@dudousxd/nestjs-authz 0.2.0

package/CHANGELOG.md

@@ -0,0 +1,7 @@
+# @dudousxd/nestjs-authz
+
+## 0.2.0
+
+### Minor Changes
+
+- [`51d2fbc`](https://github.com/DavideCarvalho/nestjs-authz/commit/51d2fbc6b966c101a6ff0675c42843f040e02703) - Initial release: Laravel-style authorization for NestJS — gates, `@Policy`/`@Can`, the `Gate` service, a default `:id` resource resolver, `before`/`superAdmin` hooks, optional `nestjs-context` current-user with `resolveUser` hydration, and a `PERMISSION_PROVIDER` seam. The `@dudousxd/nestjs-authz-typeorm` adapter adds opt-in RBAC persistence (roles/permissions store, dialect-correct SQL, identifier allowlist, non-destructive schema auto-manage).

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Davi Carvalho
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/context-accessor.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Local, structural mirror of `@dudousxd/nestjs-context`'s public accessor
+ * (`packages/core/src/accessor.ts`).
+ *
+ * We deliberately do NOT import nestjs-context (it is an OPTIONAL peer). Instead
+ * we declare the same shape here and inject it via the shared
+ * {@link CONTEXT_ACCESSOR} token with `@Optional()`. Any object that structurally
+ * satisfies this interface — including nestjs-context's real accessor — works.
+ *
+ * Kept byte-aligned with nestjs-context's `ContextAccessor`: `traceId()` /
+ * `tenantId()` are REQUIRED (the real accessor always provides them) and `get()`
+ * is included, so a future authz use of `tenantId()`/`get()` is type-safe and
+ * the structural match stays exact.
+ */
+export interface UserRef {
+    type: string;
+    id: string | number;
+}
+/** Opaque shape of the context store. authz never reads it; mirrors the upstream surface. */
+export type ContextStore = Record<string, unknown>;
+export interface ContextAccessor {
+    /** Trace id for the current request, or `undefined` when unavailable. */
+    traceId(): string | undefined;
+    /** Current tenant id, or `undefined` when no multi-tenant context is populated. */
+    tenantId(): string | undefined;
+    /** Reference to the current user, or `undefined` when unauthenticated. */
+    userRef(): UserRef | undefined;
+    /** The raw context store for the current request, or `undefined`. */
+    get(): ContextStore | undefined;
+}
+//# sourceMappingURL=context-accessor.d.ts.map

package/dist/context-accessor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"context-accessor.d.ts","sourceRoot":"","sources":["../src/context-accessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,OAAO;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,GAAG,MAAM,CAAC;CACrB;AAED,6FAA6F;AAC7F,MAAM,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAEnD,MAAM,WAAW,eAAe;IAC9B,yEAAyE;IACzE,OAAO,IAAI,MAAM,GAAG,SAAS,CAAC;IAC9B,mFAAmF;IACnF,QAAQ,IAAI,MAAM,GAAG,SAAS,CAAC;IAC/B,0EAA0E;IAC1E,OAAO,IAAI,OAAO,GAAG,SAAS,CAAC;IAC/B,qEAAqE;IACrE,GAAG,IAAI,YAAY,GAAG,SAAS,CAAC;CACjC"}

package/dist/context-accessor.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=context-accessor.js.map

package/dist/context-accessor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"context-accessor.js","sourceRoot":"","sources":["../src/context-accessor.ts"],"names":[],"mappings":""}

package/dist/decorator/can.decorator.d.ts

@@ -0,0 +1,29 @@
+import 'reflect-metadata';
+import { type Type } from '@nestjs/common';
+export interface CanOptions {
+    /**
+     * Class-level ability (e.g. `create`): the policy method is keyed to the
+     * resource class but receives NO instance, so the guard skips resource loading.
+     */
+    classLevel?: boolean;
+}
+export interface CanMetadata {
+    ability: string;
+    /** Resource class — to load an instance, or (for class-level) to locate the policy. */
+    resource?: Type<unknown>;
+    /** When true, skip resource loading and dispatch against the resource class. */
+    classLevel?: boolean;
+}
+/**
+ * Guard a route with an authorization check.
+ *
+ * @example
+ *   `@Can('update', Post)`                    // resolve Post by :id, run PostPolicy.update(user, post)
+ *   `@Can('create', Post, { classLevel: true })` // run PostPolicy.create(user) — no instance loaded
+ *   `@Can('access-admin')`                    // ad-hoc gate, no resource
+ *
+ * When a resource class is provided (and not `classLevel`), the guard loads an
+ * instance via the registered `ResourceResolver` (default: by route `:id`).
+ */
+export declare function Can(ability: string, resource?: Type<unknown>, options?: CanOptions): MethodDecorator & ClassDecorator;
+//# sourceMappingURL=can.decorator.d.ts.map

package/dist/decorator/can.decorator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"can.decorator.d.ts","sourceRoot":"","sources":["../../src/decorator/can.decorator.ts"],"names":[],"mappings":"AAAA,OAAO,kBAAkB,CAAC;AAC1B,OAAO,EAAe,KAAK,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAGxD,MAAM,WAAW,UAAU;IACzB;;;OAGG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,uFAAuF;IACvF,QAAQ,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;IACzB,gFAAgF;IAChF,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,GAAG,CACjB,OAAO,EAAE,MAAM,EACf,QAAQ,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,EACxB,OAAO,CAAC,EAAE,UAAU,GACnB,eAAe,GAAG,cAAc,CAKlC"}

package/dist/decorator/can.decorator.js

@@ -0,0 +1,23 @@
+import 'reflect-metadata';
+import { SetMetadata } from '@nestjs/common';
+import { CAN_METADATA } from '../tokens.js';
+/**
+ * Guard a route with an authorization check.
+ *
+ * @example
+ *   `@Can('update', Post)`                    // resolve Post by :id, run PostPolicy.update(user, post)
+ *   `@Can('create', Post, { classLevel: true })` // run PostPolicy.create(user) — no instance loaded
+ *   `@Can('access-admin')`                    // ad-hoc gate, no resource
+ *
+ * When a resource class is provided (and not `classLevel`), the guard loads an
+ * instance via the registered `ResourceResolver` (default: by route `:id`).
+ */
+export function Can(ability, resource, options) {
+    const meta = { ability };
+    if (resource !== undefined)
+        meta.resource = resource;
+    if (options?.classLevel)
+        meta.classLevel = true;
+    return SetMetadata(CAN_METADATA, meta);
+}
+//# sourceMappingURL=can.decorator.js.map

package/dist/decorator/can.decorator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"can.decorator.js","sourceRoot":"","sources":["../../src/decorator/can.decorator.ts"],"names":[],"mappings":"AAAA,OAAO,kBAAkB,CAAC;AAC1B,OAAO,EAAE,WAAW,EAAa,MAAM,gBAAgB,CAAC;AACxD,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAkB5C;;;;;;;;;;GAUG;AACH,MAAM,UAAU,GAAG,CACjB,OAAe,EACf,QAAwB,EACxB,OAAoB;IAEpB,MAAM,IAAI,GAAgB,EAAE,OAAO,EAAE,CAAC;IACtC,IAAI,QAAQ,KAAK,SAAS;QAAE,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IACrD,IAAI,OAAO,EAAE,UAAU;QAAE,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;IAChD,OAAO,WAAW,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;AACzC,CAAC"}

package/dist/decorator/policy.decorator.d.ts

@@ -0,0 +1,18 @@
+import 'reflect-metadata';
+import { type Type } from '@nestjs/common';
+/**
+ * Marks a class as the policy for `resource`. The class methods become abilities
+ * dispatched by name (e.g. `update(user, post)` answers `gate.authorize('update', post)`).
+ *
+ * Applying `@Policy` also makes the class an `@Injectable()` provider so it can
+ * be auto-discovered and resolved from the Nest container.
+ */
+export declare function Policy(resource: Type<unknown>): ClassDecorator;
+/**
+ * Returns the resource class a policy was declared for, or `undefined`.
+ *
+ * Uses `getMetadata` (not `getOwnMetadata`) so a subclass of a `@Policy`-decorated
+ * class still resolves the inherited resource via the prototype chain.
+ */
+export declare function getPolicyResource(policy: Type<unknown> | object): Type<unknown> | undefined;
+//# sourceMappingURL=policy.decorator.d.ts.map

package/dist/decorator/policy.decorator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.decorator.d.ts","sourceRoot":"","sources":["../../src/decorator/policy.decorator.ts"],"names":[],"mappings":"AAAA,OAAO,kBAAkB,CAAC;AAC1B,OAAO,EAAc,KAAK,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAIvD;;;;;;GAMG;AACH,wBAAgB,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG,cAAc,CAM9D;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,SAAS,CAG3F"}

package/dist/decorator/policy.decorator.js

@@ -0,0 +1,28 @@
+import 'reflect-metadata';
+import { Injectable } from '@nestjs/common';
+import { POLICY_RESOURCE_METADATA } from '../tokens.js';
+/**
+ * Marks a class as the policy for `resource`. The class methods become abilities
+ * dispatched by name (e.g. `update(user, post)` answers `gate.authorize('update', post)`).
+ *
+ * Applying `@Policy` also makes the class an `@Injectable()` provider so it can
+ * be auto-discovered and resolved from the Nest container.
+ */
+export function Policy(resource) {
+    return (target) => {
+        Reflect.defineMetadata(POLICY_RESOURCE_METADATA, resource, target);
+        // Make the policy a provider without forcing the app to add @Injectable().
+        Injectable()(target);
+    };
+}
+/**
+ * Returns the resource class a policy was declared for, or `undefined`.
+ *
+ * Uses `getMetadata` (not `getOwnMetadata`) so a subclass of a `@Policy`-decorated
+ * class still resolves the inherited resource via the prototype chain.
+ */
+export function getPolicyResource(policy) {
+    const ctor = typeof policy === 'function' ? policy : policy.constructor;
+    return Reflect.getMetadata(POLICY_RESOURCE_METADATA, ctor);
+}
+//# sourceMappingURL=policy.decorator.js.map

package/dist/decorator/policy.decorator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.decorator.js","sourceRoot":"","sources":["../../src/decorator/policy.decorator.ts"],"names":[],"mappings":"AAAA,OAAO,kBAAkB,CAAC;AAC1B,OAAO,EAAE,UAAU,EAAa,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,wBAAwB,EAAE,MAAM,cAAc,CAAC;AAGxD;;;;;;GAMG;AACH,MAAM,UAAU,MAAM,CAAC,QAAuB;IAC5C,OAAO,CAAC,MAAM,EAAE,EAAE;QAChB,OAAO,CAAC,cAAc,CAAC,wBAAwB,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;QACnE,2EAA2E;QAC3E,UAAU,EAAE,CAAC,MAAM,CAAC,CAAC;IACvB,CAAC,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAA8B;IAC9D,MAAM,IAAI,GAAG,OAAO,MAAM,KAAK,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAE,MAAyB,CAAC,WAAW,CAAC;IAC5F,OAAO,OAAO,CAAC,WAAW,CAAC,wBAAwB,EAAE,IAAI,CAA8B,CAAC;AAC1F,CAAC"}

package/dist/errors/exceptions.d.ts

@@ -0,0 +1,37 @@
+import { BadRequestException } from '@nestjs/common';
+export declare abstract class AuthzException extends Error {
+    constructor(message: string);
+}
+export declare class PolicyNotDecoratedException extends AuthzException {
+    readonly policyName: string;
+    constructor(policyName: string);
+}
+/**
+ * Thrown when an ability cannot be matched to any policy method or ad-hoc gate.
+ *
+ * This is a *programming* error (typically a typo'd ability name), not an
+ * authorization denial — so it maps to a `400 Bad Request` HttpException rather
+ * than surfacing as a 500. (A genuine denial throws `ForbiddenException` → 403.)
+ */
+export declare class AbilityNotResolvedException extends BadRequestException {
+    readonly ability: string;
+    readonly name = "AbilityNotResolvedException";
+    constructor(ability: string);
+}
+/**
+ * Thrown when a class-level ability (`gate.allows('create')`, no resource) is
+ * ambiguous: more than one registered policy defines a method with that name, so
+ * picking one by Map-insertion order would be a silent, arbitrary choice. Pass an
+ * explicit resource class (`gate.allows('create', Post)`) to disambiguate.
+ */
+export declare class AmbiguousAbilityException extends BadRequestException {
+    readonly ability: string;
+    readonly policyNames: string[];
+    readonly name = "AmbiguousAbilityException";
+    constructor(ability: string, policyNames: string[]);
+}
+export declare class ResourceResolverMissingException extends AuthzException {
+    readonly ability: string;
+    constructor(ability: string);
+}
+//# sourceMappingURL=exceptions.d.ts.map

package/dist/errors/exceptions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"exceptions.d.ts","sourceRoot":"","sources":["../../src/errors/exceptions.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAErD,8BAAsB,cAAe,SAAQ,KAAK;gBACpC,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,2BAA4B,SAAQ,cAAc;aACjC,UAAU,EAAE,MAAM;gBAAlB,UAAU,EAAE,MAAM;CAG/C;AAED;;;;;;GAMG;AACH,qBAAa,2BAA4B,SAAQ,mBAAmB;aAEtC,OAAO,EAAE,MAAM;IAD3C,SAAkB,IAAI,iCAAiC;gBAC3B,OAAO,EAAE,MAAM;CAK5C;AAED;;;;;GAKG;AACH,qBAAa,yBAA0B,SAAQ,mBAAmB;aAG9C,OAAO,EAAE,MAAM;aACf,WAAW,EAAE,MAAM,EAAE;IAHvC,SAAkB,IAAI,+BAA+B;gBAEnC,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,MAAM,EAAE;CAQxC;AAED,qBAAa,gCAAiC,SAAQ,cAAc;aACtC,OAAO,EAAE,MAAM;gBAAf,OAAO,EAAE,MAAM;CAK5C"}

package/dist/errors/exceptions.js

@@ -0,0 +1,53 @@
+import { BadRequestException } from '@nestjs/common';
+export class AuthzException extends Error {
+    constructor(message) {
+        super(message);
+        this.name = new.target.name;
+    }
+}
+export class PolicyNotDecoratedException extends AuthzException {
+    policyName;
+    constructor(policyName) {
+        super(`${policyName} is missing @Policy(Resource). Decorate it with the resource class.`);
+        this.policyName = policyName;
+    }
+}
+/**
+ * Thrown when an ability cannot be matched to any policy method or ad-hoc gate.
+ *
+ * This is a *programming* error (typically a typo'd ability name), not an
+ * authorization denial — so it maps to a `400 Bad Request` HttpException rather
+ * than surfacing as a 500. (A genuine denial throws `ForbiddenException` → 403.)
+ */
+export class AbilityNotResolvedException extends BadRequestException {
+    ability;
+    name = 'AbilityNotResolvedException';
+    constructor(ability) {
+        super(`Ability "${ability}" could not be resolved. No matching policy method or gate.define('${ability}', ...).`);
+        this.ability = ability;
+    }
+}
+/**
+ * Thrown when a class-level ability (`gate.allows('create')`, no resource) is
+ * ambiguous: more than one registered policy defines a method with that name, so
+ * picking one by Map-insertion order would be a silent, arbitrary choice. Pass an
+ * explicit resource class (`gate.allows('create', Post)`) to disambiguate.
+ */
+export class AmbiguousAbilityException extends BadRequestException {
+    ability;
+    policyNames;
+    name = 'AmbiguousAbilityException';
+    constructor(ability, policyNames) {
+        super(`Ability "${ability}" is ambiguous: it is defined by multiple policies (${policyNames.join(', ')}). Pass the resource class explicitly, e.g. gate.allows('${ability}', Resource).`);
+        this.ability = ability;
+        this.policyNames = policyNames;
+    }
+}
+export class ResourceResolverMissingException extends AuthzException {
+    ability;
+    constructor(ability) {
+        super(`@Can('${ability}', Resource) needs an instance but no ResourceResolver is registered. Register one via AuthzModule.forRoot or pass the resource programmatically.`);
+        this.ability = ability;
+    }
+}
+//# sourceMappingURL=exceptions.js.map

package/dist/errors/exceptions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"exceptions.js","sourceRoot":"","sources":["../../src/errors/exceptions.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAErD,MAAM,OAAgB,cAAe,SAAQ,KAAK;IAChD,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;IAC9B,CAAC;CACF;AAED,MAAM,OAAO,2BAA4B,SAAQ,cAAc;IACjC;IAA5B,YAA4B,UAAkB;QAC5C,KAAK,CAAC,GAAG,UAAU,qEAAqE,CAAC,CAAC;QADhE,eAAU,GAAV,UAAU,CAAQ;IAE9C,CAAC;CACF;AAED;;;;;;GAMG;AACH,MAAM,OAAO,2BAA4B,SAAQ,mBAAmB;IAEtC;IADV,IAAI,GAAG,6BAA6B,CAAC;IACvD,YAA4B,OAAe;QACzC,KAAK,CACH,YAAY,OAAO,sEAAsE,OAAO,UAAU,CAC3G,CAAC;QAHwB,YAAO,GAAP,OAAO,CAAQ;IAI3C,CAAC;CACF;AAED;;;;;GAKG;AACH,MAAM,OAAO,yBAA0B,SAAQ,mBAAmB;IAG9C;IACA;IAHA,IAAI,GAAG,2BAA2B,CAAC;IACrD,YACkB,OAAe,EACf,WAAqB;QAErC,KAAK,CACH,YAAY,OAAO,uDAAuD,WAAW,CAAC,IAAI,CACxF,IAAI,CACL,4DAA4D,OAAO,eAAe,CACpF,CAAC;QAPc,YAAO,GAAP,OAAO,CAAQ;QACf,gBAAW,GAAX,WAAW,CAAU;IAOvC,CAAC;CACF;AAED,MAAM,OAAO,gCAAiC,SAAQ,cAAc;IACtC;IAA5B,YAA4B,OAAe;QACzC,KAAK,CACH,SAAS,OAAO,mJAAmJ,CACpK,CAAC;QAHwB,YAAO,GAAP,OAAO,CAAQ;IAI3C,CAAC;CACF"}

package/dist/gate.d.ts

@@ -0,0 +1,81 @@
+import { ModuleRef } from '@nestjs/core';
+import type { ContextAccessor } from './context-accessor.js';
+import type { PermissionProvider } from './permission-provider.js';
+import { PolicyRegistry } from './policy-registry.js';
+import type { AuthzModuleOptions, GateFn, Resource, User } from './types.js';
+declare const NO_USER: unique symbol;
+type MaybeUser = User | typeof NO_USER;
+/**
+ * Laravel-style authorization Gate.
+ *
+ * Resolves an ability against either a registered `@Policy` method (by ability
+ * name, matched against the resource's policy) or an ad-hoc gate defined via
+ * {@link define}. Applies the global `superAdmin` before-hook and the per-policy
+ * `before` hook with short-circuit semantics.
+ *
+ * The current user comes from the optional {@link ContextAccessor} (nestjs-context)
+ * when present, or is supplied explicitly via {@link forUser}.
+ */
+export declare class Gate {
+    private readonly policies;
+    private readonly context?;
+    private readonly moduleRef?;
+    private readonly permissionProvider?;
+    private readonly gates;
+    private readonly superAdmin;
+    private readonly resolveUser;
+    constructor(policies: PolicyRegistry, options: AuthzModuleOptions | undefined, context?: ContextAccessor | undefined, moduleRef?: ModuleRef | undefined, permissionProvider?: PermissionProvider | undefined);
+    /**
+     * Locate the context accessor. Prefers the value injected into this module;
+     * falls back to a non-strict {@link ModuleRef} lookup so an accessor provided
+     * by ANY module (e.g. a global ContextModule, or the app root) is still found.
+     */
+    private resolveContext;
+    /**
+     * Locate the optional {@link PermissionProvider} (the RBAC seam). Prefers the value
+     * injected into this module; falls back to a non-strict {@link ModuleRef} lookup so a
+     * provider registered by ANY module (e.g. the RBAC adapter's global module) is found.
+     */
+    private resolvePermissionProvider;
+    /** Register an ad-hoc, model-less gate resolved by `ability` name. */
+    define(ability: string, fn: GateFn): this;
+    /** True when an ad-hoc gate is registered for `ability`. */
+    hasGate(ability: string): boolean;
+    /**
+     * Bind an explicit user, bypassing the context accessor. Use when no
+     * nestjs-context is wired, or to check a user other than the current one.
+     *
+     * A nullish user (`forUser(undefined)` / `forUser(null)`) is an explicit
+     * anonymous request: it maps to the same deny path as an unauthenticated
+     * context (`NO_USER`), so policies/gates are never invoked with `undefined` and
+     * never throw. The `resolveUser` hook is NOT applied to `forUser` — the value
+     * you pass is used verbatim.
+     */
+    forUser(user: User): BoundGate;
+    /**
+     * Resolve the current user from the context accessor, or `NO_USER`.
+     * When a `resolveUser` hook is configured, hydrate the full entity from the
+     * context's {@link UserRef}; a hook returning nullish maps to `NO_USER`.
+     */
+    private currentUser;
+    allows(ability: string, resource?: Resource): Promise<boolean>;
+    denies(ability: string, resource?: Resource): Promise<boolean>;
+    authorize(ability: string, resource?: Resource): Promise<void>;
+    /** @internal */
+    allowsForUser(user: MaybeUser, ability: string, resource?: Resource): Promise<boolean>;
+    private check;
+    private resolvePolicy;
+}
+/**
+ * A {@link Gate} bound to an explicit user. Returned by {@link Gate.forUser}.
+ */
+export declare class BoundGate {
+    private readonly gate;
+    private readonly user;
+    constructor(gate: Gate, user: MaybeUser);
+    allows(ability: string, resource?: Resource): Promise<boolean>;
+    denies(ability: string, resource?: Resource): Promise<boolean>;
+    authorize(ability: string, resource?: Resource): Promise<void>;
+}
+export {};
+//# sourceMappingURL=gate.d.ts.map

package/dist/gate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gate.d.ts","sourceRoot":"","sources":["../src/gate.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,KAAK,EAAE,eAAe,EAAW,MAAM,uBAAuB,CAAC;AAEtE,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AACnE,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAEtD,OAAO,KAAK,EACV,kBAAkB,EAClB,MAAM,EAGN,QAAQ,EAER,IAAI,EACL,MAAM,YAAY,CAAC;AAIpB,QAAA,MAAM,OAAO,eAA0B,CAAC;AACxC,KAAK,SAAS,GAAG,IAAI,GAAG,OAAO,OAAO,CAAC;AAEvC;;;;;;;;;;GAUG;AACH,qBACa,IAAI;IAMb,OAAO,CAAC,QAAQ,CAAC,QAAQ;IAMzB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC;IAEzB,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;IAG3B,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC;IAhBtC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAA6B;IACnD,OAAO,CAAC,QAAQ,CAAC,UAAU,CAA6B;IACxD,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAoC;gBAG7C,QAAQ,EAAE,cAAc,EAGzC,OAAO,EAAE,kBAAkB,GAAG,SAAS,EAGtB,OAAO,CAAC,EAAE,eAAe,YAAA,EAEzB,SAAS,CAAC,EAAE,SAAS,YAAA,EAGrB,kBAAkB,CAAC,EAAE,kBAAkB,YAAA;IAM1D;;;;OAIG;IACH,OAAO,CAAC,cAAc;IAUtB;;;;OAIG;IACH,OAAO,CAAC,yBAAyB;IAUjC,sEAAsE;IACtE,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,IAAI;IAKzC,4DAA4D;IAC5D,OAAO,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAIjC;;;;;;;;;OASG;IACH,OAAO,CAAC,IAAI,EAAE,IAAI,GAAG,SAAS;IAI9B;;;;OAIG;YACW,WAAW;IAcnB,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;IAI9D,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;IAI9D,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;IAQpE,gBAAgB;IAChB,aAAa,CAAC,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;YAIxE,KAAK;IAsDnB,OAAO,CAAC,aAAa;CAwBtB;AAED;;GAEG;AACH,qBAAa,SAAS;IAElB,OAAO,CAAC,QAAQ,CAAC,IAAI;IACrB,OAAO,CAAC,QAAQ,CAAC,IAAI;gBADJ,IAAI,EAAE,IAAI,EACV,IAAI,EAAE,SAAS;IAGlC,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;IAIxD,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;IAI9D,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;CAKrE"}

package/dist/gate.js

@@ -0,0 +1,247 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+import { ForbiddenException, Inject, Injectable, Optional } from '@nestjs/common';
+import { ModuleRef } from '@nestjs/core';
+import { AbilityNotResolvedException, AmbiguousAbilityException } from './errors/exceptions.js';
+import { PolicyRegistry } from './policy-registry.js';
+import { AUTHZ_MODULE_OPTIONS, CONTEXT_ACCESSOR, PERMISSION_PROVIDER } from './tokens.js';
+// A sentinel marking "no user resolved" distinct from a legitimately-`undefined`
+// user. `forUser(undefined)` explicitly authorizes an anonymous user.
+const NO_USER = Symbol('authz:no-user');
+/**
+ * Laravel-style authorization Gate.
+ *
+ * Resolves an ability against either a registered `@Policy` method (by ability
+ * name, matched against the resource's policy) or an ad-hoc gate defined via
+ * {@link define}. Applies the global `superAdmin` before-hook and the per-policy
+ * `before` hook with short-circuit semantics.
+ *
+ * The current user comes from the optional {@link ContextAccessor} (nestjs-context)
+ * when present, or is supplied explicitly via {@link forUser}.
+ */
+let Gate = class Gate {
+    policies;
+    context;
+    moduleRef;
+    permissionProvider;
+    gates = new Map();
+    superAdmin;
+    resolveUser;
+    constructor(policies, options, context, moduleRef, permissionProvider) {
+        this.policies = policies;
+        this.context = context;
+        this.moduleRef = moduleRef;
+        this.permissionProvider = permissionProvider;
+        this.superAdmin = options?.superAdmin;
+        this.resolveUser = options?.resolveUser;
+    }
+    /**
+     * Locate the context accessor. Prefers the value injected into this module;
+     * falls back to a non-strict {@link ModuleRef} lookup so an accessor provided
+     * by ANY module (e.g. a global ContextModule, or the app root) is still found.
+     */
+    resolveContext() {
+        if (this.context)
+            return this.context;
+        if (!this.moduleRef)
+            return undefined;
+        try {
+            return this.moduleRef.get(CONTEXT_ACCESSOR, { strict: false });
+        }
+        catch {
+            return undefined;
+        }
+    }
+    /**
+     * Locate the optional {@link PermissionProvider} (the RBAC seam). Prefers the value
+     * injected into this module; falls back to a non-strict {@link ModuleRef} lookup so a
+     * provider registered by ANY module (e.g. the RBAC adapter's global module) is found.
+     */
+    resolvePermissionProvider() {
+        if (this.permissionProvider)
+            return this.permissionProvider;
+        if (!this.moduleRef)
+            return undefined;
+        try {
+            return this.moduleRef.get(PERMISSION_PROVIDER, { strict: false });
+        }
+        catch {
+            return undefined;
+        }
+    }
+    /** Register an ad-hoc, model-less gate resolved by `ability` name. */
+    define(ability, fn) {
+        this.gates.set(ability, fn);
+        return this;
+    }
+    /** True when an ad-hoc gate is registered for `ability`. */
+    hasGate(ability) {
+        return this.gates.has(ability);
+    }
+    /**
+     * Bind an explicit user, bypassing the context accessor. Use when no
+     * nestjs-context is wired, or to check a user other than the current one.
+     *
+     * A nullish user (`forUser(undefined)` / `forUser(null)`) is an explicit
+     * anonymous request: it maps to the same deny path as an unauthenticated
+     * context (`NO_USER`), so policies/gates are never invoked with `undefined` and
+     * never throw. The `resolveUser` hook is NOT applied to `forUser` — the value
+     * you pass is used verbatim.
+     */
+    forUser(user) {
+        return new BoundGate(this, user == null ? NO_USER : user);
+    }
+    /**
+     * Resolve the current user from the context accessor, or `NO_USER`.
+     * When a `resolveUser` hook is configured, hydrate the full entity from the
+     * context's {@link UserRef}; a hook returning nullish maps to `NO_USER`.
+     */
+    async currentUser() {
+        const context = this.resolveContext();
+        if (!context)
+            return NO_USER;
+        const ref = context.userRef();
+        if (ref === undefined)
+            return NO_USER;
+        if (this.resolveUser) {
+            const hydrated = await this.resolveUser(ref);
+            return hydrated == null ? NO_USER : hydrated;
+        }
+        return ref;
+    }
+    // --- public API (operates on the current/context user) ---
+    async allows(ability, resource) {
+        return this.check(await this.currentUser(), ability, resource);
+    }
+    async denies(ability, resource) {
+        return !(await this.allows(ability, resource));
+    }
+    async authorize(ability, resource) {
+        if (!(await this.allows(ability, resource))) {
+            throw new ForbiddenException(`Unauthorized: ${ability}`);
+        }
+    }
+    // --- internal: used by BoundGate too ---
+    /** @internal */
+    allowsForUser(user, ability, resource) {
+        return this.check(user, ability, resource);
+    }
+    async check(maybeUser, ability, resource) {
+        const user = maybeUser === NO_USER ? undefined : maybeUser;
+        // Global super-admin hook first.
+        const sa = await this.superAdmin?.(user, ability);
+        if (sa === true)
+            return true;
+        if (sa === false)
+            return false;
+        // RBAC seam (Laravel/spatie `Gate::before` grant): if a PermissionProvider is
+        // registered and the (authenticated) user holds the named permission, grant it.
+        // Grant-only — a `false`/`undefined` result falls through to normal resolution,
+        // so this never *denies* an ability a policy/gate would otherwise allow.
+        if (maybeUser !== NO_USER) {
+            const provider = this.resolvePermissionProvider();
+            if (provider) {
+                const granted = await provider.hasPermission(user, ability, resource);
+                if (granted === true)
+                    return true;
+            }
+        }
+        const policy = this.resolvePolicy(ability, resource);
+        if (policy) {
+            const method = policy[ability];
+            // The `before` hook may only answer abilities the policy actually defines.
+            // Gate it on method existence FIRST so a policy with a `before` but no
+            // matching method falls through to AbilityNotResolved instead of letting
+            // `before` grant/deny an ability the policy never declared.
+            if (typeof method === 'function') {
+                const before = policy.before;
+                if (typeof before === 'function') {
+                    const result = await before.call(policy, user, ability);
+                    if (result === true)
+                        return true;
+                    if (result === false)
+                        return false;
+                }
+                // Anonymous users are denied unless a hook granted access above.
+                if (maybeUser === NO_USER)
+                    return false;
+                return Boolean(await method.call(policy, user, resource));
+            }
+        }
+        // Fall back to an ad-hoc gate.
+        const gate = this.gates.get(ability);
+        if (gate) {
+            if (maybeUser === NO_USER)
+                return false;
+            return Boolean(await gate(user, resource));
+        }
+        throw new AbilityNotResolvedException(ability);
+    }
+    resolvePolicy(ability, resource) {
+        if (resource === undefined) {
+            // Class-level ability with no resource: scan registered policies for the
+            // method. If MORE THAN ONE policy defines it, picking by Map-insertion
+            // order would be a silent, arbitrary (and likely wrong) choice — throw so
+            // the caller disambiguates by passing the resource class explicitly.
+            const matches = this.policies
+                .all()
+                .filter((policy) => typeof policy[ability] === 'function');
+            if (matches.length === 0)
+                return undefined;
+            if (matches.length > 1) {
+                throw new AmbiguousAbilityException(ability, matches.map((p) => p.constructor?.name ?? 'Policy'));
+            }
+            return matches[0];
+        }
+        // Resource may be an instance or a class (for class-level abilities passed as Type).
+        if (typeof resource === 'function') {
+            return this.policies.forResource(resource);
+        }
+        return this.policies.forInstance(resource);
+    }
+};
+Gate = __decorate([
+    Injectable(),
+    __param(1, Optional()),
+    __param(1, Inject(AUTHZ_MODULE_OPTIONS)),
+    __param(2, Optional()),
+    __param(2, Inject(CONTEXT_ACCESSOR)),
+    __param(3, Optional()),
+    __param(4, Optional()),
+    __param(4, Inject(PERMISSION_PROVIDER)),
+    __metadata("design:paramtypes", [PolicyRegistry, Object, Object, ModuleRef, Object])
+], Gate);
+export { Gate };
+/**
+ * A {@link Gate} bound to an explicit user. Returned by {@link Gate.forUser}.
+ */
+export class BoundGate {
+    gate;
+    user;
+    constructor(gate, user) {
+        this.gate = gate;
+        this.user = user;
+    }
+    allows(ability, resource) {
+        return this.gate.allowsForUser(this.user, ability, resource);
+    }
+    async denies(ability, resource) {
+        return !(await this.allows(ability, resource));
+    }
+    async authorize(ability, resource) {
+        if (!(await this.allows(ability, resource))) {
+            throw new ForbiddenException(`Unauthorized: ${ability}`);
+        }
+    }
+}
+//# sourceMappingURL=gate.js.map

package/dist/gate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gate.js","sourceRoot":"","sources":["../src/gate.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAa,MAAM,gBAAgB,CAAC;AAC7F,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC,OAAO,EAAE,2BAA2B,EAAE,yBAAyB,EAAE,MAAM,wBAAwB,CAAC;AAEhG,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAW1F,iFAAiF;AACjF,sEAAsE;AACtE,MAAM,OAAO,GAAG,MAAM,CAAC,eAAe,CAAC,CAAC;AAGxC;;;;;;;;;;GAUG;AAEI,IAAM,IAAI,GAAV,MAAM,IAAI;IAMI;IAMA;IAEA;IAGA;IAhBF,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;IAClC,UAAU,CAA6B;IACvC,WAAW,CAAoC;IAEhE,YACmB,QAAwB,EAGzC,OAAuC,EAGtB,OAAyB,EAEzB,SAAqB,EAGrB,kBAAuC;QAXvC,aAAQ,GAAR,QAAQ,CAAgB;QAMxB,YAAO,GAAP,OAAO,CAAkB;QAEzB,cAAS,GAAT,SAAS,CAAY;QAGrB,uBAAkB,GAAlB,kBAAkB,CAAqB;QAExD,IAAI,CAAC,UAAU,GAAG,OAAO,EAAE,UAAU,CAAC;QACtC,IAAI,CAAC,WAAW,GAAG,OAAO,EAAE,WAAW,CAAC;IAC1C,CAAC;IAED;;;;OAIG;IACK,cAAc;QACpB,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC,OAAO,CAAC;QACtC,IAAI,CAAC,IAAI,CAAC,SAAS;YAAE,OAAO,SAAS,CAAC;QACtC,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAkB,gBAAgB,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAClF,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAED;;;;OAIG;IACK,yBAAyB;QAC/B,IAAI,IAAI,CAAC,kBAAkB;YAAE,OAAO,IAAI,CAAC,kBAAkB,CAAC;QAC5D,IAAI,CAAC,IAAI,CAAC,SAAS;YAAE,OAAO,SAAS,CAAC;QACtC,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAqB,mBAAmB,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QACxF,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAED,sEAAsE;IACtE,MAAM,CAAC,OAAe,EAAE,EAAU;QAChC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAC5B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,4DAA4D;IAC5D,OAAO,CAAC,OAAe;QACrB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACjC,CAAC;IAED;;;;;;;;;OASG;IACH,OAAO,CAAC,IAAU;QAChB,OAAO,IAAI,SAAS,CAAC,IAAI,EAAE,IAAI,IAAI,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IAC5D,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,WAAW;QACvB,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;QACtC,IAAI,CAAC,OAAO;YAAE,OAAO,OAAO,CAAC;QAC7B,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;QAC9B,IAAI,GAAG,KAAK,SAAS;YAAE,OAAO,OAAO,CAAC;QACtC,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,GAAc,CAAC,CAAC;YACxD,OAAO,QAAQ,IAAI,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC;QAC/C,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAED,4DAA4D;IAE5D,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,QAAmB;QAC/C,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,IAAI,CAAC,WAAW,EAAE,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACjE,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,QAAmB;QAC/C,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,OAAe,EAAE,QAAmB;QAClD,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,EAAE,CAAC;YAC5C,MAAM,IAAI,kBAAkB,CAAC,iBAAiB,OAAO,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED,0CAA0C;IAE1C,gBAAgB;IAChB,aAAa,CAAC,IAAe,EAAE,OAAe,EAAE,QAAmB;QACjE,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC7C,CAAC;IAEO,KAAK,CAAC,KAAK,CACjB,SAAoB,EACpB,OAAe,EACf,QAAmB;QAEnB,MAAM,IAAI,GAAS,SAAS,KAAK,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;QAEjE,iCAAiC;QACjC,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAClD,IAAI,EAAE,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QAC7B,IAAI,EAAE,KAAK,KAAK;YAAE,OAAO,KAAK,CAAC;QAE/B,8EAA8E;QAC9E,gFAAgF;QAChF,gFAAgF;QAChF,yEAAyE;QACzE,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;YAC1B,MAAM,QAAQ,GAAG,IAAI,CAAC,yBAAyB,EAAE,CAAC;YAClD,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;gBACtE,IAAI,OAAO,KAAK,IAAI;oBAAE,OAAO,IAAI,CAAC;YACpC,CAAC;QACH,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACrD,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,MAAM,GAAI,MAAkC,CAAC,OAAO,CAAC,CAAC;YAC5D,2EAA2E;YAC3E,uEAAuE;YACvE,yEAAyE;YACzE,4DAA4D;YAC5D,IAAI,OAAO,MAAM,KAAK,UAAU,EAAE,CAAC;gBACjC,MAAM,MAAM,GAAI,MAAyB,CAAC,MAAsC,CAAC;gBACjF,IAAI,OAAO,MAAM,KAAK,UAAU,EAAE,CAAC;oBACjC,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;oBACxD,IAAI,MAAM,KAAK,IAAI;wBAAE,OAAO,IAAI,CAAC;oBACjC,IAAI,MAAM,KAAK,KAAK;wBAAE,OAAO,KAAK,CAAC;gBACrC,CAAC;gBACD,iEAAiE;gBACjE,IAAI,SAAS,KAAK,OAAO;oBAAE,OAAO,KAAK,CAAC;gBACxC,OAAO,OAAO,CAAC,MAAO,MAAuC,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC;YAC9F,CAAC;QACH,CAAC;QAED,+BAA+B;QAC/B,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACrC,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,SAAS,KAAK,OAAO;gBAAE,OAAO,KAAK,CAAC;YACxC,OAAO,OAAO,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC;QAC7C,CAAC;QAED,MAAM,IAAI,2BAA2B,CAAC,OAAO,CAAC,CAAC;IACjD,CAAC;IAEO,aAAa,CAAC,OAAe,EAAE,QAAmB;QACxD,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC3B,yEAAyE;YACzE,uEAAuE;YACvE,0EAA0E;YAC1E,qEAAqE;YACrE,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ;iBAC1B,GAAG,EAAE;iBACL,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,OAAQ,MAAkC,CAAC,OAAO,CAAC,KAAK,UAAU,CAAC,CAAC;YAC1F,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,SAAS,CAAC;YAC3C,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACvB,MAAM,IAAI,yBAAyB,CACjC,OAAO,EACP,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAE,CAAoB,CAAC,WAAW,EAAE,IAAI,IAAI,QAAQ,CAAC,CACxE,CAAC;YACJ,CAAC;YACD,OAAO,OAAO,CAAC,CAAC,CAAC,CAAC;QACpB,CAAC;QACD,qFAAqF;QACrF,IAAI,OAAO,QAAQ,KAAK,UAAU,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAyB,CAAC,CAAC;QAC9D,CAAC;QACD,OAAO,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;IAC7C,CAAC;CACF,CAAA;AApMY,IAAI;IADhB,UAAU,EAAE;IAQR,WAAA,QAAQ,EAAE,CAAA;IACV,WAAA,MAAM,CAAC,oBAAoB,CAAC,CAAA;IAE5B,WAAA,QAAQ,EAAE,CAAA;IACV,WAAA,MAAM,CAAC,gBAAgB,CAAC,CAAA;IAExB,WAAA,QAAQ,EAAE,CAAA;IAEV,WAAA,QAAQ,EAAE,CAAA;IACV,WAAA,MAAM,CAAC,mBAAmB,CAAC,CAAA;qCAVD,cAAc,kBAQZ,SAAS;GAd7B,IAAI,CAoMhB;;AAED;;GAEG;AACH,MAAM,OAAO,SAAS;IAED;IACA;IAFnB,YACmB,IAAU,EACV,IAAe;QADf,SAAI,GAAJ,IAAI,CAAM;QACV,SAAI,GAAJ,IAAI,CAAW;IAC/B,CAAC;IAEJ,MAAM,CAAC,OAAe,EAAE,QAAmB;QACzC,OAAO,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC/D,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,QAAmB;QAC/C,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,OAAe,EAAE,QAAmB;QAClD,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,EAAE,CAAC;YAC5C,MAAM,IAAI,kBAAkB,CAAC,iBAAiB,OAAO,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;CACF"}