@contractspec/lib.identity-rbac 0.0.0-canary-20260113162409

package/dist/policies/engine.js

@@ -0,0 +1,168 @@
+//#region src/policies/engine.ts
+/**
+* Standard permissions for identity-rbac module.
+*/
+const Permission = {
+	USER_CREATE: "user.create",
+	USER_READ: "user.read",
+	USER_UPDATE: "user.update",
+	USER_DELETE: "user.delete",
+	USER_LIST: "user.list",
+	USER_MANAGE: "user.manage",
+	ORG_CREATE: "org.create",
+	ORG_READ: "org.read",
+	ORG_UPDATE: "org.update",
+	ORG_DELETE: "org.delete",
+	ORG_LIST: "org.list",
+	MEMBER_INVITE: "member.invite",
+	MEMBER_REMOVE: "member.remove",
+	MEMBER_UPDATE_ROLE: "member.update_role",
+	MEMBER_LIST: "member.list",
+	MANAGE_MEMBERS: "org.manage_members",
+	TEAM_CREATE: "team.create",
+	TEAM_UPDATE: "team.update",
+	TEAM_DELETE: "team.delete",
+	TEAM_MANAGE: "team.manage",
+	ROLE_CREATE: "role.create",
+	ROLE_UPDATE: "role.update",
+	ROLE_DELETE: "role.delete",
+	ROLE_ASSIGN: "role.assign",
+	ROLE_REVOKE: "role.revoke",
+	BILLING_VIEW: "billing.view",
+	BILLING_MANAGE: "billing.manage",
+	PROJECT_CREATE: "project.create",
+	PROJECT_READ: "project.read",
+	PROJECT_UPDATE: "project.update",
+	PROJECT_DELETE: "project.delete",
+	PROJECT_MANAGE: "project.manage",
+	ADMIN_ACCESS: "admin.access",
+	ADMIN_IMPERSONATE: "admin.impersonate"
+};
+/**
+* Standard role definitions.
+*/
+const StandardRole = {
+	OWNER: {
+		name: "owner",
+		description: "Organization owner with full access",
+		permissions: Object.values(Permission)
+	},
+	ADMIN: {
+		name: "admin",
+		description: "Administrator with most permissions",
+		permissions: [
+			Permission.USER_READ,
+			Permission.USER_LIST,
+			Permission.ORG_READ,
+			Permission.ORG_UPDATE,
+			Permission.MEMBER_INVITE,
+			Permission.MEMBER_REMOVE,
+			Permission.MEMBER_UPDATE_ROLE,
+			Permission.MEMBER_LIST,
+			Permission.MANAGE_MEMBERS,
+			Permission.TEAM_CREATE,
+			Permission.TEAM_UPDATE,
+			Permission.TEAM_DELETE,
+			Permission.TEAM_MANAGE,
+			Permission.PROJECT_CREATE,
+			Permission.PROJECT_READ,
+			Permission.PROJECT_UPDATE,
+			Permission.PROJECT_DELETE,
+			Permission.PROJECT_MANAGE,
+			Permission.BILLING_VIEW
+		]
+	},
+	MEMBER: {
+		name: "member",
+		description: "Regular organization member",
+		permissions: [
+			Permission.USER_READ,
+			Permission.ORG_READ,
+			Permission.MEMBER_LIST,
+			Permission.PROJECT_READ,
+			Permission.PROJECT_CREATE
+		]
+	},
+	VIEWER: {
+		name: "viewer",
+		description: "Read-only access",
+		permissions: [
+			Permission.USER_READ,
+			Permission.ORG_READ,
+			Permission.MEMBER_LIST,
+			Permission.PROJECT_READ
+		]
+	}
+};
+/**
+* RBAC Policy Engine for permission checks.
+*/
+var RBACPolicyEngine = class {
+	roleCache = /* @__PURE__ */ new Map();
+	bindingCache = /* @__PURE__ */ new Map();
+	/**
+	* Check if a user has a specific permission.
+	*/
+	async checkPermission(input, bindings) {
+		const { userId, orgId, permission } = input;
+		const now = /* @__PURE__ */ new Date();
+		const userBindings = bindings.filter((b) => b.targetType === "user" && b.targetId === userId);
+		const orgBindings = orgId ? bindings.filter((b) => b.targetType === "organization" && b.targetId === orgId) : [];
+		const activeBindings = [...userBindings, ...orgBindings].filter((b) => !b.expiresAt || b.expiresAt > now);
+		if (activeBindings.length === 0) return {
+			allowed: false,
+			reason: "No active role bindings found"
+		};
+		for (const binding of activeBindings) if (binding.role.permissions.includes(permission)) return {
+			allowed: true,
+			matchedRole: binding.role.name
+		};
+		return {
+			allowed: false,
+			reason: `No role grants the "${permission}" permission`
+		};
+	}
+	/**
+	* Get all permissions for a user in a context.
+	*/
+	async getPermissions(userId, orgId, bindings) {
+		const now = /* @__PURE__ */ new Date();
+		const userBindings = bindings.filter((b) => b.targetType === "user" && b.targetId === userId);
+		const orgBindings = orgId ? bindings.filter((b) => b.targetType === "organization" && b.targetId === orgId) : [];
+		const activeBindings = [...userBindings, ...orgBindings].filter((b) => !b.expiresAt || b.expiresAt > now);
+		const permissions = /* @__PURE__ */ new Set();
+		const roles = [];
+		for (const binding of activeBindings) {
+			roles.push(binding.role);
+			for (const perm of binding.role.permissions) permissions.add(perm);
+		}
+		return {
+			permissions,
+			roles
+		};
+	}
+	/**
+	* Check if user has any of the specified permissions.
+	*/
+	async hasAnyPermission(userId, orgId, permissions, bindings) {
+		const { permissions: userPerms } = await this.getPermissions(userId, orgId, bindings);
+		return permissions.some((p) => userPerms.has(p));
+	}
+	/**
+	* Check if user has all of the specified permissions.
+	*/
+	async hasAllPermissions(userId, orgId, permissions, bindings) {
+		const { permissions: userPerms } = await this.getPermissions(userId, orgId, bindings);
+		return permissions.every((p) => userPerms.has(p));
+	}
+};
+/**
+* Create a new RBAC policy engine instance.
+*/
+function createRBACEngine() {
+	return new RBACPolicyEngine();
+}
+
+//#endregion
+export { Permission, RBACPolicyEngine, StandardRole, createRBACEngine };
+//# sourceMappingURL=engine.js.map

package/dist/policies/engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.js","names":[],"sources":["../../src/policies/engine.ts"],"sourcesContent":["/**\n * Standard permissions for identity-rbac module.\n */\nexport const Permission = {\n  // User permissions\n  USER_CREATE: 'user.create',\n  USER_READ: 'user.read',\n  USER_UPDATE: 'user.update',\n  USER_DELETE: 'user.delete',\n  USER_LIST: 'user.list',\n  USER_MANAGE: 'user.manage',\n\n  // Organization permissions\n  ORG_CREATE: 'org.create',\n  ORG_READ: 'org.read',\n  ORG_UPDATE: 'org.update',\n  ORG_DELETE: 'org.delete',\n  ORG_LIST: 'org.list',\n\n  // Member permissions\n  MEMBER_INVITE: 'member.invite',\n  MEMBER_REMOVE: 'member.remove',\n  MEMBER_UPDATE_ROLE: 'member.update_role',\n  MEMBER_LIST: 'member.list',\n  MANAGE_MEMBERS: 'org.manage_members',\n\n  // Team permissions\n  TEAM_CREATE: 'team.create',\n  TEAM_UPDATE: 'team.update',\n  TEAM_DELETE: 'team.delete',\n  TEAM_MANAGE: 'team.manage',\n\n  // Role permissions\n  ROLE_CREATE: 'role.create',\n  ROLE_UPDATE: 'role.update',\n  ROLE_DELETE: 'role.delete',\n  ROLE_ASSIGN: 'role.assign',\n  ROLE_REVOKE: 'role.revoke',\n\n  // Billing permissions\n  BILLING_VIEW: 'billing.view',\n  BILLING_MANAGE: 'billing.manage',\n\n  // Project permissions\n  PROJECT_CREATE: 'project.create',\n  PROJECT_READ: 'project.read',\n  PROJECT_UPDATE: 'project.update',\n  PROJECT_DELETE: 'project.delete',\n  PROJECT_MANAGE: 'project.manage',\n\n  // Admin permissions\n  ADMIN_ACCESS: 'admin.access',\n  ADMIN_IMPERSONATE: 'admin.impersonate',\n} as const;\n\nexport type PermissionKey = (typeof Permission)[keyof typeof Permission];\n\n/**\n * Standard role definitions.\n */\nexport const StandardRole = {\n  OWNER: {\n    name: 'owner',\n    description: 'Organization owner with full access',\n    permissions: Object.values(Permission),\n  },\n  ADMIN: {\n    name: 'admin',\n    description: 'Administrator with most permissions',\n    permissions: [\n      Permission.USER_READ,\n      Permission.USER_LIST,\n      Permission.ORG_READ,\n      Permission.ORG_UPDATE,\n      Permission.MEMBER_INVITE,\n      Permission.MEMBER_REMOVE,\n      Permission.MEMBER_UPDATE_ROLE,\n      Permission.MEMBER_LIST,\n      Permission.MANAGE_MEMBERS,\n      Permission.TEAM_CREATE,\n      Permission.TEAM_UPDATE,\n      Permission.TEAM_DELETE,\n      Permission.TEAM_MANAGE,\n      Permission.PROJECT_CREATE,\n      Permission.PROJECT_READ,\n      Permission.PROJECT_UPDATE,\n      Permission.PROJECT_DELETE,\n      Permission.PROJECT_MANAGE,\n      Permission.BILLING_VIEW,\n    ],\n  },\n  MEMBER: {\n    name: 'member',\n    description: 'Regular organization member',\n    permissions: [\n      Permission.USER_READ,\n      Permission.ORG_READ,\n      Permission.MEMBER_LIST,\n      Permission.PROJECT_READ,\n      Permission.PROJECT_CREATE,\n    ],\n  },\n  VIEWER: {\n    name: 'viewer',\n    description: 'Read-only access',\n    permissions: [\n      Permission.USER_READ,\n      Permission.ORG_READ,\n      Permission.MEMBER_LIST,\n      Permission.PROJECT_READ,\n    ],\n  },\n} as const;\n\n/**\n * Permission check input.\n */\nexport interface PermissionCheckInput {\n  userId: string;\n  orgId?: string;\n  permission: PermissionKey | string;\n}\n\n/**\n * Permission check result.\n */\nexport interface PermissionCheckResult {\n  allowed: boolean;\n  reason?: string;\n  matchedRole?: string;\n}\n\n/**\n * Role with permissions.\n */\nexport interface RoleWithPermissions {\n  id: string;\n  name: string;\n  permissions: string[];\n}\n\n/**\n * Policy binding for permission evaluation.\n */\nexport interface PolicyBindingForEval {\n  roleId: string;\n  role: RoleWithPermissions;\n  targetType: 'user' | 'organization';\n  targetId: string;\n  expiresAt?: Date | null;\n}\n\n/**\n * RBAC Policy Engine for permission checks.\n */\nexport class RBACPolicyEngine {\n  private roleCache = new Map<string, RoleWithPermissions>();\n  private bindingCache = new Map<string, PolicyBindingForEval[]>();\n\n  /**\n   * Check if a user has a specific permission.\n   */\n  async checkPermission(\n    input: PermissionCheckInput,\n    bindings: PolicyBindingForEval[]\n  ): Promise<PermissionCheckResult> {\n    const { userId, orgId, permission } = input;\n    const now = new Date();\n\n    // Get all applicable bindings\n    const userBindings = bindings.filter(\n      (b) => b.targetType === 'user' && b.targetId === userId\n    );\n\n    const orgBindings = orgId\n      ? bindings.filter(\n          (b) => b.targetType === 'organization' && b.targetId === orgId\n        )\n      : [];\n\n    const allBindings = [...userBindings, ...orgBindings];\n\n    // Filter out expired bindings\n    const activeBindings = allBindings.filter(\n      (b) => !b.expiresAt || b.expiresAt > now\n    );\n\n    if (activeBindings.length === 0) {\n      return {\n        allowed: false,\n        reason: 'No active role bindings found',\n      };\n    }\n\n    // Check if any role grants the permission\n    for (const binding of activeBindings) {\n      if (binding.role.permissions.includes(permission)) {\n        return {\n          allowed: true,\n          matchedRole: binding.role.name,\n        };\n      }\n    }\n\n    return {\n      allowed: false,\n      reason: `No role grants the \"${permission}\" permission`,\n    };\n  }\n\n  /**\n   * Get all permissions for a user in a context.\n   */\n  async getPermissions(\n    userId: string,\n    orgId: string | undefined,\n    bindings: PolicyBindingForEval[]\n  ): Promise<{\n    permissions: Set<string>;\n    roles: RoleWithPermissions[];\n  }> {\n    const now = new Date();\n\n    // Get all applicable bindings\n    const userBindings = bindings.filter(\n      (b) => b.targetType === 'user' && b.targetId === userId\n    );\n\n    const orgBindings = orgId\n      ? bindings.filter(\n          (b) => b.targetType === 'organization' && b.targetId === orgId\n        )\n      : [];\n\n    const allBindings = [...userBindings, ...orgBindings];\n\n    // Filter out expired bindings\n    const activeBindings = allBindings.filter(\n      (b) => !b.expiresAt || b.expiresAt > now\n    );\n\n    const permissions = new Set<string>();\n    const roles: RoleWithPermissions[] = [];\n\n    for (const binding of activeBindings) {\n      roles.push(binding.role);\n      for (const perm of binding.role.permissions) {\n        permissions.add(perm);\n      }\n    }\n\n    return { permissions, roles };\n  }\n\n  /**\n   * Check if user has any of the specified permissions.\n   */\n  async hasAnyPermission(\n    userId: string,\n    orgId: string | undefined,\n    permissions: string[],\n    bindings: PolicyBindingForEval[]\n  ): Promise<boolean> {\n    const { permissions: userPerms } = await this.getPermissions(\n      userId,\n      orgId,\n      bindings\n    );\n\n    return permissions.some((p) => userPerms.has(p));\n  }\n\n  /**\n   * Check if user has all of the specified permissions.\n   */\n  async hasAllPermissions(\n    userId: string,\n    orgId: string | undefined,\n    permissions: string[],\n    bindings: PolicyBindingForEval[]\n  ): Promise<boolean> {\n    const { permissions: userPerms } = await this.getPermissions(\n      userId,\n      orgId,\n      bindings\n    );\n\n    return permissions.every((p) => userPerms.has(p));\n  }\n}\n\n/**\n * Create a new RBAC policy engine instance.\n */\nexport function createRBACEngine(): RBACPolicyEngine {\n  return new RBACPolicyEngine();\n}\n"],"mappings":";;;;AAGA,MAAa,aAAa;CAExB,aAAa;CACb,WAAW;CACX,aAAa;CACb,aAAa;CACb,WAAW;CACX,aAAa;CAGb,YAAY;CACZ,UAAU;CACV,YAAY;CACZ,YAAY;CACZ,UAAU;CAGV,eAAe;CACf,eAAe;CACf,oBAAoB;CACpB,aAAa;CACb,gBAAgB;CAGhB,aAAa;CACb,aAAa;CACb,aAAa;CACb,aAAa;CAGb,aAAa;CACb,aAAa;CACb,aAAa;CACb,aAAa;CACb,aAAa;CAGb,cAAc;CACd,gBAAgB;CAGhB,gBAAgB;CAChB,cAAc;CACd,gBAAgB;CAChB,gBAAgB;CAChB,gBAAgB;CAGhB,cAAc;CACd,mBAAmB;CACpB;;;;AAOD,MAAa,eAAe;CAC1B,OAAO;EACL,MAAM;EACN,aAAa;EACb,aAAa,OAAO,OAAO,WAAW;EACvC;CACD,OAAO;EACL,MAAM;EACN,aAAa;EACb,aAAa;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACZ;EACF;CACD,QAAQ;EACN,MAAM;EACN,aAAa;EACb,aAAa;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACZ;EACF;CACD,QAAQ;EACN,MAAM;EACN,aAAa;EACb,aAAa;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACZ;EACF;CACF;;;;AA2CD,IAAa,mBAAb,MAA8B;CAC5B,AAAQ,4BAAY,IAAI,KAAkC;CAC1D,AAAQ,+BAAe,IAAI,KAAqC;;;;CAKhE,MAAM,gBACJ,OACA,UACgC;EAChC,MAAM,EAAE,QAAQ,OAAO,eAAe;EACtC,MAAM,sBAAM,IAAI,MAAM;EAGtB,MAAM,eAAe,SAAS,QAC3B,MAAM,EAAE,eAAe,UAAU,EAAE,aAAa,OAClD;EAED,MAAM,cAAc,QAChB,SAAS,QACN,MAAM,EAAE,eAAe,kBAAkB,EAAE,aAAa,MAC1D,GACD,EAAE;EAKN,MAAM,iBAHc,CAAC,GAAG,cAAc,GAAG,YAAY,CAGlB,QAChC,MAAM,CAAC,EAAE,aAAa,EAAE,YAAY,IACtC;AAED,MAAI,eAAe,WAAW,EAC5B,QAAO;GACL,SAAS;GACT,QAAQ;GACT;AAIH,OAAK,MAAM,WAAW,eACpB,KAAI,QAAQ,KAAK,YAAY,SAAS,WAAW,CAC/C,QAAO;GACL,SAAS;GACT,aAAa,QAAQ,KAAK;GAC3B;AAIL,SAAO;GACL,SAAS;GACT,QAAQ,uBAAuB,WAAW;GAC3C;;;;;CAMH,MAAM,eACJ,QACA,OACA,UAIC;EACD,MAAM,sBAAM,IAAI,MAAM;EAGtB,MAAM,eAAe,SAAS,QAC3B,MAAM,EAAE,eAAe,UAAU,EAAE,aAAa,OAClD;EAED,MAAM,cAAc,QAChB,SAAS,QACN,MAAM,EAAE,eAAe,kBAAkB,EAAE,aAAa,MAC1D,GACD,EAAE;EAKN,MAAM,iBAHc,CAAC,GAAG,cAAc,GAAG,YAAY,CAGlB,QAChC,MAAM,CAAC,EAAE,aAAa,EAAE,YAAY,IACtC;EAED,MAAM,8BAAc,IAAI,KAAa;EACrC,MAAM,QAA+B,EAAE;AAEvC,OAAK,MAAM,WAAW,gBAAgB;AACpC,SAAM,KAAK,QAAQ,KAAK;AACxB,QAAK,MAAM,QAAQ,QAAQ,KAAK,YAC9B,aAAY,IAAI,KAAK;;AAIzB,SAAO;GAAE;GAAa;GAAO;;;;;CAM/B,MAAM,iBACJ,QACA,OACA,aACA,UACkB;EAClB,MAAM,EAAE,aAAa,cAAc,MAAM,KAAK,eAC5C,QACA,OACA,SACD;AAED,SAAO,YAAY,MAAM,MAAM,UAAU,IAAI,EAAE,CAAC;;;;;CAMlD,MAAM,kBACJ,QACA,OACA,aACA,UACkB;EAClB,MAAM,EAAE,aAAa,cAAc,MAAM,KAAK,eAC5C,QACA,OACA,SACD;AAED,SAAO,YAAY,OAAO,MAAM,UAAU,IAAI,EAAE,CAAC;;;;;;AAOrD,SAAgB,mBAAqC;AACnD,QAAO,IAAI,kBAAkB"}

package/dist/policies/index.d.ts

@@ -0,0 +1,2 @@
+import { Permission, PermissionCheckInput, PermissionCheckResult, PermissionKey, PolicyBindingForEval, RBACPolicyEngine, RoleWithPermissions, StandardRole, createRBACEngine } from "./engine.js";
+export { Permission, type PermissionCheckInput, type PermissionCheckResult, type PermissionKey, type PolicyBindingForEval, RBACPolicyEngine, type RoleWithPermissions, StandardRole, createRBACEngine };

package/dist/policies/index.js

@@ -0,0 +1,3 @@
+import { Permission, RBACPolicyEngine, StandardRole, createRBACEngine } from "./engine.js";
+
+export { Permission, RBACPolicyEngine, StandardRole, createRBACEngine };

package/package.json

@@ -0,0 +1,85 @@
+{
+  "name": "@contractspec/lib.identity-rbac",
+  "version": "0.0.0-canary-20260113162409",
+  "description": "Identity, Organizations, and RBAC module for ContractSpec applications",
+  "keywords": [
+    "contractspec",
+    "identity",
+    "rbac",
+    "authorization",
+    "organizations",
+    "typescript"
+  ],
+  "types": "./dist/index.d.ts",
+  "type": "module",
+  "scripts": {
+    "publish:pkg": "bun publish --tolerate-republish --ignore-scripts --verbose",
+    "publish:pkg:canary": "bun publish:pkg --tag canary",
+    "build": "bun build:types && bun build:bundle",
+    "build:bundle": "tsdown",
+    "build:types": "tsc --noEmit",
+    "dev": "bun build:bundle --watch",
+    "clean": "rimraf dist .turbo",
+    "lint": "bun lint:fix",
+    "lint:fix": "eslint src --fix",
+    "lint:check": "eslint src"
+  },
+  "dependencies": {
+    "@contractspec/lib.schema": "0.0.0-canary-20260113162409",
+    "@contractspec/lib.contracts": "0.0.0-canary-20260113162409",
+    "zod": "^4.3.5"
+  },
+  "devDependencies": {
+    "@contractspec/tool.typescript": "0.0.0-canary-20260113162409",
+    "@contractspec/tool.tsdown": "0.0.0-canary-20260113162409",
+    "typescript": "^5.9.3"
+  },
+  "exports": {
+    ".": "./dist/index.js",
+    "./contracts": "./dist/contracts/index.js",
+    "./contracts/organization": "./dist/contracts/organization.js",
+    "./contracts/rbac": "./dist/contracts/rbac.js",
+    "./contracts/user": "./dist/contracts/user.js",
+    "./entities": "./dist/entities/index.js",
+    "./entities/organization": "./dist/entities/organization.js",
+    "./entities/rbac": "./dist/entities/rbac.js",
+    "./entities/user": "./dist/entities/user.js",
+    "./events": "./dist/events.js",
+    "./identity-rbac.capability": "./dist/identity-rbac.capability.js",
+    "./identity-rbac.feature": "./dist/identity-rbac.feature.js",
+    "./policies": "./dist/policies/index.js",
+    "./policies/engine": "./dist/policies/engine.js",
+    "./*": "./*"
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "publishConfig": {
+    "access": "public",
+    "exports": {
+      ".": "./dist/index.js",
+      "./contracts": "./dist/contracts/index.js",
+      "./contracts/organization": "./dist/contracts/organization.js",
+      "./contracts/rbac": "./dist/contracts/rbac.js",
+      "./contracts/user": "./dist/contracts/user.js",
+      "./entities": "./dist/entities/index.js",
+      "./entities/organization": "./dist/entities/organization.js",
+      "./entities/rbac": "./dist/entities/rbac.js",
+      "./entities/user": "./dist/entities/user.js",
+      "./events": "./dist/events.js",
+      "./identity-rbac.feature": "./dist/identity-rbac.feature.js",
+      "./policies": "./dist/policies/index.js",
+      "./policies/engine": "./dist/policies/engine.js",
+      "./*": "./*"
+    },
+    "registry": "https://registry.npmjs.org/"
+  },
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/lssm-tech/contractspec.git",
+    "directory": "packages/libs/identity-rbac"
+  },
+  "homepage": "https://contractspec.io"
+}