@develit-services/rbac 0.3.0 → 0.5.0

package/dist/export/worker.cjs

@@ -5,7 +5,7 @@ Object.defineProperty(exports, '__esModule', { value: true });
 const backendSdk = require('@develit-io/backend-sdk');
 const database_schema = require('../shared/rbac.Cra1T2nC.cjs');
 const drizzleOrm = require('drizzle-orm');
-const verifyScope = require('../shared/rbac.BZDCYlSt.cjs');
+const verifyScope = require('../shared/rbac.JCf4hSCf.cjs');
 const zod = require('zod');
 const cloudflare_workers = require('cloudflare:workers');
 const d1 = require('drizzle-orm/d1');
@@ -480,8 +480,15 @@ let RbacServiceBase = class extends backendSdk.develitWorker(cloudflare_workers.
       { successMessage: "Scope successfully granted to user." },
       async ({ userId, scope, resourceId }) => {
         this.validateScope(scope);
-        const userScope = await getScopesByUserQuery({ db: this.db, userId });
-        if (userScope.some((s) => s.scope === scope)) {
+        const userScopes = await getScopesByUserQuery({ db: this.db, userId });
+        const matchingScopes = userScopes.filter((s) => s.scope === scope);
+        if (!resourceId && matchingScopes.find((s) => !s.resourceId)) {
+          throw backendSdk.createInternalError(null, {
+            message: "Scope already assigned to user.",
+            status: 409
+          });
+        }
+        if (resourceId && matchingScopes.some((s) => s.resourceId === resourceId)) {
           throw backendSdk.createInternalError(null, {
             message: "Scope already assigned to user.",
             status: 409
@@ -506,7 +513,16 @@ let RbacServiceBase = class extends backendSdk.develitWorker(cloudflare_workers.
         for (const scope of scopes) {
           this.validateScope(scope.scope);
           const userScopes = await getScopesByUserQuery({ db: this.db, userId });
-          if (userScopes.some((s) => s.scope === scope.scope)) {
+          const matchingScopes = userScopes.filter(
+            (s) => s.scope === scope.scope
+          );
+          if (!scope.resourceId && matchingScopes.find((s) => !s.resourceId)) {
+            throw backendSdk.createInternalError(null, {
+              message: "Scope already assigned to user.",
+              status: 409
+            });
+          }
+          if (scope.resourceId && matchingScopes.some((s) => s.resourceId === scope.resourceId)) {
             throw backendSdk.createInternalError(null, {
               message: "Scope already assigned to user.",
               status: 409
@@ -661,10 +677,24 @@ let RbacServiceBase = class extends backendSdk.develitWorker(cloudflare_workers.
       { data: input, schema: verifyScope.verifyAccessInputSchema },
       { successMessage: "Access verification completed." },
       async ({ userId, accessRequests, jwt }) => {
-        for (const requestGroup of accessRequests) {
-          for (const request of requestGroup) {
-            this.validateScope(request.scope);
+        const collectScopes = (condition) => {
+          if (verifyScope.isScopeObject(condition)) {
+            return [condition];
+          }
+          if (verifyScope.isOrCondition(condition)) {
+            return condition.or.flatMap(collectScopes);
+          }
+          if (verifyScope.isAndCondition(condition)) {
+            return condition.and.flatMap(collectScopes);
           }
+          if (verifyScope.isImplicitAndCondition(condition)) {
+            return condition.flatMap(collectScopes);
+          }
+          return [];
+        };
+        const allScopeObjects = collectScopes(accessRequests);
+        for (const scopeObj of allScopeObjects) {
+          this.validateScope(scopeObj.scope);
         }
         const userPermissionsResponse = await this.getUserPermissions({
           userId
@@ -679,59 +709,71 @@ let RbacServiceBase = class extends backendSdk.develitWorker(cloudflare_workers.
           ...userPermissionsResponse.data.roleScopes,
           ...userPermissionsResponse.data.scopes
         ];
-        if (accessRequests.length === 0) {
+        if (allScopeObjects.length === 0) {
           return {
             isVerified: true
           };
         }
-        const anyGroupSatisfied = accessRequests.some((requestGroup) => {
-          return requestGroup.every((request) => {
-            const placeholders = parseScopeTemplate(request.scope);
-            return allScopes.some((userScope) => {
-              const scopesMatch = userScope.scope === request.scope;
-              let resourceMatches = false;
-              if (placeholders.length > 0) {
-                if (!request.resourcePath) {
-                  throw backendSdk.createInternalError(null, {
-                    message: `Resource path is required when scope '${request.scope}' contains placeholders`,
-                    status: 400,
-                    code: "RESOURCE_PATH_REQUIRED"
-                  });
-                }
-                const extractedResources = extractResourcesFromPath(
-                  request.scope,
-                  request.resourcePath
-                );
-                const allPlaceholdersMatch = placeholders.every(
-                  (placeholder) => {
-                    const extractedValue = extractedResources[`${placeholder.type}.${placeholder.path}`];
-                    const jwtParam = placeholder.type === "jwt" ? jwt : void 0;
-                    const expectedValue = getValueByKey(
-                      placeholder.type,
-                      placeholder.path,
-                      jwtParam
-                    );
-                    if (expectedValue === void 0) {
-                      return false;
-                    }
-                    return String(extractedValue) === String(expectedValue);
-                  }
-                );
-                const resourceIdMatches = userScope.resourceId === null || userScope.resourceId === request.resourceId;
-                resourceMatches = allPlaceholdersMatch && resourceIdMatches;
-              } else {
-                resourceMatches = userScope.resourceId === null || userScope.resourceId === request.resourceId;
-              }
-              return scopesMatch && resourceMatches;
-            });
-          });
-        });
+        const evaluateCondition = (condition) => {
+          if (verifyScope.isScopeObject(condition)) {
+            return this.verifySingleScope(condition, allScopes, jwt);
+          }
+          if (verifyScope.isOrCondition(condition)) {
+            return condition.or.some(evaluateCondition);
+          }
+          if (verifyScope.isAndCondition(condition)) {
+            return condition.and.every(evaluateCondition);
+          }
+          if (verifyScope.isImplicitAndCondition(condition)) {
+            return condition.every(evaluateCondition);
+          }
+          return false;
+        };
+        const isVerified = evaluateCondition(accessRequests);
         return {
-          isVerified: anyGroupSatisfied
+          isVerified
         };
       }
     );
   }
+  verifySingleScope(request, allScopes, jwt) {
+    const placeholders = parseScopeTemplate(request.scope);
+    return allScopes.some((userScope) => {
+      const scopesMatch = userScope.scope === request.scope;
+      let resourceMatches = false;
+      if (placeholders.length > 0) {
+        if (!request.resourcePath) {
+          throw backendSdk.createInternalError(null, {
+            message: `Resource path is required when scope '${request.scope}' contains placeholders`,
+            status: 400,
+            code: "RESOURCE_PATH_REQUIRED"
+          });
+        }
+        const extractedResources = extractResourcesFromPath(
+          request.scope,
+          request.resourcePath
+        );
+        const allPlaceholdersMatch = placeholders.every((placeholder) => {
+          const extractedValue = extractedResources[`${placeholder.type}.${placeholder.path}`];
+          const jwtParam = placeholder.type === "jwt" ? jwt : void 0;
+          const expectedValue = getValueByKey(
+            placeholder.type,
+            placeholder.path,
+            jwtParam
+          );
+          if (expectedValue === void 0) {
+            return false;
+          }
+          return String(extractedValue) === String(expectedValue);
+        });
+        const resourceIdMatches = userScope.resourceId === null || userScope.resourceId === request.resourceId;
+        resourceMatches = allPlaceholdersMatch && resourceIdMatches;
+      } else {
+        resourceMatches = userScope.resourceId === null || userScope.resourceId === request.resourceId;
+      }
+      return scopesMatch && resourceMatches;
+    });
+  }
   async deleteRole(input) {
     return this.handleAction(
       { data: input, schema: verifyScope.deleteRoleInputSchema },
@@ -816,6 +858,7 @@ const organizationScopedKeys = (scopes) => {
   return out;
 };
 const TEST_SCOPES = [
+  "test.admin",
   "test.read",
   "test.edit",
   "test.delete",
@@ -1016,6 +1059,7 @@ const LABELED_SCOPES = [
   { label: "Smazat logy rol\xED", value: "roles.logs.delete" },
   { label: "Zobrazit u\u017Eivatele p\u0159i\u0159azen\xE9 k rol\xEDm", value: "roles.users.read" },
   // Test scopes
+  { label: "Test: Admin", value: "test.admin" },
   { label: "Test: Read", value: "test.read" },
   { label: "Test: Edit", value: "test.edit" },
   { label: "Test: Delete", value: "test.delete" },

package/dist/export/worker.d.cts

@@ -1,6 +1,6 @@
 import * as _develit_io_backend_sdk from '@develit-io/backend-sdk';
 import { IRPCResponse } from '@develit-io/backend-sdk';
-import { L as LabeledScope$1, t as tables, C as CreateRoleInput, a as CreateRoleOutput, A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, V as VerifyAccessInput, r as VerifyAccessOutput, D as DeleteRoleInput, s as DeleteRoleOutput, U as UpdateRoleInput, u as UpdateRoleOutput } from '../shared/rbac.B4wUvd3l.cjs';
+import { L as LabeledScope$1, t as tables, C as CreateRoleInput, a as CreateRoleOutput, A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, V as VerifyAccessInput, r as VerifyAccessOutput, D as DeleteRoleInput, s as DeleteRoleOutput, U as UpdateRoleInput, u as UpdateRoleOutput } from '../shared/rbac.DBpIRbd3.cjs';
 import { WorkerEntrypoint } from 'cloudflare:workers';
 import { DrizzleD1Database } from 'drizzle-orm/d1';
 import 'zod';
@@ -8,6 +8,16 @@ import 'drizzle-orm';
 import '../shared/rbac.CqpxM3E5.cjs';
 import 'drizzle-orm/sqlite-core';
 
+type TypedScopeObject<TScopes extends readonly LabeledScope$1[]> = {
+    scope: TScopes[number]['value'];
+    resourceId?: string;
+    resourcePath?: string;
+};
+type TypedScopeCondition<TScopes extends readonly LabeledScope$1[]> = TypedScopeObject<TScopes> | {
+    or: TypedScopeCondition<TScopes>[];
+} | {
+    and: TypedScopeCondition<TScopes>[];
+} | TypedScopeCondition<TScopes>[];
 declare const RbacServiceBase_base: (abstract new (ctx: ExecutionContext, env: RbacEnv) => WorkerEntrypoint<RbacEnv, {}>) & (abstract new (...args: any[]) => _develit_io_backend_sdk.DevelitWorkerMethods);
 declare class RbacServiceBase<TScopes extends readonly LabeledScope$1[] = LabeledScope$1[]> extends RbacServiceBase_base {
     readonly db: DrizzleD1Database<typeof tables>;
@@ -26,12 +36,9 @@ declare class RbacServiceBase<TScopes extends readonly LabeledScope$1[] = Labele
     getPermissions(): Promise<IRPCResponse<GetPermissionsOutput>>;
     getUserPermissions(input: GetUserPermissionsInput): Promise<IRPCResponse<GetUserPermissionsOutput>>;
     verifyAccess(input: Omit<VerifyAccessInput, 'accessRequests'> & {
-        accessRequests: Array<Array<{
-            scope: TScopes[number]['value'];
-            resourceId?: string;
-            resourcePath?: string;
-        }>>;
+        accessRequests: TypedScopeCondition<TScopes>;
     }): Promise<IRPCResponse<VerifyAccessOutput>>;
+    private verifySingleScope;
     deleteRole(input: DeleteRoleInput): Promise<IRPCResponse<DeleteRoleOutput>>;
     updateRole(input: UpdateRoleInput): Promise<IRPCResponse<UpdateRoleOutput>>;
 }
@@ -39,7 +46,7 @@ declare function defineRbacService<const TScopes extends readonly LabeledScope$1
     scopes: TScopes;
 }): new (ctx: ExecutionContext, env: RbacEnv) => RbacServiceBase<TScopes>;
 
-declare const SCOPES: readonly ["tickets.read", "tickets.create", "tickets.edit", "tickets.delete", "tickets.archive", "tickets.automations.pause", "tickets.automations.resume", "tickets.dependencies.read", "tickets.dependencies.create", "tickets.dependencies.edit", "tickets.dependencies.delete", "tickets.confirmation.send", "tickets.confirmation.download", "tickets.payments.create", "tickets.payments.read", "tickets.payments.edit", "tickets.payments.delete", "tickets.payments.confirmation.send", "tickets.payments.confirmation.download", "tickets.logs.read", "tickets.logs.create", "tickets.logs.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.archive", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.pause", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.resume", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "clients.read", "clients.create", "clients.edit", "clients.delete", "clients.pin.read", "clients.pin.edit", "clients.trader.edit", "clients.logs.read", "clients.logs.create", "clients.logs.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.read", "clients.{jwt.user.rawUserMetaData.organizationId}.create", "clients.{jwt.user.rawUserMetaData.organizationId}.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.read", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.trader.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.read", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.create", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "users.read", "users.create", "users.edit", "users.delete", "users.ban", "users.password.reset.send", "users.password.edit", "users.2fa.enable", "users.2fa.disable", "users.roles.read", "users.roles.edit", "users.scopes.read", "users.scopes.assign", "users.scopes.delete", "users.logs.read", "users.logs.create", "users.logs.delete", "users.{jwt.user.rawUserMetaData.organizationId}.read", "users.{jwt.user.rawUserMetaData.organizationId}.create", "users.{jwt.user.rawUserMetaData.organizationId}.edit", "users.{jwt.user.rawUserMetaData.organizationId}.delete", "users.{jwt.user.rawUserMetaData.organizationId}.ban", "users.{jwt.user.rawUserMetaData.organizationId}.password.reset.send", "users.{jwt.user.rawUserMetaData.organizationId}.password.edit", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.enable", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.disable", "users.{jwt.user.rawUserMetaData.organizationId}.roles.read", "users.{jwt.user.rawUserMetaData.organizationId}.roles.edit", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.read", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.assign", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.delete", "users.{jwt.user.rawUserMetaData.organizationId}.logs.read", "users.{jwt.user.rawUserMetaData.organizationId}.logs.create", "users.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "traders.read", "traders.create", "traders.edit", "traders.delete", "traders.logs", "roles.read", "roles.create", "roles.edit", "roles.delete", "roles.scopes.assign", "roles.scopes.delete", "roles.logs.read", "roles.logs.create", "roles.logs.delete", "roles.users.read", "test.read", "test.edit", "test.delete", "test.{jwt.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.edit", "test.{param.resourceId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.resource.{jwt.user.rawUserMetaData.organizationId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.branch.{jwt.userData.organizationBranchId}.read", "test.{invalid}.scope", "test.{}.scope", "test.{jwt.}.scope", "test.{.key}.scope"];
+declare const SCOPES: readonly ["tickets.read", "tickets.create", "tickets.edit", "tickets.delete", "tickets.archive", "tickets.automations.pause", "tickets.automations.resume", "tickets.dependencies.read", "tickets.dependencies.create", "tickets.dependencies.edit", "tickets.dependencies.delete", "tickets.confirmation.send", "tickets.confirmation.download", "tickets.payments.create", "tickets.payments.read", "tickets.payments.edit", "tickets.payments.delete", "tickets.payments.confirmation.send", "tickets.payments.confirmation.download", "tickets.logs.read", "tickets.logs.create", "tickets.logs.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.archive", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.pause", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.resume", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "clients.read", "clients.create", "clients.edit", "clients.delete", "clients.pin.read", "clients.pin.edit", "clients.trader.edit", "clients.logs.read", "clients.logs.create", "clients.logs.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.read", "clients.{jwt.user.rawUserMetaData.organizationId}.create", "clients.{jwt.user.rawUserMetaData.organizationId}.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.read", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.trader.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.read", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.create", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "users.read", "users.create", "users.edit", "users.delete", "users.ban", "users.password.reset.send", "users.password.edit", "users.2fa.enable", "users.2fa.disable", "users.roles.read", "users.roles.edit", "users.scopes.read", "users.scopes.assign", "users.scopes.delete", "users.logs.read", "users.logs.create", "users.logs.delete", "users.{jwt.user.rawUserMetaData.organizationId}.read", "users.{jwt.user.rawUserMetaData.organizationId}.create", "users.{jwt.user.rawUserMetaData.organizationId}.edit", "users.{jwt.user.rawUserMetaData.organizationId}.delete", "users.{jwt.user.rawUserMetaData.organizationId}.ban", "users.{jwt.user.rawUserMetaData.organizationId}.password.reset.send", "users.{jwt.user.rawUserMetaData.organizationId}.password.edit", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.enable", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.disable", "users.{jwt.user.rawUserMetaData.organizationId}.roles.read", "users.{jwt.user.rawUserMetaData.organizationId}.roles.edit", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.read", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.assign", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.delete", "users.{jwt.user.rawUserMetaData.organizationId}.logs.read", "users.{jwt.user.rawUserMetaData.organizationId}.logs.create", "users.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "traders.read", "traders.create", "traders.edit", "traders.delete", "traders.logs", "roles.read", "roles.create", "roles.edit", "roles.delete", "roles.scopes.assign", "roles.scopes.delete", "roles.logs.read", "roles.logs.create", "roles.logs.delete", "roles.users.read", "test.admin", "test.read", "test.edit", "test.delete", "test.{jwt.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.edit", "test.{param.resourceId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.resource.{jwt.user.rawUserMetaData.organizationId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.branch.{jwt.userData.organizationBranchId}.read", "test.{invalid}.scope", "test.{}.scope", "test.{jwt.}.scope", "test.{.key}.scope"];
 type LabeledScope = {
     label: string;
     value: (typeof SCOPES)[number];

package/dist/export/worker.d.mts

@@ -1,6 +1,6 @@
 import * as _develit_io_backend_sdk from '@develit-io/backend-sdk';
 import { IRPCResponse } from '@develit-io/backend-sdk';
-import { L as LabeledScope$1, t as tables, C as CreateRoleInput, a as CreateRoleOutput, A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, V as VerifyAccessInput, r as VerifyAccessOutput, D as DeleteRoleInput, s as DeleteRoleOutput, U as UpdateRoleInput, u as UpdateRoleOutput } from '../shared/rbac.DbnJpvqK.mjs';
+import { L as LabeledScope$1, t as tables, C as CreateRoleInput, a as CreateRoleOutput, A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, V as VerifyAccessInput, r as VerifyAccessOutput, D as DeleteRoleInput, s as DeleteRoleOutput, U as UpdateRoleInput, u as UpdateRoleOutput } from '../shared/rbac.CG3CtEwh.mjs';
 import { WorkerEntrypoint } from 'cloudflare:workers';
 import { DrizzleD1Database } from 'drizzle-orm/d1';
 import 'zod';
@@ -8,6 +8,16 @@ import 'drizzle-orm';
 import '../shared/rbac.CqpxM3E5.mjs';
 import 'drizzle-orm/sqlite-core';
 
+type TypedScopeObject<TScopes extends readonly LabeledScope$1[]> = {
+    scope: TScopes[number]['value'];
+    resourceId?: string;
+    resourcePath?: string;
+};
+type TypedScopeCondition<TScopes extends readonly LabeledScope$1[]> = TypedScopeObject<TScopes> | {
+    or: TypedScopeCondition<TScopes>[];
+} | {
+    and: TypedScopeCondition<TScopes>[];
+} | TypedScopeCondition<TScopes>[];
 declare const RbacServiceBase_base: (abstract new (ctx: ExecutionContext, env: RbacEnv) => WorkerEntrypoint<RbacEnv, {}>) & (abstract new (...args: any[]) => _develit_io_backend_sdk.DevelitWorkerMethods);
 declare class RbacServiceBase<TScopes extends readonly LabeledScope$1[] = LabeledScope$1[]> extends RbacServiceBase_base {
     readonly db: DrizzleD1Database<typeof tables>;
@@ -26,12 +36,9 @@ declare class RbacServiceBase<TScopes extends readonly LabeledScope$1[] = Labele
     getPermissions(): Promise<IRPCResponse<GetPermissionsOutput>>;
     getUserPermissions(input: GetUserPermissionsInput): Promise<IRPCResponse<GetUserPermissionsOutput>>;
     verifyAccess(input: Omit<VerifyAccessInput, 'accessRequests'> & {
-        accessRequests: Array<Array<{
-            scope: TScopes[number]['value'];
-            resourceId?: string;
-            resourcePath?: string;
-        }>>;
+        accessRequests: TypedScopeCondition<TScopes>;
     }): Promise<IRPCResponse<VerifyAccessOutput>>;
+    private verifySingleScope;
     deleteRole(input: DeleteRoleInput): Promise<IRPCResponse<DeleteRoleOutput>>;
     updateRole(input: UpdateRoleInput): Promise<IRPCResponse<UpdateRoleOutput>>;
 }
@@ -39,7 +46,7 @@ declare function defineRbacService<const TScopes extends readonly LabeledScope$1
     scopes: TScopes;
 }): new (ctx: ExecutionContext, env: RbacEnv) => RbacServiceBase<TScopes>;
 
-declare const SCOPES: readonly ["tickets.read", "tickets.create", "tickets.edit", "tickets.delete", "tickets.archive", "tickets.automations.pause", "tickets.automations.resume", "tickets.dependencies.read", "tickets.dependencies.create", "tickets.dependencies.edit", "tickets.dependencies.delete", "tickets.confirmation.send", "tickets.confirmation.download", "tickets.payments.create", "tickets.payments.read", "tickets.payments.edit", "tickets.payments.delete", "tickets.payments.confirmation.send", "tickets.payments.confirmation.download", "tickets.logs.read", "tickets.logs.create", "tickets.logs.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.archive", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.pause", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.resume", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "clients.read", "clients.create", "clients.edit", "clients.delete", "clients.pin.read", "clients.pin.edit", "clients.trader.edit", "clients.logs.read", "clients.logs.create", "clients.logs.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.read", "clients.{jwt.user.rawUserMetaData.organizationId}.create", "clients.{jwt.user.rawUserMetaData.organizationId}.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.read", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.trader.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.read", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.create", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "users.read", "users.create", "users.edit", "users.delete", "users.ban", "users.password.reset.send", "users.password.edit", "users.2fa.enable", "users.2fa.disable", "users.roles.read", "users.roles.edit", "users.scopes.read", "users.scopes.assign", "users.scopes.delete", "users.logs.read", "users.logs.create", "users.logs.delete", "users.{jwt.user.rawUserMetaData.organizationId}.read", "users.{jwt.user.rawUserMetaData.organizationId}.create", "users.{jwt.user.rawUserMetaData.organizationId}.edit", "users.{jwt.user.rawUserMetaData.organizationId}.delete", "users.{jwt.user.rawUserMetaData.organizationId}.ban", "users.{jwt.user.rawUserMetaData.organizationId}.password.reset.send", "users.{jwt.user.rawUserMetaData.organizationId}.password.edit", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.enable", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.disable", "users.{jwt.user.rawUserMetaData.organizationId}.roles.read", "users.{jwt.user.rawUserMetaData.organizationId}.roles.edit", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.read", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.assign", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.delete", "users.{jwt.user.rawUserMetaData.organizationId}.logs.read", "users.{jwt.user.rawUserMetaData.organizationId}.logs.create", "users.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "traders.read", "traders.create", "traders.edit", "traders.delete", "traders.logs", "roles.read", "roles.create", "roles.edit", "roles.delete", "roles.scopes.assign", "roles.scopes.delete", "roles.logs.read", "roles.logs.create", "roles.logs.delete", "roles.users.read", "test.read", "test.edit", "test.delete", "test.{jwt.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.edit", "test.{param.resourceId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.resource.{jwt.user.rawUserMetaData.organizationId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.branch.{jwt.userData.organizationBranchId}.read", "test.{invalid}.scope", "test.{}.scope", "test.{jwt.}.scope", "test.{.key}.scope"];
+declare const SCOPES: readonly ["tickets.read", "tickets.create", "tickets.edit", "tickets.delete", "tickets.archive", "tickets.automations.pause", "tickets.automations.resume", "tickets.dependencies.read", "tickets.dependencies.create", "tickets.dependencies.edit", "tickets.dependencies.delete", "tickets.confirmation.send", "tickets.confirmation.download", "tickets.payments.create", "tickets.payments.read", "tickets.payments.edit", "tickets.payments.delete", "tickets.payments.confirmation.send", "tickets.payments.confirmation.download", "tickets.logs.read", "tickets.logs.create", "tickets.logs.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.archive", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.pause", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.resume", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "clients.read", "clients.create", "clients.edit", "clients.delete", "clients.pin.read", "clients.pin.edit", "clients.trader.edit", "clients.logs.read", "clients.logs.create", "clients.logs.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.read", "clients.{jwt.user.rawUserMetaData.organizationId}.create", "clients.{jwt.user.rawUserMetaData.organizationId}.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.read", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.trader.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.read", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.create", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "users.read", "users.create", "users.edit", "users.delete", "users.ban", "users.password.reset.send", "users.password.edit", "users.2fa.enable", "users.2fa.disable", "users.roles.read", "users.roles.edit", "users.scopes.read", "users.scopes.assign", "users.scopes.delete", "users.logs.read", "users.logs.create", "users.logs.delete", "users.{jwt.user.rawUserMetaData.organizationId}.read", "users.{jwt.user.rawUserMetaData.organizationId}.create", "users.{jwt.user.rawUserMetaData.organizationId}.edit", "users.{jwt.user.rawUserMetaData.organizationId}.delete", "users.{jwt.user.rawUserMetaData.organizationId}.ban", "users.{jwt.user.rawUserMetaData.organizationId}.password.reset.send", "users.{jwt.user.rawUserMetaData.organizationId}.password.edit", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.enable", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.disable", "users.{jwt.user.rawUserMetaData.organizationId}.roles.read", "users.{jwt.user.rawUserMetaData.organizationId}.roles.edit", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.read", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.assign", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.delete", "users.{jwt.user.rawUserMetaData.organizationId}.logs.read", "users.{jwt.user.rawUserMetaData.organizationId}.logs.create", "users.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "traders.read", "traders.create", "traders.edit", "traders.delete", "traders.logs", "roles.read", "roles.create", "roles.edit", "roles.delete", "roles.scopes.assign", "roles.scopes.delete", "roles.logs.read", "roles.logs.create", "roles.logs.delete", "roles.users.read", "test.admin", "test.read", "test.edit", "test.delete", "test.{jwt.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.edit", "test.{param.resourceId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.resource.{jwt.user.rawUserMetaData.organizationId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.branch.{jwt.userData.organizationBranchId}.read", "test.{invalid}.scope", "test.{}.scope", "test.{jwt.}.scope", "test.{.key}.scope"];
 type LabeledScope = {
     label: string;
     value: (typeof SCOPES)[number];

package/dist/export/worker.d.ts

@@ -1,6 +1,6 @@
 import * as _develit_io_backend_sdk from '@develit-io/backend-sdk';
 import { IRPCResponse } from '@develit-io/backend-sdk';
-import { L as LabeledScope$1, t as tables, C as CreateRoleInput, a as CreateRoleOutput, A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, V as VerifyAccessInput, r as VerifyAccessOutput, D as DeleteRoleInput, s as DeleteRoleOutput, U as UpdateRoleInput, u as UpdateRoleOutput } from '../shared/rbac.DrhiDe1P.js';
+import { L as LabeledScope$1, t as tables, C as CreateRoleInput, a as CreateRoleOutput, A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, V as VerifyAccessInput, r as VerifyAccessOutput, D as DeleteRoleInput, s as DeleteRoleOutput, U as UpdateRoleInput, u as UpdateRoleOutput } from '../shared/rbac.BrefTsLW.js';
 import { WorkerEntrypoint } from 'cloudflare:workers';
 import { DrizzleD1Database } from 'drizzle-orm/d1';
 import 'zod';
@@ -8,6 +8,16 @@ import 'drizzle-orm';
 import '../shared/rbac.CqpxM3E5.js';
 import 'drizzle-orm/sqlite-core';
 
+type TypedScopeObject<TScopes extends readonly LabeledScope$1[]> = {
+    scope: TScopes[number]['value'];
+    resourceId?: string;
+    resourcePath?: string;
+};
+type TypedScopeCondition<TScopes extends readonly LabeledScope$1[]> = TypedScopeObject<TScopes> | {
+    or: TypedScopeCondition<TScopes>[];
+} | {
+    and: TypedScopeCondition<TScopes>[];
+} | TypedScopeCondition<TScopes>[];
 declare const RbacServiceBase_base: (abstract new (ctx: ExecutionContext, env: RbacEnv) => WorkerEntrypoint<RbacEnv, {}>) & (abstract new (...args: any[]) => _develit_io_backend_sdk.DevelitWorkerMethods);
 declare class RbacServiceBase<TScopes extends readonly LabeledScope$1[] = LabeledScope$1[]> extends RbacServiceBase_base {
     readonly db: DrizzleD1Database<typeof tables>;
@@ -26,12 +36,9 @@ declare class RbacServiceBase<TScopes extends readonly LabeledScope$1[] = Labele
     getPermissions(): Promise<IRPCResponse<GetPermissionsOutput>>;
     getUserPermissions(input: GetUserPermissionsInput): Promise<IRPCResponse<GetUserPermissionsOutput>>;
     verifyAccess(input: Omit<VerifyAccessInput, 'accessRequests'> & {
-        accessRequests: Array<Array<{
-            scope: TScopes[number]['value'];
-            resourceId?: string;
-            resourcePath?: string;
-        }>>;
+        accessRequests: TypedScopeCondition<TScopes>;
     }): Promise<IRPCResponse<VerifyAccessOutput>>;
+    private verifySingleScope;
     deleteRole(input: DeleteRoleInput): Promise<IRPCResponse<DeleteRoleOutput>>;
     updateRole(input: UpdateRoleInput): Promise<IRPCResponse<UpdateRoleOutput>>;
 }
@@ -39,7 +46,7 @@ declare function defineRbacService<const TScopes extends readonly LabeledScope$1
     scopes: TScopes;
 }): new (ctx: ExecutionContext, env: RbacEnv) => RbacServiceBase<TScopes>;
 
-declare const SCOPES: readonly ["tickets.read", "tickets.create", "tickets.edit", "tickets.delete", "tickets.archive", "tickets.automations.pause", "tickets.automations.resume", "tickets.dependencies.read", "tickets.dependencies.create", "tickets.dependencies.edit", "tickets.dependencies.delete", "tickets.confirmation.send", "tickets.confirmation.download", "tickets.payments.create", "tickets.payments.read", "tickets.payments.edit", "tickets.payments.delete", "tickets.payments.confirmation.send", "tickets.payments.confirmation.download", "tickets.logs.read", "tickets.logs.create", "tickets.logs.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.archive", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.pause", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.resume", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "clients.read", "clients.create", "clients.edit", "clients.delete", "clients.pin.read", "clients.pin.edit", "clients.trader.edit", "clients.logs.read", "clients.logs.create", "clients.logs.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.read", "clients.{jwt.user.rawUserMetaData.organizationId}.create", "clients.{jwt.user.rawUserMetaData.organizationId}.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.read", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.trader.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.read", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.create", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "users.read", "users.create", "users.edit", "users.delete", "users.ban", "users.password.reset.send", "users.password.edit", "users.2fa.enable", "users.2fa.disable", "users.roles.read", "users.roles.edit", "users.scopes.read", "users.scopes.assign", "users.scopes.delete", "users.logs.read", "users.logs.create", "users.logs.delete", "users.{jwt.user.rawUserMetaData.organizationId}.read", "users.{jwt.user.rawUserMetaData.organizationId}.create", "users.{jwt.user.rawUserMetaData.organizationId}.edit", "users.{jwt.user.rawUserMetaData.organizationId}.delete", "users.{jwt.user.rawUserMetaData.organizationId}.ban", "users.{jwt.user.rawUserMetaData.organizationId}.password.reset.send", "users.{jwt.user.rawUserMetaData.organizationId}.password.edit", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.enable", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.disable", "users.{jwt.user.rawUserMetaData.organizationId}.roles.read", "users.{jwt.user.rawUserMetaData.organizationId}.roles.edit", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.read", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.assign", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.delete", "users.{jwt.user.rawUserMetaData.organizationId}.logs.read", "users.{jwt.user.rawUserMetaData.organizationId}.logs.create", "users.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "traders.read", "traders.create", "traders.edit", "traders.delete", "traders.logs", "roles.read", "roles.create", "roles.edit", "roles.delete", "roles.scopes.assign", "roles.scopes.delete", "roles.logs.read", "roles.logs.create", "roles.logs.delete", "roles.users.read", "test.read", "test.edit", "test.delete", "test.{jwt.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.edit", "test.{param.resourceId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.resource.{jwt.user.rawUserMetaData.organizationId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.branch.{jwt.userData.organizationBranchId}.read", "test.{invalid}.scope", "test.{}.scope", "test.{jwt.}.scope", "test.{.key}.scope"];
+declare const SCOPES: readonly ["tickets.read", "tickets.create", "tickets.edit", "tickets.delete", "tickets.archive", "tickets.automations.pause", "tickets.automations.resume", "tickets.dependencies.read", "tickets.dependencies.create", "tickets.dependencies.edit", "tickets.dependencies.delete", "tickets.confirmation.send", "tickets.confirmation.download", "tickets.payments.create", "tickets.payments.read", "tickets.payments.edit", "tickets.payments.delete", "tickets.payments.confirmation.send", "tickets.payments.confirmation.download", "tickets.logs.read", "tickets.logs.create", "tickets.logs.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.archive", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.pause", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.resume", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "clients.read", "clients.create", "clients.edit", "clients.delete", "clients.pin.read", "clients.pin.edit", "clients.trader.edit", "clients.logs.read", "clients.logs.create", "clients.logs.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.read", "clients.{jwt.user.rawUserMetaData.organizationId}.create", "clients.{jwt.user.rawUserMetaData.organizationId}.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.read", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.trader.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.read", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.create", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "users.read", "users.create", "users.edit", "users.delete", "users.ban", "users.password.reset.send", "users.password.edit", "users.2fa.enable", "users.2fa.disable", "users.roles.read", "users.roles.edit", "users.scopes.read", "users.scopes.assign", "users.scopes.delete", "users.logs.read", "users.logs.create", "users.logs.delete", "users.{jwt.user.rawUserMetaData.organizationId}.read", "users.{jwt.user.rawUserMetaData.organizationId}.create", "users.{jwt.user.rawUserMetaData.organizationId}.edit", "users.{jwt.user.rawUserMetaData.organizationId}.delete", "users.{jwt.user.rawUserMetaData.organizationId}.ban", "users.{jwt.user.rawUserMetaData.organizationId}.password.reset.send", "users.{jwt.user.rawUserMetaData.organizationId}.password.edit", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.enable", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.disable", "users.{jwt.user.rawUserMetaData.organizationId}.roles.read", "users.{jwt.user.rawUserMetaData.organizationId}.roles.edit", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.read", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.assign", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.delete", "users.{jwt.user.rawUserMetaData.organizationId}.logs.read", "users.{jwt.user.rawUserMetaData.organizationId}.logs.create", "users.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "traders.read", "traders.create", "traders.edit", "traders.delete", "traders.logs", "roles.read", "roles.create", "roles.edit", "roles.delete", "roles.scopes.assign", "roles.scopes.delete", "roles.logs.read", "roles.logs.create", "roles.logs.delete", "roles.users.read", "test.admin", "test.read", "test.edit", "test.delete", "test.{jwt.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.edit", "test.{param.resourceId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.resource.{jwt.user.rawUserMetaData.organizationId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.branch.{jwt.userData.organizationBranchId}.read", "test.{invalid}.scope", "test.{}.scope", "test.{jwt.}.scope", "test.{.key}.scope"];
 type LabeledScope = {
     label: string;
     value: (typeof SCOPES)[number];

package/dist/export/worker.mjs

@@ -1,7 +1,7 @@
 import { uuidv4, first, createInternalError, develitWorker, action, service } from '@develit-io/backend-sdk';
 import { s as schema } from '../shared/rbac.D5OV7UPA.mjs';
 import { eq, and, count, inArray } from 'drizzle-orm';
-import { c as createRoleInputSchema, a as assignRoleToUserInputSchema, b as assignRolesToUserInputSchema, r as revokeRoleFromUserInputSchema, f as grantScopeToUserInputSchema, h as grantScopesToUserInputSchema, j as revokeScopeFromUserInputSchema, e as grantScopeToRoleInputSchema, i as revokeScopeFromRoleInputSchema, g as getUserPermissionsInputSchema, v as verifyAccessInputSchema, d as deleteRoleInputSchema, u as updateRoleInputSchema } from '../shared/rbac.ihzxYB9Z.mjs';
+import { c as createRoleInputSchema, a as assignRoleToUserInputSchema, b as assignRolesToUserInputSchema, r as revokeRoleFromUserInputSchema, f as grantScopeToUserInputSchema, h as grantScopesToUserInputSchema, j as revokeScopeFromUserInputSchema, e as grantScopeToRoleInputSchema, i as revokeScopeFromRoleInputSchema, g as getUserPermissionsInputSchema, v as verifyAccessInputSchema, d as deleteRoleInputSchema, u as updateRoleInputSchema, l as isScopeObject, m as isOrCondition, n as isAndCondition, o as isImplicitAndCondition } from '../shared/rbac.2_i8g_mW.mjs';
 import { z } from 'zod';
 import { WorkerEntrypoint } from 'cloudflare:workers';
 import { drizzle } from 'drizzle-orm/d1';
@@ -476,8 +476,15 @@ let RbacServiceBase = class extends develitWorker(WorkerEntrypoint) {
       { successMessage: "Scope successfully granted to user." },
       async ({ userId, scope, resourceId }) => {
         this.validateScope(scope);
-        const userScope = await getScopesByUserQuery({ db: this.db, userId });
-        if (userScope.some((s) => s.scope === scope)) {
+        const userScopes = await getScopesByUserQuery({ db: this.db, userId });
+        const matchingScopes = userScopes.filter((s) => s.scope === scope);
+        if (!resourceId && matchingScopes.find((s) => !s.resourceId)) {
+          throw createInternalError(null, {
+            message: "Scope already assigned to user.",
+            status: 409
+          });
+        }
+        if (resourceId && matchingScopes.some((s) => s.resourceId === resourceId)) {
           throw createInternalError(null, {
             message: "Scope already assigned to user.",
             status: 409
@@ -502,7 +509,16 @@ let RbacServiceBase = class extends develitWorker(WorkerEntrypoint) {
         for (const scope of scopes) {
           this.validateScope(scope.scope);
           const userScopes = await getScopesByUserQuery({ db: this.db, userId });
-          if (userScopes.some((s) => s.scope === scope.scope)) {
+          const matchingScopes = userScopes.filter(
+            (s) => s.scope === scope.scope
+          );
+          if (!scope.resourceId && matchingScopes.find((s) => !s.resourceId)) {
+            throw createInternalError(null, {
+              message: "Scope already assigned to user.",
+              status: 409
+            });
+          }
+          if (scope.resourceId && matchingScopes.some((s) => s.resourceId === scope.resourceId)) {
             throw createInternalError(null, {
               message: "Scope already assigned to user.",
               status: 409
@@ -657,10 +673,24 @@ let RbacServiceBase = class extends develitWorker(WorkerEntrypoint) {
       { data: input, schema: verifyAccessInputSchema },
       { successMessage: "Access verification completed." },
       async ({ userId, accessRequests, jwt }) => {
-        for (const requestGroup of accessRequests) {
-          for (const request of requestGroup) {
-            this.validateScope(request.scope);
+        const collectScopes = (condition) => {
+          if (isScopeObject(condition)) {
+            return [condition];
+          }
+          if (isOrCondition(condition)) {
+            return condition.or.flatMap(collectScopes);
+          }
+          if (isAndCondition(condition)) {
+            return condition.and.flatMap(collectScopes);
           }
+          if (isImplicitAndCondition(condition)) {
+            return condition.flatMap(collectScopes);
+          }
+          return [];
+        };
+        const allScopeObjects = collectScopes(accessRequests);
+        for (const scopeObj of allScopeObjects) {
+          this.validateScope(scopeObj.scope);
         }
         const userPermissionsResponse = await this.getUserPermissions({
           userId
@@ -675,59 +705,71 @@ let RbacServiceBase = class extends develitWorker(WorkerEntrypoint) {
           ...userPermissionsResponse.data.roleScopes,
           ...userPermissionsResponse.data.scopes
         ];
-        if (accessRequests.length === 0) {
+        if (allScopeObjects.length === 0) {
           return {
             isVerified: true
           };
         }
-        const anyGroupSatisfied = accessRequests.some((requestGroup) => {
-          return requestGroup.every((request) => {
-            const placeholders = parseScopeTemplate(request.scope);
-            return allScopes.some((userScope) => {
-              const scopesMatch = userScope.scope === request.scope;
-              let resourceMatches = false;
-              if (placeholders.length > 0) {
-                if (!request.resourcePath) {
-                  throw createInternalError(null, {
-                    message: `Resource path is required when scope '${request.scope}' contains placeholders`,
-                    status: 400,
-                    code: "RESOURCE_PATH_REQUIRED"
-                  });
-                }
-                const extractedResources = extractResourcesFromPath(
-                  request.scope,
-                  request.resourcePath
-                );
-                const allPlaceholdersMatch = placeholders.every(
-                  (placeholder) => {
-                    const extractedValue = extractedResources[`${placeholder.type}.${placeholder.path}`];
-                    const jwtParam = placeholder.type === "jwt" ? jwt : void 0;
-                    const expectedValue = getValueByKey(
-                      placeholder.type,
-                      placeholder.path,
-                      jwtParam
-                    );
-                    if (expectedValue === void 0) {
-                      return false;
-                    }
-                    return String(extractedValue) === String(expectedValue);
-                  }
-                );
-                const resourceIdMatches = userScope.resourceId === null || userScope.resourceId === request.resourceId;
-                resourceMatches = allPlaceholdersMatch && resourceIdMatches;
-              } else {
-                resourceMatches = userScope.resourceId === null || userScope.resourceId === request.resourceId;
-              }
-              return scopesMatch && resourceMatches;
-            });
-          });
-        });
+        const evaluateCondition = (condition) => {
+          if (isScopeObject(condition)) {
+            return this.verifySingleScope(condition, allScopes, jwt);
+          }
+          if (isOrCondition(condition)) {
+            return condition.or.some(evaluateCondition);
+          }
+          if (isAndCondition(condition)) {
+            return condition.and.every(evaluateCondition);
+          }
+          if (isImplicitAndCondition(condition)) {
+            return condition.every(evaluateCondition);
+          }
+          return false;
+        };
+        const isVerified = evaluateCondition(accessRequests);
         return {
-          isVerified: anyGroupSatisfied
+          isVerified
         };
       }
     );
   }
+  verifySingleScope(request, allScopes, jwt) {
+    const placeholders = parseScopeTemplate(request.scope);
+    return allScopes.some((userScope) => {
+      const scopesMatch = userScope.scope === request.scope;
+      let resourceMatches = false;
+      if (placeholders.length > 0) {
+        if (!request.resourcePath) {
+          throw createInternalError(null, {
+            message: `Resource path is required when scope '${request.scope}' contains placeholders`,
+            status: 400,
+            code: "RESOURCE_PATH_REQUIRED"
+          });
+        }
+        const extractedResources = extractResourcesFromPath(
+          request.scope,
+          request.resourcePath
+        );
+        const allPlaceholdersMatch = placeholders.every((placeholder) => {
+          const extractedValue = extractedResources[`${placeholder.type}.${placeholder.path}`];
+          const jwtParam = placeholder.type === "jwt" ? jwt : void 0;
+          const expectedValue = getValueByKey(
+            placeholder.type,
+            placeholder.path,
+            jwtParam
+          );
+          if (expectedValue === void 0) {
+            return false;
+          }
+          return String(extractedValue) === String(expectedValue);
+        });
+        const resourceIdMatches = userScope.resourceId === null || userScope.resourceId === request.resourceId;
+        resourceMatches = allPlaceholdersMatch && resourceIdMatches;
+      } else {
+        resourceMatches = userScope.resourceId === null || userScope.resourceId === request.resourceId;
+      }
+      return scopesMatch && resourceMatches;
+    });
+  }
   async deleteRole(input) {
     return this.handleAction(
       { data: input, schema: deleteRoleInputSchema },
@@ -812,6 +854,7 @@ const organizationScopedKeys = (scopes) => {
   return out;
 };
 const TEST_SCOPES = [
+  "test.admin",
   "test.read",
   "test.edit",
   "test.delete",
@@ -1012,6 +1055,7 @@ const LABELED_SCOPES = [
   { label: "Smazat logy rol\xED", value: "roles.logs.delete" },
   { label: "Zobrazit u\u017Eivatele p\u0159i\u0159azen\xE9 k rol\xEDm", value: "roles.users.read" },
   // Test scopes
+  { label: "Test: Admin", value: "test.admin" },
   { label: "Test: Read", value: "test.read" },
   { label: "Test: Edit", value: "test.edit" },
   { label: "Test: Delete", value: "test.delete" },

package/dist/export/wrangler.cjs

@@ -10,10 +10,15 @@ function defineRbacServiceWrangler(config) {
       name
     }),
     vars: {
-      // Variables
       ...envs.local.vars,
       ENVIRONMENT: "localhost"
     },
+    services: [
+      {
+        binding: "SECRETS_STORE",
+        service: `${project}-secrets-store`
+      }
+    ],
     d1_databases: [
       {
         binding: "RBAC_D1",

package/dist/export/wrangler.d.cts

@@ -5,6 +5,10 @@ declare function defineRbacServiceWrangler(config: RbacServiceWranglerConfig): {
         ENVIRONMENT: string;
         SERVICE_CONFIG_INCLUDE_CONFIRMATION: boolean;
     };
+    services: {
+        binding: string;
+        service: string;
+    }[];
     d1_databases: {
         binding: string;
         database_name: string;

package/dist/export/wrangler.d.mts

@@ -5,6 +5,10 @@ declare function defineRbacServiceWrangler(config: RbacServiceWranglerConfig): {
         ENVIRONMENT: string;
         SERVICE_CONFIG_INCLUDE_CONFIRMATION: boolean;
     };
+    services: {
+        binding: string;
+        service: string;
+    }[];
     d1_databases: {
         binding: string;
         database_name: string;

package/dist/export/wrangler.d.ts

@@ -5,6 +5,10 @@ declare function defineRbacServiceWrangler(config: RbacServiceWranglerConfig): {
         ENVIRONMENT: string;
         SERVICE_CONFIG_INCLUDE_CONFIRMATION: boolean;
     };
+    services: {
+        binding: string;
+        service: string;
+    }[];
     d1_databases: {
         binding: string;
         database_name: string;

package/dist/export/wrangler.mjs

@@ -8,10 +8,15 @@ function defineRbacServiceWrangler(config) {
       name
     }),
     vars: {
-      // Variables
       ...envs.local.vars,
       ENVIRONMENT: "localhost"
     },
+    services: [
+      {
+        binding: "SECRETS_STORE",
+        service: `${project}-secrets-store`
+      }
+    ],
     d1_databases: [
       {
         binding: "RBAC_D1",

package/dist/shared/{rbac.ihzxYB9Z.mjs → rbac.2_i8g_mW.mjs}

@@ -135,19 +135,36 @@ const coercedUserSchema = jwtUserSchema.extend({
 const coercedJwtPayloadSchema = jwtPayloadSchema.extend({
   user: coercedUserSchema
 });
+const scopeObjectSchema = z.object({
+  scope: z.string(),
+  resourceId: z.string().optional(),
+  resourcePath: z.string().optional()
+});
+const scopeConditionSchema = z.lazy(
+  () => z.union([
+    scopeObjectSchema,
+    z.object({ or: z.array(scopeConditionSchema) }),
+    z.object({ and: z.array(scopeConditionSchema) }),
+    z.array(scopeConditionSchema)
+  ])
+);
 const verifyAccessInputSchema = z.object({
   userId: z.uuid(),
-  accessRequests: z.array(
-    z.array(
-      z.object({
-        scope: z.string(),
-        resourceId: z.string().optional(),
-        resourcePath: z.string().optional()
-      })
-    )
-  ),
+  accessRequests: scopeConditionSchema,
   jwt: coercedJwtPayloadSchema.optional()
 });
+function isScopeObject(condition) {
+  return typeof condition === "object" && condition !== null && !Array.isArray(condition) && "scope" in condition && !("or" in condition) && !("and" in condition);
+}
+function isOrCondition(condition) {
+  return typeof condition === "object" && condition !== null && !Array.isArray(condition) && "or" in condition;
+}
+function isAndCondition(condition) {
+  return typeof condition === "object" && condition !== null && !Array.isArray(condition) && "and" in condition;
+}
+function isImplicitAndCondition(condition) {
+  return Array.isArray(condition);
+}
 
 const verifyScopeInputSchema = z.object({
   scopes: z.array(z.string()),
@@ -163,4 +180,4 @@ const verifyScopeOutputSchema = z.object({
   isVerified: z.boolean().default(false)
 });
 
-export { assignRoleToUserInputSchema as a, assignRolesToUserInputSchema as b, createRoleInputSchema as c, deleteRoleInputSchema as d, grantScopeToRoleInputSchema as e, grantScopeToUserInputSchema as f, getUserPermissionsInputSchema as g, grantScopesToUserInputSchema as h, revokeScopeFromRoleInputSchema as i, revokeScopeFromUserInputSchema as j, verifyScopeInputSchema as k, verifyScopeOutputSchema as l, revokeRoleFromUserInputSchema as r, updateRoleInputSchema as u, verifyAccessInputSchema as v };
+export { assignRoleToUserInputSchema as a, assignRolesToUserInputSchema as b, createRoleInputSchema as c, deleteRoleInputSchema as d, grantScopeToRoleInputSchema as e, grantScopeToUserInputSchema as f, getUserPermissionsInputSchema as g, grantScopesToUserInputSchema as h, revokeScopeFromRoleInputSchema as i, revokeScopeFromUserInputSchema as j, scopeConditionSchema as k, isScopeObject as l, isOrCondition as m, isAndCondition as n, isImplicitAndCondition as o, verifyScopeInputSchema as p, verifyScopeOutputSchema as q, revokeRoleFromUserInputSchema as r, scopeObjectSchema as s, updateRoleInputSchema as u, verifyAccessInputSchema as v };

package/dist/shared/{rbac.DrhiDe1P.d.ts → rbac.BrefTsLW.d.ts}

@@ -188,13 +188,21 @@ interface UpdateRoleInput extends z.infer<typeof updateRoleInputSchema> {
 interface UpdateRoleOutput {
 }
 
+declare const scopeObjectSchema: z.ZodObject<{
+    scope: z.ZodString;
+    resourceId: z.ZodOptional<z.ZodString>;
+    resourcePath: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+type ScopeObject = z.infer<typeof scopeObjectSchema>;
+type ScopeCondition = ScopeObject | {
+    or: ScopeCondition[];
+} | {
+    and: ScopeCondition[];
+} | ScopeCondition[];
+declare const scopeConditionSchema: z.ZodType<ScopeCondition>;
 declare const verifyAccessInputSchema: z.ZodObject<{
     userId: z.ZodUUID;
-    accessRequests: z.ZodArray<z.ZodArray<z.ZodObject<{
-        scope: z.ZodString;
-        resourceId: z.ZodOptional<z.ZodString>;
-        resourcePath: z.ZodOptional<z.ZodString>;
-    }, z.core.$strip>>>;
+    accessRequests: z.ZodType<ScopeCondition, unknown, z.core.$ZodTypeInternals<ScopeCondition, unknown>>;
     jwt: z.ZodOptional<z.ZodObject<{
         sub: z.ZodString;
         iat: z.ZodNumber;
@@ -233,6 +241,14 @@ interface VerifyAccessInput extends z.infer<typeof verifyAccessInputSchema> {
 interface VerifyAccessOutput {
     isVerified: boolean;
 }
+declare function isScopeObject(condition: ScopeCondition): condition is ScopeObject;
+declare function isOrCondition(condition: ScopeCondition): condition is {
+    or: ScopeCondition[];
+};
+declare function isAndCondition(condition: ScopeCondition): condition is {
+    and: ScopeCondition[];
+};
+declare function isImplicitAndCondition(condition: ScopeCondition): condition is ScopeCondition[];
 
-export { assignRoleToUserInputSchema as H, assignRolesToUserInputSchema as I, createRoleInputSchema as J, deleteRoleInputSchema as K, getUserPermissionsInputSchema as M, grantScopeToRoleInputSchema as N, grantScopeToUserInputSchema as O, grantScopesToUserInputSchema as P, revokeRoleFromUserInputSchema as Q, revokeScopeFromRoleInputSchema as T, revokeScopeFromUserInputSchema as W, updateRoleInputSchema as X, verifyAccessInputSchema as Y, tables as t };
-export type { AssignRoleToUserInput as A, UserRoleInsertType as B, CreateRoleInput as C, DeleteRoleInput as D, UserScopeSelectType as E, UserScopeInsertType as F, GrantScopeToUserInput as G, LabeledScope as L, RevokeRoleFromUserInput as R, Scope as S, UpdateRoleInput as U, VerifyAccessInput as V, CreateRoleOutput as a, AssignRoleToUserOutput as b, AssignRolesToUserInput as c, AssignRolesToUserOutput as d, RevokeRoleFromUserOutput as e, GrantScopeToUserOutput as f, GrantScopesToUserInput as g, GrantScopesToUserOutput as h, RevokeScopeFromUserInput as i, RevokeScopeFromUserOutput as j, GrantScopeToRoleInput as k, GrantScopeToRoleOutput as l, RevokeScopeFromRoleInput as m, RevokeScopeFromRoleOutput as n, GetPermissionsOutput as o, GetUserPermissionsInput as p, GetUserPermissionsOutput as q, VerifyAccessOutput as r, DeleteRoleOutput as s, UpdateRoleOutput as u, RoleScopeSelectType as v, RoleScopeInsertType as w, RoleSelectType as x, RoleInsertType as y, UserRoleSelectType as z };
+export { scopeConditionSchema as $, assignRoleToUserInputSchema as H, assignRolesToUserInputSchema as I, createRoleInputSchema as J, deleteRoleInputSchema as K, getUserPermissionsInputSchema as M, grantScopeToRoleInputSchema as N, grantScopeToUserInputSchema as O, grantScopesToUserInputSchema as P, revokeRoleFromUserInputSchema as Q, revokeScopeFromRoleInputSchema as T, revokeScopeFromUserInputSchema as W, updateRoleInputSchema as X, scopeObjectSchema as Y, verifyAccessInputSchema as a0, isScopeObject as a1, isOrCondition as a2, isAndCondition as a3, isImplicitAndCondition as a4, tables as t };
+export type { AssignRoleToUserInput as A, UserRoleInsertType as B, CreateRoleInput as C, DeleteRoleInput as D, UserScopeSelectType as E, UserScopeInsertType as F, GrantScopeToUserInput as G, LabeledScope as L, RevokeRoleFromUserInput as R, Scope as S, UpdateRoleInput as U, VerifyAccessInput as V, ScopeObject as Z, ScopeCondition as _, CreateRoleOutput as a, AssignRoleToUserOutput as b, AssignRolesToUserInput as c, AssignRolesToUserOutput as d, RevokeRoleFromUserOutput as e, GrantScopeToUserOutput as f, GrantScopesToUserInput as g, GrantScopesToUserOutput as h, RevokeScopeFromUserInput as i, RevokeScopeFromUserOutput as j, GrantScopeToRoleInput as k, GrantScopeToRoleOutput as l, RevokeScopeFromRoleInput as m, RevokeScopeFromRoleOutput as n, GetPermissionsOutput as o, GetUserPermissionsInput as p, GetUserPermissionsOutput as q, VerifyAccessOutput as r, DeleteRoleOutput as s, UpdateRoleOutput as u, RoleScopeSelectType as v, RoleScopeInsertType as w, RoleSelectType as x, RoleInsertType as y, UserRoleSelectType as z };

package/dist/shared/{rbac.DbnJpvqK.d.mts → rbac.CG3CtEwh.d.mts}

@@ -188,13 +188,21 @@ interface UpdateRoleInput extends z.infer<typeof updateRoleInputSchema> {
 interface UpdateRoleOutput {
 }
 
+declare const scopeObjectSchema: z.ZodObject<{
+    scope: z.ZodString;
+    resourceId: z.ZodOptional<z.ZodString>;
+    resourcePath: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+type ScopeObject = z.infer<typeof scopeObjectSchema>;
+type ScopeCondition = ScopeObject | {
+    or: ScopeCondition[];
+} | {
+    and: ScopeCondition[];
+} | ScopeCondition[];
+declare const scopeConditionSchema: z.ZodType<ScopeCondition>;
 declare const verifyAccessInputSchema: z.ZodObject<{
     userId: z.ZodUUID;
-    accessRequests: z.ZodArray<z.ZodArray<z.ZodObject<{
-        scope: z.ZodString;
-        resourceId: z.ZodOptional<z.ZodString>;
-        resourcePath: z.ZodOptional<z.ZodString>;
-    }, z.core.$strip>>>;
+    accessRequests: z.ZodType<ScopeCondition, unknown, z.core.$ZodTypeInternals<ScopeCondition, unknown>>;
     jwt: z.ZodOptional<z.ZodObject<{
         sub: z.ZodString;
         iat: z.ZodNumber;
@@ -233,6 +241,14 @@ interface VerifyAccessInput extends z.infer<typeof verifyAccessInputSchema> {
 interface VerifyAccessOutput {
     isVerified: boolean;
 }
+declare function isScopeObject(condition: ScopeCondition): condition is ScopeObject;
+declare function isOrCondition(condition: ScopeCondition): condition is {
+    or: ScopeCondition[];
+};
+declare function isAndCondition(condition: ScopeCondition): condition is {
+    and: ScopeCondition[];
+};
+declare function isImplicitAndCondition(condition: ScopeCondition): condition is ScopeCondition[];
 
-export { assignRoleToUserInputSchema as H, assignRolesToUserInputSchema as I, createRoleInputSchema as J, deleteRoleInputSchema as K, getUserPermissionsInputSchema as M, grantScopeToRoleInputSchema as N, grantScopeToUserInputSchema as O, grantScopesToUserInputSchema as P, revokeRoleFromUserInputSchema as Q, revokeScopeFromRoleInputSchema as T, revokeScopeFromUserInputSchema as W, updateRoleInputSchema as X, verifyAccessInputSchema as Y, tables as t };
-export type { AssignRoleToUserInput as A, UserRoleInsertType as B, CreateRoleInput as C, DeleteRoleInput as D, UserScopeSelectType as E, UserScopeInsertType as F, GrantScopeToUserInput as G, LabeledScope as L, RevokeRoleFromUserInput as R, Scope as S, UpdateRoleInput as U, VerifyAccessInput as V, CreateRoleOutput as a, AssignRoleToUserOutput as b, AssignRolesToUserInput as c, AssignRolesToUserOutput as d, RevokeRoleFromUserOutput as e, GrantScopeToUserOutput as f, GrantScopesToUserInput as g, GrantScopesToUserOutput as h, RevokeScopeFromUserInput as i, RevokeScopeFromUserOutput as j, GrantScopeToRoleInput as k, GrantScopeToRoleOutput as l, RevokeScopeFromRoleInput as m, RevokeScopeFromRoleOutput as n, GetPermissionsOutput as o, GetUserPermissionsInput as p, GetUserPermissionsOutput as q, VerifyAccessOutput as r, DeleteRoleOutput as s, UpdateRoleOutput as u, RoleScopeSelectType as v, RoleScopeInsertType as w, RoleSelectType as x, RoleInsertType as y, UserRoleSelectType as z };
+export { scopeConditionSchema as $, assignRoleToUserInputSchema as H, assignRolesToUserInputSchema as I, createRoleInputSchema as J, deleteRoleInputSchema as K, getUserPermissionsInputSchema as M, grantScopeToRoleInputSchema as N, grantScopeToUserInputSchema as O, grantScopesToUserInputSchema as P, revokeRoleFromUserInputSchema as Q, revokeScopeFromRoleInputSchema as T, revokeScopeFromUserInputSchema as W, updateRoleInputSchema as X, scopeObjectSchema as Y, verifyAccessInputSchema as a0, isScopeObject as a1, isOrCondition as a2, isAndCondition as a3, isImplicitAndCondition as a4, tables as t };
+export type { AssignRoleToUserInput as A, UserRoleInsertType as B, CreateRoleInput as C, DeleteRoleInput as D, UserScopeSelectType as E, UserScopeInsertType as F, GrantScopeToUserInput as G, LabeledScope as L, RevokeRoleFromUserInput as R, Scope as S, UpdateRoleInput as U, VerifyAccessInput as V, ScopeObject as Z, ScopeCondition as _, CreateRoleOutput as a, AssignRoleToUserOutput as b, AssignRolesToUserInput as c, AssignRolesToUserOutput as d, RevokeRoleFromUserOutput as e, GrantScopeToUserOutput as f, GrantScopesToUserInput as g, GrantScopesToUserOutput as h, RevokeScopeFromUserInput as i, RevokeScopeFromUserOutput as j, GrantScopeToRoleInput as k, GrantScopeToRoleOutput as l, RevokeScopeFromRoleInput as m, RevokeScopeFromRoleOutput as n, GetPermissionsOutput as o, GetUserPermissionsInput as p, GetUserPermissionsOutput as q, VerifyAccessOutput as r, DeleteRoleOutput as s, UpdateRoleOutput as u, RoleScopeSelectType as v, RoleScopeInsertType as w, RoleSelectType as x, RoleInsertType as y, UserRoleSelectType as z };

package/dist/shared/{rbac.B4wUvd3l.d.cts → rbac.DBpIRbd3.d.cts}

@@ -188,13 +188,21 @@ interface UpdateRoleInput extends z.infer<typeof updateRoleInputSchema> {
 interface UpdateRoleOutput {
 }
 
+declare const scopeObjectSchema: z.ZodObject<{
+    scope: z.ZodString;
+    resourceId: z.ZodOptional<z.ZodString>;
+    resourcePath: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+type ScopeObject = z.infer<typeof scopeObjectSchema>;
+type ScopeCondition = ScopeObject | {
+    or: ScopeCondition[];
+} | {
+    and: ScopeCondition[];
+} | ScopeCondition[];
+declare const scopeConditionSchema: z.ZodType<ScopeCondition>;
 declare const verifyAccessInputSchema: z.ZodObject<{
     userId: z.ZodUUID;
-    accessRequests: z.ZodArray<z.ZodArray<z.ZodObject<{
-        scope: z.ZodString;
-        resourceId: z.ZodOptional<z.ZodString>;
-        resourcePath: z.ZodOptional<z.ZodString>;
-    }, z.core.$strip>>>;
+    accessRequests: z.ZodType<ScopeCondition, unknown, z.core.$ZodTypeInternals<ScopeCondition, unknown>>;
     jwt: z.ZodOptional<z.ZodObject<{
         sub: z.ZodString;
         iat: z.ZodNumber;
@@ -233,6 +241,14 @@ interface VerifyAccessInput extends z.infer<typeof verifyAccessInputSchema> {
 interface VerifyAccessOutput {
     isVerified: boolean;
 }
+declare function isScopeObject(condition: ScopeCondition): condition is ScopeObject;
+declare function isOrCondition(condition: ScopeCondition): condition is {
+    or: ScopeCondition[];
+};
+declare function isAndCondition(condition: ScopeCondition): condition is {
+    and: ScopeCondition[];
+};
+declare function isImplicitAndCondition(condition: ScopeCondition): condition is ScopeCondition[];
 
-export { assignRoleToUserInputSchema as H, assignRolesToUserInputSchema as I, createRoleInputSchema as J, deleteRoleInputSchema as K, getUserPermissionsInputSchema as M, grantScopeToRoleInputSchema as N, grantScopeToUserInputSchema as O, grantScopesToUserInputSchema as P, revokeRoleFromUserInputSchema as Q, revokeScopeFromRoleInputSchema as T, revokeScopeFromUserInputSchema as W, updateRoleInputSchema as X, verifyAccessInputSchema as Y, tables as t };
-export type { AssignRoleToUserInput as A, UserRoleInsertType as B, CreateRoleInput as C, DeleteRoleInput as D, UserScopeSelectType as E, UserScopeInsertType as F, GrantScopeToUserInput as G, LabeledScope as L, RevokeRoleFromUserInput as R, Scope as S, UpdateRoleInput as U, VerifyAccessInput as V, CreateRoleOutput as a, AssignRoleToUserOutput as b, AssignRolesToUserInput as c, AssignRolesToUserOutput as d, RevokeRoleFromUserOutput as e, GrantScopeToUserOutput as f, GrantScopesToUserInput as g, GrantScopesToUserOutput as h, RevokeScopeFromUserInput as i, RevokeScopeFromUserOutput as j, GrantScopeToRoleInput as k, GrantScopeToRoleOutput as l, RevokeScopeFromRoleInput as m, RevokeScopeFromRoleOutput as n, GetPermissionsOutput as o, GetUserPermissionsInput as p, GetUserPermissionsOutput as q, VerifyAccessOutput as r, DeleteRoleOutput as s, UpdateRoleOutput as u, RoleScopeSelectType as v, RoleScopeInsertType as w, RoleSelectType as x, RoleInsertType as y, UserRoleSelectType as z };
+export { scopeConditionSchema as $, assignRoleToUserInputSchema as H, assignRolesToUserInputSchema as I, createRoleInputSchema as J, deleteRoleInputSchema as K, getUserPermissionsInputSchema as M, grantScopeToRoleInputSchema as N, grantScopeToUserInputSchema as O, grantScopesToUserInputSchema as P, revokeRoleFromUserInputSchema as Q, revokeScopeFromRoleInputSchema as T, revokeScopeFromUserInputSchema as W, updateRoleInputSchema as X, scopeObjectSchema as Y, verifyAccessInputSchema as a0, isScopeObject as a1, isOrCondition as a2, isAndCondition as a3, isImplicitAndCondition as a4, tables as t };
+export type { AssignRoleToUserInput as A, UserRoleInsertType as B, CreateRoleInput as C, DeleteRoleInput as D, UserScopeSelectType as E, UserScopeInsertType as F, GrantScopeToUserInput as G, LabeledScope as L, RevokeRoleFromUserInput as R, Scope as S, UpdateRoleInput as U, VerifyAccessInput as V, ScopeObject as Z, ScopeCondition as _, CreateRoleOutput as a, AssignRoleToUserOutput as b, AssignRolesToUserInput as c, AssignRolesToUserOutput as d, RevokeRoleFromUserOutput as e, GrantScopeToUserOutput as f, GrantScopesToUserInput as g, GrantScopesToUserOutput as h, RevokeScopeFromUserInput as i, RevokeScopeFromUserOutput as j, GrantScopeToRoleInput as k, GrantScopeToRoleOutput as l, RevokeScopeFromRoleInput as m, RevokeScopeFromRoleOutput as n, GetPermissionsOutput as o, GetUserPermissionsInput as p, GetUserPermissionsOutput as q, VerifyAccessOutput as r, DeleteRoleOutput as s, UpdateRoleOutput as u, RoleScopeSelectType as v, RoleScopeInsertType as w, RoleSelectType as x, RoleInsertType as y, UserRoleSelectType as z };

package/dist/shared/{rbac.BZDCYlSt.cjs → rbac.JCf4hSCf.cjs}

@@ -137,19 +137,36 @@ const coercedUserSchema = jwtUserSchema.extend({
 const coercedJwtPayloadSchema = jwtPayloadSchema.extend({
   user: coercedUserSchema
 });
+const scopeObjectSchema = zod.z.object({
+  scope: zod.z.string(),
+  resourceId: zod.z.string().optional(),
+  resourcePath: zod.z.string().optional()
+});
+const scopeConditionSchema = zod.z.lazy(
+  () => zod.z.union([
+    scopeObjectSchema,
+    zod.z.object({ or: zod.z.array(scopeConditionSchema) }),
+    zod.z.object({ and: zod.z.array(scopeConditionSchema) }),
+    zod.z.array(scopeConditionSchema)
+  ])
+);
 const verifyAccessInputSchema = zod.z.object({
   userId: zod.z.uuid(),
-  accessRequests: zod.z.array(
-    zod.z.array(
-      zod.z.object({
-        scope: zod.z.string(),
-        resourceId: zod.z.string().optional(),
-        resourcePath: zod.z.string().optional()
-      })
-    )
-  ),
+  accessRequests: scopeConditionSchema,
   jwt: coercedJwtPayloadSchema.optional()
 });
+function isScopeObject(condition) {
+  return typeof condition === "object" && condition !== null && !Array.isArray(condition) && "scope" in condition && !("or" in condition) && !("and" in condition);
+}
+function isOrCondition(condition) {
+  return typeof condition === "object" && condition !== null && !Array.isArray(condition) && "or" in condition;
+}
+function isAndCondition(condition) {
+  return typeof condition === "object" && condition !== null && !Array.isArray(condition) && "and" in condition;
+}
+function isImplicitAndCondition(condition) {
+  return Array.isArray(condition);
+}
 
 const verifyScopeInputSchema = zod.z.object({
   scopes: zod.z.array(zod.z.string()),
@@ -173,9 +190,15 @@ exports.getUserPermissionsInputSchema = getUserPermissionsInputSchema;
 exports.grantScopeToRoleInputSchema = grantScopeToRoleInputSchema;
 exports.grantScopeToUserInputSchema = grantScopeToUserInputSchema;
 exports.grantScopesToUserInputSchema = grantScopesToUserInputSchema;
+exports.isAndCondition = isAndCondition;
+exports.isImplicitAndCondition = isImplicitAndCondition;
+exports.isOrCondition = isOrCondition;
+exports.isScopeObject = isScopeObject;
 exports.revokeRoleFromUserInputSchema = revokeRoleFromUserInputSchema;
 exports.revokeScopeFromRoleInputSchema = revokeScopeFromRoleInputSchema;
 exports.revokeScopeFromUserInputSchema = revokeScopeFromUserInputSchema;
+exports.scopeConditionSchema = scopeConditionSchema;
+exports.scopeObjectSchema = scopeObjectSchema;
 exports.updateRoleInputSchema = updateRoleInputSchema;
 exports.verifyAccessInputSchema = verifyAccessInputSchema;
 exports.verifyScopeInputSchema = verifyScopeInputSchema;

package/dist/types.cjs

@@ -1,6 +1,6 @@
 'use strict';
 
-const verifyScope = require('./shared/rbac.BZDCYlSt.cjs');
+const verifyScope = require('./shared/rbac.JCf4hSCf.cjs');
 require('zod');
 
 
@@ -13,9 +13,15 @@ exports.getUserPermissionsInputSchema = verifyScope.getUserPermissionsInputSchem
 exports.grantScopeToRoleInputSchema = verifyScope.grantScopeToRoleInputSchema;
 exports.grantScopeToUserInputSchema = verifyScope.grantScopeToUserInputSchema;
 exports.grantScopesToUserInputSchema = verifyScope.grantScopesToUserInputSchema;
+exports.isAndCondition = verifyScope.isAndCondition;
+exports.isImplicitAndCondition = verifyScope.isImplicitAndCondition;
+exports.isOrCondition = verifyScope.isOrCondition;
+exports.isScopeObject = verifyScope.isScopeObject;
 exports.revokeRoleFromUserInputSchema = verifyScope.revokeRoleFromUserInputSchema;
 exports.revokeScopeFromRoleInputSchema = verifyScope.revokeScopeFromRoleInputSchema;
 exports.revokeScopeFromUserInputSchema = verifyScope.revokeScopeFromUserInputSchema;
+exports.scopeConditionSchema = verifyScope.scopeConditionSchema;
+exports.scopeObjectSchema = verifyScope.scopeObjectSchema;
 exports.updateRoleInputSchema = verifyScope.updateRoleInputSchema;
 exports.verifyAccessInputSchema = verifyScope.verifyAccessInputSchema;
 exports.verifyScopeInputSchema = verifyScope.verifyScopeInputSchema;

package/dist/types.d.cts

@@ -1,4 +1,4 @@
-export { A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, C as CreateRoleInput, a as CreateRoleOutput, D as DeleteRoleInput, s as DeleteRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, L as LabeledScope, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, y as RoleInsertType, w as RoleScopeInsertType, v as RoleScopeSelectType, x as RoleSelectType, S as Scope, U as UpdateRoleInput, u as UpdateRoleOutput, B as UserRoleInsertType, z as UserRoleSelectType, F as UserScopeInsertType, E as UserScopeSelectType, V as VerifyAccessInput, r as VerifyAccessOutput, H as assignRoleToUserInputSchema, I as assignRolesToUserInputSchema, J as createRoleInputSchema, K as deleteRoleInputSchema, M as getUserPermissionsInputSchema, N as grantScopeToRoleInputSchema, O as grantScopeToUserInputSchema, P as grantScopesToUserInputSchema, Q as revokeRoleFromUserInputSchema, T as revokeScopeFromRoleInputSchema, W as revokeScopeFromUserInputSchema, X as updateRoleInputSchema, Y as verifyAccessInputSchema } from './shared/rbac.B4wUvd3l.cjs';
+export { A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, C as CreateRoleInput, a as CreateRoleOutput, D as DeleteRoleInput, s as DeleteRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, L as LabeledScope, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, y as RoleInsertType, w as RoleScopeInsertType, v as RoleScopeSelectType, x as RoleSelectType, S as Scope, _ as ScopeCondition, Z as ScopeObject, U as UpdateRoleInput, u as UpdateRoleOutput, B as UserRoleInsertType, z as UserRoleSelectType, F as UserScopeInsertType, E as UserScopeSelectType, V as VerifyAccessInput, r as VerifyAccessOutput, H as assignRoleToUserInputSchema, I as assignRolesToUserInputSchema, J as createRoleInputSchema, K as deleteRoleInputSchema, M as getUserPermissionsInputSchema, N as grantScopeToRoleInputSchema, O as grantScopeToUserInputSchema, P as grantScopesToUserInputSchema, a3 as isAndCondition, a4 as isImplicitAndCondition, a2 as isOrCondition, a1 as isScopeObject, Q as revokeRoleFromUserInputSchema, T as revokeScopeFromRoleInputSchema, W as revokeScopeFromUserInputSchema, $ as scopeConditionSchema, Y as scopeObjectSchema, X as updateRoleInputSchema, a0 as verifyAccessInputSchema } from './shared/rbac.DBpIRbd3.cjs';
 import { z } from 'zod';
 export { b as RbacServiceEnv, a as RbacServiceEnvironmentConfig, R as RbacServiceWranglerConfig } from './shared/rbac.ClMKyW8J.cjs';
 import 'drizzle-orm';

package/dist/types.d.mts

@@ -1,4 +1,4 @@
-export { A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, C as CreateRoleInput, a as CreateRoleOutput, D as DeleteRoleInput, s as DeleteRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, L as LabeledScope, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, y as RoleInsertType, w as RoleScopeInsertType, v as RoleScopeSelectType, x as RoleSelectType, S as Scope, U as UpdateRoleInput, u as UpdateRoleOutput, B as UserRoleInsertType, z as UserRoleSelectType, F as UserScopeInsertType, E as UserScopeSelectType, V as VerifyAccessInput, r as VerifyAccessOutput, H as assignRoleToUserInputSchema, I as assignRolesToUserInputSchema, J as createRoleInputSchema, K as deleteRoleInputSchema, M as getUserPermissionsInputSchema, N as grantScopeToRoleInputSchema, O as grantScopeToUserInputSchema, P as grantScopesToUserInputSchema, Q as revokeRoleFromUserInputSchema, T as revokeScopeFromRoleInputSchema, W as revokeScopeFromUserInputSchema, X as updateRoleInputSchema, Y as verifyAccessInputSchema } from './shared/rbac.DbnJpvqK.mjs';
+export { A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, C as CreateRoleInput, a as CreateRoleOutput, D as DeleteRoleInput, s as DeleteRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, L as LabeledScope, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, y as RoleInsertType, w as RoleScopeInsertType, v as RoleScopeSelectType, x as RoleSelectType, S as Scope, _ as ScopeCondition, Z as ScopeObject, U as UpdateRoleInput, u as UpdateRoleOutput, B as UserRoleInsertType, z as UserRoleSelectType, F as UserScopeInsertType, E as UserScopeSelectType, V as VerifyAccessInput, r as VerifyAccessOutput, H as assignRoleToUserInputSchema, I as assignRolesToUserInputSchema, J as createRoleInputSchema, K as deleteRoleInputSchema, M as getUserPermissionsInputSchema, N as grantScopeToRoleInputSchema, O as grantScopeToUserInputSchema, P as grantScopesToUserInputSchema, a3 as isAndCondition, a4 as isImplicitAndCondition, a2 as isOrCondition, a1 as isScopeObject, Q as revokeRoleFromUserInputSchema, T as revokeScopeFromRoleInputSchema, W as revokeScopeFromUserInputSchema, $ as scopeConditionSchema, Y as scopeObjectSchema, X as updateRoleInputSchema, a0 as verifyAccessInputSchema } from './shared/rbac.CG3CtEwh.mjs';
 import { z } from 'zod';
 export { b as RbacServiceEnv, a as RbacServiceEnvironmentConfig, R as RbacServiceWranglerConfig } from './shared/rbac.ClMKyW8J.mjs';
 import 'drizzle-orm';

package/dist/types.d.ts

@@ -1,4 +1,4 @@
-export { A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, C as CreateRoleInput, a as CreateRoleOutput, D as DeleteRoleInput, s as DeleteRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, L as LabeledScope, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, y as RoleInsertType, w as RoleScopeInsertType, v as RoleScopeSelectType, x as RoleSelectType, S as Scope, U as UpdateRoleInput, u as UpdateRoleOutput, B as UserRoleInsertType, z as UserRoleSelectType, F as UserScopeInsertType, E as UserScopeSelectType, V as VerifyAccessInput, r as VerifyAccessOutput, H as assignRoleToUserInputSchema, I as assignRolesToUserInputSchema, J as createRoleInputSchema, K as deleteRoleInputSchema, M as getUserPermissionsInputSchema, N as grantScopeToRoleInputSchema, O as grantScopeToUserInputSchema, P as grantScopesToUserInputSchema, Q as revokeRoleFromUserInputSchema, T as revokeScopeFromRoleInputSchema, W as revokeScopeFromUserInputSchema, X as updateRoleInputSchema, Y as verifyAccessInputSchema } from './shared/rbac.DrhiDe1P.js';
+export { A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, C as CreateRoleInput, a as CreateRoleOutput, D as DeleteRoleInput, s as DeleteRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, L as LabeledScope, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, y as RoleInsertType, w as RoleScopeInsertType, v as RoleScopeSelectType, x as RoleSelectType, S as Scope, _ as ScopeCondition, Z as ScopeObject, U as UpdateRoleInput, u as UpdateRoleOutput, B as UserRoleInsertType, z as UserRoleSelectType, F as UserScopeInsertType, E as UserScopeSelectType, V as VerifyAccessInput, r as VerifyAccessOutput, H as assignRoleToUserInputSchema, I as assignRolesToUserInputSchema, J as createRoleInputSchema, K as deleteRoleInputSchema, M as getUserPermissionsInputSchema, N as grantScopeToRoleInputSchema, O as grantScopeToUserInputSchema, P as grantScopesToUserInputSchema, a3 as isAndCondition, a4 as isImplicitAndCondition, a2 as isOrCondition, a1 as isScopeObject, Q as revokeRoleFromUserInputSchema, T as revokeScopeFromRoleInputSchema, W as revokeScopeFromUserInputSchema, $ as scopeConditionSchema, Y as scopeObjectSchema, X as updateRoleInputSchema, a0 as verifyAccessInputSchema } from './shared/rbac.BrefTsLW.js';
 import { z } from 'zod';
 export { b as RbacServiceEnv, a as RbacServiceEnvironmentConfig, R as RbacServiceWranglerConfig } from './shared/rbac.ClMKyW8J.js';
 import 'drizzle-orm';

package/dist/types.mjs

@@ -1,2 +1,2 @@
-export { a as assignRoleToUserInputSchema, b as assignRolesToUserInputSchema, c as createRoleInputSchema, d as deleteRoleInputSchema, g as getUserPermissionsInputSchema, e as grantScopeToRoleInputSchema, f as grantScopeToUserInputSchema, h as grantScopesToUserInputSchema, r as revokeRoleFromUserInputSchema, i as revokeScopeFromRoleInputSchema, j as revokeScopeFromUserInputSchema, u as updateRoleInputSchema, v as verifyAccessInputSchema, k as verifyScopeInputSchema, l as verifyScopeOutputSchema } from './shared/rbac.ihzxYB9Z.mjs';
+export { a as assignRoleToUserInputSchema, b as assignRolesToUserInputSchema, c as createRoleInputSchema, d as deleteRoleInputSchema, g as getUserPermissionsInputSchema, e as grantScopeToRoleInputSchema, f as grantScopeToUserInputSchema, h as grantScopesToUserInputSchema, n as isAndCondition, o as isImplicitAndCondition, m as isOrCondition, l as isScopeObject, r as revokeRoleFromUserInputSchema, i as revokeScopeFromRoleInputSchema, j as revokeScopeFromUserInputSchema, k as scopeConditionSchema, s as scopeObjectSchema, u as updateRoleInputSchema, v as verifyAccessInputSchema, p as verifyScopeInputSchema, q as verifyScopeOutputSchema } from './shared/rbac.2_i8g_mW.mjs';
 import 'zod';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@develit-services/rbac",
-  "version": "0.3.0",
+  "version": "0.5.0",
   "author": "Develit.io s.r.o.",
   "type": "module",
   "exports": {
@@ -30,13 +30,13 @@
     "./dist"
   ],
   "scripts": {
-    "dev": "wrangler dev --port 9237 --persist-to ../../.wrangler/state",
+    "dev": "wrangler dev --port 9237 --persist-to ../../.wrangler/state -c ./wrangler.jsonc -c ../../apps/secrets-store/wrangler.jsonc",
     "wrangler:generate": "bunx develit wrangler:generate --types",
     "db:init": "wrangler d1 execute develit-rbac --local --persist-to ../../.wrangler/state --command=\"SELECT 'Creating database...' AS status;\"",
     "db:generate": "drizzle-kit generate",
     "db:migrate": "drizzle-kit migrate",
     "db:explore": "drizzle-kit studio",
-    "types": "wrangler types --env-interface RbacEnv --include-runtime false",
+    "types": "bash typegen.sh",
     "lint": "biome check",
     "lint:fix": "biome check --fix",
     "test": "vitest",