@dudousxd/nestjs-authz-client 0.1.0

package/CHANGELOG.md

@@ -0,0 +1,20 @@
+# @dudousxd/nestjs-authz-client
+
+## 0.1.0
+
+### Minor Changes
+
+- [#2](https://github.com/DavideCarvalho/nestjs-authz/pull/2) [`2ecb0f4`](https://github.com/DavideCarvalho/nestjs-authz/commit/2ecb0f46342fa4527fc01f1097720f2e7bcf9aa7) Thanks [@DavideCarvalho](https://github.com/DavideCarvalho)! - Extract the framework-neutral ability store into a new `@dudousxd/nestjs-authz-client`
+  package and add a `@dudousxd/nestjs-authz-react` package.
+
+  - **`@dudousxd/nestjs-authz-client`** (new): the canonical home for the in-memory
+    `AbilityStore`, `createCan` (synchronous cache hit; configurable `fallback: 'deny' | 'fetch'`
+    to `POST /authz/can` on a miss), and `hydrateFromInertiaProps` / `hydrateResource`. Pure
+    TypeScript plus an injectable `fetch` — no React/Vue/NestJS/Inertia dependency.
+  - **`@dudousxd/nestjs-authz-react`** (new): `AuthzProvider` (holds a hydrated `AbilityStore`),
+    `useCan(ability, resource?)` (returns `{ allowed, loading }`, synchronous and request-free on a
+    cache hit; honors the store's fallback on a miss), and `<Can ability of fallback>`. A missing
+    provider fails closed (deny).
+  - **`@dudousxd/nestjs-authz-inertia`** (patch): now depends on `@dudousxd/nestjs-authz-client` and
+    re-exports its store instead of carrying a private copy. The
+    `@dudousxd/nestjs-authz-inertia/client` entry point is unchanged for consumers.

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Davi Carvalho
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,47 @@
+# @dudousxd/nestjs-authz-client
+
+Framework-neutral, in-memory ability store + `can()` resolver for
+[`@dudousxd/nestjs-authz`](../core). Hydrate a user's decisions once (from Inertia
+shared props, a JSON island, or any source) and answer client-side `can(...)` checks
+**synchronously, with no network request**.
+
+No dependency on React/Vue/NestJS/Inertia — it is pure TypeScript plus an injectable
+`fetch`. The `-react` and `-inertia` packages, and the codegen client, all reuse it.
+
+```ts
+import {
+  AbilityStore,
+  hydrateFromInertiaProps,
+  hydrateResource,
+  createCan,
+} from '@dudousxd/nestjs-authz-client';
+
+const store = new AbilityStore();
+hydrateFromInertiaProps(store, pageProps); // reads props.auth.can
+hydrateResource(store, { type: 'Post', id: post.id }, post.can); // per-instance map
+
+const can = createCan(store);
+can('post.create'); // → boolean, synchronously, no fetch
+can('update', { type: 'Post', id: post.id }); // → boolean
+```
+
+## Fallback on a cache miss
+
+When an ability/resource is not hydrated, `createCan` behaves per `fallback`:
+
+- `'deny'` (default) — returns `false` synchronously.
+- `'fetch'` — `POST { ability, resource }` to `endpoint` (default `'/authz/can'`)
+  and returns a `Promise<boolean>` from the server's `{ allowed }`.
+
+```ts
+const can = createCan(store, { fallback: 'fetch', endpoint: '/authz/can' });
+const allowed = can('rare.ability'); // boolean (hit) | Promise<boolean> (miss → fetch)
+```
+
+## API
+
+- `AbilityStore` — `setClassAbilities` / `mergeClassAbilities` / `setResourceAbilities` /
+  `has` / `peek` / `clear`.
+- `hydrateFromInertiaProps(store, props, propKey?)`
+- `hydrateResource(store, ref, can)`
+- `createCan(store, options?)` → `CanResolver`

package/dist/index.d.ts

@@ -0,0 +1,4 @@
+export declare const VERSION = "0.0.0";
+export { AbilityStore, createCan, hydrateFromInertiaProps, hydrateResource, } from './store.js';
+export type { CanMap, ResourceRef, HydratableProps, FallbackMode, AbilityStoreOptions, CanResolver, } from './store.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,OAAO,UAAU,CAAC;AAE/B,OAAO,EACL,YAAY,EACZ,SAAS,EACT,uBAAuB,EACvB,eAAe,GAChB,MAAM,YAAY,CAAC;AACpB,YAAY,EACV,MAAM,EACN,WAAW,EACX,eAAe,EACf,YAAY,EACZ,mBAAmB,EACnB,WAAW,GACZ,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -0,0 +1,3 @@
+export const VERSION = '0.0.0';
+export { AbilityStore, createCan, hydrateFromInertiaProps, hydrateResource, } from './store.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC;AAE/B,OAAO,EACL,YAAY,EACZ,SAAS,EACT,uBAAuB,EACvB,eAAe,GAChB,MAAM,YAAY,CAAC"}

package/dist/store.d.ts

@@ -0,0 +1,105 @@
+/**
+ * Framework-neutral, in-memory ability store + `can()` resolver for the front end.
+ *
+ * The store is hydrated from Inertia shared props (`props.auth.can`) and from any
+ * per-resource `can` maps a controller serialized onto a resource. `can(...)` then
+ * answers SYNCHRONOUSLY from the cache — no network request — and only falls back
+ * (configurable: fetch the `/authz/can` endpoint, or deny) when the ability/resource
+ * is genuinely unknown.
+ *
+ * No dependency on React/Vue/NestJS/Inertia — `-react`, `-inertia`, and the codegen
+ * client can all reuse this.
+ *
+ * @module store
+ */
+/** A flat `ability -> verdict` record. */
+export type CanMap = Record<string, boolean>;
+/** A resource identifiable by `type` + `id` (for keying per-instance maps). */
+export interface ResourceRef {
+    type: string;
+    id?: string | number | null;
+}
+/** Inertia shared-props subset the store reads from. */
+export interface HydratableProps {
+    auth?: {
+        can?: CanMap | null;
+    } | null;
+    [key: string]: unknown;
+}
+/** Strategy when an ability/resource is NOT in the store. */
+export type FallbackMode = 'deny' | 'fetch';
+export interface AbilityStoreOptions {
+    /** Prop key the class-ability map nests under (matches the server's `propKey`). Default `'auth'`. */
+    propKey?: string;
+    /**
+     * What to do when `can(...)` is asked about an ability/resource not in the store.
+     * - `'deny'` (default): return `false` synchronously.
+     * - `'fetch'`: POST to {@link AbilityStoreOptions.endpoint} and resolve a Promise.
+     */
+    fallback?: FallbackMode;
+    /** Endpoint the `'fetch'` fallback POSTs `{ ability, resource }` to. Default `'/authz/can'`. */
+    endpoint?: string;
+    /** Injectable fetch (for tests / non-browser runtimes). Defaults to global `fetch`. */
+    fetchImpl?: typeof fetch;
+}
+/**
+ * In-memory store of class-level abilities + per-resource `can` maps.
+ *
+ * Class abilities are keyed by ability name; per-resource maps are keyed by
+ * `type#id` then ability name.
+ */
+export declare class AbilityStore {
+    private readonly classAbilities;
+    private readonly resourceAbilities;
+    /** Replace the class-level ability map. */
+    setClassAbilities(map: CanMap): this;
+    /** Merge additional class-level abilities (does not clear existing). */
+    mergeClassAbilities(map: CanMap): this;
+    /** Store a per-instance `can` map for a resource. */
+    setResourceAbilities(ref: ResourceRef, map: CanMap): this;
+    /** True when `ability` (optionally on `resource`) has a cached verdict. */
+    has(ability: string, resource?: ResourceRef): boolean;
+    /**
+     * Synchronous lookup. Returns the cached verdict, or `undefined` when unknown.
+     * Never performs I/O.
+     */
+    peek(ability: string, resource?: ResourceRef): boolean | undefined;
+    /** Empty the store. */
+    clear(): this;
+}
+/**
+ * Hydrate `store` from Inertia shared props. Reads `props.<propKey>.can` for the
+ * class-level abilities. Per-resource maps are hydrated separately via
+ * {@link hydrateResource} (a resource's `can` lives on the serialized resource,
+ * whose `type`/`id` only the caller knows).
+ */
+export declare function hydrateFromInertiaProps(store: AbilityStore, props: HydratableProps | undefined | null, propKey?: string): AbilityStore;
+/**
+ * Hydrate a single resource's per-instance `can` map (e.g. from a serialized
+ * `{ ...post, can }`). `ref` identifies the instance (`type#id`).
+ */
+export declare function hydrateResource(store: AbilityStore, ref: ResourceRef, can: CanMap | undefined | null): AbilityStore;
+/**
+ * The resolver function returned by {@link createCan}. When the verdict is cached
+ * it returns a `boolean` SYNCHRONOUSLY; only on a cache miss with `fallback: 'fetch'`
+ * does it return a `Promise<boolean>`.
+ */
+export type CanResolver = (ability: string, resource?: ResourceRef) => boolean | Promise<boolean>;
+/**
+ * Build a `can(ability, resource?)` bound to `store`.
+ *
+ * - **Cache hit** → returns the cached `boolean` synchronously (NO request).
+ * - **Cache miss, `fallback: 'deny'`** (default) → returns `false` synchronously.
+ * - **Cache miss, `fallback: 'fetch'`** → POSTs `{ ability, resource }` to the
+ *   endpoint and returns a `Promise<boolean>` from `{ allowed }`.
+ *
+ * **Resource-bound decisions and the fetch fallback:** per-instance decisions
+ * (`can(ability, { type, id })`) MUST be hydrated via shared props /
+ * `authorizeResource` (tiers 1-2). The `POST /authz/can` fetch fallback only
+ * resolves class-level abilities and ad-hoc gates — the `{ type, id }` shim it
+ * sends never matches a `@Policy` by constructor, so a resource-bound ability
+ * that misses the cache will DENY. On such a miss this logs a one-time
+ * `console.warn` so the silent deny is debuggable.
+ */
+export declare function createCan(store: AbilityStore, options?: AbilityStoreOptions): CanResolver;
+//# sourceMappingURL=store.d.ts.map

package/dist/store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.d.ts","sourceRoot":"","sources":["../src/store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,0CAA0C;AAC1C,MAAM,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAE7C,+EAA+E;AAC/E,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;CAC7B;AAED,wDAAwD;AACxD,MAAM,WAAW,eAAe;IAC9B,IAAI,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,GAAG,IAAI,CAAC;IACtC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,6DAA6D;AAC7D,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,OAAO,CAAC;AAE5C,MAAM,WAAW,mBAAmB;IAClC,qGAAqG;IACrG,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;OAIG;IACH,QAAQ,CAAC,EAAE,YAAY,CAAC;IACxB,gGAAgG;IAChG,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,uFAAuF;IACvF,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;CAC1B;AAOD;;;;;GAKG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAc;IAC7C,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAA6B;IAE/D,2CAA2C;IAC3C,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IAMpC,wEAAwE;IACxE,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IAKtC,qDAAqD;IACrD,oBAAoB,CAAC,GAAG,EAAE,WAAW,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI;IAKzD,2EAA2E;IAC3E,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,WAAW,GAAG,OAAO;IAQrD;;;OAGG;IACH,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,WAAW,GAAG,OAAO,GAAG,SAAS;IAQlE,uBAAuB;IACvB,KAAK,IAAI,IAAI;CAKd;AAED;;;;;GAKG;AACH,wBAAgB,uBAAuB,CACrC,KAAK,EAAE,YAAY,EACnB,KAAK,EAAE,eAAe,GAAG,SAAS,GAAG,IAAI,EACzC,OAAO,SAAS,GACf,YAAY,CAMd;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE,YAAY,EACnB,GAAG,EAAE,WAAW,EAChB,GAAG,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAC7B,YAAY,CAGd;AAED;;;;GAIG;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,WAAW,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAElG;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,YAAY,EAAE,OAAO,GAAE,mBAAwB,GAAG,WAAW,CAoC7F"}

package/dist/store.js

@@ -0,0 +1,142 @@
+/**
+ * Framework-neutral, in-memory ability store + `can()` resolver for the front end.
+ *
+ * The store is hydrated from Inertia shared props (`props.auth.can`) and from any
+ * per-resource `can` maps a controller serialized onto a resource. `can(...)` then
+ * answers SYNCHRONOUSLY from the cache — no network request — and only falls back
+ * (configurable: fetch the `/authz/can` endpoint, or deny) when the ability/resource
+ * is genuinely unknown.
+ *
+ * No dependency on React/Vue/NestJS/Inertia — `-react`, `-inertia`, and the codegen
+ * client can all reuse this.
+ *
+ * @module store
+ */
+/** Build the cache key for a per-instance decision. */
+function resourceKey(ref) {
+    return `${ref.type}#${ref.id ?? ''}`;
+}
+/**
+ * In-memory store of class-level abilities + per-resource `can` maps.
+ *
+ * Class abilities are keyed by ability name; per-resource maps are keyed by
+ * `type#id` then ability name.
+ */
+export class AbilityStore {
+    classAbilities = {};
+    resourceAbilities = new Map();
+    /** Replace the class-level ability map. */
+    setClassAbilities(map) {
+        for (const k of Object.keys(this.classAbilities))
+            delete this.classAbilities[k];
+        Object.assign(this.classAbilities, map);
+        return this;
+    }
+    /** Merge additional class-level abilities (does not clear existing). */
+    mergeClassAbilities(map) {
+        Object.assign(this.classAbilities, map);
+        return this;
+    }
+    /** Store a per-instance `can` map for a resource. */
+    setResourceAbilities(ref, map) {
+        this.resourceAbilities.set(resourceKey(ref), { ...map });
+        return this;
+    }
+    /** True when `ability` (optionally on `resource`) has a cached verdict. */
+    has(ability, resource) {
+        if (resource) {
+            const map = this.resourceAbilities.get(resourceKey(resource));
+            return map !== undefined && map[ability] !== undefined;
+        }
+        return this.classAbilities[ability] !== undefined;
+    }
+    /**
+     * Synchronous lookup. Returns the cached verdict, or `undefined` when unknown.
+     * Never performs I/O.
+     */
+    peek(ability, resource) {
+        if (resource) {
+            const map = this.resourceAbilities.get(resourceKey(resource));
+            return map?.[ability];
+        }
+        return this.classAbilities[ability];
+    }
+    /** Empty the store. */
+    clear() {
+        for (const k of Object.keys(this.classAbilities))
+            delete this.classAbilities[k];
+        this.resourceAbilities.clear();
+        return this;
+    }
+}
+/**
+ * Hydrate `store` from Inertia shared props. Reads `props.<propKey>.can` for the
+ * class-level abilities. Per-resource maps are hydrated separately via
+ * {@link hydrateResource} (a resource's `can` lives on the serialized resource,
+ * whose `type`/`id` only the caller knows).
+ */
+export function hydrateFromInertiaProps(store, props, propKey = 'auth') {
+    const bag = props?.[propKey];
+    if (bag?.can)
+        store.mergeClassAbilities(bag.can);
+    return store;
+}
+/**
+ * Hydrate a single resource's per-instance `can` map (e.g. from a serialized
+ * `{ ...post, can }`). `ref` identifies the instance (`type#id`).
+ */
+export function hydrateResource(store, ref, can) {
+    if (can)
+        store.setResourceAbilities(ref, can);
+    return store;
+}
+/**
+ * Build a `can(ability, resource?)` bound to `store`.
+ *
+ * - **Cache hit** → returns the cached `boolean` synchronously (NO request).
+ * - **Cache miss, `fallback: 'deny'`** (default) → returns `false` synchronously.
+ * - **Cache miss, `fallback: 'fetch'`** → POSTs `{ ability, resource }` to the
+ *   endpoint and returns a `Promise<boolean>` from `{ allowed }`.
+ *
+ * **Resource-bound decisions and the fetch fallback:** per-instance decisions
+ * (`can(ability, { type, id })`) MUST be hydrated via shared props /
+ * `authorizeResource` (tiers 1-2). The `POST /authz/can` fetch fallback only
+ * resolves class-level abilities and ad-hoc gates — the `{ type, id }` shim it
+ * sends never matches a `@Policy` by constructor, so a resource-bound ability
+ * that misses the cache will DENY. On such a miss this logs a one-time
+ * `console.warn` so the silent deny is debuggable.
+ */
+export function createCan(store, options = {}) {
+    const fallback = options.fallback ?? 'deny';
+    const endpoint = options.endpoint ?? '/authz/can';
+    let warnedResourceFetch = false;
+    return (ability, resource) => {
+        const cached = store.peek(ability, resource);
+        if (cached !== undefined)
+            return cached;
+        if (fallback === 'deny')
+            return false;
+        // A resource-bound ability that misses the cache cannot be resolved by the
+        // endpoint fallback (the {type,id} shim never matches a @Policy). Warn once.
+        if (resource && !warnedResourceFetch) {
+            warnedResourceFetch = true;
+            const id = JSON.stringify(resource.id ?? null);
+            console.warn(`[nestjs-authz] can('${ability}', { type: '${resource.type}', id: ${id} }) missed the cache and fell through to the '${endpoint}' fetch fallback, which cannot resolve per-instance policy decisions and will DENY. Hydrate resource decisions via shared props / authorizeResource (tiers 1-2) instead.`);
+        }
+        const doFetch = options.fetchImpl ?? globalThis.fetch;
+        if (typeof doFetch !== 'function')
+            return false;
+        return doFetch(endpoint, {
+            method: 'POST',
+            headers: { 'content-type': 'application/json' },
+            body: JSON.stringify({
+                ability,
+                resource: resource ? { type: resource.type, id: resource.id ?? null } : null,
+            }),
+        })
+            .then((res) => (res.ok ? res.json() : null))
+            .then((data) => data?.allowed === true)
+            .catch(() => false);
+    };
+}
+//# sourceMappingURL=store.js.map

package/dist/store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.js","sourceRoot":"","sources":["../src/store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAmCH,uDAAuD;AACvD,SAAS,WAAW,CAAC,GAAgB;IACnC,OAAO,GAAG,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,EAAE,IAAI,EAAE,EAAE,CAAC;AACvC,CAAC;AAED;;;;;GAKG;AACH,MAAM,OAAO,YAAY;IACN,cAAc,GAAW,EAAE,CAAC;IAC5B,iBAAiB,GAAG,IAAI,GAAG,EAAkB,CAAC;IAE/D,2CAA2C;IAC3C,iBAAiB,CAAC,GAAW;QAC3B,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC;YAAE,OAAO,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC;QAChF,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,cAAc,EAAE,GAAG,CAAC,CAAC;QACxC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,wEAAwE;IACxE,mBAAmB,CAAC,GAAW;QAC7B,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,cAAc,EAAE,GAAG,CAAC,CAAC;QACxC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,qDAAqD;IACrD,oBAAoB,CAAC,GAAgB,EAAE,GAAW;QAChD,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC;QACzD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,2EAA2E;IAC3E,GAAG,CAAC,OAAe,EAAE,QAAsB;QACzC,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,GAAG,GAAG,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC;YAC9D,OAAO,GAAG,KAAK,SAAS,IAAI,GAAG,CAAC,OAAO,CAAC,KAAK,SAAS,CAAC;QACzD,CAAC;QACD,OAAO,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,KAAK,SAAS,CAAC;IACpD,CAAC;IAED;;;OAGG;IACH,IAAI,CAAC,OAAe,EAAE,QAAsB;QAC1C,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,GAAG,GAAG,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC;YAC9D,OAAO,GAAG,EAAE,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;QACD,OAAO,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;IACtC,CAAC;IAED,uBAAuB;IACvB,KAAK;QACH,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC;YAAE,OAAO,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC;QAChF,IAAI,CAAC,iBAAiB,CAAC,KAAK,EAAE,CAAC;QAC/B,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAED;;;;;GAKG;AACH,MAAM,UAAU,uBAAuB,CACrC,KAAmB,EACnB,KAAyC,EACzC,OAAO,GAAG,MAAM;IAEhB,MAAM,GAAG,GAAI,KAAoD,EAAE,CAAC,OAAO,CAE9D,CAAC;IACd,IAAI,GAAG,EAAE,GAAG;QAAE,KAAK,CAAC,mBAAmB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACjD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAC7B,KAAmB,EACnB,GAAgB,EAChB,GAA8B;IAE9B,IAAI,GAAG;QAAE,KAAK,CAAC,oBAAoB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAC9C,OAAO,KAAK,CAAC;AACf,CAAC;AASD;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,SAAS,CAAC,KAAmB,EAAE,UAA+B,EAAE;IAC9E,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,MAAM,CAAC;IAC5C,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,YAAY,CAAC;IAClD,IAAI,mBAAmB,GAAG,KAAK,CAAC;IAEhC,OAAO,CAAC,OAAe,EAAE,QAAsB,EAA8B,EAAE;QAC7E,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC7C,IAAI,MAAM,KAAK,SAAS;YAAE,OAAO,MAAM,CAAC;QAExC,IAAI,QAAQ,KAAK,MAAM;YAAE,OAAO,KAAK,CAAC;QAEtC,2EAA2E;QAC3E,6EAA6E;QAC7E,IAAI,QAAQ,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACrC,mBAAmB,GAAG,IAAI,CAAC;YAC3B,MAAM,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,IAAI,IAAI,CAAC,CAAC;YAC/C,OAAO,CAAC,IAAI,CACV,uBAAuB,OAAO,eAAe,QAAQ,CAAC,IAAI,UAAU,EAAE,iDAAiD,QAAQ,0KAA0K,CAC1S,CAAC;QACJ,CAAC;QAED,MAAM,OAAO,GAAG,OAAO,CAAC,SAAS,IAAI,UAAU,CAAC,KAAK,CAAC;QACtD,IAAI,OAAO,OAAO,KAAK,UAAU;YAAE,OAAO,KAAK,CAAC;QAEhD,OAAO,OAAO,CAAC,QAAQ,EAAE;YACvB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,OAAO;gBACP,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE,EAAE,EAAE,QAAQ,CAAC,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI;aAC7E,CAAC;SACH,CAAC;aACC,IAAI,CAAC,CAAC,GAAa,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAE,GAAG,CAAC,IAAI,EAAqC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;aACzF,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,EAAE,OAAO,KAAK,IAAI,CAAC;aACtC,KAAK,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC;IACxB,CAAC,CAAC;AACJ,CAAC"}

package/package.json

@@ -0,0 +1,48 @@
+{
+  "name": "@dudousxd/nestjs-authz-client",
+  "version": "0.1.0",
+  "description": "Framework-neutral, in-memory ability store + can() resolver for @dudousxd/nestjs-authz — hydrate decisions once and answer client checks with no network request.",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/DavideCarvalho/nestjs-authz.git",
+    "directory": "packages/client"
+  },
+  "author": "Davi Carvalho <davi@goflip.ai>",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist/",
+    "README.md",
+    "CHANGELOG.md"
+  ],
+  "devDependencies": {
+    "typescript": "^5.4.0",
+    "vitest": "^3.0.0"
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "keywords": [
+    "nestjs",
+    "authorization",
+    "authz",
+    "abilities",
+    "can",
+    "client"
+  ],
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "test": "vitest run --passWithNoTests",
+    "test:watch": "vitest",
+    "typecheck": "tsc -p tsconfig.json --noEmit"
+  }
+}