@classytic/arc 1.1.0 → 2.1.2

package/dist/permissions/index.mjs

@@ -0,0 +1,579 @@
+import { a as getTeamId, c as isElevated, l as isMember, n as PUBLIC_SCOPE } from "../types-Beqn1Un7.mjs";
+import { i as resolveEffectiveRoles, n as applyFieldWritePermissions, r as fields, t as applyFieldReadPermissions } from "../fields-iagOozy0.mjs";
+import { t as MemoryCacheStore } from "../memory-cQgelFOj.mjs";
+import { a as presets_exports, c as readOnly, i as ownerWithAdminBypass, n as authenticated, o as publicRead, r as fullPublic, s as publicReadAdminWrite, t as adminOnly } from "../presets-BITljm96.mjs";
+import { randomUUID } from "node:crypto";
+
+//#region src/permissions/index.ts
+/**
+* Allow public access (no authentication required)
+*
+* @example
+* ```typescript
+* permissions: {
+*   list: allowPublic(),
+*   get: allowPublic(),
+* }
+* ```
+*/
+function allowPublic() {
+	const check = () => true;
+	check._isPublic = true;
+	return check;
+}
+/**
+* Require authentication (any authenticated user)
+*
+* @example
+* ```typescript
+* permissions: {
+*   create: requireAuth(),
+*   update: requireAuth(),
+* }
+* ```
+*/
+function requireAuth() {
+	const check = (ctx) => {
+		if (!ctx.user) return {
+			granted: false,
+			reason: "Authentication required"
+		};
+		return true;
+	};
+	return check;
+}
+/**
+* Require specific roles
+*
+* @param roles - Required roles (user needs at least one)
+* @param options - Optional bypass roles
+*
+* @example
+* ```typescript
+* permissions: {
+*   create: requireRoles(['admin', 'editor']),
+*   delete: requireRoles(['admin']),
+* }
+*
+* // With bypass roles
+* permissions: {
+*   update: requireRoles(['owner'], { bypassRoles: ['admin', 'superadmin'] }),
+* }
+* ```
+*/
+function requireRoles(roles, options) {
+	const check = (ctx) => {
+		if (!ctx.user) return {
+			granted: false,
+			reason: "Authentication required"
+		};
+		const userRoles = ctx.user.roles ?? [];
+		if (options?.bypassRoles?.some((r) => userRoles.includes(r))) return true;
+		if (roles.some((r) => userRoles.includes(r))) return true;
+		return {
+			granted: false,
+			reason: `Required roles: ${roles.join(", ")}`
+		};
+	};
+	check._roles = roles;
+	return check;
+}
+/**
+* Require resource ownership
+*
+* Returns filters to scope queries to user's owned resources.
+*
+* @param ownerField - Field containing owner ID (default: 'userId')
+* @param options - Optional bypass roles
+*
+* @example
+* ```typescript
+* permissions: {
+*   update: requireOwnership('userId'),
+*   delete: requireOwnership('createdBy', { bypassRoles: ['admin'] }),
+* }
+* ```
+*/
+function requireOwnership(ownerField = "userId", options) {
+	return (ctx) => {
+		if (!ctx.user) return {
+			granted: false,
+			reason: "Authentication required"
+		};
+		const userRoles = ctx.user.roles ?? [];
+		if (options?.bypassRoles?.some((r) => userRoles.includes(r))) return true;
+		const userId = ctx.user.id ?? ctx.user._id;
+		if (!userId) return {
+			granted: false,
+			reason: "User identity missing (no id or _id)"
+		};
+		return {
+			granted: true,
+			filters: { [ownerField]: userId }
+		};
+	};
+}
+/**
+* Combine multiple checks - ALL must pass (AND logic)
+*
+* @example
+* ```typescript
+* permissions: {
+*   update: allOf(
+*     requireAuth(),
+*     requireRoles(['editor']),
+*     requireOwnership('createdBy')
+*   ),
+* }
+* ```
+*/
+function allOf(...checks) {
+	return async (ctx) => {
+		let mergedFilters = {};
+		for (const check of checks) {
+			const result = await check(ctx);
+			const normalized = typeof result === "boolean" ? { granted: result } : result;
+			if (!normalized.granted) return normalized;
+			if (normalized.filters) mergedFilters = {
+				...mergedFilters,
+				...normalized.filters
+			};
+		}
+		return {
+			granted: true,
+			filters: Object.keys(mergedFilters).length > 0 ? mergedFilters : void 0
+		};
+	};
+}
+/**
+* Combine multiple checks - ANY must pass (OR logic)
+*
+* @example
+* ```typescript
+* permissions: {
+*   update: anyOf(
+*     requireRoles(['admin']),
+*     requireOwnership('createdBy')
+*   ),
+* }
+* ```
+*/
+function anyOf(...checks) {
+	return async (ctx) => {
+		const reasons = [];
+		for (const check of checks) {
+			const result = await check(ctx);
+			const normalized = typeof result === "boolean" ? { granted: result } : result;
+			if (normalized.granted) return normalized;
+			if (normalized.reason) reasons.push(normalized.reason);
+		}
+		return {
+			granted: false,
+			reason: reasons.join("; ")
+		};
+	};
+}
+/**
+* Deny all access
+*
+* @example
+* ```typescript
+* permissions: {
+*   delete: denyAll('Deletion not allowed'),
+* }
+* ```
+*/
+function denyAll(reason = "Access denied") {
+	return () => ({
+		granted: false,
+		reason
+	});
+}
+/**
+* Dynamic permission based on context
+*
+* @example
+* ```typescript
+* permissions: {
+*   update: when((ctx) => ctx.data?.status === 'draft'),
+* }
+* ```
+*/
+function when(condition) {
+	return async (ctx) => {
+		const result = await condition(ctx);
+		return {
+			granted: result,
+			reason: result ? void 0 : "Condition not met"
+		};
+	};
+}
+/** Read request.scope safely */
+function getScope(request) {
+	return request.scope ?? PUBLIC_SCOPE;
+}
+/**
+* Require membership in the active organization.
+* User must be authenticated AND have an active org (member or elevated scope).
+*
+* Reads `request.scope` set by auth adapters.
+*
+* @example
+* ```typescript
+* permissions: {
+*   list: requireOrgMembership(),
+*   get: requireOrgMembership(),
+* }
+* ```
+*/
+function requireOrgMembership() {
+	const check = (ctx) => {
+		if (!ctx.user) return {
+			granted: false,
+			reason: "Authentication required"
+		};
+		const scope = getScope(ctx.request);
+		if (isElevated(scope)) return true;
+		if (isMember(scope)) return true;
+		return {
+			granted: false,
+			reason: "Organization membership required"
+		};
+	};
+	check._orgPermission = "membership";
+	return check;
+}
+/**
+* Require specific org-level roles.
+* Reads `request.scope.orgRoles` (set by auth adapters).
+* Elevated scope always passes (platform admin bypass).
+*
+* @param roles - Required org roles (user needs at least one)
+*
+* @example
+* ```typescript
+* permissions: {
+*   create: requireOrgRole('admin', 'owner'),
+*   delete: requireOrgRole('owner'),
+* }
+* ```
+*/
+function requireOrgRole(...args) {
+	const roles = Array.isArray(args[0]) ? args[0] : args;
+	const check = (ctx) => {
+		if (!ctx.user) return {
+			granted: false,
+			reason: "Authentication required"
+		};
+		const scope = getScope(ctx.request);
+		if (isElevated(scope)) return true;
+		if (!isMember(scope)) return {
+			granted: false,
+			reason: "Organization membership required"
+		};
+		if (roles.some((r) => scope.orgRoles.includes(r))) return true;
+		return {
+			granted: false,
+			reason: `Required org roles: ${roles.join(", ")}`
+		};
+	};
+	check._orgRoles = roles;
+	return check;
+}
+/**
+* Create a scoped permission system for resource-action patterns.
+* Maps org roles to fine-grained permissions without external API calls.
+*
+* @example
+* ```typescript
+* const perms = createOrgPermissions({
+*   statements: {
+*     product: ['create', 'update', 'delete'],
+*     order: ['create', 'approve'],
+*   },
+*   roles: {
+*     owner: { product: ['create', 'update', 'delete'], order: ['create', 'approve'] },
+*     admin: { product: ['create', 'update'], order: ['create'] },
+*     member: { product: [], order: [] },
+*   },
+* });
+*
+* defineResource({
+*   permissions: {
+*     create: perms.can({ product: ['create'] }),
+*     delete: perms.can({ product: ['delete'] }),
+*   }
+* });
+* ```
+*/
+function createOrgPermissions(config) {
+	const { roles: roleMap } = config;
+	function hasPermissions(orgRoles, required) {
+		for (const [resource, actions] of Object.entries(required)) for (const action of actions) if (!orgRoles.some((role) => {
+			return (roleMap[role]?.[resource])?.includes(action);
+		})) return false;
+		return true;
+	}
+	return {
+		can(permissions) {
+			return (ctx) => {
+				if (!ctx.user) return {
+					granted: false,
+					reason: "Authentication required"
+				};
+				const scope = getScope(ctx.request);
+				if (isElevated(scope)) return true;
+				if (!isMember(scope)) return {
+					granted: false,
+					reason: "Organization membership required"
+				};
+				if (hasPermissions(scope.orgRoles, permissions)) return true;
+				return {
+					granted: false,
+					reason: `Missing permissions: ${Object.entries(permissions).map(([r, a]) => `${r}:[${a.join(",")}]`).join(", ")}`
+				};
+			};
+		},
+		requireRole(...roles) {
+			return requireOrgRole(roles);
+		},
+		requireMembership() {
+			return requireOrgMembership();
+		},
+		requireTeamMembership() {
+			return requireTeamMembership();
+		}
+	};
+}
+/**
+* Create a dynamic role-based permission matrix.
+*
+* Use this when role/action mappings are managed outside code
+* (e.g., admin UI matrix, DB-stored ACLs, remote policy service).
+*
+* Supports:
+* - org role union (any assigned org role can grant)
+* - global bypass roles
+* - wildcard resource/action (`*`)
+* - optional in-memory cache
+*/
+function createDynamicPermissionMatrix(config) {
+	const logger = config.logger ?? console;
+	const legacyTtlMs = config.cache?.ttlMs ?? 0;
+	const hasExternalStore = !!config.cacheStore;
+	const cacheTtlMs = legacyTtlMs > 0 ? legacyTtlMs : hasExternalStore ? 3e5 : 0;
+	const internalStore = !config.cacheStore && cacheTtlMs > 0 ? new MemoryCacheStore({
+		defaultTtlMs: cacheTtlMs,
+		maxEntries: config.cache?.maxEntries ?? 1e3
+	}) : void 0;
+	const cacheStore = config.cacheStore ?? internalStore;
+	const trackedKeys = /* @__PURE__ */ new Set();
+	const nodeId = randomUUID().slice(0, 8);
+	const DEFAULT_EVENT_TYPE = "arc.permissions.invalidated";
+	let eventBridge = null;
+	/** Clear local cache for an org without publishing events (avoids infinite loops). */
+	async function localInvalidateByOrg(orgId) {
+		if (!cacheStore) return;
+		const prefix = `${orgId}::`;
+		const toDelete = [];
+		for (const key of trackedKeys) if (key.startsWith(prefix)) toDelete.push(key);
+		for (const key of toDelete) try {
+			await cacheStore.delete(key);
+			trackedKeys.delete(key);
+		} catch (error) {
+			logger.warn(`[DynamicPermissionMatrix] invalidateByOrg delete failed for '${key}': ${error instanceof Error ? error.message : String(error)}`);
+		}
+	}
+	function isActionAllowed(actions, action) {
+		if (!actions || actions.length === 0) return false;
+		return actions.includes("*") || actions.includes(action);
+	}
+	function roleAllows(matrix, role, resource, action) {
+		const rolePermissions = matrix[role];
+		if (!rolePermissions) return false;
+		const resourceActions = rolePermissions[resource];
+		const wildcardResourceActions = rolePermissions["*"];
+		return isActionAllowed(resourceActions, action) || isActionAllowed(wildcardResourceActions, action);
+	}
+	function buildDefaultCacheKey(ctx, orgId, orgRoles) {
+		const userId = String(ctx.user?.id ?? ctx.user?._id ?? "anon");
+		const roles = (orgRoles ?? []).slice().sort().join(",");
+		return `${orgId ?? "no-org"}::${roles}::${userId}`;
+	}
+	async function resolveMatrix(ctx, orgId, orgRoles) {
+		if (!cacheStore) return config.resolveRolePermissions(ctx);
+		const cacheKey = config.cache?.key?.(ctx) ?? buildDefaultCacheKey(ctx, orgId, orgRoles);
+		if (!cacheKey) return config.resolveRolePermissions(ctx);
+		try {
+			const hit = await cacheStore.get(cacheKey);
+			if (hit) return hit;
+		} catch (error) {
+			logger.warn(`[DynamicPermissionMatrix] Cache get failed for '${cacheKey}': ${error instanceof Error ? error.message : String(error)}`);
+		}
+		const value = await config.resolveRolePermissions(ctx);
+		try {
+			await cacheStore.set(cacheKey, value, { ttlMs: cacheTtlMs });
+			trackedKeys.add(cacheKey);
+			const maxTracked = config.cache?.maxEntries ?? 1e4;
+			if (trackedKeys.size > maxTracked) {
+				const overflow = trackedKeys.size - maxTracked;
+				const iter = trackedKeys.values();
+				for (let i = 0; i < overflow; i++) {
+					const oldest = iter.next().value;
+					if (oldest) trackedKeys.delete(oldest);
+				}
+			}
+		} catch (error) {
+			logger.warn(`[DynamicPermissionMatrix] Cache set failed for '${cacheKey}': ${error instanceof Error ? error.message : String(error)}`);
+		}
+		return value;
+	}
+	function can(required) {
+		return async (ctx) => {
+			if (!ctx.user) return {
+				granted: false,
+				reason: "Authentication required"
+			};
+			const scope = getScope(ctx.request);
+			if (isElevated(scope)) return true;
+			if (!isMember(scope)) return {
+				granted: false,
+				reason: "Organization membership required"
+			};
+			const orgRoles = scope.orgRoles;
+			if (orgRoles.length === 0) return {
+				granted: false,
+				reason: "Not a member of this organization"
+			};
+			let matrix;
+			try {
+				matrix = await resolveMatrix(ctx, scope.organizationId, orgRoles);
+			} catch (error) {
+				return {
+					granted: false,
+					reason: `Permission matrix resolution failed: ${error instanceof Error ? error.message : String(error)}`
+				};
+			}
+			for (const [resource, actions] of Object.entries(required)) for (const action of actions) if (!orgRoles.some((role) => roleAllows(matrix, role, resource, action))) return {
+				granted: false,
+				reason: `Missing permission: ${resource}:${action}`
+			};
+			return true;
+		};
+	}
+	return {
+		can,
+		canAction(resource, action) {
+			return can({ [resource]: [action] });
+		},
+		requireRole(...roles) {
+			return requireOrgRole(roles);
+		},
+		requireMembership() {
+			return requireOrgMembership();
+		},
+		requireTeamMembership() {
+			return requireTeamMembership();
+		},
+		async invalidateByOrg(orgId) {
+			await localInvalidateByOrg(orgId);
+			if (eventBridge) try {
+				await eventBridge.publish(eventBridge.eventType, {
+					orgId,
+					nodeId
+				});
+			} catch (error) {
+				logger.warn(`[DynamicPermissionMatrix] Failed to publish invalidation event for org '${orgId}': ${error instanceof Error ? error.message : String(error)}`);
+			}
+		},
+		async clearCache() {
+			if (!cacheStore) return;
+			if (cacheStore.clear) try {
+				await cacheStore.clear();
+				trackedKeys.clear();
+				return;
+			} catch (error) {
+				logger.warn(`[DynamicPermissionMatrix] cacheStore.clear failed: ${error instanceof Error ? error.message : String(error)}`);
+			}
+			for (const key of trackedKeys) try {
+				await cacheStore.delete(key);
+			} catch (error) {
+				logger.warn(`[DynamicPermissionMatrix] Cache delete failed for '${key}': ${error instanceof Error ? error.message : String(error)}`);
+			}
+			trackedKeys.clear();
+		},
+		async connectEvents(events, options) {
+			if (eventBridge) await this.disconnectEvents();
+			const eventType = options?.eventType ?? DEFAULT_EVENT_TYPE;
+			const unsubscribeFn = await events.subscribe(eventType, async (event) => {
+				const payload = event.payload;
+				if (!payload?.orgId) return;
+				if (payload.nodeId === nodeId) return;
+				await localInvalidateByOrg(payload.orgId);
+				if (options?.onRemoteInvalidation) try {
+					await options.onRemoteInvalidation(payload.orgId);
+				} catch (error) {
+					logger.warn(`[DynamicPermissionMatrix] onRemoteInvalidation callback failed for org '${payload.orgId}': ${error instanceof Error ? error.message : String(error)}`);
+				}
+			});
+			eventBridge = {
+				publish: events.publish,
+				unsubscribe: typeof unsubscribeFn === "function" ? unsubscribeFn : null,
+				eventType,
+				onRemoteInvalidation: options?.onRemoteInvalidation
+			};
+		},
+		async disconnectEvents() {
+			if (!eventBridge) return;
+			try {
+				eventBridge.unsubscribe?.();
+			} catch (error) {
+				logger.warn(`[DynamicPermissionMatrix] disconnectEvents unsubscribe failed: ${error instanceof Error ? error.message : String(error)}`);
+			}
+			eventBridge = null;
+		},
+		get eventsConnected() {
+			return eventBridge !== null;
+		}
+	};
+}
+/**
+* Require membership in the active team.
+* User must be authenticated, a member of the active org, AND have an active team.
+*
+* Better Auth teams are flat member groups (no team-level roles).
+* Reads `request.scope.teamId` set by the Better Auth adapter.
+*
+* @example
+* ```typescript
+* permissions: {
+*   list: requireTeamMembership(),
+*   create: requireTeamMembership(),
+* }
+* ```
+*/
+function requireTeamMembership() {
+	const check = (ctx) => {
+		if (!ctx.user) return {
+			granted: false,
+			reason: "Authentication required"
+		};
+		const scope = getScope(ctx.request);
+		if (isElevated(scope)) return true;
+		if (!isMember(scope)) return {
+			granted: false,
+			reason: "Organization membership required"
+		};
+		if (!getTeamId(scope)) return {
+			granted: false,
+			reason: "No active team"
+		};
+		return true;
+	};
+	check._teamPermission = "membership";
+	return check;
+}
+
+//#endregion
+export { adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, authenticated, createDynamicPermissionMatrix, createOrgPermissions, denyAll, fields, fullPublic, ownerWithAdminBypass, presets_exports as permissions, publicRead, publicReadAdminWrite, readOnly, requireAuth, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireTeamMembership, resolveEffectiveRoles, when };
+//# sourceMappingURL=index.mjs.map

package/dist/permissions/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.mjs","names":[],"sources":["../../src/permissions/index.ts"],"sourcesContent":["/**\r\n * Permission System\r\n *\r\n * Clean, function-based permission system.\r\n * PermissionCheck is THE ONLY way to define permissions.\r\n *\r\n * @example\r\n * ```typescript\r\n * import { allowPublic, requireAuth, requireRoles } from '@classytic/arc/permissions';\r\n *\r\n * defineResource({\r\n *   permissions: {\r\n *     list: allowPublic(),\r\n *     get: allowPublic(),\r\n *     create: requireAuth(),\r\n *     update: requireRoles(['admin', 'editor']),\r\n *     delete: requireRoles(['admin']),\r\n *   }\r\n * });\r\n * ```\r\n */\r\n\r\n// Re-export types\r\nexport type {\r\n  PermissionCheck,\r\n  PermissionContext,\r\n  PermissionResult,\r\n  UserBase,\r\n} from \"./types.js\";\r\nimport { randomUUID } from \"node:crypto\";\r\nimport { MemoryCacheStore } from \"../cache/memory.js\";\r\nimport type { CacheLogger, CacheStore } from \"../cache/interface.js\";\r\n\r\nexport interface DynamicPermissionMatrixConfig {\r\n  /**\r\n   * Resolve role → resource → actions map dynamically (DB/API/config service).\r\n   * Called at permission-check time (or cache miss if cache enabled).\r\n   */\r\n  resolveRolePermissions: (\r\n    ctx: PermissionContext,\r\n  ) =>\r\n    | Record<string, Record<string, readonly string[]>>\r\n    | Promise<Record<string, Record<string, readonly string[]>>>;\r\n  /**\r\n   * Optional cache store adapter.\r\n   * Use MemoryCacheStore for single-instance apps or RedisCacheStore for distributed setups.\r\n   */\r\n  cacheStore?: CacheStore<Record<string, Record<string, readonly string[]>>>;\r\n  /** Optional logger for cache/runtime failures (default: console) */\r\n  logger?: CacheLogger;\r\n  /**\r\n   * Legacy convenience in-memory cache config.\r\n   * If `cacheStore` is not provided and ttlMs > 0, Arc creates an internal MemoryCacheStore.\r\n   */\r\n  cache?: {\r\n    /** Cache TTL in milliseconds */\r\n    ttlMs: number;\r\n    /** Optional custom cache key builder */\r\n    key?: (ctx: PermissionContext) => string | null | undefined;\r\n    /** Hard entry cap for internal memory store (default: 1000) */\r\n    maxEntries?: number;\r\n  };\r\n}\r\n\r\n/** Minimal publish/subscribe interface for cross-node cache invalidation. */\r\nexport interface PermissionEventBus {\r\n  publish: <T>(type: string, payload: T) => Promise<void>;\r\n  subscribe: (\r\n    pattern: string,\r\n    handler: (event: { payload: unknown }) => void | Promise<void>,\r\n  ) => Promise<(() => void) | void>;\r\n}\r\n\r\nexport interface ConnectEventsOptions {\r\n  /** Called on remote invalidation for app-specific cleanup (e.g., resolver cache) */\r\n  onRemoteInvalidation?: (orgId: string) => void | Promise<void>;\r\n  /** Custom event type (default: 'arc.permissions.invalidated') */\r\n  eventType?: string;\r\n}\r\n\r\nexport interface DynamicPermissionMatrix {\r\n  can: (permissions: Record<string, readonly string[]>) => PermissionCheck;\r\n  canAction: (resource: string, action: string) => PermissionCheck;\r\n  requireRole: (...roles: string[]) => PermissionCheck;\r\n  requireMembership: () => PermissionCheck;\r\n  requireTeamMembership: () => PermissionCheck;\r\n  /** Invalidate cached permissions for a specific organization */\r\n  invalidateByOrg: (orgId: string) => Promise<void>;\r\n  clearCache: () => Promise<void>;\r\n\r\n  /**\r\n   * Connect to an event system for cross-node cache invalidation.\r\n   *\r\n   * Late-binding: call after the event plugin is registered (e.g., in onReady hook).\r\n   * Once connected, `invalidateByOrg()` auto-publishes an event, and incoming\r\n   * events from other nodes trigger local cache invalidation.\r\n   * Echo is suppressed via per-process nodeId matching.\r\n   */\r\n  connectEvents(\r\n    events: PermissionEventBus,\r\n    options?: ConnectEventsOptions,\r\n  ): Promise<void>;\r\n\r\n  /** Disconnect from the event system. Safe to call even if never connected. */\r\n  disconnectEvents(): Promise<void>;\r\n\r\n  /** Whether events are currently connected. */\r\n  readonly eventsConnected: boolean;\r\n}\r\n\r\n// Permission presets — common patterns in one call\r\nimport * as presets from \"./presets.js\";\r\nexport { presets as permissions };\r\nexport {\r\n  publicRead,\r\n  publicReadAdminWrite,\r\n  authenticated,\r\n  adminOnly,\r\n  ownerWithAdminBypass,\r\n  fullPublic,\r\n  readOnly,\r\n} from \"./presets.js\";\r\n\r\n// Field-level permissions\r\nexport {\r\n  fields,\r\n  applyFieldReadPermissions,\r\n  applyFieldWritePermissions,\r\n  resolveEffectiveRoles,\r\n} from \"./fields.js\";\r\nexport type {\r\n  FieldPermission,\r\n  FieldPermissionMap,\r\n  FieldPermissionType,\r\n} from \"./fields.js\";\r\n\r\nimport type {\r\n  PermissionCheck,\r\n  PermissionContext,\r\n  PermissionResult,\r\n} from \"./types.js\";\r\nimport type { FastifyRequest } from \"fastify\";\r\nimport type { RequestScope } from \"../scope/types.js\";\r\nimport {\r\n  isMember,\r\n  isElevated,\r\n  getOrgId,\r\n  getOrgRoles,\r\n  getTeamId,\r\n  PUBLIC_SCOPE,\r\n} from \"../scope/types.js\";\r\n\r\n// ============================================================================\r\n// Permission Helpers\r\n// ============================================================================\r\n\r\n/**\r\n * Allow public access (no authentication required)\r\n *\r\n * @example\r\n * ```typescript\r\n * permissions: {\r\n *   list: allowPublic(),\r\n *   get: allowPublic(),\r\n * }\r\n * ```\r\n */\r\nexport function allowPublic(): PermissionCheck {\r\n  const check: PermissionCheck = () => true;\r\n  // Mark as public for OpenAPI documentation and introspection\r\n  check._isPublic = true;\r\n  return check;\r\n}\r\n\r\n/**\r\n * Require authentication (any authenticated user)\r\n *\r\n * @example\r\n * ```typescript\r\n * permissions: {\r\n *   create: requireAuth(),\r\n *   update: requireAuth(),\r\n * }\r\n * ```\r\n */\r\nexport function requireAuth(): PermissionCheck {\r\n  const check: PermissionCheck = (ctx) => {\r\n    if (!ctx.user) {\r\n      return { granted: false, reason: \"Authentication required\" };\r\n    }\r\n    return true;\r\n  };\r\n  return check;\r\n}\r\n\r\n/**\r\n * Require specific roles\r\n *\r\n * @param roles - Required roles (user needs at least one)\r\n * @param options - Optional bypass roles\r\n *\r\n * @example\r\n * ```typescript\r\n * permissions: {\r\n *   create: requireRoles(['admin', 'editor']),\r\n *   delete: requireRoles(['admin']),\r\n * }\r\n *\r\n * // With bypass roles\r\n * permissions: {\r\n *   update: requireRoles(['owner'], { bypassRoles: ['admin', 'superadmin'] }),\r\n * }\r\n * ```\r\n */\r\nexport function requireRoles(\r\n  roles: readonly string[],\r\n  options?: { bypassRoles?: readonly string[] },\r\n): PermissionCheck {\r\n  const check: PermissionCheck = (ctx) => {\r\n    if (!ctx.user) {\r\n      return { granted: false, reason: \"Authentication required\" };\r\n    }\r\n\r\n    const userRoles = (ctx.user.roles ?? []) as string[];\r\n\r\n    // Check bypass roles first\r\n    if (options?.bypassRoles?.some((r) => userRoles.includes(r))) {\r\n      return true;\r\n    }\r\n\r\n    // Check required roles (any match)\r\n    if (roles.some((r) => userRoles.includes(r))) {\r\n      return true;\r\n    }\r\n\r\n    return {\r\n      granted: false,\r\n      reason: `Required roles: ${roles.join(\", \")}`,\r\n    };\r\n  };\r\n  check._roles = roles;\r\n  return check;\r\n}\r\n\r\n/**\r\n * Require resource ownership\r\n *\r\n * Returns filters to scope queries to user's owned resources.\r\n *\r\n * @param ownerField - Field containing owner ID (default: 'userId')\r\n * @param options - Optional bypass roles\r\n *\r\n * @example\r\n * ```typescript\r\n * permissions: {\r\n *   update: requireOwnership('userId'),\r\n *   delete: requireOwnership('createdBy', { bypassRoles: ['admin'] }),\r\n * }\r\n * ```\r\n */\r\nexport function requireOwnership<TDoc = any>(\r\n  ownerField: Extract<keyof TDoc, string> | string = \"userId\",\r\n  options?: { bypassRoles?: readonly string[] },\r\n): PermissionCheck<TDoc> {\r\n  return (ctx) => {\r\n    if (!ctx.user) {\r\n      return { granted: false, reason: \"Authentication required\" };\r\n    }\r\n\r\n    const userRoles = (ctx.user.roles ?? []) as string[];\r\n\r\n    // Check bypass roles\r\n    if (options?.bypassRoles?.some((r) => userRoles.includes(r))) {\r\n      return true;\r\n    }\r\n\r\n    // Return filters to scope to owned resources\r\n    const userId = ctx.user.id ?? ctx.user._id;\r\n    if (!userId) {\r\n      return { granted: false, reason: \"User identity missing (no id or _id)\" };\r\n    }\r\n    return {\r\n      granted: true,\r\n      filters: { [ownerField]: userId },\r\n    };\r\n  };\r\n}\r\n\r\n/**\r\n * Combine multiple checks - ALL must pass (AND logic)\r\n *\r\n * @example\r\n * ```typescript\r\n * permissions: {\r\n *   update: allOf(\r\n *     requireAuth(),\r\n *     requireRoles(['editor']),\r\n *     requireOwnership('createdBy')\r\n *   ),\r\n * }\r\n * ```\r\n */\r\nexport function allOf(...checks: PermissionCheck[]): PermissionCheck {\r\n  return async (ctx) => {\r\n    let mergedFilters: Record<string, unknown> = {};\r\n\r\n    for (const check of checks) {\r\n      const result = await check(ctx);\r\n      const normalized: PermissionResult =\r\n        typeof result === \"boolean\" ? { granted: result } : result;\r\n\r\n      if (!normalized.granted) {\r\n        return normalized;\r\n      }\r\n\r\n      // Merge filters\r\n      if (normalized.filters) {\r\n        mergedFilters = { ...mergedFilters, ...normalized.filters };\r\n      }\r\n    }\r\n\r\n    return {\r\n      granted: true,\r\n      filters:\r\n        Object.keys(mergedFilters).length > 0 ? mergedFilters : undefined,\r\n    };\r\n  };\r\n}\r\n\r\n/**\r\n * Combine multiple checks - ANY must pass (OR logic)\r\n *\r\n * @example\r\n * ```typescript\r\n * permissions: {\r\n *   update: anyOf(\r\n *     requireRoles(['admin']),\r\n *     requireOwnership('createdBy')\r\n *   ),\r\n * }\r\n * ```\r\n */\r\nexport function anyOf(...checks: PermissionCheck[]): PermissionCheck {\r\n  return async (ctx) => {\r\n    const reasons: string[] = [];\r\n\r\n    for (const check of checks) {\r\n      const result = await check(ctx);\r\n      const normalized: PermissionResult =\r\n        typeof result === \"boolean\" ? { granted: result } : result;\r\n\r\n      if (normalized.granted) {\r\n        return normalized;\r\n      }\r\n\r\n      if (normalized.reason) {\r\n        reasons.push(normalized.reason);\r\n      }\r\n    }\r\n\r\n    return {\r\n      granted: false,\r\n      reason: reasons.join(\"; \"),\r\n    };\r\n  };\r\n}\r\n\r\n/**\r\n * Deny all access\r\n *\r\n * @example\r\n * ```typescript\r\n * permissions: {\r\n *   delete: denyAll('Deletion not allowed'),\r\n * }\r\n * ```\r\n */\r\nexport function denyAll(reason = \"Access denied\"): PermissionCheck {\r\n  return () => ({ granted: false, reason });\r\n}\r\n\r\n/**\r\n * Dynamic permission based on context\r\n *\r\n * @example\r\n * ```typescript\r\n * permissions: {\r\n *   update: when((ctx) => ctx.data?.status === 'draft'),\r\n * }\r\n * ```\r\n */\r\nexport function when<TDoc = any>(\r\n  condition: (ctx: PermissionContext<TDoc>) => boolean | Promise<boolean>,\r\n): PermissionCheck<TDoc> {\r\n  return async (ctx) => {\r\n    const result = await condition(ctx);\r\n    return {\r\n      granted: result,\r\n      reason: result ? undefined : \"Condition not met\",\r\n    };\r\n  };\r\n}\r\n\r\n// ============================================================================\r\n// Organization Permission Helpers\r\n// ============================================================================\r\n\r\n/** Read request.scope safely */\r\nfunction getScope(request: FastifyRequest): RequestScope {\r\n  return request.scope ?? PUBLIC_SCOPE;\r\n}\r\n\r\n/**\r\n * Require membership in the active organization.\r\n * User must be authenticated AND have an active org (member or elevated scope).\r\n *\r\n * Reads `request.scope` set by auth adapters.\r\n *\r\n * @example\r\n * ```typescript\r\n * permissions: {\r\n *   list: requireOrgMembership(),\r\n *   get: requireOrgMembership(),\r\n * }\r\n * ```\r\n */\r\nexport function requireOrgMembership<TDoc = any>(): PermissionCheck<TDoc> {\r\n  const check: PermissionCheck<TDoc> = (ctx) => {\r\n    if (!ctx.user) {\r\n      return { granted: false, reason: \"Authentication required\" };\r\n    }\r\n\r\n    const scope = getScope(ctx.request);\r\n    if (isElevated(scope)) return true;\r\n    if (isMember(scope)) return true;\r\n\r\n    return { granted: false, reason: \"Organization membership required\" };\r\n  };\r\n  check._orgPermission = \"membership\";\r\n  return check;\r\n}\r\n\r\n/**\r\n * Require specific org-level roles.\r\n * Reads `request.scope.orgRoles` (set by auth adapters).\r\n * Elevated scope always passes (platform admin bypass).\r\n *\r\n * @param roles - Required org roles (user needs at least one)\r\n *\r\n * @example\r\n * ```typescript\r\n * permissions: {\r\n *   create: requireOrgRole('admin', 'owner'),\r\n *   delete: requireOrgRole('owner'),\r\n * }\r\n * ```\r\n */\r\nexport function requireOrgRole<TDoc = any>(\r\n  ...args: string[] | [readonly string[]]\r\n): PermissionCheck<TDoc> {\r\n  // Support both: requireOrgRole('admin', 'owner') and requireOrgRole(['admin', 'owner'])\r\n  const roles: readonly string[] = Array.isArray(args[0])\r\n    ? args[0]\r\n    : (args as string[]);\r\n\r\n  const check: PermissionCheck<TDoc> = (ctx) => {\r\n    if (!ctx.user) {\r\n      return { granted: false, reason: \"Authentication required\" };\r\n    }\r\n\r\n    const scope = getScope(ctx.request);\r\n    if (isElevated(scope)) return true;\r\n\r\n    if (!isMember(scope)) {\r\n      return { granted: false, reason: \"Organization membership required\" };\r\n    }\r\n\r\n    if (roles.some((r) => scope.orgRoles.includes(r))) {\r\n      return true;\r\n    }\r\n\r\n    return {\r\n      granted: false,\r\n      reason: `Required org roles: ${roles.join(\", \")}`,\r\n    };\r\n  };\r\n  check._orgRoles = roles;\r\n  return check;\r\n}\r\n\r\n/**\r\n * Create a scoped permission system for resource-action patterns.\r\n * Maps org roles to fine-grained permissions without external API calls.\r\n *\r\n * @example\r\n * ```typescript\r\n * const perms = createOrgPermissions({\r\n *   statements: {\r\n *     product: ['create', 'update', 'delete'],\r\n *     order: ['create', 'approve'],\r\n *   },\r\n *   roles: {\r\n *     owner: { product: ['create', 'update', 'delete'], order: ['create', 'approve'] },\r\n *     admin: { product: ['create', 'update'], order: ['create'] },\r\n *     member: { product: [], order: [] },\r\n *   },\r\n * });\r\n *\r\n * defineResource({\r\n *   permissions: {\r\n *     create: perms.can({ product: ['create'] }),\r\n *     delete: perms.can({ product: ['delete'] }),\r\n *   }\r\n * });\r\n * ```\r\n */\r\nexport function createOrgPermissions(config: {\r\n  statements: Record<string, readonly string[]>;\r\n  roles: Record<string, Record<string, readonly string[]>>;\r\n}): {\r\n  can: (permissions: Record<string, string[]>) => PermissionCheck;\r\n  requireRole: (...roles: string[]) => PermissionCheck;\r\n  requireMembership: () => PermissionCheck;\r\n  requireTeamMembership: () => PermissionCheck;\r\n} {\r\n  const { roles: roleMap } = config;\r\n\r\n  function hasPermissions(\r\n    orgRoles: string[],\r\n    required: Record<string, string[]>,\r\n  ): boolean {\r\n    // User's effective permissions = union of all their role permissions\r\n    for (const [resource, actions] of Object.entries(required)) {\r\n      for (const action of actions) {\r\n        const granted = orgRoles.some((role) => {\r\n          const perms = roleMap[role]?.[resource];\r\n          return perms?.includes(action);\r\n        });\r\n        if (!granted) return false;\r\n      }\r\n    }\r\n    return true;\r\n  }\r\n\r\n  return {\r\n    can(permissions: Record<string, string[]>): PermissionCheck {\r\n      return (ctx) => {\r\n        if (!ctx.user) {\r\n          return { granted: false, reason: \"Authentication required\" };\r\n        }\r\n\r\n        const scope = getScope(ctx.request);\r\n        if (isElevated(scope)) return true;\r\n\r\n        if (!isMember(scope)) {\r\n          return { granted: false, reason: \"Organization membership required\" };\r\n        }\r\n\r\n        if (hasPermissions(scope.orgRoles, permissions)) {\r\n          return true;\r\n        }\r\n\r\n        const needed = Object.entries(permissions)\r\n          .map(([r, a]) => `${r}:[${a.join(\",\")}]`)\r\n          .join(\", \");\r\n        return {\r\n          granted: false,\r\n          reason: `Missing permissions: ${needed}`,\r\n        };\r\n      };\r\n    },\r\n\r\n    requireRole(...roles: string[]): PermissionCheck {\r\n      return requireOrgRole(roles);\r\n    },\r\n\r\n    requireMembership(): PermissionCheck {\r\n      return requireOrgMembership();\r\n    },\r\n\r\n    requireTeamMembership(): PermissionCheck {\r\n      return requireTeamMembership();\r\n    },\r\n  };\r\n}\r\n\r\n/**\r\n * Create a dynamic role-based permission matrix.\r\n *\r\n * Use this when role/action mappings are managed outside code\r\n * (e.g., admin UI matrix, DB-stored ACLs, remote policy service).\r\n *\r\n * Supports:\r\n * - org role union (any assigned org role can grant)\r\n * - global bypass roles\r\n * - wildcard resource/action (`*`)\r\n * - optional in-memory cache\r\n */\r\nexport function createDynamicPermissionMatrix(\r\n  config: DynamicPermissionMatrixConfig,\r\n): DynamicPermissionMatrix {\r\n  const logger = config.logger ?? console;\r\n  const legacyTtlMs = config.cache?.ttlMs ?? 0;\r\n  const hasExternalStore = !!config.cacheStore;\r\n  const cacheTtlMs =\r\n    legacyTtlMs > 0 ? legacyTtlMs : hasExternalStore ? 300_000 : 0;\r\n\r\n  const internalStore =\r\n    !config.cacheStore && cacheTtlMs > 0\r\n      ? new MemoryCacheStore<Record<string, Record<string, readonly string[]>>>(\r\n          {\r\n            defaultTtlMs: cacheTtlMs,\r\n            maxEntries: config.cache?.maxEntries ?? 1000,\r\n          },\r\n        )\r\n      : undefined;\r\n\r\n  const cacheStore = config.cacheStore ?? internalStore;\r\n  const trackedKeys = new Set<string>();\r\n\r\n  // ── Cross-node event bridge (late-binding) ───────────────────────\r\n  const nodeId = randomUUID().slice(0, 8);\r\n  const DEFAULT_EVENT_TYPE = \"arc.permissions.invalidated\";\r\n\r\n  interface InternalEventBridge {\r\n    publish: <T>(type: string, payload: T) => Promise<void>;\r\n    unsubscribe: (() => void) | null;\r\n    eventType: string;\r\n    onRemoteInvalidation?: (orgId: string) => void | Promise<void>;\r\n  }\r\n\r\n  let eventBridge: InternalEventBridge | null = null;\r\n\r\n  /** Clear local cache for an org without publishing events (avoids infinite loops). */\r\n  async function localInvalidateByOrg(orgId: string): Promise<void> {\r\n    if (!cacheStore) return;\r\n    const prefix = `${orgId}::`;\r\n    const toDelete: string[] = [];\r\n    for (const key of trackedKeys) {\r\n      if (key.startsWith(prefix)) toDelete.push(key);\r\n    }\r\n    for (const key of toDelete) {\r\n      try {\r\n        await cacheStore.delete(key);\r\n        trackedKeys.delete(key);\r\n      } catch (error) {\r\n        logger.warn(\r\n          `[DynamicPermissionMatrix] invalidateByOrg delete failed for '${key}': ${error instanceof Error ? error.message : String(error)}`,\r\n        );\r\n      }\r\n    }\r\n  }\r\n\r\n  function isActionAllowed(\r\n    actions: readonly string[] | undefined,\r\n    action: string,\r\n  ): boolean {\r\n    if (!actions || actions.length === 0) return false;\r\n    return actions.includes(\"*\") || actions.includes(action);\r\n  }\r\n\r\n  function roleAllows(\r\n    matrix: Record<string, Record<string, readonly string[]>>,\r\n    role: string,\r\n    resource: string,\r\n    action: string,\r\n  ): boolean {\r\n    const rolePermissions = matrix[role];\r\n    if (!rolePermissions) return false;\r\n    const resourceActions = rolePermissions[resource];\r\n    const wildcardResourceActions = rolePermissions[\"*\"];\r\n    return (\r\n      isActionAllowed(resourceActions, action) ||\r\n      isActionAllowed(wildcardResourceActions, action)\r\n    );\r\n  }\r\n\r\n  function buildDefaultCacheKey(\r\n    ctx: PermissionContext,\r\n    orgId?: string,\r\n    orgRoles?: string[],\r\n  ): string {\r\n    const userId = String(ctx.user?.id ?? ctx.user?._id ?? \"anon\");\r\n    const roles = (orgRoles ?? []).slice().sort().join(\",\");\r\n    return `${orgId ?? \"no-org\"}::${roles}::${userId}`;\r\n  }\r\n\r\n  async function resolveMatrix(\r\n    ctx: PermissionContext,\r\n    orgId?: string,\r\n    orgRoles?: string[],\r\n  ): Promise<Record<string, Record<string, readonly string[]>>> {\r\n    if (!cacheStore) {\r\n      return config.resolveRolePermissions(ctx);\r\n    }\r\n\r\n    const customKey = config.cache?.key?.(ctx);\r\n    const cacheKey = customKey ?? buildDefaultCacheKey(ctx, orgId, orgRoles);\r\n\r\n    if (!cacheKey) {\r\n      return config.resolveRolePermissions(ctx);\r\n    }\r\n\r\n    try {\r\n      const hit = await cacheStore.get(cacheKey);\r\n      if (hit) return hit;\r\n    } catch (error) {\r\n      logger.warn(\r\n        `[DynamicPermissionMatrix] Cache get failed for '${cacheKey}': ${error instanceof Error ? error.message : String(error)}`,\r\n      );\r\n    }\r\n\r\n    const value = await config.resolveRolePermissions(ctx);\r\n\r\n    try {\r\n      await cacheStore.set(cacheKey, value, { ttlMs: cacheTtlMs });\r\n      trackedKeys.add(cacheKey);\r\n\r\n      // Cap tracked keys to prevent unbounded memory growth\r\n      const maxTracked = config.cache?.maxEntries ?? 10_000;\r\n      if (trackedKeys.size > maxTracked) {\r\n        const overflow = trackedKeys.size - maxTracked;\r\n        const iter = trackedKeys.values();\r\n        for (let i = 0; i < overflow; i++) {\r\n          const oldest = iter.next().value;\r\n          if (oldest) trackedKeys.delete(oldest);\r\n        }\r\n      }\r\n    } catch (error) {\r\n      logger.warn(\r\n        `[DynamicPermissionMatrix] Cache set failed for '${cacheKey}': ${error instanceof Error ? error.message : String(error)}`,\r\n      );\r\n    }\r\n\r\n    return value;\r\n  }\r\n\r\n  function can(required: Record<string, readonly string[]>): PermissionCheck {\r\n    return async (ctx) => {\r\n      if (!ctx.user) {\r\n        return { granted: false, reason: \"Authentication required\" };\r\n      }\r\n\r\n      const scope = getScope(ctx.request);\r\n      if (isElevated(scope)) return true;\r\n\r\n      if (!isMember(scope)) {\r\n        return { granted: false, reason: \"Organization membership required\" };\r\n      }\r\n\r\n      const orgRoles = scope.orgRoles;\r\n      if (orgRoles.length === 0) {\r\n        return { granted: false, reason: \"Not a member of this organization\" };\r\n      }\r\n\r\n      let matrix: Record<string, Record<string, readonly string[]>>;\r\n      try {\r\n        matrix = await resolveMatrix(ctx, scope.organizationId, orgRoles);\r\n      } catch (error) {\r\n        const message = error instanceof Error ? error.message : String(error);\r\n        return {\r\n          granted: false,\r\n          reason: `Permission matrix resolution failed: ${message}`,\r\n        };\r\n      }\r\n\r\n      for (const [resource, actions] of Object.entries(required)) {\r\n        for (const action of actions) {\r\n          const granted = orgRoles.some((role) =>\r\n            roleAllows(matrix, role, resource, action),\r\n          );\r\n          if (!granted) {\r\n            return {\r\n              granted: false,\r\n              reason: `Missing permission: ${resource}:${action}`,\r\n            };\r\n          }\r\n        }\r\n      }\r\n\r\n      return true;\r\n    };\r\n  }\r\n\r\n  return {\r\n    can,\r\n    canAction(resource: string, action: string): PermissionCheck {\r\n      return can({ [resource]: [action] });\r\n    },\r\n    requireRole(...roles: string[]): PermissionCheck {\r\n      return requireOrgRole(roles);\r\n    },\r\n    requireMembership(): PermissionCheck {\r\n      return requireOrgMembership();\r\n    },\r\n    requireTeamMembership(): PermissionCheck {\r\n      return requireTeamMembership();\r\n    },\r\n    async invalidateByOrg(orgId: string): Promise<void> {\r\n      await localInvalidateByOrg(orgId);\r\n\r\n      // Publish cross-node invalidation event (fail-open)\r\n      if (eventBridge) {\r\n        try {\r\n          await eventBridge.publish(eventBridge.eventType, { orgId, nodeId });\r\n        } catch (error) {\r\n          logger.warn(\r\n            `[DynamicPermissionMatrix] Failed to publish invalidation event for org '${orgId}': ${error instanceof Error ? error.message : String(error)}`,\r\n          );\r\n        }\r\n      }\r\n    },\r\n    async clearCache(): Promise<void> {\r\n      if (!cacheStore) return;\r\n\r\n      if (cacheStore.clear) {\r\n        try {\r\n          await cacheStore.clear();\r\n          trackedKeys.clear();\r\n          return;\r\n        } catch (error) {\r\n          logger.warn(\r\n            `[DynamicPermissionMatrix] cacheStore.clear failed: ${error instanceof Error ? error.message : String(error)}`,\r\n          );\r\n        }\r\n      }\r\n\r\n      // Fallback for stores without clear(): delete known keys for this process.\r\n      for (const key of trackedKeys) {\r\n        try {\r\n          await cacheStore.delete(key);\r\n        } catch (error) {\r\n          logger.warn(\r\n            `[DynamicPermissionMatrix] Cache delete failed for '${key}': ${error instanceof Error ? error.message : String(error)}`,\r\n          );\r\n        }\r\n      }\r\n      trackedKeys.clear();\r\n    },\r\n\r\n    async connectEvents(\r\n      events: PermissionEventBus,\r\n      options?: ConnectEventsOptions,\r\n    ): Promise<void> {\r\n      // Disconnect previous connection if any (idempotent reconnect)\r\n      if (eventBridge) {\r\n        await this.disconnectEvents();\r\n      }\r\n\r\n      const eventType = options?.eventType ?? DEFAULT_EVENT_TYPE;\r\n\r\n      const unsubscribeFn = await events.subscribe(eventType, async (event) => {\r\n        const payload = event.payload as\r\n          | { orgId?: string; nodeId?: string }\r\n          | undefined;\r\n        if (!payload?.orgId) return;\r\n\r\n        // Echo dedup: skip events published by this node\r\n        if (payload.nodeId === nodeId) return;\r\n\r\n        // Clear local permission matrix cache (no re-publish)\r\n        await localInvalidateByOrg(payload.orgId);\r\n\r\n        // App-specific cleanup callback\r\n        if (options?.onRemoteInvalidation) {\r\n          try {\r\n            await options.onRemoteInvalidation(payload.orgId);\r\n          } catch (error) {\r\n            logger.warn(\r\n              `[DynamicPermissionMatrix] onRemoteInvalidation callback failed for org '${payload.orgId}': ${error instanceof Error ? error.message : String(error)}`,\r\n            );\r\n          }\r\n        }\r\n      });\r\n\r\n      eventBridge = {\r\n        publish: events.publish,\r\n        unsubscribe: typeof unsubscribeFn === \"function\" ? unsubscribeFn : null,\r\n        eventType,\r\n        onRemoteInvalidation: options?.onRemoteInvalidation,\r\n      };\r\n    },\r\n\r\n    async disconnectEvents(): Promise<void> {\r\n      if (!eventBridge) return;\r\n      try {\r\n        eventBridge.unsubscribe?.();\r\n      } catch (error) {\r\n        logger.warn(\r\n          `[DynamicPermissionMatrix] disconnectEvents unsubscribe failed: ${error instanceof Error ? error.message : String(error)}`,\r\n        );\r\n      }\r\n      eventBridge = null;\r\n    },\r\n\r\n    get eventsConnected(): boolean {\r\n      return eventBridge !== null;\r\n    },\r\n  };\r\n}\r\n\r\n// ============================================================================\r\n// Team Permission Helpers\r\n// ============================================================================\r\n\r\n/**\r\n * Require membership in the active team.\r\n * User must be authenticated, a member of the active org, AND have an active team.\r\n *\r\n * Better Auth teams are flat member groups (no team-level roles).\r\n * Reads `request.scope.teamId` set by the Better Auth adapter.\r\n *\r\n * @example\r\n * ```typescript\r\n * permissions: {\r\n *   list: requireTeamMembership(),\r\n *   create: requireTeamMembership(),\r\n * }\r\n * ```\r\n */\r\nexport function requireTeamMembership<TDoc = any>(): PermissionCheck<TDoc> {\r\n  const check: PermissionCheck<TDoc> = (ctx) => {\r\n    if (!ctx.user) {\r\n      return { granted: false, reason: \"Authentication required\" };\r\n    }\r\n\r\n    const scope = getScope(ctx.request);\r\n    if (isElevated(scope)) return true;\r\n\r\n    if (!isMember(scope)) {\r\n      return { granted: false, reason: \"Organization membership required\" };\r\n    }\r\n\r\n    const teamId = getTeamId(scope);\r\n    if (!teamId) {\r\n      return { granted: false, reason: \"No active team\" };\r\n    }\r\n\r\n    return true;\r\n  };\r\n  check._teamPermission = \"membership\";\r\n  return check;\r\n}\r\n"],"mappings":";;;;;;;;;;;;;;;;;;AAuKA,SAAgB,cAA+B;CAC7C,MAAM,cAA+B;AAErC,OAAM,YAAY;AAClB,QAAO;;;;;;;;;;;;;AAcT,SAAgB,cAA+B;CAC7C,MAAM,SAA0B,QAAQ;AACtC,MAAI,CAAC,IAAI,KACP,QAAO;GAAE,SAAS;GAAO,QAAQ;GAA2B;AAE9D,SAAO;;AAET,QAAO;;;;;;;;;;;;;;;;;;;;;AAsBT,SAAgB,aACd,OACA,SACiB;CACjB,MAAM,SAA0B,QAAQ;AACtC,MAAI,CAAC,IAAI,KACP,QAAO;GAAE,SAAS;GAAO,QAAQ;GAA2B;EAG9D,MAAM,YAAa,IAAI,KAAK,SAAS,EAAE;AAGvC,MAAI,SAAS,aAAa,MAAM,MAAM,UAAU,SAAS,EAAE,CAAC,CAC1D,QAAO;AAIT,MAAI,MAAM,MAAM,MAAM,UAAU,SAAS,EAAE,CAAC,CAC1C,QAAO;AAGT,SAAO;GACL,SAAS;GACT,QAAQ,mBAAmB,MAAM,KAAK,KAAK;GAC5C;;AAEH,OAAM,SAAS;AACf,QAAO;;;;;;;;;;;;;;;;;;AAmBT,SAAgB,iBACd,aAAmD,UACnD,SACuB;AACvB,SAAQ,QAAQ;AACd,MAAI,CAAC,IAAI,KACP,QAAO;GAAE,SAAS;GAAO,QAAQ;GAA2B;EAG9D,MAAM,YAAa,IAAI,KAAK,SAAS,EAAE;AAGvC,MAAI,SAAS,aAAa,MAAM,MAAM,UAAU,SAAS,EAAE,CAAC,CAC1D,QAAO;EAIT,MAAM,SAAS,IAAI,KAAK,MAAM,IAAI,KAAK;AACvC,MAAI,CAAC,OACH,QAAO;GAAE,SAAS;GAAO,QAAQ;GAAwC;AAE3E,SAAO;GACL,SAAS;GACT,SAAS,GAAG,aAAa,QAAQ;GAClC;;;;;;;;;;;;;;;;;AAkBL,SAAgB,MAAM,GAAG,QAA4C;AACnE,QAAO,OAAO,QAAQ;EACpB,IAAI,gBAAyC,EAAE;AAE/C,OAAK,MAAM,SAAS,QAAQ;GAC1B,MAAM,SAAS,MAAM,MAAM,IAAI;GAC/B,MAAM,aACJ,OAAO,WAAW,YAAY,EAAE,SAAS,QAAQ,GAAG;AAEtD,OAAI,CAAC,WAAW,QACd,QAAO;AAIT,OAAI,WAAW,QACb,iBAAgB;IAAE,GAAG;IAAe,GAAG,WAAW;IAAS;;AAI/D,SAAO;GACL,SAAS;GACT,SACE,OAAO,KAAK,cAAc,CAAC,SAAS,IAAI,gBAAgB;GAC3D;;;;;;;;;;;;;;;;AAiBL,SAAgB,MAAM,GAAG,QAA4C;AACnE,QAAO,OAAO,QAAQ;EACpB,MAAM,UAAoB,EAAE;AAE5B,OAAK,MAAM,SAAS,QAAQ;GAC1B,MAAM,SAAS,MAAM,MAAM,IAAI;GAC/B,MAAM,aACJ,OAAO,WAAW,YAAY,EAAE,SAAS,QAAQ,GAAG;AAEtD,OAAI,WAAW,QACb,QAAO;AAGT,OAAI,WAAW,OACb,SAAQ,KAAK,WAAW,OAAO;;AAInC,SAAO;GACL,SAAS;GACT,QAAQ,QAAQ,KAAK,KAAK;GAC3B;;;;;;;;;;;;;AAcL,SAAgB,QAAQ,SAAS,iBAAkC;AACjE,eAAc;EAAE,SAAS;EAAO;EAAQ;;;;;;;;;;;;AAa1C,SAAgB,KACd,WACuB;AACvB,QAAO,OAAO,QAAQ;EACpB,MAAM,SAAS,MAAM,UAAU,IAAI;AACnC,SAAO;GACL,SAAS;GACT,QAAQ,SAAS,SAAY;GAC9B;;;;AASL,SAAS,SAAS,SAAuC;AACvD,QAAO,QAAQ,SAAS;;;;;;;;;;;;;;;;AAiB1B,SAAgB,uBAA0D;CACxE,MAAM,SAAgC,QAAQ;AAC5C,MAAI,CAAC,IAAI,KACP,QAAO;GAAE,SAAS;GAAO,QAAQ;GAA2B;EAG9D,MAAM,QAAQ,SAAS,IAAI,QAAQ;AACnC,MAAI,WAAW,MAAM,CAAE,QAAO;AAC9B,MAAI,SAAS,MAAM,CAAE,QAAO;AAE5B,SAAO;GAAE,SAAS;GAAO,QAAQ;GAAoC;;AAEvE,OAAM,iBAAiB;AACvB,QAAO;;;;;;;;;;;;;;;;;AAkBT,SAAgB,eACd,GAAG,MACoB;CAEvB,MAAM,QAA2B,MAAM,QAAQ,KAAK,GAAG,GACnD,KAAK,KACJ;CAEL,MAAM,SAAgC,QAAQ;AAC5C,MAAI,CAAC,IAAI,KACP,QAAO;GAAE,SAAS;GAAO,QAAQ;GAA2B;EAG9D,MAAM,QAAQ,SAAS,IAAI,QAAQ;AACnC,MAAI,WAAW,MAAM,CAAE,QAAO;AAE9B,MAAI,CAAC,SAAS,MAAM,CAClB,QAAO;GAAE,SAAS;GAAO,QAAQ;GAAoC;AAGvE,MAAI,MAAM,MAAM,MAAM,MAAM,SAAS,SAAS,EAAE,CAAC,CAC/C,QAAO;AAGT,SAAO;GACL,SAAS;GACT,QAAQ,uBAAuB,MAAM,KAAK,KAAK;GAChD;;AAEH,OAAM,YAAY;AAClB,QAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA6BT,SAAgB,qBAAqB,QAQnC;CACA,MAAM,EAAE,OAAO,YAAY;CAE3B,SAAS,eACP,UACA,UACS;AAET,OAAK,MAAM,CAAC,UAAU,YAAY,OAAO,QAAQ,SAAS,CACxD,MAAK,MAAM,UAAU,QAKnB,KAAI,CAJY,SAAS,MAAM,SAAS;AAEtC,WADc,QAAQ,QAAQ,YAChB,SAAS,OAAO;IAC9B,CACY,QAAO;AAGzB,SAAO;;AAGT,QAAO;EACL,IAAI,aAAwD;AAC1D,WAAQ,QAAQ;AACd,QAAI,CAAC,IAAI,KACP,QAAO;KAAE,SAAS;KAAO,QAAQ;KAA2B;IAG9D,MAAM,QAAQ,SAAS,IAAI,QAAQ;AACnC,QAAI,WAAW,MAAM,CAAE,QAAO;AAE9B,QAAI,CAAC,SAAS,MAAM,CAClB,QAAO;KAAE,SAAS;KAAO,QAAQ;KAAoC;AAGvE,QAAI,eAAe,MAAM,UAAU,YAAY,CAC7C,QAAO;AAMT,WAAO;KACL,SAAS;KACT,QAAQ,wBALK,OAAO,QAAQ,YAAY,CACvC,KAAK,CAAC,GAAG,OAAO,GAAG,EAAE,IAAI,EAAE,KAAK,IAAI,CAAC,GAAG,CACxC,KAAK,KAAK;KAIZ;;;EAIL,YAAY,GAAG,OAAkC;AAC/C,UAAO,eAAe,MAAM;;EAG9B,oBAAqC;AACnC,UAAO,sBAAsB;;EAG/B,wBAAyC;AACvC,UAAO,uBAAuB;;EAEjC;;;;;;;;;;;;;;AAeH,SAAgB,8BACd,QACyB;CACzB,MAAM,SAAS,OAAO,UAAU;CAChC,MAAM,cAAc,OAAO,OAAO,SAAS;CAC3C,MAAM,mBAAmB,CAAC,CAAC,OAAO;CAClC,MAAM,aACJ,cAAc,IAAI,cAAc,mBAAmB,MAAU;CAE/D,MAAM,gBACJ,CAAC,OAAO,cAAc,aAAa,IAC/B,IAAI,iBACF;EACE,cAAc;EACd,YAAY,OAAO,OAAO,cAAc;EACzC,CACF,GACD;CAEN,MAAM,aAAa,OAAO,cAAc;CACxC,MAAM,8BAAc,IAAI,KAAa;CAGrC,MAAM,SAAS,YAAY,CAAC,MAAM,GAAG,EAAE;CACvC,MAAM,qBAAqB;CAS3B,IAAI,cAA0C;;CAG9C,eAAe,qBAAqB,OAA8B;AAChE,MAAI,CAAC,WAAY;EACjB,MAAM,SAAS,GAAG,MAAM;EACxB,MAAM,WAAqB,EAAE;AAC7B,OAAK,MAAM,OAAO,YAChB,KAAI,IAAI,WAAW,OAAO,CAAE,UAAS,KAAK,IAAI;AAEhD,OAAK,MAAM,OAAO,SAChB,KAAI;AACF,SAAM,WAAW,OAAO,IAAI;AAC5B,eAAY,OAAO,IAAI;WAChB,OAAO;AACd,UAAO,KACL,gEAAgE,IAAI,KAAK,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,GAChI;;;CAKP,SAAS,gBACP,SACA,QACS;AACT,MAAI,CAAC,WAAW,QAAQ,WAAW,EAAG,QAAO;AAC7C,SAAO,QAAQ,SAAS,IAAI,IAAI,QAAQ,SAAS,OAAO;;CAG1D,SAAS,WACP,QACA,MACA,UACA,QACS;EACT,MAAM,kBAAkB,OAAO;AAC/B,MAAI,CAAC,gBAAiB,QAAO;EAC7B,MAAM,kBAAkB,gBAAgB;EACxC,MAAM,0BAA0B,gBAAgB;AAChD,SACE,gBAAgB,iBAAiB,OAAO,IACxC,gBAAgB,yBAAyB,OAAO;;CAIpD,SAAS,qBACP,KACA,OACA,UACQ;EACR,MAAM,SAAS,OAAO,IAAI,MAAM,MAAM,IAAI,MAAM,OAAO,OAAO;EAC9D,MAAM,SAAS,YAAY,EAAE,EAAE,OAAO,CAAC,MAAM,CAAC,KAAK,IAAI;AACvD,SAAO,GAAG,SAAS,SAAS,IAAI,MAAM,IAAI;;CAG5C,eAAe,cACb,KACA,OACA,UAC4D;AAC5D,MAAI,CAAC,WACH,QAAO,OAAO,uBAAuB,IAAI;EAI3C,MAAM,WADY,OAAO,OAAO,MAAM,IAAI,IACZ,qBAAqB,KAAK,OAAO,SAAS;AAExE,MAAI,CAAC,SACH,QAAO,OAAO,uBAAuB,IAAI;AAG3C,MAAI;GACF,MAAM,MAAM,MAAM,WAAW,IAAI,SAAS;AAC1C,OAAI,IAAK,QAAO;WACT,OAAO;AACd,UAAO,KACL,mDAAmD,SAAS,KAAK,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,GACxH;;EAGH,MAAM,QAAQ,MAAM,OAAO,uBAAuB,IAAI;AAEtD,MAAI;AACF,SAAM,WAAW,IAAI,UAAU,OAAO,EAAE,OAAO,YAAY,CAAC;AAC5D,eAAY,IAAI,SAAS;GAGzB,MAAM,aAAa,OAAO,OAAO,cAAc;AAC/C,OAAI,YAAY,OAAO,YAAY;IACjC,MAAM,WAAW,YAAY,OAAO;IACpC,MAAM,OAAO,YAAY,QAAQ;AACjC,SAAK,IAAI,IAAI,GAAG,IAAI,UAAU,KAAK;KACjC,MAAM,SAAS,KAAK,MAAM,CAAC;AAC3B,SAAI,OAAQ,aAAY,OAAO,OAAO;;;WAGnC,OAAO;AACd,UAAO,KACL,mDAAmD,SAAS,KAAK,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,GACxH;;AAGH,SAAO;;CAGT,SAAS,IAAI,UAA8D;AACzE,SAAO,OAAO,QAAQ;AACpB,OAAI,CAAC,IAAI,KACP,QAAO;IAAE,SAAS;IAAO,QAAQ;IAA2B;GAG9D,MAAM,QAAQ,SAAS,IAAI,QAAQ;AACnC,OAAI,WAAW,MAAM,CAAE,QAAO;AAE9B,OAAI,CAAC,SAAS,MAAM,CAClB,QAAO;IAAE,SAAS;IAAO,QAAQ;IAAoC;GAGvE,MAAM,WAAW,MAAM;AACvB,OAAI,SAAS,WAAW,EACtB,QAAO;IAAE,SAAS;IAAO,QAAQ;IAAqC;GAGxE,IAAI;AACJ,OAAI;AACF,aAAS,MAAM,cAAc,KAAK,MAAM,gBAAgB,SAAS;YAC1D,OAAO;AAEd,WAAO;KACL,SAAS;KACT,QAAQ,wCAHM,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM;KAIrE;;AAGH,QAAK,MAAM,CAAC,UAAU,YAAY,OAAO,QAAQ,SAAS,CACxD,MAAK,MAAM,UAAU,QAInB,KAAI,CAHY,SAAS,MAAM,SAC7B,WAAW,QAAQ,MAAM,UAAU,OAAO,CAC3C,CAEC,QAAO;IACL,SAAS;IACT,QAAQ,uBAAuB,SAAS,GAAG;IAC5C;AAKP,UAAO;;;AAIX,QAAO;EACL;EACA,UAAU,UAAkB,QAAiC;AAC3D,UAAO,IAAI,GAAG,WAAW,CAAC,OAAO,EAAE,CAAC;;EAEtC,YAAY,GAAG,OAAkC;AAC/C,UAAO,eAAe,MAAM;;EAE9B,oBAAqC;AACnC,UAAO,sBAAsB;;EAE/B,wBAAyC;AACvC,UAAO,uBAAuB;;EAEhC,MAAM,gBAAgB,OAA8B;AAClD,SAAM,qBAAqB,MAAM;AAGjC,OAAI,YACF,KAAI;AACF,UAAM,YAAY,QAAQ,YAAY,WAAW;KAAE;KAAO;KAAQ,CAAC;YAC5D,OAAO;AACd,WAAO,KACL,2EAA2E,MAAM,KAAK,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,GAC7I;;;EAIP,MAAM,aAA4B;AAChC,OAAI,CAAC,WAAY;AAEjB,OAAI,WAAW,MACb,KAAI;AACF,UAAM,WAAW,OAAO;AACxB,gBAAY,OAAO;AACnB;YACO,OAAO;AACd,WAAO,KACL,sDAAsD,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,GAC7G;;AAKL,QAAK,MAAM,OAAO,YAChB,KAAI;AACF,UAAM,WAAW,OAAO,IAAI;YACrB,OAAO;AACd,WAAO,KACL,sDAAsD,IAAI,KAAK,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,GACtH;;AAGL,eAAY,OAAO;;EAGrB,MAAM,cACJ,QACA,SACe;AAEf,OAAI,YACF,OAAM,KAAK,kBAAkB;GAG/B,MAAM,YAAY,SAAS,aAAa;GAExC,MAAM,gBAAgB,MAAM,OAAO,UAAU,WAAW,OAAO,UAAU;IACvE,MAAM,UAAU,MAAM;AAGtB,QAAI,CAAC,SAAS,MAAO;AAGrB,QAAI,QAAQ,WAAW,OAAQ;AAG/B,UAAM,qBAAqB,QAAQ,MAAM;AAGzC,QAAI,SAAS,qBACX,KAAI;AACF,WAAM,QAAQ,qBAAqB,QAAQ,MAAM;aAC1C,OAAO;AACd,YAAO,KACL,2EAA2E,QAAQ,MAAM,KAAK,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,GACrJ;;KAGL;AAEF,iBAAc;IACZ,SAAS,OAAO;IAChB,aAAa,OAAO,kBAAkB,aAAa,gBAAgB;IACnE;IACA,sBAAsB,SAAS;IAChC;;EAGH,MAAM,mBAAkC;AACtC,OAAI,CAAC,YAAa;AAClB,OAAI;AACF,gBAAY,eAAe;YACpB,OAAO;AACd,WAAO,KACL,kEAAkE,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,GACzH;;AAEH,iBAAc;;EAGhB,IAAI,kBAA2B;AAC7B,UAAO,gBAAgB;;EAE1B;;;;;;;;;;;;;;;;;AAsBH,SAAgB,wBAA2D;CACzE,MAAM,SAAgC,QAAQ;AAC5C,MAAI,CAAC,IAAI,KACP,QAAO;GAAE,SAAS;GAAO,QAAQ;GAA2B;EAG9D,MAAM,QAAQ,SAAS,IAAI,QAAQ;AACnC,MAAI,WAAW,MAAM,CAAE,QAAO;AAE9B,MAAI,CAAC,SAAS,MAAM,CAClB,QAAO;GAAE,SAAS;GAAO,QAAQ;GAAoC;AAIvE,MAAI,CADW,UAAU,MAAM,CAE7B,QAAO;GAAE,SAAS;GAAO,QAAQ;GAAkB;AAGrD,SAAO;;AAET,OAAM,kBAAkB;AACxB,QAAO"}