@contractspec/lib.identity-rbac 1.56.1 → 1.58.0

package/dist/policies/engine.js

@@ -1,168 +1,155 @@
-//#region src/policies/engine.ts
-/**
-* Standard permissions for identity-rbac module.
-*/
-const Permission = {
-	USER_CREATE: "user.create",
-	USER_READ: "user.read",
-	USER_UPDATE: "user.update",
-	USER_DELETE: "user.delete",
-	USER_LIST: "user.list",
-	USER_MANAGE: "user.manage",
-	ORG_CREATE: "org.create",
-	ORG_READ: "org.read",
-	ORG_UPDATE: "org.update",
-	ORG_DELETE: "org.delete",
-	ORG_LIST: "org.list",
-	MEMBER_INVITE: "member.invite",
-	MEMBER_REMOVE: "member.remove",
-	MEMBER_UPDATE_ROLE: "member.update_role",
-	MEMBER_LIST: "member.list",
-	MANAGE_MEMBERS: "org.manage_members",
-	TEAM_CREATE: "team.create",
-	TEAM_UPDATE: "team.update",
-	TEAM_DELETE: "team.delete",
-	TEAM_MANAGE: "team.manage",
-	ROLE_CREATE: "role.create",
-	ROLE_UPDATE: "role.update",
-	ROLE_DELETE: "role.delete",
-	ROLE_ASSIGN: "role.assign",
-	ROLE_REVOKE: "role.revoke",
-	BILLING_VIEW: "billing.view",
-	BILLING_MANAGE: "billing.manage",
-	PROJECT_CREATE: "project.create",
-	PROJECT_READ: "project.read",
-	PROJECT_UPDATE: "project.update",
-	PROJECT_DELETE: "project.delete",
-	PROJECT_MANAGE: "project.manage",
-	ADMIN_ACCESS: "admin.access",
-	ADMIN_IMPERSONATE: "admin.impersonate"
+// @bun
+// src/policies/engine.ts
+var Permission = {
+  USER_CREATE: "user.create",
+  USER_READ: "user.read",
+  USER_UPDATE: "user.update",
+  USER_DELETE: "user.delete",
+  USER_LIST: "user.list",
+  USER_MANAGE: "user.manage",
+  ORG_CREATE: "org.create",
+  ORG_READ: "org.read",
+  ORG_UPDATE: "org.update",
+  ORG_DELETE: "org.delete",
+  ORG_LIST: "org.list",
+  MEMBER_INVITE: "member.invite",
+  MEMBER_REMOVE: "member.remove",
+  MEMBER_UPDATE_ROLE: "member.update_role",
+  MEMBER_LIST: "member.list",
+  MANAGE_MEMBERS: "org.manage_members",
+  TEAM_CREATE: "team.create",
+  TEAM_UPDATE: "team.update",
+  TEAM_DELETE: "team.delete",
+  TEAM_MANAGE: "team.manage",
+  ROLE_CREATE: "role.create",
+  ROLE_UPDATE: "role.update",
+  ROLE_DELETE: "role.delete",
+  ROLE_ASSIGN: "role.assign",
+  ROLE_REVOKE: "role.revoke",
+  BILLING_VIEW: "billing.view",
+  BILLING_MANAGE: "billing.manage",
+  PROJECT_CREATE: "project.create",
+  PROJECT_READ: "project.read",
+  PROJECT_UPDATE: "project.update",
+  PROJECT_DELETE: "project.delete",
+  PROJECT_MANAGE: "project.manage",
+  ADMIN_ACCESS: "admin.access",
+  ADMIN_IMPERSONATE: "admin.impersonate"
 };
-/**
-* Standard role definitions.
-*/
-const StandardRole = {
-	OWNER: {
-		name: "owner",
-		description: "Organization owner with full access",
-		permissions: Object.values(Permission)
-	},
-	ADMIN: {
-		name: "admin",
-		description: "Administrator with most permissions",
-		permissions: [
-			Permission.USER_READ,
-			Permission.USER_LIST,
-			Permission.ORG_READ,
-			Permission.ORG_UPDATE,
-			Permission.MEMBER_INVITE,
-			Permission.MEMBER_REMOVE,
-			Permission.MEMBER_UPDATE_ROLE,
-			Permission.MEMBER_LIST,
-			Permission.MANAGE_MEMBERS,
-			Permission.TEAM_CREATE,
-			Permission.TEAM_UPDATE,
-			Permission.TEAM_DELETE,
-			Permission.TEAM_MANAGE,
-			Permission.PROJECT_CREATE,
-			Permission.PROJECT_READ,
-			Permission.PROJECT_UPDATE,
-			Permission.PROJECT_DELETE,
-			Permission.PROJECT_MANAGE,
-			Permission.BILLING_VIEW
-		]
-	},
-	MEMBER: {
-		name: "member",
-		description: "Regular organization member",
-		permissions: [
-			Permission.USER_READ,
-			Permission.ORG_READ,
-			Permission.MEMBER_LIST,
-			Permission.PROJECT_READ,
-			Permission.PROJECT_CREATE
-		]
-	},
-	VIEWER: {
-		name: "viewer",
-		description: "Read-only access",
-		permissions: [
-			Permission.USER_READ,
-			Permission.ORG_READ,
-			Permission.MEMBER_LIST,
-			Permission.PROJECT_READ
-		]
-	}
+var StandardRole = {
+  OWNER: {
+    name: "owner",
+    description: "Organization owner with full access",
+    permissions: Object.values(Permission)
+  },
+  ADMIN: {
+    name: "admin",
+    description: "Administrator with most permissions",
+    permissions: [
+      Permission.USER_READ,
+      Permission.USER_LIST,
+      Permission.ORG_READ,
+      Permission.ORG_UPDATE,
+      Permission.MEMBER_INVITE,
+      Permission.MEMBER_REMOVE,
+      Permission.MEMBER_UPDATE_ROLE,
+      Permission.MEMBER_LIST,
+      Permission.MANAGE_MEMBERS,
+      Permission.TEAM_CREATE,
+      Permission.TEAM_UPDATE,
+      Permission.TEAM_DELETE,
+      Permission.TEAM_MANAGE,
+      Permission.PROJECT_CREATE,
+      Permission.PROJECT_READ,
+      Permission.PROJECT_UPDATE,
+      Permission.PROJECT_DELETE,
+      Permission.PROJECT_MANAGE,
+      Permission.BILLING_VIEW
+    ]
+  },
+  MEMBER: {
+    name: "member",
+    description: "Regular organization member",
+    permissions: [
+      Permission.USER_READ,
+      Permission.ORG_READ,
+      Permission.MEMBER_LIST,
+      Permission.PROJECT_READ,
+      Permission.PROJECT_CREATE
+    ]
+  },
+  VIEWER: {
+    name: "viewer",
+    description: "Read-only access",
+    permissions: [
+      Permission.USER_READ,
+      Permission.ORG_READ,
+      Permission.MEMBER_LIST,
+      Permission.PROJECT_READ
+    ]
+  }
 };
-/**
-* RBAC Policy Engine for permission checks.
-*/
-var RBACPolicyEngine = class {
-	roleCache = /* @__PURE__ */ new Map();
-	bindingCache = /* @__PURE__ */ new Map();
-	/**
-	* Check if a user has a specific permission.
-	*/
-	async checkPermission(input, bindings) {
-		const { userId, orgId, permission } = input;
-		const now = /* @__PURE__ */ new Date();
-		const userBindings = bindings.filter((b) => b.targetType === "user" && b.targetId === userId);
-		const orgBindings = orgId ? bindings.filter((b) => b.targetType === "organization" && b.targetId === orgId) : [];
-		const activeBindings = [...userBindings, ...orgBindings].filter((b) => !b.expiresAt || b.expiresAt > now);
-		if (activeBindings.length === 0) return {
-			allowed: false,
-			reason: "No active role bindings found"
-		};
-		for (const binding of activeBindings) if (binding.role.permissions.includes(permission)) return {
-			allowed: true,
-			matchedRole: binding.role.name
-		};
-		return {
-			allowed: false,
-			reason: `No role grants the "${permission}" permission`
-		};
-	}
-	/**
-	* Get all permissions for a user in a context.
-	*/
-	async getPermissions(userId, orgId, bindings) {
-		const now = /* @__PURE__ */ new Date();
-		const userBindings = bindings.filter((b) => b.targetType === "user" && b.targetId === userId);
-		const orgBindings = orgId ? bindings.filter((b) => b.targetType === "organization" && b.targetId === orgId) : [];
-		const activeBindings = [...userBindings, ...orgBindings].filter((b) => !b.expiresAt || b.expiresAt > now);
-		const permissions = /* @__PURE__ */ new Set();
-		const roles = [];
-		for (const binding of activeBindings) {
-			roles.push(binding.role);
-			for (const perm of binding.role.permissions) permissions.add(perm);
-		}
-		return {
-			permissions,
-			roles
-		};
-	}
-	/**
-	* Check if user has any of the specified permissions.
-	*/
-	async hasAnyPermission(userId, orgId, permissions, bindings) {
-		const { permissions: userPerms } = await this.getPermissions(userId, orgId, bindings);
-		return permissions.some((p) => userPerms.has(p));
-	}
-	/**
-	* Check if user has all of the specified permissions.
-	*/
-	async hasAllPermissions(userId, orgId, permissions, bindings) {
-		const { permissions: userPerms } = await this.getPermissions(userId, orgId, bindings);
-		return permissions.every((p) => userPerms.has(p));
-	}
-};
-/**
-* Create a new RBAC policy engine instance.
-*/
+
+class RBACPolicyEngine {
+  roleCache = new Map;
+  bindingCache = new Map;
+  async checkPermission(input, bindings) {
+    const { userId, orgId, permission } = input;
+    const now = new Date;
+    const userBindings = bindings.filter((b) => b.targetType === "user" && b.targetId === userId);
+    const orgBindings = orgId ? bindings.filter((b) => b.targetType === "organization" && b.targetId === orgId) : [];
+    const allBindings = [...userBindings, ...orgBindings];
+    const activeBindings = allBindings.filter((b) => !b.expiresAt || b.expiresAt > now);
+    if (activeBindings.length === 0) {
+      return {
+        allowed: false,
+        reason: "No active role bindings found"
+      };
+    }
+    for (const binding of activeBindings) {
+      if (binding.role.permissions.includes(permission)) {
+        return {
+          allowed: true,
+          matchedRole: binding.role.name
+        };
+      }
+    }
+    return {
+      allowed: false,
+      reason: `No role grants the "${permission}" permission`
+    };
+  }
+  async getPermissions(userId, orgId, bindings) {
+    const now = new Date;
+    const userBindings = bindings.filter((b) => b.targetType === "user" && b.targetId === userId);
+    const orgBindings = orgId ? bindings.filter((b) => b.targetType === "organization" && b.targetId === orgId) : [];
+    const allBindings = [...userBindings, ...orgBindings];
+    const activeBindings = allBindings.filter((b) => !b.expiresAt || b.expiresAt > now);
+    const permissions = new Set;
+    const roles = [];
+    for (const binding of activeBindings) {
+      roles.push(binding.role);
+      for (const perm of binding.role.permissions) {
+        permissions.add(perm);
+      }
+    }
+    return { permissions, roles };
+  }
+  async hasAnyPermission(userId, orgId, permissions, bindings) {
+    const { permissions: userPerms } = await this.getPermissions(userId, orgId, bindings);
+    return permissions.some((p) => userPerms.has(p));
+  }
+  async hasAllPermissions(userId, orgId, permissions, bindings) {
+    const { permissions: userPerms } = await this.getPermissions(userId, orgId, bindings);
+    return permissions.every((p) => userPerms.has(p));
+  }
+}
 function createRBACEngine() {
-	return new RBACPolicyEngine();
+  return new RBACPolicyEngine;
 }
-
-//#endregion
-export { Permission, RBACPolicyEngine, StandardRole, createRBACEngine };
-//# sourceMappingURL=engine.js.map
+export {
+  createRBACEngine,
+  StandardRole,
+  RBACPolicyEngine,
+  Permission
+};

package/dist/policies/index.d.ts

@@ -1,2 +1,2 @@
-import { Permission, PermissionCheckInput, PermissionCheckResult, PermissionKey, PolicyBindingForEval, RBACPolicyEngine, RoleWithPermissions, StandardRole, createRBACEngine } from "./engine.js";
-export { Permission, type PermissionCheckInput, type PermissionCheckResult, type PermissionKey, type PolicyBindingForEval, RBACPolicyEngine, type RoleWithPermissions, StandardRole, createRBACEngine };
+export { Permission, StandardRole, RBACPolicyEngine, createRBACEngine, type PermissionKey, type PermissionCheckInput, type PermissionCheckResult, type RoleWithPermissions, type PolicyBindingForEval, } from './engine';
+//# sourceMappingURL=index.d.ts.map

package/dist/policies/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/policies/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,UAAU,EACV,YAAY,EACZ,gBAAgB,EAChB,gBAAgB,EAChB,KAAK,aAAa,EAClB,KAAK,oBAAoB,EACzB,KAAK,qBAAqB,EAC1B,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,GAC1B,MAAM,UAAU,CAAC"}

package/dist/policies/index.js

@@ -1,3 +1,155 @@
-import { Permission, RBACPolicyEngine, StandardRole, createRBACEngine } from "./engine.js";
+// @bun
+// src/policies/engine.ts
+var Permission = {
+  USER_CREATE: "user.create",
+  USER_READ: "user.read",
+  USER_UPDATE: "user.update",
+  USER_DELETE: "user.delete",
+  USER_LIST: "user.list",
+  USER_MANAGE: "user.manage",
+  ORG_CREATE: "org.create",
+  ORG_READ: "org.read",
+  ORG_UPDATE: "org.update",
+  ORG_DELETE: "org.delete",
+  ORG_LIST: "org.list",
+  MEMBER_INVITE: "member.invite",
+  MEMBER_REMOVE: "member.remove",
+  MEMBER_UPDATE_ROLE: "member.update_role",
+  MEMBER_LIST: "member.list",
+  MANAGE_MEMBERS: "org.manage_members",
+  TEAM_CREATE: "team.create",
+  TEAM_UPDATE: "team.update",
+  TEAM_DELETE: "team.delete",
+  TEAM_MANAGE: "team.manage",
+  ROLE_CREATE: "role.create",
+  ROLE_UPDATE: "role.update",
+  ROLE_DELETE: "role.delete",
+  ROLE_ASSIGN: "role.assign",
+  ROLE_REVOKE: "role.revoke",
+  BILLING_VIEW: "billing.view",
+  BILLING_MANAGE: "billing.manage",
+  PROJECT_CREATE: "project.create",
+  PROJECT_READ: "project.read",
+  PROJECT_UPDATE: "project.update",
+  PROJECT_DELETE: "project.delete",
+  PROJECT_MANAGE: "project.manage",
+  ADMIN_ACCESS: "admin.access",
+  ADMIN_IMPERSONATE: "admin.impersonate"
+};
+var StandardRole = {
+  OWNER: {
+    name: "owner",
+    description: "Organization owner with full access",
+    permissions: Object.values(Permission)
+  },
+  ADMIN: {
+    name: "admin",
+    description: "Administrator with most permissions",
+    permissions: [
+      Permission.USER_READ,
+      Permission.USER_LIST,
+      Permission.ORG_READ,
+      Permission.ORG_UPDATE,
+      Permission.MEMBER_INVITE,
+      Permission.MEMBER_REMOVE,
+      Permission.MEMBER_UPDATE_ROLE,
+      Permission.MEMBER_LIST,
+      Permission.MANAGE_MEMBERS,
+      Permission.TEAM_CREATE,
+      Permission.TEAM_UPDATE,
+      Permission.TEAM_DELETE,
+      Permission.TEAM_MANAGE,
+      Permission.PROJECT_CREATE,
+      Permission.PROJECT_READ,
+      Permission.PROJECT_UPDATE,
+      Permission.PROJECT_DELETE,
+      Permission.PROJECT_MANAGE,
+      Permission.BILLING_VIEW
+    ]
+  },
+  MEMBER: {
+    name: "member",
+    description: "Regular organization member",
+    permissions: [
+      Permission.USER_READ,
+      Permission.ORG_READ,
+      Permission.MEMBER_LIST,
+      Permission.PROJECT_READ,
+      Permission.PROJECT_CREATE
+    ]
+  },
+  VIEWER: {
+    name: "viewer",
+    description: "Read-only access",
+    permissions: [
+      Permission.USER_READ,
+      Permission.ORG_READ,
+      Permission.MEMBER_LIST,
+      Permission.PROJECT_READ
+    ]
+  }
+};
 
-export { Permission, RBACPolicyEngine, StandardRole, createRBACEngine };
+class RBACPolicyEngine {
+  roleCache = new Map;
+  bindingCache = new Map;
+  async checkPermission(input, bindings) {
+    const { userId, orgId, permission } = input;
+    const now = new Date;
+    const userBindings = bindings.filter((b) => b.targetType === "user" && b.targetId === userId);
+    const orgBindings = orgId ? bindings.filter((b) => b.targetType === "organization" && b.targetId === orgId) : [];
+    const allBindings = [...userBindings, ...orgBindings];
+    const activeBindings = allBindings.filter((b) => !b.expiresAt || b.expiresAt > now);
+    if (activeBindings.length === 0) {
+      return {
+        allowed: false,
+        reason: "No active role bindings found"
+      };
+    }
+    for (const binding of activeBindings) {
+      if (binding.role.permissions.includes(permission)) {
+        return {
+          allowed: true,
+          matchedRole: binding.role.name
+        };
+      }
+    }
+    return {
+      allowed: false,
+      reason: `No role grants the "${permission}" permission`
+    };
+  }
+  async getPermissions(userId, orgId, bindings) {
+    const now = new Date;
+    const userBindings = bindings.filter((b) => b.targetType === "user" && b.targetId === userId);
+    const orgBindings = orgId ? bindings.filter((b) => b.targetType === "organization" && b.targetId === orgId) : [];
+    const allBindings = [...userBindings, ...orgBindings];
+    const activeBindings = allBindings.filter((b) => !b.expiresAt || b.expiresAt > now);
+    const permissions = new Set;
+    const roles = [];
+    for (const binding of activeBindings) {
+      roles.push(binding.role);
+      for (const perm of binding.role.permissions) {
+        permissions.add(perm);
+      }
+    }
+    return { permissions, roles };
+  }
+  async hasAnyPermission(userId, orgId, permissions, bindings) {
+    const { permissions: userPerms } = await this.getPermissions(userId, orgId, bindings);
+    return permissions.some((p) => userPerms.has(p));
+  }
+  async hasAllPermissions(userId, orgId, permissions, bindings) {
+    const { permissions: userPerms } = await this.getPermissions(userId, orgId, bindings);
+    return permissions.every((p) => userPerms.has(p));
+  }
+}
+function createRBACEngine() {
+  return new RBACPolicyEngine;
+}
+export {
+  createRBACEngine,
+  StandardRole,
+  RBACPolicyEngine,
+  Permission
+};