npm - @classytic/arc - Versions diffs - 2.6.2 → 2.7.1 - Mend

@classytic/arc 2.6.2 → 2.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (135) hide show

package/README.md +95 -1
package/dist/{BaseController-AbbRx3e0.mjs → BaseController-CpMfCXdn.mjs} +214 -16
package/dist/adapters/index.d.mts +2 -2
package/dist/adapters/index.mjs +1 -1
package/dist/{adapters-CTn28N4y.mjs → adapters-BxGgSHjj.mjs} +7 -13
package/dist/applyPermissionResult-D6GPMsvh.mjs +37 -0
package/dist/audit/index.d.mts +1 -1
package/dist/audit/index.mjs +1 -1
package/dist/audit/mongodb.d.mts +1 -1
package/dist/audit/mongodb.mjs +1 -1
package/dist/auth/index.d.mts +4 -4
package/dist/auth/index.mjs +7 -6
package/dist/auth/mongoose.d.mts +191 -0
package/dist/auth/mongoose.mjs +73 -0
package/dist/auth/redis-session.d.mts +1 -1
package/dist/{betterAuthOpenApi-lz0IRbXJ.mjs → betterAuthOpenApi-CCw3YX0g.mjs} +1 -1
package/dist/cache/index.d.mts +2 -2
package/dist/cache/index.mjs +2 -2
package/dist/cli/commands/docs.mjs +2 -2
package/dist/cli/commands/generate.mjs +1 -1
package/dist/cli/commands/init.mjs +7 -5
package/dist/cli/commands/introspect.mjs +1 -1
package/dist/core/index.d.mts +3 -3
package/dist/core/index.mjs +4 -4
package/dist/{core-C1XCMtqM.mjs → core-BWekSEju.mjs} +41 -13
package/dist/{createApp-D2w0LdYJ.mjs → createApp-B_nvKNAQ.mjs} +11 -11
package/dist/{defineResource-Ckxg6HrZ.mjs → defineResource-DZzyl4a4.mjs} +73 -56
package/dist/docs/index.d.mts +2 -2
package/dist/docs/index.mjs +1 -1
package/dist/dynamic/index.d.mts +2 -2
package/dist/dynamic/index.mjs +2 -2
package/dist/{elevation-BEdACOLB.mjs → elevation-By_p2lnn.mjs} +1 -1
package/dist/elevation-Dm-HTBCt.d.mts +23 -0
package/dist/{errorHandler-Do4vVQ1f.d.mts → errorHandler-COa51ho_.d.mts} +1 -1
package/dist/{errorHandler-r2595m8T.mjs → errorHandler-DXUttWEO.mjs} +1 -1
package/dist/{eventPlugin-DW45v4V5.d.mts → eventPlugin-BgLxJkIB.d.mts} +1 -1
package/dist/{eventPlugin-Ba00swHF.mjs → eventPlugin-DsaNNXzZ.mjs} +1 -1
package/dist/events/index.d.mts +3 -3
package/dist/events/index.mjs +1 -1
package/dist/events/transports/redis-stream-entry.d.mts +1 -1
package/dist/events/transports/redis.d.mts +1 -1
package/dist/factory/index.d.mts +1 -1
package/dist/factory/index.mjs +1 -1
package/dist/hooks/index.d.mts +1 -1
package/dist/hooks/index.mjs +1 -1
package/dist/idempotency/index.d.mts +3 -3
package/dist/idempotency/mongodb.d.mts +1 -1
package/dist/idempotency/redis.d.mts +1 -1
package/dist/index-BYpRGXif.d.mts +640 -0
package/dist/{index-B4uZm82R.d.mts → index-KXM8_JmQ.d.mts} +47 -4
package/dist/{index-DrCqa3Jq.d.mts → index-StgFaQKD.d.mts} +3 -3
package/dist/index.d.mts +8 -8
package/dist/index.mjs +10 -9
package/dist/integrations/event-gateway.d.mts +1 -1
package/dist/integrations/event-gateway.mjs +1 -1
package/dist/integrations/index.d.mts +1 -1
package/dist/integrations/mcp/index.d.mts +2 -2
package/dist/integrations/mcp/index.mjs +1 -1
package/dist/integrations/mcp/testing.d.mts +1 -1
package/dist/integrations/mcp/testing.mjs +1 -1
package/dist/{interface-CrN45qz1.d.mts → interface-Dwzqt4mn.d.mts} +204 -18
package/dist/{mongodb-pMvOlR5_.d.mts → mongodb-Bq90j-Uj.d.mts} +1 -1
package/dist/{mongodb-kltrBPa1.d.mts → mongodb-DdyYlIXg.d.mts} +1 -1
package/dist/{openapi-CBmZ6EQN.mjs → openapi-C5UhIeWu.mjs} +1 -1
package/dist/org/index.d.mts +2 -2
package/dist/org/index.mjs +1 -1
package/dist/permissions/index.d.mts +4 -4
package/dist/permissions/index.mjs +3 -2
package/dist/{permissions-C8ImI8gC.mjs → permissions-CH4cNwJi.mjs} +358 -64
package/dist/plugins/index.d.mts +4 -4
package/dist/plugins/index.mjs +10 -10
package/dist/plugins/response-cache.mjs +1 -1
package/dist/plugins/tracing-entry.d.mts +1 -1
package/dist/plugins/tracing-entry.mjs +1 -1
package/dist/policies/index.d.mts +1 -1
package/dist/presets/index.d.mts +3 -3
package/dist/presets/index.mjs +1 -1
package/dist/presets/multiTenant.d.mts +53 -3
package/dist/presets/multiTenant.mjs +89 -47
package/dist/{presets-BMfdy34e.mjs → presets-BFrGvvjL.mjs} +2 -2
package/dist/{queryCachePlugin-DcmETvcB.d.mts → queryCachePlugin-Bw8XyJpX.d.mts} +1 -1
package/dist/{queryCachePlugin-XtFplYO9.mjs → queryCachePlugin-CwTpR04-.mjs} +2 -2
package/dist/{redis-D0Qc-9EW.d.mts → redis-CyCntzTO.d.mts} +1 -1
package/dist/{redis-stream-BW9UKLZM.d.mts → redis-stream-We_Ucl9-.d.mts} +1 -1
package/dist/registry/index.d.mts +1 -1
package/dist/registry/index.mjs +2 -2
package/dist/{resourceToTools-DH3c3e-T.mjs → resourceToTools-CkVSSzKg.mjs} +313 -33
package/dist/rpc/index.d.mts +1 -1
package/dist/rpc/index.mjs +1 -1
package/dist/scope/index.d.mts +3 -2
package/dist/scope/index.mjs +4 -3
package/dist/{sse-BF7GR7IB.mjs → sse-Bp3dabF1.mjs} +2 -2
package/dist/testing/index.d.mts +2 -2
package/dist/testing/index.mjs +1 -1
package/dist/types/index.d.mts +4 -3
package/dist/types/index.mjs +1 -1
package/dist/types-AOD8fxIw.mjs +229 -0
package/dist/types-CNEbix8T.d.mts +286 -0
package/dist/{types-DurlBP2N.d.mts → types-ClmkMDK1.d.mts} +1 -1
package/dist/{types-C1Z28coa.d.mts → types-D0qf0Mf4.d.mts} +9 -9
package/dist/types-DPsC0taJ.d.mts +178 -0
package/dist/utils/index.d.mts +3 -3
package/dist/utils/index.mjs +5 -5
package/package.json +34 -22
package/skills/arc/SKILL.md +278 -6
package/skills/arc/references/multi-tenancy.md +208 -0
package/dist/elevation-C_taLQrM.d.mts +0 -147
package/dist/index-NGZksqM5.d.mts +0 -398
package/dist/types-BNUccdcf.d.mts +0 -101
package/dist/types-BhtYdxZU.mjs +0 -91
/package/dist/{EventTransport-wc5hSLik.d.mts → EventTransport-CUpRK_Lg.d.mts} +0 -0
/package/dist/{HookSystem-COkyWztM.mjs → HookSystem-D7lfx--K.mjs} +0 -0
/package/dist/{ResourceRegistry-C6ngvOnn.mjs → ResourceRegistry-DsHiG9cL.mjs} +0 -0
/package/dist/{caching-BSXB-Xr7.mjs → caching-5DtLwIqb.mjs} +0 -0
/package/dist/{circuitBreaker-JP2GdJ4b.d.mts → circuitBreaker-DwxrljLB.d.mts} +0 -0
/package/dist/{circuitBreaker-BOBOpN2w.mjs → circuitBreaker-l18oRgL5.mjs} +0 -0
/package/dist/{errors-CcVbl1-T.d.mts → errors-CCSsMpXE.d.mts} +0 -0
/package/dist/{errors-NoQKsbAT.mjs → errors-Cg58SLNi.mjs} +0 -0
/package/dist/{externalPaths-DpO-s7r8.d.mts → externalPaths-Dg7OLsKo.d.mts} +0 -0
/package/dist/{fields-DFwdaWCq.d.mts → fields-CYuLMJPD.d.mts} +0 -0
/package/dist/{interface-gr-7qo9j.d.mts → interface-B9rHWPxD.d.mts} +0 -0
/package/dist/{interface-D_BWALyZ.d.mts → interface-CnluRL4_.d.mts} +0 -0
/package/dist/{logger-Dz3j1ItV.mjs → logger-DLg8-Ueg.mjs} +0 -0
/package/dist/{memory-BFAYkf8H.mjs → memory-Cp7_cAko.mjs} +0 -0
/package/dist/{metrics-Csh4nsvv.mjs → metrics-Qnvwc-LQ.mjs} +0 -0
/package/dist/{mongodb-BuQ7fNTg.mjs → mongodb-mlgxkYI3.mjs} +0 -0
/package/dist/{pluralize-CcT6qF0a.mjs → pluralize-COpOVar8.mjs} +0 -0
/package/dist/{registry-I-ogLgL9.mjs → registry-B3lRFBWo.mjs} +0 -0
/package/dist/{requestContext-DYtmNpm5.mjs → requestContext-xHIKedG6.mjs} +0 -0
/package/dist/{schemaConverter-DjzHpFam.mjs → schemaConverter-0TyONAwM.mjs} +0 -0
/package/dist/{sessionManager-wbkYj2HL.d.mts → sessionManager-IW4sbIea.d.mts} +0 -0
/package/dist/{tracing-bz_U4EM1.d.mts → tracing-65B51Dw3.d.mts} +0 -0
/package/dist/{typeGuards-Cj5Rgvlg.mjs → typeGuards-CcFZXgU7.mjs} +0 -0
/package/dist/{utils-Dc0WhlIl.mjs → utils-B-l6410F.mjs} +0 -0
/package/dist/{versioning-BzfeHmhj.mjs → versioning-aUUVziBY.mjs} +0 -0

package/dist/elevation-C_taLQrM.d.mts DELETED Viewed

@@ -1,147 +0,0 @@
-import { FastifyPluginAsync, FastifyRequest } from "fastify";
-//#region src/scope/types.d.ts
-/**
- * Request Scope — The One Standard
- *
- * Discriminated union representing the access context of every request.
- * Replaces scattered orgScope/orgRoles/organizationId/bypassRoles.
- *
- * Set once by auth adapters, read everywhere by permissions/presets/guards.
- *
- * @example
- * ```typescript
- * // In a permission check
- * const scope = request.scope;
- * if (isElevated(scope)) return true;
- * if (isMember(scope) && scope.orgRoles.includes('admin')) return true;
- *
- * // Get user identity from scope
- * const userId = getUserId(scope);
- * const globalRoles = getUserRoles(scope);
- * ```
- */
-/**
- * Request scope — 4 kinds, 4 states, no ambiguity.
- *
- * | Kind          | Meaning                           |
- * |---------------|-----------------------------------|
- * | public        | No authentication                 |
- * | authenticated | Logged in, no org context          |
- * | member        | In an org with specific roles      |
- * | elevated      | Platform admin, explicit elevation |
- *
- * `userId` and `userRoles` are available on all authenticated variants.
- * `orgRoles` are org-level roles (from membership); `userRoles` are global roles (from user document).
- */
-type RequestScope = {
-  kind: "public";
-} | {
-  kind: "authenticated";
-  userId?: string;
-  userRoles?: string[];
-} | {
-  kind: "member";
-  userId?: string;
-  userRoles: string[];
-  organizationId: string;
-  orgRoles: string[];
-  teamId?: string;
-} | {
-  kind: "elevated";
-  userId?: string;
-  organizationId?: string;
-  elevatedBy: string;
-};
-/** Check if scope is `member` kind */
-declare function isMember(scope: RequestScope): scope is Extract<RequestScope, {
-  kind: "member";
-}>;
-/** Check if scope is `elevated` kind */
-declare function isElevated(scope: RequestScope): scope is Extract<RequestScope, {
-  kind: "elevated";
-}>;
-/** Check if scope has org access (member OR elevated) */
-declare function hasOrgAccess(scope: RequestScope): boolean;
-/** Check if request is authenticated (any kind except public) */
-declare function isAuthenticated(scope: RequestScope): boolean;
-/** Get organizationId from scope (if present) */
-declare function getOrgId(scope: RequestScope): string | undefined;
-/** Get org roles from scope (empty array if not a member) */
-declare function getOrgRoles(scope: RequestScope): string[];
-/** Get team ID from scope (only available on member kind) */
-declare function getTeamId(scope: RequestScope): string | undefined;
-/**
- * Get userId from scope (available on authenticated, member, elevated).
- *
- * @example
- * ```typescript
- * import { getUserId } from '@classytic/arc/scope';
- * const userId = getUserId(request.scope);
- * ```
- */
-declare function getUserId(scope: RequestScope): string | undefined;
-/**
- * Get global user roles from scope (available on authenticated and member).
- * These are user-level roles (e.g. superadmin, finance-admin) distinct from
- * org-level roles (scope.orgRoles).
- *
- * @example
- * ```typescript
- * import { getUserRoles } from '@classytic/arc/scope';
- * const globalRoles = getUserRoles(request.scope);
- * ```
- */
-declare function getUserRoles(scope: RequestScope): string[];
-/**
- * Org context — canonical extraction from a Fastify request.
- *
- * Works regardless of auth type (JWT, Better Auth, custom) by reading
- * `request.scope` and `request.user`. Eliminates the need for each resource
- * to re-invent org extraction from headers/user/scope.
- *
- * @example
- * ```typescript
- * import { getOrgContext } from '@classytic/arc/scope';
- *
- * handler: async (request, reply) => {
- *   const { userId, organizationId, roles, orgRoles } = getOrgContext(request);
- * }
- * ```
- */
-declare function getOrgContext(request: {
-  scope?: RequestScope;
-  user?: Record<string, unknown> | null;
-  headers?: Record<string, string | string[] | undefined>;
-}): {
-  userId: string | undefined;
-  organizationId: string | undefined;
-  roles: string[];
-  orgRoles: string[];
-};
-/** Default public scope — used as initial decoration value */
-declare const PUBLIC_SCOPE: Readonly<RequestScope>;
-/** Default authenticated scope — used when user is logged in but no org */
-declare const AUTHENTICATED_SCOPE: Readonly<RequestScope>;
-//#endregion
-//#region src/scope/elevation.d.ts
-interface ElevationOptions {
-  /** Roles that can use elevation (default: ['superadmin']) */
-  platformRoles?: string[];
-  /** Header name for scope declaration (default: 'x-arc-scope') */
-  scopeHeader?: string;
-  /** Header name for target organization (default: 'x-organization-id') */
-  orgHeader?: string;
-  /** Called when elevation happens — use for audit logging */
-  onElevation?: (event: ElevationEvent) => void | Promise<void>;
-}
-interface ElevationEvent {
-  userId: string;
-  organizationId?: string;
-  request: FastifyRequest;
-  timestamp: Date;
-}
-declare const elevationPlugin: FastifyPluginAsync<ElevationOptions>;
-declare const _default: FastifyPluginAsync<ElevationOptions>;
-//#endregion
-export { isMember as _, AUTHENTICATED_SCOPE as a, getOrgContext as c, getTeamId as d, getUserId as f, isElevated as g, isAuthenticated as h, elevationPlugin as i, getOrgId as l, hasOrgAccess as m, ElevationOptions as n, PUBLIC_SCOPE as o, getUserRoles as p, _default as r, RequestScope as s, ElevationEvent as t, getOrgRoles as u };

package/dist/index-NGZksqM5.d.mts DELETED Viewed

@@ -1,398 +0,0 @@
-import { n as PermissionContext, t as PermissionCheck } from "./types-BNUccdcf.mjs";
-import { i as CacheStore, t as CacheLogger } from "./interface-D_BWALyZ.mjs";
-//#region src/permissions/roleHierarchy.d.ts
-/**
- * Role Hierarchy — Composable RBAC Inheritance
- *
- * Expands roles based on an inheritance map. Apply at scope-building time
- * so that requireRoles() works with the already-expanded list.
- *
- * @example
- * ```typescript
- * import { createRoleHierarchy } from '@classytic/arc/permissions';
- *
- * const hierarchy = createRoleHierarchy({
- *   superadmin: ['admin'],
- *   admin: ['branch_manager'],
- *   branch_manager: ['member'],
- * });
- *
- * // When building scope:
- * const expandedRoles = hierarchy.expand(user.roles);
- * // ['superadmin'] → ['superadmin', 'admin', 'branch_manager', 'member']
- *
- * // Check inclusion:
- * hierarchy.includes(['admin'], 'branch_manager'); // true (admin inherits branch_manager)
- * hierarchy.includes(['member'], 'admin');          // false (child doesn't inherit parent)
- * ```
- */
-interface RoleHierarchy {
-  /** Expand roles to include all inherited (child) roles. Deduplicated. */
-  expand(roles: readonly string[]): string[];
-  /** Check if any of the user's roles (expanded) include the required role. */
-  includes(userRoles: readonly string[], requiredRole: string): boolean;
-}
-/**
- * Create a role hierarchy from a parent → children map.
- *
- * Each key is a parent role, each value is the array of roles it inherits.
- * Inheritance is transitive: if A → B and B → C, then A expands to [A, B, C].
- * Circular references are handled safely (visited set).
- */
-declare function createRoleHierarchy(map: Record<string, readonly string[]>): RoleHierarchy;
-declare namespace presets_d_exports {
-  export { adminOnly, authenticated, fullPublic, ownerWithAdminBypass, publicRead, publicReadAdminWrite, readOnly };
-}
-/**
- * ResourcePermissions shape — matches the type in types/index.ts
- */
-interface ResourcePermissions<TDoc = any> {
-  list?: PermissionCheck<TDoc>;
-  get?: PermissionCheck<TDoc>;
-  create?: PermissionCheck<TDoc>;
-  update?: PermissionCheck<TDoc>;
-  delete?: PermissionCheck<TDoc>;
-}
-type PermissionOverrides<TDoc = any> = Partial<ResourcePermissions<TDoc>>;
-/**
- * Public read, authenticated write.
- * list + get = allowPublic(), create + update + delete = requireAuth()
- */
-declare function publicRead<TDoc = any>(overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
-/**
- * Public read, admin write.
- * list + get = allowPublic(), create + update + delete = requireRoles(['admin'])
- */
-declare function publicReadAdminWrite<TDoc = any>(roles?: readonly string[], overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
-/**
- * All operations require authentication.
- */
-declare function authenticated<TDoc = any>(overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
-/**
- * All operations require specific roles.
- * @param roles - Required roles (user needs at least one). Default: ['admin']
- */
-declare function adminOnly<TDoc = any>(roles?: readonly string[], overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
-/**
- * Owner-scoped with admin bypass.
- * list = auth (scoped to owner), get = auth, create = auth,
- * update + delete = ownership check with admin bypass.
- *
- * @param ownerField - Field containing owner ID (default: 'userId')
- * @param bypassRoles - Roles that bypass ownership check (default: ['admin'])
- */
-declare function ownerWithAdminBypass<TDoc = any>(ownerField?: Extract<keyof TDoc, string> | string, bypassRoles?: readonly string[], overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
-/**
- * Full public access — no auth required for any operation.
- * Use sparingly (dev/testing, truly public APIs).
- */
-declare function fullPublic<TDoc = any>(overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
-/**
- * Read-only: list + get authenticated, write operations denied.
- * Useful for computed/derived resources.
- */
-declare function readOnly<TDoc = any>(overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
-//#endregion
-//#region src/permissions/index.d.ts
-interface DynamicPermissionMatrixConfig {
-  /**
-   * Resolve role → resource → actions map dynamically (DB/API/config service).
-   * Called at permission-check time (or cache miss if cache enabled).
-   */
-  resolveRolePermissions: (ctx: PermissionContext) => Record<string, Record<string, readonly string[]>> | Promise<Record<string, Record<string, readonly string[]>>>;
-  /**
-   * Optional cache store adapter.
-   * Use MemoryCacheStore for single-instance apps or RedisCacheStore for distributed setups.
-   */
-  cacheStore?: CacheStore<Record<string, Record<string, readonly string[]>>>;
-  /** Optional logger for cache/runtime failures (default: console) */
-  logger?: CacheLogger;
-  /**
-   * Legacy convenience in-memory cache config.
-   * If `cacheStore` is not provided and ttlMs > 0, Arc creates an internal MemoryCacheStore.
-   */
-  cache?: {
-    /** Cache TTL in milliseconds */ttlMs: number; /** Optional custom cache key builder */
-    key?: (ctx: PermissionContext) => string | null | undefined; /** Hard entry cap for internal memory store (default: 1000) */
-    maxEntries?: number;
-  };
-}
-/** Minimal publish/subscribe interface for cross-node cache invalidation. */
-interface PermissionEventBus {
-  publish: <T>(type: string, payload: T) => Promise<void>;
-  subscribe: (pattern: string, handler: (event: {
-    payload: unknown;
-  }) => void | Promise<void>) => Promise<(() => void) | undefined>;
-}
-interface ConnectEventsOptions {
-  /** Called on remote invalidation for app-specific cleanup (e.g., resolver cache) */
-  onRemoteInvalidation?: (orgId: string) => void | Promise<void>;
-  /** Custom event type (default: 'arc.permissions.invalidated') */
-  eventType?: string;
-}
-interface DynamicPermissionMatrix {
-  can: (permissions: Record<string, readonly string[]>) => PermissionCheck;
-  canAction: (resource: string, action: string) => PermissionCheck;
-  requireRole: (...roles: string[]) => PermissionCheck;
-  requireMembership: () => PermissionCheck;
-  requireTeamMembership: () => PermissionCheck;
-  /** Invalidate cached permissions for a specific organization */
-  invalidateByOrg: (orgId: string) => Promise<void>;
-  clearCache: () => Promise<void>;
-  /**
-   * Connect to an event system for cross-node cache invalidation.
-   *
-   * Late-binding: call after the event plugin is registered (e.g., in onReady hook).
-   * Once connected, `invalidateByOrg()` auto-publishes an event, and incoming
-   * events from other nodes trigger local cache invalidation.
-   * Echo is suppressed via per-process nodeId matching.
-   */
-  connectEvents(events: PermissionEventBus, options?: ConnectEventsOptions): Promise<void>;
-  /** Disconnect from the event system. Safe to call even if never connected. */
-  disconnectEvents(): Promise<void>;
-  /** Whether events are currently connected. */
-  readonly eventsConnected: boolean;
-}
-/**
- * Allow public access (no authentication required)
- *
- * @example
- * ```typescript
- * permissions: {
- *   list: allowPublic(),
- *   get: allowPublic(),
- * }
- * ```
- */
-declare function allowPublic(): PermissionCheck;
-/**
- * Require authentication (any authenticated user)
- *
- * @example
- * ```typescript
- * permissions: {
- *   create: requireAuth(),
- *   update: requireAuth(),
- * }
- * ```
- */
-declare function requireAuth(): PermissionCheck;
-/**
- * Require specific roles
- *
- * @param roles - Required roles (user needs at least one)
- * @param options - Optional bypass roles
- *
- * @example
- * ```typescript
- * permissions: {
- *   create: requireRoles(['admin', 'editor']),
- *   delete: requireRoles(['admin']),
- * }
- *
- * // With bypass roles
- * permissions: {
- *   update: requireRoles(['owner'], { bypassRoles: ['admin', 'superadmin'] }),
- * }
- * ```
- */
-declare function requireRoles(roles: readonly string[], options?: {
-  bypassRoles?: readonly string[];
-  /**
-   * Also check org membership roles (`scope.orgRoles`) when in org context.
-   * Default: `false` — only checks platform roles (`user.role`).
-   *
-   * Set to `true` when using Better Auth organization plugin where roles like
-   * 'admin' are assigned at the org level, not the user level.
-   *
-   * For org-only role checks, prefer `requireOrgRole('admin')` instead.
-   */
-  includeOrgRoles?: boolean;
-}): PermissionCheck;
-/**
- * Unified role check — checks both platform roles AND org roles.
- *
- * This is the recommended helper for Better Auth organization plugin users.
- * It checks `user.role` (platform) first, then `scope.orgRoles` (org membership).
- * Elevated scope always passes.
- *
- * For platform-only checks: use `requireRoles(['admin'])`
- * For org-only checks: use `requireOrgRole('admin')`
- *
- * @example
- * ```typescript
- * permissions: {
- *   create: roles('admin', 'editor'),  // passes if user has role at either level
- *   delete: roles('admin'),
- * }
- * ```
- */
-declare function roles(...args: string[] | [readonly string[]]): PermissionCheck;
-/**
- * Require resource ownership
- *
- * Returns filters to scope queries to user's owned resources.
- *
- * @param ownerField - Field containing owner ID (default: 'userId')
- * @param options - Optional bypass roles
- *
- * @example
- * ```typescript
- * permissions: {
- *   update: requireOwnership('userId'),
- *   delete: requireOwnership('createdBy', { bypassRoles: ['admin'] }),
- * }
- * ```
- */
-declare function requireOwnership<TDoc = Record<string, unknown>>(ownerField?: Extract<keyof TDoc, string> | string, options?: {
-  bypassRoles?: readonly string[];
-}): PermissionCheck<TDoc>;
-/**
- * Combine multiple checks - ALL must pass (AND logic)
- *
- * @example
- * ```typescript
- * permissions: {
- *   update: allOf(
- *     requireAuth(),
- *     requireRoles(['editor']),
- *     requireOwnership('createdBy')
- *   ),
- * }
- * ```
- */
-declare function allOf(...checks: PermissionCheck[]): PermissionCheck;
-/**
- * Combine multiple checks - ANY must pass (OR logic)
- *
- * @example
- * ```typescript
- * permissions: {
- *   update: anyOf(
- *     requireRoles(['admin']),
- *     requireOwnership('createdBy')
- *   ),
- * }
- * ```
- */
-declare function anyOf(...checks: PermissionCheck[]): PermissionCheck;
-/**
- * Deny all access
- *
- * @example
- * ```typescript
- * permissions: {
- *   delete: denyAll('Deletion not allowed'),
- * }
- * ```
- */
-declare function denyAll(reason?: string): PermissionCheck;
-/**
- * Dynamic permission based on context
- *
- * @example
- * ```typescript
- * permissions: {
- *   update: when((ctx) => ctx.data?.status === 'draft'),
- * }
- * ```
- */
-declare function when<TDoc = Record<string, unknown>>(condition: (ctx: PermissionContext<TDoc>) => boolean | Promise<boolean>): PermissionCheck<TDoc>;
-/**
- * Require membership in the active organization.
- * User must be authenticated AND have an active org (member or elevated scope).
- *
- * Reads `request.scope` set by auth adapters.
- *
- * @example
- * ```typescript
- * permissions: {
- *   list: requireOrgMembership(),
- *   get: requireOrgMembership(),
- * }
- * ```
- */
-declare function requireOrgMembership<TDoc = Record<string, unknown>>(): PermissionCheck<TDoc>;
-/**
- * Require specific org-level roles.
- * Reads `request.scope.orgRoles` (set by auth adapters).
- * Elevated scope always passes (platform admin bypass).
- *
- * @param roles - Required org roles (user needs at least one)
- *
- * @example
- * ```typescript
- * permissions: {
- *   create: requireOrgRole('admin', 'owner'),
- *   delete: requireOrgRole('owner'),
- * }
- * ```
- */
-declare function requireOrgRole<TDoc = Record<string, unknown>>(...args: string[] | [readonly string[]]): PermissionCheck<TDoc>;
-/**
- * Create a scoped permission system for resource-action patterns.
- * Maps org roles to fine-grained permissions without external API calls.
- *
- * @example
- * ```typescript
- * const perms = createOrgPermissions({
- *   statements: {
- *     product: ['create', 'update', 'delete'],
- *     order: ['create', 'approve'],
- *   },
- *   roles: {
- *     owner: { product: ['create', 'update', 'delete'], order: ['create', 'approve'] },
- *     admin: { product: ['create', 'update'], order: ['create'] },
- *     member: { product: [], order: [] },
- *   },
- * });
- *
- * defineResource({
- *   permissions: {
- *     create: perms.can({ product: ['create'] }),
- *     delete: perms.can({ product: ['delete'] }),
- *   }
- * });
- * ```
- */
-declare function createOrgPermissions(config: {
-  statements: Record<string, readonly string[]>;
-  roles: Record<string, Record<string, readonly string[]>>;
-}): {
-  can: (permissions: Record<string, string[]>) => PermissionCheck;
-  requireRole: (...roles: string[]) => PermissionCheck;
-  requireMembership: () => PermissionCheck;
-  requireTeamMembership: () => PermissionCheck;
-};
-/**
- * Create a dynamic role-based permission matrix.
- *
- * Use this when role/action mappings are managed outside code
- * (e.g., admin UI matrix, DB-stored ACLs, remote policy service).
- *
- * Supports:
- * - org role union (any assigned org role can grant)
- * - global bypass roles
- * - wildcard resource/action (`*`)
- * - optional in-memory cache
- */
-declare function createDynamicPermissionMatrix(config: DynamicPermissionMatrixConfig): DynamicPermissionMatrix;
-/**
- * Require membership in the active team.
- * User must be authenticated, a member of the active org, AND have an active team.
- *
- * Better Auth teams are flat member groups (no team-level roles).
- * Reads `request.scope.teamId` set by the Better Auth adapter.
- *
- * @example
- * ```typescript
- * permissions: {
- *   list: requireTeamMembership(),
- *   create: requireTeamMembership(),
- * }
- * ```
- */
-declare function requireTeamMembership<TDoc = Record<string, unknown>>(): PermissionCheck<TDoc>;
-//#endregion
-export { presets_d_exports as C, RoleHierarchy as D, readOnly as E, createRoleHierarchy as O, ownerWithAdminBypass as S, publicReadAdminWrite as T, roles as _, allOf as a, authenticated as b, createDynamicPermissionMatrix as c, requireAuth as d, requireOrgMembership as f, requireTeamMembership as g, requireRoles as h, PermissionEventBus as i, createOrgPermissions as l, requireOwnership as m, DynamicPermissionMatrix as n, allowPublic as o, requireOrgRole as p, DynamicPermissionMatrixConfig as r, anyOf as s, ConnectEventsOptions as t, denyAll as u, when as v, publicRead as w, fullPublic as x, adminOnly as y };

package/dist/types-BNUccdcf.d.mts DELETED Viewed

@@ -1,101 +0,0 @@
-import { FastifyRequest } from "fastify";
-//#region src/permissions/types.d.ts
-/**
- * User base interface - minimal shape Arc expects
- * Your actual User can have any additional fields
- */
-interface UserBase {
-  id?: string;
-  _id?: string;
-  /** User roles — string (comma-separated), string[], or undefined. Matches Better Auth's admin plugin pattern. */
-  role?: string | string[];
-  [key: string]: unknown;
-}
-/**
- * Extract normalized roles from a user object.
- *
- * Reads `user.role` which can be:
- * - A comma-separated string: `"superadmin,user"` (Better Auth admin plugin)
- * - A string array: `["admin", "user"]` (JWT / custom auth)
- * - A single string: `"admin"`
- */
-/**
- * Normalize a raw role value (string, comma-separated string, or array) into a string[].
- * Shared low-level helper used by both getUserRoles() and the Better Auth adapter.
- */
-declare function normalizeRoles(value: unknown): string[];
-declare function getUserRoles(user: UserBase | null | undefined): string[];
-/**
- * Context passed to permission check functions
- */
-interface PermissionContext<TDoc = Record<string, unknown>> {
-  /** Authenticated user or null if unauthenticated */
-  user: UserBase | null;
-  /** Fastify request object */
-  request: FastifyRequest;
-  /** Resource name being accessed */
-  resource: string;
-  /** Action being performed (list, get, create, update, delete, or custom operation name) */
-  action: string;
-  /** Resource ID for single-resource operations (shortcut for params.id) */
-  resourceId?: string;
-  /** All route parameters (slug, parentId, custom params, etc.) */
-  params?: Record<string, string>;
-  /** Request body data */
-  data?: Partial<TDoc> | Record<string, unknown>;
-}
-/**
- * Result from permission check
- */
-interface PermissionResult {
-  /** Whether access is granted */
-  granted: boolean;
-  /** Reason for denial (for error messages) */
-  reason?: string;
-  /** Query filters to apply (for ownership patterns) */
-  filters?: Record<string, unknown>;
-}
-/**
- * Permission Check Function
- *
- * THE ONLY way to define permissions in Arc.
- * Returns boolean, PermissionResult, or Promise of either.
- *
- * @example
- * ```typescript
- * // Simple boolean return
- * const isAdmin: PermissionCheck = (ctx) => getUserRoles(ctx.user).includes('admin');
- *
- * // With filters for ownership
- * const ownedByUser: PermissionCheck = (ctx) => ({
- *   granted: true,
- *   filters: { userId: ctx.user?.id }
- * });
- *
- * // Async check
- * const canAccessOrg: PermissionCheck = async (ctx) => {
- *   const isMember = await checkMembership(ctx.user?.id, ctx.organizationId);
- *   return { granted: isMember, reason: isMember ? undefined : 'Not a member' };
- * };
- * ```
- */
-type PermissionCheck<TDoc = Record<string, unknown>> = ((context: PermissionContext<TDoc>) => boolean | PermissionResult | Promise<boolean | PermissionResult>) & PermissionCheckMeta;
-/**
- * Optional metadata attached to permission check functions.
- * Used for OpenAPI docs, introspection, and route-level auth decisions.
- */
-interface PermissionCheckMeta {
-  /** Set by allowPublic() — marks the endpoint as publicly accessible */
-  _isPublic?: boolean;
-  /** Set by requireRoles() — the roles required for access */
-  _roles?: readonly string[];
-  /** Set by requireOrgMembership() — org-level permission type */
-  _orgPermission?: string;
-  /** Set by requireOrgRole() — the org roles required for access */
-  _orgRoles?: readonly string[];
-  /** Set by requireTeamMembership() — team-level permission type */
-  _teamPermission?: string;
-}
-//#endregion
-export { getUserRoles as a, UserBase as i, PermissionContext as n, normalizeRoles as o, PermissionResult as r, PermissionCheck as t };