@contractspec/lib.identity-rbac 3.7.17 → 3.7.18

package/dist/browser/policies/engine.js

@@ -1,154 +1 @@
-// src/policies/engine.ts
-var Permission = {
-  USER_CREATE: "user.create",
-  USER_READ: "user.read",
-  USER_UPDATE: "user.update",
-  USER_DELETE: "user.delete",
-  USER_LIST: "user.list",
-  USER_MANAGE: "user.manage",
-  ORG_CREATE: "org.create",
-  ORG_READ: "org.read",
-  ORG_UPDATE: "org.update",
-  ORG_DELETE: "org.delete",
-  ORG_LIST: "org.list",
-  MEMBER_INVITE: "member.invite",
-  MEMBER_REMOVE: "member.remove",
-  MEMBER_UPDATE_ROLE: "member.update_role",
-  MEMBER_LIST: "member.list",
-  MANAGE_MEMBERS: "org.manage_members",
-  TEAM_CREATE: "team.create",
-  TEAM_UPDATE: "team.update",
-  TEAM_DELETE: "team.delete",
-  TEAM_MANAGE: "team.manage",
-  ROLE_CREATE: "role.create",
-  ROLE_UPDATE: "role.update",
-  ROLE_DELETE: "role.delete",
-  ROLE_ASSIGN: "role.assign",
-  ROLE_REVOKE: "role.revoke",
-  BILLING_VIEW: "billing.view",
-  BILLING_MANAGE: "billing.manage",
-  PROJECT_CREATE: "project.create",
-  PROJECT_READ: "project.read",
-  PROJECT_UPDATE: "project.update",
-  PROJECT_DELETE: "project.delete",
-  PROJECT_MANAGE: "project.manage",
-  ADMIN_ACCESS: "admin.access",
-  ADMIN_IMPERSONATE: "admin.impersonate"
-};
-var StandardRole = {
-  OWNER: {
-    name: "owner",
-    description: "Organization owner with full access",
-    permissions: Object.values(Permission)
-  },
-  ADMIN: {
-    name: "admin",
-    description: "Administrator with most permissions",
-    permissions: [
-      Permission.USER_READ,
-      Permission.USER_LIST,
-      Permission.ORG_READ,
-      Permission.ORG_UPDATE,
-      Permission.MEMBER_INVITE,
-      Permission.MEMBER_REMOVE,
-      Permission.MEMBER_UPDATE_ROLE,
-      Permission.MEMBER_LIST,
-      Permission.MANAGE_MEMBERS,
-      Permission.TEAM_CREATE,
-      Permission.TEAM_UPDATE,
-      Permission.TEAM_DELETE,
-      Permission.TEAM_MANAGE,
-      Permission.PROJECT_CREATE,
-      Permission.PROJECT_READ,
-      Permission.PROJECT_UPDATE,
-      Permission.PROJECT_DELETE,
-      Permission.PROJECT_MANAGE,
-      Permission.BILLING_VIEW
-    ]
-  },
-  MEMBER: {
-    name: "member",
-    description: "Regular organization member",
-    permissions: [
-      Permission.USER_READ,
-      Permission.ORG_READ,
-      Permission.MEMBER_LIST,
-      Permission.PROJECT_READ,
-      Permission.PROJECT_CREATE
-    ]
-  },
-  VIEWER: {
-    name: "viewer",
-    description: "Read-only access",
-    permissions: [
-      Permission.USER_READ,
-      Permission.ORG_READ,
-      Permission.MEMBER_LIST,
-      Permission.PROJECT_READ
-    ]
-  }
-};
-
-class RBACPolicyEngine {
-  roleCache = new Map;
-  bindingCache = new Map;
-  async checkPermission(input, bindings) {
-    const { userId, orgId, permission } = input;
-    const now = new Date;
-    const userBindings = bindings.filter((b) => b.targetType === "user" && b.targetId === userId);
-    const orgBindings = orgId ? bindings.filter((b) => b.targetType === "organization" && b.targetId === orgId) : [];
-    const allBindings = [...userBindings, ...orgBindings];
-    const activeBindings = allBindings.filter((b) => !b.expiresAt || b.expiresAt > now);
-    if (activeBindings.length === 0) {
-      return {
-        allowed: false,
-        reason: "No active role bindings found"
-      };
-    }
-    for (const binding of activeBindings) {
-      if (binding.role.permissions.includes(permission)) {
-        return {
-          allowed: true,
-          matchedRole: binding.role.name
-        };
-      }
-    }
-    return {
-      allowed: false,
-      reason: `No role grants the "${permission}" permission`
-    };
-  }
-  async getPermissions(userId, orgId, bindings) {
-    const now = new Date;
-    const userBindings = bindings.filter((b) => b.targetType === "user" && b.targetId === userId);
-    const orgBindings = orgId ? bindings.filter((b) => b.targetType === "organization" && b.targetId === orgId) : [];
-    const allBindings = [...userBindings, ...orgBindings];
-    const activeBindings = allBindings.filter((b) => !b.expiresAt || b.expiresAt > now);
-    const permissions = new Set;
-    const roles = [];
-    for (const binding of activeBindings) {
-      roles.push(binding.role);
-      for (const perm of binding.role.permissions) {
-        permissions.add(perm);
-      }
-    }
-    return { permissions, roles };
-  }
-  async hasAnyPermission(userId, orgId, permissions, bindings) {
-    const { permissions: userPerms } = await this.getPermissions(userId, orgId, bindings);
-    return permissions.some((p) => userPerms.has(p));
-  }
-  async hasAllPermissions(userId, orgId, permissions, bindings) {
-    const { permissions: userPerms } = await this.getPermissions(userId, orgId, bindings);
-    return permissions.every((p) => userPerms.has(p));
-  }
-}
-function createRBACEngine() {
-  return new RBACPolicyEngine;
-}
-export {
-  createRBACEngine,
-  StandardRole,
-  RBACPolicyEngine,
-  Permission
-};
+var f={USER_CREATE:"user.create",USER_READ:"user.read",USER_UPDATE:"user.update",USER_DELETE:"user.delete",USER_LIST:"user.list",USER_MANAGE:"user.manage",ORG_CREATE:"org.create",ORG_READ:"org.read",ORG_UPDATE:"org.update",ORG_DELETE:"org.delete",ORG_LIST:"org.list",MEMBER_INVITE:"member.invite",MEMBER_REMOVE:"member.remove",MEMBER_UPDATE_ROLE:"member.update_role",MEMBER_LIST:"member.list",MANAGE_MEMBERS:"org.manage_members",TEAM_CREATE:"team.create",TEAM_UPDATE:"team.update",TEAM_DELETE:"team.delete",TEAM_MANAGE:"team.manage",ROLE_CREATE:"role.create",ROLE_UPDATE:"role.update",ROLE_DELETE:"role.delete",ROLE_ASSIGN:"role.assign",ROLE_REVOKE:"role.revoke",BILLING_VIEW:"billing.view",BILLING_MANAGE:"billing.manage",PROJECT_CREATE:"project.create",PROJECT_READ:"project.read",PROJECT_UPDATE:"project.update",PROJECT_DELETE:"project.delete",PROJECT_MANAGE:"project.manage",ADMIN_ACCESS:"admin.access",ADMIN_IMPERSONATE:"admin.impersonate"},M={OWNER:{name:"owner",description:"Organization owner with full access",permissions:Object.values(f)},ADMIN:{name:"admin",description:"Administrator with most permissions",permissions:[f.USER_READ,f.USER_LIST,f.ORG_READ,f.ORG_UPDATE,f.MEMBER_INVITE,f.MEMBER_REMOVE,f.MEMBER_UPDATE_ROLE,f.MEMBER_LIST,f.MANAGE_MEMBERS,f.TEAM_CREATE,f.TEAM_UPDATE,f.TEAM_DELETE,f.TEAM_MANAGE,f.PROJECT_CREATE,f.PROJECT_READ,f.PROJECT_UPDATE,f.PROJECT_DELETE,f.PROJECT_MANAGE,f.BILLING_VIEW]},MEMBER:{name:"member",description:"Regular organization member",permissions:[f.USER_READ,f.ORG_READ,f.MEMBER_LIST,f.PROJECT_READ,f.PROJECT_CREATE]},VIEWER:{name:"viewer",description:"Read-only access",permissions:[f.USER_READ,f.ORG_READ,f.MEMBER_LIST,f.PROJECT_READ]}};class K{roleCache=new Map;bindingCache=new Map;async checkPermission(z,j){let{userId:k,orgId:q,permission:x}=z,D=new Date,J=j.filter((h)=>h.targetType==="user"&&h.targetId===k),G=q?j.filter((h)=>h.targetType==="organization"&&h.targetId===q):[],F=[...J,...G].filter((h)=>!h.expiresAt||h.expiresAt>D);if(F.length===0)return{allowed:!1,reason:"No active role bindings found"};for(let h of F)if(h.role.permissions.includes(x))return{allowed:!0,matchedRole:h.role.name};return{allowed:!1,reason:`No role grants the "${x}" permission`}}async getPermissions(z,j,k){let q=new Date,x=k.filter((h)=>h.targetType==="user"&&h.targetId===z),D=j?k.filter((h)=>h.targetType==="organization"&&h.targetId===j):[],G=[...x,...D].filter((h)=>!h.expiresAt||h.expiresAt>q),H=new Set,F=[];for(let h of G){F.push(h.role);for(let L of h.role.permissions)H.add(L)}return{permissions:H,roles:F}}async hasAnyPermission(z,j,k,q){let{permissions:x}=await this.getPermissions(z,j,q);return k.some((D)=>x.has(D))}async hasAllPermissions(z,j,k,q){let{permissions:x}=await this.getPermissions(z,j,q);return k.every((D)=>x.has(D))}}function N(){return new K}export{N as createRBACEngine,M as StandardRole,K as RBACPolicyEngine,f as Permission};

package/dist/browser/policies/index.js

@@ -1,154 +1 @@
-// src/policies/engine.ts
-var Permission = {
-  USER_CREATE: "user.create",
-  USER_READ: "user.read",
-  USER_UPDATE: "user.update",
-  USER_DELETE: "user.delete",
-  USER_LIST: "user.list",
-  USER_MANAGE: "user.manage",
-  ORG_CREATE: "org.create",
-  ORG_READ: "org.read",
-  ORG_UPDATE: "org.update",
-  ORG_DELETE: "org.delete",
-  ORG_LIST: "org.list",
-  MEMBER_INVITE: "member.invite",
-  MEMBER_REMOVE: "member.remove",
-  MEMBER_UPDATE_ROLE: "member.update_role",
-  MEMBER_LIST: "member.list",
-  MANAGE_MEMBERS: "org.manage_members",
-  TEAM_CREATE: "team.create",
-  TEAM_UPDATE: "team.update",
-  TEAM_DELETE: "team.delete",
-  TEAM_MANAGE: "team.manage",
-  ROLE_CREATE: "role.create",
-  ROLE_UPDATE: "role.update",
-  ROLE_DELETE: "role.delete",
-  ROLE_ASSIGN: "role.assign",
-  ROLE_REVOKE: "role.revoke",
-  BILLING_VIEW: "billing.view",
-  BILLING_MANAGE: "billing.manage",
-  PROJECT_CREATE: "project.create",
-  PROJECT_READ: "project.read",
-  PROJECT_UPDATE: "project.update",
-  PROJECT_DELETE: "project.delete",
-  PROJECT_MANAGE: "project.manage",
-  ADMIN_ACCESS: "admin.access",
-  ADMIN_IMPERSONATE: "admin.impersonate"
-};
-var StandardRole = {
-  OWNER: {
-    name: "owner",
-    description: "Organization owner with full access",
-    permissions: Object.values(Permission)
-  },
-  ADMIN: {
-    name: "admin",
-    description: "Administrator with most permissions",
-    permissions: [
-      Permission.USER_READ,
-      Permission.USER_LIST,
-      Permission.ORG_READ,
-      Permission.ORG_UPDATE,
-      Permission.MEMBER_INVITE,
-      Permission.MEMBER_REMOVE,
-      Permission.MEMBER_UPDATE_ROLE,
-      Permission.MEMBER_LIST,
-      Permission.MANAGE_MEMBERS,
-      Permission.TEAM_CREATE,
-      Permission.TEAM_UPDATE,
-      Permission.TEAM_DELETE,
-      Permission.TEAM_MANAGE,
-      Permission.PROJECT_CREATE,
-      Permission.PROJECT_READ,
-      Permission.PROJECT_UPDATE,
-      Permission.PROJECT_DELETE,
-      Permission.PROJECT_MANAGE,
-      Permission.BILLING_VIEW
-    ]
-  },
-  MEMBER: {
-    name: "member",
-    description: "Regular organization member",
-    permissions: [
-      Permission.USER_READ,
-      Permission.ORG_READ,
-      Permission.MEMBER_LIST,
-      Permission.PROJECT_READ,
-      Permission.PROJECT_CREATE
-    ]
-  },
-  VIEWER: {
-    name: "viewer",
-    description: "Read-only access",
-    permissions: [
-      Permission.USER_READ,
-      Permission.ORG_READ,
-      Permission.MEMBER_LIST,
-      Permission.PROJECT_READ
-    ]
-  }
-};
-
-class RBACPolicyEngine {
-  roleCache = new Map;
-  bindingCache = new Map;
-  async checkPermission(input, bindings) {
-    const { userId, orgId, permission } = input;
-    const now = new Date;
-    const userBindings = bindings.filter((b) => b.targetType === "user" && b.targetId === userId);
-    const orgBindings = orgId ? bindings.filter((b) => b.targetType === "organization" && b.targetId === orgId) : [];
-    const allBindings = [...userBindings, ...orgBindings];
-    const activeBindings = allBindings.filter((b) => !b.expiresAt || b.expiresAt > now);
-    if (activeBindings.length === 0) {
-      return {
-        allowed: false,
-        reason: "No active role bindings found"
-      };
-    }
-    for (const binding of activeBindings) {
-      if (binding.role.permissions.includes(permission)) {
-        return {
-          allowed: true,
-          matchedRole: binding.role.name
-        };
-      }
-    }
-    return {
-      allowed: false,
-      reason: `No role grants the "${permission}" permission`
-    };
-  }
-  async getPermissions(userId, orgId, bindings) {
-    const now = new Date;
-    const userBindings = bindings.filter((b) => b.targetType === "user" && b.targetId === userId);
-    const orgBindings = orgId ? bindings.filter((b) => b.targetType === "organization" && b.targetId === orgId) : [];
-    const allBindings = [...userBindings, ...orgBindings];
-    const activeBindings = allBindings.filter((b) => !b.expiresAt || b.expiresAt > now);
-    const permissions = new Set;
-    const roles = [];
-    for (const binding of activeBindings) {
-      roles.push(binding.role);
-      for (const perm of binding.role.permissions) {
-        permissions.add(perm);
-      }
-    }
-    return { permissions, roles };
-  }
-  async hasAnyPermission(userId, orgId, permissions, bindings) {
-    const { permissions: userPerms } = await this.getPermissions(userId, orgId, bindings);
-    return permissions.some((p) => userPerms.has(p));
-  }
-  async hasAllPermissions(userId, orgId, permissions, bindings) {
-    const { permissions: userPerms } = await this.getPermissions(userId, orgId, bindings);
-    return permissions.every((p) => userPerms.has(p));
-  }
-}
-function createRBACEngine() {
-  return new RBACPolicyEngine;
-}
-export {
-  createRBACEngine,
-  StandardRole,
-  RBACPolicyEngine,
-  Permission
-};
+var y={USER_CREATE:"user.create",USER_READ:"user.read",USER_UPDATE:"user.update",USER_DELETE:"user.delete",USER_LIST:"user.list",USER_MANAGE:"user.manage",ORG_CREATE:"org.create",ORG_READ:"org.read",ORG_UPDATE:"org.update",ORG_DELETE:"org.delete",ORG_LIST:"org.list",MEMBER_INVITE:"member.invite",MEMBER_REMOVE:"member.remove",MEMBER_UPDATE_ROLE:"member.update_role",MEMBER_LIST:"member.list",MANAGE_MEMBERS:"org.manage_members",TEAM_CREATE:"team.create",TEAM_UPDATE:"team.update",TEAM_DELETE:"team.delete",TEAM_MANAGE:"team.manage",ROLE_CREATE:"role.create",ROLE_UPDATE:"role.update",ROLE_DELETE:"role.delete",ROLE_ASSIGN:"role.assign",ROLE_REVOKE:"role.revoke",BILLING_VIEW:"billing.view",BILLING_MANAGE:"billing.manage",PROJECT_CREATE:"project.create",PROJECT_READ:"project.read",PROJECT_UPDATE:"project.update",PROJECT_DELETE:"project.delete",PROJECT_MANAGE:"project.manage",ADMIN_ACCESS:"admin.access",ADMIN_IMPERSONATE:"admin.impersonate"},q={OWNER:{name:"owner",description:"Organization owner with full access",permissions:Object.values(y)},ADMIN:{name:"admin",description:"Administrator with most permissions",permissions:[y.USER_READ,y.USER_LIST,y.ORG_READ,y.ORG_UPDATE,y.MEMBER_INVITE,y.MEMBER_REMOVE,y.MEMBER_UPDATE_ROLE,y.MEMBER_LIST,y.MANAGE_MEMBERS,y.TEAM_CREATE,y.TEAM_UPDATE,y.TEAM_DELETE,y.TEAM_MANAGE,y.PROJECT_CREATE,y.PROJECT_READ,y.PROJECT_UPDATE,y.PROJECT_DELETE,y.PROJECT_MANAGE,y.BILLING_VIEW]},MEMBER:{name:"member",description:"Regular organization member",permissions:[y.USER_READ,y.ORG_READ,y.MEMBER_LIST,y.PROJECT_READ,y.PROJECT_CREATE]},VIEWER:{name:"viewer",description:"Read-only access",permissions:[y.USER_READ,y.ORG_READ,y.MEMBER_LIST,y.PROJECT_READ]}};class S{roleCache=new Map;bindingCache=new Map;async checkPermission(l,h){let{userId:k,orgId:R,permission:f}=l,x=new Date,W=h.filter((t)=>t.targetType==="user"&&t.targetId===k),F=R?h.filter((t)=>t.targetType==="organization"&&t.targetId===R):[],E=[...W,...F].filter((t)=>!t.expiresAt||t.expiresAt>x);if(E.length===0)return{allowed:!1,reason:"No active role bindings found"};for(let t of E)if(t.role.permissions.includes(f))return{allowed:!0,matchedRole:t.role.name};return{allowed:!1,reason:`No role grants the "${f}" permission`}}async getPermissions(l,h,k){let R=new Date,f=k.filter((t)=>t.targetType==="user"&&t.targetId===l),x=h?k.filter((t)=>t.targetType==="organization"&&t.targetId===h):[],F=[...f,...x].filter((t)=>!t.expiresAt||t.expiresAt>R),K=new Set,E=[];for(let t of F){E.push(t.role);for(let j of t.role.permissions)K.add(j)}return{permissions:K,roles:E}}async hasAnyPermission(l,h,k,R){let{permissions:f}=await this.getPermissions(l,h,R);return k.some((x)=>f.has(x))}async hasAllPermissions(l,h,k,R){let{permissions:f}=await this.getPermissions(l,h,R);return k.every((x)=>f.has(x))}}function z(){return new S}export{z as createRBACEngine,q as StandardRole,S as RBACPolicyEngine,y as Permission};