@dudousxd/nestjs-authz-prisma 0.2.0

package/CHANGELOG.md

@@ -0,0 +1,14 @@
+# @dudousxd/nestjs-authz-prisma
+
+## 0.2.0
+
+### Minor Changes
+
+- [#4](https://github.com/DavideCarvalho/nestjs-authz/pull/4) [`8b7711d`](https://github.com/DavideCarvalho/nestjs-authz/commit/8b7711d11bdb25b3407fea742f6c1158afb36296) Thanks [@DavideCarvalho](https://github.com/DavideCarvalho)! - New package: `@dudousxd/nestjs-authz-prisma` — a Prisma RBAC persistence adapter mirroring
+  `@dudousxd/nestjs-authz-typeorm`. Exposes a `PRISMA_CLIENT` DI token plus a minimal
+  **structural** `PrismaAuthzClientLike` interface (no `@prisma/client` import / no
+  `prisma generate` step), a `PrismaAuthzStore` with the same method surface, and
+  `AuthzRbacModule.forRoot/forRootAsync` registering the core `ROLE_PROVIDER` +
+  `PERMISSION_PROVIDER` seams. The schema is consumer-managed (the required `Role`/
+  `Permission`/`RolePermission`/`UserRole` models are documented in the README);
+  `ensureSchema` is a no-op.

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Davi Carvalho
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,107 @@
+# @dudousxd/nestjs-authz-prisma
+
+Prisma RBAC persistence for [`@dudousxd/nestjs-authz`](https://github.com/DavideCarvalho/nestjs-authz) —
+roles, permissions, and a Gate seam, with **zero connection ownership** (your app owns the
+`PrismaClient`; this package never opens a connection and never imports `@prisma/client`).
+
+This is the Prisma sibling of `@dudousxd/nestjs-authz-typeorm`: identical store surface and
+`AuthzRbacModule`, consuming a **structural** Prisma client interface.
+
+## Install
+
+```bash
+pnpm add @dudousxd/nestjs-authz-prisma @dudousxd/nestjs-authz
+```
+
+No `@prisma/client` is required by this package — it depends only on the structural
+`PrismaAuthzClientLike` interface, which a real `PrismaClient` satisfies. There is **no
+`prisma generate` step** introduced by this adapter.
+
+## Schema (consumer-managed)
+
+Prisma is schema-first: add the four RBAC models to your `schema.prisma` and apply them with
+`prisma migrate` / `prisma db push`. The user is referenced **by id only** — this package
+never owns a users table.
+
+```prisma
+model Role {
+  id        String   @id
+  name      String   @unique
+  guard     String?
+  createdAt DateTime @default(now())
+
+  @@map("authz_roles")
+}
+
+model Permission {
+  id        String   @id
+  name      String   @unique
+  guard     String?
+  createdAt DateTime @default(now())
+
+  @@map("authz_permissions")
+}
+
+model RolePermission {
+  roleId       String
+  permissionId String
+
+  @@id([roleId, permissionId])
+  @@map("authz_role_permission")
+}
+
+model UserRole {
+  userType String
+  userId   String
+  roleId   String
+
+  @@id([userType, userId, roleId])
+  @@index([userType, userId])
+  @@map("authz_user_role")
+}
+```
+
+> Unlike the TypeORM/MikroORM adapters there is **no auto-create** — `store.ensureSchema()`
+> is a no-op. Manage the schema with Prisma migrations.
+
+## Usage
+
+```ts
+import { AuthzRbacModule } from '@dudousxd/nestjs-authz-prisma';
+import { PrismaClient } from '@prisma/client';
+
+const prisma = new PrismaClient();
+
+@Module({
+  imports: [
+    // Pass the client directly — the module builds the store. (Or pass a pre-built `store`.)
+    AuthzRbacModule.forRoot({ client: prisma }),
+  ],
+})
+export class AppModule {}
+```
+
+Or build the store yourself and inject the client via the `PRISMA_CLIENT` token:
+
+```ts
+import { PRISMA_CLIENT, PrismaAuthzStore } from '@dudousxd/nestjs-authz-prisma';
+
+AuthzRbacModule.forRootAsync({
+  inject: [PRISMA_CLIENT],
+  useFactory: (client) => ({ store: new PrismaAuthzStore(client) }),
+});
+```
+
+Once wired, the Gate consults persisted RBAC:
+
+```ts
+await store.givePermissionToRole('editor', 'posts.publish');
+await store.assignRole({ type: 'user', id: 7 }, 'editor');
+
+gate.forUser(user).allows('posts.publish'); // true (PERMISSION_PROVIDER seam)
+gate.forUser(user).hasRole('editor');       // true (ROLE_PROVIDER seam)
+```
+
+## License
+
+MIT

package/dist/authz-rbac.module.d.ts

@@ -0,0 +1,53 @@
+import { type DynamicModule } from '@nestjs/common';
+import { PrismaAuthzStore } from './prisma-authz.store.js';
+import { type PrismaAuthzClientLike } from './prisma-client.js';
+import type { UserRef } from './types.js';
+/** Injection token holding the {@link PrismaAuthzStore} the RBAC module manages. */
+export declare const AUTHZ_RBAC_STORE: unique symbol;
+/** Injection token holding the resolved {@link AuthzRbacModuleOptions}. */
+export declare const AUTHZ_RBAC_OPTIONS: unique symbol;
+/**
+ * Map the Gate's current user (whatever the app's auth layer produced) to a
+ * {@link UserRef} the store can key on. Defaults to reading `{ type, id }` / `{ id }`.
+ */
+export type UserRefMapper = (user: unknown) => UserRef | undefined;
+export interface AuthzRbacModuleOptions {
+    /**
+     * The Prisma RBAC store, OR the raw Prisma client. Pass `store` if you already built a
+     * {@link PrismaAuthzStore}; pass `client` to let the module build one (a real
+     * `PrismaClient` structurally satisfies {@link PrismaAuthzClientLike}).
+     */
+    store?: PrismaAuthzStore;
+    /** The app-owned Prisma client; used to build the store when `store` is omitted. */
+    client?: PrismaAuthzClientLike;
+    /**
+     * Prisma is consumer-managed (schema-first) — there is no auto-create. This flag exists
+     * for parity; the store's `ensureSchema` is a no-op regardless. Default `false`.
+     */
+    autoCreateSchema?: boolean;
+    /**
+     * Derive a {@link UserRef} from the Gate's current user. Defaults to
+     * {@link defaultUserRefMapper} (`{ type, id }` or `{ id }`).
+     */
+    userRefFrom?: UserRefMapper;
+}
+export interface AuthzRbacModuleAsyncOptions {
+    imports?: unknown[];
+    inject?: unknown[];
+    useFactory: (...args: unknown[]) => Promise<AuthzRbacModuleOptions> | AuthzRbacModuleOptions;
+}
+/** Default mapping: accept a `{ type, id }` ref, a `{ id }` object, or a bare id. */
+export declare function defaultUserRefMapper(user: unknown): UserRef | undefined;
+/**
+ * Wires persisted RBAC into the core authz Gate. The app provides the Prisma client (via
+ * `client`, or a pre-built `store`, through `inject`/`useFactory`) — this module NEVER
+ * hardcodes a connection token. On init it registers the RBAC permission check into the
+ * Gate via the {@link PERMISSION_PROVIDER} seam, so `gate.allows('some.permission')`
+ * consults persisted permissions. Prisma's schema is consumer-managed (no auto-create).
+ */
+export declare class AuthzRbacModule {
+    static forRoot(options: AuthzRbacModuleOptions): DynamicModule;
+    static forRootAsync(options: AuthzRbacModuleAsyncOptions): DynamicModule;
+    private static commonProviders;
+}
+//# sourceMappingURL=authz-rbac.module.d.ts.map

package/dist/authz-rbac.module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authz-rbac.module.d.ts","sourceRoot":"","sources":["../src/authz-rbac.module.ts"],"names":[],"mappings":"AAMA,OAAO,EACL,KAAK,aAAa,EAQnB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAiB,KAAK,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AAC/E,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAE1C,oFAAoF;AACpF,eAAO,MAAM,gBAAgB,eAAoD,CAAC;AAClF,2EAA2E;AAC3E,eAAO,MAAM,kBAAkB,eAAsD,CAAC;AAEtF;;;GAGG;AACH,MAAM,MAAM,aAAa,GAAG,CAAC,IAAI,EAAE,OAAO,KAAK,OAAO,GAAG,SAAS,CAAC;AAEnE,MAAM,WAAW,sBAAsB;IACrC;;;;OAIG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;IACzB,oFAAoF;IACpF,MAAM,CAAC,EAAE,qBAAqB,CAAC;IAC/B;;;OAGG;IACH,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B;;;OAGG;IACH,WAAW,CAAC,EAAE,aAAa,CAAC;CAC7B;AAED,MAAM,WAAW,2BAA2B;IAC1C,OAAO,CAAC,EAAE,OAAO,EAAE,CAAC;IACpB,MAAM,CAAC,EAAE,OAAO,EAAE,CAAC;IACnB,UAAU,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC,sBAAsB,CAAC,GAAG,sBAAsB,CAAC;CAC9F;AAED,qFAAqF;AACrF,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,OAAO,GAAG,OAAO,GAAG,SAAS,CAOvE;AAuED;;;;;;GAMG;AACH,qBACa,eAAe;IAC1B,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,sBAAsB,GAAG,aAAa;IAa9D,MAAM,CAAC,YAAY,CAAC,OAAO,EAAE,2BAA2B,GAAG,aAAa;IAsBxE,OAAO,CAAC,MAAM,CAAC,eAAe;CAS/B"}

package/dist/authz-rbac.module.js

@@ -0,0 +1,174 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+var AuthzRbacModule_1;
+import { PERMISSION_PROVIDER, ROLE_PROVIDER, } from '@dudousxd/nestjs-authz';
+import { Inject, Injectable, Module, Optional, } from '@nestjs/common';
+import { PrismaAuthzStore } from './prisma-authz.store.js';
+/** Injection token holding the {@link PrismaAuthzStore} the RBAC module manages. */
+export const AUTHZ_RBAC_STORE = Symbol.for('@dudousxd/nestjs-authz-prisma:store');
+/** Injection token holding the resolved {@link AuthzRbacModuleOptions}. */
+export const AUTHZ_RBAC_OPTIONS = Symbol.for('@dudousxd/nestjs-authz-prisma:options');
+/** Default mapping: accept a `{ type, id }` ref, a `{ id }` object, or a bare id. */
+export function defaultUserRefMapper(user) {
+    if (user == null)
+        return undefined;
+    if (typeof user === 'string' || typeof user === 'number')
+        return user;
+    const u = user;
+    if (u.id == null)
+        return undefined;
+    const id = u.id;
+    return typeof u.type === 'string' ? { type: u.type, id } : { id };
+}
+/** Resolve a concrete store from the options (building one from `client` when needed). */
+function resolveStore(options) {
+    if (options.store)
+        return options.store;
+    if (options.client)
+        return new PrismaAuthzStore(options.client);
+    throw new Error('AuthzRbacModule (prisma): provide either `store` or `client` in the options.');
+}
+/**
+ * The RBAC {@link PermissionProvider} the Gate consults (via the shared
+ * {@link PERMISSION_PROVIDER} token). Grants a named ability when the current user holds
+ * the matching persisted permission — the Laravel/spatie `Gate::before` grant.
+ */
+let RbacPermissionProvider = class RbacPermissionProvider {
+    options;
+    store;
+    constructor(options) {
+        this.options = options;
+        this.store = resolveStore(options);
+    }
+    // The core `PermissionProvider` interface passes an optional `resource` (3rd
+    // arg); it is intentionally ignored here. RBAC grants are model-less,
+    // named-ability grants (the Laravel/spatie `Gate::before` grant), so the
+    // verdict never depends on a specific resource instance.
+    async hasPermission(user, permission) {
+        const map = this.options.userRefFrom ?? defaultUserRefMapper;
+        const ref = map(user);
+        if (ref === undefined)
+            return undefined;
+        return this.store.userHasPermission(ref, permission);
+    }
+};
+RbacPermissionProvider = __decorate([
+    Injectable(),
+    __param(0, Inject(AUTHZ_RBAC_OPTIONS)),
+    __metadata("design:paramtypes", [Object])
+], RbacPermissionProvider);
+/**
+ * The RBAC {@link RoleProvider} the Gate consults (via the shared {@link ROLE_PROVIDER}
+ * token) for coarse role-checks (`gate.hasRole('teacher')`, `@Roles('admin')`). Returns
+ * the role names the current user holds in the persisted store. Core unions these with
+ * any roles read off the user object by the default `RoleResolver`.
+ */
+let RbacRoleProvider = class RbacRoleProvider {
+    options;
+    store;
+    constructor(options) {
+        this.options = options;
+        this.store = resolveStore(options);
+    }
+    async getRoles(user) {
+        const map = this.options.userRefFrom ?? defaultUserRefMapper;
+        const ref = map(user);
+        if (ref === undefined)
+            return undefined;
+        return this.store.getRolesForUser(ref);
+    }
+};
+RbacRoleProvider = __decorate([
+    Injectable(),
+    __param(0, Inject(AUTHZ_RBAC_OPTIONS)),
+    __metadata("design:paramtypes", [Object])
+], RbacRoleProvider);
+/**
+ * Runs `ensureSchema` on bootstrap when `autoCreateSchema` is enabled. For Prisma this is
+ * a no-op (schema is consumer-managed) — kept for parity with the other adapters.
+ */
+let AuthzRbacBootstrap = class AuthzRbacBootstrap {
+    options;
+    constructor(options) {
+        this.options = options;
+    }
+    async onModuleInit() {
+        if (!this.options)
+            return;
+        if (this.options.autoCreateSchema !== true)
+            return;
+        await resolveStore(this.options).ensureSchema();
+    }
+};
+AuthzRbacBootstrap = __decorate([
+    Injectable(),
+    __param(0, Optional()),
+    __param(0, Inject(AUTHZ_RBAC_OPTIONS)),
+    __metadata("design:paramtypes", [Object])
+], AuthzRbacBootstrap);
+/**
+ * Wires persisted RBAC into the core authz Gate. The app provides the Prisma client (via
+ * `client`, or a pre-built `store`, through `inject`/`useFactory`) — this module NEVER
+ * hardcodes a connection token. On init it registers the RBAC permission check into the
+ * Gate via the {@link PERMISSION_PROVIDER} seam, so `gate.allows('some.permission')`
+ * consults persisted permissions. Prisma's schema is consumer-managed (no auto-create).
+ */
+let AuthzRbacModule = AuthzRbacModule_1 = class AuthzRbacModule {
+    static forRoot(options) {
+        return {
+            module: AuthzRbacModule_1,
+            global: true,
+            providers: [
+                { provide: AUTHZ_RBAC_OPTIONS, useValue: options },
+                { provide: AUTHZ_RBAC_STORE, useFactory: () => resolveStore(options) },
+                ...AuthzRbacModule_1.commonProviders(),
+            ],
+            exports: [AUTHZ_RBAC_STORE, PERMISSION_PROVIDER, ROLE_PROVIDER],
+        };
+    }
+    static forRootAsync(options) {
+        return {
+            module: AuthzRbacModule_1,
+            global: true,
+            imports: (options.imports ?? []),
+            providers: [
+                {
+                    provide: AUTHZ_RBAC_OPTIONS,
+                    useFactory: options.useFactory,
+                    inject: (options.inject ?? []),
+                },
+                {
+                    provide: AUTHZ_RBAC_STORE,
+                    useFactory: (opts) => resolveStore(opts),
+                    inject: [AUTHZ_RBAC_OPTIONS],
+                },
+                ...AuthzRbacModule_1.commonProviders(),
+            ],
+            exports: [AUTHZ_RBAC_STORE, PERMISSION_PROVIDER, ROLE_PROVIDER],
+        };
+    }
+    static commonProviders() {
+        return [
+            RbacPermissionProvider,
+            { provide: PERMISSION_PROVIDER, useExisting: RbacPermissionProvider },
+            RbacRoleProvider,
+            { provide: ROLE_PROVIDER, useExisting: RbacRoleProvider },
+            AuthzRbacBootstrap,
+        ];
+    }
+};
+AuthzRbacModule = AuthzRbacModule_1 = __decorate([
+    Module({})
+], AuthzRbacModule);
+export { AuthzRbacModule };
+//# sourceMappingURL=authz-rbac.module.js.map

package/dist/authz-rbac.module.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authz-rbac.module.js","sourceRoot":"","sources":["../src/authz-rbac.module.ts"],"names":[],"mappings":";;;;;;;;;;;;;AAAA,OAAO,EACL,mBAAmB,EAEnB,aAAa,GAEd,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAEL,MAAM,EACN,UAAU,EACV,MAAM,EAEN,QAAQ,GAGT,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAI3D,oFAAoF;AACpF,MAAM,CAAC,MAAM,gBAAgB,GAAG,MAAM,CAAC,GAAG,CAAC,qCAAqC,CAAC,CAAC;AAClF,2EAA2E;AAC3E,MAAM,CAAC,MAAM,kBAAkB,GAAG,MAAM,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;AAmCtF,qFAAqF;AACrF,MAAM,UAAU,oBAAoB,CAAC,IAAa;IAChD,IAAI,IAAI,IAAI,IAAI;QAAE,OAAO,SAAS,CAAC;IACnC,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACtE,MAAM,CAAC,GAAG,IAAwC,CAAC;IACnD,IAAI,CAAC,CAAC,EAAE,IAAI,IAAI;QAAE,OAAO,SAAS,CAAC;IACnC,MAAM,EAAE,GAAG,CAAC,CAAC,EAAqB,CAAC;IACnC,OAAO,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC;AACpE,CAAC;AAED,0FAA0F;AAC1F,SAAS,YAAY,CAAC,OAA+B;IACnD,IAAI,OAAO,CAAC,KAAK;QAAE,OAAO,OAAO,CAAC,KAAK,CAAC;IACxC,IAAI,OAAO,CAAC,MAAM;QAAE,OAAO,IAAI,gBAAgB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAChE,MAAM,IAAI,KAAK,CAAC,8EAA8E,CAAC,CAAC;AAClG,CAAC;AAED;;;;GAIG;AACH,IACM,sBAAsB,GAD5B,MACM,sBAAsB;IAE+B;IADxC,KAAK,CAAmB;IACzC,YAAyD,OAA+B;QAA/B,YAAO,GAAP,OAAO,CAAwB;QACtF,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IACrC,CAAC;IAED,6EAA6E;IAC7E,sEAAsE;IACtE,yEAAyE;IACzE,yDAAyD;IACzD,KAAK,CAAC,aAAa,CAAC,IAAa,EAAE,UAAkB;QACnD,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,IAAI,oBAAoB,CAAC;QAC7D,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC;QACtB,IAAI,GAAG,KAAK,SAAS;YAAE,OAAO,SAAS,CAAC;QACxC,OAAO,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;IACvD,CAAC;CACF,CAAA;AAhBK,sBAAsB;IAD3B,UAAU,EAAE;IAGE,WAAA,MAAM,CAAC,kBAAkB,CAAC,CAAA;;GAFnC,sBAAsB,CAgB3B;AAED;;;;;GAKG;AACH,IACM,gBAAgB,GADtB,MACM,gBAAgB;IAEqC;IADxC,KAAK,CAAmB;IACzC,YAAyD,OAA+B;QAA/B,YAAO,GAAP,OAAO,CAAwB;QACtF,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,IAAa;QAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,IAAI,oBAAoB,CAAC;QAC7D,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC;QACtB,IAAI,GAAG,KAAK,SAAS;YAAE,OAAO,SAAS,CAAC;QACxC,OAAO,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;IACzC,CAAC;CACF,CAAA;AAZK,gBAAgB;IADrB,UAAU,EAAE;IAGE,WAAA,MAAM,CAAC,kBAAkB,CAAC,CAAA;;GAFnC,gBAAgB,CAYrB;AAED;;;GAGG;AACH,IACM,kBAAkB,GADxB,MACM,kBAAkB;IAEqC;IAD3D,YAC2D,OAAgC;QAAhC,YAAO,GAAP,OAAO,CAAyB;IACxF,CAAC;IAEJ,KAAK,CAAC,YAAY;QAChB,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,OAAO;QAC1B,IAAI,IAAI,CAAC,OAAO,CAAC,gBAAgB,KAAK,IAAI;YAAE,OAAO;QACnD,MAAM,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,YAAY,EAAE,CAAC;IAClD,CAAC;CACF,CAAA;AAVK,kBAAkB;IADvB,UAAU,EAAE;IAGR,WAAA,QAAQ,EAAE,CAAA;IAAE,WAAA,MAAM,CAAC,kBAAkB,CAAC,CAAA;;GAFrC,kBAAkB,CAUvB;AAED;;;;;;GAMG;AAEI,IAAM,eAAe,uBAArB,MAAM,eAAe;IAC1B,MAAM,CAAC,OAAO,CAAC,OAA+B;QAC5C,OAAO;YACL,MAAM,EAAE,iBAAe;YACvB,MAAM,EAAE,IAAI;YACZ,SAAS,EAAE;gBACT,EAAE,OAAO,EAAE,kBAAkB,EAAE,QAAQ,EAAE,OAAO,EAAE;gBAClD,EAAE,OAAO,EAAE,gBAAgB,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,CAAC,EAAE;gBACtE,GAAG,iBAAe,CAAC,eAAe,EAAE;aACrC;YACD,OAAO,EAAE,CAAC,gBAAgB,EAAE,mBAAmB,EAAE,aAAa,CAAC;SAChE,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,YAAY,CAAC,OAAoC;QACtD,OAAO;YACL,MAAM,EAAE,iBAAe;YACvB,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,CAAoB;YACnD,SAAS,EAAE;gBACT;oBACE,OAAO,EAAE,kBAAkB;oBAC3B,UAAU,EAAE,OAAO,CAAC,UAAU;oBAC9B,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAyB;iBACvD;gBACD;oBACE,OAAO,EAAE,gBAAgB;oBACzB,UAAU,EAAE,CAAC,IAA4B,EAAE,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC;oBAChE,MAAM,EAAE,CAAC,kBAAkB,CAAC;iBAC7B;gBACD,GAAG,iBAAe,CAAC,eAAe,EAAE;aACrC;YACD,OAAO,EAAE,CAAC,gBAAgB,EAAE,mBAAmB,EAAE,aAAa,CAAC;SAChE,CAAC;IACJ,CAAC;IAEO,MAAM,CAAC,eAAe;QAC5B,OAAO;YACL,sBAAsB;YACtB,EAAE,OAAO,EAAE,mBAAmB,EAAE,WAAW,EAAE,sBAAsB,EAAE;YACrE,gBAAgB;YAChB,EAAE,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,gBAAgB,EAAE;YACzD,kBAAkB;SACnB,CAAC;IACJ,CAAC;CACF,CAAA;AA7CY,eAAe;IAD3B,MAAM,CAAC,EAAE,CAAC;GACE,eAAe,CA6C3B"}

package/dist/index.d.ts

@@ -0,0 +1,7 @@
+export { PRISMA_CLIENT, type PrismaAuthzClientLike, type PrismaModelDelegate, } from './prisma-client.js';
+export { PrismaAuthzStore } from './prisma-authz.store.js';
+export type { UserAuthz } from './prisma-authz.store.js';
+export { AUTHZ_RBAC_OPTIONS, AUTHZ_RBAC_STORE, AuthzRbacModule, defaultUserRefMapper, } from './authz-rbac.module.js';
+export type { AuthzRbacModuleAsyncOptions, AuthzRbacModuleOptions, UserRefMapper, } from './authz-rbac.module.js';
+export type { UserRef, UserRefInput } from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,aAAa,EACb,KAAK,qBAAqB,EAC1B,KAAK,mBAAmB,GACzB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,YAAY,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AACzD,OAAO,EACL,kBAAkB,EAClB,gBAAgB,EAChB,eAAe,EACf,oBAAoB,GACrB,MAAM,wBAAwB,CAAC;AAChC,YAAY,EACV,2BAA2B,EAC3B,sBAAsB,EACtB,aAAa,GACd,MAAM,wBAAwB,CAAC;AAChC,YAAY,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -0,0 +1,4 @@
+export { PRISMA_CLIENT, } from './prisma-client.js';
+export { PrismaAuthzStore } from './prisma-authz.store.js';
+export { AUTHZ_RBAC_OPTIONS, AUTHZ_RBAC_STORE, AuthzRbacModule, defaultUserRefMapper, } from './authz-rbac.module.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,aAAa,GAGd,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,OAAO,EACL,kBAAkB,EAClB,gBAAgB,EAChB,eAAe,EACf,oBAAoB,GACrB,MAAM,wBAAwB,CAAC"}

package/dist/prisma-authz.store.d.ts

@@ -0,0 +1,52 @@
+import { type PrismaAuthzClientLike } from './prisma-client.js';
+import type { UserRef } from './types.js';
+/**
+ * A user's effective permissions: the role names they hold and the flattened set of
+ * permission names granted by those roles.
+ */
+export interface UserAuthz {
+    roles: string[];
+    permissions: string[];
+}
+/**
+ * Prisma-backed RBAC store. Receives the app-owned Prisma client via the
+ * {@link PRISMA_CLIENT} DI token — NO internal connection ownership, NO `@prisma/client`
+ * import (it consumes the structural {@link PrismaAuthzClientLike}).
+ *
+ * Same method surface as the TypeORM/MikroORM adapters. The user is referenced BY ID ONLY
+ * — this package never owns a users table.
+ */
+export declare class PrismaAuthzStore {
+    private readonly client;
+    constructor(client: PrismaAuthzClientLike);
+    /**
+     * No-op: Prisma is schema-first / consumer-managed. Declare the RBAC models in your
+     * `schema.prisma` (see {@link PrismaAuthzClientLike}) and apply them with
+     * `prisma migrate` / `prisma db push` — this adapter never runs DDL. Present for parity
+     * with the other adapters' store surface.
+     */
+    ensureSchema(): Promise<void>;
+    /** Create the role if absent; returns its id. Idempotent and race-tolerant. */
+    createRole(name: string): Promise<string>;
+    /** Create the permission if absent; returns its id. Idempotent and race-tolerant. */
+    createPermission(name: string): Promise<string>;
+    private findRoleId;
+    private findPermissionId;
+    /** Grant a permission to a role (creating both by name if needed). Idempotent. */
+    givePermissionToRole(roleName: string, permissionName: string): Promise<void>;
+    /** Revoke a permission from a role. No-op if either is absent or not linked. */
+    revokePermissionFromRole(roleName: string, permissionName: string): Promise<void>;
+    /** Assign a role to a user (creating the role by name if needed). Idempotent. */
+    assignRole(user: UserRef, roleName: string): Promise<void>;
+    /** Remove a role from a user. No-op if the role or assignment is absent. */
+    removeRole(user: UserRef, roleName: string): Promise<void>;
+    /** The role names a user holds. */
+    getRolesForUser(user: UserRef): Promise<string[]>;
+    /** The flattened, distinct permission names a user has via their roles. */
+    getPermissionsForUser(user: UserRef): Promise<string[]>;
+    /** A user's roles + effective permissions in one shot. */
+    getUserAuthz(user: UserRef): Promise<UserAuthz>;
+    /** True when the user holds `permission` through any of their roles. */
+    userHasPermission(user: UserRef, permission: string): Promise<boolean>;
+}
+//# sourceMappingURL=prisma-authz.store.d.ts.map

package/dist/prisma-authz.store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"prisma-authz.store.d.ts","sourceRoot":"","sources":["../src/prisma-authz.store.ts"],"names":[],"mappings":"AACA,OAAO,EAAiB,KAAK,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AAC/E,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAe1C;;;GAGG;AACH,MAAM,WAAW,SAAS;IACxB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB;AAED;;;;;;;GAOG;AACH,qBACa,gBAAgB;IAGzB,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,qBAAqB;IAGhD;;;;;OAKG;IACG,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC;IAMnC,+EAA+E;IACzE,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAgB/C,qFAAqF;IAC/E,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;YAevC,UAAU;YAKV,gBAAgB;IAO9B,kFAAkF;IAC5E,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAUnF,gFAAgF;IAC1E,wBAAwB,CAAC,QAAQ,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IASvF,iFAAiF;IAC3E,UAAU,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAUhE,4EAA4E;IACtE,UAAU,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAShE,mCAAmC;IAC7B,eAAe,CAAC,IAAI,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAWvD,2EAA2E;IACrE,qBAAqB,CAAC,IAAI,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAkB7D,0DAA0D;IACpD,YAAY,CAAC,IAAI,EAAE,OAAO,GAAG,OAAO,CAAC,SAAS,CAAC;IAQrD,wEAAwE;IAClE,iBAAiB,CAAC,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;CAI7E"}

package/dist/prisma-authz.store.js

@@ -0,0 +1,187 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+import { randomUUID } from 'node:crypto';
+import { PRISMA_CLIENT } from './prisma-client.js';
+// Optional Nest DI decorators — declared structurally so this package does not need a
+// hard runtime dependency on @nestjs/common for the POJO store (the module supplies the
+// real Inject token). The store is usable as a plain POJO: `new PrismaAuthzStore(client)`.
+import { Inject, Injectable } from '@nestjs/common';
+/** Normalize a {@link UserRef} to `{ type, id }` with `id` stringified. */
+function normalizeUserRef(ref) {
+    if (typeof ref === 'string' || typeof ref === 'number') {
+        return { type: 'user', id: String(ref) };
+    }
+    return { type: ref.type ?? 'user', id: String(ref.id) };
+}
+/**
+ * Prisma-backed RBAC store. Receives the app-owned Prisma client via the
+ * {@link PRISMA_CLIENT} DI token — NO internal connection ownership, NO `@prisma/client`
+ * import (it consumes the structural {@link PrismaAuthzClientLike}).
+ *
+ * Same method surface as the TypeORM/MikroORM adapters. The user is referenced BY ID ONLY
+ * — this package never owns a users table.
+ */
+let PrismaAuthzStore = class PrismaAuthzStore {
+    client;
+    constructor(client) {
+        this.client = client;
+    }
+    /**
+     * No-op: Prisma is schema-first / consumer-managed. Declare the RBAC models in your
+     * `schema.prisma` (see {@link PrismaAuthzClientLike}) and apply them with
+     * `prisma migrate` / `prisma db push` — this adapter never runs DDL. Present for parity
+     * with the other adapters' store surface.
+     */
+    async ensureSchema() {
+        // Intentionally empty — see the doc comment.
+    }
+    // --- roles & permissions (idempotent upserts by name) ---
+    /** Create the role if absent; returns its id. Idempotent and race-tolerant. */
+    async createRole(name) {
+        const existing = await this.findRoleId(name);
+        if (existing)
+            return existing;
+        try {
+            const row = await this.client.role.create({
+                data: { id: randomUUID(), name, guard: null, createdAt: new Date() },
+            });
+            return row.id;
+        }
+        catch {
+            // A concurrent insert won the race on the unique `name`; re-read.
+            const id = await this.findRoleId(name);
+            if (!id)
+                throw new Error(`Failed to create or resolve role "${name}".`);
+            return id;
+        }
+    }
+    /** Create the permission if absent; returns its id. Idempotent and race-tolerant. */
+    async createPermission(name) {
+        const existing = await this.findPermissionId(name);
+        if (existing)
+            return existing;
+        try {
+            const row = await this.client.permission.create({
+                data: { id: randomUUID(), name, guard: null, createdAt: new Date() },
+            });
+            return row.id;
+        }
+        catch {
+            const id = await this.findPermissionId(name);
+            if (!id)
+                throw new Error(`Failed to create or resolve permission "${name}".`);
+            return id;
+        }
+    }
+    async findRoleId(name) {
+        const row = await this.client.role.findFirst({ where: { name } });
+        return row?.id;
+    }
+    async findPermissionId(name) {
+        const row = await this.client.permission.findFirst({ where: { name } });
+        return row?.id;
+    }
+    // --- role ↔ permission ---
+    /** Grant a permission to a role (creating both by name if needed). Idempotent. */
+    async givePermissionToRole(roleName, permissionName) {
+        const roleId = await this.createRole(roleName);
+        const permissionId = await this.createPermission(permissionName);
+        const existing = await this.client.rolePermission.findFirst({
+            where: { roleId, permissionId },
+        });
+        if (existing)
+            return;
+        await this.client.rolePermission.create({ data: { roleId, permissionId } });
+    }
+    /** Revoke a permission from a role. No-op if either is absent or not linked. */
+    async revokePermissionFromRole(roleName, permissionName) {
+        const roleId = await this.findRoleId(roleName);
+        const permissionId = await this.findPermissionId(permissionName);
+        if (!roleId || !permissionId)
+            return;
+        await this.client.rolePermission.deleteMany({ where: { roleId, permissionId } });
+    }
+    // --- user ↔ role ---
+    /** Assign a role to a user (creating the role by name if needed). Idempotent. */
+    async assignRole(user, roleName) {
+        const { type, id } = normalizeUserRef(user);
+        const roleId = await this.createRole(roleName);
+        const existing = await this.client.userRole.findFirst({
+            where: { userType: type, userId: id, roleId },
+        });
+        if (existing)
+            return;
+        await this.client.userRole.create({ data: { userType: type, userId: id, roleId } });
+    }
+    /** Remove a role from a user. No-op if the role or assignment is absent. */
+    async removeRole(user, roleName) {
+        const { type, id } = normalizeUserRef(user);
+        const roleId = await this.findRoleId(roleName);
+        if (!roleId)
+            return;
+        await this.client.userRole.deleteMany({ where: { userType: type, userId: id, roleId } });
+    }
+    // --- queries ---
+    /** The role names a user holds. */
+    async getRolesForUser(user) {
+        const { type, id } = normalizeUserRef(user);
+        const assignments = await this.client.userRole.findMany({
+            where: { userType: type, userId: id },
+        });
+        if (assignments.length === 0)
+            return [];
+        const roleIds = assignments.map((a) => a.roleId);
+        const roles = await this.client.role.findMany({ where: { id: { in: roleIds } } });
+        return roles.map((r) => r.name);
+    }
+    /** The flattened, distinct permission names a user has via their roles. */
+    async getPermissionsForUser(user) {
+        const { type, id } = normalizeUserRef(user);
+        const assignments = await this.client.userRole.findMany({
+            where: { userType: type, userId: id },
+        });
+        if (assignments.length === 0)
+            return [];
+        const roleIds = assignments.map((a) => a.roleId);
+        const links = await this.client.rolePermission.findMany({
+            where: { roleId: { in: roleIds } },
+        });
+        if (links.length === 0)
+            return [];
+        const permissionIds = [...new Set(links.map((l) => l.permissionId))];
+        const permissions = await this.client.permission.findMany({
+            where: { id: { in: permissionIds } },
+        });
+        return [...new Set(permissions.map((p) => p.name))];
+    }
+    /** A user's roles + effective permissions in one shot. */
+    async getUserAuthz(user) {
+        const [roles, permissions] = await Promise.all([
+            this.getRolesForUser(user),
+            this.getPermissionsForUser(user),
+        ]);
+        return { roles, permissions };
+    }
+    /** True when the user holds `permission` through any of their roles. */
+    async userHasPermission(user, permission) {
+        const permissions = await this.getPermissionsForUser(user);
+        return permissions.includes(permission);
+    }
+};
+PrismaAuthzStore = __decorate([
+    Injectable(),
+    __param(0, Inject(PRISMA_CLIENT)),
+    __metadata("design:paramtypes", [Object])
+], PrismaAuthzStore);
+export { PrismaAuthzStore };
+//# sourceMappingURL=prisma-authz.store.js.map

package/dist/prisma-authz.store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"prisma-authz.store.js","sourceRoot":"","sources":["../src/prisma-authz.store.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,aAAa,EAA8B,MAAM,oBAAoB,CAAC;AAG/E,sFAAsF;AACtF,wFAAwF;AACxF,2FAA2F;AAC3F,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAEpD,2EAA2E;AAC3E,SAAS,gBAAgB,CAAC,GAAY;IACpC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACvD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;IAC3C,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,IAAI,MAAM,EAAE,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;AAC1D,CAAC;AAWD;;;;;;;GAOG;AAEI,IAAM,gBAAgB,GAAtB,MAAM,gBAAgB;IAGR;IAFnB,YAEmB,MAA6B;QAA7B,WAAM,GAAN,MAAM,CAAuB;IAC7C,CAAC;IAEJ;;;;;OAKG;IACH,KAAK,CAAC,YAAY;QAChB,6CAA6C;IAC/C,CAAC;IAED,2DAA2D;IAE3D,+EAA+E;IAC/E,KAAK,CAAC,UAAU,CAAC,IAAY;QAC3B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAC7C,IAAI,QAAQ;YAAE,OAAO,QAAQ,CAAC;QAC9B,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC;gBACxC,IAAI,EAAE,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,EAAE;aACrE,CAAC,CAAC;YACH,OAAO,GAAG,CAAC,EAAY,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC;YACP,kEAAkE;YAClE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;YACvC,IAAI,CAAC,EAAE;gBAAE,MAAM,IAAI,KAAK,CAAC,qCAAqC,IAAI,IAAI,CAAC,CAAC;YACxE,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAED,qFAAqF;IACrF,KAAK,CAAC,gBAAgB,CAAC,IAAY;QACjC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;QACnD,IAAI,QAAQ;YAAE,OAAO,QAAQ,CAAC;QAC9B,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC;gBAC9C,IAAI,EAAE,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,EAAE;aACrE,CAAC,CAAC;YACH,OAAO,GAAG,CAAC,EAAY,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;YAC7C,IAAI,CAAC,EAAE;gBAAE,MAAM,IAAI,KAAK,CAAC,2CAA2C,IAAI,IAAI,CAAC,CAAC;YAC9E,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,UAAU,CAAC,IAAY;QACnC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,CAAC,CAAC;QAClE,OAAO,GAAG,EAAE,EAAwB,CAAC;IACvC,CAAC;IAEO,KAAK,CAAC,gBAAgB,CAAC,IAAY;QACzC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,CAAC,CAAC;QACxE,OAAO,GAAG,EAAE,EAAwB,CAAC;IACvC,CAAC;IAED,4BAA4B;IAE5B,kFAAkF;IAClF,KAAK,CAAC,oBAAoB,CAAC,QAAgB,EAAE,cAAsB;QACjE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;QAC/C,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,cAAc,CAAC,CAAC;QACjE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,SAAS,CAAC;YAC1D,KAAK,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE;SAChC,CAAC,CAAC;QACH,IAAI,QAAQ;YAAE,OAAO;QACrB,MAAM,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,EAAE,CAAC,CAAC;IAC9E,CAAC;IAED,gFAAgF;IAChF,KAAK,CAAC,wBAAwB,CAAC,QAAgB,EAAE,cAAsB;QACrE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;QAC/C,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,cAAc,CAAC,CAAC;QACjE,IAAI,CAAC,MAAM,IAAI,CAAC,YAAY;YAAE,OAAO;QACrC,MAAM,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,EAAE,CAAC,CAAC;IACnF,CAAC;IAED,sBAAsB;IAEtB,iFAAiF;IACjF,KAAK,CAAC,UAAU,CAAC,IAAa,EAAE,QAAgB;QAC9C,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;QAC5C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;QAC/C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC;YACpD,KAAK,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE;SAC9C,CAAC,CAAC;QACH,IAAI,QAAQ;YAAE,OAAO;QACrB,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,CAAC,CAAC;IACtF,CAAC;IAED,4EAA4E;IAC5E,KAAK,CAAC,UAAU,CAAC,IAAa,EAAE,QAAgB;QAC9C,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;QAC5C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;QAC/C,IAAI,CAAC,MAAM;YAAE,OAAO;QACpB,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,CAAC,CAAC;IAC3F,CAAC;IAED,kBAAkB;IAElB,mCAAmC;IACnC,KAAK,CAAC,eAAe,CAAC,IAAa;QACjC,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;QAC5C,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACtD,KAAK,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE;SACtC,CAAC,CAAC;QACH,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;QACxC,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAgB,CAAC,CAAC;QAC3D,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,CAAC;QAClF,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAc,CAAC,CAAC;IAC5C,CAAC;IAED,2EAA2E;IAC3E,KAAK,CAAC,qBAAqB,CAAC,IAAa;QACvC,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;QAC5C,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACtD,KAAK,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE;SACtC,CAAC,CAAC;QACH,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;QACxC,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAgB,CAAC,CAAC;QAC3D,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,QAAQ,CAAC;YACtD,KAAK,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE;SACnC,CAAC,CAAC;QACH,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;QAClC,MAAM,aAAa,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAsB,CAAC,CAAC,CAAC,CAAC;QAC/E,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC;YACxD,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,aAAa,EAAE,EAAE;SACrC,CAAC,CAAC;QACH,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAc,CAAC,CAAC,CAAC,CAAC;IAChE,CAAC;IAED,0DAA0D;IAC1D,KAAK,CAAC,YAAY,CAAC,IAAa;QAC9B,MAAM,CAAC,KAAK,EAAE,WAAW,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YAC7C,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC;YAC1B,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC;SACjC,CAAC,CAAC;QACH,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC;IAChC,CAAC;IAED,wEAAwE;IACxE,KAAK,CAAC,iBAAiB,CAAC,IAAa,EAAE,UAAkB;QACvD,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,CAAC;QAC3D,OAAO,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IAC1C,CAAC;CACF,CAAA;AAtJY,gBAAgB;IAD5B,UAAU,EAAE;IAGR,WAAA,MAAM,CAAC,aAAa,CAAC,CAAA;;GAFb,gBAAgB,CAsJ5B"}

package/dist/prisma-client.d.ts

@@ -0,0 +1,95 @@
+/**
+ * Structural typings + DI token for the Prisma client consumed by
+ * {@link PrismaAuthzStore}.
+ *
+ * The adapter deliberately does NOT import a generated `@prisma/client` type.
+ * Instead it depends on a minimal structural interface describing only the model
+ * delegate methods it uses. This keeps the package free of any `prisma generate`
+ * step and decouples it from the consumer's generated client location/version — a
+ * real `PrismaClient` instance structurally satisfies {@link PrismaAuthzClientLike},
+ * so you can inject it directly.
+ *
+ * ## Required Prisma models
+ *
+ * The consumer's `schema.prisma` must declare these models (the user is referenced
+ * **by id only** — this package never owns a users table):
+ *
+ * ```prisma
+ * model Role {
+ *   id        String   @id
+ *   name      String   @unique
+ *   guard     String?
+ *   createdAt DateTime @default(now())
+ *
+ *   @@map("authz_roles")
+ * }
+ *
+ * model Permission {
+ *   id        String   @id
+ *   name      String   @unique
+ *   guard     String?
+ *   createdAt DateTime @default(now())
+ *
+ *   @@map("authz_permissions")
+ * }
+ *
+ * model RolePermission {
+ *   roleId       String
+ *   permissionId String
+ *
+ *   @@id([roleId, permissionId])
+ *   @@map("authz_role_permission")
+ * }
+ *
+ * model UserRole {
+ *   userType String
+ *   userId   String
+ *   roleId   String
+ *
+ *   @@id([userType, userId, roleId])
+ *   @@index([userType, userId])
+ *   @@map("authz_user_role")
+ * }
+ * ```
+ *
+ * Apply it with `prisma migrate` / `prisma db push` — this adapter is
+ * consumer-managed and never runs DDL.
+ */
+/**
+ * Minimal structural view of a Prisma model delegate (the methods the store calls).
+ *
+ * The arg/return types are intentionally `any`: a generated Prisma delegate's method
+ * signatures are far narrower (model-specific), and a structural `unknown`/`Record` here
+ * would make a real `PrismaClient` *not* assignable to this interface (arg positions are
+ * contravariant). `any` keeps a concrete client structurally compatible without pulling in
+ * `@prisma/client`.
+ */
+export interface PrismaModelDelegate {
+    create(args: {
+        data: any;
+    }): Promise<any>;
+    findFirst(args: {
+        where: any;
+    }): Promise<any>;
+    findMany(args: {
+        where: any;
+    }): Promise<any[]>;
+    deleteMany(args: {
+        where: any;
+    }): Promise<{
+        count: number;
+    }>;
+}
+/** Minimal structural view of a Prisma client exposing the four RBAC models. */
+export interface PrismaAuthzClientLike {
+    role: PrismaModelDelegate;
+    permission: PrismaModelDelegate;
+    rolePermission: PrismaModelDelegate;
+    userRole: PrismaModelDelegate;
+}
+/**
+ * DI token for the app-provided Prisma client ({@link PrismaAuthzClientLike})
+ * injected into {@link PrismaAuthzStore}.
+ */
+export declare const PRISMA_CLIENT: unique symbol;
+//# sourceMappingURL=prisma-client.d.ts.map

package/dist/prisma-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"prisma-client.d.ts","sourceRoot":"","sources":["../src/prisma-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwDG;AAEH;;;;;;;;GAQG;AACH,MAAM,WAAW,mBAAmB;IAElC,MAAM,CAAC,IAAI,EAAE;QAAE,IAAI,EAAE,GAAG,CAAA;KAAE,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IAE1C,SAAS,CAAC,IAAI,EAAE;QAAE,KAAK,EAAE,GAAG,CAAA;KAAE,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IAE9C,QAAQ,CAAC,IAAI,EAAE;QAAE,KAAK,EAAE,GAAG,CAAA;KAAE,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IAE/C,UAAU,CAAC,IAAI,EAAE;QAAE,KAAK,EAAE,GAAG,CAAA;KAAE,GAAG,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAC9D;AAED,gFAAgF;AAChF,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE,mBAAmB,CAAC;IAC1B,UAAU,EAAE,mBAAmB,CAAC;IAChC,cAAc,EAAE,mBAAmB,CAAC;IACpC,QAAQ,EAAE,mBAAmB,CAAC;CAC/B;AAED;;;GAGG;AACH,eAAO,MAAM,aAAa,eAAqD,CAAC"}

package/dist/prisma-client.js

@@ -0,0 +1,63 @@
+/**
+ * Structural typings + DI token for the Prisma client consumed by
+ * {@link PrismaAuthzStore}.
+ *
+ * The adapter deliberately does NOT import a generated `@prisma/client` type.
+ * Instead it depends on a minimal structural interface describing only the model
+ * delegate methods it uses. This keeps the package free of any `prisma generate`
+ * step and decouples it from the consumer's generated client location/version — a
+ * real `PrismaClient` instance structurally satisfies {@link PrismaAuthzClientLike},
+ * so you can inject it directly.
+ *
+ * ## Required Prisma models
+ *
+ * The consumer's `schema.prisma` must declare these models (the user is referenced
+ * **by id only** — this package never owns a users table):
+ *
+ * ```prisma
+ * model Role {
+ *   id        String   @id
+ *   name      String   @unique
+ *   guard     String?
+ *   createdAt DateTime @default(now())
+ *
+ *   @@map("authz_roles")
+ * }
+ *
+ * model Permission {
+ *   id        String   @id
+ *   name      String   @unique
+ *   guard     String?
+ *   createdAt DateTime @default(now())
+ *
+ *   @@map("authz_permissions")
+ * }
+ *
+ * model RolePermission {
+ *   roleId       String
+ *   permissionId String
+ *
+ *   @@id([roleId, permissionId])
+ *   @@map("authz_role_permission")
+ * }
+ *
+ * model UserRole {
+ *   userType String
+ *   userId   String
+ *   roleId   String
+ *
+ *   @@id([userType, userId, roleId])
+ *   @@index([userType, userId])
+ *   @@map("authz_user_role")
+ * }
+ * ```
+ *
+ * Apply it with `prisma migrate` / `prisma db push` — this adapter is
+ * consumer-managed and never runs DDL.
+ */
+/**
+ * DI token for the app-provided Prisma client ({@link PrismaAuthzClientLike})
+ * injected into {@link PrismaAuthzStore}.
+ */
+export const PRISMA_CLIENT = Symbol.for('@dudousxd/nestjs-authz-prisma:client');
+//# sourceMappingURL=prisma-client.js.map

package/dist/prisma-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"prisma-client.js","sourceRoot":"","sources":["../src/prisma-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwDG;AA8BH;;;GAGG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,MAAM,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,11 @@
+/**
+ * A reference to a user. Matches nestjs-context's `UserRef` shape (`{ type, id }`),
+ * but the store accepts either a full ref or a bare id (defaulting `type` to `'user'`).
+ */
+export interface UserRefInput {
+    type?: string;
+    id: string | number;
+}
+/** A user reference, or just its id (treated as `{ type: 'user', id }`). */
+export type UserRef = UserRefInput | string | number;
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,EAAE,EAAE,MAAM,GAAG,MAAM,CAAC;CACrB;AAED,4EAA4E;AAC5E,MAAM,MAAM,OAAO,GAAG,YAAY,GAAG,MAAM,GAAG,MAAM,CAAC"}

package/dist/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/package.json

@@ -0,0 +1,62 @@
+{
+  "name": "@dudousxd/nestjs-authz-prisma",
+  "version": "0.2.0",
+  "description": "Prisma RBAC persistence for @dudousxd/nestjs-authz — roles, permissions, and a Gate seam (zero connection ownership, structural client).",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/DavideCarvalho/nestjs-authz.git",
+    "directory": "packages/prisma"
+  },
+  "author": "Davi Carvalho <davi@goflip.ai>",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist/",
+    "README.md",
+    "CHANGELOG.md"
+  ],
+  "peerDependencies": {
+    "@dudousxd/nestjs-authz": ">=0.1.0",
+    "@nestjs/common": ">=10.0.0",
+    "@nestjs/core": ">=10.0.0",
+    "reflect-metadata": ">=0.1.13"
+  },
+  "devDependencies": {
+    "@nestjs/common": "^11.0.0",
+    "@nestjs/core": "^11.0.0",
+    "@nestjs/testing": "^11.0.0",
+    "@types/node": "^20.0.0",
+    "reflect-metadata": "^0.2.2",
+    "rxjs": "^7.8.1",
+    "typescript": "^5.4.0",
+    "vitest": "^3.0.0",
+    "@dudousxd/nestjs-authz": "^0.4.0"
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "keywords": [
+    "nestjs",
+    "authorization",
+    "authz",
+    "rbac",
+    "roles",
+    "permissions",
+    "prisma"
+  ],
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "test": "vitest run --passWithNoTests",
+    "test:watch": "vitest",
+    "typecheck": "tsc -p tsconfig.json --noEmit"
+  }
+}