@composurecdk/iam 0.6.0 → 0.8.0

package/dist/commonjs/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,iBAAiB,EACjB,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,KAAK,iBAAiB,GACvB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EACL,0BAA0B,EAC1B,KAAK,qBAAqB,EAC1B,KAAK,yBAAyB,EAC9B,KAAK,0BAA0B,GAChC,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,wBAAwB,EAAE,MAAM,2BAA2B,CAAC;AACrE,OAAO,EACL,sBAAsB,EACtB,gBAAgB,EAChB,qBAAqB,GACtB,MAAM,wBAAwB,CAAC"}

package/dist/commonjs/index.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.WildcardResourceError = exports.StatementBuilder = exports.createStatementBuilder = exports.createServiceRoleBuilder = exports.createManagedPolicyBuilder = exports.ROLE_DEFAULTS = exports.createRoleBuilder = void 0;
+var role_builder_js_1 = require("./role-builder.js");
+Object.defineProperty(exports, "createRoleBuilder", { enumerable: true, get: function () { return role_builder_js_1.createRoleBuilder; } });
+var role_defaults_js_1 = require("./role-defaults.js");
+Object.defineProperty(exports, "ROLE_DEFAULTS", { enumerable: true, get: function () { return role_defaults_js_1.ROLE_DEFAULTS; } });
+var managed_policy_builder_js_1 = require("./managed-policy-builder.js");
+Object.defineProperty(exports, "createManagedPolicyBuilder", { enumerable: true, get: function () { return managed_policy_builder_js_1.createManagedPolicyBuilder; } });
+var service_role_builder_js_1 = require("./service-role-builder.js");
+Object.defineProperty(exports, "createServiceRoleBuilder", { enumerable: true, get: function () { return service_role_builder_js_1.createServiceRoleBuilder; } });
+var statement_builder_js_1 = require("./statement-builder.js");
+Object.defineProperty(exports, "createStatementBuilder", { enumerable: true, get: function () { return statement_builder_js_1.createStatementBuilder; } });
+Object.defineProperty(exports, "StatementBuilder", { enumerable: true, get: function () { return statement_builder_js_1.StatementBuilder; } });
+Object.defineProperty(exports, "WildcardResourceError", { enumerable: true, get: function () { return statement_builder_js_1.WildcardResourceError; } });
+//# sourceMappingURL=index.js.map

package/dist/commonjs/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,qDAK2B;AAJzB,oHAAA,iBAAiB,OAAA;AAKnB,uDAAmD;AAA1C,iHAAA,aAAa,OAAA;AACtB,yEAKqC;AAJnC,uIAAA,0BAA0B,OAAA;AAK5B,qEAAqE;AAA5D,mIAAA,wBAAwB,OAAA;AACjC,+DAIgC;AAH9B,8HAAA,sBAAsB,OAAA;AACtB,wHAAA,gBAAgB,OAAA;AAChB,6HAAA,qBAAqB,OAAA"}

package/dist/{managed-policy-builder.d.ts → commonjs/managed-policy-builder.d.ts}

@@ -1,6 +1,6 @@
 import { ManagedPolicy, type ManagedPolicyProps, PolicyStatement } from "aws-cdk-lib/aws-iam";
 import type { IConstruct } from "constructs";
-import { type IBuilder, type Lifecycle } from "@composurecdk/core";
+import { COPY_STATE, type IBuilder, type Lifecycle } from "@composurecdk/core";
 import { StatementBuilder } from "./statement-builder.js";
 /**
  * Configuration properties for the customer-managed IAM policy builder.
@@ -47,6 +47,8 @@ declare class ManagedPolicyBuilder implements Lifecycle<ManagedPolicyBuilderResu
      * validation runs at the composition boundary.
      */
     addStatements(statements: (PolicyStatement | StatementBuilder)[]): this;
+    /** @internal — see ADR-0005. */
+    [COPY_STATE](target: ManagedPolicyBuilder): void;
     build(scope: IConstruct, id: string): ManagedPolicyBuilderResult;
 }
 /**

package/dist/commonjs/managed-policy-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"managed-policy-builder.d.ts","sourceRoot":"","sources":["../../src/managed-policy-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,KAAK,kBAAkB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAC9F,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAW,UAAU,EAAE,KAAK,QAAQ,EAAE,KAAK,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACxF,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE1D;;;;;;GAMG;AACH,MAAM,MAAM,yBAAyB,GAAG,kBAAkB,CAAC;AAE3D;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,0DAA0D;IAC1D,MAAM,EAAE,aAAa,CAAC;CACvB;AAED;;;;;;;;;;;;;;;;;GAiBG;AAEH,MAAM,MAAM,qBAAqB,GAAG,QAAQ,CAAC,yBAAyB,EAAE,oBAAoB,CAAC,CAAC;AAE9F,cAAM,oBAAqB,YAAW,SAAS,CAAC,0BAA0B,CAAC;;IACzE,KAAK,EAAE,OAAO,CAAC,yBAAyB,CAAC,CAAM;IAG/C;;;;;;OAMG;IACH,aAAa,CAAC,UAAU,EAAE,CAAC,eAAe,GAAG,gBAAgB,CAAC,EAAE,GAAG,IAAI;IAKvE,gCAAgC;IAChC,CAAC,UAAU,CAAC,CAAC,MAAM,EAAE,oBAAoB,GAAG,IAAI;IAIhD,KAAK,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,GAAG,0BAA0B;CAajE;AAED;;;;;GAKG;AACH,wBAAgB,0BAA0B,IAAI,qBAAqB,CAGlE"}

package/dist/commonjs/managed-policy-builder.js

@@ -0,0 +1,45 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createManagedPolicyBuilder = createManagedPolicyBuilder;
+const aws_iam_1 = require("aws-cdk-lib/aws-iam");
+const core_1 = require("@composurecdk/core");
+const statement_builder_js_1 = require("./statement-builder.js");
+class ManagedPolicyBuilder {
+    props = {};
+    #extraStatements = [];
+    /**
+     * Append policy statements to the managed policy.
+     *
+     * Accepts either {@link PolicyStatement} or {@link StatementBuilder}.
+     * Statement builders are resolved during {@link build} so wildcard-resource
+     * validation runs at the composition boundary.
+     */
+    addStatements(statements) {
+        this.#extraStatements.push(...statements);
+        return this;
+    }
+    /** @internal — see ADR-0005. */
+    [core_1.COPY_STATE](target) {
+        target.#extraStatements.push(...this.#extraStatements);
+    }
+    build(scope, id) {
+        const resolvedExtras = this.#extraStatements.map((s) => s instanceof statement_builder_js_1.StatementBuilder ? s.build() : s);
+        const mergedProps = {
+            ...this.props,
+            statements: [...(this.props.statements ?? []), ...resolvedExtras],
+        };
+        const policy = new aws_iam_1.ManagedPolicy(scope, id, mergedProps);
+        return { policy };
+    }
+}
+/**
+ * Creates a new {@link IManagedPolicyBuilder} for configuring an AWS IAM
+ * customer-managed policy.
+ *
+ * @returns A fluent builder for a customer-managed policy.
+ */
+function createManagedPolicyBuilder() {
+    // eslint-disable-next-line composurecdk/builder-must-be-tagged -- AWS::IAM::ManagedPolicy has no Tags property
+    return (0, core_1.Builder)(ManagedPolicyBuilder);
+}
+//# sourceMappingURL=managed-policy-builder.js.map

package/dist/commonjs/managed-policy-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"managed-policy-builder.js","sourceRoot":"","sources":["../../src/managed-policy-builder.ts"],"names":[],"mappings":";;AAqFA,gEAGC;AAxFD,iDAA8F;AAE9F,6CAAwF;AACxF,iEAA0D;AAwC1D,MAAM,oBAAoB;IACxB,KAAK,GAAuC,EAAE,CAAC;IACtC,gBAAgB,GAA2C,EAAE,CAAC;IAEvE;;;;;;OAMG;IACH,aAAa,CAAC,UAAkD;QAC9D,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;QAC1C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gCAAgC;IAChC,CAAC,iBAAU,CAAC,CAAC,MAA4B;QACvC,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,gBAAgB,CAAC,CAAC;IACzD,CAAC;IAED,KAAK,CAAC,KAAiB,EAAE,EAAU;QACjC,MAAM,cAAc,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CACrD,CAAC,YAAY,uCAAgB,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,CAC9C,CAAC;QAEF,MAAM,WAAW,GAAuB;YACtC,GAAG,IAAI,CAAC,KAAK;YACb,UAAU,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,GAAG,cAAc,CAAC;SAClE,CAAC;QAEF,MAAM,MAAM,GAAG,IAAI,uBAAa,CAAC,KAAK,EAAE,EAAE,EAAE,WAAW,CAAC,CAAC;QACzD,OAAO,EAAE,MAAM,EAAE,CAAC;IACpB,CAAC;CACF;AAED;;;;;GAKG;AACH,SAAgB,0BAA0B;IACxC,+GAA+G;IAC/G,OAAO,IAAA,cAAO,EAAkD,oBAAoB,CAAC,CAAC;AACxF,CAAC"}

package/dist/commonjs/package.json

@@ -0,0 +1,3 @@
+{
+  "type": "commonjs"
+}

package/dist/{role-builder.d.ts → commonjs/role-builder.d.ts}

@@ -1,6 +1,7 @@
 import { type IManagedPolicy, PolicyDocument, PolicyStatement, Role, type RoleProps } from "aws-cdk-lib/aws-iam";
 import type { IConstruct } from "constructs";
-import { type IBuilder, type Lifecycle, type Resolvable } from "@composurecdk/core";
+import { COPY_STATE, type Lifecycle, type Resolvable } from "@composurecdk/core";
+import { type ITaggedBuilder } from "@composurecdk/cloudformation";
 import { StatementBuilder } from "./statement-builder.js";
 /**
  * Configuration properties for the IAM role builder.
@@ -74,7 +75,7 @@ export interface RoleBuilderResult {
  *   ]);
  * ```
  */
-export type IRoleBuilder = IBuilder<RoleBuilderProps, RoleBuilder>;
+export type IRoleBuilder = ITaggedBuilder<RoleBuilderProps, RoleBuilder>;
 declare class RoleBuilder implements Lifecycle<RoleBuilderResult> {
     #private;
     props: Partial<RoleBuilderProps>;
@@ -90,6 +91,8 @@ declare class RoleBuilder implements Lifecycle<RoleBuilderResult> {
      * rather than at configuration time).
      */
     addInlinePolicyStatements(name: string, statements: (PolicyStatement | StatementBuilder)[]): this;
+    /** @internal — see ADR-0005. */
+    [COPY_STATE](target: RoleBuilder): void;
     build(scope: IConstruct, id: string, context?: Record<string, object>): RoleBuilderResult;
 }
 /**

package/dist/commonjs/role-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"role-builder.d.ts","sourceRoot":"","sources":["../../src/role-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,cAAc,EACnB,cAAc,EACd,eAAe,EACf,IAAI,EACJ,KAAK,SAAS,EACf,MAAM,qBAAqB,CAAC;AAC7B,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,KAAK,SAAS,EAAW,KAAK,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAC1F,OAAO,EAAE,KAAK,cAAc,EAAiB,MAAM,8BAA8B,CAAC;AAElF,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE1D;;;;;;;GAOG;AACH,MAAM,WAAW,gBAAiB,SAAQ,IAAI,CAAC,SAAS,EAAE,qBAAqB,CAAC;IAC9E;;;;;;;;OAQG;IACH,mBAAmB,CAAC,EAAE,UAAU,CAAC,cAAc,CAAC,CAAC;CAClD;AAED;;;;;GAKG;AACH,MAAM,WAAW,iBAAiB;IAChC,qDAAqD;IACrD,IAAI,EAAE,IAAI,CAAC;IAEX;;;;;;;;;;;OAWG;IACH,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;CAChD;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,MAAM,MAAM,YAAY,GAAG,cAAc,CAAC,gBAAgB,EAAE,WAAW,CAAC,CAAC;AAOzE,cAAM,WAAY,YAAW,SAAS,CAAC,iBAAiB,CAAC;;IACvD,KAAK,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAM;IAGtC;;;;;;;;;;OAUG;IACH,yBAAyB,CACvB,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,CAAC,eAAe,GAAG,gBAAgB,CAAC,EAAE,GACjD,IAAI;IAKP,gCAAgC;IAChC,CAAC,UAAU,CAAC,CAAC,MAAM,EAAE,WAAW,GAAG,IAAI;IAIvC,KAAK,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,EAAE,OAAO,GAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAM,GAAG,iBAAiB;CA8C9F;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,iBAAiB,IAAI,YAAY,CAEhD"}

package/dist/commonjs/role-builder.js

@@ -0,0 +1,78 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createRoleBuilder = createRoleBuilder;
+const aws_iam_1 = require("aws-cdk-lib/aws-iam");
+const core_1 = require("@composurecdk/core");
+const cloudformation_1 = require("@composurecdk/cloudformation");
+const role_defaults_js_1 = require("./role-defaults.js");
+const statement_builder_js_1 = require("./statement-builder.js");
+class RoleBuilder {
+    props = {};
+    #inlinePolicies = [];
+    /**
+     * Append an inline policy to the role, embedded in the underlying
+     * `AWS::IAM::Role` resource's `Policies` array. The policy name becomes
+     * the key under which the resulting {@link PolicyDocument} appears in
+     * {@link RoleBuilderResult.inlinePolicies}.
+     *
+     * Accepts either {@link PolicyStatement} instances or
+     * {@link StatementBuilder}s (which are built lazily during {@link build}
+     * so that wildcard-resource validation runs at the composition boundary
+     * rather than at configuration time).
+     */
+    addInlinePolicyStatements(name, statements) {
+        this.#inlinePolicies.push({ name, statements });
+        return this;
+    }
+    /** @internal — see ADR-0005. */
+    [core_1.COPY_STATE](target) {
+        target.#inlinePolicies.push(...this.#inlinePolicies);
+    }
+    build(scope, id, context = {}) {
+        const { permissionsBoundary, assumedBy, inlinePolicies: propsInlinePolicies, ...rest } = this.props;
+        if (!assumedBy) {
+            throw new Error(`RoleBuilder "${id}": assumedBy(...) must be called before build(). ` +
+                `An IAM role requires a trust policy principal.`);
+        }
+        const resolvedBoundary = permissionsBoundary
+            ? (0, core_1.resolve)(permissionsBoundary, context)
+            : undefined;
+        const addedInlinePolicies = {};
+        for (const entry of this.#inlinePolicies) {
+            const resolvedStatements = entry.statements.map((s) => s instanceof statement_builder_js_1.StatementBuilder ? s.build() : s);
+            addedInlinePolicies[entry.name] = new aws_iam_1.PolicyDocument({ statements: resolvedStatements });
+        }
+        const mergedInlinePolicies = {
+            ...(propsInlinePolicies ?? {}),
+            ...addedInlinePolicies,
+        };
+        const mergedProps = {
+            ...role_defaults_js_1.ROLE_DEFAULTS,
+            ...rest,
+            assumedBy,
+            ...(Object.keys(mergedInlinePolicies).length > 0
+                ? { inlinePolicies: mergedInlinePolicies }
+                : {}),
+            ...(resolvedBoundary ? { permissionsBoundary: resolvedBoundary } : {}),
+        };
+        const role = new aws_iam_1.Role(scope, id, mergedProps);
+        return { role, inlinePolicies: addedInlinePolicies };
+    }
+}
+/**
+ * Creates a new {@link IRoleBuilder} for configuring an AWS IAM role.
+ *
+ * @returns A fluent builder for an AWS IAM role.
+ *
+ * @example
+ * ```ts
+ * const role = createRoleBuilder()
+ *   .assumedBy(new ServicePrincipal("lambda.amazonaws.com"))
+ *   .description("Lambda execution role")
+ *   .build(stack, "LambdaRole");
+ * ```
+ */
+function createRoleBuilder() {
+    return (0, cloudformation_1.taggedBuilder)(RoleBuilder);
+}
+//# sourceMappingURL=role-builder.js.map

package/dist/commonjs/role-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"role-builder.js","sourceRoot":"","sources":["../../src/role-builder.ts"],"names":[],"mappings":";;AAwLA,8CAEC;AA1LD,iDAM6B;AAE7B,6CAA0F;AAC1F,iEAAkF;AAClF,yDAAmD;AACnD,iEAA0D;AAoF1D,MAAM,WAAW;IACf,KAAK,GAA8B,EAAE,CAAC;IAC7B,eAAe,GAAwB,EAAE,CAAC;IAEnD;;;;;;;;;;OAUG;IACH,yBAAyB,CACvB,IAAY,EACZ,UAAkD;QAElD,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC;QAChD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gCAAgC;IAChC,CAAC,iBAAU,CAAC,CAAC,MAAmB;QAC9B,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,eAAe,CAAC,CAAC;IACvD,CAAC;IAED,KAAK,CAAC,KAAiB,EAAE,EAAU,EAAE,UAAkC,EAAE;QACvE,MAAM,EACJ,mBAAmB,EACnB,SAAS,EACT,cAAc,EAAE,mBAAmB,EACnC,GAAG,IAAI,EACR,GAAG,IAAI,CAAC,KAAK,CAAC;QAEf,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACb,gBAAgB,EAAE,mDAAmD;gBACnE,gDAAgD,CACnD,CAAC;QACJ,CAAC;QAED,MAAM,gBAAgB,GAAG,mBAAmB;YAC1C,CAAC,CAAC,IAAA,cAAO,EAAC,mBAAmB,EAAE,OAAO,CAAC;YACvC,CAAC,CAAC,SAAS,CAAC;QAEd,MAAM,mBAAmB,GAAmC,EAAE,CAAC;QAC/D,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACzC,MAAM,kBAAkB,GAAG,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CACpD,CAAC,YAAY,uCAAgB,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,CAC9C,CAAC;YACF,mBAAmB,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,wBAAc,CAAC,EAAE,UAAU,EAAE,kBAAkB,EAAE,CAAC,CAAC;QAC3F,CAAC;QAED,MAAM,oBAAoB,GAAmC;YAC3D,GAAG,CAAC,mBAAmB,IAAI,EAAE,CAAC;YAC9B,GAAG,mBAAmB;SACvB,CAAC;QAEF,MAAM,WAAW,GAAc;YAC7B,GAAG,gCAAa;YAChB,GAAG,IAAI;YACP,SAAS;YACT,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,MAAM,GAAG,CAAC;gBAC9C,CAAC,CAAC,EAAE,cAAc,EAAE,oBAAoB,EAAE;gBAC1C,CAAC,CAAC,EAAE,CAAC;YACP,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACvE,CAAC;QAEF,MAAM,IAAI,GAAG,IAAI,cAAI,CAAC,KAAK,EAAE,EAAE,EAAE,WAAW,CAAC,CAAC;QAE9C,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,mBAAmB,EAAE,CAAC;IACvD,CAAC;CACF;AAED;;;;;;;;;;;;GAYG;AACH,SAAgB,iBAAiB;IAC/B,OAAO,IAAA,8BAAa,EAAgC,WAAW,CAAC,CAAC;AACnE,CAAC"}

package/dist/commonjs/role-defaults.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"role-defaults.d.ts","sourceRoot":"","sources":["../../src/role-defaults.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAErD;;;;GAIG;AACH,eAAO,MAAM,aAAa,EAAE,OAAO,CAAC,SAAS,CAa5C,CAAC"}

package/dist/commonjs/role-defaults.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ROLE_DEFAULTS = void 0;
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+/**
+ * Secure, AWS-recommended defaults applied to every IAM role built with
+ * {@link createRoleBuilder}. Each property can be individually overridden
+ * via the builder's fluent API.
+ */
+exports.ROLE_DEFAULTS = {
+    /**
+     * Cap the session duration to one hour by default.
+     *
+     * Short-lived credentials reduce the blast radius of leaked or misused
+     * role sessions. Callers that genuinely need longer sessions (for
+     * example, long-running batch jobs that assume the role once) should
+     * override via {@link IRoleBuilder.maxSessionDuration}.
+     *
+     * @see https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_permissions_define_guardrails.html
+     * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
+     */
+    maxSessionDuration: aws_cdk_lib_1.Duration.hours(1),
+};
+//# sourceMappingURL=role-defaults.js.map

package/dist/commonjs/role-defaults.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"role-defaults.js","sourceRoot":"","sources":["../../src/role-defaults.ts"],"names":[],"mappings":";;;AAAA,6CAAuC;AAGvC;;;;GAIG;AACU,QAAA,aAAa,GAAuB;IAC/C;;;;;;;;;;OAUG;IACH,kBAAkB,EAAE,sBAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;CACtC,CAAC"}

package/dist/commonjs/service-role-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"service-role-builder.d.ts","sourceRoot":"","sources":["../../src/service-role-builder.ts"],"names":[],"mappings":"AACA,OAAO,EAAqB,KAAK,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEzE;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,wBAAwB,CAAC,gBAAgB,EAAE,MAAM,GAAG,YAAY,CAE/E"}

package/dist/commonjs/service-role-builder.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createServiceRoleBuilder = createServiceRoleBuilder;
+const aws_iam_1 = require("aws-cdk-lib/aws-iam");
+const role_builder_js_1 = require("./role-builder.js");
+/**
+ * Creates a pre-configured {@link IRoleBuilder} whose trust policy allows
+ * the given AWS service principal to assume the role.
+ *
+ * Thin sugar over {@link createRoleBuilder} for the most common role shape:
+ * a service-assumable role (Lambda, EC2, Budgets, etc.) with no extra
+ * trust-policy conditions. Any property set by the caller afterwards
+ * (including `assumedBy`) still wins, because the underlying builder
+ * simply records the last value written.
+ *
+ * @param servicePrincipal - The service identifier, e.g.
+ *   `"lambda.amazonaws.com"` or `"budgets.amazonaws.com"`.
+ * @returns A role builder with `assumedBy` preset to the given service.
+ *
+ * @example
+ * ```ts
+ * const role = createServiceRoleBuilder("lambda.amazonaws.com")
+ *   .description("Execution role for StopEC2 Lambda")
+ *   .addInlinePolicyStatements("StopEC2", [ ... ]);
+ * ```
+ */
+function createServiceRoleBuilder(servicePrincipal) {
+    return (0, role_builder_js_1.createRoleBuilder)().assumedBy(new aws_iam_1.ServicePrincipal(servicePrincipal));
+}
+//# sourceMappingURL=service-role-builder.js.map

package/dist/commonjs/service-role-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"service-role-builder.js","sourceRoot":"","sources":["../../src/service-role-builder.ts"],"names":[],"mappings":";;AAwBA,4DAEC;AA1BD,iDAAuD;AACvD,uDAAyE;AAEzE;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,SAAgB,wBAAwB,CAAC,gBAAwB;IAC/D,OAAO,IAAA,mCAAiB,GAAE,CAAC,SAAS,CAAC,IAAI,0BAAgB,CAAC,gBAAgB,CAAC,CAAC,CAAC;AAC/E,CAAC"}

package/dist/commonjs/statement-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"statement-builder.d.ts","sourceRoot":"","sources":["../../src/statement-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,MAAM,EACN,KAAK,UAAU,EACf,eAAe,EAEhB,MAAM,qBAAqB,CAAC;AAE7B;;;;;;;;;GASG;AACH,qBAAa,qBAAsB,SAAQ,KAAK;gBAClC,GAAG,CAAC,EAAE,MAAM;CAOzB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,qBAAa,gBAAgB;;IAY3B,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IAKtB,KAAK,IAAI,IAAI;IAKb,IAAI,IAAI,IAAI;IAKZ,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAK5B,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI;IAKhC,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI;IAKnC,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,IAAI;IAKpC,YAAY,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,IAAI;IAKvC,UAAU,CAAC,UAAU,EAAE,UAAU,EAAE,GAAG,IAAI;IAK1C,aAAa,CAAC,UAAU,EAAE,UAAU,EAAE,GAAG,IAAI;IAK7C,UAAU,CAAC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,GAAG,IAAI;IAKrE;;;;;;;;;;OAUG;IACH,sBAAsB,CAAC,KAAK,UAAO,GAAG,IAAI;IAK1C;;;;;OAKG;IACH,KAAK,IAAI,eAAe;CAuBzB;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,IAAI,gBAAgB,CAEzD"}

package/dist/commonjs/statement-builder.js

@@ -0,0 +1,158 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.StatementBuilder = exports.WildcardResourceError = void 0;
+exports.createStatementBuilder = createStatementBuilder;
+const aws_iam_1 = require("aws-cdk-lib/aws-iam");
+/**
+ * Thrown when a {@link StatementBuilder} is built with an `Allow` effect and
+ * an unrestricted resource (`"*"`) without the caller having explicitly
+ * opted in via {@link StatementBuilder.allowWildcardResources}.
+ *
+ * Wildcard-resource allow statements grant the widest possible permission
+ * surface and should be an intentional choice, not an accident.
+ *
+ * @see https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/permissions-management.html
+ */
+class WildcardResourceError extends Error {
+    constructor(sid) {
+        super(`PolicyStatement${sid ? ` "${sid}"` : ""} has Effect=Allow with a wildcard resource ("*"). ` +
+            `Scope the resources or call allowWildcardResources(true) to opt in explicitly.`);
+        this.name = "WildcardResourceError";
+    }
+}
+exports.WildcardResourceError = WildcardResourceError;
+/**
+ * Fluent wrapper around the CDK {@link PolicyStatement}.
+ *
+ * Unlike other ComposureCDK builders this one is **not** a
+ * {@link Lifecycle} — a policy statement is inline data attached to a Role,
+ * ManagedPolicy, or resource policy rather than a standalone CDK construct,
+ * so there is nothing to attach to a scope.
+ *
+ * The builder exists to:
+ * - centralise least-privilege validation (wildcard-resource guard,
+ *   {@link WildcardResourceError}),
+ * - give every consumer (Role, ManagedPolicy, SNS TopicPolicy, future
+ *   SQS/S3 bucket policies) one fluent API,
+ * - remain interchangeable with raw {@link PolicyStatement} instances via
+ *   {@link StatementBuilder.build}.
+ *
+ * @example
+ * ```ts
+ * const stmt = createStatementBuilder()
+ *   .sid("StopDevInstances")
+ *   .allow()
+ *   .actions(["ec2:StopInstances", "ec2:DescribeInstances"])
+ *   .resources(["*"])
+ *   .allowWildcardResources(true)
+ *   .build();
+ * ```
+ */
+class StatementBuilder {
+    #sid;
+    #effect = aws_iam_1.Effect.ALLOW;
+    #actions = [];
+    #notActions = [];
+    #resources = [];
+    #notResources = [];
+    #principals = [];
+    #notPrincipals = [];
+    #conditions;
+    #allowWildcardResources = false;
+    sid(sid) {
+        this.#sid = sid;
+        return this;
+    }
+    allow() {
+        this.#effect = aws_iam_1.Effect.ALLOW;
+        return this;
+    }
+    deny() {
+        this.#effect = aws_iam_1.Effect.DENY;
+        return this;
+    }
+    effect(effect) {
+        this.#effect = effect;
+        return this;
+    }
+    actions(actions) {
+        this.#actions = [...actions];
+        return this;
+    }
+    notActions(actions) {
+        this.#notActions = [...actions];
+        return this;
+    }
+    resources(resources) {
+        this.#resources = [...resources];
+        return this;
+    }
+    notResources(resources) {
+        this.#notResources = [...resources];
+        return this;
+    }
+    principals(principals) {
+        this.#principals = [...principals];
+        return this;
+    }
+    notPrincipals(principals) {
+        this.#notPrincipals = [...principals];
+        return this;
+    }
+    conditions(conditions) {
+        this.#conditions = { ...conditions };
+        return this;
+    }
+    /**
+     * Opt in to Effect=Allow statements with wildcard resources (`"*"`).
+     *
+     * The builder rejects wildcard resources by default to surface
+     * least-privilege violations; call this to acknowledge that the
+     * statement genuinely needs unrestricted scope (for example actions
+     * such as `ec2:DescribeInstances` that do not support resource-level
+     * permissions).
+     *
+     * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html
+     */
+    allowWildcardResources(allow = true) {
+        this.#allowWildcardResources = allow;
+        return this;
+    }
+    /**
+     * Construct and return a {@link PolicyStatement} from the configured state.
+     *
+     * @throws {WildcardResourceError} when the statement is an Allow with a
+     *   wildcard resource and wildcard resources have not been opted in to.
+     */
+    build() {
+        if (this.#effect === aws_iam_1.Effect.ALLOW &&
+            !this.#allowWildcardResources &&
+            this.#resources.some((r) => r === "*")) {
+            throw new WildcardResourceError(this.#sid);
+        }
+        const props = {
+            sid: this.#sid,
+            effect: this.#effect,
+            actions: this.#actions.length > 0 ? this.#actions : undefined,
+            notActions: this.#notActions.length > 0 ? this.#notActions : undefined,
+            resources: this.#resources.length > 0 ? this.#resources : undefined,
+            notResources: this.#notResources.length > 0 ? this.#notResources : undefined,
+            principals: this.#principals.length > 0 ? this.#principals : undefined,
+            notPrincipals: this.#notPrincipals.length > 0 ? this.#notPrincipals : undefined,
+            conditions: this.#conditions,
+        };
+        return new aws_iam_1.PolicyStatement(props);
+    }
+}
+exports.StatementBuilder = StatementBuilder;
+/**
+ * Creates a new {@link StatementBuilder} for configuring an IAM
+ * {@link PolicyStatement} with least-privilege guardrails.
+ *
+ * @returns A fluent builder that produces a {@link PolicyStatement} when
+ *   {@link StatementBuilder.build} is called.
+ */
+function createStatementBuilder() {
+    return new StatementBuilder();
+}
+//# sourceMappingURL=statement-builder.js.map

package/dist/commonjs/statement-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"statement-builder.js","sourceRoot":"","sources":["../../src/statement-builder.ts"],"names":[],"mappings":";;;AA+KA,wDAEC;AAjLD,iDAK6B;AAE7B;;;;;;;;;GASG;AACH,MAAa,qBAAsB,SAAQ,KAAK;IAC9C,YAAY,GAAY;QACtB,KAAK,CACH,kBAAkB,GAAG,CAAC,CAAC,CAAC,KAAK,GAAG,GAAG,CAAC,CAAC,CAAC,EAAE,oDAAoD;YAC1F,gFAAgF,CACnF,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC;IACtC,CAAC;CACF;AARD,sDAQC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,MAAa,gBAAgB;IAC3B,IAAI,CAAU;IACd,OAAO,GAAW,gBAAM,CAAC,KAAK,CAAC;IAC/B,QAAQ,GAAa,EAAE,CAAC;IACxB,WAAW,GAAa,EAAE,CAAC;IAC3B,UAAU,GAAa,EAAE,CAAC;IAC1B,aAAa,GAAa,EAAE,CAAC;IAC7B,WAAW,GAAiB,EAAE,CAAC;IAC/B,cAAc,GAAiB,EAAE,CAAC;IAClC,WAAW,CAA2C;IACtD,uBAAuB,GAAG,KAAK,CAAC;IAEhC,GAAG,CAAC,GAAW;QACb,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC;QAChB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK;QACH,IAAI,CAAC,OAAO,GAAG,gBAAM,CAAC,KAAK,CAAC;QAC5B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI;QACF,IAAI,CAAC,OAAO,GAAG,gBAAM,CAAC,IAAI,CAAC;QAC3B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,MAAc;QACnB,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,CAAC,OAAiB;QACvB,IAAI,CAAC,QAAQ,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,UAAU,CAAC,OAAiB;QAC1B,IAAI,CAAC,WAAW,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC;QAChC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,SAAS,CAAC,SAAmB;QAC3B,IAAI,CAAC,UAAU,GAAG,CAAC,GAAG,SAAS,CAAC,CAAC;QACjC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,YAAY,CAAC,SAAmB;QAC9B,IAAI,CAAC,aAAa,GAAG,CAAC,GAAG,SAAS,CAAC,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,UAAU,CAAC,UAAwB;QACjC,IAAI,CAAC,WAAW,GAAG,CAAC,GAAG,UAAU,CAAC,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,aAAa,CAAC,UAAwB;QACpC,IAAI,CAAC,cAAc,GAAG,CAAC,GAAG,UAAU,CAAC,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,UAAU,CAAC,UAAmD;QAC5D,IAAI,CAAC,WAAW,GAAG,EAAE,GAAG,UAAU,EAAE,CAAC;QACrC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;;OAUG;IACH,sBAAsB,CAAC,KAAK,GAAG,IAAI;QACjC,IAAI,CAAC,uBAAuB,GAAG,KAAK,CAAC;QACrC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;OAKG;IACH,KAAK;QACH,IACE,IAAI,CAAC,OAAO,KAAK,gBAAM,CAAC,KAAK;YAC7B,CAAC,IAAI,CAAC,uBAAuB;YAC7B,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,GAAG,CAAC,EACtC,CAAC;YACD,MAAM,IAAI,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7C,CAAC;QAED,MAAM,KAAK,GAAyB;YAClC,GAAG,EAAE,IAAI,CAAC,IAAI;YACd,MAAM,EAAE,IAAI,CAAC,OAAO;YACpB,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;YAC7D,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS;YACtE,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YACnE,YAAY,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS;YAC5E,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS;YACtE,aAAa,EAAE,IAAI,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,SAAS;YAC/E,UAAU,EAAE,IAAI,CAAC,WAAW;SAC7B,CAAC;QAEF,OAAO,IAAI,yBAAe,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;CACF;AAhHD,4CAgHC;AAED;;;;;;GAMG;AACH,SAAgB,sBAAsB;IACpC,OAAO,IAAI,gBAAgB,EAAE,CAAC;AAChC,CAAC"}

package/dist/esm/index.d.ts

@@ -0,0 +1,6 @@
+export { createRoleBuilder, type IRoleBuilder, type RoleBuilderProps, type RoleBuilderResult, } from "./role-builder.js";
+export { ROLE_DEFAULTS } from "./role-defaults.js";
+export { createManagedPolicyBuilder, type IManagedPolicyBuilder, type ManagedPolicyBuilderProps, type ManagedPolicyBuilderResult, } from "./managed-policy-builder.js";
+export { createServiceRoleBuilder } from "./service-role-builder.js";
+export { createStatementBuilder, StatementBuilder, WildcardResourceError, } from "./statement-builder.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/esm/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,iBAAiB,EACjB,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,KAAK,iBAAiB,GACvB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EACL,0BAA0B,EAC1B,KAAK,qBAAqB,EAC1B,KAAK,yBAAyB,EAC9B,KAAK,0BAA0B,GAChC,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,wBAAwB,EAAE,MAAM,2BAA2B,CAAC;AACrE,OAAO,EACL,sBAAsB,EACtB,gBAAgB,EAChB,qBAAqB,GACtB,MAAM,wBAAwB,CAAC"}

package/dist/esm/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,iBAAiB,GAIlB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EACL,0BAA0B,GAI3B,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,wBAAwB,EAAE,MAAM,2BAA2B,CAAC;AACrE,OAAO,EACL,sBAAsB,EACtB,gBAAgB,EAChB,qBAAqB,GACtB,MAAM,wBAAwB,CAAC"}

package/dist/esm/managed-policy-builder.d.ts

@@ -0,0 +1,62 @@
+import { ManagedPolicy, type ManagedPolicyProps, PolicyStatement } from "aws-cdk-lib/aws-iam";
+import type { IConstruct } from "constructs";
+import { COPY_STATE, type IBuilder, type Lifecycle } from "@composurecdk/core";
+import { StatementBuilder } from "./statement-builder.js";
+/**
+ * Configuration properties for the customer-managed IAM policy builder.
+ *
+ * Extends the CDK {@link ManagedPolicyProps} unchanged — the builder adds
+ * an {@link IManagedPolicyBuilder.addStatements | addStatements} method that
+ * accepts either {@link PolicyStatement} or {@link StatementBuilder}.
+ */
+export type ManagedPolicyBuilderProps = ManagedPolicyProps;
+/**
+ * The build output of an {@link IManagedPolicyBuilder}.
+ */
+export interface ManagedPolicyBuilderResult {
+    /** The customer-managed policy created by the builder. */
+    policy: ManagedPolicy;
+}
+/**
+ * A fluent builder for configuring and creating an AWS IAM
+ * customer-managed policy.
+ *
+ * @see https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.ManagedPolicy.html
+ *
+ * @example
+ * ```ts
+ * const boundary = createManagedPolicyBuilder()
+ *   .managedPolicyName("ops-boundary")
+ *   .addStatements([
+ *     createStatementBuilder()
+ *       .allow()
+ *       .actions(["s3:GetObject"])
+ *       .resources(["arn:aws:s3:::my-bucket/*"]),
+ *   ]);
+ * ```
+ */
+export type IManagedPolicyBuilder = IBuilder<ManagedPolicyBuilderProps, ManagedPolicyBuilder>;
+declare class ManagedPolicyBuilder implements Lifecycle<ManagedPolicyBuilderResult> {
+    #private;
+    props: Partial<ManagedPolicyBuilderProps>;
+    /**
+     * Append policy statements to the managed policy.
+     *
+     * Accepts either {@link PolicyStatement} or {@link StatementBuilder}.
+     * Statement builders are resolved during {@link build} so wildcard-resource
+     * validation runs at the composition boundary.
+     */
+    addStatements(statements: (PolicyStatement | StatementBuilder)[]): this;
+    /** @internal — see ADR-0005. */
+    [COPY_STATE](target: ManagedPolicyBuilder): void;
+    build(scope: IConstruct, id: string): ManagedPolicyBuilderResult;
+}
+/**
+ * Creates a new {@link IManagedPolicyBuilder} for configuring an AWS IAM
+ * customer-managed policy.
+ *
+ * @returns A fluent builder for a customer-managed policy.
+ */
+export declare function createManagedPolicyBuilder(): IManagedPolicyBuilder;
+export {};
+//# sourceMappingURL=managed-policy-builder.d.ts.map

package/dist/esm/managed-policy-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"managed-policy-builder.d.ts","sourceRoot":"","sources":["../../src/managed-policy-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,KAAK,kBAAkB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAC9F,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAW,UAAU,EAAE,KAAK,QAAQ,EAAE,KAAK,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACxF,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE1D;;;;;;GAMG;AACH,MAAM,MAAM,yBAAyB,GAAG,kBAAkB,CAAC;AAE3D;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,0DAA0D;IAC1D,MAAM,EAAE,aAAa,CAAC;CACvB;AAED;;;;;;;;;;;;;;;;;GAiBG;AAEH,MAAM,MAAM,qBAAqB,GAAG,QAAQ,CAAC,yBAAyB,EAAE,oBAAoB,CAAC,CAAC;AAE9F,cAAM,oBAAqB,YAAW,SAAS,CAAC,0BAA0B,CAAC;;IACzE,KAAK,EAAE,OAAO,CAAC,yBAAyB,CAAC,CAAM;IAG/C;;;;;;OAMG;IACH,aAAa,CAAC,UAAU,EAAE,CAAC,eAAe,GAAG,gBAAgB,CAAC,EAAE,GAAG,IAAI;IAKvE,gCAAgC;IAChC,CAAC,UAAU,CAAC,CAAC,MAAM,EAAE,oBAAoB,GAAG,IAAI;IAIhD,KAAK,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,GAAG,0BAA0B;CAajE;AAED;;;;;GAKG;AACH,wBAAgB,0BAA0B,IAAI,qBAAqB,CAGlE"}

package/dist/{managed-policy-builder.js → esm/managed-policy-builder.js}

@@ -1,5 +1,5 @@
 import { ManagedPolicy } from "aws-cdk-lib/aws-iam";
-import { Builder } from "@composurecdk/core";
+import { Builder, COPY_STATE } from "@composurecdk/core";
 import { StatementBuilder } from "./statement-builder.js";
 class ManagedPolicyBuilder {
     props = {};
@@ -15,6 +15,10 @@ class ManagedPolicyBuilder {
         this.#extraStatements.push(...statements);
         return this;
     }
+    /** @internal — see ADR-0005. */
+    [COPY_STATE](target) {
+        target.#extraStatements.push(...this.#extraStatements);
+    }
     build(scope, id) {
         const resolvedExtras = this.#extraStatements.map((s) => s instanceof StatementBuilder ? s.build() : s);
         const mergedProps = {
@@ -32,6 +36,7 @@ class ManagedPolicyBuilder {
  * @returns A fluent builder for a customer-managed policy.
  */
 export function createManagedPolicyBuilder() {
+    // eslint-disable-next-line composurecdk/builder-must-be-tagged -- AWS::IAM::ManagedPolicy has no Tags property
     return Builder(ManagedPolicyBuilder);
 }
 //# sourceMappingURL=managed-policy-builder.js.map

package/dist/esm/managed-policy-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"managed-policy-builder.js","sourceRoot":"","sources":["../../src/managed-policy-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAA4C,MAAM,qBAAqB,CAAC;AAE9F,OAAO,EAAE,OAAO,EAAE,UAAU,EAAiC,MAAM,oBAAoB,CAAC;AACxF,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAwC1D,MAAM,oBAAoB;IACxB,KAAK,GAAuC,EAAE,CAAC;IACtC,gBAAgB,GAA2C,EAAE,CAAC;IAEvE;;;;;;OAMG;IACH,aAAa,CAAC,UAAkD;QAC9D,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;QAC1C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gCAAgC;IAChC,CAAC,UAAU,CAAC,CAAC,MAA4B;QACvC,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,gBAAgB,CAAC,CAAC;IACzD,CAAC;IAED,KAAK,CAAC,KAAiB,EAAE,EAAU;QACjC,MAAM,cAAc,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CACrD,CAAC,YAAY,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,CAC9C,CAAC;QAEF,MAAM,WAAW,GAAuB;YACtC,GAAG,IAAI,CAAC,KAAK;YACb,UAAU,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,GAAG,cAAc,CAAC;SAClE,CAAC;QAEF,MAAM,MAAM,GAAG,IAAI,aAAa,CAAC,KAAK,EAAE,EAAE,EAAE,WAAW,CAAC,CAAC;QACzD,OAAO,EAAE,MAAM,EAAE,CAAC;IACpB,CAAC;CACF;AAED;;;;;GAKG;AACH,MAAM,UAAU,0BAA0B;IACxC,+GAA+G;IAC/G,OAAO,OAAO,CAAkD,oBAAoB,CAAC,CAAC;AACxF,CAAC"}

package/dist/esm/package.json

@@ -0,0 +1,3 @@
+{
+  "type": "module"
+}

package/dist/esm/role-builder.d.ts

@@ -0,0 +1,113 @@
+import { type IManagedPolicy, PolicyDocument, PolicyStatement, Role, type RoleProps } from "aws-cdk-lib/aws-iam";
+import type { IConstruct } from "constructs";
+import { COPY_STATE, type Lifecycle, type Resolvable } from "@composurecdk/core";
+import { type ITaggedBuilder } from "@composurecdk/cloudformation";
+import { StatementBuilder } from "./statement-builder.js";
+/**
+ * Configuration properties for the IAM role builder.
+ *
+ * Extends the CDK {@link RoleProps} with builder-specific options for
+ * cross-component wiring: `permissionsBoundary` accepts a {@link Resolvable}
+ * so boundary policies built by sibling components can be referenced at
+ * configuration time.
+ */
+export interface RoleBuilderProps extends Omit<RoleProps, "permissionsBoundary"> {
+    /**
+     * A permissions boundary that caps the maximum permissions this role
+     * can ever grant, regardless of inline or managed policies attached.
+     *
+     * Accepts a concrete {@link IManagedPolicy} or a {@link Resolvable} for
+     * cross-component wiring (e.g. `ref("boundary", r => r.policy)`).
+     *
+     * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
+     */
+    permissionsBoundary?: Resolvable<IManagedPolicy>;
+}
+/**
+ * The build output of an {@link IRoleBuilder}.
+ *
+ * Exposes every CDK construct the builder creates so consumers can reference,
+ * extend, or attach additional policies to them.
+ */
+export interface RoleBuilderResult {
+    /** The IAM role construct created by the builder. */
+    role: Role;
+    /**
+     * Inline {@link PolicyDocument}s created for each
+     * {@link IRoleBuilder.addInlinePolicyStatements} call, keyed by the
+     * policy name supplied to the call.
+     *
+     * The documents are embedded in the underlying `AWS::IAM::Role`
+     * resource via the native `Policies` array — no separate
+     * `AWS::IAM::Policy` resources are created.
+     *
+     * Inline policies supplied directly via the native `inlinePolicies`
+     * prop on {@link RoleProps} do not appear in this map.
+     */
+    inlinePolicies: Record<string, PolicyDocument>;
+}
+/**
+ * A fluent builder for configuring and creating an AWS IAM role.
+ *
+ * Each configuration property from the CDK {@link RoleProps} is exposed as
+ * an overloaded method: call with a value to set it, or with no arguments
+ * to read the current value.
+ *
+ * The builder implements {@link Lifecycle}, so it can be used directly as a
+ * component in a {@link compose | composed system}. When built it creates
+ * an IAM role with well-architected defaults ({@link ROLE_DEFAULTS}) and
+ * returns a {@link RoleBuilderResult}.
+ *
+ * @see https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html
+ *
+ * @example
+ * ```ts
+ * const role = createRoleBuilder()
+ *   .assumedBy(new ServicePrincipal("lambda.amazonaws.com"))
+ *   .description("Execution role for the budget remediation Lambda")
+ *   .addInlinePolicyStatements("StopEC2", [
+ *     createStatementBuilder()
+ *       .allow()
+ *       .actions(["ec2:StopInstances", "ec2:DescribeInstances"])
+ *       .resources(["*"])
+ *       .allowWildcardResources(true)
+ *       .build(),
+ *   ]);
+ * ```
+ */
+export type IRoleBuilder = ITaggedBuilder<RoleBuilderProps, RoleBuilder>;
+declare class RoleBuilder implements Lifecycle<RoleBuilderResult> {
+    #private;
+    props: Partial<RoleBuilderProps>;
+    /**
+     * Append an inline policy to the role, embedded in the underlying
+     * `AWS::IAM::Role` resource's `Policies` array. The policy name becomes
+     * the key under which the resulting {@link PolicyDocument} appears in
+     * {@link RoleBuilderResult.inlinePolicies}.
+     *
+     * Accepts either {@link PolicyStatement} instances or
+     * {@link StatementBuilder}s (which are built lazily during {@link build}
+     * so that wildcard-resource validation runs at the composition boundary
+     * rather than at configuration time).
+     */
+    addInlinePolicyStatements(name: string, statements: (PolicyStatement | StatementBuilder)[]): this;
+    /** @internal — see ADR-0005. */
+    [COPY_STATE](target: RoleBuilder): void;
+    build(scope: IConstruct, id: string, context?: Record<string, object>): RoleBuilderResult;
+}
+/**
+ * Creates a new {@link IRoleBuilder} for configuring an AWS IAM role.
+ *
+ * @returns A fluent builder for an AWS IAM role.
+ *
+ * @example
+ * ```ts
+ * const role = createRoleBuilder()
+ *   .assumedBy(new ServicePrincipal("lambda.amazonaws.com"))
+ *   .description("Lambda execution role")
+ *   .build(stack, "LambdaRole");
+ * ```
+ */
+export declare function createRoleBuilder(): IRoleBuilder;
+export {};
+//# sourceMappingURL=role-builder.d.ts.map

package/dist/esm/role-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"role-builder.d.ts","sourceRoot":"","sources":["../../src/role-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,cAAc,EACnB,cAAc,EACd,eAAe,EACf,IAAI,EACJ,KAAK,SAAS,EACf,MAAM,qBAAqB,CAAC;AAC7B,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,KAAK,SAAS,EAAW,KAAK,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAC1F,OAAO,EAAE,KAAK,cAAc,EAAiB,MAAM,8BAA8B,CAAC;AAElF,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE1D;;;;;;;GAOG;AACH,MAAM,WAAW,gBAAiB,SAAQ,IAAI,CAAC,SAAS,EAAE,qBAAqB,CAAC;IAC9E;;;;;;;;OAQG;IACH,mBAAmB,CAAC,EAAE,UAAU,CAAC,cAAc,CAAC,CAAC;CAClD;AAED;;;;;GAKG;AACH,MAAM,WAAW,iBAAiB;IAChC,qDAAqD;IACrD,IAAI,EAAE,IAAI,CAAC;IAEX;;;;;;;;;;;OAWG;IACH,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;CAChD;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,MAAM,MAAM,YAAY,GAAG,cAAc,CAAC,gBAAgB,EAAE,WAAW,CAAC,CAAC;AAOzE,cAAM,WAAY,YAAW,SAAS,CAAC,iBAAiB,CAAC;;IACvD,KAAK,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAM;IAGtC;;;;;;;;;;OAUG;IACH,yBAAyB,CACvB,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,CAAC,eAAe,GAAG,gBAAgB,CAAC,EAAE,GACjD,IAAI;IAKP,gCAAgC;IAChC,CAAC,UAAU,CAAC,CAAC,MAAM,EAAE,WAAW,GAAG,IAAI;IAIvC,KAAK,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,EAAE,OAAO,GAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAM,GAAG,iBAAiB;CA8C9F;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,iBAAiB,IAAI,YAAY,CAEhD"}

package/dist/{role-builder.js → esm/role-builder.js}

@@ -1,5 +1,6 @@
 import { PolicyDocument, Role, } from "aws-cdk-lib/aws-iam";
-import { Builder, resolve, } from "@composurecdk/core";
+import { COPY_STATE, resolve } from "@composurecdk/core";
+import { taggedBuilder } from "@composurecdk/cloudformation";
 import { ROLE_DEFAULTS } from "./role-defaults.js";
 import { StatementBuilder } from "./statement-builder.js";
 class RoleBuilder {
@@ -20,6 +21,10 @@ class RoleBuilder {
         this.#inlinePolicies.push({ name, statements });
         return this;
     }
+    /** @internal — see ADR-0005. */
+    [COPY_STATE](target) {
+        target.#inlinePolicies.push(...this.#inlinePolicies);
+    }
     build(scope, id, context = {}) {
         const { permissionsBoundary, assumedBy, inlinePolicies: propsInlinePolicies, ...rest } = this.props;
         if (!assumedBy) {
@@ -65,6 +70,6 @@ class RoleBuilder {
  * ```
  */
 export function createRoleBuilder() {
-    return Builder(RoleBuilder);
+    return taggedBuilder(RoleBuilder);
 }
 //# sourceMappingURL=role-builder.js.map

package/dist/esm/role-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"role-builder.js","sourceRoot":"","sources":["../../src/role-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,cAAc,EAEd,IAAI,GAEL,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EAAE,UAAU,EAAkB,OAAO,EAAmB,MAAM,oBAAoB,CAAC;AAC1F,OAAO,EAAuB,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAClF,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAoF1D,MAAM,WAAW;IACf,KAAK,GAA8B,EAAE,CAAC;IAC7B,eAAe,GAAwB,EAAE,CAAC;IAEnD;;;;;;;;;;OAUG;IACH,yBAAyB,CACvB,IAAY,EACZ,UAAkD;QAElD,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC;QAChD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gCAAgC;IAChC,CAAC,UAAU,CAAC,CAAC,MAAmB;QAC9B,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,eAAe,CAAC,CAAC;IACvD,CAAC;IAED,KAAK,CAAC,KAAiB,EAAE,EAAU,EAAE,UAAkC,EAAE;QACvE,MAAM,EACJ,mBAAmB,EACnB,SAAS,EACT,cAAc,EAAE,mBAAmB,EACnC,GAAG,IAAI,EACR,GAAG,IAAI,CAAC,KAAK,CAAC;QAEf,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACb,gBAAgB,EAAE,mDAAmD;gBACnE,gDAAgD,CACnD,CAAC;QACJ,CAAC;QAED,MAAM,gBAAgB,GAAG,mBAAmB;YAC1C,CAAC,CAAC,OAAO,CAAC,mBAAmB,EAAE,OAAO,CAAC;YACvC,CAAC,CAAC,SAAS,CAAC;QAEd,MAAM,mBAAmB,GAAmC,EAAE,CAAC;QAC/D,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACzC,MAAM,kBAAkB,GAAG,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CACpD,CAAC,YAAY,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,CAC9C,CAAC;YACF,mBAAmB,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,cAAc,CAAC,EAAE,UAAU,EAAE,kBAAkB,EAAE,CAAC,CAAC;QAC3F,CAAC;QAED,MAAM,oBAAoB,GAAmC;YAC3D,GAAG,CAAC,mBAAmB,IAAI,EAAE,CAAC;YAC9B,GAAG,mBAAmB;SACvB,CAAC;QAEF,MAAM,WAAW,GAAc;YAC7B,GAAG,aAAa;YAChB,GAAG,IAAI;YACP,SAAS;YACT,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,MAAM,GAAG,CAAC;gBAC9C,CAAC,CAAC,EAAE,cAAc,EAAE,oBAAoB,EAAE;gBAC1C,CAAC,CAAC,EAAE,CAAC;YACP,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACvE,CAAC;QAEF,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,KAAK,EAAE,EAAE,EAAE,WAAW,CAAC,CAAC;QAE9C,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,mBAAmB,EAAE,CAAC;IACvD,CAAC;CACF;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,iBAAiB;IAC/B,OAAO,aAAa,CAAgC,WAAW,CAAC,CAAC;AACnE,CAAC"}

package/dist/esm/role-defaults.d.ts

@@ -0,0 +1,8 @@
+import type { RoleProps } from "aws-cdk-lib/aws-iam";
+/**
+ * Secure, AWS-recommended defaults applied to every IAM role built with
+ * {@link createRoleBuilder}. Each property can be individually overridden
+ * via the builder's fluent API.
+ */
+export declare const ROLE_DEFAULTS: Partial<RoleProps>;
+//# sourceMappingURL=role-defaults.d.ts.map

package/dist/esm/role-defaults.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"role-defaults.d.ts","sourceRoot":"","sources":["../../src/role-defaults.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAErD;;;;GAIG;AACH,eAAO,MAAM,aAAa,EAAE,OAAO,CAAC,SAAS,CAa5C,CAAC"}

package/dist/esm/role-defaults.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"role-defaults.js","sourceRoot":"","sources":["../../src/role-defaults.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAGvC;;;;GAIG;AACH,MAAM,CAAC,MAAM,aAAa,GAAuB;IAC/C;;;;;;;;;;OAUG;IACH,kBAAkB,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;CACtC,CAAC"}

package/dist/esm/service-role-builder.d.ts

@@ -0,0 +1,24 @@
+import { type IRoleBuilder } from "./role-builder.js";
+/**
+ * Creates a pre-configured {@link IRoleBuilder} whose trust policy allows
+ * the given AWS service principal to assume the role.
+ *
+ * Thin sugar over {@link createRoleBuilder} for the most common role shape:
+ * a service-assumable role (Lambda, EC2, Budgets, etc.) with no extra
+ * trust-policy conditions. Any property set by the caller afterwards
+ * (including `assumedBy`) still wins, because the underlying builder
+ * simply records the last value written.
+ *
+ * @param servicePrincipal - The service identifier, e.g.
+ *   `"lambda.amazonaws.com"` or `"budgets.amazonaws.com"`.
+ * @returns A role builder with `assumedBy` preset to the given service.
+ *
+ * @example
+ * ```ts
+ * const role = createServiceRoleBuilder("lambda.amazonaws.com")
+ *   .description("Execution role for StopEC2 Lambda")
+ *   .addInlinePolicyStatements("StopEC2", [ ... ]);
+ * ```
+ */
+export declare function createServiceRoleBuilder(servicePrincipal: string): IRoleBuilder;
+//# sourceMappingURL=service-role-builder.d.ts.map

package/dist/esm/service-role-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"service-role-builder.d.ts","sourceRoot":"","sources":["../../src/service-role-builder.ts"],"names":[],"mappings":"AACA,OAAO,EAAqB,KAAK,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEzE;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,wBAAwB,CAAC,gBAAgB,EAAE,MAAM,GAAG,YAAY,CAE/E"}

package/dist/esm/service-role-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"service-role-builder.js","sourceRoot":"","sources":["../../src/service-role-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,iBAAiB,EAAqB,MAAM,mBAAmB,CAAC;AAEzE;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,UAAU,wBAAwB,CAAC,gBAAwB;IAC/D,OAAO,iBAAiB,EAAE,CAAC,SAAS,CAAC,IAAI,gBAAgB,CAAC,gBAAgB,CAAC,CAAC,CAAC;AAC/E,CAAC"}

package/dist/esm/statement-builder.d.ts

@@ -0,0 +1,83 @@
+import { Effect, type IPrincipal, PolicyStatement } from "aws-cdk-lib/aws-iam";
+/**
+ * Thrown when a {@link StatementBuilder} is built with an `Allow` effect and
+ * an unrestricted resource (`"*"`) without the caller having explicitly
+ * opted in via {@link StatementBuilder.allowWildcardResources}.
+ *
+ * Wildcard-resource allow statements grant the widest possible permission
+ * surface and should be an intentional choice, not an accident.
+ *
+ * @see https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/permissions-management.html
+ */
+export declare class WildcardResourceError extends Error {
+    constructor(sid?: string);
+}
+/**
+ * Fluent wrapper around the CDK {@link PolicyStatement}.
+ *
+ * Unlike other ComposureCDK builders this one is **not** a
+ * {@link Lifecycle} — a policy statement is inline data attached to a Role,
+ * ManagedPolicy, or resource policy rather than a standalone CDK construct,
+ * so there is nothing to attach to a scope.
+ *
+ * The builder exists to:
+ * - centralise least-privilege validation (wildcard-resource guard,
+ *   {@link WildcardResourceError}),
+ * - give every consumer (Role, ManagedPolicy, SNS TopicPolicy, future
+ *   SQS/S3 bucket policies) one fluent API,
+ * - remain interchangeable with raw {@link PolicyStatement} instances via
+ *   {@link StatementBuilder.build}.
+ *
+ * @example
+ * ```ts
+ * const stmt = createStatementBuilder()
+ *   .sid("StopDevInstances")
+ *   .allow()
+ *   .actions(["ec2:StopInstances", "ec2:DescribeInstances"])
+ *   .resources(["*"])
+ *   .allowWildcardResources(true)
+ *   .build();
+ * ```
+ */
+export declare class StatementBuilder {
+    #private;
+    sid(sid: string): this;
+    allow(): this;
+    deny(): this;
+    effect(effect: Effect): this;
+    actions(actions: string[]): this;
+    notActions(actions: string[]): this;
+    resources(resources: string[]): this;
+    notResources(resources: string[]): this;
+    principals(principals: IPrincipal[]): this;
+    notPrincipals(principals: IPrincipal[]): this;
+    conditions(conditions: Record<string, Record<string, unknown>>): this;
+    /**
+     * Opt in to Effect=Allow statements with wildcard resources (`"*"`).
+     *
+     * The builder rejects wildcard resources by default to surface
+     * least-privilege violations; call this to acknowledge that the
+     * statement genuinely needs unrestricted scope (for example actions
+     * such as `ec2:DescribeInstances` that do not support resource-level
+     * permissions).
+     *
+     * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html
+     */
+    allowWildcardResources(allow?: boolean): this;
+    /**
+     * Construct and return a {@link PolicyStatement} from the configured state.
+     *
+     * @throws {WildcardResourceError} when the statement is an Allow with a
+     *   wildcard resource and wildcard resources have not been opted in to.
+     */
+    build(): PolicyStatement;
+}
+/**
+ * Creates a new {@link StatementBuilder} for configuring an IAM
+ * {@link PolicyStatement} with least-privilege guardrails.
+ *
+ * @returns A fluent builder that produces a {@link PolicyStatement} when
+ *   {@link StatementBuilder.build} is called.
+ */
+export declare function createStatementBuilder(): StatementBuilder;
+//# sourceMappingURL=statement-builder.d.ts.map

package/dist/esm/statement-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"statement-builder.d.ts","sourceRoot":"","sources":["../../src/statement-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,MAAM,EACN,KAAK,UAAU,EACf,eAAe,EAEhB,MAAM,qBAAqB,CAAC;AAE7B;;;;;;;;;GASG;AACH,qBAAa,qBAAsB,SAAQ,KAAK;gBAClC,GAAG,CAAC,EAAE,MAAM;CAOzB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,qBAAa,gBAAgB;;IAY3B,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IAKtB,KAAK,IAAI,IAAI;IAKb,IAAI,IAAI,IAAI;IAKZ,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAK5B,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI;IAKhC,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI;IAKnC,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,IAAI;IAKpC,YAAY,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,IAAI;IAKvC,UAAU,CAAC,UAAU,EAAE,UAAU,EAAE,GAAG,IAAI;IAK1C,aAAa,CAAC,UAAU,EAAE,UAAU,EAAE,GAAG,IAAI;IAK7C,UAAU,CAAC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,GAAG,IAAI;IAKrE;;;;;;;;;;OAUG;IACH,sBAAsB,CAAC,KAAK,UAAO,GAAG,IAAI;IAK1C;;;;;OAKG;IACH,KAAK,IAAI,eAAe;CAuBzB;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,IAAI,gBAAgB,CAEzD"}

package/dist/esm/statement-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"statement-builder.js","sourceRoot":"","sources":["../../src/statement-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,MAAM,EAEN,eAAe,GAEhB,MAAM,qBAAqB,CAAC;AAE7B;;;;;;;;;GASG;AACH,MAAM,OAAO,qBAAsB,SAAQ,KAAK;IAC9C,YAAY,GAAY;QACtB,KAAK,CACH,kBAAkB,GAAG,CAAC,CAAC,CAAC,KAAK,GAAG,GAAG,CAAC,CAAC,CAAC,EAAE,oDAAoD;YAC1F,gFAAgF,CACnF,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC;IACtC,CAAC;CACF;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,MAAM,OAAO,gBAAgB;IAC3B,IAAI,CAAU;IACd,OAAO,GAAW,MAAM,CAAC,KAAK,CAAC;IAC/B,QAAQ,GAAa,EAAE,CAAC;IACxB,WAAW,GAAa,EAAE,CAAC;IAC3B,UAAU,GAAa,EAAE,CAAC;IAC1B,aAAa,GAAa,EAAE,CAAC;IAC7B,WAAW,GAAiB,EAAE,CAAC;IAC/B,cAAc,GAAiB,EAAE,CAAC;IAClC,WAAW,CAA2C;IACtD,uBAAuB,GAAG,KAAK,CAAC;IAEhC,GAAG,CAAC,GAAW;QACb,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC;QAChB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK;QACH,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC;QAC5B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI;QACF,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC;QAC3B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,MAAc;QACnB,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,CAAC,OAAiB;QACvB,IAAI,CAAC,QAAQ,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,UAAU,CAAC,OAAiB;QAC1B,IAAI,CAAC,WAAW,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC;QAChC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,SAAS,CAAC,SAAmB;QAC3B,IAAI,CAAC,UAAU,GAAG,CAAC,GAAG,SAAS,CAAC,CAAC;QACjC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,YAAY,CAAC,SAAmB;QAC9B,IAAI,CAAC,aAAa,GAAG,CAAC,GAAG,SAAS,CAAC,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,UAAU,CAAC,UAAwB;QACjC,IAAI,CAAC,WAAW,GAAG,CAAC,GAAG,UAAU,CAAC,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,aAAa,CAAC,UAAwB;QACpC,IAAI,CAAC,cAAc,GAAG,CAAC,GAAG,UAAU,CAAC,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,UAAU,CAAC,UAAmD;QAC5D,IAAI,CAAC,WAAW,GAAG,EAAE,GAAG,UAAU,EAAE,CAAC;QACrC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;;OAUG;IACH,sBAAsB,CAAC,KAAK,GAAG,IAAI;QACjC,IAAI,CAAC,uBAAuB,GAAG,KAAK,CAAC;QACrC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;OAKG;IACH,KAAK;QACH,IACE,IAAI,CAAC,OAAO,KAAK,MAAM,CAAC,KAAK;YAC7B,CAAC,IAAI,CAAC,uBAAuB;YAC7B,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,GAAG,CAAC,EACtC,CAAC;YACD,MAAM,IAAI,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7C,CAAC;QAED,MAAM,KAAK,GAAyB;YAClC,GAAG,EAAE,IAAI,CAAC,IAAI;YACd,MAAM,EAAE,IAAI,CAAC,OAAO;YACpB,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;YAC7D,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS;YACtE,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YACnE,YAAY,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS;YAC5E,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS;YACtE,aAAa,EAAE,IAAI,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,SAAS;YAC/E,UAAU,EAAE,IAAI,CAAC,WAAW;SAC7B,CAAC;QAEF,OAAO,IAAI,eAAe,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;CACF;AAED;;;;;;GAMG;AACH,MAAM,UAAU,sBAAsB;IACpC,OAAO,IAAI,gBAAgB,EAAE,CAAC;AAChC,CAAC"}

package/package.json

@@ -1,29 +1,22 @@
 {
   "name": "@composurecdk/iam",
-  "version": "0.6.0",
+  "version": "0.8.0",
   "description": "Composable IAM role, policy, and statement builders with well-architected defaults",
   "repository": {
     "type": "git",
     "url": "https://github.com/laazyj/composureCDK",
     "directory": "packages/iam"
   },
-  "main": "./dist/index.js",
-  "types": "./dist/index.d.ts",
-  "exports": {
-    ".": {
-      "import": "./dist/index.js",
-      "types": "./dist/index.d.ts"
-    }
-  },
   "files": [
     "dist",
     "README.md",
     "LICENSE"
   ],
   "scripts": {
-    "clean": "rm -rf dist",
-    "build": "tsc -p tsconfig.build.json",
+    "clean": "rm -rf dist .tshy .tshy-build",
+    "build": "tshy",
     "typecheck": "tsc --noEmit",
+    "check:exports": "attw --pack . --profile node16 && publint",
     "test": "vitest run --passWithNoTests",
     "test:watch": "vitest"
   },
@@ -34,16 +27,42 @@
     "access": "public"
   },
   "type": "module",
+  "engines": {
+    "node": ">=20"
+  },
+  "tshy": {
+    "exports": {
+      "./package.json": "./package.json",
+      ".": "./src/index.ts"
+    }
+  },
   "peerDependencies": {
-    "@composurecdk/core": "^0.6.0",
+    "@composurecdk/cloudformation": "^0.8.0",
+    "@composurecdk/core": "^0.8.0",
     "aws-cdk-lib": "^2.0.0",
     "constructs": "^10.0.0"
   },
   "devDependencies": {
-    "@types/node": "^25.6.0",
-    "aws-cdk-lib": "^2.250.0",
+    "@types/node": "^25.6.2",
+    "aws-cdk-lib": "^2.253.1",
     "constructs": "^10.6.0",
     "typescript": "^6.0.3",
     "vitest": "^4.1.4"
-  }
+  },
+  "exports": {
+    "./package.json": "./package.json",
+    ".": {
+      "import": {
+        "types": "./dist/esm/index.d.ts",
+        "default": "./dist/esm/index.js"
+      },
+      "require": {
+        "types": "./dist/commonjs/index.d.ts",
+        "default": "./dist/commonjs/index.js"
+      }
+    }
+  },
+  "main": "./dist/commonjs/index.js",
+  "types": "./dist/commonjs/index.d.ts",
+  "module": "./dist/esm/index.js"
 }

package/dist/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,iBAAiB,EACjB,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,KAAK,iBAAiB,GACvB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EACL,0BAA0B,EAC1B,KAAK,qBAAqB,EAC1B,KAAK,yBAAyB,EAC9B,KAAK,0BAA0B,GAChC,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,wBAAwB,EAAE,MAAM,2BAA2B,CAAC;AACrE,OAAO,EACL,sBAAsB,EACtB,gBAAgB,EAChB,qBAAqB,GACtB,MAAM,wBAAwB,CAAC"}

package/dist/index.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,iBAAiB,GAIlB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EACL,0BAA0B,GAI3B,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,wBAAwB,EAAE,MAAM,2BAA2B,CAAC;AACrE,OAAO,EACL,sBAAsB,EACtB,gBAAgB,EAChB,qBAAqB,GACtB,MAAM,wBAAwB,CAAC"}

package/dist/managed-policy-builder.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"managed-policy-builder.d.ts","sourceRoot":"","sources":["../src/managed-policy-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,KAAK,kBAAkB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAC9F,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAW,KAAK,QAAQ,EAAE,KAAK,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC5E,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE1D;;;;;;GAMG;AACH,MAAM,MAAM,yBAAyB,GAAG,kBAAkB,CAAC;AAE3D;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,0DAA0D;IAC1D,MAAM,EAAE,aAAa,CAAC;CACvB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,MAAM,qBAAqB,GAAG,QAAQ,CAAC,yBAAyB,EAAE,oBAAoB,CAAC,CAAC;AAE9F,cAAM,oBAAqB,YAAW,SAAS,CAAC,0BAA0B,CAAC;;IACzE,KAAK,EAAE,OAAO,CAAC,yBAAyB,CAAC,CAAM;IAG/C;;;;;;OAMG;IACH,aAAa,CAAC,UAAU,EAAE,CAAC,eAAe,GAAG,gBAAgB,CAAC,EAAE,GAAG,IAAI;IAKvE,KAAK,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,GAAG,0BAA0B;CAajE;AAED;;;;;GAKG;AACH,wBAAgB,0BAA0B,IAAI,qBAAqB,CAElE"}

package/dist/managed-policy-builder.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"managed-policy-builder.js","sourceRoot":"","sources":["../src/managed-policy-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAA4C,MAAM,qBAAqB,CAAC;AAE9F,OAAO,EAAE,OAAO,EAAiC,MAAM,oBAAoB,CAAC;AAC5E,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAuC1D,MAAM,oBAAoB;IACxB,KAAK,GAAuC,EAAE,CAAC;IACtC,gBAAgB,GAA2C,EAAE,CAAC;IAEvE;;;;;;OAMG;IACH,aAAa,CAAC,UAAkD;QAC9D,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;QAC1C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,KAAiB,EAAE,EAAU;QACjC,MAAM,cAAc,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CACrD,CAAC,YAAY,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,CAC9C,CAAC;QAEF,MAAM,WAAW,GAAuB;YACtC,GAAG,IAAI,CAAC,KAAK;YACb,UAAU,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,GAAG,cAAc,CAAC;SAClE,CAAC;QAEF,MAAM,MAAM,GAAG,IAAI,aAAa,CAAC,KAAK,EAAE,EAAE,EAAE,WAAW,CAAC,CAAC;QACzD,OAAO,EAAE,MAAM,EAAE,CAAC;IACpB,CAAC;CACF;AAED;;;;;GAKG;AACH,MAAM,UAAU,0BAA0B;IACxC,OAAO,OAAO,CAAkD,oBAAoB,CAAC,CAAC;AACxF,CAAC"}

package/dist/role-builder.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"role-builder.d.ts","sourceRoot":"","sources":["../src/role-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,cAAc,EACnB,cAAc,EACd,eAAe,EACf,IAAI,EACJ,KAAK,SAAS,EACf,MAAM,qBAAqB,CAAC;AAC7B,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAEL,KAAK,QAAQ,EACb,KAAK,SAAS,EAEd,KAAK,UAAU,EAChB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE1D;;;;;;;GAOG;AACH,MAAM,WAAW,gBAAiB,SAAQ,IAAI,CAAC,SAAS,EAAE,qBAAqB,CAAC;IAC9E;;;;;;;;OAQG;IACH,mBAAmB,CAAC,EAAE,UAAU,CAAC,cAAc,CAAC,CAAC;CAClD;AAED;;;;;GAKG;AACH,MAAM,WAAW,iBAAiB;IAChC,qDAAqD;IACrD,IAAI,EAAE,IAAI,CAAC;IAEX;;;;;;;;;;;OAWG;IACH,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;CAChD;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,MAAM,MAAM,YAAY,GAAG,QAAQ,CAAC,gBAAgB,EAAE,WAAW,CAAC,CAAC;AAOnE,cAAM,WAAY,YAAW,SAAS,CAAC,iBAAiB,CAAC;;IACvD,KAAK,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAM;IAGtC;;;;;;;;;;OAUG;IACH,yBAAyB,CACvB,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,CAAC,eAAe,GAAG,gBAAgB,CAAC,EAAE,GACjD,IAAI;IAKP,KAAK,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,EAAE,OAAO,GAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAM,GAAG,iBAAiB;CA8C9F;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,iBAAiB,IAAI,YAAY,CAEhD"}

package/dist/role-builder.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"role-builder.js","sourceRoot":"","sources":["../src/role-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,cAAc,EAEd,IAAI,GAEL,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,OAAO,EAGP,OAAO,GAER,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAoF1D,MAAM,WAAW;IACf,KAAK,GAA8B,EAAE,CAAC;IAC7B,eAAe,GAAwB,EAAE,CAAC;IAEnD;;;;;;;;;;OAUG;IACH,yBAAyB,CACvB,IAAY,EACZ,UAAkD;QAElD,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC;QAChD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,KAAiB,EAAE,EAAU,EAAE,UAAkC,EAAE;QACvE,MAAM,EACJ,mBAAmB,EACnB,SAAS,EACT,cAAc,EAAE,mBAAmB,EACnC,GAAG,IAAI,EACR,GAAG,IAAI,CAAC,KAAK,CAAC;QAEf,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACb,gBAAgB,EAAE,mDAAmD;gBACnE,gDAAgD,CACnD,CAAC;QACJ,CAAC;QAED,MAAM,gBAAgB,GAAG,mBAAmB;YAC1C,CAAC,CAAC,OAAO,CAAC,mBAAmB,EAAE,OAAO,CAAC;YACvC,CAAC,CAAC,SAAS,CAAC;QAEd,MAAM,mBAAmB,GAAmC,EAAE,CAAC;QAC/D,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACzC,MAAM,kBAAkB,GAAG,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CACpD,CAAC,YAAY,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,CAC9C,CAAC;YACF,mBAAmB,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,cAAc,CAAC,EAAE,UAAU,EAAE,kBAAkB,EAAE,CAAC,CAAC;QAC3F,CAAC;QAED,MAAM,oBAAoB,GAAmC;YAC3D,GAAG,CAAC,mBAAmB,IAAI,EAAE,CAAC;YAC9B,GAAG,mBAAmB;SACvB,CAAC;QAEF,MAAM,WAAW,GAAc;YAC7B,GAAG,aAAa;YAChB,GAAG,IAAI;YACP,SAAS;YACT,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,MAAM,GAAG,CAAC;gBAC9C,CAAC,CAAC,EAAE,cAAc,EAAE,oBAAoB,EAAE;gBAC1C,CAAC,CAAC,EAAE,CAAC;YACP,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACvE,CAAC;QAEF,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,KAAK,EAAE,EAAE,EAAE,WAAW,CAAC,CAAC;QAE9C,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,mBAAmB,EAAE,CAAC;IACvD,CAAC;CACF;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,iBAAiB;IAC/B,OAAO,OAAO,CAAgC,WAAW,CAAC,CAAC;AAC7D,CAAC"}

package/dist/role-defaults.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"role-defaults.d.ts","sourceRoot":"","sources":["../src/role-defaults.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAErD;;;;GAIG;AACH,eAAO,MAAM,aAAa,EAAE,OAAO,CAAC,SAAS,CAa5C,CAAC"}

package/dist/role-defaults.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"role-defaults.js","sourceRoot":"","sources":["../src/role-defaults.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAGvC;;;;GAIG;AACH,MAAM,CAAC,MAAM,aAAa,GAAuB;IAC/C;;;;;;;;;;OAUG;IACH,kBAAkB,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;CACtC,CAAC"}

package/dist/service-role-builder.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"service-role-builder.d.ts","sourceRoot":"","sources":["../src/service-role-builder.ts"],"names":[],"mappings":"AACA,OAAO,EAAqB,KAAK,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEzE;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,wBAAwB,CAAC,gBAAgB,EAAE,MAAM,GAAG,YAAY,CAE/E"}

package/dist/service-role-builder.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"service-role-builder.js","sourceRoot":"","sources":["../src/service-role-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,iBAAiB,EAAqB,MAAM,mBAAmB,CAAC;AAEzE;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,UAAU,wBAAwB,CAAC,gBAAwB;IAC/D,OAAO,iBAAiB,EAAE,CAAC,SAAS,CAAC,IAAI,gBAAgB,CAAC,gBAAgB,CAAC,CAAC,CAAC;AAC/E,CAAC"}

package/dist/statement-builder.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"statement-builder.d.ts","sourceRoot":"","sources":["../src/statement-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,MAAM,EACN,KAAK,UAAU,EACf,eAAe,EAEhB,MAAM,qBAAqB,CAAC;AAE7B;;;;;;;;;GASG;AACH,qBAAa,qBAAsB,SAAQ,KAAK;gBAClC,GAAG,CAAC,EAAE,MAAM;CAOzB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,qBAAa,gBAAgB;;IAY3B,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IAKtB,KAAK,IAAI,IAAI;IAKb,IAAI,IAAI,IAAI;IAKZ,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAK5B,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI;IAKhC,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI;IAKnC,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,IAAI;IAKpC,YAAY,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,IAAI;IAKvC,UAAU,CAAC,UAAU,EAAE,UAAU,EAAE,GAAG,IAAI;IAK1C,aAAa,CAAC,UAAU,EAAE,UAAU,EAAE,GAAG,IAAI;IAK7C,UAAU,CAAC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,GAAG,IAAI;IAKrE;;;;;;;;;;OAUG;IACH,sBAAsB,CAAC,KAAK,UAAO,GAAG,IAAI;IAK1C;;;;;OAKG;IACH,KAAK,IAAI,eAAe;CAuBzB;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,IAAI,gBAAgB,CAEzD"}

package/dist/statement-builder.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"statement-builder.js","sourceRoot":"","sources":["../src/statement-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,MAAM,EAEN,eAAe,GAEhB,MAAM,qBAAqB,CAAC;AAE7B;;;;;;;;;GASG;AACH,MAAM,OAAO,qBAAsB,SAAQ,KAAK;IAC9C,YAAY,GAAY;QACtB,KAAK,CACH,kBAAkB,GAAG,CAAC,CAAC,CAAC,KAAK,GAAG,GAAG,CAAC,CAAC,CAAC,EAAE,oDAAoD;YAC1F,gFAAgF,CACnF,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC;IACtC,CAAC;CACF;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,MAAM,OAAO,gBAAgB;IAC3B,IAAI,CAAU;IACd,OAAO,GAAW,MAAM,CAAC,KAAK,CAAC;IAC/B,QAAQ,GAAa,EAAE,CAAC;IACxB,WAAW,GAAa,EAAE,CAAC;IAC3B,UAAU,GAAa,EAAE,CAAC;IAC1B,aAAa,GAAa,EAAE,CAAC;IAC7B,WAAW,GAAiB,EAAE,CAAC;IAC/B,cAAc,GAAiB,EAAE,CAAC;IAClC,WAAW,CAA2C;IACtD,uBAAuB,GAAG,KAAK,CAAC;IAEhC,GAAG,CAAC,GAAW;QACb,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC;QAChB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK;QACH,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC;QAC5B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI;QACF,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC;QAC3B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,MAAc;QACnB,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,CAAC,OAAiB;QACvB,IAAI,CAAC,QAAQ,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,UAAU,CAAC,OAAiB;QAC1B,IAAI,CAAC,WAAW,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC;QAChC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,SAAS,CAAC,SAAmB;QAC3B,IAAI,CAAC,UAAU,GAAG,CAAC,GAAG,SAAS,CAAC,CAAC;QACjC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,YAAY,CAAC,SAAmB;QAC9B,IAAI,CAAC,aAAa,GAAG,CAAC,GAAG,SAAS,CAAC,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,UAAU,CAAC,UAAwB;QACjC,IAAI,CAAC,WAAW,GAAG,CAAC,GAAG,UAAU,CAAC,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,aAAa,CAAC,UAAwB;QACpC,IAAI,CAAC,cAAc,GAAG,CAAC,GAAG,UAAU,CAAC,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,UAAU,CAAC,UAAmD;QAC5D,IAAI,CAAC,WAAW,GAAG,EAAE,GAAG,UAAU,EAAE,CAAC;QACrC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;;OAUG;IACH,sBAAsB,CAAC,KAAK,GAAG,IAAI;QACjC,IAAI,CAAC,uBAAuB,GAAG,KAAK,CAAC;QACrC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;OAKG;IACH,KAAK;QACH,IACE,IAAI,CAAC,OAAO,KAAK,MAAM,CAAC,KAAK;YAC7B,CAAC,IAAI,CAAC,uBAAuB;YAC7B,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,GAAG,CAAC,EACtC,CAAC;YACD,MAAM,IAAI,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7C,CAAC;QAED,MAAM,KAAK,GAAyB;YAClC,GAAG,EAAE,IAAI,CAAC,IAAI;YACd,MAAM,EAAE,IAAI,CAAC,OAAO;YACpB,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;YAC7D,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS;YACtE,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YACnE,YAAY,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS;YAC5E,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS;YACtE,aAAa,EAAE,IAAI,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,SAAS;YAC/E,UAAU,EAAE,IAAI,CAAC,WAAW;SAC7B,CAAC;QAEF,OAAO,IAAI,eAAe,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;CACF;AAED;;;;;;GAMG;AACH,MAAM,UAAU,sBAAsB;IACpC,OAAO,IAAI,gBAAgB,EAAE,CAAC;AAChC,CAAC"}