@cullet/erp-core 1.3.0 → 1.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/KIT_CONTEXT.md +11 -3
- package/README.md +160 -0
- package/dist/abac/index.cjs +7 -0
- package/dist/abac/index.d.cts +2 -0
- package/dist/abac/index.d.ts +2 -0
- package/dist/abac/index.js +2 -0
- package/dist/app-error.cjs +201 -0
- package/dist/app-error.cjs.map +1 -0
- package/dist/app-error.js +178 -0
- package/dist/app-error.js.map +1 -0
- package/dist/application/index.cjs +2 -1
- package/dist/application/index.d.cts +2 -1
- package/dist/application/index.d.ts +2 -1
- package/dist/application/index.js +2 -1
- package/dist/authorization-error.cjs +157 -0
- package/dist/authorization-error.cjs.map +1 -0
- package/dist/authorization-error.d.cts +113 -0
- package/dist/authorization-error.d.ts +113 -0
- package/dist/authorization-error.js +152 -0
- package/dist/authorization-error.js.map +1 -0
- package/dist/authorizer.port.d.cts +130 -0
- package/dist/authorizer.port.d.ts +130 -0
- package/dist/composite-authorizer.d.cts +216 -0
- package/dist/composite-authorizer.d.ts +216 -0
- package/dist/condition-evaluator.cjs +579 -0
- package/dist/condition-evaluator.cjs.map +1 -0
- package/dist/condition-evaluator.js +550 -0
- package/dist/condition-evaluator.js.map +1 -0
- package/dist/{gate-types.d.ts → core-config.d.cts} +78 -77
- package/dist/{gate-types.d.cts → core-config.d.ts} +78 -77
- package/dist/domain/index.cjs +2 -1
- package/dist/domain/index.d.cts +2 -1
- package/dist/domain/index.d.ts +2 -1
- package/dist/domain/index.js +2 -1
- package/dist/domain-event-contracts.cjs +3 -2
- package/dist/domain-event-contracts.cjs.map +1 -1
- package/dist/domain-event-contracts.js +2 -1
- package/dist/domain-event-contracts.js.map +1 -1
- package/dist/entity.cjs +122 -0
- package/dist/entity.cjs.map +1 -0
- package/dist/entity.js +111 -0
- package/dist/entity.js.map +1 -0
- package/dist/errors/index.cjs +10 -7
- package/dist/errors/index.d.cts +2 -1
- package/dist/errors/index.d.ts +2 -1
- package/dist/errors/index.js +6 -3
- package/dist/gate-engine-registry.cjs +5 -4
- package/dist/gate-engine-registry.cjs.map +1 -1
- package/dist/gate-engine-registry.d.cts +3 -2
- package/dist/gate-engine-registry.d.ts +3 -2
- package/dist/gate-engine-registry.js +2 -1
- package/dist/gate-engine-registry.js.map +1 -1
- package/dist/gate-v1-payload.schema.cjs +0 -562
- package/dist/gate-v1-payload.schema.cjs.map +1 -1
- package/dist/gate-v1-payload.schema.js +1 -533
- package/dist/gate-v1-payload.schema.js.map +1 -1
- package/dist/hashing.cjs +2 -44
- package/dist/hashing.cjs.map +1 -1
- package/dist/hashing.js +2 -38
- package/dist/hashing.js.map +1 -1
- package/dist/index.cjs +36 -17
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +19 -12
- package/dist/index.d.ts +19 -12
- package/dist/index.js +17 -10
- package/dist/index.js.map +1 -1
- package/dist/not-found-error.cjs +5 -5
- package/dist/not-found-error.cjs.map +1 -1
- package/dist/not-found-error.js +1 -1
- package/dist/outcome.d.cts +1 -83
- package/dist/outcome.d.ts +1 -83
- package/dist/parse-gate-payload.d.cts +2 -2
- package/dist/parse-gate-payload.d.ts +2 -2
- package/dist/path.d.cts +2 -2
- package/dist/path.d.ts +2 -2
- package/dist/policies/engines/index.d.cts +1 -1
- package/dist/policies/engines/index.d.ts +1 -1
- package/dist/policies/engines/v1/gate/index.cjs +5 -4
- package/dist/policies/engines/v1/gate/index.cjs.map +1 -1
- package/dist/policies/engines/v1/gate/index.d.cts +4 -2
- package/dist/policies/engines/v1/gate/index.d.ts +4 -2
- package/dist/policies/engines/v1/gate/index.js +2 -1
- package/dist/policies/engines/v1/gate/index.js.map +1 -1
- package/dist/policies/index.cjs +5 -5
- package/dist/policies/index.d.cts +3 -2
- package/dist/policies/index.d.ts +3 -2
- package/dist/policies/index.js +2 -2
- package/dist/policy-bridge.cjs +437 -0
- package/dist/policy-bridge.cjs.map +1 -0
- package/dist/policy-bridge.d.cts +185 -0
- package/dist/policy-bridge.d.ts +185 -0
- package/dist/policy-bridge.js +396 -0
- package/dist/policy-bridge.js.map +1 -0
- package/dist/policy-service.cjs +241 -240
- package/dist/policy-service.cjs.map +1 -1
- package/dist/policy-service.d.cts +2 -2
- package/dist/policy-service.d.ts +2 -2
- package/dist/policy-service.js +240 -239
- package/dist/policy-service.js.map +1 -1
- package/dist/rbac/index.cjs +9 -0
- package/dist/rbac/index.d.cts +3 -0
- package/dist/rbac/index.d.ts +3 -0
- package/dist/rbac/index.js +2 -0
- package/dist/requested-by.cjs +54 -0
- package/dist/requested-by.cjs.map +1 -0
- package/dist/requested-by.d.cts +25 -0
- package/dist/requested-by.d.ts +25 -0
- package/dist/requested-by.js +49 -0
- package/dist/requested-by.js.map +1 -0
- package/dist/result/index.d.cts +2 -1
- package/dist/result/index.d.ts +2 -1
- package/dist/result.d.cts +84 -0
- package/dist/result.d.ts +84 -0
- package/dist/rule.cjs +327 -0
- package/dist/rule.cjs.map +1 -0
- package/dist/rule.js +298 -0
- package/dist/rule.js.map +1 -0
- package/dist/stable-stringify.cjs +47 -0
- package/dist/stable-stringify.cjs.map +1 -0
- package/dist/stable-stringify.js +42 -0
- package/dist/stable-stringify.js.map +1 -0
- package/dist/temporal-use-case.cjs +6 -53
- package/dist/temporal-use-case.cjs.map +1 -1
- package/dist/temporal-use-case.d.cts +11 -28
- package/dist/temporal-use-case.d.ts +11 -28
- package/dist/temporal-use-case.js +7 -48
- package/dist/temporal-use-case.js.map +1 -1
- package/dist/unexpected-error.cjs +3 -192
- package/dist/unexpected-error.cjs.map +1 -1
- package/dist/unexpected-error.js +2 -167
- package/dist/unexpected-error.js.map +1 -1
- package/dist/use-case.cjs +2 -6
- package/dist/use-case.cjs.map +1 -1
- package/dist/use-case.js +2 -6
- package/dist/use-case.js.map +1 -1
- package/dist/uuid-identifier.cjs +2 -7
- package/dist/uuid-identifier.cjs.map +1 -1
- package/dist/uuid-identifier.d.cts +2 -85
- package/dist/uuid-identifier.d.ts +2 -85
- package/dist/uuid-identifier.js +1 -6
- package/dist/uuid-identifier.js.map +1 -1
- package/dist/uuid.cjs +18 -0
- package/dist/uuid.cjs.map +1 -0
- package/dist/uuid.js +13 -0
- package/dist/uuid.js.map +1 -0
- package/dist/validation-error.cjs +33 -166
- package/dist/validation-error.cjs.map +1 -1
- package/dist/validation-error.d.cts +12 -103
- package/dist/validation-error.d.ts +12 -103
- package/dist/validation-error.js +7 -134
- package/dist/validation-error.js.map +1 -1
- package/dist/value-object.cjs +12 -126
- package/dist/value-object.cjs.map +1 -1
- package/dist/value-object.d.cts +97 -0
- package/dist/value-object.d.ts +97 -0
- package/dist/value-object.js +13 -115
- package/dist/value-object.js.map +1 -1
- package/meta.json +20 -4
- package/package.json +27 -1
- package/src/abac/index.ts +1 -0
- package/src/core/abac/abac-request.ts +29 -0
- package/src/core/abac/attributes.ts +39 -0
- package/src/core/abac/authorizer.ts +108 -0
- package/src/core/abac/combining.ts +63 -0
- package/src/core/abac/composite-authorizer.ts +45 -0
- package/src/core/abac/domain/policy-set.ts +52 -0
- package/src/core/abac/domain/rule.ts +197 -0
- package/src/core/abac/index.ts +21 -0
- package/src/core/application/commands/requested-by.ts +3 -4
- package/src/core/application/ports/abac-authorizer.port.ts +20 -0
- package/src/core/application/ports/authorizer.port.ts +22 -0
- package/src/core/application/queries/query.ts +6 -1
- package/src/core/application/use-case.ts +1 -1
- package/src/core/domain/entity.ts +1 -1
- package/src/core/domain/uuid-identifier.ts +1 -8
- package/src/core/domain/value-object.ts +12 -3
- package/src/core/errors/authorization-error.ts +26 -0
- package/src/core/errors/error-codes.ts +1 -0
- package/src/core/errors/utils/json-safe.ts +20 -11
- package/src/core/index.ts +7 -0
- package/src/core/policies/engines/v1/condition-evaluator.ts +56 -1
- package/src/core/rbac/access-request.ts +32 -0
- package/src/core/rbac/authorizer.ts +91 -0
- package/src/core/rbac/domain/grant.ts +96 -0
- package/src/core/rbac/domain/permission-set.ts +67 -0
- package/src/core/rbac/domain/permission.ts +119 -0
- package/src/core/rbac/domain/role.ts +101 -0
- package/src/core/rbac/domain/scope.ts +84 -0
- package/src/core/rbac/index.ts +15 -0
- package/src/core/rbac/policy-bridge.ts +44 -0
- package/src/core/shared/hashing.ts +1 -55
- package/src/core/shared/stable-stringify.ts +57 -0
- package/src/core/shared/uuid.ts +11 -0
- package/src/examples/application/authorize-cancel-order-abac.example.ts +107 -0
- package/src/examples/application/authorize-cancel-order.example.ts +101 -0
- package/src/rbac/index.ts +1 -0
- package/src/version.ts +1 -1
|
@@ -13,6 +13,7 @@ declare const ErrorCodes: {
|
|
|
13
13
|
readonly authorization: {
|
|
14
14
|
readonly forbidden: "sec.authz.forbidden";
|
|
15
15
|
readonly policyDenied: "sec.authz.policy_denied";
|
|
16
|
+
readonly missingRole: "sec.authz.missing_role";
|
|
16
17
|
readonly missingCapability: "sec.authz.missing_capability";
|
|
17
18
|
readonly outOfScope: "sec.authz.out_of_scope";
|
|
18
19
|
};
|
|
@@ -53,11 +54,14 @@ declare function serializationErrorCode(direction: SerializationCodeDirection, c
|
|
|
53
54
|
/**
|
|
54
55
|
* Ensures metadata is JSON-serializable.
|
|
55
56
|
*
|
|
56
|
-
* **Allowed:**
|
|
57
|
+
* **Allowed:** finite number, string, boolean, null, arrays, and plain objects.
|
|
58
|
+
*
|
|
59
|
+
* **Dropped (mirroring `JSON.stringify`):** object properties whose value is
|
|
60
|
+
* `undefined` (the key is omitted); an `undefined` array item becomes `null`.
|
|
57
61
|
*
|
|
58
62
|
* **Converted to placeholder:** Date, BigInt, class instances, functions,
|
|
59
|
-
* symbols,
|
|
60
|
-
* `JSON.stringify` throw).
|
|
63
|
+
* symbols, non-finite numbers (`NaN`/`Infinity`), and circular references
|
|
64
|
+
* (which would otherwise make `JSON.stringify` throw).
|
|
61
65
|
*
|
|
62
66
|
* @throws {TypeError} If `input` is not a plain object at the root level.
|
|
63
67
|
*/
|
|
@@ -88,103 +92,6 @@ declare class AuthenticationError extends AppError {
|
|
|
88
92
|
static invalidCredentials(options?: Pick<AuthenticationErrorFactoryOptions, "correlationId" | "requestId" | "type" | "severity" | "createdAtIso" | "publicMessage">): AuthenticationError;
|
|
89
93
|
}
|
|
90
94
|
//#endregion
|
|
91
|
-
//#region src/core/errors/authorization-error.d.ts
|
|
92
|
-
type AuthorizationErrorReason = "forbidden" | "missing_role" | "missing_capability" | "out_of_scope" | "outside_time_window" | "policy_denied" | "unknown";
|
|
93
|
-
type AuthorizationRequirement = {
|
|
94
|
-
role?: string;
|
|
95
|
-
capability?: string;
|
|
96
|
-
scope?: string;
|
|
97
|
-
};
|
|
98
|
-
type AuthorizationErrorMetadata = {
|
|
99
|
-
reason: AuthorizationErrorReason;
|
|
100
|
-
/** Stable action you evaluated (not an HTTP route — a "business action") */
|
|
101
|
-
action: string;
|
|
102
|
-
/** Resource identification (without leaking the full payload) */
|
|
103
|
-
resource?: {
|
|
104
|
-
type: string;
|
|
105
|
-
id?: string;
|
|
106
|
-
};
|
|
107
|
-
/** Optional: actor (do not include sensitive data) */
|
|
108
|
-
actor?: {
|
|
109
|
-
userId: string;
|
|
110
|
-
role?: string;
|
|
111
|
-
};
|
|
112
|
-
/** Optional: expected requirement */
|
|
113
|
-
required?: AuthorizationRequirement;
|
|
114
|
-
/** Optional: policy (when you already have PolicyEvaluation or similar) */
|
|
115
|
-
policyId?: string;
|
|
116
|
-
policyVersion?: number;
|
|
117
|
-
evaluatedAtIso?: string;
|
|
118
|
-
decision?: "allow" | "deny";
|
|
119
|
-
reasonCode?: string;
|
|
120
|
-
/** Optional: additional non-sensitive info */
|
|
121
|
-
details?: string;
|
|
122
|
-
};
|
|
123
|
-
/**
|
|
124
|
-
* Options for AuthorizationError factory methods.
|
|
125
|
-
* Combines metadata fields (except 'reason') with common AppError options.
|
|
126
|
-
*/
|
|
127
|
-
type AuthorizationErrorFactoryOptions = Omit<AuthorizationErrorMetadata, "reason"> & Omit<AppErrorOptions, "metadata">;
|
|
128
|
-
/**
|
|
129
|
-
* Raised when an authenticated actor is not allowed to perform a business
|
|
130
|
-
* action — the "you may not" error, distinct from authentication ("who are
|
|
131
|
-
* you"). Maps to an HTTP 403 at the edge.
|
|
132
|
-
*
|
|
133
|
-
* The discriminating {@link reason} records *why* access was denied (a flat
|
|
134
|
-
* forbid, a missing role/capability, an out-of-scope target, or a policy
|
|
135
|
-
* decision) so the boundary can shape the response without re-deriving it. The
|
|
136
|
-
* metadata is deliberately built around a stable business `action` and a
|
|
137
|
-
* type/id resource reference rather than an HTTP route or full payload, keeping
|
|
138
|
-
* sensitive data out of logs. Instances are frozen. Construct through the
|
|
139
|
-
* static factories, never directly.
|
|
140
|
-
*/
|
|
141
|
-
declare class AuthorizationError extends AppError {
|
|
142
|
-
readonly reason: AuthorizationErrorReason;
|
|
143
|
-
private constructor();
|
|
144
|
-
/**
|
|
145
|
-
* A flat denial with no more specific reason — the actor simply may not
|
|
146
|
-
* perform this action. Reach for a more precise factory
|
|
147
|
-
* ({@link AuthorizationError.missingCapability}, {@link AuthorizationError.outOfScope},
|
|
148
|
-
* {@link AuthorizationError.policyDenied}) when the cause is known.
|
|
149
|
-
*/
|
|
150
|
-
static forbidden(input: AuthorizationErrorFactoryOptions): AuthorizationError;
|
|
151
|
-
/**
|
|
152
|
-
* The action was denied by an evaluated policy. Captures the deciding
|
|
153
|
-
* policy's id, version, and evaluation instant into the metadata (with
|
|
154
|
-
* `decision: "deny"`) so the denial is auditable back to the exact policy
|
|
155
|
-
* that produced it.
|
|
156
|
-
*
|
|
157
|
-
* @param input - Factory options plus the required `policyId`,
|
|
158
|
-
* `policyVersion`, and `evaluatedAtIso` of the deciding policy.
|
|
159
|
-
*/
|
|
160
|
-
static policyDenied(input: AuthorizationErrorFactoryOptions & {
|
|
161
|
-
policyId: string;
|
|
162
|
-
policyVersion: number;
|
|
163
|
-
evaluatedAtIso: string;
|
|
164
|
-
}): AuthorizationError;
|
|
165
|
-
/**
|
|
166
|
-
* The actor lacks a required role or capability. The expected
|
|
167
|
-
* {@link AuthorizationRequirement} is recorded so the boundary can tell the
|
|
168
|
-
* caller precisely what grant is missing.
|
|
169
|
-
*
|
|
170
|
-
* @param input - Factory options plus the `required` role/capability/scope.
|
|
171
|
-
*/
|
|
172
|
-
static missingCapability(input: AuthorizationErrorFactoryOptions & {
|
|
173
|
-
required: AuthorizationRequirement;
|
|
174
|
-
}): AuthorizationError;
|
|
175
|
-
/**
|
|
176
|
-
* The actor may perform the action in general, but not on *this* target —
|
|
177
|
-
* the resource falls outside the actor's permitted scope (e.g. a different
|
|
178
|
-
* school or tenant than the one they are bound to).
|
|
179
|
-
*
|
|
180
|
-
* @param input - Factory options plus the optional `required` scope that the
|
|
181
|
-
* target failed to satisfy.
|
|
182
|
-
*/
|
|
183
|
-
static outOfScope(input: AuthorizationErrorFactoryOptions & {
|
|
184
|
-
required?: AuthorizationRequirement;
|
|
185
|
-
}): AuthorizationError;
|
|
186
|
-
}
|
|
187
|
-
//#endregion
|
|
188
95
|
//#region src/core/errors/business-rule-violation-error.d.ts
|
|
189
96
|
declare class BusinessRuleViolationError extends AppError {
|
|
190
97
|
constructor(rule: string, message: string, detail?: Record<string, unknown>, options?: AppErrorOptions);
|
|
@@ -362,8 +269,7 @@ declare function translateUniqueViolationToDuplicate(input: {
|
|
|
362
269
|
cause?: unknown;
|
|
363
270
|
}): DuplicateError;
|
|
364
271
|
//#endregion
|
|
365
|
-
//#region src/core/shared/
|
|
366
|
-
declare function sha256Hex(value: string): string;
|
|
272
|
+
//#region src/core/shared/stable-stringify.d.ts
|
|
367
273
|
/**
|
|
368
274
|
* Deterministic JSON string with object keys sorted recursively, so key order
|
|
369
275
|
* does not affect the output.
|
|
@@ -378,6 +284,9 @@ declare function sha256Hex(value: string): string;
|
|
|
378
284
|
* @throws {TypeError} On circular references (mirroring `JSON.stringify`).
|
|
379
285
|
*/
|
|
380
286
|
declare function stableStringify(value: unknown): string;
|
|
287
|
+
//#endregion
|
|
288
|
+
//#region src/core/shared/hashing.d.ts
|
|
289
|
+
declare function sha256Hex(value: string): string;
|
|
381
290
|
declare function payloadHash(value: unknown): string;
|
|
382
291
|
//#endregion
|
|
383
292
|
//#region src/core/errors/idempotency-error.d.ts
|
|
@@ -773,5 +682,5 @@ declare class ValidationError extends AppError {
|
|
|
773
682
|
constructor(field: ValidationField, code: ValidationCode, message: string, options?: AppErrorOptions);
|
|
774
683
|
}
|
|
775
684
|
//#endregion
|
|
776
|
-
export {
|
|
685
|
+
export { IdempotencyPayloadMismatchError as A, UniqueConstraintViolation as B, IntegrationErrorMetadata as C, IdempotencyFailureKind as D, IdempotencyErrorMetadata as E, AlreadyExistsError as F, AuthenticationErrorMetadata as G, translateUniqueViolationToDuplicate as H, ConflictError as I, ErrorCodes as J, AuthenticationErrorReason as K, ConflictErrorMetadata as L, payloadHash as M, sha256Hex as N, IdempotencyInProgressError as O, stableStringify as P, ConflictKind as R, IntegrationError as S, IdempotencyError as T, BusinessRuleViolationError as U, UniqueConstraintViolationError as V, AuthenticationError as W, serializationErrorCode as Y, SerializationMessages as _, TemporalError as a, NotFoundError as b, TemporalPrecision as c, SerializationCodes as d, SerializationDirection as f, SerializationInError as g, SerializationFailureCategory as h, NotYetValidError as i, IdempotencyReplayNotSupportedError as j, IdempotencyKeyMissingError as k, evaluateTemporalWindow as l, SerializationErrorMetadata as m, UnexpectedError as n, TemporalErrorMetadata as o, SerializationError as p, assertJsonSafeMetadata as q, ExpiredError as r, TemporalKind as s, ValidationError as t, SerializationBoundary as u, SerializationOutError as v, IntegrationErrorReason as w, LegacyIncompatibleError as x, safePreview as y, DuplicateError as z };
|
|
777
686
|
//# sourceMappingURL=validation-error.d.ts.map
|
package/dist/validation-error.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import {
|
|
1
|
+
import { i as serializationErrorCode, r as ErrorCodes, t as AppError } from "./app-error.js";
|
|
2
2
|
//#region src/core/errors/authentication-error.ts
|
|
3
3
|
var AuthenticationError = class AuthenticationError extends AppError {
|
|
4
4
|
constructor(params) {
|
|
@@ -25,7 +25,7 @@ var AuthenticationError = class AuthenticationError extends AppError {
|
|
|
25
25
|
code: ErrorCodes.authentication.missingToken,
|
|
26
26
|
reason: "missing_token",
|
|
27
27
|
metadata: compactMetadata$1(options),
|
|
28
|
-
...extractAppErrorOptions
|
|
28
|
+
...extractAppErrorOptions(options)
|
|
29
29
|
});
|
|
30
30
|
}
|
|
31
31
|
static invalidToken(options) {
|
|
@@ -40,7 +40,7 @@ var AuthenticationError = class AuthenticationError extends AppError {
|
|
|
40
40
|
correlationId: options?.correlationId,
|
|
41
41
|
requestId: options?.requestId
|
|
42
42
|
}),
|
|
43
|
-
...extractAppErrorOptions
|
|
43
|
+
...extractAppErrorOptions(options)
|
|
44
44
|
});
|
|
45
45
|
}
|
|
46
46
|
static expiredToken(options) {
|
|
@@ -49,7 +49,7 @@ var AuthenticationError = class AuthenticationError extends AppError {
|
|
|
49
49
|
code: ErrorCodes.authentication.expiredToken,
|
|
50
50
|
reason: "expired_token",
|
|
51
51
|
metadata: compactMetadata$1(options),
|
|
52
|
-
...extractAppErrorOptions
|
|
52
|
+
...extractAppErrorOptions(options)
|
|
53
53
|
});
|
|
54
54
|
}
|
|
55
55
|
static invalidCredentials(options) {
|
|
@@ -58,11 +58,11 @@ var AuthenticationError = class AuthenticationError extends AppError {
|
|
|
58
58
|
code: ErrorCodes.authentication.invalidCredentials,
|
|
59
59
|
reason: "invalid_credentials",
|
|
60
60
|
metadata: compactMetadata$1(options),
|
|
61
|
-
...extractAppErrorOptions
|
|
61
|
+
...extractAppErrorOptions(options)
|
|
62
62
|
});
|
|
63
63
|
}
|
|
64
64
|
};
|
|
65
|
-
function extractAppErrorOptions
|
|
65
|
+
function extractAppErrorOptions(options) {
|
|
66
66
|
return {
|
|
67
67
|
cause: options?.cause,
|
|
68
68
|
type: options?.type,
|
|
@@ -79,133 +79,6 @@ function compactMetadata$1(input) {
|
|
|
79
79
|
return Object.fromEntries(Object.entries(input).filter(([, value]) => value !== void 0));
|
|
80
80
|
}
|
|
81
81
|
//#endregion
|
|
82
|
-
//#region src/core/errors/authorization-error.ts
|
|
83
|
-
/**
|
|
84
|
-
* Raised when an authenticated actor is not allowed to perform a business
|
|
85
|
-
* action — the "you may not" error, distinct from authentication ("who are
|
|
86
|
-
* you"). Maps to an HTTP 403 at the edge.
|
|
87
|
-
*
|
|
88
|
-
* The discriminating {@link reason} records *why* access was denied (a flat
|
|
89
|
-
* forbid, a missing role/capability, an out-of-scope target, or a policy
|
|
90
|
-
* decision) so the boundary can shape the response without re-deriving it. The
|
|
91
|
-
* metadata is deliberately built around a stable business `action` and a
|
|
92
|
-
* type/id resource reference rather than an HTTP route or full payload, keeping
|
|
93
|
-
* sensitive data out of logs. Instances are frozen. Construct through the
|
|
94
|
-
* static factories, never directly.
|
|
95
|
-
*/
|
|
96
|
-
var AuthorizationError = class AuthorizationError extends AppError {
|
|
97
|
-
constructor(params) {
|
|
98
|
-
super(params.message, params.code, {
|
|
99
|
-
cause: params.cause,
|
|
100
|
-
metadata: params.metadata,
|
|
101
|
-
type: params.type,
|
|
102
|
-
severity: params.severity,
|
|
103
|
-
correlationId: params.correlationId,
|
|
104
|
-
requestId: params.requestId,
|
|
105
|
-
commandId: params.commandId,
|
|
106
|
-
createdAtIso: params.createdAtIso,
|
|
107
|
-
publicMessage: params.publicMessage
|
|
108
|
-
});
|
|
109
|
-
this.reason = params.reason;
|
|
110
|
-
Object.freeze(this);
|
|
111
|
-
}
|
|
112
|
-
/**
|
|
113
|
-
* A flat denial with no more specific reason — the actor simply may not
|
|
114
|
-
* perform this action. Reach for a more precise factory
|
|
115
|
-
* ({@link AuthorizationError.missingCapability}, {@link AuthorizationError.outOfScope},
|
|
116
|
-
* {@link AuthorizationError.policyDenied}) when the cause is known.
|
|
117
|
-
*/
|
|
118
|
-
static forbidden(input) {
|
|
119
|
-
return new AuthorizationError({
|
|
120
|
-
message: "Action not allowed",
|
|
121
|
-
code: ErrorCodes.authorization.forbidden,
|
|
122
|
-
reason: "forbidden",
|
|
123
|
-
metadata: {
|
|
124
|
-
reason: "forbidden",
|
|
125
|
-
...extractMetadataOnly(input)
|
|
126
|
-
},
|
|
127
|
-
...extractAppErrorOptions(input)
|
|
128
|
-
});
|
|
129
|
-
}
|
|
130
|
-
/**
|
|
131
|
-
* The action was denied by an evaluated policy. Captures the deciding
|
|
132
|
-
* policy's id, version, and evaluation instant into the metadata (with
|
|
133
|
-
* `decision: "deny"`) so the denial is auditable back to the exact policy
|
|
134
|
-
* that produced it.
|
|
135
|
-
*
|
|
136
|
-
* @param input - Factory options plus the required `policyId`,
|
|
137
|
-
* `policyVersion`, and `evaluatedAtIso` of the deciding policy.
|
|
138
|
-
*/
|
|
139
|
-
static policyDenied(input) {
|
|
140
|
-
return new AuthorizationError({
|
|
141
|
-
message: "Action denied by policy",
|
|
142
|
-
code: ErrorCodes.authorization.policyDenied,
|
|
143
|
-
reason: "policy_denied",
|
|
144
|
-
metadata: {
|
|
145
|
-
reason: "policy_denied",
|
|
146
|
-
...extractMetadataOnly(input),
|
|
147
|
-
decision: "deny"
|
|
148
|
-
},
|
|
149
|
-
...extractAppErrorOptions(input)
|
|
150
|
-
});
|
|
151
|
-
}
|
|
152
|
-
/**
|
|
153
|
-
* The actor lacks a required role or capability. The expected
|
|
154
|
-
* {@link AuthorizationRequirement} is recorded so the boundary can tell the
|
|
155
|
-
* caller precisely what grant is missing.
|
|
156
|
-
*
|
|
157
|
-
* @param input - Factory options plus the `required` role/capability/scope.
|
|
158
|
-
*/
|
|
159
|
-
static missingCapability(input) {
|
|
160
|
-
return new AuthorizationError({
|
|
161
|
-
message: "Insufficient capability to perform the action",
|
|
162
|
-
code: ErrorCodes.authorization.missingCapability,
|
|
163
|
-
reason: "missing_capability",
|
|
164
|
-
metadata: {
|
|
165
|
-
reason: "missing_capability",
|
|
166
|
-
...extractMetadataOnly(input)
|
|
167
|
-
},
|
|
168
|
-
...extractAppErrorOptions(input)
|
|
169
|
-
});
|
|
170
|
-
}
|
|
171
|
-
/**
|
|
172
|
-
* The actor may perform the action in general, but not on *this* target —
|
|
173
|
-
* the resource falls outside the actor's permitted scope (e.g. a different
|
|
174
|
-
* school or tenant than the one they are bound to).
|
|
175
|
-
*
|
|
176
|
-
* @param input - Factory options plus the optional `required` scope that the
|
|
177
|
-
* target failed to satisfy.
|
|
178
|
-
*/
|
|
179
|
-
static outOfScope(input) {
|
|
180
|
-
return new AuthorizationError({
|
|
181
|
-
message: "Action outside the allowed scope",
|
|
182
|
-
code: ErrorCodes.authorization.outOfScope,
|
|
183
|
-
reason: "out_of_scope",
|
|
184
|
-
metadata: {
|
|
185
|
-
reason: "out_of_scope",
|
|
186
|
-
...extractMetadataOnly(input)
|
|
187
|
-
},
|
|
188
|
-
...extractAppErrorOptions(input)
|
|
189
|
-
});
|
|
190
|
-
}
|
|
191
|
-
};
|
|
192
|
-
function extractAppErrorOptions(options) {
|
|
193
|
-
return {
|
|
194
|
-
cause: options?.cause,
|
|
195
|
-
type: options?.type,
|
|
196
|
-
severity: options?.severity,
|
|
197
|
-
correlationId: options?.correlationId,
|
|
198
|
-
requestId: options?.requestId,
|
|
199
|
-
commandId: options?.commandId,
|
|
200
|
-
createdAtIso: options?.createdAtIso,
|
|
201
|
-
publicMessage: options?.publicMessage
|
|
202
|
-
};
|
|
203
|
-
}
|
|
204
|
-
function extractMetadataOnly(input) {
|
|
205
|
-
const { cause, type, severity, correlationId, requestId, commandId, createdAtIso, publicMessage, ...metadata } = input;
|
|
206
|
-
return metadata;
|
|
207
|
-
}
|
|
208
|
-
//#endregion
|
|
209
82
|
//#region src/core/errors/conflict-error.ts
|
|
210
83
|
/**
|
|
211
84
|
* Base for errors that signal a state conflict — the request collides with data
|
|
@@ -866,6 +739,6 @@ var ValidationError = class extends AppError {
|
|
|
866
739
|
}
|
|
867
740
|
};
|
|
868
741
|
//#endregion
|
|
869
|
-
export { translateUniqueViolationToDuplicate as C, UniqueConstraintViolationError as S,
|
|
742
|
+
export { translateUniqueViolationToDuplicate as C, UniqueConstraintViolationError as S, IdempotencyPayloadMismatchError as _, evaluateTemporalWindow as a, ConflictError as b, SerializationInError as c, safePreview as d, LegacyIncompatibleError as f, IdempotencyKeyMissingError as g, IdempotencyInProgressError as h, TemporalError as i, SerializationMessages as l, IdempotencyError as m, ExpiredError as n, SerializationCodes as o, IntegrationError as p, NotYetValidError as r, SerializationError as s, ValidationError as t, SerializationOutError as u, IdempotencyReplayNotSupportedError as v, AuthenticationError as w, DuplicateError as x, AlreadyExistsError as y };
|
|
870
743
|
|
|
871
744
|
//# sourceMappingURL=validation-error.js.map
|