    result[tableName] = perms;
+  }
+  return result;
+}
 export {
   CRUD_ACTIONS,
   ForbiddenError,
@@ -241,7 +277,9 @@ export {
   can,
   checkPermissions,
   definePermissions,
+  getGrantedActions,
   getTableName,
   grant,
-  resolveGrants
+  resolveGrants,
+  resolveTablePermissions
 };

package/llms.txt

@@ -209,11 +209,38 @@ can<typeof schema>(grants, "create", "posts")        // ✓ string form, type-ch
 // can<typeof schema>(grants, "create", "unknownTable")  // ✗ TypeScript error
 ```
 
+### `getGrantedActions(grants, table): GrantedAction[]`
+```typescript
+import { getGrantedActions } from "@cfast/permissions";
+function getGrantedActions(grants: Grant[], table: DrizzleTable): GrantedAction[]
+
+type GrantedAction = {
+  action: CrudAction;         // "read" | "create" | "update" | "delete"
+  grants: Grant[];            // the matching grants
+  unrestricted: boolean;      // true if any grant has no `where` clause
+};
+```
+Returns the distinct CRUD actions that are granted for a given table. `manage` grants are expanded into the four CRUD actions. For each action, the result includes the matching grants and whether any of them is unrestricted (no `where` clause). Actions with no matching grant are excluded.
+
+Used internally by `@cfast/db` to build row-level `_can` annotations on query results.
+
 ### `CRUD_ACTIONS`
 ```typescript
 const CRUD_ACTIONS: readonly CrudAction[] = ["read", "create", "update", "delete"];
 ```
 
+### `resolveTablePermissions(grants, schema): Record<string, Record<CrudAction, boolean>>`
+```typescript
+import { resolveTablePermissions } from "@cfast/permissions";
+import * as schema from "../db/schema";
+
+const perms = resolveTablePermissions(grants, schema);
+// { posts: { read: true, create: true, update: false, delete: false }, ... }
+```
+Pure grant-structural check for every table in the schema. No DB, no SQL. Returns a serializable map. Skips non-table entries (e.g. relation objects) and deduplicates when multiple JS keys map to the same SQL name.
+
+Used internally by `cfastJson()` from `@cfast/actions` to embed table permissions in loader data.
+
 ### Client entrypoint
 ```typescript
 import { ForbiddenError, can } from "@cfast/permissions/client";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cfast/permissions",
-  "version": "0.5.1",
+  "version": "0.7.0",
   "description": "Isomorphic, composable permission system with Drizzle-native row-level access control",
   "keywords": [
     "cfast",