@cullet/erp-core 1.3.0 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (166) hide show
  1. package/KIT_CONTEXT.md +5 -3
  2. package/README.md +160 -0
  3. package/dist/abac/index.cjs +7 -0
  4. package/dist/abac/index.d.cts +2 -0
  5. package/dist/abac/index.d.ts +2 -0
  6. package/dist/abac/index.js +2 -0
  7. package/dist/app-error.cjs +193 -0
  8. package/dist/app-error.cjs.map +1 -0
  9. package/dist/app-error.js +170 -0
  10. package/dist/app-error.js.map +1 -0
  11. package/dist/application/index.cjs +2 -1
  12. package/dist/application/index.d.cts +2 -1
  13. package/dist/application/index.d.ts +2 -1
  14. package/dist/application/index.js +2 -1
  15. package/dist/authorization-error.cjs +157 -0
  16. package/dist/authorization-error.cjs.map +1 -0
  17. package/dist/authorization-error.d.cts +113 -0
  18. package/dist/authorization-error.d.ts +113 -0
  19. package/dist/authorization-error.js +152 -0
  20. package/dist/authorization-error.js.map +1 -0
  21. package/dist/authorizer.port.d.cts +130 -0
  22. package/dist/authorizer.port.d.ts +130 -0
  23. package/dist/composite-authorizer.d.cts +216 -0
  24. package/dist/composite-authorizer.d.ts +216 -0
  25. package/dist/condition-evaluator.cjs +565 -0
  26. package/dist/condition-evaluator.cjs.map +1 -0
  27. package/dist/condition-evaluator.js +536 -0
  28. package/dist/condition-evaluator.js.map +1 -0
  29. package/dist/{gate-types.d.ts → core-config.d.cts} +78 -77
  30. package/dist/{gate-types.d.cts → core-config.d.ts} +78 -77
  31. package/dist/domain/index.cjs +2 -1
  32. package/dist/domain/index.d.cts +2 -1
  33. package/dist/domain/index.d.ts +2 -1
  34. package/dist/domain/index.js +2 -1
  35. package/dist/domain-event-contracts.cjs +3 -2
  36. package/dist/domain-event-contracts.cjs.map +1 -1
  37. package/dist/domain-event-contracts.js +2 -1
  38. package/dist/domain-event-contracts.js.map +1 -1
  39. package/dist/entity.cjs +126 -0
  40. package/dist/entity.cjs.map +1 -0
  41. package/dist/entity.js +115 -0
  42. package/dist/entity.js.map +1 -0
  43. package/dist/errors/index.cjs +8 -6
  44. package/dist/errors/index.d.cts +2 -1
  45. package/dist/errors/index.d.ts +2 -1
  46. package/dist/errors/index.js +4 -2
  47. package/dist/gate-engine-registry.cjs +5 -4
  48. package/dist/gate-engine-registry.cjs.map +1 -1
  49. package/dist/gate-engine-registry.d.cts +3 -2
  50. package/dist/gate-engine-registry.d.ts +3 -2
  51. package/dist/gate-engine-registry.js +2 -1
  52. package/dist/gate-engine-registry.js.map +1 -1
  53. package/dist/gate-v1-payload.schema.cjs +0 -562
  54. package/dist/gate-v1-payload.schema.cjs.map +1 -1
  55. package/dist/gate-v1-payload.schema.js +1 -533
  56. package/dist/gate-v1-payload.schema.js.map +1 -1
  57. package/dist/index.cjs +34 -16
  58. package/dist/index.cjs.map +1 -1
  59. package/dist/index.d.cts +19 -12
  60. package/dist/index.d.ts +19 -12
  61. package/dist/index.js +15 -9
  62. package/dist/index.js.map +1 -1
  63. package/dist/not-found-error.cjs +5 -5
  64. package/dist/not-found-error.cjs.map +1 -1
  65. package/dist/not-found-error.js +1 -1
  66. package/dist/outcome.d.cts +1 -83
  67. package/dist/outcome.d.ts +1 -83
  68. package/dist/parse-gate-payload.d.cts +2 -2
  69. package/dist/parse-gate-payload.d.ts +2 -2
  70. package/dist/path.d.cts +2 -2
  71. package/dist/path.d.ts +2 -2
  72. package/dist/policies/engines/index.d.cts +1 -1
  73. package/dist/policies/engines/index.d.ts +1 -1
  74. package/dist/policies/engines/v1/gate/index.cjs +5 -4
  75. package/dist/policies/engines/v1/gate/index.cjs.map +1 -1
  76. package/dist/policies/engines/v1/gate/index.d.cts +2 -2
  77. package/dist/policies/engines/v1/gate/index.d.ts +2 -2
  78. package/dist/policies/engines/v1/gate/index.js +2 -1
  79. package/dist/policies/engines/v1/gate/index.js.map +1 -1
  80. package/dist/policies/index.cjs +5 -5
  81. package/dist/policies/index.d.cts +3 -2
  82. package/dist/policies/index.d.ts +3 -2
  83. package/dist/policies/index.js +2 -2
  84. package/dist/policy-bridge.cjs +437 -0
  85. package/dist/policy-bridge.cjs.map +1 -0
  86. package/dist/policy-bridge.d.cts +185 -0
  87. package/dist/policy-bridge.d.ts +185 -0
  88. package/dist/policy-bridge.js +396 -0
  89. package/dist/policy-bridge.js.map +1 -0
  90. package/dist/policy-service.cjs +239 -239
  91. package/dist/policy-service.cjs.map +1 -1
  92. package/dist/policy-service.d.cts +2 -2
  93. package/dist/policy-service.d.ts +2 -2
  94. package/dist/policy-service.js +239 -239
  95. package/dist/policy-service.js.map +1 -1
  96. package/dist/rbac/index.cjs +9 -0
  97. package/dist/rbac/index.d.cts +3 -0
  98. package/dist/rbac/index.d.ts +3 -0
  99. package/dist/rbac/index.js +2 -0
  100. package/dist/requested-by.cjs +54 -0
  101. package/dist/requested-by.cjs.map +1 -0
  102. package/dist/requested-by.d.cts +25 -0
  103. package/dist/requested-by.d.ts +25 -0
  104. package/dist/requested-by.js +49 -0
  105. package/dist/requested-by.js.map +1 -0
  106. package/dist/result/index.d.cts +2 -1
  107. package/dist/result/index.d.ts +2 -1
  108. package/dist/result.d.cts +84 -0
  109. package/dist/result.d.ts +84 -0
  110. package/dist/rule.cjs +327 -0
  111. package/dist/rule.cjs.map +1 -0
  112. package/dist/rule.js +298 -0
  113. package/dist/rule.js.map +1 -0
  114. package/dist/temporal-use-case.cjs +1 -53
  115. package/dist/temporal-use-case.cjs.map +1 -1
  116. package/dist/temporal-use-case.d.cts +5 -27
  117. package/dist/temporal-use-case.d.ts +5 -27
  118. package/dist/temporal-use-case.js +2 -48
  119. package/dist/temporal-use-case.js.map +1 -1
  120. package/dist/unexpected-error.cjs +3 -192
  121. package/dist/unexpected-error.cjs.map +1 -1
  122. package/dist/unexpected-error.js +2 -167
  123. package/dist/unexpected-error.js.map +1 -1
  124. package/dist/uuid-identifier.d.cts +2 -85
  125. package/dist/uuid-identifier.d.ts +2 -85
  126. package/dist/validation-error.cjs +33 -166
  127. package/dist/validation-error.cjs.map +1 -1
  128. package/dist/validation-error.d.cts +2 -98
  129. package/dist/validation-error.d.ts +2 -98
  130. package/dist/validation-error.js +7 -134
  131. package/dist/validation-error.js.map +1 -1
  132. package/dist/value-object.cjs +0 -123
  133. package/dist/value-object.cjs.map +1 -1
  134. package/dist/value-object.d.cts +89 -0
  135. package/dist/value-object.d.ts +89 -0
  136. package/dist/value-object.js +1 -112
  137. package/dist/value-object.js.map +1 -1
  138. package/meta.json +18 -4
  139. package/package.json +27 -1
  140. package/src/abac/index.ts +1 -0
  141. package/src/core/abac/abac-request.ts +29 -0
  142. package/src/core/abac/attributes.ts +39 -0
  143. package/src/core/abac/authorizer.ts +108 -0
  144. package/src/core/abac/combining.ts +63 -0
  145. package/src/core/abac/composite-authorizer.ts +45 -0
  146. package/src/core/abac/domain/policy-set.ts +52 -0
  147. package/src/core/abac/domain/rule.ts +197 -0
  148. package/src/core/abac/index.ts +21 -0
  149. package/src/core/application/ports/abac-authorizer.port.ts +20 -0
  150. package/src/core/application/ports/authorizer.port.ts +22 -0
  151. package/src/core/errors/authorization-error.ts +26 -0
  152. package/src/core/errors/error-codes.ts +1 -0
  153. package/src/core/index.ts +7 -0
  154. package/src/core/rbac/access-request.ts +32 -0
  155. package/src/core/rbac/authorizer.ts +91 -0
  156. package/src/core/rbac/domain/grant.ts +96 -0
  157. package/src/core/rbac/domain/permission-set.ts +67 -0
  158. package/src/core/rbac/domain/permission.ts +119 -0
  159. package/src/core/rbac/domain/role.ts +101 -0
  160. package/src/core/rbac/domain/scope.ts +84 -0
  161. package/src/core/rbac/index.ts +15 -0
  162. package/src/core/rbac/policy-bridge.ts +44 -0
  163. package/src/examples/application/authorize-cancel-order-abac.example.ts +107 -0
  164. package/src/examples/application/authorize-cancel-order.example.ts +101 -0
  165. package/src/rbac/index.ts +1 -0
  166. package/src/version.ts +1 -1
@@ -1,5 +1,6 @@
1
1
  Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
2
2
  const require_use_case = require("../use-case.cjs");
3
+ const require_requested_by = require("../requested-by.cjs");
3
4
  const require_temporal_use_case = require("../temporal-use-case.cjs");
4
5
  Object.defineProperty(exports, "Command", {
5
6
  enumerable: true,
@@ -13,7 +14,7 @@ Object.defineProperty(exports, "Query", {
13
14
  return require_temporal_use_case.Query;
14
15
  }
15
16
  });
16
- exports.RequestedBy = require_temporal_use_case.RequestedBy;
17
+ exports.RequestedBy = require_requested_by.RequestedBy;
17
18
  exports.TemporalUseCase = require_temporal_use_case.TemporalUseCase;
18
19
  Object.defineProperty(exports, "UseCase", {
19
20
  enumerable: true,
@@ -1,2 +1,3 @@
1
- import { A as MetricLabels, C as RequestedByKind, D as TraceAttributeValue, E as UseCaseObservability, M as LogPayload, N as LoggerPort, O as TraceSpan, S as RequestedBy, T as UseCase, _ as PolicyEvaluationOutput, a as TemporalContext, b as Command, c as CacheStrategy, d as mapPolicyEvaluationError, f as TemporalHistory, g as PolicyEvaluationInput, h as ResultRepository, i as CreateTemporalContextInput, j as MetricsPort, k as TracerPort, l as Page, m as Repository, n as TemporalUseCaseInput, o as assertTemporalContext, p as TemporalRepository, r as TemporalizedContextSeed, s as createTemporalContext, t as TemporalUseCase, u as Query, v as PolicyPort, w as MaybePromise, x as CommandInput, y as PolicyPortError } from "../temporal-use-case.cjs";
1
+ import { n as RequestedByKind, t as RequestedBy } from "../requested-by.cjs";
2
+ import { A as LogPayload, C as UseCase, D as TracerPort, E as TraceSpan, O as MetricLabels, S as MaybePromise, T as TraceAttributeValue, _ as PolicyEvaluationOutput, a as TemporalContext, b as Command, c as CacheStrategy, d as mapPolicyEvaluationError, f as TemporalHistory, g as PolicyEvaluationInput, h as ResultRepository, i as CreateTemporalContextInput, j as LoggerPort, k as MetricsPort, l as Page, m as Repository, n as TemporalUseCaseInput, o as assertTemporalContext, p as TemporalRepository, r as TemporalizedContextSeed, s as createTemporalContext, t as TemporalUseCase, u as Query, v as PolicyPort, w as UseCaseObservability, x as CommandInput, y as PolicyPortError } from "../temporal-use-case.cjs";
2
3
  export { CacheStrategy, Command, CommandInput, CreateTemporalContextInput, LogPayload, LoggerPort, MaybePromise, MetricLabels, MetricsPort, Page, PolicyEvaluationInput, PolicyEvaluationOutput, PolicyPort, PolicyPortError, Query, Repository, RequestedBy, RequestedByKind, ResultRepository, TemporalContext, TemporalHistory, TemporalRepository, TemporalUseCase, TemporalUseCaseInput, TemporalizedContextSeed, TraceAttributeValue, TraceSpan, TracerPort, UseCase, UseCaseObservability, assertTemporalContext, createTemporalContext, mapPolicyEvaluationError };
@@ -1,2 +1,3 @@
1
- import { A as MetricLabels, C as RequestedByKind, D as TraceAttributeValue, E as UseCaseObservability, M as LogPayload, N as LoggerPort, O as TraceSpan, S as RequestedBy, T as UseCase, _ as PolicyEvaluationOutput, a as TemporalContext, b as Command, c as CacheStrategy, d as mapPolicyEvaluationError, f as TemporalHistory, g as PolicyEvaluationInput, h as ResultRepository, i as CreateTemporalContextInput, j as MetricsPort, k as TracerPort, l as Page, m as Repository, n as TemporalUseCaseInput, o as assertTemporalContext, p as TemporalRepository, r as TemporalizedContextSeed, s as createTemporalContext, t as TemporalUseCase, u as Query, v as PolicyPort, w as MaybePromise, x as CommandInput, y as PolicyPortError } from "../temporal-use-case.js";
1
+ import { n as RequestedByKind, t as RequestedBy } from "../requested-by.js";
2
+ import { A as LogPayload, C as UseCase, D as TracerPort, E as TraceSpan, O as MetricLabels, S as MaybePromise, T as TraceAttributeValue, _ as PolicyEvaluationOutput, a as TemporalContext, b as Command, c as CacheStrategy, d as mapPolicyEvaluationError, f as TemporalHistory, g as PolicyEvaluationInput, h as ResultRepository, i as CreateTemporalContextInput, j as LoggerPort, k as MetricsPort, l as Page, m as Repository, n as TemporalUseCaseInput, o as assertTemporalContext, p as TemporalRepository, r as TemporalizedContextSeed, s as createTemporalContext, t as TemporalUseCase, u as Query, v as PolicyPort, w as UseCaseObservability, x as CommandInput, y as PolicyPortError } from "../temporal-use-case.js";
2
3
  export { CacheStrategy, Command, CommandInput, CreateTemporalContextInput, LogPayload, LoggerPort, MaybePromise, MetricLabels, MetricsPort, Page, PolicyEvaluationInput, PolicyEvaluationOutput, PolicyPort, PolicyPortError, Query, Repository, RequestedBy, RequestedByKind, ResultRepository, TemporalContext, TemporalHistory, TemporalRepository, TemporalUseCase, TemporalUseCaseInput, TemporalizedContextSeed, TraceAttributeValue, TraceSpan, TracerPort, UseCase, UseCaseObservability, assertTemporalContext, createTemporalContext, mapPolicyEvaluationError };
@@ -1,3 +1,4 @@
1
1
  import { t as UseCase } from "../use-case.js";
2
- import { a as mapPolicyEvaluationError, i as Query, n as assertTemporalContext, o as Command, r as createTemporalContext, s as RequestedBy, t as TemporalUseCase } from "../temporal-use-case.js";
2
+ import { t as RequestedBy } from "../requested-by.js";
3
+ import { a as mapPolicyEvaluationError, i as Query, n as assertTemporalContext, o as Command, r as createTemporalContext, t as TemporalUseCase } from "../temporal-use-case.js";
3
4
  export { Command, Query, RequestedBy, TemporalUseCase, UseCase, assertTemporalContext, createTemporalContext, mapPolicyEvaluationError };
@@ -0,0 +1,157 @@
1
+ const require_app_error = require("./app-error.cjs");
2
+ //#region src/core/errors/authorization-error.ts
3
+ /**
4
+ * Raised when an authenticated actor is not allowed to perform a business
5
+ * action — the "you may not" error, distinct from authentication ("who are
6
+ * you"). Maps to an HTTP 403 at the edge.
7
+ *
8
+ * The discriminating {@link reason} records *why* access was denied (a flat
9
+ * forbid, a missing role/capability, an out-of-scope target, or a policy
10
+ * decision) so the boundary can shape the response without re-deriving it. The
11
+ * metadata is deliberately built around a stable business `action` and a
12
+ * type/id resource reference rather than an HTTP route or full payload, keeping
13
+ * sensitive data out of logs. Instances are frozen. Construct through the
14
+ * static factories, never directly.
15
+ */
16
+ var AuthorizationError = class AuthorizationError extends require_app_error.AppError {
17
+ constructor(params) {
18
+ super(params.message, params.code, {
19
+ cause: params.cause,
20
+ metadata: params.metadata,
21
+ type: params.type,
22
+ severity: params.severity,
23
+ correlationId: params.correlationId,
24
+ requestId: params.requestId,
25
+ commandId: params.commandId,
26
+ createdAtIso: params.createdAtIso,
27
+ publicMessage: params.publicMessage
28
+ });
29
+ this.reason = params.reason;
30
+ Object.freeze(this);
31
+ }
32
+ /**
33
+ * A flat denial with no more specific reason — the actor simply may not
34
+ * perform this action. Reach for a more precise factory
35
+ * ({@link AuthorizationError.missingCapability}, {@link AuthorizationError.outOfScope},
36
+ * {@link AuthorizationError.policyDenied}) when the cause is known.
37
+ */
38
+ static forbidden(input) {
39
+ return new AuthorizationError({
40
+ message: "Action not allowed",
41
+ code: require_app_error.ErrorCodes.authorization.forbidden,
42
+ reason: "forbidden",
43
+ metadata: {
44
+ reason: "forbidden",
45
+ ...extractMetadataOnly(input)
46
+ },
47
+ ...extractAppErrorOptions(input)
48
+ });
49
+ }
50
+ /**
51
+ * The action was denied by an evaluated policy. Captures the deciding
52
+ * policy's id, version, and evaluation instant into the metadata (with
53
+ * `decision: "deny"`) so the denial is auditable back to the exact policy
54
+ * that produced it.
55
+ *
56
+ * @param input - Factory options plus the required `policyId`,
57
+ * `policyVersion`, and `evaluatedAtIso` of the deciding policy.
58
+ */
59
+ static policyDenied(input) {
60
+ return new AuthorizationError({
61
+ message: "Action denied by policy",
62
+ code: require_app_error.ErrorCodes.authorization.policyDenied,
63
+ reason: "policy_denied",
64
+ metadata: {
65
+ reason: "policy_denied",
66
+ ...extractMetadataOnly(input),
67
+ decision: "deny"
68
+ },
69
+ ...extractAppErrorOptions(input)
70
+ });
71
+ }
72
+ /**
73
+ * The actor holds no role at all that bears on the action — the most basic
74
+ * denial, distinct from {@link AuthorizationError.missingCapability} (which
75
+ * means the actor *has* roles, just none granting the required capability).
76
+ * The expected {@link AuthorizationRequirement} is recorded so the boundary
77
+ * can tell the caller what grant is missing.
78
+ *
79
+ * @param input - Factory options plus the `required` role/capability/scope.
80
+ */
81
+ static missingRole(input) {
82
+ return new AuthorizationError({
83
+ message: "Missing required role to perform the action",
84
+ code: require_app_error.ErrorCodes.authorization.missingRole,
85
+ reason: "missing_role",
86
+ metadata: {
87
+ reason: "missing_role",
88
+ ...extractMetadataOnly(input)
89
+ },
90
+ ...extractAppErrorOptions(input)
91
+ });
92
+ }
93
+ /**
94
+ * The actor lacks a required role or capability. The expected
95
+ * {@link AuthorizationRequirement} is recorded so the boundary can tell the
96
+ * caller precisely what grant is missing.
97
+ *
98
+ * @param input - Factory options plus the `required` role/capability/scope.
99
+ */
100
+ static missingCapability(input) {
101
+ return new AuthorizationError({
102
+ message: "Insufficient capability to perform the action",
103
+ code: require_app_error.ErrorCodes.authorization.missingCapability,
104
+ reason: "missing_capability",
105
+ metadata: {
106
+ reason: "missing_capability",
107
+ ...extractMetadataOnly(input)
108
+ },
109
+ ...extractAppErrorOptions(input)
110
+ });
111
+ }
112
+ /**
113
+ * The actor may perform the action in general, but not on *this* target —
114
+ * the resource falls outside the actor's permitted scope (e.g. a different
115
+ * school or tenant than the one they are bound to).
116
+ *
117
+ * @param input - Factory options plus the optional `required` scope that the
118
+ * target failed to satisfy.
119
+ */
120
+ static outOfScope(input) {
121
+ return new AuthorizationError({
122
+ message: "Action outside the allowed scope",
123
+ code: require_app_error.ErrorCodes.authorization.outOfScope,
124
+ reason: "out_of_scope",
125
+ metadata: {
126
+ reason: "out_of_scope",
127
+ ...extractMetadataOnly(input)
128
+ },
129
+ ...extractAppErrorOptions(input)
130
+ });
131
+ }
132
+ };
133
+ function extractAppErrorOptions(options) {
134
+ return {
135
+ cause: options?.cause,
136
+ type: options?.type,
137
+ severity: options?.severity,
138
+ correlationId: options?.correlationId,
139
+ requestId: options?.requestId,
140
+ commandId: options?.commandId,
141
+ createdAtIso: options?.createdAtIso,
142
+ publicMessage: options?.publicMessage
143
+ };
144
+ }
145
+ function extractMetadataOnly(input) {
146
+ const { cause, type, severity, correlationId, requestId, commandId, createdAtIso, publicMessage, ...metadata } = input;
147
+ return metadata;
148
+ }
149
+ //#endregion
150
+ Object.defineProperty(exports, "AuthorizationError", {
151
+ enumerable: true,
152
+ get: function() {
153
+ return AuthorizationError;
154
+ }
155
+ });
156
+
157
+ //# sourceMappingURL=authorization-error.cjs.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"authorization-error.cjs","names":["AppError","ErrorCodes"],"sources":["../src/core/errors/authorization-error.ts"],"sourcesContent":["import { AppError } from \"./app-error.js\";\nimport { ErrorCodes } from \"./error-codes.js\";\nimport type { AppErrorOptions, ErrorSeverity } from \"./types.js\";\n\n// ─────────────────────────────────────────────────────────────────────────────\n// Types\n// ─────────────────────────────────────────────────────────────────────────────\n\ntype AuthorizationErrorReason =\n | \"forbidden\"\n | \"missing_role\"\n | \"missing_capability\"\n | \"out_of_scope\"\n | \"outside_time_window\"\n | \"policy_denied\"\n | \"unknown\";\n\ntype AuthorizationRequirement = {\n role?: string;\n capability?: string;\n scope?: string; // e.g.: \"school:{id}\" or \"class:{id}\"\n};\n\ntype AuthorizationErrorMetadata = {\n reason: AuthorizationErrorReason;\n\n /** Stable action you evaluated (not an HTTP route — a \"business action\") */\n action: string;\n\n /** Resource identification (without leaking the full payload) */\n resource?: { type: string; id?: string };\n\n /** Optional: actor (do not include sensitive data) */\n actor?: { userId: string; role?: string };\n\n /** Optional: expected requirement */\n required?: AuthorizationRequirement;\n\n /** Optional: policy (when you already have PolicyEvaluation or similar) */\n policyId?: string;\n policyVersion?: number;\n evaluatedAtIso?: string;\n decision?: \"allow\" | \"deny\";\n reasonCode?: string;\n\n /** Optional: additional non-sensitive info */\n details?: string;\n};\n\n/**\n * Options for AuthorizationError factory methods.\n * Combines metadata fields (except 'reason') with common AppError options.\n */\ntype AuthorizationErrorFactoryOptions = Omit<\n AuthorizationErrorMetadata,\n \"reason\"\n> &\n Omit<AppErrorOptions, \"metadata\">;\n\n// ─────────────────────────────────────────────────────────────────────────────\n// AuthorizationError\n// ─────────────────────────────────────────────────────────────────────────────\n\n/**\n * Raised when an authenticated actor is not allowed to perform a business\n * action — the \"you may not\" error, distinct from authentication (\"who are\n * you\"). Maps to an HTTP 403 at the edge.\n *\n * The discriminating {@link reason} records *why* access was denied (a flat\n * forbid, a missing role/capability, an out-of-scope target, or a policy\n * decision) so the boundary can shape the response without re-deriving it. The\n * metadata is deliberately built around a stable business `action` and a\n * type/id resource reference rather than an HTTP route or full payload, keeping\n * sensitive data out of logs. Instances are frozen. Construct through the\n * static factories, never directly.\n */\nclass AuthorizationError extends AppError {\n public readonly reason: AuthorizationErrorReason;\n\n private constructor(params: {\n message: string;\n code: string;\n reason: AuthorizationErrorReason;\n metadata: AuthorizationErrorMetadata;\n cause?: unknown;\n type?: string;\n severity?: ErrorSeverity;\n correlationId?: string;\n requestId?: string;\n commandId?: string;\n createdAtIso?: string;\n publicMessage?: string;\n }) {\n super(params.message, params.code, {\n cause: params.cause,\n metadata: params.metadata,\n type: params.type,\n severity: params.severity,\n correlationId: params.correlationId,\n requestId: params.requestId,\n commandId: params.commandId,\n createdAtIso: params.createdAtIso,\n publicMessage: params.publicMessage,\n });\n\n this.reason = params.reason;\n Object.freeze(this);\n }\n\n // ─────────────────────────────────────────────────────────────────────────\n // Factories\n // ─────────────────────────────────────────────────────────────────────────\n\n /**\n * A flat denial with no more specific reason — the actor simply may not\n * perform this action. Reach for a more precise factory\n * ({@link AuthorizationError.missingCapability}, {@link AuthorizationError.outOfScope},\n * {@link AuthorizationError.policyDenied}) when the cause is known.\n */\n static forbidden(\n input: AuthorizationErrorFactoryOptions,\n ): AuthorizationError {\n return new AuthorizationError({\n message: \"Action not allowed\",\n code: ErrorCodes.authorization.forbidden,\n reason: \"forbidden\",\n metadata: { reason: \"forbidden\", ...extractMetadataOnly(input) },\n ...extractAppErrorOptions(input),\n });\n }\n\n /**\n * The action was denied by an evaluated policy. Captures the deciding\n * policy's id, version, and evaluation instant into the metadata (with\n * `decision: \"deny\"`) so the denial is auditable back to the exact policy\n * that produced it.\n *\n * @param input - Factory options plus the required `policyId`,\n * `policyVersion`, and `evaluatedAtIso` of the deciding policy.\n */\n static policyDenied(\n input: AuthorizationErrorFactoryOptions & {\n policyId: string;\n policyVersion: number;\n evaluatedAtIso: string;\n },\n ): AuthorizationError {\n return new AuthorizationError({\n message: \"Action denied by policy\",\n code: ErrorCodes.authorization.policyDenied,\n reason: \"policy_denied\",\n metadata: {\n reason: \"policy_denied\",\n ...extractMetadataOnly(input),\n decision: \"deny\",\n },\n ...extractAppErrorOptions(input),\n });\n }\n\n /**\n * The actor holds no role at all that bears on the action — the most basic\n * denial, distinct from {@link AuthorizationError.missingCapability} (which\n * means the actor *has* roles, just none granting the required capability).\n * The expected {@link AuthorizationRequirement} is recorded so the boundary\n * can tell the caller what grant is missing.\n *\n * @param input - Factory options plus the `required` role/capability/scope.\n */\n static missingRole(\n input: AuthorizationErrorFactoryOptions & {\n required: AuthorizationRequirement;\n },\n ): AuthorizationError {\n return new AuthorizationError({\n message: \"Missing required role to perform the action\",\n code: ErrorCodes.authorization.missingRole,\n reason: \"missing_role\",\n metadata: {\n reason: \"missing_role\",\n ...extractMetadataOnly(input),\n },\n ...extractAppErrorOptions(input),\n });\n }\n\n /**\n * The actor lacks a required role or capability. The expected\n * {@link AuthorizationRequirement} is recorded so the boundary can tell the\n * caller precisely what grant is missing.\n *\n * @param input - Factory options plus the `required` role/capability/scope.\n */\n static missingCapability(\n input: AuthorizationErrorFactoryOptions & {\n required: AuthorizationRequirement;\n },\n ): AuthorizationError {\n return new AuthorizationError({\n message: \"Insufficient capability to perform the action\",\n code: ErrorCodes.authorization.missingCapability,\n reason: \"missing_capability\",\n metadata: {\n reason: \"missing_capability\",\n ...extractMetadataOnly(input),\n },\n ...extractAppErrorOptions(input),\n });\n }\n\n /**\n * The actor may perform the action in general, but not on *this* target —\n * the resource falls outside the actor's permitted scope (e.g. a different\n * school or tenant than the one they are bound to).\n *\n * @param input - Factory options plus the optional `required` scope that the\n * target failed to satisfy.\n */\n static outOfScope(\n input: AuthorizationErrorFactoryOptions & {\n required?: AuthorizationRequirement;\n },\n ): AuthorizationError {\n return new AuthorizationError({\n message: \"Action outside the allowed scope\",\n code: ErrorCodes.authorization.outOfScope,\n reason: \"out_of_scope\",\n metadata: { reason: \"out_of_scope\", ...extractMetadataOnly(input) },\n ...extractAppErrorOptions(input),\n });\n }\n}\n\n// ─────────────────────────────────────────────────────────────────────────────\n// Helpers\n// ─────────────────────────────────────────────────────────────────────────────\n\nfunction extractAppErrorOptions(options?: Partial<AppErrorOptions>) {\n return {\n cause: options?.cause,\n type: options?.type,\n severity: options?.severity,\n correlationId: options?.correlationId,\n requestId: options?.requestId,\n commandId: options?.commandId,\n createdAtIso: options?.createdAtIso,\n publicMessage: options?.publicMessage,\n };\n}\n\nfunction extractMetadataOnly(\n input: AuthorizationErrorFactoryOptions,\n): Omit<AuthorizationErrorMetadata, \"reason\"> {\n const {\n cause,\n type,\n severity,\n correlationId,\n requestId,\n commandId,\n createdAtIso,\n publicMessage,\n ...metadata\n } = input;\n return metadata;\n}\n\nexport { AuthorizationError };\nexport type {\n AuthorizationErrorMetadata,\n AuthorizationErrorReason,\n AuthorizationRequirement,\n};\n"],"mappings":";;;;;;;;;;;;;;;AA4EA,IAAM,qBAAN,MAAM,2BAA2BA,kBAAAA,SAAS;CAGtC,YAAoB,QAajB;EACC,MAAM,OAAO,SAAS,OAAO,MAAM;GAC/B,OAAO,OAAO;GACd,UAAU,OAAO;GACjB,MAAM,OAAO;GACb,UAAU,OAAO;GACjB,eAAe,OAAO;GACtB,WAAW,OAAO;GAClB,WAAW,OAAO;GAClB,cAAc,OAAO;GACrB,eAAe,OAAO;EAC1B,CAAC;EAED,KAAK,SAAS,OAAO;EACrB,OAAO,OAAO,IAAI;CACtB;;;;;;;CAYA,OAAO,UACH,OACkB;EAClB,OAAO,IAAI,mBAAmB;GAC1B,SAAS;GACT,MAAMC,kBAAAA,WAAW,cAAc;GAC/B,QAAQ;GACR,UAAU;IAAE,QAAQ;IAAa,GAAG,oBAAoB,KAAK;GAAE;GAC/D,GAAG,uBAAuB,KAAK;EACnC,CAAC;CACL;;;;;;;;;;CAWA,OAAO,aACH,OAKkB;EAClB,OAAO,IAAI,mBAAmB;GAC1B,SAAS;GACT,MAAMA,kBAAAA,WAAW,cAAc;GAC/B,QAAQ;GACR,UAAU;IACN,QAAQ;IACR,GAAG,oBAAoB,KAAK;IAC5B,UAAU;GACd;GACA,GAAG,uBAAuB,KAAK;EACnC,CAAC;CACL;;;;;;;;;;CAWA,OAAO,YACH,OAGkB;EAClB,OAAO,IAAI,mBAAmB;GAC1B,SAAS;GACT,MAAMA,kBAAAA,WAAW,cAAc;GAC/B,QAAQ;GACR,UAAU;IACN,QAAQ;IACR,GAAG,oBAAoB,KAAK;GAChC;GACA,GAAG,uBAAuB,KAAK;EACnC,CAAC;CACL;;;;;;;;CASA,OAAO,kBACH,OAGkB;EAClB,OAAO,IAAI,mBAAmB;GAC1B,SAAS;GACT,MAAMA,kBAAAA,WAAW,cAAc;GAC/B,QAAQ;GACR,UAAU;IACN,QAAQ;IACR,GAAG,oBAAoB,KAAK;GAChC;GACA,GAAG,uBAAuB,KAAK;EACnC,CAAC;CACL;;;;;;;;;CAUA,OAAO,WACH,OAGkB;EAClB,OAAO,IAAI,mBAAmB;GAC1B,SAAS;GACT,MAAMA,kBAAAA,WAAW,cAAc;GAC/B,QAAQ;GACR,UAAU;IAAE,QAAQ;IAAgB,GAAG,oBAAoB,KAAK;GAAE;GAClE,GAAG,uBAAuB,KAAK;EACnC,CAAC;CACL;AACJ;AAMA,SAAS,uBAAuB,SAAoC;CAChE,OAAO;EACH,OAAO,SAAS;EAChB,MAAM,SAAS;EACf,UAAU,SAAS;EACnB,eAAe,SAAS;EACxB,WAAW,SAAS;EACpB,WAAW,SAAS;EACpB,cAAc,SAAS;EACvB,eAAe,SAAS;CAC5B;AACJ;AAEA,SAAS,oBACL,OAC0C;CAC1C,MAAM,EACF,OACA,MACA,UACA,eACA,WACA,WACA,cACA,eACA,GAAG,aACH;CACJ,OAAO;AACX"}
@@ -0,0 +1,113 @@
1
+ import { n as AppErrorOptions, t as AppError } from "./app-error.cjs";
2
+
3
+ //#region src/core/errors/authorization-error.d.ts
4
+ type AuthorizationErrorReason = "forbidden" | "missing_role" | "missing_capability" | "out_of_scope" | "outside_time_window" | "policy_denied" | "unknown";
5
+ type AuthorizationRequirement = {
6
+ role?: string;
7
+ capability?: string;
8
+ scope?: string;
9
+ };
10
+ type AuthorizationErrorMetadata = {
11
+ reason: AuthorizationErrorReason;
12
+ /** Stable action you evaluated (not an HTTP route — a "business action") */
13
+ action: string;
14
+ /** Resource identification (without leaking the full payload) */
15
+ resource?: {
16
+ type: string;
17
+ id?: string;
18
+ };
19
+ /** Optional: actor (do not include sensitive data) */
20
+ actor?: {
21
+ userId: string;
22
+ role?: string;
23
+ };
24
+ /** Optional: expected requirement */
25
+ required?: AuthorizationRequirement;
26
+ /** Optional: policy (when you already have PolicyEvaluation or similar) */
27
+ policyId?: string;
28
+ policyVersion?: number;
29
+ evaluatedAtIso?: string;
30
+ decision?: "allow" | "deny";
31
+ reasonCode?: string;
32
+ /** Optional: additional non-sensitive info */
33
+ details?: string;
34
+ };
35
+ /**
36
+ * Options for AuthorizationError factory methods.
37
+ * Combines metadata fields (except 'reason') with common AppError options.
38
+ */
39
+ type AuthorizationErrorFactoryOptions = Omit<AuthorizationErrorMetadata, "reason"> & Omit<AppErrorOptions, "metadata">;
40
+ /**
41
+ * Raised when an authenticated actor is not allowed to perform a business
42
+ * action — the "you may not" error, distinct from authentication ("who are
43
+ * you"). Maps to an HTTP 403 at the edge.
44
+ *
45
+ * The discriminating {@link reason} records *why* access was denied (a flat
46
+ * forbid, a missing role/capability, an out-of-scope target, or a policy
47
+ * decision) so the boundary can shape the response without re-deriving it. The
48
+ * metadata is deliberately built around a stable business `action` and a
49
+ * type/id resource reference rather than an HTTP route or full payload, keeping
50
+ * sensitive data out of logs. Instances are frozen. Construct through the
51
+ * static factories, never directly.
52
+ */
53
+ declare class AuthorizationError extends AppError {
54
+ readonly reason: AuthorizationErrorReason;
55
+ private constructor();
56
+ /**
57
+ * A flat denial with no more specific reason — the actor simply may not
58
+ * perform this action. Reach for a more precise factory
59
+ * ({@link AuthorizationError.missingCapability}, {@link AuthorizationError.outOfScope},
60
+ * {@link AuthorizationError.policyDenied}) when the cause is known.
61
+ */
62
+ static forbidden(input: AuthorizationErrorFactoryOptions): AuthorizationError;
63
+ /**
64
+ * The action was denied by an evaluated policy. Captures the deciding
65
+ * policy's id, version, and evaluation instant into the metadata (with
66
+ * `decision: "deny"`) so the denial is auditable back to the exact policy
67
+ * that produced it.
68
+ *
69
+ * @param input - Factory options plus the required `policyId`,
70
+ * `policyVersion`, and `evaluatedAtIso` of the deciding policy.
71
+ */
72
+ static policyDenied(input: AuthorizationErrorFactoryOptions & {
73
+ policyId: string;
74
+ policyVersion: number;
75
+ evaluatedAtIso: string;
76
+ }): AuthorizationError;
77
+ /**
78
+ * The actor holds no role at all that bears on the action — the most basic
79
+ * denial, distinct from {@link AuthorizationError.missingCapability} (which
80
+ * means the actor *has* roles, just none granting the required capability).
81
+ * The expected {@link AuthorizationRequirement} is recorded so the boundary
82
+ * can tell the caller what grant is missing.
83
+ *
84
+ * @param input - Factory options plus the `required` role/capability/scope.
85
+ */
86
+ static missingRole(input: AuthorizationErrorFactoryOptions & {
87
+ required: AuthorizationRequirement;
88
+ }): AuthorizationError;
89
+ /**
90
+ * The actor lacks a required role or capability. The expected
91
+ * {@link AuthorizationRequirement} is recorded so the boundary can tell the
92
+ * caller precisely what grant is missing.
93
+ *
94
+ * @param input - Factory options plus the `required` role/capability/scope.
95
+ */
96
+ static missingCapability(input: AuthorizationErrorFactoryOptions & {
97
+ required: AuthorizationRequirement;
98
+ }): AuthorizationError;
99
+ /**
100
+ * The actor may perform the action in general, but not on *this* target —
101
+ * the resource falls outside the actor's permitted scope (e.g. a different
102
+ * school or tenant than the one they are bound to).
103
+ *
104
+ * @param input - Factory options plus the optional `required` scope that the
105
+ * target failed to satisfy.
106
+ */
107
+ static outOfScope(input: AuthorizationErrorFactoryOptions & {
108
+ required?: AuthorizationRequirement;
109
+ }): AuthorizationError;
110
+ }
111
+ //#endregion
112
+ export { AuthorizationRequirement as i, AuthorizationErrorMetadata as n, AuthorizationErrorReason as r, AuthorizationError as t };
113
+ //# sourceMappingURL=authorization-error.d.cts.map
@@ -0,0 +1,113 @@
1
+ import { n as AppErrorOptions, t as AppError } from "./app-error.js";
2
+
3
+ //#region src/core/errors/authorization-error.d.ts
4
+ type AuthorizationErrorReason = "forbidden" | "missing_role" | "missing_capability" | "out_of_scope" | "outside_time_window" | "policy_denied" | "unknown";
5
+ type AuthorizationRequirement = {
6
+ role?: string;
7
+ capability?: string;
8
+ scope?: string;
9
+ };
10
+ type AuthorizationErrorMetadata = {
11
+ reason: AuthorizationErrorReason;
12
+ /** Stable action you evaluated (not an HTTP route — a "business action") */
13
+ action: string;
14
+ /** Resource identification (without leaking the full payload) */
15
+ resource?: {
16
+ type: string;
17
+ id?: string;
18
+ };
19
+ /** Optional: actor (do not include sensitive data) */
20
+ actor?: {
21
+ userId: string;
22
+ role?: string;
23
+ };
24
+ /** Optional: expected requirement */
25
+ required?: AuthorizationRequirement;
26
+ /** Optional: policy (when you already have PolicyEvaluation or similar) */
27
+ policyId?: string;
28
+ policyVersion?: number;
29
+ evaluatedAtIso?: string;
30
+ decision?: "allow" | "deny";
31
+ reasonCode?: string;
32
+ /** Optional: additional non-sensitive info */
33
+ details?: string;
34
+ };
35
+ /**
36
+ * Options for AuthorizationError factory methods.
37
+ * Combines metadata fields (except 'reason') with common AppError options.
38
+ */
39
+ type AuthorizationErrorFactoryOptions = Omit<AuthorizationErrorMetadata, "reason"> & Omit<AppErrorOptions, "metadata">;
40
+ /**
41
+ * Raised when an authenticated actor is not allowed to perform a business
42
+ * action — the "you may not" error, distinct from authentication ("who are
43
+ * you"). Maps to an HTTP 403 at the edge.
44
+ *
45
+ * The discriminating {@link reason} records *why* access was denied (a flat
46
+ * forbid, a missing role/capability, an out-of-scope target, or a policy
47
+ * decision) so the boundary can shape the response without re-deriving it. The
48
+ * metadata is deliberately built around a stable business `action` and a
49
+ * type/id resource reference rather than an HTTP route or full payload, keeping
50
+ * sensitive data out of logs. Instances are frozen. Construct through the
51
+ * static factories, never directly.
52
+ */
53
+ declare class AuthorizationError extends AppError {
54
+ readonly reason: AuthorizationErrorReason;
55
+ private constructor();
56
+ /**
57
+ * A flat denial with no more specific reason — the actor simply may not
58
+ * perform this action. Reach for a more precise factory
59
+ * ({@link AuthorizationError.missingCapability}, {@link AuthorizationError.outOfScope},
60
+ * {@link AuthorizationError.policyDenied}) when the cause is known.
61
+ */
62
+ static forbidden(input: AuthorizationErrorFactoryOptions): AuthorizationError;
63
+ /**
64
+ * The action was denied by an evaluated policy. Captures the deciding
65
+ * policy's id, version, and evaluation instant into the metadata (with
66
+ * `decision: "deny"`) so the denial is auditable back to the exact policy
67
+ * that produced it.
68
+ *
69
+ * @param input - Factory options plus the required `policyId`,
70
+ * `policyVersion`, and `evaluatedAtIso` of the deciding policy.
71
+ */
72
+ static policyDenied(input: AuthorizationErrorFactoryOptions & {
73
+ policyId: string;
74
+ policyVersion: number;
75
+ evaluatedAtIso: string;
76
+ }): AuthorizationError;
77
+ /**
78
+ * The actor holds no role at all that bears on the action — the most basic
79
+ * denial, distinct from {@link AuthorizationError.missingCapability} (which
80
+ * means the actor *has* roles, just none granting the required capability).
81
+ * The expected {@link AuthorizationRequirement} is recorded so the boundary
82
+ * can tell the caller what grant is missing.
83
+ *
84
+ * @param input - Factory options plus the `required` role/capability/scope.
85
+ */
86
+ static missingRole(input: AuthorizationErrorFactoryOptions & {
87
+ required: AuthorizationRequirement;
88
+ }): AuthorizationError;
89
+ /**
90
+ * The actor lacks a required role or capability. The expected
91
+ * {@link AuthorizationRequirement} is recorded so the boundary can tell the
92
+ * caller precisely what grant is missing.
93
+ *
94
+ * @param input - Factory options plus the `required` role/capability/scope.
95
+ */
96
+ static missingCapability(input: AuthorizationErrorFactoryOptions & {
97
+ required: AuthorizationRequirement;
98
+ }): AuthorizationError;
99
+ /**
100
+ * The actor may perform the action in general, but not on *this* target —
101
+ * the resource falls outside the actor's permitted scope (e.g. a different
102
+ * school or tenant than the one they are bound to).
103
+ *
104
+ * @param input - Factory options plus the optional `required` scope that the
105
+ * target failed to satisfy.
106
+ */
107
+ static outOfScope(input: AuthorizationErrorFactoryOptions & {
108
+ required?: AuthorizationRequirement;
109
+ }): AuthorizationError;
110
+ }
111
+ //#endregion
112
+ export { AuthorizationRequirement as i, AuthorizationErrorMetadata as n, AuthorizationErrorReason as r, AuthorizationError as t };
113
+ //# sourceMappingURL=authorization-error.d.ts.map
@@ -0,0 +1,152 @@
1
+ import { r as ErrorCodes, t as AppError } from "./app-error.js";
2
+ //#region src/core/errors/authorization-error.ts
3
+ /**
4
+ * Raised when an authenticated actor is not allowed to perform a business
5
+ * action — the "you may not" error, distinct from authentication ("who are
6
+ * you"). Maps to an HTTP 403 at the edge.
7
+ *
8
+ * The discriminating {@link reason} records *why* access was denied (a flat
9
+ * forbid, a missing role/capability, an out-of-scope target, or a policy
10
+ * decision) so the boundary can shape the response without re-deriving it. The
11
+ * metadata is deliberately built around a stable business `action` and a
12
+ * type/id resource reference rather than an HTTP route or full payload, keeping
13
+ * sensitive data out of logs. Instances are frozen. Construct through the
14
+ * static factories, never directly.
15
+ */
16
+ var AuthorizationError = class AuthorizationError extends AppError {
17
+ constructor(params) {
18
+ super(params.message, params.code, {
19
+ cause: params.cause,
20
+ metadata: params.metadata,
21
+ type: params.type,
22
+ severity: params.severity,
23
+ correlationId: params.correlationId,
24
+ requestId: params.requestId,
25
+ commandId: params.commandId,
26
+ createdAtIso: params.createdAtIso,
27
+ publicMessage: params.publicMessage
28
+ });
29
+ this.reason = params.reason;
30
+ Object.freeze(this);
31
+ }
32
+ /**
33
+ * A flat denial with no more specific reason — the actor simply may not
34
+ * perform this action. Reach for a more precise factory
35
+ * ({@link AuthorizationError.missingCapability}, {@link AuthorizationError.outOfScope},
36
+ * {@link AuthorizationError.policyDenied}) when the cause is known.
37
+ */
38
+ static forbidden(input) {
39
+ return new AuthorizationError({
40
+ message: "Action not allowed",
41
+ code: ErrorCodes.authorization.forbidden,
42
+ reason: "forbidden",
43
+ metadata: {
44
+ reason: "forbidden",
45
+ ...extractMetadataOnly(input)
46
+ },
47
+ ...extractAppErrorOptions(input)
48
+ });
49
+ }
50
+ /**
51
+ * The action was denied by an evaluated policy. Captures the deciding
52
+ * policy's id, version, and evaluation instant into the metadata (with
53
+ * `decision: "deny"`) so the denial is auditable back to the exact policy
54
+ * that produced it.
55
+ *
56
+ * @param input - Factory options plus the required `policyId`,
57
+ * `policyVersion`, and `evaluatedAtIso` of the deciding policy.
58
+ */
59
+ static policyDenied(input) {
60
+ return new AuthorizationError({
61
+ message: "Action denied by policy",
62
+ code: ErrorCodes.authorization.policyDenied,
63
+ reason: "policy_denied",
64
+ metadata: {
65
+ reason: "policy_denied",
66
+ ...extractMetadataOnly(input),
67
+ decision: "deny"
68
+ },
69
+ ...extractAppErrorOptions(input)
70
+ });
71
+ }
72
+ /**
73
+ * The actor holds no role at all that bears on the action — the most basic
74
+ * denial, distinct from {@link AuthorizationError.missingCapability} (which
75
+ * means the actor *has* roles, just none granting the required capability).
76
+ * The expected {@link AuthorizationRequirement} is recorded so the boundary
77
+ * can tell the caller what grant is missing.
78
+ *
79
+ * @param input - Factory options plus the `required` role/capability/scope.
80
+ */
81
+ static missingRole(input) {
82
+ return new AuthorizationError({
83
+ message: "Missing required role to perform the action",
84
+ code: ErrorCodes.authorization.missingRole,
85
+ reason: "missing_role",
86
+ metadata: {
87
+ reason: "missing_role",
88
+ ...extractMetadataOnly(input)
89
+ },
90
+ ...extractAppErrorOptions(input)
91
+ });
92
+ }
93
+ /**
94
+ * The actor lacks a required role or capability. The expected
95
+ * {@link AuthorizationRequirement} is recorded so the boundary can tell the
96
+ * caller precisely what grant is missing.
97
+ *
98
+ * @param input - Factory options plus the `required` role/capability/scope.
99
+ */
100
+ static missingCapability(input) {
101
+ return new AuthorizationError({
102
+ message: "Insufficient capability to perform the action",
103
+ code: ErrorCodes.authorization.missingCapability,
104
+ reason: "missing_capability",
105
+ metadata: {
106
+ reason: "missing_capability",
107
+ ...extractMetadataOnly(input)
108
+ },
109
+ ...extractAppErrorOptions(input)
110
+ });
111
+ }
112
+ /**
113
+ * The actor may perform the action in general, but not on *this* target —
114
+ * the resource falls outside the actor's permitted scope (e.g. a different
115
+ * school or tenant than the one they are bound to).
116
+ *
117
+ * @param input - Factory options plus the optional `required` scope that the
118
+ * target failed to satisfy.
119
+ */
120
+ static outOfScope(input) {
121
+ return new AuthorizationError({
122
+ message: "Action outside the allowed scope",
123
+ code: ErrorCodes.authorization.outOfScope,
124
+ reason: "out_of_scope",
125
+ metadata: {
126
+ reason: "out_of_scope",
127
+ ...extractMetadataOnly(input)
128
+ },
129
+ ...extractAppErrorOptions(input)
130
+ });
131
+ }
132
+ };
133
+ function extractAppErrorOptions(options) {
134
+ return {
135
+ cause: options?.cause,
136
+ type: options?.type,
137
+ severity: options?.severity,
138
+ correlationId: options?.correlationId,
139
+ requestId: options?.requestId,
140
+ commandId: options?.commandId,
141
+ createdAtIso: options?.createdAtIso,
142
+ publicMessage: options?.publicMessage
143
+ };
144
+ }
145
+ function extractMetadataOnly(input) {
146
+ const { cause, type, severity, correlationId, requestId, commandId, createdAtIso, publicMessage, ...metadata } = input;
147
+ return metadata;
148
+ }
149
+ //#endregion
150
+ export { AuthorizationError as t };
151
+
152
+ //# sourceMappingURL=authorization-error.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"authorization-error.js","names":[],"sources":["../src/core/errors/authorization-error.ts"],"sourcesContent":["import { AppError } from \"./app-error.js\";\nimport { ErrorCodes } from \"./error-codes.js\";\nimport type { AppErrorOptions, ErrorSeverity } from \"./types.js\";\n\n// ─────────────────────────────────────────────────────────────────────────────\n// Types\n// ─────────────────────────────────────────────────────────────────────────────\n\ntype AuthorizationErrorReason =\n | \"forbidden\"\n | \"missing_role\"\n | \"missing_capability\"\n | \"out_of_scope\"\n | \"outside_time_window\"\n | \"policy_denied\"\n | \"unknown\";\n\ntype AuthorizationRequirement = {\n role?: string;\n capability?: string;\n scope?: string; // e.g.: \"school:{id}\" or \"class:{id}\"\n};\n\ntype AuthorizationErrorMetadata = {\n reason: AuthorizationErrorReason;\n\n /** Stable action you evaluated (not an HTTP route — a \"business action\") */\n action: string;\n\n /** Resource identification (without leaking the full payload) */\n resource?: { type: string; id?: string };\n\n /** Optional: actor (do not include sensitive data) */\n actor?: { userId: string; role?: string };\n\n /** Optional: expected requirement */\n required?: AuthorizationRequirement;\n\n /** Optional: policy (when you already have PolicyEvaluation or similar) */\n policyId?: string;\n policyVersion?: number;\n evaluatedAtIso?: string;\n decision?: \"allow\" | \"deny\";\n reasonCode?: string;\n\n /** Optional: additional non-sensitive info */\n details?: string;\n};\n\n/**\n * Options for AuthorizationError factory methods.\n * Combines metadata fields (except 'reason') with common AppError options.\n */\ntype AuthorizationErrorFactoryOptions = Omit<\n AuthorizationErrorMetadata,\n \"reason\"\n> &\n Omit<AppErrorOptions, \"metadata\">;\n\n// ─────────────────────────────────────────────────────────────────────────────\n// AuthorizationError\n// ─────────────────────────────────────────────────────────────────────────────\n\n/**\n * Raised when an authenticated actor is not allowed to perform a business\n * action — the \"you may not\" error, distinct from authentication (\"who are\n * you\"). Maps to an HTTP 403 at the edge.\n *\n * The discriminating {@link reason} records *why* access was denied (a flat\n * forbid, a missing role/capability, an out-of-scope target, or a policy\n * decision) so the boundary can shape the response without re-deriving it. The\n * metadata is deliberately built around a stable business `action` and a\n * type/id resource reference rather than an HTTP route or full payload, keeping\n * sensitive data out of logs. Instances are frozen. Construct through the\n * static factories, never directly.\n */\nclass AuthorizationError extends AppError {\n public readonly reason: AuthorizationErrorReason;\n\n private constructor(params: {\n message: string;\n code: string;\n reason: AuthorizationErrorReason;\n metadata: AuthorizationErrorMetadata;\n cause?: unknown;\n type?: string;\n severity?: ErrorSeverity;\n correlationId?: string;\n requestId?: string;\n commandId?: string;\n createdAtIso?: string;\n publicMessage?: string;\n }) {\n super(params.message, params.code, {\n cause: params.cause,\n metadata: params.metadata,\n type: params.type,\n severity: params.severity,\n correlationId: params.correlationId,\n requestId: params.requestId,\n commandId: params.commandId,\n createdAtIso: params.createdAtIso,\n publicMessage: params.publicMessage,\n });\n\n this.reason = params.reason;\n Object.freeze(this);\n }\n\n // ─────────────────────────────────────────────────────────────────────────\n // Factories\n // ─────────────────────────────────────────────────────────────────────────\n\n /**\n * A flat denial with no more specific reason — the actor simply may not\n * perform this action. Reach for a more precise factory\n * ({@link AuthorizationError.missingCapability}, {@link AuthorizationError.outOfScope},\n * {@link AuthorizationError.policyDenied}) when the cause is known.\n */\n static forbidden(\n input: AuthorizationErrorFactoryOptions,\n ): AuthorizationError {\n return new AuthorizationError({\n message: \"Action not allowed\",\n code: ErrorCodes.authorization.forbidden,\n reason: \"forbidden\",\n metadata: { reason: \"forbidden\", ...extractMetadataOnly(input) },\n ...extractAppErrorOptions(input),\n });\n }\n\n /**\n * The action was denied by an evaluated policy. Captures the deciding\n * policy's id, version, and evaluation instant into the metadata (with\n * `decision: \"deny\"`) so the denial is auditable back to the exact policy\n * that produced it.\n *\n * @param input - Factory options plus the required `policyId`,\n * `policyVersion`, and `evaluatedAtIso` of the deciding policy.\n */\n static policyDenied(\n input: AuthorizationErrorFactoryOptions & {\n policyId: string;\n policyVersion: number;\n evaluatedAtIso: string;\n },\n ): AuthorizationError {\n return new AuthorizationError({\n message: \"Action denied by policy\",\n code: ErrorCodes.authorization.policyDenied,\n reason: \"policy_denied\",\n metadata: {\n reason: \"policy_denied\",\n ...extractMetadataOnly(input),\n decision: \"deny\",\n },\n ...extractAppErrorOptions(input),\n });\n }\n\n /**\n * The actor holds no role at all that bears on the action — the most basic\n * denial, distinct from {@link AuthorizationError.missingCapability} (which\n * means the actor *has* roles, just none granting the required capability).\n * The expected {@link AuthorizationRequirement} is recorded so the boundary\n * can tell the caller what grant is missing.\n *\n * @param input - Factory options plus the `required` role/capability/scope.\n */\n static missingRole(\n input: AuthorizationErrorFactoryOptions & {\n required: AuthorizationRequirement;\n },\n ): AuthorizationError {\n return new AuthorizationError({\n message: \"Missing required role to perform the action\",\n code: ErrorCodes.authorization.missingRole,\n reason: \"missing_role\",\n metadata: {\n reason: \"missing_role\",\n ...extractMetadataOnly(input),\n },\n ...extractAppErrorOptions(input),\n });\n }\n\n /**\n * The actor lacks a required role or capability. The expected\n * {@link AuthorizationRequirement} is recorded so the boundary can tell the\n * caller precisely what grant is missing.\n *\n * @param input - Factory options plus the `required` role/capability/scope.\n */\n static missingCapability(\n input: AuthorizationErrorFactoryOptions & {\n required: AuthorizationRequirement;\n },\n ): AuthorizationError {\n return new AuthorizationError({\n message: \"Insufficient capability to perform the action\",\n code: ErrorCodes.authorization.missingCapability,\n reason: \"missing_capability\",\n metadata: {\n reason: \"missing_capability\",\n ...extractMetadataOnly(input),\n },\n ...extractAppErrorOptions(input),\n });\n }\n\n /**\n * The actor may perform the action in general, but not on *this* target —\n * the resource falls outside the actor's permitted scope (e.g. a different\n * school or tenant than the one they are bound to).\n *\n * @param input - Factory options plus the optional `required` scope that the\n * target failed to satisfy.\n */\n static outOfScope(\n input: AuthorizationErrorFactoryOptions & {\n required?: AuthorizationRequirement;\n },\n ): AuthorizationError {\n return new AuthorizationError({\n message: \"Action outside the allowed scope\",\n code: ErrorCodes.authorization.outOfScope,\n reason: \"out_of_scope\",\n metadata: { reason: \"out_of_scope\", ...extractMetadataOnly(input) },\n ...extractAppErrorOptions(input),\n });\n }\n}\n\n// ─────────────────────────────────────────────────────────────────────────────\n// Helpers\n// ─────────────────────────────────────────────────────────────────────────────\n\nfunction extractAppErrorOptions(options?: Partial<AppErrorOptions>) {\n return {\n cause: options?.cause,\n type: options?.type,\n severity: options?.severity,\n correlationId: options?.correlationId,\n requestId: options?.requestId,\n commandId: options?.commandId,\n createdAtIso: options?.createdAtIso,\n publicMessage: options?.publicMessage,\n };\n}\n\nfunction extractMetadataOnly(\n input: AuthorizationErrorFactoryOptions,\n): Omit<AuthorizationErrorMetadata, \"reason\"> {\n const {\n cause,\n type,\n severity,\n correlationId,\n requestId,\n commandId,\n createdAtIso,\n publicMessage,\n ...metadata\n } = input;\n return metadata;\n}\n\nexport { AuthorizationError };\nexport type {\n AuthorizationErrorMetadata,\n AuthorizationErrorReason,\n AuthorizationRequirement,\n};\n"],"mappings":";;;;;;;;;;;;;;;AA4EA,IAAM,qBAAN,MAAM,2BAA2B,SAAS;CAGtC,YAAoB,QAajB;EACC,MAAM,OAAO,SAAS,OAAO,MAAM;GAC/B,OAAO,OAAO;GACd,UAAU,OAAO;GACjB,MAAM,OAAO;GACb,UAAU,OAAO;GACjB,eAAe,OAAO;GACtB,WAAW,OAAO;GAClB,WAAW,OAAO;GAClB,cAAc,OAAO;GACrB,eAAe,OAAO;EAC1B,CAAC;EAED,KAAK,SAAS,OAAO;EACrB,OAAO,OAAO,IAAI;CACtB;;;;;;;CAYA,OAAO,UACH,OACkB;EAClB,OAAO,IAAI,mBAAmB;GAC1B,SAAS;GACT,MAAM,WAAW,cAAc;GAC/B,QAAQ;GACR,UAAU;IAAE,QAAQ;IAAa,GAAG,oBAAoB,KAAK;GAAE;GAC/D,GAAG,uBAAuB,KAAK;EACnC,CAAC;CACL;;;;;;;;;;CAWA,OAAO,aACH,OAKkB;EAClB,OAAO,IAAI,mBAAmB;GAC1B,SAAS;GACT,MAAM,WAAW,cAAc;GAC/B,QAAQ;GACR,UAAU;IACN,QAAQ;IACR,GAAG,oBAAoB,KAAK;IAC5B,UAAU;GACd;GACA,GAAG,uBAAuB,KAAK;EACnC,CAAC;CACL;;;;;;;;;;CAWA,OAAO,YACH,OAGkB;EAClB,OAAO,IAAI,mBAAmB;GAC1B,SAAS;GACT,MAAM,WAAW,cAAc;GAC/B,QAAQ;GACR,UAAU;IACN,QAAQ;IACR,GAAG,oBAAoB,KAAK;GAChC;GACA,GAAG,uBAAuB,KAAK;EACnC,CAAC;CACL;;;;;;;;CASA,OAAO,kBACH,OAGkB;EAClB,OAAO,IAAI,mBAAmB;GAC1B,SAAS;GACT,MAAM,WAAW,cAAc;GAC/B,QAAQ;GACR,UAAU;IACN,QAAQ;IACR,GAAG,oBAAoB,KAAK;GAChC;GACA,GAAG,uBAAuB,KAAK;EACnC,CAAC;CACL;;;;;;;;;CAUA,OAAO,WACH,OAGkB;EAClB,OAAO,IAAI,mBAAmB;GAC1B,SAAS;GACT,MAAM,WAAW,cAAc;GAC/B,QAAQ;GACR,UAAU;IAAE,QAAQ;IAAgB,GAAG,oBAAoB,KAAK;GAAE;GAClE,GAAG,uBAAuB,KAAK;EACnC,CAAC;CACL;AACJ;AAMA,SAAS,uBAAuB,SAAoC;CAChE,OAAO;EACH,OAAO,SAAS;EAChB,MAAM,SAAS;EACf,UAAU,SAAS;EACnB,eAAe,SAAS;EACxB,WAAW,SAAS;EACpB,WAAW,SAAS;EACpB,cAAc,SAAS;EACvB,eAAe,SAAS;CAC5B;AACJ;AAEA,SAAS,oBACL,OAC0C;CAC1C,MAAM,EACF,OACA,MACA,UACA,eACA,WACA,WACA,cACA,eACA,GAAG,aACH;CACJ,OAAO;AACX"}