@dudousxd/nestjs-authz-mikro-orm 0.2.0

package/CHANGELOG.md

@@ -0,0 +1,13 @@
+# @dudousxd/nestjs-authz-mikro-orm
+
+## 0.2.0
+
+### Minor Changes
+
+- [#4](https://github.com/DavideCarvalho/nestjs-authz/pull/4) [`8b7711d`](https://github.com/DavideCarvalho/nestjs-authz/commit/8b7711d11bdb25b3407fea742f6c1158afb36296) Thanks [@DavideCarvalho](https://github.com/DavideCarvalho)! - New package: `@dudousxd/nestjs-authz-mikro-orm` — a MikroORM RBAC persistence adapter
+  mirroring `@dudousxd/nestjs-authz-typeorm`. Ships Role/Permission/RolePermission/UserRole
+  entities (user referenced by id only), a `MikroOrmAuthzStore` POJO with the same method
+  surface, `AuthzRbacModule.forRoot/forRootAsync` registering the core `ROLE_PROVIDER` +
+  `PERMISSION_PROVIDER` seams, and non-destructive `ensureAuthzSchema` (native
+  `updateSchema({ safe: true })`) with an `authzSchemaSql` migration helper. `autoCreateSchema`
+  defaults to true.

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Davi Carvalho
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,93 @@
+# @dudousxd/nestjs-authz-mikro-orm
+
+MikroORM RBAC persistence for [`@dudousxd/nestjs-authz`](https://github.com/DavideCarvalho/nestjs-authz) —
+roles, permissions, and a Gate seam, with **zero connection ownership** (your app owns the
+`EntityManager`; this package never opens a connection).
+
+This is the MikroORM sibling of `@dudousxd/nestjs-authz-typeorm`: identical store surface
+and `AuthzRbacModule`, backed by MikroORM entities.
+
+## Install
+
+```bash
+pnpm add @dudousxd/nestjs-authz-mikro-orm @dudousxd/nestjs-authz @mikro-orm/core @mikro-orm/nestjs
+```
+
+## Entities
+
+The package ships four entities (referencing the user **by id only** — it never owns a
+users table):
+
+- `RoleEntity` → `authz_roles`
+- `PermissionEntity` → `authz_permissions`
+- `RolePermissionEntity` → `authz_role_permission` (pivot)
+- `UserRoleEntity` → `authz_user_role` (pivot, keyed by `userType` + `userId`)
+
+Register them with your ORM so MikroORM can discover them:
+
+```ts
+import { AUTHZ_ENTITIES } from '@dudousxd/nestjs-authz-mikro-orm';
+
+await MikroORM.init({ entities: [...AUTHZ_ENTITIES /* , your entities */] });
+```
+
+> BYO table names: MikroORM resolves table names from entity metadata at discovery time,
+> so override them by re-decorating these entities with your own `@Entity({ tableName })`;
+> the store + schema helpers operate purely through the `EntityManager` and never assume a
+> literal name.
+
+## Usage
+
+```ts
+import {
+  AuthzRbacModule,
+  MikroOrmAuthzStore,
+} from '@dudousxd/nestjs-authz-mikro-orm';
+import { EntityManager } from '@mikro-orm/core';
+
+@Module({
+  imports: [
+    AuthzRbacModule.forRootAsync({
+      inject: [EntityManager],
+      useFactory: (em: EntityManager) => ({
+        store: new MikroOrmAuthzStore(em),
+        // autoCreateSchema defaults to true (non-destructive `updateSchema({ safe: true })`)
+      }),
+    }),
+  ],
+})
+export class AppModule {}
+```
+
+Once wired, the Gate consults persisted RBAC:
+
+```ts
+await store.givePermissionToRole('editor', 'posts.publish');
+await store.assignRole({ type: 'user', id: 7 }, 'editor');
+
+gate.forUser(user).allows('posts.publish'); // true (PERMISSION_PROVIDER seam)
+gate.forUser(user).hasRole('editor');       // true (ROLE_PROVIDER seam)
+```
+
+## Schema
+
+`autoCreateSchema` (default `true`) runs `ensureAuthzSchema` on `onModuleInit` via MikroORM's
+native **`updateSchema({ safe: true })`** — it creates missing tables and ADDs missing columns,
+but never drops/alters/renames existing ones, so it is safe to run on every boot.
+
+To manage the schema with MikroORM migrations instead, set `autoCreateSchema: false` and use
+the SQL helper:
+
+```ts
+import { authzSchemaSql } from '@dudousxd/nestjs-authz-mikro-orm';
+
+export class AddAuthz extends Migration {
+  async up() {
+    this.addSql(await authzSchemaSql(this.getEntityManager().getOrm()));
+  }
+}
+```
+
+## License
+
+MIT

package/dist/authz-rbac.module.d.ts

@@ -0,0 +1,46 @@
+import { type DynamicModule } from '@nestjs/common';
+import type { MikroOrmAuthzStore } from './mikro-orm-authz.store.js';
+import type { UserRef } from './types.js';
+/** Injection token holding the {@link MikroOrmAuthzStore} the RBAC module manages. */
+export declare const AUTHZ_RBAC_STORE: unique symbol;
+/** Injection token holding the resolved {@link AuthzRbacModuleOptions}. */
+export declare const AUTHZ_RBAC_OPTIONS: unique symbol;
+/**
+ * Map the Gate's current user (whatever the app's auth layer produced) to a
+ * {@link UserRef} the store can key on. Defaults to reading `{ type, id }` / `{ id }`.
+ */
+export type UserRefMapper = (user: unknown) => UserRef | undefined;
+export interface AuthzRbacModuleOptions {
+    /** The MikroORM RBAC store (built with the app-provided EntityManager). */
+    store: MikroOrmAuthzStore;
+    /**
+     * Run `ensureAuthzSchema` on bootstrap (default `true`, non-destructive). Set `false`
+     * to manage the schema via MikroORM migrations (`authzSchemaSql` helper).
+     */
+    autoCreateSchema?: boolean;
+    /**
+     * Derive a {@link UserRef} from the Gate's current user. Defaults to
+     * {@link defaultUserRefMapper} (`{ type, id }` or `{ id }`).
+     */
+    userRefFrom?: UserRefMapper;
+}
+export interface AuthzRbacModuleAsyncOptions {
+    imports?: unknown[];
+    inject?: unknown[];
+    useFactory: (...args: unknown[]) => Promise<AuthzRbacModuleOptions> | AuthzRbacModuleOptions;
+}
+/** Default mapping: accept a `{ type, id }` ref, a `{ id }` object, or a bare id. */
+export declare function defaultUserRefMapper(user: unknown): UserRef | undefined;
+/**
+ * Wires persisted RBAC into the core authz Gate. The app provides the `EntityManager`
+ * (via `inject`/`useFactory`) and constructs the {@link MikroOrmAuthzStore} — this module
+ * NEVER hardcodes a connection token. On init it registers the RBAC permission check into
+ * the Gate via the {@link PERMISSION_PROVIDER} seam, so `gate.allows('some.permission')`
+ * consults persisted permissions, and (by default) ensures the schema exists.
+ */
+export declare class AuthzRbacModule {
+    static forRoot(options: AuthzRbacModuleOptions): DynamicModule;
+    static forRootAsync(options: AuthzRbacModuleAsyncOptions): DynamicModule;
+    private static commonProviders;
+}
+//# sourceMappingURL=authz-rbac.module.d.ts.map

package/dist/authz-rbac.module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authz-rbac.module.d.ts","sourceRoot":"","sources":["../src/authz-rbac.module.ts"],"names":[],"mappings":"AAMA,OAAO,EACL,KAAK,aAAa,EAQnB,MAAM,gBAAgB,CAAC;AACxB,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AACrE,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAE1C,sFAAsF;AACtF,eAAO,MAAM,gBAAgB,eAAuD,CAAC;AACrF,2EAA2E;AAC3E,eAAO,MAAM,kBAAkB,eAAyD,CAAC;AAEzF;;;GAGG;AACH,MAAM,MAAM,aAAa,GAAG,CAAC,IAAI,EAAE,OAAO,KAAK,OAAO,GAAG,SAAS,CAAC;AAEnE,MAAM,WAAW,sBAAsB;IACrC,2EAA2E;IAC3E,KAAK,EAAE,kBAAkB,CAAC;IAC1B;;;OAGG;IACH,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B;;;OAGG;IACH,WAAW,CAAC,EAAE,aAAa,CAAC;CAC7B;AAED,MAAM,WAAW,2BAA2B;IAC1C,OAAO,CAAC,EAAE,OAAO,EAAE,CAAC;IACpB,MAAM,CAAC,EAAE,OAAO,EAAE,CAAC;IACnB,UAAU,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC,sBAAsB,CAAC,GAAG,sBAAsB,CAAC;CAC9F;AAED,qFAAqF;AACrF,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,OAAO,GAAG,OAAO,GAAG,SAAS,CAOvE;AAuDD;;;;;;GAMG;AACH,qBACa,eAAe;IAC1B,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,sBAAsB,GAAG,aAAa;IAa9D,MAAM,CAAC,YAAY,CAAC,OAAO,EAAE,2BAA2B,GAAG,aAAa;IAsBxE,OAAO,CAAC,MAAM,CAAC,eAAe;CAS/B"}

package/dist/authz-rbac.module.js

@@ -0,0 +1,158 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+var AuthzRbacModule_1;
+import { PERMISSION_PROVIDER, ROLE_PROVIDER, } from '@dudousxd/nestjs-authz';
+import { Inject, Injectable, Module, Optional, } from '@nestjs/common';
+/** Injection token holding the {@link MikroOrmAuthzStore} the RBAC module manages. */
+export const AUTHZ_RBAC_STORE = Symbol.for('@dudousxd/nestjs-authz-mikro-orm:store');
+/** Injection token holding the resolved {@link AuthzRbacModuleOptions}. */
+export const AUTHZ_RBAC_OPTIONS = Symbol.for('@dudousxd/nestjs-authz-mikro-orm:options');
+/** Default mapping: accept a `{ type, id }` ref, a `{ id }` object, or a bare id. */
+export function defaultUserRefMapper(user) {
+    if (user == null)
+        return undefined;
+    if (typeof user === 'string' || typeof user === 'number')
+        return user;
+    const u = user;
+    if (u.id == null)
+        return undefined;
+    const id = u.id;
+    return typeof u.type === 'string' ? { type: u.type, id } : { id };
+}
+/**
+ * The RBAC {@link PermissionProvider} the Gate consults (via the shared
+ * {@link PERMISSION_PROVIDER} token). Grants a named ability when the current user holds
+ * the matching persisted permission — the Laravel/spatie `Gate::before` grant.
+ */
+let RbacPermissionProvider = class RbacPermissionProvider {
+    options;
+    constructor(options) {
+        this.options = options;
+    }
+    // The core `PermissionProvider` interface passes an optional `resource` (3rd
+    // arg); it is intentionally ignored here. RBAC grants are model-less,
+    // named-ability grants (the Laravel/spatie `Gate::before` grant), so the
+    // verdict never depends on a specific resource instance.
+    async hasPermission(user, permission) {
+        const map = this.options.userRefFrom ?? defaultUserRefMapper;
+        const ref = map(user);
+        if (ref === undefined)
+            return undefined;
+        return this.options.store.userHasPermission(ref, permission);
+    }
+};
+RbacPermissionProvider = __decorate([
+    Injectable(),
+    __param(0, Inject(AUTHZ_RBAC_OPTIONS)),
+    __metadata("design:paramtypes", [Object])
+], RbacPermissionProvider);
+/**
+ * The RBAC {@link RoleProvider} the Gate consults (via the shared {@link ROLE_PROVIDER}
+ * token) for coarse role-checks (`gate.hasRole('teacher')`, `@Roles('admin')`). Returns
+ * the role names the current user holds in the persisted store. Core unions these with
+ * any roles read off the user object by the default `RoleResolver`.
+ */
+let RbacRoleProvider = class RbacRoleProvider {
+    options;
+    constructor(options) {
+        this.options = options;
+    }
+    async getRoles(user) {
+        const map = this.options.userRefFrom ?? defaultUserRefMapper;
+        const ref = map(user);
+        if (ref === undefined)
+            return undefined;
+        return this.options.store.getRolesForUser(ref);
+    }
+};
+RbacRoleProvider = __decorate([
+    Injectable(),
+    __param(0, Inject(AUTHZ_RBAC_OPTIONS)),
+    __metadata("design:paramtypes", [Object])
+], RbacRoleProvider);
+/** Runs `ensureAuthzSchema` on bootstrap when `autoCreateSchema` is not disabled. */
+let AuthzRbacBootstrap = class AuthzRbacBootstrap {
+    options;
+    constructor(options) {
+        this.options = options;
+    }
+    async onModuleInit() {
+        if (!this.options)
+            return;
+        if (this.options.autoCreateSchema === false)
+            return;
+        await this.options.store.ensureSchema();
+    }
+};
+AuthzRbacBootstrap = __decorate([
+    Injectable(),
+    __param(0, Optional()),
+    __param(0, Inject(AUTHZ_RBAC_OPTIONS)),
+    __metadata("design:paramtypes", [Object])
+], AuthzRbacBootstrap);
+/**
+ * Wires persisted RBAC into the core authz Gate. The app provides the `EntityManager`
+ * (via `inject`/`useFactory`) and constructs the {@link MikroOrmAuthzStore} — this module
+ * NEVER hardcodes a connection token. On init it registers the RBAC permission check into
+ * the Gate via the {@link PERMISSION_PROVIDER} seam, so `gate.allows('some.permission')`
+ * consults persisted permissions, and (by default) ensures the schema exists.
+ */
+let AuthzRbacModule = AuthzRbacModule_1 = class AuthzRbacModule {
+    static forRoot(options) {
+        return {
+            module: AuthzRbacModule_1,
+            global: true,
+            providers: [
+                { provide: AUTHZ_RBAC_OPTIONS, useValue: options },
+                { provide: AUTHZ_RBAC_STORE, useValue: options.store },
+                ...AuthzRbacModule_1.commonProviders(),
+            ],
+            exports: [AUTHZ_RBAC_STORE, PERMISSION_PROVIDER, ROLE_PROVIDER],
+        };
+    }
+    static forRootAsync(options) {
+        return {
+            module: AuthzRbacModule_1,
+            global: true,
+            imports: (options.imports ?? []),
+            providers: [
+                {
+                    provide: AUTHZ_RBAC_OPTIONS,
+                    useFactory: options.useFactory,
+                    inject: (options.inject ?? []),
+                },
+                {
+                    provide: AUTHZ_RBAC_STORE,
+                    useFactory: (opts) => opts.store,
+                    inject: [AUTHZ_RBAC_OPTIONS],
+                },
+                ...AuthzRbacModule_1.commonProviders(),
+            ],
+            exports: [AUTHZ_RBAC_STORE, PERMISSION_PROVIDER, ROLE_PROVIDER],
+        };
+    }
+    static commonProviders() {
+        return [
+            RbacPermissionProvider,
+            { provide: PERMISSION_PROVIDER, useExisting: RbacPermissionProvider },
+            RbacRoleProvider,
+            { provide: ROLE_PROVIDER, useExisting: RbacRoleProvider },
+            AuthzRbacBootstrap,
+        ];
+    }
+};
+AuthzRbacModule = AuthzRbacModule_1 = __decorate([
+    Module({})
+], AuthzRbacModule);
+export { AuthzRbacModule };
+//# sourceMappingURL=authz-rbac.module.js.map

package/dist/authz-rbac.module.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authz-rbac.module.js","sourceRoot":"","sources":["../src/authz-rbac.module.ts"],"names":[],"mappings":";;;;;;;;;;;;;AAAA,OAAO,EACL,mBAAmB,EAEnB,aAAa,GAEd,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAEL,MAAM,EACN,UAAU,EACV,MAAM,EAEN,QAAQ,GAGT,MAAM,gBAAgB,CAAC;AAIxB,sFAAsF;AACtF,MAAM,CAAC,MAAM,gBAAgB,GAAG,MAAM,CAAC,GAAG,CAAC,wCAAwC,CAAC,CAAC;AACrF,2EAA2E;AAC3E,MAAM,CAAC,MAAM,kBAAkB,GAAG,MAAM,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;AA6BzF,qFAAqF;AACrF,MAAM,UAAU,oBAAoB,CAAC,IAAa;IAChD,IAAI,IAAI,IAAI,IAAI;QAAE,OAAO,SAAS,CAAC;IACnC,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACtE,MAAM,CAAC,GAAG,IAAwC,CAAC;IACnD,IAAI,CAAC,CAAC,EAAE,IAAI,IAAI;QAAE,OAAO,SAAS,CAAC;IACnC,MAAM,EAAE,GAAG,CAAC,CAAC,EAAqB,CAAC;IACnC,OAAO,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC;AACpE,CAAC;AAED;;;;GAIG;AACH,IACM,sBAAsB,GAD5B,MACM,sBAAsB;IAC+B;IAAzD,YAAyD,OAA+B;QAA/B,YAAO,GAAP,OAAO,CAAwB;IAAG,CAAC;IAE5F,6EAA6E;IAC7E,sEAAsE;IACtE,yEAAyE;IACzE,yDAAyD;IACzD,KAAK,CAAC,aAAa,CAAC,IAAa,EAAE,UAAkB;QACnD,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,IAAI,oBAAoB,CAAC;QAC7D,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC;QACtB,IAAI,GAAG,KAAK,SAAS;YAAE,OAAO,SAAS,CAAC;QACxC,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,iBAAiB,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;IAC/D,CAAC;CACF,CAAA;AAbK,sBAAsB;IAD3B,UAAU,EAAE;IAEE,WAAA,MAAM,CAAC,kBAAkB,CAAC,CAAA;;GADnC,sBAAsB,CAa3B;AAED;;;;;GAKG;AACH,IACM,gBAAgB,GADtB,MACM,gBAAgB;IACqC;IAAzD,YAAyD,OAA+B;QAA/B,YAAO,GAAP,OAAO,CAAwB;IAAG,CAAC;IAE5F,KAAK,CAAC,QAAQ,CAAC,IAAa;QAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,IAAI,oBAAoB,CAAC;QAC7D,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC;QACtB,IAAI,GAAG,KAAK,SAAS;YAAE,OAAO,SAAS,CAAC;QACxC,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;IACjD,CAAC;CACF,CAAA;AATK,gBAAgB;IADrB,UAAU,EAAE;IAEE,WAAA,MAAM,CAAC,kBAAkB,CAAC,CAAA;;GADnC,gBAAgB,CASrB;AAED,qFAAqF;AACrF,IACM,kBAAkB,GADxB,MACM,kBAAkB;IAEqC;IAD3D,YAC2D,OAAgC;QAAhC,YAAO,GAAP,OAAO,CAAyB;IACxF,CAAC;IAEJ,KAAK,CAAC,YAAY;QAChB,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,OAAO;QAC1B,IAAI,IAAI,CAAC,OAAO,CAAC,gBAAgB,KAAK,KAAK;YAAE,OAAO;QACpD,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC;IAC1C,CAAC;CACF,CAAA;AAVK,kBAAkB;IADvB,UAAU,EAAE;IAGR,WAAA,QAAQ,EAAE,CAAA;IAAE,WAAA,MAAM,CAAC,kBAAkB,CAAC,CAAA;;GAFrC,kBAAkB,CAUvB;AAED;;;;;;GAMG;AAEI,IAAM,eAAe,uBAArB,MAAM,eAAe;IAC1B,MAAM,CAAC,OAAO,CAAC,OAA+B;QAC5C,OAAO;YACL,MAAM,EAAE,iBAAe;YACvB,MAAM,EAAE,IAAI;YACZ,SAAS,EAAE;gBACT,EAAE,OAAO,EAAE,kBAAkB,EAAE,QAAQ,EAAE,OAAO,EAAE;gBAClD,EAAE,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,OAAO,CAAC,KAAK,EAAE;gBACtD,GAAG,iBAAe,CAAC,eAAe,EAAE;aACrC;YACD,OAAO,EAAE,CAAC,gBAAgB,EAAE,mBAAmB,EAAE,aAAa,CAAC;SAChE,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,YAAY,CAAC,OAAoC;QACtD,OAAO;YACL,MAAM,EAAE,iBAAe;YACvB,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,CAAoB;YACnD,SAAS,EAAE;gBACT;oBACE,OAAO,EAAE,kBAAkB;oBAC3B,UAAU,EAAE,OAAO,CAAC,UAAU;oBAC9B,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAyB;iBACvD;gBACD;oBACE,OAAO,EAAE,gBAAgB;oBACzB,UAAU,EAAE,CAAC,IAA4B,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK;oBACxD,MAAM,EAAE,CAAC,kBAAkB,CAAC;iBAC7B;gBACD,GAAG,iBAAe,CAAC,eAAe,EAAE;aACrC;YACD,OAAO,EAAE,CAAC,gBAAgB,EAAE,mBAAmB,EAAE,aAAa,CAAC;SAChE,CAAC;IACJ,CAAC;IAEO,MAAM,CAAC,eAAe;QAC5B,OAAO;YACL,sBAAsB;YACtB,EAAE,OAAO,EAAE,mBAAmB,EAAE,WAAW,EAAE,sBAAsB,EAAE;YACrE,gBAAgB;YAChB,EAAE,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,gBAAgB,EAAE;YACzD,kBAAkB;SACnB,CAAC;IACJ,CAAC;CACF,CAAA;AA7CY,eAAe;IAD3B,MAAM,CAAC,EAAE,CAAC;GACE,eAAe,CA6C3B"}

package/dist/entities.d.ts

@@ -0,0 +1,56 @@
+/**
+ * Default table names — the entities below carry these as their `tableName`. MikroORM
+ * resolves the physical table from the entity metadata (not at runtime), so an app that
+ * wants different names re-decorates these entities; the store + schema helpers operate
+ * purely through the EntityManager and never assume a literal name.
+ */
+export declare const DEFAULT_TABLE_NAMES: {
+    readonly roles: "authz_roles";
+    readonly permissions: "authz_permissions";
+    readonly rolePermission: "authz_role_permission";
+    readonly userRole: "authz_user_role";
+};
+/**
+ * A named role (e.g. `editor`). Permissions are attached via {@link RolePermissionEntity};
+ * users are attached via {@link UserRoleEntity}.
+ *
+ * Every column declares an explicit `type` instead of relying on `emitDecoratorMetadata`
+ * reflection, so the entity discovers correctly even when the consuming app compiles with
+ * SWC/esbuild/Vite (which don't emit decorator metadata).
+ *
+ * Forward-compat rule: any column added to these entities AFTER v1 MUST be nullable or
+ * carry a default — `ensureAuthzSchema` only ever runs the non-destructive `safe` diff
+ * (create table + add-missing-column), and `ADD COLUMN NOT NULL` without a default fails
+ * on a populated table.
+ */
+export declare class RoleEntity {
+    id: string;
+    name: string;
+    guard?: string | null;
+    createdAt: Date;
+}
+/** A named permission (e.g. `posts.publish`). Granted to roles via {@link RolePermissionEntity}. */
+export declare class PermissionEntity {
+    id: string;
+    name: string;
+    guard?: string | null;
+    createdAt: Date;
+}
+/** Pivot: role ↔ permission. Composite PK `(roleId, permissionId)`. */
+export declare class RolePermissionEntity {
+    roleId: string;
+    permissionId: string;
+}
+/**
+ * Pivot: user ↔ role. References the user BY ID ONLY — this package NEVER defines or
+ * owns a users table. `userType` lets the same table key polymorphic principals
+ * (mirrors nestjs-context's `UserRef` shape).
+ */
+export declare class UserRoleEntity {
+    userType: string;
+    userId: string;
+    roleId: string;
+}
+/** All entities, in dependency order — convenient for `entities: [...]` registration. */
+export declare const AUTHZ_ENTITIES: readonly [typeof RoleEntity, typeof PermissionEntity, typeof RolePermissionEntity, typeof UserRoleEntity];
+//# sourceMappingURL=entities.d.ts.map

package/dist/entities.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"entities.d.ts","sourceRoot":"","sources":["../src/entities.ts"],"names":[],"mappings":"AAEA;;;;;GAKG;AACH,eAAO,MAAM,mBAAmB;;;;;CAKtB,CAAC;AAEX;;;;;;;;;;;;GAYG;AACH,qBACa,UAAU;IAErB,EAAE,EAAG,MAAM,CAAC;IAIZ,IAAI,EAAG,MAAM,CAAC;IAGd,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAGtB,SAAS,EAAG,IAAI,CAAC;CAClB;AAED,oGAAoG;AACpG,qBACa,gBAAgB;IAE3B,EAAE,EAAG,MAAM,CAAC;IAIZ,IAAI,EAAG,MAAM,CAAC;IAGd,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAGtB,SAAS,EAAG,IAAI,CAAC;CAClB;AAED,uEAAuE;AACvE,qBACa,oBAAoB;IAE/B,MAAM,EAAG,MAAM,CAAC;IAGhB,YAAY,EAAG,MAAM,CAAC;CACvB;AAED;;;;GAIG;AACH,qBAEa,cAAc;IAEzB,QAAQ,EAAG,MAAM,CAAC;IAGlB,MAAM,EAAG,MAAM,CAAC;IAGhB,MAAM,EAAG,MAAM,CAAC;CACjB;AAED,yFAAyF;AACzF,eAAO,MAAM,cAAc,2GAKjB,CAAC"}

package/dist/entities.js

@@ -0,0 +1,142 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+import { Entity, Index, PrimaryKey, Property } from '@mikro-orm/core';
+/**
+ * Default table names — the entities below carry these as their `tableName`. MikroORM
+ * resolves the physical table from the entity metadata (not at runtime), so an app that
+ * wants different names re-decorates these entities; the store + schema helpers operate
+ * purely through the EntityManager and never assume a literal name.
+ */
+export const DEFAULT_TABLE_NAMES = {
+    roles: 'authz_roles',
+    permissions: 'authz_permissions',
+    rolePermission: 'authz_role_permission',
+    userRole: 'authz_user_role',
+};
+/**
+ * A named role (e.g. `editor`). Permissions are attached via {@link RolePermissionEntity};
+ * users are attached via {@link UserRoleEntity}.
+ *
+ * Every column declares an explicit `type` instead of relying on `emitDecoratorMetadata`
+ * reflection, so the entity discovers correctly even when the consuming app compiles with
+ * SWC/esbuild/Vite (which don't emit decorator metadata).
+ *
+ * Forward-compat rule: any column added to these entities AFTER v1 MUST be nullable or
+ * carry a default — `ensureAuthzSchema` only ever runs the non-destructive `safe` diff
+ * (create table + add-missing-column), and `ADD COLUMN NOT NULL` without a default fails
+ * on a populated table.
+ */
+let RoleEntity = class RoleEntity {
+    id;
+    name;
+    guard;
+    createdAt;
+};
+__decorate([
+    PrimaryKey({ type: 'string', length: 191 }),
+    __metadata("design:type", String)
+], RoleEntity.prototype, "id", void 0);
+__decorate([
+    Index({ name: 'authz_roles_name_uniq' }),
+    Property({ type: 'string', length: 191, unique: true }),
+    __metadata("design:type", String)
+], RoleEntity.prototype, "name", void 0);
+__decorate([
+    Property({ type: 'string', nullable: true }),
+    __metadata("design:type", Object)
+], RoleEntity.prototype, "guard", void 0);
+__decorate([
+    Property({ type: 'datetime' }),
+    __metadata("design:type", Date)
+], RoleEntity.prototype, "createdAt", void 0);
+RoleEntity = __decorate([
+    Entity({ tableName: DEFAULT_TABLE_NAMES.roles })
+], RoleEntity);
+export { RoleEntity };
+/** A named permission (e.g. `posts.publish`). Granted to roles via {@link RolePermissionEntity}. */
+let PermissionEntity = class PermissionEntity {
+    id;
+    name;
+    guard;
+    createdAt;
+};
+__decorate([
+    PrimaryKey({ type: 'string', length: 191 }),
+    __metadata("design:type", String)
+], PermissionEntity.prototype, "id", void 0);
+__decorate([
+    Index({ name: 'authz_permissions_name_uniq' }),
+    Property({ type: 'string', length: 191, unique: true }),
+    __metadata("design:type", String)
+], PermissionEntity.prototype, "name", void 0);
+__decorate([
+    Property({ type: 'string', nullable: true }),
+    __metadata("design:type", Object)
+], PermissionEntity.prototype, "guard", void 0);
+__decorate([
+    Property({ type: 'datetime' }),
+    __metadata("design:type", Date)
+], PermissionEntity.prototype, "createdAt", void 0);
+PermissionEntity = __decorate([
+    Entity({ tableName: DEFAULT_TABLE_NAMES.permissions })
+], PermissionEntity);
+export { PermissionEntity };
+/** Pivot: role ↔ permission. Composite PK `(roleId, permissionId)`. */
+let RolePermissionEntity = class RolePermissionEntity {
+    roleId;
+    permissionId;
+};
+__decorate([
+    PrimaryKey({ type: 'string', length: 191 }),
+    __metadata("design:type", String)
+], RolePermissionEntity.prototype, "roleId", void 0);
+__decorate([
+    PrimaryKey({ type: 'string', length: 191 }),
+    __metadata("design:type", String)
+], RolePermissionEntity.prototype, "permissionId", void 0);
+RolePermissionEntity = __decorate([
+    Entity({ tableName: DEFAULT_TABLE_NAMES.rolePermission })
+], RolePermissionEntity);
+export { RolePermissionEntity };
+/**
+ * Pivot: user ↔ role. References the user BY ID ONLY — this package NEVER defines or
+ * owns a users table. `userType` lets the same table key polymorphic principals
+ * (mirrors nestjs-context's `UserRef` shape).
+ */
+let UserRoleEntity = class UserRoleEntity {
+    userType;
+    userId;
+    roleId;
+};
+__decorate([
+    PrimaryKey({ type: 'string', length: 191 }),
+    __metadata("design:type", String)
+], UserRoleEntity.prototype, "userType", void 0);
+__decorate([
+    PrimaryKey({ type: 'string', length: 191 }),
+    __metadata("design:type", String)
+], UserRoleEntity.prototype, "userId", void 0);
+__decorate([
+    PrimaryKey({ type: 'string', length: 191 }),
+    __metadata("design:type", String)
+], UserRoleEntity.prototype, "roleId", void 0);
+UserRoleEntity = __decorate([
+    Entity({ tableName: DEFAULT_TABLE_NAMES.userRole }),
+    Index({ name: 'authz_user_role_user_idx', properties: ['userType', 'userId'] })
+], UserRoleEntity);
+export { UserRoleEntity };
+/** All entities, in dependency order — convenient for `entities: [...]` registration. */
+export const AUTHZ_ENTITIES = [
+    RoleEntity,
+    PermissionEntity,
+    RolePermissionEntity,
+    UserRoleEntity,
+];
+//# sourceMappingURL=entities.js.map

package/dist/entities.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"entities.js","sourceRoot":"","sources":["../src/entities.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAEtE;;;;;GAKG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG;IACjC,KAAK,EAAE,aAAa;IACpB,WAAW,EAAE,mBAAmB;IAChC,cAAc,EAAE,uBAAuB;IACvC,QAAQ,EAAE,iBAAiB;CACnB,CAAC;AAEX;;;;;;;;;;;;GAYG;AAEI,IAAM,UAAU,GAAhB,MAAM,UAAU;IAErB,EAAE,CAAU;IAIZ,IAAI,CAAU;IAGd,KAAK,CAAiB;IAGtB,SAAS,CAAQ;CAClB,CAAA;AAXC;IADC,UAAU,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;;sCAChC;AAIZ;IAFC,KAAK,CAAC,EAAE,IAAI,EAAE,uBAAuB,EAAE,CAAC;IACxC,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;;wCAC1C;AAGd;IADC,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;yCACvB;AAGtB;IADC,QAAQ,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;8BACnB,IAAI;6CAAC;AAZN,UAAU;IADtB,MAAM,CAAC,EAAE,SAAS,EAAE,mBAAmB,CAAC,KAAK,EAAE,CAAC;GACpC,UAAU,CAatB;;AAED,oGAAoG;AAE7F,IAAM,gBAAgB,GAAtB,MAAM,gBAAgB;IAE3B,EAAE,CAAU;IAIZ,IAAI,CAAU;IAGd,KAAK,CAAiB;IAGtB,SAAS,CAAQ;CAClB,CAAA;AAXC;IADC,UAAU,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;;4CAChC;AAIZ;IAFC,KAAK,CAAC,EAAE,IAAI,EAAE,6BAA6B,EAAE,CAAC;IAC9C,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;;8CAC1C;AAGd;IADC,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;+CACvB;AAGtB;IADC,QAAQ,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;8BACnB,IAAI;mDAAC;AAZN,gBAAgB;IAD5B,MAAM,CAAC,EAAE,SAAS,EAAE,mBAAmB,CAAC,WAAW,EAAE,CAAC;GAC1C,gBAAgB,CAa5B;;AAED,uEAAuE;AAEhE,IAAM,oBAAoB,GAA1B,MAAM,oBAAoB;IAE/B,MAAM,CAAU;IAGhB,YAAY,CAAU;CACvB,CAAA;AAJC;IADC,UAAU,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;;oDAC5B;AAGhB;IADC,UAAU,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;;0DACtB;AALX,oBAAoB;IADhC,MAAM,CAAC,EAAE,SAAS,EAAE,mBAAmB,CAAC,cAAc,EAAE,CAAC;GAC7C,oBAAoB,CAMhC;;AAED;;;;GAIG;AAGI,IAAM,cAAc,GAApB,MAAM,cAAc;IAEzB,QAAQ,CAAU;IAGlB,MAAM,CAAU;IAGhB,MAAM,CAAU;CACjB,CAAA;AAPC;IADC,UAAU,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;;gDAC1B;AAGlB;IADC,UAAU,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;;8CAC5B;AAGhB;IADC,UAAU,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;;8CAC5B;AARL,cAAc;IAF1B,MAAM,CAAC,EAAE,SAAS,EAAE,mBAAmB,CAAC,QAAQ,EAAE,CAAC;IACnD,KAAK,CAAC,EAAE,IAAI,EAAE,0BAA0B,EAAE,UAAU,EAAE,CAAC,UAAU,EAAE,QAAQ,CAAC,EAAE,CAAC;GACnE,cAAc,CAS1B;;AAED,yFAAyF;AACzF,MAAM,CAAC,MAAM,cAAc,GAAG;IAC5B,UAAU;IACV,gBAAgB;IAChB,oBAAoB;IACpB,cAAc;CACN,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,8 @@
+export { AUTHZ_ENTITIES, DEFAULT_TABLE_NAMES, PermissionEntity, RoleEntity, RolePermissionEntity, UserRoleEntity, } from './entities.js';
+export { authzSchemaSql, ensureAuthzSchema } from './schema.js';
+export { MikroOrmAuthzStore } from './mikro-orm-authz.store.js';
+export type { UserAuthz } from './mikro-orm-authz.store.js';
+export { AUTHZ_RBAC_OPTIONS, AUTHZ_RBAC_STORE, AuthzRbacModule, defaultUserRefMapper, } from './authz-rbac.module.js';
+export type { AuthzRbacModuleAsyncOptions, AuthzRbacModuleOptions, UserRefMapper, } from './authz-rbac.module.js';
+export type { AuthzStoreOptions, UserRef, UserRefInput } from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,cAAc,EACd,mBAAmB,EACnB,gBAAgB,EAChB,UAAU,EACV,oBAAoB,EACpB,cAAc,GACf,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChE,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,YAAY,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AAC5D,OAAO,EACL,kBAAkB,EAClB,gBAAgB,EAChB,eAAe,EACf,oBAAoB,GACrB,MAAM,wBAAwB,CAAC;AAChC,YAAY,EACV,2BAA2B,EAC3B,sBAAsB,EACtB,aAAa,GACd,MAAM,wBAAwB,CAAC;AAChC,YAAY,EAAE,iBAAiB,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -0,0 +1,5 @@
+export { AUTHZ_ENTITIES, DEFAULT_TABLE_NAMES, PermissionEntity, RoleEntity, RolePermissionEntity, UserRoleEntity, } from './entities.js';
+export { authzSchemaSql, ensureAuthzSchema } from './schema.js';
+export { MikroOrmAuthzStore } from './mikro-orm-authz.store.js';
+export { AUTHZ_RBAC_OPTIONS, AUTHZ_RBAC_STORE, AuthzRbacModule, defaultUserRefMapper, } from './authz-rbac.module.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,cAAc,EACd,mBAAmB,EACnB,gBAAgB,EAChB,UAAU,EACV,oBAAoB,EACpB,cAAc,GACf,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChE,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAEhE,OAAO,EACL,kBAAkB,EAClB,gBAAgB,EAChB,eAAe,EACf,oBAAoB,GACrB,MAAM,wBAAwB,CAAC"}

package/dist/mikro-orm-authz.store.d.ts

@@ -0,0 +1,51 @@
+import type { EntityManager } from '@mikro-orm/core';
+import type { UserRef } from './types.js';
+/**
+ * A user's effective permissions: the role names they hold and the flattened set of
+ * permission names granted by those roles.
+ */
+export interface UserAuthz {
+    roles: string[];
+    permissions: string[];
+}
+/**
+ * MikroORM-backed RBAC store. A plain POJO that receives the `EntityManager` in its
+ * constructor — NOT `@Injectable`, no internal connection token (the app owns the
+ * connection and plugs it via DI; see the persistence contract).
+ *
+ * The store works purely through the EntityManager + the registered entities, so it never
+ * assumes a literal table name — names are owned by the entity metadata. Every read forks
+ * the EM (`this.em.fork()`) so it is request-safe under MikroORM's identity-map rules.
+ */
+export declare class MikroOrmAuthzStore {
+    private readonly em;
+    constructor(em: EntityManager, _opts?: Record<string, never>);
+    /** Create/upgrade the RBAC tables (non-destructive, delegates to {@link ensureAuthzSchema}). */
+    ensureSchema(): Promise<void>;
+    /**
+     * Create the role if absent; returns its id. Idempotent and race-tolerant: it re-reads
+     * by the unique `name` after a create so two concurrent creators converge on the same row.
+     */
+    createRole(name: string): Promise<string>;
+    /** Create the permission if absent; returns its id. Idempotent and race-tolerant. */
+    createPermission(name: string): Promise<string>;
+    private findRoleId;
+    private findPermissionId;
+    /** Grant a permission to a role (creating both by name if needed). Idempotent. */
+    givePermissionToRole(roleName: string, permissionName: string): Promise<void>;
+    /** Revoke a permission from a role. No-op if either is absent or not linked. */
+    revokePermissionFromRole(roleName: string, permissionName: string): Promise<void>;
+    /** Assign a role to a user (creating the role by name if needed). Idempotent. */
+    assignRole(user: UserRef, roleName: string): Promise<void>;
+    /** Remove a role from a user. No-op if the role or assignment is absent. */
+    removeRole(user: UserRef, roleName: string): Promise<void>;
+    /** The role names a user holds. */
+    getRolesForUser(user: UserRef): Promise<string[]>;
+    /** The flattened, distinct permission names a user has via their roles. */
+    getPermissionsForUser(user: UserRef): Promise<string[]>;
+    /** A user's roles + effective permissions in one shot. */
+    getUserAuthz(user: UserRef): Promise<UserAuthz>;
+    /** True when the user holds `permission` through any of their roles. */
+    userHasPermission(user: UserRef, permission: string): Promise<boolean>;
+}
+//# sourceMappingURL=mikro-orm-authz.store.d.ts.map

package/dist/mikro-orm-authz.store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mikro-orm-authz.store.d.ts","sourceRoot":"","sources":["../src/mikro-orm-authz.store.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAY,MAAM,iBAAiB,CAAC;AAG/D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAU1C;;;GAGG;AACH,MAAM,WAAW,SAAS;IACxB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB;AAED;;;;;;;;GAQG;AACH,qBAAa,kBAAkB;IAI3B,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAAF,EAAE,EAAE,aAAa,EAClC,KAAK,GAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAM;IAGnC,gGAAgG;IAChG,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC;IAM7B;;;OAGG;IACG,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAoB/C,qFAAqF;IAC/E,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;YAoBvC,UAAU;YAKV,gBAAgB;IAO9B,kFAAkF;IAC5E,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAUnF,gFAAgF;IAC1E,wBAAwB,CAAC,QAAQ,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IASvF,iFAAiF;IAC3E,UAAU,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAUhE,4EAA4E;IACtE,UAAU,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAShE,mCAAmC;IAC7B,eAAe,CAAC,IAAI,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAUvD,2EAA2E;IACrE,qBAAqB,CAAC,IAAI,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAa7D,0DAA0D;IACpD,YAAY,CAAC,IAAI,EAAE,OAAO,GAAG,OAAO,CAAC,SAAS,CAAC;IAQrD,wEAAwE;IAClE,iBAAiB,CAAC,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;CAI7E"}

package/dist/mikro-orm-authz.store.js

@@ -0,0 +1,170 @@
+import { randomUUID } from 'node:crypto';
+import { PermissionEntity, RoleEntity, RolePermissionEntity, UserRoleEntity } from './entities.js';
+import { ensureAuthzSchema } from './schema.js';
+/** Normalize a {@link UserRef} to `{ type, id }` with `id` stringified. */
+function normalizeUserRef(ref) {
+    if (typeof ref === 'string' || typeof ref === 'number') {
+        return { type: 'user', id: String(ref) };
+    }
+    return { type: ref.type ?? 'user', id: String(ref.id) };
+}
+/**
+ * MikroORM-backed RBAC store. A plain POJO that receives the `EntityManager` in its
+ * constructor — NOT `@Injectable`, no internal connection token (the app owns the
+ * connection and plugs it via DI; see the persistence contract).
+ *
+ * The store works purely through the EntityManager + the registered entities, so it never
+ * assumes a literal table name — names are owned by the entity metadata. Every read forks
+ * the EM (`this.em.fork()`) so it is request-safe under MikroORM's identity-map rules.
+ */
+export class MikroOrmAuthzStore {
+    em;
+    // `opts` is reserved for forward-compat (parity with the TypeORM adapter's options); it is
+    // accepted but not yet consumed since MikroORM owns table names via entity metadata.
+    constructor(em, _opts = {}) {
+        this.em = em;
+    }
+    /** Create/upgrade the RBAC tables (non-destructive, delegates to {@link ensureAuthzSchema}). */
+    ensureSchema() {
+        return ensureAuthzSchema(this.em);
+    }
+    // --- roles & permissions (idempotent upserts by name) ---
+    /**
+     * Create the role if absent; returns its id. Idempotent and race-tolerant: it re-reads
+     * by the unique `name` after a create so two concurrent creators converge on the same row.
+     */
+    async createRole(name) {
+        const existing = await this.findRoleId(name);
+        if (existing)
+            return existing;
+        const em = this.em.fork();
+        const entity = em.create(RoleEntity, {
+            id: randomUUID(),
+            name,
+            guard: null,
+            createdAt: new Date(),
+        });
+        try {
+            await em.persist(entity).flush();
+        }
+        catch {
+            // A concurrent insert won the race on the unique `name`; fall through to re-read.
+        }
+        const id = await this.findRoleId(name);
+        if (!id)
+            throw new Error(`Failed to create or resolve role "${name}".`);
+        return id;
+    }
+    /** Create the permission if absent; returns its id. Idempotent and race-tolerant. */
+    async createPermission(name) {
+        const existing = await this.findPermissionId(name);
+        if (existing)
+            return existing;
+        const em = this.em.fork();
+        const entity = em.create(PermissionEntity, {
+            id: randomUUID(),
+            name,
+            guard: null,
+            createdAt: new Date(),
+        });
+        try {
+            await em.persist(entity).flush();
+        }
+        catch {
+            // A concurrent insert won the race on the unique `name`; fall through to re-read.
+        }
+        const id = await this.findPermissionId(name);
+        if (!id)
+            throw new Error(`Failed to create or resolve permission "${name}".`);
+        return id;
+    }
+    async findRoleId(name) {
+        const row = await this.em.fork().findOne(RoleEntity, { name });
+        return row?.id;
+    }
+    async findPermissionId(name) {
+        const row = await this.em.fork().findOne(PermissionEntity, { name });
+        return row?.id;
+    }
+    // --- role ↔ permission ---
+    /** Grant a permission to a role (creating both by name if needed). Idempotent. */
+    async givePermissionToRole(roleName, permissionName) {
+        const roleId = await this.createRole(roleName);
+        const permissionId = await this.createPermission(permissionName);
+        const em = this.em.fork();
+        const existing = await em.findOne(RolePermissionEntity, { roleId, permissionId });
+        if (existing)
+            return;
+        em.create(RolePermissionEntity, { roleId, permissionId });
+        await em.flush();
+    }
+    /** Revoke a permission from a role. No-op if either is absent or not linked. */
+    async revokePermissionFromRole(roleName, permissionName) {
+        const roleId = await this.findRoleId(roleName);
+        const permissionId = await this.findPermissionId(permissionName);
+        if (!roleId || !permissionId)
+            return;
+        await this.em.fork().nativeDelete(RolePermissionEntity, { roleId, permissionId });
+    }
+    // --- user ↔ role ---
+    /** Assign a role to a user (creating the role by name if needed). Idempotent. */
+    async assignRole(user, roleName) {
+        const { type, id } = normalizeUserRef(user);
+        const roleId = await this.createRole(roleName);
+        const em = this.em.fork();
+        const existing = await em.findOne(UserRoleEntity, { userType: type, userId: id, roleId });
+        if (existing)
+            return;
+        em.create(UserRoleEntity, { userType: type, userId: id, roleId });
+        await em.flush();
+    }
+    /** Remove a role from a user. No-op if the role or assignment is absent. */
+    async removeRole(user, roleName) {
+        const { type, id } = normalizeUserRef(user);
+        const roleId = await this.findRoleId(roleName);
+        if (!roleId)
+            return;
+        await this.em.fork().nativeDelete(UserRoleEntity, { userType: type, userId: id, roleId });
+    }
+    // --- queries ---
+    /** The role names a user holds. */
+    async getRolesForUser(user) {
+        const { type, id } = normalizeUserRef(user);
+        const em = this.em.fork();
+        const assignments = await em.find(UserRoleEntity, { userType: type, userId: id });
+        if (assignments.length === 0)
+            return [];
+        const roleIds = assignments.map((a) => a.roleId);
+        const roles = await em.find(RoleEntity, { id: { $in: roleIds } });
+        return roles.map((r) => r.name);
+    }
+    /** The flattened, distinct permission names a user has via their roles. */
+    async getPermissionsForUser(user) {
+        const { type, id } = normalizeUserRef(user);
+        const em = this.em.fork();
+        const assignments = await em.find(UserRoleEntity, { userType: type, userId: id });
+        if (assignments.length === 0)
+            return [];
+        const roleIds = assignments.map((a) => a.roleId);
+        const links = await em.find(RolePermissionEntity, { roleId: { $in: roleIds } });
+        if (links.length === 0)
+            return [];
+        const permissionIds = [...new Set(links.map((l) => l.permissionId))];
+        const permissions = await em.find(PermissionEntity, { id: { $in: permissionIds } });
+        return [...new Set(permissions.map((p) => p.name))];
+    }
+    /** A user's roles + effective permissions in one shot. */
+    async getUserAuthz(user) {
+        const [roles, permissions] = await Promise.all([
+            this.getRolesForUser(user),
+            this.getPermissionsForUser(user),
+        ]);
+        return { roles, permissions };
+    }
+    /** True when the user holds `permission` through any of their roles. */
+    async userHasPermission(user, permission) {
+        const permissions = await this.getPermissionsForUser(user);
+        return permissions.includes(permission);
+    }
+}
+//# sourceMappingURL=mikro-orm-authz.store.js.map

package/dist/mikro-orm-authz.store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mikro-orm-authz.store.js","sourceRoot":"","sources":["../src/mikro-orm-authz.store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAE,gBAAgB,EAAE,UAAU,EAAE,oBAAoB,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AACnG,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGhD,2EAA2E;AAC3E,SAAS,gBAAgB,CAAC,GAAY;IACpC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACvD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;IAC3C,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,IAAI,MAAM,EAAE,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;AAC1D,CAAC;AAWD;;;;;;;;GAQG;AACH,MAAM,OAAO,kBAAkB;IAIV;IAHnB,2FAA2F;IAC3F,qFAAqF;IACrF,YACmB,EAAiB,EAClC,QAA+B,EAAE;QADhB,OAAE,GAAF,EAAE,CAAe;IAEjC,CAAC;IAEJ,gGAAgG;IAChG,YAAY;QACV,OAAO,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACpC,CAAC;IAED,2DAA2D;IAE3D;;;OAGG;IACH,KAAK,CAAC,UAAU,CAAC,IAAY;QAC3B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAC7C,IAAI,QAAQ;YAAE,OAAO,QAAQ,CAAC;QAC9B,MAAM,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;QAC1B,MAAM,MAAM,GAAG,EAAE,CAAC,MAAM,CAAC,UAAU,EAAE;YACnC,EAAE,EAAE,UAAU,EAAE;YAChB,IAAI;YACJ,KAAK,EAAE,IAAI;YACX,SAAS,EAAE,IAAI,IAAI,EAAE;SACtB,CAAC,CAAC;QACH,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACP,kFAAkF;QACpF,CAAC;QACD,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QACvC,IAAI,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,qCAAqC,IAAI,IAAI,CAAC,CAAC;QACxE,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,qFAAqF;IACrF,KAAK,CAAC,gBAAgB,CAAC,IAAY;QACjC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;QACnD,IAAI,QAAQ;YAAE,OAAO,QAAQ,CAAC;QAC9B,MAAM,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;QAC1B,MAAM,MAAM,GAAG,EAAE,CAAC,MAAM,CAAC,gBAAgB,EAAE;YACzC,EAAE,EAAE,UAAU,EAAE;YAChB,IAAI;YACJ,KAAK,EAAE,IAAI;YACX,SAAS,EAAE,IAAI,IAAI,EAAE;SACtB,CAAC,CAAC;QACH,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACP,kFAAkF;QACpF,CAAC;QACD,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;QAC7C,IAAI,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,2CAA2C,IAAI,IAAI,CAAC,CAAC;QAC9E,OAAO,EAAE,CAAC;IACZ,CAAC;IAEO,KAAK,CAAC,UAAU,CAAC,IAAY;QACnC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/D,OAAO,GAAG,EAAE,EAAE,CAAC;IACjB,CAAC;IAEO,KAAK,CAAC,gBAAgB,CAAC,IAAY;QACzC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,gBAAgB,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;QACrE,OAAO,GAAG,EAAE,EAAE,CAAC;IACjB,CAAC;IAED,4BAA4B;IAE5B,kFAAkF;IAClF,KAAK,CAAC,oBAAoB,CAAC,QAAgB,EAAE,cAAsB;QACjE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;QAC/C,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,cAAc,CAAC,CAAC;QACjE,MAAM,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;QAC1B,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,oBAAoB,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,CAAC;QAClF,IAAI,QAAQ;YAAE,OAAO;QACrB,EAAE,CAAC,MAAM,CAAC,oBAAoB,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,CAAC;QAC1D,MAAM,EAAE,CAAC,KAAK,EAAE,CAAC;IACnB,CAAC;IAED,gFAAgF;IAChF,KAAK,CAAC,wBAAwB,CAAC,QAAgB,EAAE,cAAsB;QACrE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;QAC/C,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,cAAc,CAAC,CAAC;QACjE,IAAI,CAAC,MAAM,IAAI,CAAC,YAAY;YAAE,OAAO;QACrC,MAAM,IAAI,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC,YAAY,CAAC,oBAAoB,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,CAAC;IACpF,CAAC;IAED,sBAAsB;IAEtB,iFAAiF;IACjF,KAAK,CAAC,UAAU,CAAC,IAAa,EAAE,QAAgB;QAC9C,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;QAC5C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;QAC/C,MAAM,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;QAC1B,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;QAC1F,IAAI,QAAQ;YAAE,OAAO;QACrB,EAAE,CAAC,MAAM,CAAC,cAAc,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;QAClE,MAAM,EAAE,CAAC,KAAK,EAAE,CAAC;IACnB,CAAC;IAED,4EAA4E;IAC5E,KAAK,CAAC,UAAU,CAAC,IAAa,EAAE,QAAgB;QAC9C,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;QAC5C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;QAC/C,IAAI,CAAC,MAAM;YAAE,OAAO;QACpB,MAAM,IAAI,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC,YAAY,CAAC,cAAc,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;IAC5F,CAAC;IAED,kBAAkB;IAElB,mCAAmC;IACnC,KAAK,CAAC,eAAe,CAAC,IAAa;QACjC,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;QAC5C,MAAM,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;QAC1B,MAAM,WAAW,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,cAAc,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC;QAClF,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;QACxC,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;QACjD,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,UAAU,EAAE,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC;QAClE,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC;IAED,2EAA2E;IAC3E,KAAK,CAAC,qBAAqB,CAAC,IAAa;QACvC,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;QAC5C,MAAM,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;QAC1B,MAAM,WAAW,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,cAAc,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC;QAClF,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;QACxC,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;QACjD,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,oBAAoB,EAAE,EAAE,MAAM,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC;QAChF,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;QAClC,MAAM,aAAa,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACrE,MAAM,WAAW,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,gBAAgB,EAAE,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,aAAa,EAAE,EAAE,CAAC,CAAC;QACpF,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACtD,CAAC;IAED,0DAA0D;IAC1D,KAAK,CAAC,YAAY,CAAC,IAAa;QAC9B,MAAM,CAAC,KAAK,EAAE,WAAW,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YAC7C,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC;YAC1B,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC;SACjC,CAAC,CAAC;QACH,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC;IAChC,CAAC;IAED,wEAAwE;IACxE,KAAK,CAAC,iBAAiB,CAAC,IAAa,EAAE,UAAkB;QACvD,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,CAAC;QAC3D,OAAO,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IAC1C,CAAC;CACF"}

package/dist/schema.d.ts

@@ -0,0 +1,28 @@
+import type { EntityManager, MikroORM } from '@mikro-orm/core';
+/**
+ * Returns the non-destructive SQL needed to bring only the authz RBAC tables up to date
+ * (creates them / adds missing columns). Mirrors the TypeORM adapter's migration helper —
+ * call it inside a MikroORM migration when you disable `autoCreateSchema`:
+ *
+ * ```ts
+ * import { authzSchemaSql } from '@dudousxd/nestjs-authz-mikro-orm';
+ * export class AddAuthz extends Migration {
+ *   async up() { this.addSql(await authzSchemaSql(this.getEntityManager())); }
+ * }
+ * ```
+ */
+export declare function authzSchemaSql(ormOrEm: MikroORM | EntityManager): Promise<string>;
+/**
+ * Ensure the RBAC schema is up to date (used by the store's `ensureSchema` on bootstrap).
+ *
+ * Runs MikroORM's native non-destructive `safe` diff: it creates missing tables and ADDs
+ * missing columns, but never drops/alters/renames existing ones, so it is safe to run on
+ * every boot. Only statements touching the authz tables are applied. Accepts a
+ * {@link MikroORM} or an {@link EntityManager}.
+ *
+ * Forward-compat rule: any column added to an authz entity after v1 MUST be nullable or
+ * have a default — `ADD COLUMN` of a NOT NULL column without a default fails on a populated
+ * table, and the `safe` diff never recreates the table.
+ */
+export declare function ensureAuthzSchema(ormOrEm: MikroORM | EntityManager): Promise<void>;
+//# sourceMappingURL=schema.d.ts.map

package/dist/schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../src/schema.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAiC/D;;;;;;;;;;;GAWG;AACH,wBAAsB,cAAc,CAAC,OAAO,EAAE,QAAQ,GAAG,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,CAGvF;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,iBAAiB,CAAC,OAAO,EAAE,QAAQ,GAAG,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CAQxF"}

package/dist/schema.js

@@ -0,0 +1,65 @@
+/** The four authz table names — used to filter the schema diff down to our tables. */
+const AUTHZ_TABLES = [
+    'authz_roles',
+    'authz_permissions',
+    'authz_role_permission',
+    'authz_user_role',
+];
+/** Resolve an {@link EntityManager} from a {@link MikroORM} or an EM. */
+function toEm(ormOrEm) {
+    return isOrm(ormOrEm) ? ormOrEm.em : ormOrEm;
+}
+function isOrm(value) {
+    return 'em' in value && typeof value.getSchemaGenerator === 'function';
+}
+/** The platform's schema generator for a given EM (driver + EM bound). */
+function generatorFor(em) {
+    return em.getPlatform().getSchemaGenerator(em.getDriver(), em);
+}
+/** Statements (split, trimmed) from the non-destructive schema diff that touch our tables. */
+async function authzStatements(em) {
+    const sql = await generatorFor(em).getUpdateSchemaSQL({ safe: true, wrap: false });
+    return sql
+        .split(';')
+        .map((s) => s.trim())
+        .filter((s) => s.length > 0 && AUTHZ_TABLES.some((t) => new RegExp(`\\b${t}\\b`, 'i').test(s)));
+}
+/**
+ * Returns the non-destructive SQL needed to bring only the authz RBAC tables up to date
+ * (creates them / adds missing columns). Mirrors the TypeORM adapter's migration helper —
+ * call it inside a MikroORM migration when you disable `autoCreateSchema`:
+ *
+ * ```ts
+ * import { authzSchemaSql } from '@dudousxd/nestjs-authz-mikro-orm';
+ * export class AddAuthz extends Migration {
+ *   async up() { this.addSql(await authzSchemaSql(this.getEntityManager())); }
+ * }
+ * ```
+ */
+export async function authzSchemaSql(ormOrEm) {
+    const statements = await authzStatements(toEm(ormOrEm));
+    return statements.length ? `${statements.join(';\n')};` : '';
+}
+/**
+ * Ensure the RBAC schema is up to date (used by the store's `ensureSchema` on bootstrap).
+ *
+ * Runs MikroORM's native non-destructive `safe` diff: it creates missing tables and ADDs
+ * missing columns, but never drops/alters/renames existing ones, so it is safe to run on
+ * every boot. Only statements touching the authz tables are applied. Accepts a
+ * {@link MikroORM} or an {@link EntityManager}.
+ *
+ * Forward-compat rule: any column added to an authz entity after v1 MUST be nullable or
+ * have a default — `ADD COLUMN` of a NOT NULL column without a default fails on a populated
+ * table, and the `safe` diff never recreates the table.
+ */
+export async function ensureAuthzSchema(ormOrEm) {
+    const em = toEm(ormOrEm);
+    const statements = await authzStatements(em);
+    if (statements.length === 0)
+        return;
+    const connection = em.getConnection();
+    for (const statement of statements) {
+        await connection.execute(statement);
+    }
+}
+//# sourceMappingURL=schema.js.map

package/dist/schema.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.js","sourceRoot":"","sources":["../src/schema.ts"],"names":[],"mappings":"AAEA,sFAAsF;AACtF,MAAM,YAAY,GAAG;IACnB,aAAa;IACb,mBAAmB;IACnB,uBAAuB;IACvB,iBAAiB;CAClB,CAAC;AAEF,yEAAyE;AACzE,SAAS,IAAI,CAAC,OAAiC;IAC7C,OAAO,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAE,OAAO,CAAC,EAA+B,CAAC,CAAC,CAAC,OAAO,CAAC;AAC7E,CAAC;AAED,SAAS,KAAK,CAAC,KAA+B;IAC5C,OAAO,IAAI,IAAK,KAAgB,IAAI,OAAQ,KAAkB,CAAC,kBAAkB,KAAK,UAAU,CAAC;AACnG,CAAC;AAED,0EAA0E;AAC1E,SAAS,YAAY,CAAC,EAAiB;IACrC,OAAO,EAAE,CAAC,WAAW,EAAE,CAAC,kBAAkB,CAAC,EAAE,CAAC,SAAS,EAAE,EAAE,EAAE,CAAC,CAAC;AACjE,CAAC;AAED,8FAA8F;AAC9F,KAAK,UAAU,eAAe,CAAC,EAAiB;IAC9C,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,EAAE,CAAC,CAAC,kBAAkB,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACnF,OAAO,GAAG;SACP,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AACpG,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,OAAiC;IACpE,MAAM,UAAU,GAAG,MAAM,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IACxD,OAAO,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;AAC/D,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,OAAiC;IACvE,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC;IACzB,MAAM,UAAU,GAAG,MAAM,eAAe,CAAC,EAAE,CAAC,CAAC;IAC7C,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO;IACpC,MAAM,UAAU,GAAG,EAAE,CAAC,aAAa,EAAE,CAAC;IACtC,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,MAAM,UAAU,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACtC,CAAC;AACH,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,18 @@
+/**
+ * A reference to a user. Matches nestjs-context's `UserRef` shape (`{ type, id }`),
+ * but the store accepts either a full ref or a bare id (defaulting `type` to `'user'`).
+ */
+export interface UserRefInput {
+    type?: string;
+    id: string | number;
+}
+/** A user reference, or just its id (treated as `{ type: 'user', id }`). */
+export type UserRef = UserRefInput | string | number;
+/**
+ * Options for the MikroORM RBAC store. Reserved for forward-compatibility — MikroORM
+ * derives table names from the registered entities (`@Entity({ tableName })`), so BYO
+ * names are configured by re-decorating the entities, not at runtime.
+ */
+export interface AuthzStoreOptions {
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,EAAE,EAAE,MAAM,GAAG,MAAM,CAAC;CACrB;AAED,4EAA4E;AAC5E,MAAM,MAAM,OAAO,GAAG,YAAY,GAAG,MAAM,GAAG,MAAM,CAAC;AAErD;;;;GAIG;AACH,MAAM,WAAW,iBAAiB;CAAG"}

package/dist/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/package.json

@@ -0,0 +1,72 @@
+{
+  "name": "@dudousxd/nestjs-authz-mikro-orm",
+  "version": "0.2.0",
+  "description": "MikroORM RBAC persistence for @dudousxd/nestjs-authz — roles, permissions, and a Gate seam (zero connection ownership).",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/DavideCarvalho/nestjs-authz.git",
+    "directory": "packages/mikro-orm"
+  },
+  "author": "Davi Carvalho <davi@goflip.ai>",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist/",
+    "README.md",
+    "CHANGELOG.md"
+  ],
+  "peerDependencies": {
+    "@dudousxd/nestjs-authz": ">=0.1.0",
+    "@mikro-orm/core": "^6.0.0",
+    "@mikro-orm/nestjs": "^5.0.0 || ^6.0.0",
+    "@nestjs/common": ">=10.0.0",
+    "@nestjs/core": ">=10.0.0",
+    "reflect-metadata": ">=0.1.13"
+  },
+  "peerDependenciesMeta": {
+    "@mikro-orm/nestjs": {
+      "optional": true
+    }
+  },
+  "devDependencies": {
+    "@mikro-orm/better-sqlite": "6.6.15",
+    "@mikro-orm/core": "6.6.15",
+    "@mikro-orm/nestjs": "^6.0.0",
+    "@nestjs/common": "^11.0.0",
+    "@nestjs/core": "^11.0.0",
+    "@nestjs/testing": "^11.0.0",
+    "@types/node": "^20.0.0",
+    "reflect-metadata": "^0.2.2",
+    "rxjs": "^7.8.1",
+    "typescript": "^5.4.0",
+    "vitest": "^3.0.0",
+    "@dudousxd/nestjs-authz": "^0.4.0"
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "keywords": [
+    "nestjs",
+    "authorization",
+    "authz",
+    "rbac",
+    "roles",
+    "permissions",
+    "mikro-orm"
+  ],
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "test": "vitest run --passWithNoTests",
+    "test:watch": "vitest",
+    "typecheck": "tsc -p tsconfig.json --noEmit"
+  }
+}