@contractspec/lib.identity-rbac 1.57.0 → 1.58.0

package/dist/browser/policies/engine.js

@@ -0,0 +1,154 @@
+// src/policies/engine.ts
+var Permission = {
+  USER_CREATE: "user.create",
+  USER_READ: "user.read",
+  USER_UPDATE: "user.update",
+  USER_DELETE: "user.delete",
+  USER_LIST: "user.list",
+  USER_MANAGE: "user.manage",
+  ORG_CREATE: "org.create",
+  ORG_READ: "org.read",
+  ORG_UPDATE: "org.update",
+  ORG_DELETE: "org.delete",
+  ORG_LIST: "org.list",
+  MEMBER_INVITE: "member.invite",
+  MEMBER_REMOVE: "member.remove",
+  MEMBER_UPDATE_ROLE: "member.update_role",
+  MEMBER_LIST: "member.list",
+  MANAGE_MEMBERS: "org.manage_members",
+  TEAM_CREATE: "team.create",
+  TEAM_UPDATE: "team.update",
+  TEAM_DELETE: "team.delete",
+  TEAM_MANAGE: "team.manage",
+  ROLE_CREATE: "role.create",
+  ROLE_UPDATE: "role.update",
+  ROLE_DELETE: "role.delete",
+  ROLE_ASSIGN: "role.assign",
+  ROLE_REVOKE: "role.revoke",
+  BILLING_VIEW: "billing.view",
+  BILLING_MANAGE: "billing.manage",
+  PROJECT_CREATE: "project.create",
+  PROJECT_READ: "project.read",
+  PROJECT_UPDATE: "project.update",
+  PROJECT_DELETE: "project.delete",
+  PROJECT_MANAGE: "project.manage",
+  ADMIN_ACCESS: "admin.access",
+  ADMIN_IMPERSONATE: "admin.impersonate"
+};
+var StandardRole = {
+  OWNER: {
+    name: "owner",
+    description: "Organization owner with full access",
+    permissions: Object.values(Permission)
+  },
+  ADMIN: {
+    name: "admin",
+    description: "Administrator with most permissions",
+    permissions: [
+      Permission.USER_READ,
+      Permission.USER_LIST,
+      Permission.ORG_READ,
+      Permission.ORG_UPDATE,
+      Permission.MEMBER_INVITE,
+      Permission.MEMBER_REMOVE,
+      Permission.MEMBER_UPDATE_ROLE,
+      Permission.MEMBER_LIST,
+      Permission.MANAGE_MEMBERS,
+      Permission.TEAM_CREATE,
+      Permission.TEAM_UPDATE,
+      Permission.TEAM_DELETE,
+      Permission.TEAM_MANAGE,
+      Permission.PROJECT_CREATE,
+      Permission.PROJECT_READ,
+      Permission.PROJECT_UPDATE,
+      Permission.PROJECT_DELETE,
+      Permission.PROJECT_MANAGE,
+      Permission.BILLING_VIEW
+    ]
+  },
+  MEMBER: {
+    name: "member",
+    description: "Regular organization member",
+    permissions: [
+      Permission.USER_READ,
+      Permission.ORG_READ,
+      Permission.MEMBER_LIST,
+      Permission.PROJECT_READ,
+      Permission.PROJECT_CREATE
+    ]
+  },
+  VIEWER: {
+    name: "viewer",
+    description: "Read-only access",
+    permissions: [
+      Permission.USER_READ,
+      Permission.ORG_READ,
+      Permission.MEMBER_LIST,
+      Permission.PROJECT_READ
+    ]
+  }
+};
+
+class RBACPolicyEngine {
+  roleCache = new Map;
+  bindingCache = new Map;
+  async checkPermission(input, bindings) {
+    const { userId, orgId, permission } = input;
+    const now = new Date;
+    const userBindings = bindings.filter((b) => b.targetType === "user" && b.targetId === userId);
+    const orgBindings = orgId ? bindings.filter((b) => b.targetType === "organization" && b.targetId === orgId) : [];
+    const allBindings = [...userBindings, ...orgBindings];
+    const activeBindings = allBindings.filter((b) => !b.expiresAt || b.expiresAt > now);
+    if (activeBindings.length === 0) {
+      return {
+        allowed: false,
+        reason: "No active role bindings found"
+      };
+    }
+    for (const binding of activeBindings) {
+      if (binding.role.permissions.includes(permission)) {
+        return {
+          allowed: true,
+          matchedRole: binding.role.name
+        };
+      }
+    }
+    return {
+      allowed: false,
+      reason: `No role grants the "${permission}" permission`
+    };
+  }
+  async getPermissions(userId, orgId, bindings) {
+    const now = new Date;
+    const userBindings = bindings.filter((b) => b.targetType === "user" && b.targetId === userId);
+    const orgBindings = orgId ? bindings.filter((b) => b.targetType === "organization" && b.targetId === orgId) : [];
+    const allBindings = [...userBindings, ...orgBindings];
+    const activeBindings = allBindings.filter((b) => !b.expiresAt || b.expiresAt > now);
+    const permissions = new Set;
+    const roles = [];
+    for (const binding of activeBindings) {
+      roles.push(binding.role);
+      for (const perm of binding.role.permissions) {
+        permissions.add(perm);
+      }
+    }
+    return { permissions, roles };
+  }
+  async hasAnyPermission(userId, orgId, permissions, bindings) {
+    const { permissions: userPerms } = await this.getPermissions(userId, orgId, bindings);
+    return permissions.some((p) => userPerms.has(p));
+  }
+  async hasAllPermissions(userId, orgId, permissions, bindings) {
+    const { permissions: userPerms } = await this.getPermissions(userId, orgId, bindings);
+    return permissions.every((p) => userPerms.has(p));
+  }
+}
+function createRBACEngine() {
+  return new RBACPolicyEngine;
+}
+export {
+  createRBACEngine,
+  StandardRole,
+  RBACPolicyEngine,
+  Permission
+};

package/dist/browser/policies/index.js

@@ -0,0 +1,154 @@
+// src/policies/engine.ts
+var Permission = {
+  USER_CREATE: "user.create",
+  USER_READ: "user.read",
+  USER_UPDATE: "user.update",
+  USER_DELETE: "user.delete",
+  USER_LIST: "user.list",
+  USER_MANAGE: "user.manage",
+  ORG_CREATE: "org.create",
+  ORG_READ: "org.read",
+  ORG_UPDATE: "org.update",
+  ORG_DELETE: "org.delete",
+  ORG_LIST: "org.list",
+  MEMBER_INVITE: "member.invite",
+  MEMBER_REMOVE: "member.remove",
+  MEMBER_UPDATE_ROLE: "member.update_role",
+  MEMBER_LIST: "member.list",
+  MANAGE_MEMBERS: "org.manage_members",
+  TEAM_CREATE: "team.create",
+  TEAM_UPDATE: "team.update",
+  TEAM_DELETE: "team.delete",
+  TEAM_MANAGE: "team.manage",
+  ROLE_CREATE: "role.create",
+  ROLE_UPDATE: "role.update",
+  ROLE_DELETE: "role.delete",
+  ROLE_ASSIGN: "role.assign",
+  ROLE_REVOKE: "role.revoke",
+  BILLING_VIEW: "billing.view",
+  BILLING_MANAGE: "billing.manage",
+  PROJECT_CREATE: "project.create",
+  PROJECT_READ: "project.read",
+  PROJECT_UPDATE: "project.update",
+  PROJECT_DELETE: "project.delete",
+  PROJECT_MANAGE: "project.manage",
+  ADMIN_ACCESS: "admin.access",
+  ADMIN_IMPERSONATE: "admin.impersonate"
+};
+var StandardRole = {
+  OWNER: {
+    name: "owner",
+    description: "Organization owner with full access",
+    permissions: Object.values(Permission)
+  },
+  ADMIN: {
+    name: "admin",
+    description: "Administrator with most permissions",
+    permissions: [
+      Permission.USER_READ,
+      Permission.USER_LIST,
+      Permission.ORG_READ,
+      Permission.ORG_UPDATE,
+      Permission.MEMBER_INVITE,
+      Permission.MEMBER_REMOVE,
+      Permission.MEMBER_UPDATE_ROLE,
+      Permission.MEMBER_LIST,
+      Permission.MANAGE_MEMBERS,
+      Permission.TEAM_CREATE,
+      Permission.TEAM_UPDATE,
+      Permission.TEAM_DELETE,
+      Permission.TEAM_MANAGE,
+      Permission.PROJECT_CREATE,
+      Permission.PROJECT_READ,
+      Permission.PROJECT_UPDATE,
+      Permission.PROJECT_DELETE,
+      Permission.PROJECT_MANAGE,
+      Permission.BILLING_VIEW
+    ]
+  },
+  MEMBER: {
+    name: "member",
+    description: "Regular organization member",
+    permissions: [
+      Permission.USER_READ,
+      Permission.ORG_READ,
+      Permission.MEMBER_LIST,
+      Permission.PROJECT_READ,
+      Permission.PROJECT_CREATE
+    ]
+  },
+  VIEWER: {
+    name: "viewer",
+    description: "Read-only access",
+    permissions: [
+      Permission.USER_READ,
+      Permission.ORG_READ,
+      Permission.MEMBER_LIST,
+      Permission.PROJECT_READ
+    ]
+  }
+};
+
+class RBACPolicyEngine {
+  roleCache = new Map;
+  bindingCache = new Map;
+  async checkPermission(input, bindings) {
+    const { userId, orgId, permission } = input;
+    const now = new Date;
+    const userBindings = bindings.filter((b) => b.targetType === "user" && b.targetId === userId);
+    const orgBindings = orgId ? bindings.filter((b) => b.targetType === "organization" && b.targetId === orgId) : [];
+    const allBindings = [...userBindings, ...orgBindings];
+    const activeBindings = allBindings.filter((b) => !b.expiresAt || b.expiresAt > now);
+    if (activeBindings.length === 0) {
+      return {
+        allowed: false,
+        reason: "No active role bindings found"
+      };
+    }
+    for (const binding of activeBindings) {
+      if (binding.role.permissions.includes(permission)) {
+        return {
+          allowed: true,
+          matchedRole: binding.role.name
+        };
+      }
+    }
+    return {
+      allowed: false,
+      reason: `No role grants the "${permission}" permission`
+    };
+  }
+  async getPermissions(userId, orgId, bindings) {
+    const now = new Date;
+    const userBindings = bindings.filter((b) => b.targetType === "user" && b.targetId === userId);
+    const orgBindings = orgId ? bindings.filter((b) => b.targetType === "organization" && b.targetId === orgId) : [];
+    const allBindings = [...userBindings, ...orgBindings];
+    const activeBindings = allBindings.filter((b) => !b.expiresAt || b.expiresAt > now);
+    const permissions = new Set;
+    const roles = [];
+    for (const binding of activeBindings) {
+      roles.push(binding.role);
+      for (const perm of binding.role.permissions) {
+        permissions.add(perm);
+      }
+    }
+    return { permissions, roles };
+  }
+  async hasAnyPermission(userId, orgId, permissions, bindings) {
+    const { permissions: userPerms } = await this.getPermissions(userId, orgId, bindings);
+    return permissions.some((p) => userPerms.has(p));
+  }
+  async hasAllPermissions(userId, orgId, permissions, bindings) {
+    const { permissions: userPerms } = await this.getPermissions(userId, orgId, bindings);
+    return permissions.every((p) => userPerms.has(p));
+  }
+}
+function createRBACEngine() {
+  return new RBACPolicyEngine;
+}
+export {
+  createRBACEngine,
+  StandardRole,
+  RBACPolicyEngine,
+  Permission
+};

package/dist/contracts/index.d.ts

@@ -1,4 +1,4 @@
-import { CreateUserContract, CreateUserInputModel, DeleteUserContract, DeleteUserInputModel, GetCurrentUserContract, ListUsersContract, ListUsersInputModel, ListUsersOutputModel, SuccessResultModel, UpdateUserContract, UpdateUserInputModel, UserDeletedPayloadModel, UserProfileModel } from "./user.js";
-import { AcceptInviteContract, AcceptInviteInputModel, CreateOrgContract, CreateOrgInputModel, GetOrgContract, GetOrgInputModel, InvitationModel, InviteMemberContract, InviteMemberInputModel, ListMembersContract, ListMembersInputModel, ListMembersOutputModel, ListUserOrgsContract, ListUserOrgsOutputModel, MemberModel, MemberRemovedPayloadModel, MemberUserModel, OrganizationModel, OrganizationWithRoleModel, RemoveMemberContract, RemoveMemberInputModel, UpdateOrgContract, UpdateOrgInputModel } from "./organization.js";
-import { AssignRoleContract, AssignRoleInputModel, BindingIdPayloadModel, CheckPermissionContract, CheckPermissionInputModel, CreateRoleContract, CreateRoleInputModel, DeleteRoleContract, DeleteRoleInputModel, ListRolesContract, ListRolesOutputModel, ListUserPermissionsContract, ListUserPermissionsInputModel, ListUserPermissionsOutputModel, PermissionCheckResultModel, PolicyBindingModel, RevokeRoleContract, RevokeRoleInputModel, RoleModel, UpdateRoleContract, UpdateRoleInputModel } from "./rbac.js";
-export { AcceptInviteContract, AcceptInviteInputModel, AssignRoleContract, AssignRoleInputModel, BindingIdPayloadModel, CheckPermissionContract, CheckPermissionInputModel, CreateOrgContract, CreateOrgInputModel, CreateRoleContract, CreateRoleInputModel, CreateUserContract, CreateUserInputModel, DeleteRoleContract, DeleteRoleInputModel, DeleteUserContract, DeleteUserInputModel, GetCurrentUserContract, GetOrgContract, GetOrgInputModel, InvitationModel, InviteMemberContract, InviteMemberInputModel, ListMembersContract, ListMembersInputModel, ListMembersOutputModel, ListRolesContract, ListRolesOutputModel, ListUserOrgsContract, ListUserOrgsOutputModel, ListUserPermissionsContract, ListUserPermissionsInputModel, ListUserPermissionsOutputModel, ListUsersContract, ListUsersInputModel, ListUsersOutputModel, MemberModel, MemberRemovedPayloadModel, MemberUserModel, OrganizationModel, OrganizationWithRoleModel, PermissionCheckResultModel, PolicyBindingModel, RemoveMemberContract, RemoveMemberInputModel, RevokeRoleContract, RevokeRoleInputModel, RoleModel, SuccessResultModel, UpdateOrgContract, UpdateOrgInputModel, UpdateRoleContract, UpdateRoleInputModel, UpdateUserContract, UpdateUserInputModel, UserDeletedPayloadModel, UserProfileModel };
+export { UserProfileModel, CreateUserInputModel, UpdateUserInputModel, SuccessResultModel, UserDeletedPayloadModel, ListUsersInputModel, ListUsersOutputModel, DeleteUserInputModel, CreateUserContract, GetCurrentUserContract, UpdateUserContract, DeleteUserContract, ListUsersContract, } from './user';
+export { OrganizationModel, MemberModel, MemberUserModel, InvitationModel, CreateOrgInputModel, GetOrgInputModel, UpdateOrgInputModel, InviteMemberInputModel, AcceptInviteInputModel, RemoveMemberInputModel, MemberRemovedPayloadModel, ListMembersInputModel, ListMembersOutputModel, OrganizationWithRoleModel, ListUserOrgsOutputModel, CreateOrgContract, GetOrgContract, UpdateOrgContract, InviteMemberContract, AcceptInviteContract, RemoveMemberContract, ListMembersContract, ListUserOrgsContract, } from './organization';
+export { RoleModel, PolicyBindingModel, PermissionCheckResultModel, CreateRoleInputModel, UpdateRoleInputModel, DeleteRoleInputModel, ListRolesOutputModel, AssignRoleInputModel, RevokeRoleInputModel, BindingIdPayloadModel, CheckPermissionInputModel, ListUserPermissionsInputModel, ListUserPermissionsOutputModel, CreateRoleContract, UpdateRoleContract, DeleteRoleContract, ListRolesContract, AssignRoleContract, RevokeRoleContract, CheckPermissionContract, ListUserPermissionsContract, } from './rbac';
+//# sourceMappingURL=index.d.ts.map

package/dist/contracts/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/contracts/index.ts"],"names":[],"mappings":"AACA,OAAO,EACL,gBAAgB,EAChB,oBAAoB,EACpB,oBAAoB,EACpB,kBAAkB,EAClB,uBAAuB,EACvB,mBAAmB,EACnB,oBAAoB,EACpB,oBAAoB,EACpB,kBAAkB,EAClB,sBAAsB,EACtB,kBAAkB,EAClB,kBAAkB,EAClB,iBAAiB,GAClB,MAAM,QAAQ,CAAC;AAGhB,OAAO,EACL,iBAAiB,EACjB,WAAW,EACX,eAAe,EACf,eAAe,EACf,mBAAmB,EACnB,gBAAgB,EAChB,mBAAmB,EACnB,sBAAsB,EACtB,sBAAsB,EACtB,sBAAsB,EACtB,yBAAyB,EACzB,qBAAqB,EACrB,sBAAsB,EACtB,yBAAyB,EACzB,uBAAuB,EACvB,iBAAiB,EACjB,cAAc,EACd,iBAAiB,EACjB,oBAAoB,EACpB,oBAAoB,EACpB,oBAAoB,EACpB,mBAAmB,EACnB,oBAAoB,GACrB,MAAM,gBAAgB,CAAC;AAGxB,OAAO,EACL,SAAS,EACT,kBAAkB,EAClB,0BAA0B,EAC1B,oBAAoB,EACpB,oBAAoB,EACpB,oBAAoB,EACpB,oBAAoB,EACpB,oBAAoB,EACpB,oBAAoB,EACpB,qBAAqB,EACrB,yBAAyB,EACzB,6BAA6B,EAC7B,8BAA8B,EAC9B,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB,EAClB,iBAAiB,EACjB,kBAAkB,EAClB,kBAAkB,EAClB,uBAAuB,EACvB,2BAA2B,GAC5B,MAAM,QAAQ,CAAC"}