@code-rag/core 0.1.0

package/dist/auth/rbac.test.js

@@ -0,0 +1,224 @@
+import { describe, it, expect } from 'vitest';
+import { RBACManager } from './rbac.js';
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function createUser(overrides) {
+    return {
+        id: 'user-1',
+        email: 'dev@example.com',
+        name: 'Test User',
+        roles: ['viewer'],
+        allowedRepos: ['repo-a', 'repo-b'],
+        ...overrides,
+    };
+}
+function createSearchResult(repoName) {
+    return {
+        chunkId: 'chunk-1',
+        content: 'function foo() {}',
+        nlSummary: 'A function named foo',
+        score: 0.95,
+        method: 'hybrid',
+        metadata: {
+            chunkType: 'function',
+            name: 'foo',
+            declarations: [],
+            imports: [],
+            exports: [],
+            repoName,
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+describe('RBACManager', () => {
+    const rbac = new RBACManager();
+    // -----------------------------------------------------------------------
+    // hasPermission
+    // -----------------------------------------------------------------------
+    describe('hasPermission', () => {
+        it('should allow viewer to search', () => {
+            const user = createUser({ roles: ['viewer'] });
+            expect(rbac.hasPermission(user, 'search')).toBe(true);
+        });
+        it('should allow viewer to access context', () => {
+            const user = createUser({ roles: ['viewer'] });
+            expect(rbac.hasPermission(user, 'context')).toBe(true);
+        });
+        it('should allow viewer to access status', () => {
+            const user = createUser({ roles: ['viewer'] });
+            expect(rbac.hasPermission(user, 'status')).toBe(true);
+        });
+        it('should deny viewer from explain', () => {
+            const user = createUser({ roles: ['viewer'] });
+            expect(rbac.hasPermission(user, 'explain')).toBe(false);
+        });
+        it('should deny viewer from docs', () => {
+            const user = createUser({ roles: ['viewer'] });
+            expect(rbac.hasPermission(user, 'docs')).toBe(false);
+        });
+        it('should deny viewer from index', () => {
+            const user = createUser({ roles: ['viewer'] });
+            expect(rbac.hasPermission(user, 'index')).toBe(false);
+        });
+        it('should deny viewer from configure', () => {
+            const user = createUser({ roles: ['viewer'] });
+            expect(rbac.hasPermission(user, 'configure')).toBe(false);
+        });
+        it('should allow developer to explain', () => {
+            const user = createUser({ roles: ['developer'] });
+            expect(rbac.hasPermission(user, 'explain')).toBe(true);
+        });
+        it('should allow developer to access docs', () => {
+            const user = createUser({ roles: ['developer'] });
+            expect(rbac.hasPermission(user, 'docs')).toBe(true);
+        });
+        it('should deny developer from index', () => {
+            const user = createUser({ roles: ['developer'] });
+            expect(rbac.hasPermission(user, 'index')).toBe(false);
+        });
+        it('should deny developer from configure', () => {
+            const user = createUser({ roles: ['developer'] });
+            expect(rbac.hasPermission(user, 'configure')).toBe(false);
+        });
+        it('should allow admin to perform all actions', () => {
+            const user = createUser({ roles: ['admin'] });
+            const allActions = [
+                'search', 'context', 'status', 'explain', 'docs', 'index', 'configure',
+            ];
+            for (const action of allActions) {
+                expect(rbac.hasPermission(user, action)).toBe(true);
+            }
+        });
+        it('should allow action if any role permits it', () => {
+            const user = createUser({ roles: ['viewer', 'developer'] });
+            expect(rbac.hasPermission(user, 'explain')).toBe(true);
+        });
+        it('should deny action if no role permits it', () => {
+            const user = createUser({ roles: ['viewer', 'developer'] });
+            expect(rbac.hasPermission(user, 'index')).toBe(false);
+        });
+    });
+    // -----------------------------------------------------------------------
+    // canAccessRepo
+    // -----------------------------------------------------------------------
+    describe('canAccessRepo', () => {
+        it('should allow access when repo is in allowedRepos', () => {
+            const user = createUser({ allowedRepos: ['repo-a', 'repo-b'] });
+            expect(rbac.canAccessRepo(user, 'repo-a')).toBe(true);
+        });
+        it('should deny access when repo is not in allowedRepos', () => {
+            const user = createUser({ allowedRepos: ['repo-a'] });
+            expect(rbac.canAccessRepo(user, 'repo-c')).toBe(false);
+        });
+        it('should grant admin with empty allowedRepos access to all repos', () => {
+            const user = createUser({ roles: ['admin'], allowedRepos: [] });
+            expect(rbac.canAccessRepo(user, 'any-repo')).toBe(true);
+        });
+        it('should restrict non-admin with empty allowedRepos', () => {
+            const user = createUser({ roles: ['viewer'], allowedRepos: [] });
+            expect(rbac.canAccessRepo(user, 'any-repo')).toBe(false);
+        });
+        it('should restrict admin with explicit allowedRepos to those repos', () => {
+            const user = createUser({
+                roles: ['admin'],
+                allowedRepos: ['repo-x'],
+            });
+            expect(rbac.canAccessRepo(user, 'repo-x')).toBe(true);
+            expect(rbac.canAccessRepo(user, 'repo-y')).toBe(false);
+        });
+    });
+    // -----------------------------------------------------------------------
+    // filterResultsByAccess
+    // -----------------------------------------------------------------------
+    describe('filterResultsByAccess', () => {
+        it('should keep results from allowed repos', () => {
+            const user = createUser({ allowedRepos: ['repo-a'] });
+            const results = [
+                createSearchResult('repo-a'),
+                createSearchResult('repo-b'),
+            ];
+            const filtered = rbac.filterResultsByAccess(user, results);
+            expect(filtered).toHaveLength(1);
+            expect(filtered[0].metadata.repoName).toBe('repo-a');
+        });
+        it('should keep results without repoName (single-repo mode)', () => {
+            const user = createUser({ allowedRepos: ['repo-a'] });
+            const results = [
+                createSearchResult(undefined),
+                createSearchResult('repo-b'),
+            ];
+            const filtered = rbac.filterResultsByAccess(user, results);
+            expect(filtered).toHaveLength(1);
+            expect(filtered[0].metadata.repoName).toBeUndefined();
+        });
+        it('should return all results for admin with empty allowedRepos', () => {
+            const user = createUser({ roles: ['admin'], allowedRepos: [] });
+            const results = [
+                createSearchResult('repo-a'),
+                createSearchResult('repo-b'),
+                createSearchResult('repo-c'),
+            ];
+            const filtered = rbac.filterResultsByAccess(user, results);
+            expect(filtered).toHaveLength(3);
+        });
+        it('should return empty array when no results match', () => {
+            const user = createUser({ allowedRepos: ['repo-x'] });
+            const results = [
+                createSearchResult('repo-a'),
+                createSearchResult('repo-b'),
+            ];
+            const filtered = rbac.filterResultsByAccess(user, results);
+            expect(filtered).toHaveLength(0);
+        });
+        it('should not mutate the original results array', () => {
+            const user = createUser({ allowedRepos: ['repo-a'] });
+            const results = [
+                createSearchResult('repo-a'),
+                createSearchResult('repo-b'),
+            ];
+            const originalLength = results.length;
+            rbac.filterResultsByAccess(user, results);
+            expect(results).toHaveLength(originalLength);
+        });
+    });
+    // -----------------------------------------------------------------------
+    // getRoleLevel & getHighestRole
+    // -----------------------------------------------------------------------
+    describe('getRoleLevel', () => {
+        it('should return 0 for viewer', () => {
+            expect(rbac.getRoleLevel('viewer')).toBe(0);
+        });
+        it('should return 1 for developer', () => {
+            expect(rbac.getRoleLevel('developer')).toBe(1);
+        });
+        it('should return 2 for admin', () => {
+            expect(rbac.getRoleLevel('admin')).toBe(2);
+        });
+        it('should maintain hierarchy ordering', () => {
+            expect(rbac.getRoleLevel('admin')).toBeGreaterThan(rbac.getRoleLevel('developer'));
+            expect(rbac.getRoleLevel('developer')).toBeGreaterThan(rbac.getRoleLevel('viewer'));
+        });
+    });
+    describe('getHighestRole', () => {
+        it('should return admin when user has admin role', () => {
+            const user = createUser({ roles: ['viewer', 'admin'] });
+            expect(rbac.getHighestRole(user)).toBe('admin');
+        });
+        it('should return developer when user has developer but not admin', () => {
+            const user = createUser({ roles: ['viewer', 'developer'] });
+            expect(rbac.getHighestRole(user)).toBe('developer');
+        });
+        it('should return viewer when that is the only role', () => {
+            const user = createUser({ roles: ['viewer'] });
+            expect(rbac.getHighestRole(user)).toBe('viewer');
+        });
+        it('should return admin when all roles are present', () => {
+            const user = createUser({ roles: ['viewer', 'developer', 'admin'] });
+            expect(rbac.getHighestRole(user)).toBe('admin');
+        });
+    });
+});
+//# sourceMappingURL=rbac.test.js.map

package/dist/auth/rbac.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac.test.js","sourceRoot":"","sources":["../../src/auth/rbac.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAIxC,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,SAAS,UAAU,CAAC,SAAyB;IAC3C,OAAO;QACL,EAAE,EAAE,QAAQ;QACZ,KAAK,EAAE,iBAAiB;QACxB,IAAI,EAAE,WAAW;QACjB,KAAK,EAAE,CAAC,QAAQ,CAAC;QACjB,YAAY,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC;QAClC,GAAG,SAAS;KACb,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,QAAiB;IAC3C,OAAO;QACL,OAAO,EAAE,SAAS;QAClB,OAAO,EAAE,mBAAmB;QAC5B,SAAS,EAAE,sBAAsB;QACjC,KAAK,EAAE,IAAI;QACX,MAAM,EAAE,QAAQ;QAChB,QAAQ,EAAE;YACR,SAAS,EAAE,UAAU;YACrB,IAAI,EAAE,KAAK;YACX,YAAY,EAAE,EAAE;YAChB,OAAO,EAAE,EAAE;YACX,OAAO,EAAE,EAAE;YACX,QAAQ;SACT;KACF,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,QAAQ;AACR,8EAA8E;AAE9E,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;IAC3B,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC;IAE/B,0EAA0E;IAC1E,gBAAgB;IAChB,0EAA0E;IAE1E,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;QAC7B,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;YACvC,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;YAC/C,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;YAC/C,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;YAC/C,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;YAC9C,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;YAC/C,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;YACzC,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;YAC/C,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC1D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;YACtC,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;YAC/C,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACvD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;YACvC,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;YAC/C,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;YAC3C,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;YAC/C,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC5D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;YAC3C,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;YAClD,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;YAC/C,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;YAClD,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;YAC1C,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;YAClD,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;YAC9C,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;YAClD,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC5D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;YACnD,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;YAC9C,MAAM,UAAU,GAAa;gBAC3B,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW;aACvE,CAAC;YACF,KAAK,MAAM,MAAM,IAAI,UAAU,EAAE,CAAC;gBAChC,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtD,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;YACpD,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,QAAQ,EAAE,WAAW,CAAC,EAAE,CAAC,CAAC;YAC5D,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;YAClD,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,QAAQ,EAAE,WAAW,CAAC,EAAE,CAAC,CAAC;YAC5D,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,0EAA0E;IAC1E,gBAAgB;IAChB,0EAA0E;IAE1E,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;QAC7B,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;YAC1D,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,YAAY,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAAE,CAAC,CAAC;YAChE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;YAC7D,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,YAAY,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;YACtD,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gEAAgE,EAAE,GAAG,EAAE;YACxE,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,OAAO,CAAC,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC,CAAC;YAChE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;YAC3D,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,QAAQ,CAAC,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC,CAAC;YACjE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC3D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iEAAiE,EAAE,GAAG,EAAE;YACzE,MAAM,IAAI,GAAG,UAAU,CAAC;gBACtB,KAAK,EAAE,CAAC,OAAO,CAAC;gBAChB,YAAY,EAAE,CAAC,QAAQ,CAAC;aACzB,CAAC,CAAC;YACH,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtD,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,0EAA0E;IAC1E,wBAAwB;IACxB,0EAA0E;IAE1E,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;QACrC,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;YAChD,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,YAAY,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;YACtD,MAAM,OAAO,GAAG;gBACd,kBAAkB,CAAC,QAAQ,CAAC;gBAC5B,kBAAkB,CAAC,QAAQ,CAAC;aAC7B,CAAC;YACF,MAAM,QAAQ,GAAG,IAAI,CAAC,qBAAqB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC3D,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YACjC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACxD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;YACjE,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,YAAY,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;YACtD,MAAM,OAAO,GAAG;gBACd,kBAAkB,CAAC,SAAS,CAAC;gBAC7B,kBAAkB,CAAC,QAAQ,CAAC;aAC7B,CAAC;YACF,MAAM,QAAQ,GAAG,IAAI,CAAC,qBAAqB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC3D,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YACjC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,aAAa,EAAE,CAAC;QACzD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6DAA6D,EAAE,GAAG,EAAE;YACrE,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,OAAO,CAAC,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC,CAAC;YAChE,MAAM,OAAO,GAAG;gBACd,kBAAkB,CAAC,QAAQ,CAAC;gBAC5B,kBAAkB,CAAC,QAAQ,CAAC;gBAC5B,kBAAkB,CAAC,QAAQ,CAAC;aAC7B,CAAC;YACF,MAAM,QAAQ,GAAG,IAAI,CAAC,qBAAqB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC3D,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;YACzD,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,YAAY,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;YACtD,MAAM,OAAO,GAAG;gBACd,kBAAkB,CAAC,QAAQ,CAAC;gBAC5B,kBAAkB,CAAC,QAAQ,CAAC;aAC7B,CAAC;YACF,MAAM,QAAQ,GAAG,IAAI,CAAC,qBAAqB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC3D,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;YACtD,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,YAAY,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;YACtD,MAAM,OAAO,GAAG;gBACd,kBAAkB,CAAC,QAAQ,CAAC;gBAC5B,kBAAkB,CAAC,QAAQ,CAAC;aAC7B,CAAC;YACF,MAAM,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC;YACtC,IAAI,CAAC,qBAAqB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC1C,MAAM,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,cAAc,CAAC,CAAC;QAC/C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,0EAA0E;IAC1E,gCAAgC;IAChC,0EAA0E;IAE1E,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;QAC5B,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;YACpC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC9C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;YACvC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;YACnC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC7C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;YAC5C,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC,CAAC;YACnF,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC;QACtF,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;QAC9B,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;YACtD,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,QAAQ,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;YACxD,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAClD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+DAA+D,EAAE,GAAG,EAAE;YACvE,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,QAAQ,EAAE,WAAW,CAAC,EAAE,CAAC,CAAC;YAC5D,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACtD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;YACzD,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;YAC/C,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACnD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;YACxD,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,QAAQ,EAAE,WAAW,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;YACrE,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAClD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/auth/saml-provider.d.ts

@@ -0,0 +1,51 @@
+import { type Result } from 'neverthrow';
+import type { AuthProvider, AuthToken, Role, SAMLConfig, User } from './types.js';
+import { AuthError } from './types.js';
+/**
+ * SAML 2.0 `AuthProvider` implementation.
+ *
+ * Handles AuthnRequest generation and SAML Response validation for
+ * enterprise SSO integration.
+ */
+export declare class SAMLProvider implements AuthProvider {
+    readonly name = "saml";
+    private readonly config;
+    private idpMetadata;
+    /** Users whose info has been resolved (in-memory cache). */
+    private readonly userCache;
+    /** Counter for unique AuthnRequest IDs. */
+    private requestCounter;
+    /**
+     * Pluggable `fetch` function — defaults to the global `fetch`.
+     */
+    private readonly fetchFn;
+    constructor(config: SAMLConfig, fetchFn?: typeof fetch);
+    /**
+     * Fetches and parses IdP metadata XML to discover SSO URL, certificate,
+     * and NameID format.
+     */
+    initialize(): Promise<Result<void, AuthError>>;
+    /**
+     * Creates a SAML AuthnRequest and returns the IdP redirect URL together
+     * with the request ID (for later response correlation).
+     */
+    generateAuthRequest(): Result<{
+        url: string;
+        id: string;
+    }, AuthError>;
+    authenticate(token: string): Promise<Result<AuthToken, AuthError>>;
+    getUserRoles(userId: string): Promise<Result<readonly Role[], AuthError>>;
+    getUserRepos(userId: string): Promise<Result<readonly string[], AuthError>>;
+    /**
+     * Validates a Base64-encoded SAML Response: checks XML signature,
+     * conditions (audience, timestamps), and extracts the user.
+     */
+    validateResponse(samlResponseB64: string): Promise<Result<User, AuthError>>;
+    /**
+     * Maps SAML attributes to a CodeRAG `User`.
+     */
+    mapAttributes(attributes: Readonly<Record<string, string>>, xml?: string): User;
+    private mapRoleValues;
+    private verifyXmlSignature;
+    private checkConditions;
+}

package/dist/auth/saml-provider.js

@@ -0,0 +1,355 @@
+import { ok, err } from 'neverthrow';
+import { createVerify } from 'node:crypto';
+import { AuthError } from './types.js';
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/**
+ * Extracts the text content of the first occurrence of `tagName` from XML.
+ * This is a minimal, dependency-free XML "parser" — it does **not** handle
+ * namespaces, CDATA, or nested elements with the same local name.  Sufficient
+ * for SAML metadata / response parsing.
+ */
+function xmlGetText(xml, tagName) {
+    // Match both with and without namespace prefix
+    const localName = tagName.includes(':') ? tagName.split(':').pop() : tagName;
+    // Try with namespace prefix first, then without
+    for (const name of [tagName, localName]) {
+        const esc = escapeRegex(name);
+        const patterns = [
+            // <ns:Tag ...>content</ns:Tag> — requires tag name to end at > or whitespace
+            new RegExp(`<(?:[a-zA-Z0-9_]+:)?${esc}(?:\\s[^>]*)?>([\\s\\S]*?)<\\/(?:[a-zA-Z0-9_]+:)?${esc}>`, 'i'),
+            // <Tag ...>content</Tag>
+            new RegExp(`<${esc}(?:\\s[^>]*)?>([\\s\\S]*?)<\\/${esc}>`, 'i'),
+        ];
+        for (const re of patterns) {
+            const match = re.exec(xml);
+            if (match?.[1] !== undefined) {
+                return match[1].trim();
+            }
+        }
+    }
+    return undefined;
+}
+/**
+ * Extracts an attribute value from the first element matching `tagName`.
+ */
+function xmlGetAttr(xml, tagName, attrName) {
+    const localName = tagName.includes(':') ? tagName.split(':').pop() : tagName;
+    for (const name of [tagName, localName]) {
+        const esc = escapeRegex(name);
+        // Match <ns:Tag ...> or <Tag ...> — tag name must be followed by whitespace, /, or >
+        const tagRe = new RegExp(`<(?:[a-zA-Z0-9_]+:)?${esc}(?:\\s[^>]*|\\/)?>`, 'i');
+        const tagMatch = tagRe.exec(xml);
+        if (tagMatch) {
+            const attrRe = new RegExp(`${escapeRegex(attrName)}\\s*=\\s*"([^"]*)"`, 'i');
+            const attrMatch = attrRe.exec(tagMatch[0]);
+            if (attrMatch?.[1] !== undefined) {
+                return attrMatch[1];
+            }
+        }
+    }
+    return undefined;
+}
+/**
+ * Extracts all SAML attribute values from a SAML Response.
+ * Returns a map of attribute name -> value.
+ */
+function extractSamlAttributes(xml) {
+    const attrs = {};
+    // Match <saml:Attribute Name="..."><saml:AttributeValue>...</saml:AttributeValue></saml:Attribute>
+    const attrRe = /<[^>]*?Attribute\s[^>]*?Name\s*=\s*"([^"]*)"[^>]*?>([\s\S]*?)<\/[^>]*?Attribute>/gi;
+    let attrMatch = attrRe.exec(xml);
+    while (attrMatch) {
+        const name = attrMatch[1];
+        const body = attrMatch[2];
+        if (name && body) {
+            // Get the first AttributeValue
+            const valueRe = /<[^>]*?AttributeValue[^>]*?>([\s\S]*?)<\/[^>]*?AttributeValue>/i;
+            const valueMatch = valueRe.exec(body);
+            if (valueMatch?.[1] !== undefined) {
+                attrs[name] = valueMatch[1].trim();
+            }
+        }
+        attrMatch = attrRe.exec(xml);
+    }
+    return attrs;
+}
+function escapeRegex(str) {
+    return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+// ---------------------------------------------------------------------------
+// SAMLProvider
+// ---------------------------------------------------------------------------
+/**
+ * SAML 2.0 `AuthProvider` implementation.
+ *
+ * Handles AuthnRequest generation and SAML Response validation for
+ * enterprise SSO integration.
+ */
+export class SAMLProvider {
+    name = 'saml';
+    config;
+    idpMetadata;
+    /** Users whose info has been resolved (in-memory cache). */
+    userCache = new Map();
+    /** Counter for unique AuthnRequest IDs. */
+    requestCounter = 0;
+    /**
+     * Pluggable `fetch` function — defaults to the global `fetch`.
+     */
+    fetchFn;
+    constructor(config, fetchFn) {
+        this.config = config;
+        this.fetchFn = fetchFn ?? globalThis.fetch;
+    }
+    // -----------------------------------------------------------------------
+    // Initialization
+    // -----------------------------------------------------------------------
+    /**
+     * Fetches and parses IdP metadata XML to discover SSO URL, certificate,
+     * and NameID format.
+     */
+    async initialize() {
+        try {
+            const response = await this.fetchFn(this.config.idpMetadataUrl);
+            if (!response.ok) {
+                return err(new AuthError(`IdP metadata fetch failed: HTTP ${String(response.status)}`));
+            }
+            const xml = await response.text();
+            const entityId = xmlGetAttr(xml, 'EntityDescriptor', 'entityID') ?? '';
+            const ssoUrl = xmlGetAttr(xml, 'SingleSignOnService', 'Location') ?? '';
+            const certificate = xmlGetText(xml, 'X509Certificate') ?? '';
+            const nameIdFormat = xmlGetText(xml, 'NameIDFormat') ??
+                'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress';
+            if (!entityId || !ssoUrl || !certificate) {
+                return err(new AuthError('IdP metadata missing required fields (entityID, SSO URL, or certificate)'));
+            }
+            this.idpMetadata = { entityId, ssoUrl, certificate, nameIdFormat };
+            return ok(undefined);
+        }
+        catch (cause) {
+            const message = cause instanceof Error ? cause.message : 'Unknown error';
+            return err(new AuthError(`SAML initialization error: ${message}`));
+        }
+    }
+    // -----------------------------------------------------------------------
+    // AuthnRequest generation
+    // -----------------------------------------------------------------------
+    /**
+     * Creates a SAML AuthnRequest and returns the IdP redirect URL together
+     * with the request ID (for later response correlation).
+     */
+    generateAuthRequest() {
+        if (!this.idpMetadata) {
+            return err(new AuthError('SAML not initialized — call initialize() first'));
+        }
+        this.requestCounter += 1;
+        const id = `_coderag_${Date.now()}_${String(this.requestCounter)}`;
+        const issueInstant = new Date().toISOString();
+        const authnRequest = [
+            '<samlp:AuthnRequest',
+            ' xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"',
+            ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"',
+            ` ID="${id}"`,
+            ' Version="2.0"',
+            ` IssueInstant="${issueInstant}"`,
+            ` Destination="${this.idpMetadata.ssoUrl}"`,
+            ` AssertionConsumerServiceURL="${this.config.spAcsUrl}"`,
+            ` ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">`,
+            `  <saml:Issuer>${this.config.spEntityId}</saml:Issuer>`,
+            '  <samlp:NameIDPolicy',
+            `   Format="${this.idpMetadata.nameIdFormat}"`,
+            '   AllowCreate="true" />',
+            '</samlp:AuthnRequest>',
+        ].join('\n');
+        const encoded = Buffer.from(authnRequest).toString('base64');
+        const separator = this.idpMetadata.ssoUrl.includes('?') ? '&' : '?';
+        const url = `${this.idpMetadata.ssoUrl}${separator}SAMLRequest=${encodeURIComponent(encoded)}`;
+        return ok({ url, id });
+    }
+    // -----------------------------------------------------------------------
+    // AuthProvider implementation
+    // -----------------------------------------------------------------------
+    async authenticate(token) {
+        const userResult = await this.validateResponse(token);
+        if (userResult.isErr()) {
+            return err(userResult.error);
+        }
+        const user = userResult.value;
+        const now = Math.floor(Date.now() / 1000);
+        const authToken = {
+            userId: user.id,
+            email: user.email,
+            roles: user.roles,
+            exp: now + 3600, // 1 hour default
+            iat: now,
+        };
+        return ok(authToken);
+    }
+    async getUserRoles(userId) {
+        const user = this.userCache.get(userId);
+        if (user) {
+            return ok(user.roles);
+        }
+        return ok(['viewer']);
+    }
+    async getUserRepos(userId) {
+        const user = this.userCache.get(userId);
+        if (user) {
+            return ok(user.allowedRepos);
+        }
+        return ok([]);
+    }
+    // -----------------------------------------------------------------------
+    // SAML Response validation
+    // -----------------------------------------------------------------------
+    /**
+     * Validates a Base64-encoded SAML Response: checks XML signature,
+     * conditions (audience, timestamps), and extracts the user.
+     */
+    async validateResponse(samlResponseB64) {
+        let xml;
+        try {
+            xml = Buffer.from(samlResponseB64, 'base64').toString('utf-8');
+        }
+        catch {
+            return err(new AuthError('Invalid Base64 SAML response'));
+        }
+        // Verify signature
+        const sigResult = this.verifyXmlSignature(xml);
+        if (sigResult.isErr()) {
+            return err(sigResult.error);
+        }
+        // Check conditions
+        const condResult = this.checkConditions(xml);
+        if (condResult.isErr()) {
+            return err(condResult.error);
+        }
+        // Extract user
+        const user = this.mapAttributes(extractSamlAttributes(xml), xml);
+        this.userCache.set(user.id, user);
+        return ok(user);
+    }
+    // -----------------------------------------------------------------------
+    // Attribute mapping
+    // -----------------------------------------------------------------------
+    /**
+     * Maps SAML attributes to a CodeRAG `User`.
+     */
+    mapAttributes(attributes, xml) {
+        const email = attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'] ??
+            attributes['email'] ??
+            attributes['Email'] ??
+            '';
+        const name = attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'] ??
+            attributes['displayName'] ??
+            attributes['name'] ??
+            email;
+        // Extract NameID as user ID
+        let nameId = '';
+        if (xml) {
+            nameId = xmlGetText(xml, 'NameID') ?? '';
+        }
+        const id = nameId || email;
+        // Map roles
+        const roleAttr = attributes['http://schemas.microsoft.com/ws/2008/06/identity/claims/role'] ??
+            attributes['role'] ??
+            attributes['Role'] ??
+            '';
+        const roles = this.mapRoleValues(roleAttr);
+        return { id, email, name, roles, allowedRepos: [] };
+    }
+    // -----------------------------------------------------------------------
+    // Private helpers
+    // -----------------------------------------------------------------------
+    mapRoleValues(roleValue) {
+        const mapping = this.config.roleMapping ?? {};
+        const values = roleValue
+            .split(',')
+            .map((v) => v.trim())
+            .filter(Boolean);
+        const roles = new Set();
+        for (const value of values) {
+            const mapped = mapping[value];
+            if (mapped) {
+                roles.add(mapped);
+            }
+            if (value === 'admin' || value === 'developer' || value === 'viewer') {
+                roles.add(value);
+            }
+        }
+        if (roles.size === 0) {
+            return ['viewer'];
+        }
+        return [...roles];
+    }
+    verifyXmlSignature(xml) {
+        if (!this.idpMetadata) {
+            return err(new AuthError('SAML not initialized — call initialize() first'));
+        }
+        // Extract SignatureValue and signed content
+        const signatureValue = xmlGetText(xml, 'SignatureValue');
+        if (!signatureValue) {
+            return err(new AuthError('No SignatureValue found in SAML response'));
+        }
+        // Extract the signed content (the Assertion element)
+        const digestValue = xmlGetText(xml, 'DigestValue');
+        if (!digestValue) {
+            return err(new AuthError('No DigestValue found in SAML response'));
+        }
+        // Verify using the IdP certificate or public key
+        const signedInfo = xmlGetText(xml, 'SignedInfo');
+        if (!signedInfo) {
+            return err(new AuthError('No SignedInfo found in SAML response'));
+        }
+        // Reconstruct SignedInfo as canonical XML for verification
+        const signedInfoXml = `<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">${signedInfo}</SignedInfo>`;
+        const signature = Buffer.from(signatureValue.replace(/\s/g, ''), 'base64');
+        // Try certificate format first, then public key format
+        const keyFormats = [
+            `-----BEGIN CERTIFICATE-----\n${this.idpMetadata.certificate}\n-----END CERTIFICATE-----`,
+            `-----BEGIN PUBLIC KEY-----\n${this.idpMetadata.certificate}\n-----END PUBLIC KEY-----`,
+        ];
+        for (const keyPem of keyFormats) {
+            try {
+                const verifier = createVerify('RSA-SHA256');
+                verifier.update(signedInfoXml);
+                const valid = verifier.verify(keyPem, signature);
+                if (valid) {
+                    return ok(undefined);
+                }
+                return err(new AuthError('Invalid SAML response signature'));
+            }
+            catch {
+                // Try next format
+                continue;
+            }
+        }
+        return err(new AuthError('Signature verification failed: unsupported key format'));
+    }
+    checkConditions(xml) {
+        // Check NotBefore / NotOnOrAfter
+        const notBeforeStr = xmlGetAttr(xml, 'Conditions', 'NotBefore');
+        const notOnOrAfterStr = xmlGetAttr(xml, 'Conditions', 'NotOnOrAfter');
+        const now = new Date();
+        if (notBeforeStr) {
+            const notBefore = new Date(notBeforeStr);
+            if (now < notBefore) {
+                return err(new AuthError('SAML assertion not yet valid'));
+            }
+        }
+        if (notOnOrAfterStr) {
+            const notOnOrAfter = new Date(notOnOrAfterStr);
+            if (now >= notOnOrAfter) {
+                return err(new AuthError('SAML assertion expired'));
+            }
+        }
+        // Check audience restriction
+        const audience = xmlGetText(xml, 'Audience');
+        if (audience && audience !== this.config.spEntityId) {
+            return err(new AuthError(`SAML audience mismatch: expected ${this.config.spEntityId}, got ${audience}`));
+        }
+        return ok(undefined);
+    }
+}