@contractspec/lib.identity-rbac 1.44.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +102 -0
- package/dist/contracts/index.d.ts +4 -0
- package/dist/contracts/index.js +5 -0
- package/dist/contracts/organization.d.ts +896 -0
- package/dist/contracts/organization.d.ts.map +1 -0
- package/dist/contracts/organization.js +605 -0
- package/dist/contracts/organization.js.map +1 -0
- package/dist/contracts/rbac.d.ts +612 -0
- package/dist/contracts/rbac.d.ts.map +1 -0
- package/dist/contracts/rbac.js +484 -0
- package/dist/contracts/rbac.js.map +1 -0
- package/dist/contracts/user.d.ts +611 -0
- package/dist/contracts/user.d.ts.map +1 -0
- package/dist/contracts/user.js +333 -0
- package/dist/contracts/user.js.map +1 -0
- package/dist/entities/index.d.ts +177 -0
- package/dist/entities/index.d.ts.map +1 -0
- package/dist/entities/index.js +36 -0
- package/dist/entities/index.js.map +1 -0
- package/dist/entities/organization.d.ts +87 -0
- package/dist/entities/organization.d.ts.map +1 -0
- package/dist/entities/organization.js +151 -0
- package/dist/entities/organization.js.map +1 -0
- package/dist/entities/rbac.d.ts +88 -0
- package/dist/entities/rbac.d.ts.map +1 -0
- package/dist/entities/rbac.js +138 -0
- package/dist/entities/rbac.js.map +1 -0
- package/dist/entities/user.d.ts +88 -0
- package/dist/entities/user.d.ts.map +1 -0
- package/dist/entities/user.js +194 -0
- package/dist/entities/user.js.map +1 -0
- package/dist/events.d.ts +690 -0
- package/dist/events.d.ts.map +1 -0
- package/dist/events.js +683 -0
- package/dist/events.js.map +1 -0
- package/dist/identity-rbac.feature.d.ts +12 -0
- package/dist/identity-rbac.feature.d.ts.map +1 -0
- package/dist/identity-rbac.feature.js +188 -0
- package/dist/identity-rbac.feature.js.map +1 -0
- package/dist/index.d.ts +12 -0
- package/dist/index.js +14 -0
- package/dist/policies/engine.d.ts +133 -0
- package/dist/policies/engine.d.ts.map +1 -0
- package/dist/policies/engine.js +168 -0
- package/dist/policies/engine.js.map +1 -0
- package/dist/policies/index.d.ts +2 -0
- package/dist/policies/index.js +3 -0
- package/package.json +78 -0
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"events.js","names":[],"sources":["../src/events.ts"],"sourcesContent":["import { SchemaModel, ScalarTypeEnum } from '@contractspec/lib.schema';\nimport { defineEvent } from '@contractspec/lib.contracts';\n\n// ============ User Event Payloads ============\n\nconst UserCreatedPayload = new SchemaModel({\n name: 'UserCreatedPayload',\n description: 'Payload for user created event',\n fields: {\n userId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n email: { type: ScalarTypeEnum.EmailAddress(), isOptional: false },\n name: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n createdAt: { type: ScalarTypeEnum.DateTime(), isOptional: false },\n },\n});\n\nconst UserUpdatedPayload = new SchemaModel({\n name: 'UserUpdatedPayload',\n description: 'Payload for user updated event',\n fields: {\n userId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n updatedFields: {\n type: ScalarTypeEnum.String_unsecure(),\n isOptional: false,\n isArray: true,\n },\n updatedAt: { type: ScalarTypeEnum.DateTime(), isOptional: false },\n },\n});\n\nconst UserDeletedPayload = new SchemaModel({\n name: 'UserDeletedPayload',\n description: 'Payload for user deleted event',\n fields: {\n userId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n email: { type: ScalarTypeEnum.EmailAddress(), isOptional: false },\n deletedAt: { type: ScalarTypeEnum.DateTime(), isOptional: false },\n },\n});\n\nconst UserEmailVerifiedPayload = new SchemaModel({\n name: 'UserEmailVerifiedPayload',\n description: 'Payload for user email verified event',\n fields: {\n userId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n email: { type: ScalarTypeEnum.EmailAddress(), isOptional: false },\n verifiedAt: { type: ScalarTypeEnum.DateTime(), isOptional: false },\n },\n});\n\n// ============ Organization Event Payloads ============\n\nconst OrgCreatedPayload = new SchemaModel({\n name: 'OrgCreatedPayload',\n description: 'Payload for org created event',\n fields: {\n orgId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n name: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n slug: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n createdBy: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n createdAt: { type: ScalarTypeEnum.DateTime(), isOptional: false },\n },\n});\n\nconst OrgUpdatedPayload = new SchemaModel({\n name: 'OrgUpdatedPayload',\n description: 'Payload for org updated event',\n fields: {\n orgId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n updatedFields: {\n type: ScalarTypeEnum.String_unsecure(),\n isOptional: false,\n isArray: true,\n },\n updatedBy: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n updatedAt: { type: ScalarTypeEnum.DateTime(), isOptional: false },\n },\n});\n\nconst OrgDeletedPayload = new SchemaModel({\n name: 'OrgDeletedPayload',\n description: 'Payload for org deleted event',\n fields: {\n orgId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n name: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n deletedBy: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n deletedAt: { type: ScalarTypeEnum.DateTime(), isOptional: false },\n },\n});\n\n// ============ Member Event Payloads ============\n\nconst OrgMemberAddedPayload = new SchemaModel({\n name: 'OrgMemberAddedPayload',\n description: 'Payload for member added event',\n fields: {\n orgId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n userId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n role: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n invitedBy: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n joinedAt: { type: ScalarTypeEnum.DateTime(), isOptional: false },\n },\n});\n\nconst OrgMemberRemovedPayload = new SchemaModel({\n name: 'OrgMemberRemovedPayload',\n description: 'Payload for member removed event',\n fields: {\n orgId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n userId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n removedBy: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n reason: { type: ScalarTypeEnum.String_unsecure(), isOptional: true }, // left | removed | banned\n removedAt: { type: ScalarTypeEnum.DateTime(), isOptional: false },\n },\n});\n\nconst OrgMemberRoleChangedPayload = new SchemaModel({\n name: 'OrgMemberRoleChangedPayload',\n description: 'Payload for member role changed event',\n fields: {\n orgId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n userId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n previousRole: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n newRole: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n changedBy: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n changedAt: { type: ScalarTypeEnum.DateTime(), isOptional: false },\n },\n});\n\n// ============ Invitation Event Payloads ============\n\nconst OrgInviteSentPayload = new SchemaModel({\n name: 'OrgInviteSentPayload',\n description: 'Payload for invite sent event',\n fields: {\n invitationId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n orgId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n email: { type: ScalarTypeEnum.EmailAddress(), isOptional: false },\n role: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n invitedBy: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n expiresAt: { type: ScalarTypeEnum.DateTime(), isOptional: true },\n sentAt: { type: ScalarTypeEnum.DateTime(), isOptional: false },\n },\n});\n\nconst OrgInviteAcceptedPayload = new SchemaModel({\n name: 'OrgInviteAcceptedPayload',\n description: 'Payload for invite accepted event',\n fields: {\n invitationId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n orgId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n userId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n acceptedAt: { type: ScalarTypeEnum.DateTime(), isOptional: false },\n },\n});\n\nconst OrgInviteDeclinedPayload = new SchemaModel({\n name: 'OrgInviteDeclinedPayload',\n description: 'Payload for invite declined event',\n fields: {\n invitationId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n orgId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n declinedAt: { type: ScalarTypeEnum.DateTime(), isOptional: false },\n },\n});\n\n// ============ Role Event Payloads ============\n\nconst RoleAssignedPayload = new SchemaModel({\n name: 'RoleAssignedPayload',\n description: 'Payload for role assigned event',\n fields: {\n bindingId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n roleId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n roleName: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n targetType: { type: ScalarTypeEnum.String_unsecure(), isOptional: false }, // user | organization\n targetId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n assignedBy: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n expiresAt: { type: ScalarTypeEnum.DateTime(), isOptional: true },\n assignedAt: { type: ScalarTypeEnum.DateTime(), isOptional: false },\n },\n});\n\nconst RoleRevokedPayload = new SchemaModel({\n name: 'RoleRevokedPayload',\n description: 'Payload for role revoked event',\n fields: {\n bindingId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n roleId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n roleName: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n targetType: { type: ScalarTypeEnum.String_unsecure(), isOptional: false }, // user | organization\n targetId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n revokedBy: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n revokedAt: { type: ScalarTypeEnum.DateTime(), isOptional: false },\n },\n});\n\n// ============ User Events ============\n\n/**\n * Emitted when a new user is created.\n */\nexport const UserCreatedEvent = defineEvent({\n meta: {\n key: 'user.created',\n version: 1,\n description: 'A new user has been created.',\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['user', 'created', 'identity'],\n },\n payload: UserCreatedPayload,\n});\n\n/**\n * Emitted when a user profile is updated.\n */\nexport const UserUpdatedEvent = defineEvent({\n meta: {\n key: 'user.updated',\n version: 1,\n description: 'A user profile has been updated.',\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['user', 'updated', 'identity'],\n },\n payload: UserUpdatedPayload,\n});\n\n/**\n * Emitted when a user is deleted.\n */\nexport const UserDeletedEvent = defineEvent({\n meta: {\n key: 'user.deleted',\n version: 1,\n description: 'A user account has been deleted.',\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['user', 'deleted', 'identity'],\n },\n pii: ['email'],\n payload: UserDeletedPayload,\n});\n\n/**\n * Emitted when a user's email is verified.\n */\nexport const UserEmailVerifiedEvent = defineEvent({\n meta: {\n key: 'user.email_verified',\n version: 1,\n description: 'A user has verified their email address.',\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['user', 'verified', 'identity'],\n },\n payload: UserEmailVerifiedPayload,\n});\n\n// ============ Organization Events ============\n\n/**\n * Emitted when a new organization is created.\n */\nexport const OrgCreatedEvent = defineEvent({\n meta: {\n key: 'org.created',\n version: 1,\n description: 'A new organization has been created.',\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['org', 'created', 'identity'],\n },\n payload: OrgCreatedPayload,\n});\n\n/**\n * Emitted when an organization is updated.\n */\nexport const OrgUpdatedEvent = defineEvent({\n meta: {\n key: 'org.updated',\n version: 1,\n description: 'An organization has been updated.',\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['org', 'updated', 'identity'],\n },\n payload: OrgUpdatedPayload,\n});\n\n/**\n * Emitted when an organization is deleted.\n */\nexport const OrgDeletedEvent = defineEvent({\n meta: {\n key: 'org.deleted',\n version: 1,\n description: 'An organization has been deleted.',\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['org', 'deleted', 'identity'],\n },\n payload: OrgDeletedPayload,\n});\n\n// ============ Member Events ============\n\n/**\n * Emitted when a member joins an organization.\n */\nexport const OrgMemberAddedEvent = defineEvent({\n meta: {\n key: 'org.member.added',\n version: 1,\n description: 'A user has joined an organization.',\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['org', 'member', 'added', 'identity'],\n },\n payload: OrgMemberAddedPayload,\n});\n\n/**\n * Emitted when a member leaves or is removed from an organization.\n */\nexport const OrgMemberRemovedEvent = defineEvent({\n meta: {\n key: 'org.member.removed',\n version: 1,\n description: 'A user has left or been removed from an organization.',\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['org', 'member', 'removed', 'identity'],\n },\n payload: OrgMemberRemovedPayload,\n});\n\n/**\n * Emitted when a member's role is changed.\n */\nexport const OrgMemberRoleChangedEvent = defineEvent({\n meta: {\n key: 'org.member.role_changed',\n version: 1,\n description: \"A member's role in an organization has changed.\",\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['org', 'member', 'role', 'changed', 'identity'],\n },\n payload: OrgMemberRoleChangedPayload,\n});\n\n// ============ Invitation Events ============\n\n/**\n * Emitted when an invitation is sent.\n */\nexport const OrgInviteSentEvent = defineEvent({\n meta: {\n key: 'org.invite.sent',\n version: 1,\n description: 'An invitation to join an organization has been sent.',\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['org', 'invite', 'sent', 'identity'],\n },\n pii: ['email'],\n payload: OrgInviteSentPayload,\n});\n\n/**\n * Emitted when an invitation is accepted.\n */\nexport const OrgInviteAcceptedEvent = defineEvent({\n meta: {\n key: 'org.invite.accepted',\n version: 1,\n description: 'An invitation has been accepted.',\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['org', 'invite', 'accepted', 'identity'],\n },\n payload: OrgInviteAcceptedPayload,\n});\n\n/**\n * Emitted when an invitation is declined.\n */\nexport const OrgInviteDeclinedEvent = defineEvent({\n meta: {\n key: 'org.invite.declined',\n version: 1,\n description: 'An invitation has been declined.',\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['org', 'invite', 'declined', 'identity'],\n },\n payload: OrgInviteDeclinedPayload,\n});\n\n// ============ Role Events ============\n\n/**\n * Emitted when a role is assigned to a user or organization.\n */\nexport const RoleAssignedEvent = defineEvent({\n meta: {\n key: 'role.assigned',\n version: 1,\n description: 'A role has been assigned.',\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['role', 'assigned', 'identity'],\n },\n payload: RoleAssignedPayload,\n});\n\n/**\n * Emitted when a role is revoked from a user or organization.\n */\nexport const RoleRevokedEvent = defineEvent({\n meta: {\n key: 'role.revoked',\n version: 1,\n description: 'A role has been revoked.',\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['role', 'revoked', 'identity'],\n },\n payload: RoleRevokedPayload,\n});\n\n// ============ All Events ============\n\n/**\n * All identity-rbac events.\n */\nexport const IdentityRbacEvents = {\n UserCreatedEvent,\n UserUpdatedEvent,\n UserDeletedEvent,\n UserEmailVerifiedEvent,\n OrgCreatedEvent,\n OrgUpdatedEvent,\n OrgDeletedEvent,\n OrgMemberAddedEvent,\n OrgMemberRemovedEvent,\n OrgMemberRoleChangedEvent,\n OrgInviteSentEvent,\n OrgInviteAcceptedEvent,\n OrgInviteDeclinedEvent,\n RoleAssignedEvent,\n RoleRevokedEvent,\n};\n"],"mappings":";;;;AAKA,MAAM,qBAAqB,IAAI,YAAY;CACzC,MAAM;CACN,aAAa;CACb,QAAQ;EACN,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,OAAO;GAAE,MAAM,eAAe,cAAc;GAAE,YAAY;GAAO;EACjE,MAAM;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EAClE,WAAW;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAO;EAClE;CACF,CAAC;AAEF,MAAM,qBAAqB,IAAI,YAAY;CACzC,MAAM;CACN,aAAa;CACb,QAAQ;EACN,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,eAAe;GACb,MAAM,eAAe,iBAAiB;GACtC,YAAY;GACZ,SAAS;GACV;EACD,WAAW;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAO;EAClE;CACF,CAAC;AAEF,MAAM,qBAAqB,IAAI,YAAY;CACzC,MAAM;CACN,aAAa;CACb,QAAQ;EACN,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,OAAO;GAAE,MAAM,eAAe,cAAc;GAAE,YAAY;GAAO;EACjE,WAAW;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAO;EAClE;CACF,CAAC;AAEF,MAAM,2BAA2B,IAAI,YAAY;CAC/C,MAAM;CACN,aAAa;CACb,QAAQ;EACN,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,OAAO;GAAE,MAAM,eAAe,cAAc;GAAE,YAAY;GAAO;EACjE,YAAY;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAO;EACnE;CACF,CAAC;AAIF,MAAM,oBAAoB,IAAI,YAAY;CACxC,MAAM;CACN,aAAa;CACb,QAAQ;EACN,OAAO;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACpE,MAAM;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACnE,MAAM;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EAClE,WAAW;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACxE,WAAW;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAO;EAClE;CACF,CAAC;AAEF,MAAM,oBAAoB,IAAI,YAAY;CACxC,MAAM;CACN,aAAa;CACb,QAAQ;EACN,OAAO;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACpE,eAAe;GACb,MAAM,eAAe,iBAAiB;GACtC,YAAY;GACZ,SAAS;GACV;EACD,WAAW;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACxE,WAAW;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAO;EAClE;CACF,CAAC;AAEF,MAAM,oBAAoB,IAAI,YAAY;CACxC,MAAM;CACN,aAAa;CACb,QAAQ;EACN,OAAO;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACpE,MAAM;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACnE,WAAW;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACxE,WAAW;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAO;EAClE;CACF,CAAC;AAIF,MAAM,wBAAwB,IAAI,YAAY;CAC5C,MAAM;CACN,aAAa;CACb,QAAQ;EACN,OAAO;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACpE,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,MAAM;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACnE,WAAW;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EACvE,UAAU;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAO;EACjE;CACF,CAAC;AAEF,MAAM,0BAA0B,IAAI,YAAY;CAC9C,MAAM;CACN,aAAa;CACb,QAAQ;EACN,OAAO;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACpE,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,WAAW;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EACvE,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EACpE,WAAW;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAO;EAClE;CACF,CAAC;AAEF,MAAM,8BAA8B,IAAI,YAAY;CAClD,MAAM;CACN,aAAa;CACb,QAAQ;EACN,OAAO;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACpE,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,cAAc;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EAC3E,SAAS;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACtE,WAAW;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACxE,WAAW;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAO;EAClE;CACF,CAAC;AAIF,MAAM,uBAAuB,IAAI,YAAY;CAC3C,MAAM;CACN,aAAa;CACb,QAAQ;EACN,cAAc;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EAC3E,OAAO;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACpE,OAAO;GAAE,MAAM,eAAe,cAAc;GAAE,YAAY;GAAO;EACjE,MAAM;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACnE,WAAW;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACxE,WAAW;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAM;EAChE,QAAQ;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAO;EAC/D;CACF,CAAC;AAEF,MAAM,2BAA2B,IAAI,YAAY;CAC/C,MAAM;CACN,aAAa;CACb,QAAQ;EACN,cAAc;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EAC3E,OAAO;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACpE,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,YAAY;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAO;EACnE;CACF,CAAC;AAEF,MAAM,2BAA2B,IAAI,YAAY;CAC/C,MAAM;CACN,aAAa;CACb,QAAQ;EACN,cAAc;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EAC3E,OAAO;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACpE,YAAY;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAO;EACnE;CACF,CAAC;AAIF,MAAM,sBAAsB,IAAI,YAAY;CAC1C,MAAM;CACN,aAAa;CACb,QAAQ;EACN,WAAW;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACxE,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,UAAU;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACvE,YAAY;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACzE,UAAU;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACvE,YAAY;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACzE,WAAW;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAM;EAChE,YAAY;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAO;EACnE;CACF,CAAC;AAEF,MAAM,qBAAqB,IAAI,YAAY;CACzC,MAAM;CACN,aAAa;CACb,QAAQ;EACN,WAAW;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACxE,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,UAAU;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACvE,YAAY;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACzE,UAAU;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACvE,WAAW;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACxE,WAAW;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAO;EAClE;CACF,CAAC;;;;AAOF,MAAa,mBAAmB,YAAY;CAC1C,MAAM;EACJ,KAAK;EACL,SAAS;EACT,aAAa;EACb,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAQ;GAAW;GAAW;EACtC;CACD,SAAS;CACV,CAAC;;;;AAKF,MAAa,mBAAmB,YAAY;CAC1C,MAAM;EACJ,KAAK;EACL,SAAS;EACT,aAAa;EACb,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAQ;GAAW;GAAW;EACtC;CACD,SAAS;CACV,CAAC;;;;AAKF,MAAa,mBAAmB,YAAY;CAC1C,MAAM;EACJ,KAAK;EACL,SAAS;EACT,aAAa;EACb,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAQ;GAAW;GAAW;EACtC;CACD,KAAK,CAAC,QAAQ;CACd,SAAS;CACV,CAAC;;;;AAKF,MAAa,yBAAyB,YAAY;CAChD,MAAM;EACJ,KAAK;EACL,SAAS;EACT,aAAa;EACb,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAQ;GAAY;GAAW;EACvC;CACD,SAAS;CACV,CAAC;;;;AAOF,MAAa,kBAAkB,YAAY;CACzC,MAAM;EACJ,KAAK;EACL,SAAS;EACT,aAAa;EACb,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAO;GAAW;GAAW;EACrC;CACD,SAAS;CACV,CAAC;;;;AAKF,MAAa,kBAAkB,YAAY;CACzC,MAAM;EACJ,KAAK;EACL,SAAS;EACT,aAAa;EACb,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAO;GAAW;GAAW;EACrC;CACD,SAAS;CACV,CAAC;;;;AAKF,MAAa,kBAAkB,YAAY;CACzC,MAAM;EACJ,KAAK;EACL,SAAS;EACT,aAAa;EACb,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAO;GAAW;GAAW;EACrC;CACD,SAAS;CACV,CAAC;;;;AAOF,MAAa,sBAAsB,YAAY;CAC7C,MAAM;EACJ,KAAK;EACL,SAAS;EACT,aAAa;EACb,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAO;GAAU;GAAS;GAAW;EAC7C;CACD,SAAS;CACV,CAAC;;;;AAKF,MAAa,wBAAwB,YAAY;CAC/C,MAAM;EACJ,KAAK;EACL,SAAS;EACT,aAAa;EACb,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAO;GAAU;GAAW;GAAW;EAC/C;CACD,SAAS;CACV,CAAC;;;;AAKF,MAAa,4BAA4B,YAAY;CACnD,MAAM;EACJ,KAAK;EACL,SAAS;EACT,aAAa;EACb,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAO;GAAU;GAAQ;GAAW;GAAW;EACvD;CACD,SAAS;CACV,CAAC;;;;AAOF,MAAa,qBAAqB,YAAY;CAC5C,MAAM;EACJ,KAAK;EACL,SAAS;EACT,aAAa;EACb,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAO;GAAU;GAAQ;GAAW;EAC5C;CACD,KAAK,CAAC,QAAQ;CACd,SAAS;CACV,CAAC;;;;AAKF,MAAa,yBAAyB,YAAY;CAChD,MAAM;EACJ,KAAK;EACL,SAAS;EACT,aAAa;EACb,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAO;GAAU;GAAY;GAAW;EAChD;CACD,SAAS;CACV,CAAC;;;;AAKF,MAAa,yBAAyB,YAAY;CAChD,MAAM;EACJ,KAAK;EACL,SAAS;EACT,aAAa;EACb,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAO;GAAU;GAAY;GAAW;EAChD;CACD,SAAS;CACV,CAAC;;;;AAOF,MAAa,oBAAoB,YAAY;CAC3C,MAAM;EACJ,KAAK;EACL,SAAS;EACT,aAAa;EACb,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAQ;GAAY;GAAW;EACvC;CACD,SAAS;CACV,CAAC;;;;AAKF,MAAa,mBAAmB,YAAY;CAC1C,MAAM;EACJ,KAAK;EACL,SAAS;EACT,aAAa;EACb,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAQ;GAAW;GAAW;EACtC;CACD,SAAS;CACV,CAAC;;;;AAOF,MAAa,qBAAqB;CAChC;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACD"}
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
import { FeatureModuleSpec } from "@contractspec/lib.contracts";
|
|
2
|
+
|
|
3
|
+
//#region src/identity-rbac.feature.d.ts
|
|
4
|
+
|
|
5
|
+
/**
|
|
6
|
+
* Identity RBAC feature module that bundles user, organization,
|
|
7
|
+
* and role-based access control capabilities.
|
|
8
|
+
*/
|
|
9
|
+
declare const IdentityRbacFeature: FeatureModuleSpec;
|
|
10
|
+
//#endregion
|
|
11
|
+
export { IdentityRbacFeature };
|
|
12
|
+
//# sourceMappingURL=identity-rbac.feature.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"identity-rbac.feature.d.ts","names":[],"sources":["../src/identity-rbac.feature.ts"],"sourcesContent":[],"mappings":";;;;;;;;cAWa,qBAAqB"}
|
|
@@ -0,0 +1,188 @@
|
|
|
1
|
+
//#region src/identity-rbac.feature.ts
|
|
2
|
+
/**
|
|
3
|
+
* Identity RBAC feature module that bundles user, organization,
|
|
4
|
+
* and role-based access control capabilities.
|
|
5
|
+
*/
|
|
6
|
+
const IdentityRbacFeature = {
|
|
7
|
+
meta: {
|
|
8
|
+
key: "identity-rbac",
|
|
9
|
+
version: 1,
|
|
10
|
+
title: "Identity & RBAC",
|
|
11
|
+
description: "User identity, organization management, and role-based access control",
|
|
12
|
+
domain: "platform",
|
|
13
|
+
owners: ["@platform.identity-rbac"],
|
|
14
|
+
tags: [
|
|
15
|
+
"identity",
|
|
16
|
+
"rbac",
|
|
17
|
+
"users",
|
|
18
|
+
"organizations",
|
|
19
|
+
"permissions"
|
|
20
|
+
],
|
|
21
|
+
stability: "stable"
|
|
22
|
+
},
|
|
23
|
+
operations: [
|
|
24
|
+
{
|
|
25
|
+
key: "identity.user.create",
|
|
26
|
+
version: 1
|
|
27
|
+
},
|
|
28
|
+
{
|
|
29
|
+
key: "identity.user.update",
|
|
30
|
+
version: 1
|
|
31
|
+
},
|
|
32
|
+
{
|
|
33
|
+
key: "identity.user.delete",
|
|
34
|
+
version: 1
|
|
35
|
+
},
|
|
36
|
+
{
|
|
37
|
+
key: "identity.user.me",
|
|
38
|
+
version: 1
|
|
39
|
+
},
|
|
40
|
+
{
|
|
41
|
+
key: "identity.user.list",
|
|
42
|
+
version: 1
|
|
43
|
+
},
|
|
44
|
+
{
|
|
45
|
+
key: "identity.org.create",
|
|
46
|
+
version: 1
|
|
47
|
+
},
|
|
48
|
+
{
|
|
49
|
+
key: "identity.org.update",
|
|
50
|
+
version: 1
|
|
51
|
+
},
|
|
52
|
+
{
|
|
53
|
+
key: "identity.org.get",
|
|
54
|
+
version: 1
|
|
55
|
+
},
|
|
56
|
+
{
|
|
57
|
+
key: "identity.org.list",
|
|
58
|
+
version: 1
|
|
59
|
+
},
|
|
60
|
+
{
|
|
61
|
+
key: "identity.org.invite",
|
|
62
|
+
version: 1
|
|
63
|
+
},
|
|
64
|
+
{
|
|
65
|
+
key: "identity.org.invite.accept",
|
|
66
|
+
version: 1
|
|
67
|
+
},
|
|
68
|
+
{
|
|
69
|
+
key: "identity.org.member.remove",
|
|
70
|
+
version: 1
|
|
71
|
+
},
|
|
72
|
+
{
|
|
73
|
+
key: "identity.org.members.list",
|
|
74
|
+
version: 1
|
|
75
|
+
},
|
|
76
|
+
{
|
|
77
|
+
key: "identity.rbac.role.create",
|
|
78
|
+
version: 1
|
|
79
|
+
},
|
|
80
|
+
{
|
|
81
|
+
key: "identity.rbac.role.update",
|
|
82
|
+
version: 1
|
|
83
|
+
},
|
|
84
|
+
{
|
|
85
|
+
key: "identity.rbac.role.delete",
|
|
86
|
+
version: 1
|
|
87
|
+
},
|
|
88
|
+
{
|
|
89
|
+
key: "identity.rbac.role.list",
|
|
90
|
+
version: 1
|
|
91
|
+
},
|
|
92
|
+
{
|
|
93
|
+
key: "identity.rbac.assign",
|
|
94
|
+
version: 1
|
|
95
|
+
},
|
|
96
|
+
{
|
|
97
|
+
key: "identity.rbac.revoke",
|
|
98
|
+
version: 1
|
|
99
|
+
},
|
|
100
|
+
{
|
|
101
|
+
key: "identity.rbac.check",
|
|
102
|
+
version: 1
|
|
103
|
+
},
|
|
104
|
+
{
|
|
105
|
+
key: "identity.rbac.permissions",
|
|
106
|
+
version: 1
|
|
107
|
+
}
|
|
108
|
+
],
|
|
109
|
+
events: [
|
|
110
|
+
{
|
|
111
|
+
key: "user.created",
|
|
112
|
+
version: 1
|
|
113
|
+
},
|
|
114
|
+
{
|
|
115
|
+
key: "user.updated",
|
|
116
|
+
version: 1
|
|
117
|
+
},
|
|
118
|
+
{
|
|
119
|
+
key: "user.deleted",
|
|
120
|
+
version: 1
|
|
121
|
+
},
|
|
122
|
+
{
|
|
123
|
+
key: "user.email_verified",
|
|
124
|
+
version: 1
|
|
125
|
+
},
|
|
126
|
+
{
|
|
127
|
+
key: "org.created",
|
|
128
|
+
version: 1
|
|
129
|
+
},
|
|
130
|
+
{
|
|
131
|
+
key: "org.updated",
|
|
132
|
+
version: 1
|
|
133
|
+
},
|
|
134
|
+
{
|
|
135
|
+
key: "org.deleted",
|
|
136
|
+
version: 1
|
|
137
|
+
},
|
|
138
|
+
{
|
|
139
|
+
key: "org.member.added",
|
|
140
|
+
version: 1
|
|
141
|
+
},
|
|
142
|
+
{
|
|
143
|
+
key: "org.member.removed",
|
|
144
|
+
version: 1
|
|
145
|
+
},
|
|
146
|
+
{
|
|
147
|
+
key: "org.member.role_changed",
|
|
148
|
+
version: 1
|
|
149
|
+
},
|
|
150
|
+
{
|
|
151
|
+
key: "org.invite.sent",
|
|
152
|
+
version: 1
|
|
153
|
+
},
|
|
154
|
+
{
|
|
155
|
+
key: "org.invite.accepted",
|
|
156
|
+
version: 1
|
|
157
|
+
},
|
|
158
|
+
{
|
|
159
|
+
key: "org.invite.declined",
|
|
160
|
+
version: 1
|
|
161
|
+
},
|
|
162
|
+
{
|
|
163
|
+
key: "role.assigned",
|
|
164
|
+
version: 1
|
|
165
|
+
},
|
|
166
|
+
{
|
|
167
|
+
key: "role.revoked",
|
|
168
|
+
version: 1
|
|
169
|
+
}
|
|
170
|
+
],
|
|
171
|
+
presentations: [],
|
|
172
|
+
opToPresentation: [],
|
|
173
|
+
presentationsTargets: [],
|
|
174
|
+
capabilities: {
|
|
175
|
+
provides: [{
|
|
176
|
+
key: "identity",
|
|
177
|
+
version: 1
|
|
178
|
+
}, {
|
|
179
|
+
key: "rbac",
|
|
180
|
+
version: 1
|
|
181
|
+
}],
|
|
182
|
+
requires: []
|
|
183
|
+
}
|
|
184
|
+
};
|
|
185
|
+
|
|
186
|
+
//#endregion
|
|
187
|
+
export { IdentityRbacFeature };
|
|
188
|
+
//# sourceMappingURL=identity-rbac.feature.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"identity-rbac.feature.js","names":["IdentityRbacFeature: FeatureModuleSpec"],"sources":["../src/identity-rbac.feature.ts"],"sourcesContent":["/**\n * Identity RBAC Feature Module Specification\n *\n * Defines the feature module for identity management and role-based access control.\n */\nimport type { FeatureModuleSpec } from '@contractspec/lib.contracts';\n\n/**\n * Identity RBAC feature module that bundles user, organization,\n * and role-based access control capabilities.\n */\nexport const IdentityRbacFeature: FeatureModuleSpec = {\n meta: {\n key: 'identity-rbac',\n version: 1,\n title: 'Identity & RBAC',\n description:\n 'User identity, organization management, and role-based access control',\n domain: 'platform',\n owners: ['@platform.identity-rbac'],\n tags: ['identity', 'rbac', 'users', 'organizations', 'permissions'],\n stability: 'stable',\n },\n\n // All contract operations included in this feature\n operations: [\n // User operations\n { key: 'identity.user.create', version: 1 },\n { key: 'identity.user.update', version: 1 },\n { key: 'identity.user.delete', version: 1 },\n { key: 'identity.user.me', version: 1 },\n { key: 'identity.user.list', version: 1 },\n\n // Organization operations\n { key: 'identity.org.create', version: 1 },\n { key: 'identity.org.update', version: 1 },\n { key: 'identity.org.get', version: 1 },\n { key: 'identity.org.list', version: 1 },\n { key: 'identity.org.invite', version: 1 },\n { key: 'identity.org.invite.accept', version: 1 },\n { key: 'identity.org.member.remove', version: 1 },\n { key: 'identity.org.members.list', version: 1 },\n\n // RBAC operations\n { key: 'identity.rbac.role.create', version: 1 },\n { key: 'identity.rbac.role.update', version: 1 },\n { key: 'identity.rbac.role.delete', version: 1 },\n { key: 'identity.rbac.role.list', version: 1 },\n { key: 'identity.rbac.assign', version: 1 },\n { key: 'identity.rbac.revoke', version: 1 },\n { key: 'identity.rbac.check', version: 1 },\n { key: 'identity.rbac.permissions', version: 1 },\n ],\n\n // Events emitted by this feature\n events: [\n // User events\n { key: 'user.created', version: 1 },\n { key: 'user.updated', version: 1 },\n { key: 'user.deleted', version: 1 },\n { key: 'user.email_verified', version: 1 },\n\n // Organization events\n { key: 'org.created', version: 1 },\n { key: 'org.updated', version: 1 },\n { key: 'org.deleted', version: 1 },\n { key: 'org.member.added', version: 1 },\n { key: 'org.member.removed', version: 1 },\n { key: 'org.member.role_changed', version: 1 },\n\n // Invitation events\n { key: 'org.invite.sent', version: 1 },\n { key: 'org.invite.accepted', version: 1 },\n { key: 'org.invite.declined', version: 1 },\n\n // Role events\n { key: 'role.assigned', version: 1 },\n { key: 'role.revoked', version: 1 },\n ],\n\n // No presentations for this library feature\n presentations: [],\n opToPresentation: [],\n presentationsTargets: [],\n\n // Capability definitions\n capabilities: {\n provides: [\n { key: 'identity', version: 1 },\n { key: 'rbac', version: 1 },\n ],\n requires: [],\n },\n};\n"],"mappings":";;;;;AAWA,MAAaA,sBAAyC;CACpD,MAAM;EACJ,KAAK;EACL,SAAS;EACT,OAAO;EACP,aACE;EACF,QAAQ;EACR,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAY;GAAQ;GAAS;GAAiB;GAAc;EACnE,WAAW;EACZ;CAGD,YAAY;EAEV;GAAE,KAAK;GAAwB,SAAS;GAAG;EAC3C;GAAE,KAAK;GAAwB,SAAS;GAAG;EAC3C;GAAE,KAAK;GAAwB,SAAS;GAAG;EAC3C;GAAE,KAAK;GAAoB,SAAS;GAAG;EACvC;GAAE,KAAK;GAAsB,SAAS;GAAG;EAGzC;GAAE,KAAK;GAAuB,SAAS;GAAG;EAC1C;GAAE,KAAK;GAAuB,SAAS;GAAG;EAC1C;GAAE,KAAK;GAAoB,SAAS;GAAG;EACvC;GAAE,KAAK;GAAqB,SAAS;GAAG;EACxC;GAAE,KAAK;GAAuB,SAAS;GAAG;EAC1C;GAAE,KAAK;GAA8B,SAAS;GAAG;EACjD;GAAE,KAAK;GAA8B,SAAS;GAAG;EACjD;GAAE,KAAK;GAA6B,SAAS;GAAG;EAGhD;GAAE,KAAK;GAA6B,SAAS;GAAG;EAChD;GAAE,KAAK;GAA6B,SAAS;GAAG;EAChD;GAAE,KAAK;GAA6B,SAAS;GAAG;EAChD;GAAE,KAAK;GAA2B,SAAS;GAAG;EAC9C;GAAE,KAAK;GAAwB,SAAS;GAAG;EAC3C;GAAE,KAAK;GAAwB,SAAS;GAAG;EAC3C;GAAE,KAAK;GAAuB,SAAS;GAAG;EAC1C;GAAE,KAAK;GAA6B,SAAS;GAAG;EACjD;CAGD,QAAQ;EAEN;GAAE,KAAK;GAAgB,SAAS;GAAG;EACnC;GAAE,KAAK;GAAgB,SAAS;GAAG;EACnC;GAAE,KAAK;GAAgB,SAAS;GAAG;EACnC;GAAE,KAAK;GAAuB,SAAS;GAAG;EAG1C;GAAE,KAAK;GAAe,SAAS;GAAG;EAClC;GAAE,KAAK;GAAe,SAAS;GAAG;EAClC;GAAE,KAAK;GAAe,SAAS;GAAG;EAClC;GAAE,KAAK;GAAoB,SAAS;GAAG;EACvC;GAAE,KAAK;GAAsB,SAAS;GAAG;EACzC;GAAE,KAAK;GAA2B,SAAS;GAAG;EAG9C;GAAE,KAAK;GAAmB,SAAS;GAAG;EACtC;GAAE,KAAK;GAAuB,SAAS;GAAG;EAC1C;GAAE,KAAK;GAAuB,SAAS;GAAG;EAG1C;GAAE,KAAK;GAAiB,SAAS;GAAG;EACpC;GAAE,KAAK;GAAgB,SAAS;GAAG;EACpC;CAGD,eAAe,EAAE;CACjB,kBAAkB,EAAE;CACpB,sBAAsB,EAAE;CAGxB,cAAc;EACZ,UAAU,CACR;GAAE,KAAK;GAAY,SAAS;GAAG,EAC/B;GAAE,KAAK;GAAQ,SAAS;GAAG,CAC5B;EACD,UAAU,EAAE;EACb;CACF"}
|
package/dist/index.d.ts
ADDED
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
import { CreateUserContract, CreateUserInputModel, DeleteUserContract, DeleteUserInputModel, GetCurrentUserContract, ListUsersContract, ListUsersInputModel, ListUsersOutputModel, SuccessResultModel, UpdateUserContract, UpdateUserInputModel, UserDeletedPayloadModel, UserProfileModel } from "./contracts/user.js";
|
|
2
|
+
import { AcceptInviteContract, AcceptInviteInputModel, CreateOrgContract, CreateOrgInputModel, GetOrgContract, GetOrgInputModel, InvitationModel, InviteMemberContract, InviteMemberInputModel, ListMembersContract, ListMembersInputModel, ListMembersOutputModel, ListUserOrgsContract, ListUserOrgsOutputModel, MemberModel, MemberRemovedPayloadModel, MemberUserModel, OrganizationModel, OrganizationWithRoleModel, RemoveMemberContract, RemoveMemberInputModel, UpdateOrgContract, UpdateOrgInputModel } from "./contracts/organization.js";
|
|
3
|
+
import { AssignRoleContract, AssignRoleInputModel, BindingIdPayloadModel, CheckPermissionContract, CheckPermissionInputModel, CreateRoleContract, CreateRoleInputModel, DeleteRoleContract, DeleteRoleInputModel, ListRolesContract, ListRolesOutputModel, ListUserPermissionsContract, ListUserPermissionsInputModel, ListUserPermissionsOutputModel, PermissionCheckResultModel, PolicyBindingModel, RevokeRoleContract, RevokeRoleInputModel, RoleModel, UpdateRoleContract, UpdateRoleInputModel } from "./contracts/rbac.js";
|
|
4
|
+
import "./contracts/index.js";
|
|
5
|
+
import { AccountEntity, SessionEntity, UserEntity, VerificationEntity } from "./entities/user.js";
|
|
6
|
+
import { InvitationEntity, MemberEntity, OrganizationEntity, OrganizationTypeEnum, TeamEntity, TeamMemberEntity } from "./entities/organization.js";
|
|
7
|
+
import { ApiKeyEntity, PasskeyEntity, PermissionEntity, PolicyBindingEntity, RoleEntity } from "./entities/rbac.js";
|
|
8
|
+
import { identityRbacEntities, identityRbacSchemaContribution } from "./entities/index.js";
|
|
9
|
+
import { IdentityRbacEvents, OrgCreatedEvent, OrgDeletedEvent, OrgInviteAcceptedEvent, OrgInviteDeclinedEvent, OrgInviteSentEvent, OrgMemberAddedEvent, OrgMemberRemovedEvent, OrgMemberRoleChangedEvent, OrgUpdatedEvent, RoleAssignedEvent, RoleRevokedEvent, UserCreatedEvent, UserDeletedEvent, UserEmailVerifiedEvent, UserUpdatedEvent } from "./events.js";
|
|
10
|
+
import { IdentityRbacFeature } from "./identity-rbac.feature.js";
|
|
11
|
+
import { Permission, PermissionCheckInput, PermissionCheckResult, PermissionKey, PolicyBindingForEval, RBACPolicyEngine, RoleWithPermissions, StandardRole, createRBACEngine } from "./policies/engine.js";
|
|
12
|
+
export { AcceptInviteContract, AcceptInviteInputModel, AccountEntity, ApiKeyEntity, AssignRoleContract, AssignRoleInputModel, BindingIdPayloadModel, CheckPermissionContract, CheckPermissionInputModel, CreateOrgContract, CreateOrgInputModel, CreateRoleContract, CreateRoleInputModel, CreateUserContract, CreateUserInputModel, DeleteRoleContract, DeleteRoleInputModel, DeleteUserContract, DeleteUserInputModel, GetCurrentUserContract, GetOrgContract, GetOrgInputModel, IdentityRbacEvents, IdentityRbacFeature, InvitationEntity, InvitationModel, InviteMemberContract, InviteMemberInputModel, ListMembersContract, ListMembersInputModel, ListMembersOutputModel, ListRolesContract, ListRolesOutputModel, ListUserOrgsContract, ListUserOrgsOutputModel, ListUserPermissionsContract, ListUserPermissionsInputModel, ListUserPermissionsOutputModel, ListUsersContract, ListUsersInputModel, ListUsersOutputModel, MemberEntity, MemberModel, MemberRemovedPayloadModel, MemberUserModel, OrgCreatedEvent, OrgDeletedEvent, OrgInviteAcceptedEvent, OrgInviteDeclinedEvent, OrgInviteSentEvent, OrgMemberAddedEvent, OrgMemberRemovedEvent, OrgMemberRoleChangedEvent, OrgUpdatedEvent, OrganizationEntity, OrganizationModel, OrganizationTypeEnum, OrganizationWithRoleModel, PasskeyEntity, Permission, PermissionCheckInput, PermissionCheckResult, PermissionCheckResultModel, PermissionEntity, PermissionKey, PolicyBindingEntity, PolicyBindingForEval, PolicyBindingModel, RBACPolicyEngine, RemoveMemberContract, RemoveMemberInputModel, RevokeRoleContract, RevokeRoleInputModel, RoleAssignedEvent, RoleEntity, RoleModel, RoleRevokedEvent, RoleWithPermissions, SessionEntity, StandardRole, SuccessResultModel, TeamEntity, TeamMemberEntity, UpdateOrgContract, UpdateOrgInputModel, UpdateRoleContract, UpdateRoleInputModel, UpdateUserContract, UpdateUserInputModel, UserCreatedEvent, UserDeletedEvent, UserDeletedPayloadModel, UserEmailVerifiedEvent, UserEntity, UserProfileModel, UserUpdatedEvent, VerificationEntity, createRBACEngine, identityRbacEntities, identityRbacSchemaContribution };
|
package/dist/index.js
ADDED
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
import { IdentityRbacEvents, OrgCreatedEvent, OrgDeletedEvent, OrgInviteAcceptedEvent, OrgInviteDeclinedEvent, OrgInviteSentEvent, OrgMemberAddedEvent, OrgMemberRemovedEvent, OrgMemberRoleChangedEvent, OrgUpdatedEvent, RoleAssignedEvent, RoleRevokedEvent, UserCreatedEvent, UserDeletedEvent, UserEmailVerifiedEvent, UserUpdatedEvent } from "./events.js";
|
|
2
|
+
import { IdentityRbacFeature } from "./identity-rbac.feature.js";
|
|
3
|
+
import { AccountEntity, SessionEntity, UserEntity, VerificationEntity } from "./entities/user.js";
|
|
4
|
+
import { InvitationEntity, MemberEntity, OrganizationEntity, OrganizationTypeEnum, TeamEntity, TeamMemberEntity } from "./entities/organization.js";
|
|
5
|
+
import { ApiKeyEntity, PasskeyEntity, PermissionEntity, PolicyBindingEntity, RoleEntity } from "./entities/rbac.js";
|
|
6
|
+
import { identityRbacEntities, identityRbacSchemaContribution } from "./entities/index.js";
|
|
7
|
+
import { CreateUserContract, CreateUserInputModel, DeleteUserContract, DeleteUserInputModel, GetCurrentUserContract, ListUsersContract, ListUsersInputModel, ListUsersOutputModel, SuccessResultModel, UpdateUserContract, UpdateUserInputModel, UserDeletedPayloadModel, UserProfileModel } from "./contracts/user.js";
|
|
8
|
+
import { AcceptInviteContract, AcceptInviteInputModel, CreateOrgContract, CreateOrgInputModel, GetOrgContract, GetOrgInputModel, InvitationModel, InviteMemberContract, InviteMemberInputModel, ListMembersContract, ListMembersInputModel, ListMembersOutputModel, ListUserOrgsContract, ListUserOrgsOutputModel, MemberModel, MemberRemovedPayloadModel, MemberUserModel, OrganizationModel, OrganizationWithRoleModel, RemoveMemberContract, RemoveMemberInputModel, UpdateOrgContract, UpdateOrgInputModel } from "./contracts/organization.js";
|
|
9
|
+
import { AssignRoleContract, AssignRoleInputModel, BindingIdPayloadModel, CheckPermissionContract, CheckPermissionInputModel, CreateRoleContract, CreateRoleInputModel, DeleteRoleContract, DeleteRoleInputModel, ListRolesContract, ListRolesOutputModel, ListUserPermissionsContract, ListUserPermissionsInputModel, ListUserPermissionsOutputModel, PermissionCheckResultModel, PolicyBindingModel, RevokeRoleContract, RevokeRoleInputModel, RoleModel, UpdateRoleContract, UpdateRoleInputModel } from "./contracts/rbac.js";
|
|
10
|
+
import "./contracts/index.js";
|
|
11
|
+
import { Permission, RBACPolicyEngine, StandardRole, createRBACEngine } from "./policies/engine.js";
|
|
12
|
+
import "./policies/index.js";
|
|
13
|
+
|
|
14
|
+
export { AcceptInviteContract, AcceptInviteInputModel, AccountEntity, ApiKeyEntity, AssignRoleContract, AssignRoleInputModel, BindingIdPayloadModel, CheckPermissionContract, CheckPermissionInputModel, CreateOrgContract, CreateOrgInputModel, CreateRoleContract, CreateRoleInputModel, CreateUserContract, CreateUserInputModel, DeleteRoleContract, DeleteRoleInputModel, DeleteUserContract, DeleteUserInputModel, GetCurrentUserContract, GetOrgContract, GetOrgInputModel, IdentityRbacEvents, IdentityRbacFeature, InvitationEntity, InvitationModel, InviteMemberContract, InviteMemberInputModel, ListMembersContract, ListMembersInputModel, ListMembersOutputModel, ListRolesContract, ListRolesOutputModel, ListUserOrgsContract, ListUserOrgsOutputModel, ListUserPermissionsContract, ListUserPermissionsInputModel, ListUserPermissionsOutputModel, ListUsersContract, ListUsersInputModel, ListUsersOutputModel, MemberEntity, MemberModel, MemberRemovedPayloadModel, MemberUserModel, OrgCreatedEvent, OrgDeletedEvent, OrgInviteAcceptedEvent, OrgInviteDeclinedEvent, OrgInviteSentEvent, OrgMemberAddedEvent, OrgMemberRemovedEvent, OrgMemberRoleChangedEvent, OrgUpdatedEvent, OrganizationEntity, OrganizationModel, OrganizationTypeEnum, OrganizationWithRoleModel, PasskeyEntity, Permission, PermissionCheckResultModel, PermissionEntity, PolicyBindingEntity, PolicyBindingModel, RBACPolicyEngine, RemoveMemberContract, RemoveMemberInputModel, RevokeRoleContract, RevokeRoleInputModel, RoleAssignedEvent, RoleEntity, RoleModel, RoleRevokedEvent, SessionEntity, StandardRole, SuccessResultModel, TeamEntity, TeamMemberEntity, UpdateOrgContract, UpdateOrgInputModel, UpdateRoleContract, UpdateRoleInputModel, UpdateUserContract, UpdateUserInputModel, UserCreatedEvent, UserDeletedEvent, UserDeletedPayloadModel, UserEmailVerifiedEvent, UserEntity, UserProfileModel, UserUpdatedEvent, VerificationEntity, createRBACEngine, identityRbacEntities, identityRbacSchemaContribution };
|
|
@@ -0,0 +1,133 @@
|
|
|
1
|
+
//#region src/policies/engine.d.ts
|
|
2
|
+
/**
|
|
3
|
+
* Standard permissions for identity-rbac module.
|
|
4
|
+
*/
|
|
5
|
+
declare const Permission: {
|
|
6
|
+
readonly USER_CREATE: "user.create";
|
|
7
|
+
readonly USER_READ: "user.read";
|
|
8
|
+
readonly USER_UPDATE: "user.update";
|
|
9
|
+
readonly USER_DELETE: "user.delete";
|
|
10
|
+
readonly USER_LIST: "user.list";
|
|
11
|
+
readonly USER_MANAGE: "user.manage";
|
|
12
|
+
readonly ORG_CREATE: "org.create";
|
|
13
|
+
readonly ORG_READ: "org.read";
|
|
14
|
+
readonly ORG_UPDATE: "org.update";
|
|
15
|
+
readonly ORG_DELETE: "org.delete";
|
|
16
|
+
readonly ORG_LIST: "org.list";
|
|
17
|
+
readonly MEMBER_INVITE: "member.invite";
|
|
18
|
+
readonly MEMBER_REMOVE: "member.remove";
|
|
19
|
+
readonly MEMBER_UPDATE_ROLE: "member.update_role";
|
|
20
|
+
readonly MEMBER_LIST: "member.list";
|
|
21
|
+
readonly MANAGE_MEMBERS: "org.manage_members";
|
|
22
|
+
readonly TEAM_CREATE: "team.create";
|
|
23
|
+
readonly TEAM_UPDATE: "team.update";
|
|
24
|
+
readonly TEAM_DELETE: "team.delete";
|
|
25
|
+
readonly TEAM_MANAGE: "team.manage";
|
|
26
|
+
readonly ROLE_CREATE: "role.create";
|
|
27
|
+
readonly ROLE_UPDATE: "role.update";
|
|
28
|
+
readonly ROLE_DELETE: "role.delete";
|
|
29
|
+
readonly ROLE_ASSIGN: "role.assign";
|
|
30
|
+
readonly ROLE_REVOKE: "role.revoke";
|
|
31
|
+
readonly BILLING_VIEW: "billing.view";
|
|
32
|
+
readonly BILLING_MANAGE: "billing.manage";
|
|
33
|
+
readonly PROJECT_CREATE: "project.create";
|
|
34
|
+
readonly PROJECT_READ: "project.read";
|
|
35
|
+
readonly PROJECT_UPDATE: "project.update";
|
|
36
|
+
readonly PROJECT_DELETE: "project.delete";
|
|
37
|
+
readonly PROJECT_MANAGE: "project.manage";
|
|
38
|
+
readonly ADMIN_ACCESS: "admin.access";
|
|
39
|
+
readonly ADMIN_IMPERSONATE: "admin.impersonate";
|
|
40
|
+
};
|
|
41
|
+
type PermissionKey = (typeof Permission)[keyof typeof Permission];
|
|
42
|
+
/**
|
|
43
|
+
* Standard role definitions.
|
|
44
|
+
*/
|
|
45
|
+
declare const StandardRole: {
|
|
46
|
+
readonly OWNER: {
|
|
47
|
+
readonly name: "owner";
|
|
48
|
+
readonly description: "Organization owner with full access";
|
|
49
|
+
readonly permissions: ("user.create" | "user.read" | "user.update" | "user.delete" | "user.list" | "user.manage" | "org.create" | "org.read" | "org.update" | "org.delete" | "org.list" | "member.invite" | "member.remove" | "member.update_role" | "member.list" | "org.manage_members" | "team.create" | "team.update" | "team.delete" | "team.manage" | "role.create" | "role.update" | "role.delete" | "role.assign" | "role.revoke" | "billing.view" | "billing.manage" | "project.create" | "project.read" | "project.update" | "project.delete" | "project.manage" | "admin.access" | "admin.impersonate")[];
|
|
50
|
+
};
|
|
51
|
+
readonly ADMIN: {
|
|
52
|
+
readonly name: "admin";
|
|
53
|
+
readonly description: "Administrator with most permissions";
|
|
54
|
+
readonly permissions: readonly ["user.read", "user.list", "org.read", "org.update", "member.invite", "member.remove", "member.update_role", "member.list", "org.manage_members", "team.create", "team.update", "team.delete", "team.manage", "project.create", "project.read", "project.update", "project.delete", "project.manage", "billing.view"];
|
|
55
|
+
};
|
|
56
|
+
readonly MEMBER: {
|
|
57
|
+
readonly name: "member";
|
|
58
|
+
readonly description: "Regular organization member";
|
|
59
|
+
readonly permissions: readonly ["user.read", "org.read", "member.list", "project.read", "project.create"];
|
|
60
|
+
};
|
|
61
|
+
readonly VIEWER: {
|
|
62
|
+
readonly name: "viewer";
|
|
63
|
+
readonly description: "Read-only access";
|
|
64
|
+
readonly permissions: readonly ["user.read", "org.read", "member.list", "project.read"];
|
|
65
|
+
};
|
|
66
|
+
};
|
|
67
|
+
/**
|
|
68
|
+
* Permission check input.
|
|
69
|
+
*/
|
|
70
|
+
interface PermissionCheckInput {
|
|
71
|
+
userId: string;
|
|
72
|
+
orgId?: string;
|
|
73
|
+
permission: PermissionKey | string;
|
|
74
|
+
}
|
|
75
|
+
/**
|
|
76
|
+
* Permission check result.
|
|
77
|
+
*/
|
|
78
|
+
interface PermissionCheckResult {
|
|
79
|
+
allowed: boolean;
|
|
80
|
+
reason?: string;
|
|
81
|
+
matchedRole?: string;
|
|
82
|
+
}
|
|
83
|
+
/**
|
|
84
|
+
* Role with permissions.
|
|
85
|
+
*/
|
|
86
|
+
interface RoleWithPermissions {
|
|
87
|
+
id: string;
|
|
88
|
+
name: string;
|
|
89
|
+
permissions: string[];
|
|
90
|
+
}
|
|
91
|
+
/**
|
|
92
|
+
* Policy binding for permission evaluation.
|
|
93
|
+
*/
|
|
94
|
+
interface PolicyBindingForEval {
|
|
95
|
+
roleId: string;
|
|
96
|
+
role: RoleWithPermissions;
|
|
97
|
+
targetType: 'user' | 'organization';
|
|
98
|
+
targetId: string;
|
|
99
|
+
expiresAt?: Date | null;
|
|
100
|
+
}
|
|
101
|
+
/**
|
|
102
|
+
* RBAC Policy Engine for permission checks.
|
|
103
|
+
*/
|
|
104
|
+
declare class RBACPolicyEngine {
|
|
105
|
+
private roleCache;
|
|
106
|
+
private bindingCache;
|
|
107
|
+
/**
|
|
108
|
+
* Check if a user has a specific permission.
|
|
109
|
+
*/
|
|
110
|
+
checkPermission(input: PermissionCheckInput, bindings: PolicyBindingForEval[]): Promise<PermissionCheckResult>;
|
|
111
|
+
/**
|
|
112
|
+
* Get all permissions for a user in a context.
|
|
113
|
+
*/
|
|
114
|
+
getPermissions(userId: string, orgId: string | undefined, bindings: PolicyBindingForEval[]): Promise<{
|
|
115
|
+
permissions: Set<string>;
|
|
116
|
+
roles: RoleWithPermissions[];
|
|
117
|
+
}>;
|
|
118
|
+
/**
|
|
119
|
+
* Check if user has any of the specified permissions.
|
|
120
|
+
*/
|
|
121
|
+
hasAnyPermission(userId: string, orgId: string | undefined, permissions: string[], bindings: PolicyBindingForEval[]): Promise<boolean>;
|
|
122
|
+
/**
|
|
123
|
+
* Check if user has all of the specified permissions.
|
|
124
|
+
*/
|
|
125
|
+
hasAllPermissions(userId: string, orgId: string | undefined, permissions: string[], bindings: PolicyBindingForEval[]): Promise<boolean>;
|
|
126
|
+
}
|
|
127
|
+
/**
|
|
128
|
+
* Create a new RBAC policy engine instance.
|
|
129
|
+
*/
|
|
130
|
+
declare function createRBACEngine(): RBACPolicyEngine;
|
|
131
|
+
//#endregion
|
|
132
|
+
export { Permission, PermissionCheckInput, PermissionCheckResult, PermissionKey, PolicyBindingForEval, RBACPolicyEngine, RoleWithPermissions, StandardRole, createRBACEngine };
|
|
133
|
+
//# sourceMappingURL=engine.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"engine.d.ts","names":[],"sources":["../../src/policies/engine.ts"],"sourcesContent":[],"mappings":";;AAGA;AAoDA;AAKa,cAzDA,UA6GH,EAAA;EAKO,SAAA,WAAA,EAAA,aAGH;EAMG,SAAA,SAAA,EAAA,WAAqB;EASrB,SAAA,WAAA,EAAmB,aAAA;EASnB,SAAA,WAAA,EAAA,aAET;EASK,SAAA,SAAA,EAAgB,WAAA;EAQlB,SAAA,WAAA,EAAA,aAAA;EACG,SAAA,UAAA,EAAA,YAAA;EACD,SAAA,QAAA,EAAA,UAAA;EAAR,SAAA,UAAA,EAAA,YAAA;EAmDS,SAAA,UAAA,EAAA,YAAA;EAEG,SAAA,QAAA,EAAA,UAAA;EACN,SAAA,aAAA,EAAA,eAAA;EAFN,SAAA,aAAA,EAAA,eAAA;EA4CS,SAAA,kBAAA,EAAA,oBAAA;EACT,SAAA,WAAA,EAAA,aAAA;EAiBS,SAAA,cAAA,EAAA,oBAAA;EACT,SAAA,WAAA,EAAA,aAAA;EAAO,SAAA,WAAA,EAAA,aAAA;EAcI,SAAA,WAAgB,EAAA,aAAI;;;;;;;;;;;;;;;;;KA/OxB,aAAA,WAAwB,yBAAyB;;;;cAKhD;;;;;;;;;;;;;;;;;;;;;;;;;UAyDI,oBAAA;;;cAGH;;;;;UAMG,qBAAA;;;;;;;;UASA,mBAAA;;;;;;;;UASA,oBAAA;;QAET;;;cAGM;;;;;cAMD,gBAAA;;;;;;yBAQF,gCACG,yBACT,QAAQ;;;;sEAmDC,yBACT;iBACY;WACN;;;;;+FA0CG,yBACT;;;;gGAiBS,yBACT;;;;;iBAcW,gBAAA,CAAA,GAAoB"}
|
|
@@ -0,0 +1,168 @@
|
|
|
1
|
+
//#region src/policies/engine.ts
|
|
2
|
+
/**
|
|
3
|
+
* Standard permissions for identity-rbac module.
|
|
4
|
+
*/
|
|
5
|
+
const Permission = {
|
|
6
|
+
USER_CREATE: "user.create",
|
|
7
|
+
USER_READ: "user.read",
|
|
8
|
+
USER_UPDATE: "user.update",
|
|
9
|
+
USER_DELETE: "user.delete",
|
|
10
|
+
USER_LIST: "user.list",
|
|
11
|
+
USER_MANAGE: "user.manage",
|
|
12
|
+
ORG_CREATE: "org.create",
|
|
13
|
+
ORG_READ: "org.read",
|
|
14
|
+
ORG_UPDATE: "org.update",
|
|
15
|
+
ORG_DELETE: "org.delete",
|
|
16
|
+
ORG_LIST: "org.list",
|
|
17
|
+
MEMBER_INVITE: "member.invite",
|
|
18
|
+
MEMBER_REMOVE: "member.remove",
|
|
19
|
+
MEMBER_UPDATE_ROLE: "member.update_role",
|
|
20
|
+
MEMBER_LIST: "member.list",
|
|
21
|
+
MANAGE_MEMBERS: "org.manage_members",
|
|
22
|
+
TEAM_CREATE: "team.create",
|
|
23
|
+
TEAM_UPDATE: "team.update",
|
|
24
|
+
TEAM_DELETE: "team.delete",
|
|
25
|
+
TEAM_MANAGE: "team.manage",
|
|
26
|
+
ROLE_CREATE: "role.create",
|
|
27
|
+
ROLE_UPDATE: "role.update",
|
|
28
|
+
ROLE_DELETE: "role.delete",
|
|
29
|
+
ROLE_ASSIGN: "role.assign",
|
|
30
|
+
ROLE_REVOKE: "role.revoke",
|
|
31
|
+
BILLING_VIEW: "billing.view",
|
|
32
|
+
BILLING_MANAGE: "billing.manage",
|
|
33
|
+
PROJECT_CREATE: "project.create",
|
|
34
|
+
PROJECT_READ: "project.read",
|
|
35
|
+
PROJECT_UPDATE: "project.update",
|
|
36
|
+
PROJECT_DELETE: "project.delete",
|
|
37
|
+
PROJECT_MANAGE: "project.manage",
|
|
38
|
+
ADMIN_ACCESS: "admin.access",
|
|
39
|
+
ADMIN_IMPERSONATE: "admin.impersonate"
|
|
40
|
+
};
|
|
41
|
+
/**
|
|
42
|
+
* Standard role definitions.
|
|
43
|
+
*/
|
|
44
|
+
const StandardRole = {
|
|
45
|
+
OWNER: {
|
|
46
|
+
name: "owner",
|
|
47
|
+
description: "Organization owner with full access",
|
|
48
|
+
permissions: Object.values(Permission)
|
|
49
|
+
},
|
|
50
|
+
ADMIN: {
|
|
51
|
+
name: "admin",
|
|
52
|
+
description: "Administrator with most permissions",
|
|
53
|
+
permissions: [
|
|
54
|
+
Permission.USER_READ,
|
|
55
|
+
Permission.USER_LIST,
|
|
56
|
+
Permission.ORG_READ,
|
|
57
|
+
Permission.ORG_UPDATE,
|
|
58
|
+
Permission.MEMBER_INVITE,
|
|
59
|
+
Permission.MEMBER_REMOVE,
|
|
60
|
+
Permission.MEMBER_UPDATE_ROLE,
|
|
61
|
+
Permission.MEMBER_LIST,
|
|
62
|
+
Permission.MANAGE_MEMBERS,
|
|
63
|
+
Permission.TEAM_CREATE,
|
|
64
|
+
Permission.TEAM_UPDATE,
|
|
65
|
+
Permission.TEAM_DELETE,
|
|
66
|
+
Permission.TEAM_MANAGE,
|
|
67
|
+
Permission.PROJECT_CREATE,
|
|
68
|
+
Permission.PROJECT_READ,
|
|
69
|
+
Permission.PROJECT_UPDATE,
|
|
70
|
+
Permission.PROJECT_DELETE,
|
|
71
|
+
Permission.PROJECT_MANAGE,
|
|
72
|
+
Permission.BILLING_VIEW
|
|
73
|
+
]
|
|
74
|
+
},
|
|
75
|
+
MEMBER: {
|
|
76
|
+
name: "member",
|
|
77
|
+
description: "Regular organization member",
|
|
78
|
+
permissions: [
|
|
79
|
+
Permission.USER_READ,
|
|
80
|
+
Permission.ORG_READ,
|
|
81
|
+
Permission.MEMBER_LIST,
|
|
82
|
+
Permission.PROJECT_READ,
|
|
83
|
+
Permission.PROJECT_CREATE
|
|
84
|
+
]
|
|
85
|
+
},
|
|
86
|
+
VIEWER: {
|
|
87
|
+
name: "viewer",
|
|
88
|
+
description: "Read-only access",
|
|
89
|
+
permissions: [
|
|
90
|
+
Permission.USER_READ,
|
|
91
|
+
Permission.ORG_READ,
|
|
92
|
+
Permission.MEMBER_LIST,
|
|
93
|
+
Permission.PROJECT_READ
|
|
94
|
+
]
|
|
95
|
+
}
|
|
96
|
+
};
|
|
97
|
+
/**
|
|
98
|
+
* RBAC Policy Engine for permission checks.
|
|
99
|
+
*/
|
|
100
|
+
var RBACPolicyEngine = class {
|
|
101
|
+
roleCache = /* @__PURE__ */ new Map();
|
|
102
|
+
bindingCache = /* @__PURE__ */ new Map();
|
|
103
|
+
/**
|
|
104
|
+
* Check if a user has a specific permission.
|
|
105
|
+
*/
|
|
106
|
+
async checkPermission(input, bindings) {
|
|
107
|
+
const { userId, orgId, permission } = input;
|
|
108
|
+
const now = /* @__PURE__ */ new Date();
|
|
109
|
+
const userBindings = bindings.filter((b) => b.targetType === "user" && b.targetId === userId);
|
|
110
|
+
const orgBindings = orgId ? bindings.filter((b) => b.targetType === "organization" && b.targetId === orgId) : [];
|
|
111
|
+
const activeBindings = [...userBindings, ...orgBindings].filter((b) => !b.expiresAt || b.expiresAt > now);
|
|
112
|
+
if (activeBindings.length === 0) return {
|
|
113
|
+
allowed: false,
|
|
114
|
+
reason: "No active role bindings found"
|
|
115
|
+
};
|
|
116
|
+
for (const binding of activeBindings) if (binding.role.permissions.includes(permission)) return {
|
|
117
|
+
allowed: true,
|
|
118
|
+
matchedRole: binding.role.name
|
|
119
|
+
};
|
|
120
|
+
return {
|
|
121
|
+
allowed: false,
|
|
122
|
+
reason: `No role grants the "${permission}" permission`
|
|
123
|
+
};
|
|
124
|
+
}
|
|
125
|
+
/**
|
|
126
|
+
* Get all permissions for a user in a context.
|
|
127
|
+
*/
|
|
128
|
+
async getPermissions(userId, orgId, bindings) {
|
|
129
|
+
const now = /* @__PURE__ */ new Date();
|
|
130
|
+
const userBindings = bindings.filter((b) => b.targetType === "user" && b.targetId === userId);
|
|
131
|
+
const orgBindings = orgId ? bindings.filter((b) => b.targetType === "organization" && b.targetId === orgId) : [];
|
|
132
|
+
const activeBindings = [...userBindings, ...orgBindings].filter((b) => !b.expiresAt || b.expiresAt > now);
|
|
133
|
+
const permissions = /* @__PURE__ */ new Set();
|
|
134
|
+
const roles = [];
|
|
135
|
+
for (const binding of activeBindings) {
|
|
136
|
+
roles.push(binding.role);
|
|
137
|
+
for (const perm of binding.role.permissions) permissions.add(perm);
|
|
138
|
+
}
|
|
139
|
+
return {
|
|
140
|
+
permissions,
|
|
141
|
+
roles
|
|
142
|
+
};
|
|
143
|
+
}
|
|
144
|
+
/**
|
|
145
|
+
* Check if user has any of the specified permissions.
|
|
146
|
+
*/
|
|
147
|
+
async hasAnyPermission(userId, orgId, permissions, bindings) {
|
|
148
|
+
const { permissions: userPerms } = await this.getPermissions(userId, orgId, bindings);
|
|
149
|
+
return permissions.some((p) => userPerms.has(p));
|
|
150
|
+
}
|
|
151
|
+
/**
|
|
152
|
+
* Check if user has all of the specified permissions.
|
|
153
|
+
*/
|
|
154
|
+
async hasAllPermissions(userId, orgId, permissions, bindings) {
|
|
155
|
+
const { permissions: userPerms } = await this.getPermissions(userId, orgId, bindings);
|
|
156
|
+
return permissions.every((p) => userPerms.has(p));
|
|
157
|
+
}
|
|
158
|
+
};
|
|
159
|
+
/**
|
|
160
|
+
* Create a new RBAC policy engine instance.
|
|
161
|
+
*/
|
|
162
|
+
function createRBACEngine() {
|
|
163
|
+
return new RBACPolicyEngine();
|
|
164
|
+
}
|
|
165
|
+
|
|
166
|
+
//#endregion
|
|
167
|
+
export { Permission, RBACPolicyEngine, StandardRole, createRBACEngine };
|
|
168
|
+
//# sourceMappingURL=engine.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"engine.js","names":["roles: RoleWithPermissions[]"],"sources":["../../src/policies/engine.ts"],"sourcesContent":["/**\n * Standard permissions for identity-rbac module.\n */\nexport const Permission = {\n // User permissions\n USER_CREATE: 'user.create',\n USER_READ: 'user.read',\n USER_UPDATE: 'user.update',\n USER_DELETE: 'user.delete',\n USER_LIST: 'user.list',\n USER_MANAGE: 'user.manage',\n\n // Organization permissions\n ORG_CREATE: 'org.create',\n ORG_READ: 'org.read',\n ORG_UPDATE: 'org.update',\n ORG_DELETE: 'org.delete',\n ORG_LIST: 'org.list',\n\n // Member permissions\n MEMBER_INVITE: 'member.invite',\n MEMBER_REMOVE: 'member.remove',\n MEMBER_UPDATE_ROLE: 'member.update_role',\n MEMBER_LIST: 'member.list',\n MANAGE_MEMBERS: 'org.manage_members',\n\n // Team permissions\n TEAM_CREATE: 'team.create',\n TEAM_UPDATE: 'team.update',\n TEAM_DELETE: 'team.delete',\n TEAM_MANAGE: 'team.manage',\n\n // Role permissions\n ROLE_CREATE: 'role.create',\n ROLE_UPDATE: 'role.update',\n ROLE_DELETE: 'role.delete',\n ROLE_ASSIGN: 'role.assign',\n ROLE_REVOKE: 'role.revoke',\n\n // Billing permissions\n BILLING_VIEW: 'billing.view',\n BILLING_MANAGE: 'billing.manage',\n\n // Project permissions\n PROJECT_CREATE: 'project.create',\n PROJECT_READ: 'project.read',\n PROJECT_UPDATE: 'project.update',\n PROJECT_DELETE: 'project.delete',\n PROJECT_MANAGE: 'project.manage',\n\n // Admin permissions\n ADMIN_ACCESS: 'admin.access',\n ADMIN_IMPERSONATE: 'admin.impersonate',\n} as const;\n\nexport type PermissionKey = (typeof Permission)[keyof typeof Permission];\n\n/**\n * Standard role definitions.\n */\nexport const StandardRole = {\n OWNER: {\n name: 'owner',\n description: 'Organization owner with full access',\n permissions: Object.values(Permission),\n },\n ADMIN: {\n name: 'admin',\n description: 'Administrator with most permissions',\n permissions: [\n Permission.USER_READ,\n Permission.USER_LIST,\n Permission.ORG_READ,\n Permission.ORG_UPDATE,\n Permission.MEMBER_INVITE,\n Permission.MEMBER_REMOVE,\n Permission.MEMBER_UPDATE_ROLE,\n Permission.MEMBER_LIST,\n Permission.MANAGE_MEMBERS,\n Permission.TEAM_CREATE,\n Permission.TEAM_UPDATE,\n Permission.TEAM_DELETE,\n Permission.TEAM_MANAGE,\n Permission.PROJECT_CREATE,\n Permission.PROJECT_READ,\n Permission.PROJECT_UPDATE,\n Permission.PROJECT_DELETE,\n Permission.PROJECT_MANAGE,\n Permission.BILLING_VIEW,\n ],\n },\n MEMBER: {\n name: 'member',\n description: 'Regular organization member',\n permissions: [\n Permission.USER_READ,\n Permission.ORG_READ,\n Permission.MEMBER_LIST,\n Permission.PROJECT_READ,\n Permission.PROJECT_CREATE,\n ],\n },\n VIEWER: {\n name: 'viewer',\n description: 'Read-only access',\n permissions: [\n Permission.USER_READ,\n Permission.ORG_READ,\n Permission.MEMBER_LIST,\n Permission.PROJECT_READ,\n ],\n },\n} as const;\n\n/**\n * Permission check input.\n */\nexport interface PermissionCheckInput {\n userId: string;\n orgId?: string;\n permission: PermissionKey | string;\n}\n\n/**\n * Permission check result.\n */\nexport interface PermissionCheckResult {\n allowed: boolean;\n reason?: string;\n matchedRole?: string;\n}\n\n/**\n * Role with permissions.\n */\nexport interface RoleWithPermissions {\n id: string;\n name: string;\n permissions: string[];\n}\n\n/**\n * Policy binding for permission evaluation.\n */\nexport interface PolicyBindingForEval {\n roleId: string;\n role: RoleWithPermissions;\n targetType: 'user' | 'organization';\n targetId: string;\n expiresAt?: Date | null;\n}\n\n/**\n * RBAC Policy Engine for permission checks.\n */\nexport class RBACPolicyEngine {\n private roleCache = new Map<string, RoleWithPermissions>();\n private bindingCache = new Map<string, PolicyBindingForEval[]>();\n\n /**\n * Check if a user has a specific permission.\n */\n async checkPermission(\n input: PermissionCheckInput,\n bindings: PolicyBindingForEval[]\n ): Promise<PermissionCheckResult> {\n const { userId, orgId, permission } = input;\n const now = new Date();\n\n // Get all applicable bindings\n const userBindings = bindings.filter(\n (b) => b.targetType === 'user' && b.targetId === userId\n );\n\n const orgBindings = orgId\n ? bindings.filter(\n (b) => b.targetType === 'organization' && b.targetId === orgId\n )\n : [];\n\n const allBindings = [...userBindings, ...orgBindings];\n\n // Filter out expired bindings\n const activeBindings = allBindings.filter(\n (b) => !b.expiresAt || b.expiresAt > now\n );\n\n if (activeBindings.length === 0) {\n return {\n allowed: false,\n reason: 'No active role bindings found',\n };\n }\n\n // Check if any role grants the permission\n for (const binding of activeBindings) {\n if (binding.role.permissions.includes(permission)) {\n return {\n allowed: true,\n matchedRole: binding.role.name,\n };\n }\n }\n\n return {\n allowed: false,\n reason: `No role grants the \"${permission}\" permission`,\n };\n }\n\n /**\n * Get all permissions for a user in a context.\n */\n async getPermissions(\n userId: string,\n orgId: string | undefined,\n bindings: PolicyBindingForEval[]\n ): Promise<{\n permissions: Set<string>;\n roles: RoleWithPermissions[];\n }> {\n const now = new Date();\n\n // Get all applicable bindings\n const userBindings = bindings.filter(\n (b) => b.targetType === 'user' && b.targetId === userId\n );\n\n const orgBindings = orgId\n ? bindings.filter(\n (b) => b.targetType === 'organization' && b.targetId === orgId\n )\n : [];\n\n const allBindings = [...userBindings, ...orgBindings];\n\n // Filter out expired bindings\n const activeBindings = allBindings.filter(\n (b) => !b.expiresAt || b.expiresAt > now\n );\n\n const permissions = new Set<string>();\n const roles: RoleWithPermissions[] = [];\n\n for (const binding of activeBindings) {\n roles.push(binding.role);\n for (const perm of binding.role.permissions) {\n permissions.add(perm);\n }\n }\n\n return { permissions, roles };\n }\n\n /**\n * Check if user has any of the specified permissions.\n */\n async hasAnyPermission(\n userId: string,\n orgId: string | undefined,\n permissions: string[],\n bindings: PolicyBindingForEval[]\n ): Promise<boolean> {\n const { permissions: userPerms } = await this.getPermissions(\n userId,\n orgId,\n bindings\n );\n\n return permissions.some((p) => userPerms.has(p));\n }\n\n /**\n * Check if user has all of the specified permissions.\n */\n async hasAllPermissions(\n userId: string,\n orgId: string | undefined,\n permissions: string[],\n bindings: PolicyBindingForEval[]\n ): Promise<boolean> {\n const { permissions: userPerms } = await this.getPermissions(\n userId,\n orgId,\n bindings\n );\n\n return permissions.every((p) => userPerms.has(p));\n }\n}\n\n/**\n * Create a new RBAC policy engine instance.\n */\nexport function createRBACEngine(): RBACPolicyEngine {\n return new RBACPolicyEngine();\n}\n"],"mappings":";;;;AAGA,MAAa,aAAa;CAExB,aAAa;CACb,WAAW;CACX,aAAa;CACb,aAAa;CACb,WAAW;CACX,aAAa;CAGb,YAAY;CACZ,UAAU;CACV,YAAY;CACZ,YAAY;CACZ,UAAU;CAGV,eAAe;CACf,eAAe;CACf,oBAAoB;CACpB,aAAa;CACb,gBAAgB;CAGhB,aAAa;CACb,aAAa;CACb,aAAa;CACb,aAAa;CAGb,aAAa;CACb,aAAa;CACb,aAAa;CACb,aAAa;CACb,aAAa;CAGb,cAAc;CACd,gBAAgB;CAGhB,gBAAgB;CAChB,cAAc;CACd,gBAAgB;CAChB,gBAAgB;CAChB,gBAAgB;CAGhB,cAAc;CACd,mBAAmB;CACpB;;;;AAOD,MAAa,eAAe;CAC1B,OAAO;EACL,MAAM;EACN,aAAa;EACb,aAAa,OAAO,OAAO,WAAW;EACvC;CACD,OAAO;EACL,MAAM;EACN,aAAa;EACb,aAAa;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACZ;EACF;CACD,QAAQ;EACN,MAAM;EACN,aAAa;EACb,aAAa;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACZ;EACF;CACD,QAAQ;EACN,MAAM;EACN,aAAa;EACb,aAAa;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACX,WAAW;GACZ;EACF;CACF;;;;AA2CD,IAAa,mBAAb,MAA8B;CAC5B,AAAQ,4BAAY,IAAI,KAAkC;CAC1D,AAAQ,+BAAe,IAAI,KAAqC;;;;CAKhE,MAAM,gBACJ,OACA,UACgC;EAChC,MAAM,EAAE,QAAQ,OAAO,eAAe;EACtC,MAAM,sBAAM,IAAI,MAAM;EAGtB,MAAM,eAAe,SAAS,QAC3B,MAAM,EAAE,eAAe,UAAU,EAAE,aAAa,OAClD;EAED,MAAM,cAAc,QAChB,SAAS,QACN,MAAM,EAAE,eAAe,kBAAkB,EAAE,aAAa,MAC1D,GACD,EAAE;EAKN,MAAM,iBAHc,CAAC,GAAG,cAAc,GAAG,YAAY,CAGlB,QAChC,MAAM,CAAC,EAAE,aAAa,EAAE,YAAY,IACtC;AAED,MAAI,eAAe,WAAW,EAC5B,QAAO;GACL,SAAS;GACT,QAAQ;GACT;AAIH,OAAK,MAAM,WAAW,eACpB,KAAI,QAAQ,KAAK,YAAY,SAAS,WAAW,CAC/C,QAAO;GACL,SAAS;GACT,aAAa,QAAQ,KAAK;GAC3B;AAIL,SAAO;GACL,SAAS;GACT,QAAQ,uBAAuB,WAAW;GAC3C;;;;;CAMH,MAAM,eACJ,QACA,OACA,UAIC;EACD,MAAM,sBAAM,IAAI,MAAM;EAGtB,MAAM,eAAe,SAAS,QAC3B,MAAM,EAAE,eAAe,UAAU,EAAE,aAAa,OAClD;EAED,MAAM,cAAc,QAChB,SAAS,QACN,MAAM,EAAE,eAAe,kBAAkB,EAAE,aAAa,MAC1D,GACD,EAAE;EAKN,MAAM,iBAHc,CAAC,GAAG,cAAc,GAAG,YAAY,CAGlB,QAChC,MAAM,CAAC,EAAE,aAAa,EAAE,YAAY,IACtC;EAED,MAAM,8BAAc,IAAI,KAAa;EACrC,MAAMA,QAA+B,EAAE;AAEvC,OAAK,MAAM,WAAW,gBAAgB;AACpC,SAAM,KAAK,QAAQ,KAAK;AACxB,QAAK,MAAM,QAAQ,QAAQ,KAAK,YAC9B,aAAY,IAAI,KAAK;;AAIzB,SAAO;GAAE;GAAa;GAAO;;;;;CAM/B,MAAM,iBACJ,QACA,OACA,aACA,UACkB;EAClB,MAAM,EAAE,aAAa,cAAc,MAAM,KAAK,eAC5C,QACA,OACA,SACD;AAED,SAAO,YAAY,MAAM,MAAM,UAAU,IAAI,EAAE,CAAC;;;;;CAMlD,MAAM,kBACJ,QACA,OACA,aACA,UACkB;EAClB,MAAM,EAAE,aAAa,cAAc,MAAM,KAAK,eAC5C,QACA,OACA,SACD;AAED,SAAO,YAAY,OAAO,MAAM,UAAU,IAAI,EAAE,CAAC;;;;;;AAOrD,SAAgB,mBAAqC;AACnD,QAAO,IAAI,kBAAkB"}
|
|
@@ -0,0 +1,2 @@
|
|
|
1
|
+
import { Permission, PermissionCheckInput, PermissionCheckResult, PermissionKey, PolicyBindingForEval, RBACPolicyEngine, RoleWithPermissions, StandardRole, createRBACEngine } from "./engine.js";
|
|
2
|
+
export { Permission, type PermissionCheckInput, type PermissionCheckResult, type PermissionKey, type PolicyBindingForEval, RBACPolicyEngine, type RoleWithPermissions, StandardRole, createRBACEngine };
|