@dudousxd/nestjs-authz 0.2.0

package/dist/guard/can.guard.d.ts

@@ -0,0 +1,31 @@
+import { type CanActivate, type ExecutionContext } from '@nestjs/common';
+import { ModuleRef, Reflector } from '@nestjs/core';
+import { Gate } from '../gate.js';
+import type { ResourceResolver } from '../resource-resolver.js';
+/**
+ * Enforces `@Can(ability, Resource?)` on routes.
+ *
+ * - No `@Can` metadata → allow (the guard is inert on un-annotated routes).
+ * - Resource class + not class-level → load instance via {@link ResourceResolver}
+ *   (a missing/undefined instance is a denial).
+ * - Class-level or no resource → dispatch against the class / ad-hoc gate.
+ *
+ * The decision is delegated to {@link Gate.authorize}, which throws
+ * `ForbiddenException` on denial.
+ */
+export declare class CanGuard implements CanActivate {
+    private readonly reflector;
+    private readonly gate;
+    private readonly moduleRef;
+    private readonly resolver?;
+    constructor(reflector: Reflector, gate: Gate, moduleRef: ModuleRef, resolver?: ResourceResolver | undefined);
+    /**
+     * Locate the resource resolver. Prefers the value injected into this module;
+     * falls back to a non-strict {@link ModuleRef} lookup so a resolver provided by
+     * ANY module (e.g. the app root) is found even though the guard lives in the
+     * global AuthzModule.
+     */
+    private resolveResolver;
+    canActivate(ctx: ExecutionContext): Promise<boolean>;
+}
+//# sourceMappingURL=can.guard.d.ts.map

package/dist/guard/can.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"can.guard.d.ts","sourceRoot":"","sources":["../../src/guard/can.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,WAAW,EAChB,KAAK,gBAAgB,EAKtB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAGpD,OAAO,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAClC,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAIhE;;;;;;;;;;GAUG;AACH,qBACa,QAAS,YAAW,WAAW;IAExC,OAAO,CAAC,QAAQ,CAAC,SAAS;IAC1B,OAAO,CAAC,QAAQ,CAAC,IAAI;IACrB,OAAO,CAAC,QAAQ,CAAC,SAAS;IAG1B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBALT,SAAS,EAAE,SAAS,EACpB,IAAI,EAAE,IAAI,EACV,SAAS,EAAE,SAAS,EAGpB,QAAQ,CAAC,EAAE,gBAAgB,YAAA;IAG9C;;;;;OAKG;IACH,OAAO,CAAC,eAAe;IASjB,WAAW,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;CA2B3D"}

package/dist/guard/can.guard.js

@@ -0,0 +1,92 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+import { ForbiddenException, Inject, Injectable, Optional, } from '@nestjs/common';
+import { ModuleRef, Reflector } from '@nestjs/core';
+import { ResourceResolverMissingException } from '../errors/exceptions.js';
+import { Gate } from '../gate.js';
+import { CAN_METADATA, RESOURCE_RESOLVER } from '../tokens.js';
+/**
+ * Enforces `@Can(ability, Resource?)` on routes.
+ *
+ * - No `@Can` metadata → allow (the guard is inert on un-annotated routes).
+ * - Resource class + not class-level → load instance via {@link ResourceResolver}
+ *   (a missing/undefined instance is a denial).
+ * - Class-level or no resource → dispatch against the class / ad-hoc gate.
+ *
+ * The decision is delegated to {@link Gate.authorize}, which throws
+ * `ForbiddenException` on denial.
+ */
+let CanGuard = class CanGuard {
+    reflector;
+    gate;
+    moduleRef;
+    resolver;
+    constructor(reflector, gate, moduleRef, resolver) {
+        this.reflector = reflector;
+        this.gate = gate;
+        this.moduleRef = moduleRef;
+        this.resolver = resolver;
+    }
+    /**
+     * Locate the resource resolver. Prefers the value injected into this module;
+     * falls back to a non-strict {@link ModuleRef} lookup so a resolver provided by
+     * ANY module (e.g. the app root) is found even though the guard lives in the
+     * global AuthzModule.
+     */
+    resolveResolver() {
+        if (this.resolver)
+            return this.resolver;
+        try {
+            return this.moduleRef.get(RESOURCE_RESOLVER, { strict: false });
+        }
+        catch {
+            return undefined;
+        }
+    }
+    async canActivate(ctx) {
+        const meta = this.reflector.getAllAndOverride(CAN_METADATA, [
+            ctx.getHandler(),
+            ctx.getClass(),
+        ]);
+        if (!meta)
+            return true;
+        // Ad-hoc gate or class-level → no instance to load.
+        if (!meta.resource || meta.classLevel) {
+            const resource = meta.classLevel ? meta.resource : undefined;
+            await this.gate.authorize(meta.ability, resource);
+            return true;
+        }
+        // Instance ability → resolve the resource by route param / app resolver.
+        const resolver = this.resolveResolver();
+        if (!resolver) {
+            throw new ResourceResolverMissingException(meta.ability);
+        }
+        const instance = await resolver.resolve(meta.resource, ctx);
+        if (instance === undefined) {
+            // Not found → deny rather than dispatch a policy with a bogus resource.
+            throw new ForbiddenException(`Unauthorized: ${meta.ability}`);
+        }
+        await this.gate.authorize(meta.ability, instance);
+        return true;
+    }
+};
+CanGuard = __decorate([
+    Injectable(),
+    __param(3, Optional()),
+    __param(3, Inject(RESOURCE_RESOLVER)),
+    __metadata("design:paramtypes", [Reflector,
+        Gate,
+        ModuleRef, Object])
+], CanGuard);
+export { CanGuard };
+//# sourceMappingURL=can.guard.js.map

package/dist/guard/can.guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"can.guard.js","sourceRoot":"","sources":["../../src/guard/can.guard.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAGL,kBAAkB,EAClB,MAAM,EACN,UAAU,EACV,QAAQ,GACT,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEpD,OAAO,EAAE,gCAAgC,EAAE,MAAM,yBAAyB,CAAC;AAC3E,OAAO,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAElC,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAG/D;;;;;;;;;;GAUG;AAEI,IAAM,QAAQ,GAAd,MAAM,QAAQ;IAEA;IACA;IACA;IAGA;IANnB,YACmB,SAAoB,EACpB,IAAU,EACV,SAAoB,EAGpB,QAA2B;QAL3B,cAAS,GAAT,SAAS,CAAW;QACpB,SAAI,GAAJ,IAAI,CAAM;QACV,cAAS,GAAT,SAAS,CAAW;QAGpB,aAAQ,GAAR,QAAQ,CAAmB;IAC3C,CAAC;IAEJ;;;;;OAKG;IACK,eAAe;QACrB,IAAI,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC,QAAQ,CAAC;QACxC,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAmB,iBAAiB,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QACpF,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAqB;QACrC,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAA0B,YAAY,EAAE;YACnF,GAAG,CAAC,UAAU,EAAE;YAChB,GAAG,CAAC,QAAQ,EAAE;SACf,CAAC,CAAC;QACH,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAEvB,oDAAoD;QACpD,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC,CAAE,IAAI,CAAC,QAAgC,CAAC,CAAC,CAAC,SAAS,CAAC;YACtF,MAAM,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YAClD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,yEAAyE;QACzE,MAAM,QAAQ,GAAG,IAAI,CAAC,eAAe,EAAE,CAAC;QACxC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,gCAAgC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC3D,CAAC;QACD,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC5D,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC3B,wEAAwE;YACxE,MAAM,IAAI,kBAAkB,CAAC,iBAAiB,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;QAChE,CAAC;QACD,MAAM,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAClD,OAAO,IAAI,CAAC;IACd,CAAC;CACF,CAAA;AApDY,QAAQ;IADpB,UAAU,EAAE;IAMR,WAAA,QAAQ,EAAE,CAAA;IACV,WAAA,MAAM,CAAC,iBAAiB,CAAC,CAAA;qCAJE,SAAS;QACd,IAAI;QACC,SAAS;GAJ5B,QAAQ,CAoDpB"}

package/dist/index.d.ts

@@ -0,0 +1,16 @@
+export declare const VERSION = "0.0.0";
+export { Gate, BoundGate } from './gate.js';
+export { PolicyRegistry } from './policy-registry.js';
+export { Policy, getPolicyResource } from './decorator/policy.decorator.js';
+export { Can } from './decorator/can.decorator.js';
+export type { CanMetadata, CanOptions } from './decorator/can.decorator.js';
+export { CanGuard } from './guard/can.guard.js';
+export { AuthzModule } from './module.js';
+export { IdParamResourceResolver } from './resource-resolver.js';
+export type { ResourceResolver } from './resource-resolver.js';
+export type { ContextAccessor, ContextStore, UserRef } from './context-accessor.js';
+export type { PermissionProvider } from './permission-provider.js';
+export { AUTHZ_MODULE_OPTIONS, RESOURCE_RESOLVER, CONTEXT_ACCESSOR, PERMISSION_PROVIDER, POLICY_RESOURCE_METADATA, CAN_METADATA, } from './tokens.js';
+export { AuthzException, PolicyNotDecoratedException, AbilityNotResolvedException, AmbiguousAbilityException, ResourceResolverMissingException, } from './errors/exceptions.js';
+export type { AuthzModuleOptions, AuthzModuleAsyncOptions, AuthzModuleOptionsFactory, GateFn, PolicyBeforeHook, PolicyInstance, PolicyMethod, Resource, SuperAdminHook, User, } from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,OAAO,UAAU,CAAC;AAE/B,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AAC5E,OAAO,EAAE,GAAG,EAAE,MAAM,8BAA8B,CAAC;AACnD,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,8BAA8B,CAAC;AAC5E,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACjE,YAAY,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,YAAY,EAAE,eAAe,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AACpF,YAAY,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AACnE,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,gBAAgB,EAChB,mBAAmB,EACnB,wBAAwB,EACxB,YAAY,GACb,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,cAAc,EACd,2BAA2B,EAC3B,2BAA2B,EAC3B,yBAAyB,EACzB,gCAAgC,GACjC,MAAM,wBAAwB,CAAC;AAChC,YAAY,EACV,kBAAkB,EAClB,uBAAuB,EACvB,yBAAyB,EACzB,MAAM,EACN,gBAAgB,EAChB,cAAc,EACd,YAAY,EACZ,QAAQ,EACR,cAAc,EACd,IAAI,GACL,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -0,0 +1,11 @@
+export const VERSION = '0.0.0';
+export { Gate, BoundGate } from './gate.js';
+export { PolicyRegistry } from './policy-registry.js';
+export { Policy, getPolicyResource } from './decorator/policy.decorator.js';
+export { Can } from './decorator/can.decorator.js';
+export { CanGuard } from './guard/can.guard.js';
+export { AuthzModule } from './module.js';
+export { IdParamResourceResolver } from './resource-resolver.js';
+export { AUTHZ_MODULE_OPTIONS, RESOURCE_RESOLVER, CONTEXT_ACCESSOR, PERMISSION_PROVIDER, POLICY_RESOURCE_METADATA, CAN_METADATA, } from './tokens.js';
+export { AuthzException, PolicyNotDecoratedException, AbilityNotResolvedException, AmbiguousAbilityException, ResourceResolverMissingException, } from './errors/exceptions.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC;AAE/B,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AAC5E,OAAO,EAAE,GAAG,EAAE,MAAM,8BAA8B,CAAC;AAEnD,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AAIjE,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,gBAAgB,EAChB,mBAAmB,EACnB,wBAAwB,EACxB,YAAY,GACb,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,cAAc,EACd,2BAA2B,EAC3B,2BAA2B,EAC3B,yBAAyB,EACzB,gCAAgC,GACjC,MAAM,wBAAwB,CAAC"}

package/dist/module.d.ts

@@ -0,0 +1,20 @@
+import { type DynamicModule } from '@nestjs/common';
+import type { AuthzModuleAsyncOptions, AuthzModuleOptions } from './types.js';
+export declare class AuthzModule {
+    static forRoot(options?: AuthzModuleOptions): DynamicModule;
+    static forRootAsync(options: AuthzModuleAsyncOptions): DynamicModule;
+    /**
+     * Register a default {@link ResourceResolver} bound to {@link RESOURCE_RESOLVER}
+     * so `@Can('update', Post)` works out-of-the-box on a clean install (no manual
+     * resolver wiring needed). Reads the resolved options so a `resourceResolver`
+     * override / `idParam` knob from forRoot OR forRootAsync is honored.
+     */
+    private static resourceResolverProviders;
+    /**
+     * Provider that populates the {@link PolicyRegistry} on init (explicit policies
+     * + auto-discovered `@Policy` providers). Registered for both forRoot/forRootAsync.
+     */
+    private static bootstrapProviders;
+    private static buildAsyncOptionsProvider;
+}
+//# sourceMappingURL=module.d.ts.map

package/dist/module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"module.d.ts","sourceRoot":"","sources":["../src/module.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,aAAa,EAQnB,MAAM,gBAAgB,CAAC;AAQxB,OAAO,KAAK,EACV,uBAAuB,EACvB,kBAAkB,EAGnB,MAAM,YAAY,CAAC;AAmEpB,qBACa,WAAW;IACtB,MAAM,CAAC,OAAO,CAAC,OAAO,GAAE,kBAAuB,GAAG,aAAa;IA2B/D,MAAM,CAAC,YAAY,CAAC,OAAO,EAAE,uBAAuB,GAAG,aAAa;IAoBpE;;;;;OAKG;IACH,OAAO,CAAC,MAAM,CAAC,yBAAyB;IAWxC;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,kBAAkB;IAIjC,OAAO,CAAC,MAAM,CAAC,yBAAyB;CA2BzC"}

package/dist/module.js

@@ -0,0 +1,194 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+var AuthzModule_1;
+import { Inject, Injectable, Module, Optional, } from '@nestjs/common';
+import { APP_GUARD, DiscoveryModule, DiscoveryService, ModuleRef } from '@nestjs/core';
+import { getPolicyResource } from './decorator/policy.decorator.js';
+import { Gate } from './gate.js';
+import { CanGuard } from './guard/can.guard.js';
+import { PolicyRegistry } from './policy-registry.js';
+import { IdParamResourceResolver } from './resource-resolver.js';
+import { AUTHZ_MODULE_OPTIONS, RESOURCE_RESOLVER } from './tokens.js';
+/**
+ * Populates the {@link PolicyRegistry} at boot from explicit `policies: []` and
+ * auto-discovered `@Policy`-decorated providers.
+ *
+ * Explicit policies are read from the RESOLVED {@link AUTHZ_MODULE_OPTIONS} (so a
+ * `forRootAsync` `useFactory`/`useClass` that returns `policies: [...]` registers
+ * them too) and resolved as provider instances via {@link ModuleRef}.
+ */
+let AuthzPolicyBootstrap = class AuthzPolicyBootstrap {
+    registry;
+    discovery;
+    moduleRef;
+    options;
+    constructor(registry, discovery, moduleRef, options) {
+        this.registry = registry;
+        this.discovery = discovery;
+        this.moduleRef = moduleRef;
+        this.options = options;
+    }
+    async onModuleInit() {
+        const seen = new Set();
+        // 1. Explicit `policies: []` from resolved options (forRoot AND forRootAsync).
+        for (const PolicyClass of this.options?.policies ?? []) {
+            if (seen.has(PolicyClass))
+                continue;
+            const instance = await this.resolvePolicyInstance(PolicyClass);
+            if (instance) {
+                seen.add(PolicyClass);
+                this.registry.register(instance);
+            }
+        }
+        // 2. Auto-discovered @Policy-decorated providers.
+        for (const wrapper of this.discovery.getProviders()) {
+            const instance = wrapper.instance;
+            if (!instance || typeof instance !== 'object')
+                continue;
+            const ctor = instance.constructor;
+            if (!ctor || seen.has(ctor))
+                continue;
+            if (getPolicyResource(instance)) {
+                seen.add(ctor);
+                this.registry.register(instance);
+            }
+        }
+    }
+    /**
+     * Resolve a policy class to an instance. Prefers an existing provider (so DI
+     * deps are honored); falls back to instantiating it through the container when
+     * the class was passed via `forRootAsync` options but not registered as a
+     * provider anywhere.
+     */
+    async resolvePolicyInstance(PolicyClass) {
+        try {
+            return this.moduleRef.get(PolicyClass, { strict: false });
+        }
+        catch {
+            // not a registered provider — instantiate via the container.
+        }
+        try {
+            return await this.moduleRef.create(PolicyClass);
+        }
+        catch {
+            return undefined;
+        }
+    }
+};
+AuthzPolicyBootstrap = __decorate([
+    Injectable(),
+    __param(3, Optional()),
+    __param(3, Inject(AUTHZ_MODULE_OPTIONS)),
+    __metadata("design:paramtypes", [PolicyRegistry,
+        DiscoveryService,
+        ModuleRef, Object])
+], AuthzPolicyBootstrap);
+let AuthzModule = AuthzModule_1 = class AuthzModule {
+    static forRoot(options = {}) {
+        const policyProviders = (options.policies ?? []).map((P) => P);
+        return {
+            module: AuthzModule_1,
+            global: true,
+            imports: [DiscoveryModule],
+            providers: [
+                { provide: AUTHZ_MODULE_OPTIONS, useValue: options },
+                ...policyProviders,
+                PolicyRegistry,
+                Gate,
+                CanGuard,
+                { provide: APP_GUARD, useExisting: CanGuard },
+                ...AuthzModule_1.resourceResolverProviders(),
+                ...AuthzModule_1.bootstrapProviders(),
+            ],
+            exports: [
+                Gate,
+                PolicyRegistry,
+                CanGuard,
+                AUTHZ_MODULE_OPTIONS,
+                RESOURCE_RESOLVER,
+                ...(options.policies ?? []),
+            ],
+        };
+    }
+    static forRootAsync(options) {
+        const asyncProvider = AuthzModule_1.buildAsyncOptionsProvider(options);
+        const asyncProviders = Array.isArray(asyncProvider) ? asyncProvider : [asyncProvider];
+        return {
+            module: AuthzModule_1,
+            global: true,
+            imports: [DiscoveryModule, ...(options.imports ?? [])],
+            providers: [
+                ...asyncProviders,
+                PolicyRegistry,
+                Gate,
+                CanGuard,
+                { provide: APP_GUARD, useExisting: CanGuard },
+                ...AuthzModule_1.resourceResolverProviders(),
+                ...AuthzModule_1.bootstrapProviders(),
+            ],
+            exports: [Gate, PolicyRegistry, CanGuard, AUTHZ_MODULE_OPTIONS, RESOURCE_RESOLVER],
+        };
+    }
+    /**
+     * Register a default {@link ResourceResolver} bound to {@link RESOURCE_RESOLVER}
+     * so `@Can('update', Post)` works out-of-the-box on a clean install (no manual
+     * resolver wiring needed). Reads the resolved options so a `resourceResolver`
+     * override / `idParam` knob from forRoot OR forRootAsync is honored.
+     */
+    static resourceResolverProviders() {
+        return [
+            {
+                provide: RESOURCE_RESOLVER,
+                useFactory: (options) => options?.resourceResolver ?? new IdParamResourceResolver(options?.idParam),
+                inject: [{ token: AUTHZ_MODULE_OPTIONS, optional: true }],
+            },
+        ];
+    }
+    /**
+     * Provider that populates the {@link PolicyRegistry} on init (explicit policies
+     * + auto-discovered `@Policy` providers). Registered for both forRoot/forRootAsync.
+     */
+    static bootstrapProviders() {
+        return [AuthzPolicyBootstrap];
+    }
+    static buildAsyncOptionsProvider(options) {
+        if (options.useFactory) {
+            return {
+                provide: AUTHZ_MODULE_OPTIONS,
+                useFactory: options.useFactory,
+                inject: (options.inject ?? []),
+            };
+        }
+        if (options.useClass) {
+            return [
+                { provide: options.useClass, useClass: options.useClass },
+                {
+                    provide: AUTHZ_MODULE_OPTIONS,
+                    useFactory: async (factory) => factory.createAuthzOptions(),
+                    inject: [options.useClass],
+                },
+            ];
+        }
+        const factoryClass = options.useExisting;
+        return {
+            provide: AUTHZ_MODULE_OPTIONS,
+            useFactory: async (factory) => factory.createAuthzOptions(),
+            inject: [factoryClass],
+        };
+    }
+};
+AuthzModule = AuthzModule_1 = __decorate([
+    Module({})
+], AuthzModule);
+export { AuthzModule };
+//# sourceMappingURL=module.js.map

package/dist/module.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"module.js","sourceRoot":"","sources":["../src/module.ts"],"names":[],"mappings":";;;;;;;;;;;;;AAAA,OAAO,EAEL,MAAM,EACN,UAAU,EACV,MAAM,EAEN,QAAQ,GAGT,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,gBAAgB,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACvF,OAAO,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AACpE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,uBAAuB,EAAyB,MAAM,wBAAwB,CAAC;AACxF,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAQtE;;;;;;;GAOG;AACH,IACM,oBAAoB,GAD1B,MACM,oBAAoB;IAEL;IACA;IACA;IAC0C;IAJ7D,YACmB,QAAwB,EACxB,SAA2B,EAC3B,SAAoB,EACsB,OAA4B;QAHtE,aAAQ,GAAR,QAAQ,CAAgB;QACxB,cAAS,GAAT,SAAS,CAAkB;QAC3B,cAAS,GAAT,SAAS,CAAW;QACsB,YAAO,GAAP,OAAO,CAAqB;IACtF,CAAC;IAEJ,KAAK,CAAC,YAAY;QAChB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAW,CAAC;QAEhC,+EAA+E;QAC/E,KAAK,MAAM,WAAW,IAAI,IAAI,CAAC,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,CAAC;YACvD,IAAI,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;gBAAE,SAAS;YACpC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,WAAW,CAAC,CAAC;YAC/D,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;gBACtB,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;QAED,kDAAkD;QAClD,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,EAAE,CAAC;YACpD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAsC,CAAC;YAChE,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ;gBAAE,SAAS;YACxD,MAAM,IAAI,GAAG,QAAQ,CAAC,WAAW,CAAC;YAClC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YACtC,IAAI,iBAAiB,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAChC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBACf,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACK,KAAK,CAAC,qBAAqB,CACjC,WAAiC;QAEjC,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAiB,WAAW,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAC5E,CAAC;QAAC,MAAM,CAAC;YACP,6DAA6D;QAC/D,CAAC;QACD,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAiB,WAAW,CAAC,CAAC;QAClE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;CACF,CAAA;AAtDK,oBAAoB;IADzB,UAAU,EAAE;IAMR,WAAA,QAAQ,EAAE,CAAA;IAAE,WAAA,MAAM,CAAC,oBAAoB,CAAC,CAAA;qCAHd,cAAc;QACb,gBAAgB;QAChB,SAAS;GAJnC,oBAAoB,CAsDzB;AAGM,IAAM,WAAW,mBAAjB,MAAM,WAAW;IACtB,MAAM,CAAC,OAAO,CAAC,UAA8B,EAAE;QAC7C,MAAM,eAAe,GAAe,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAa,CAAC,CAAC;QACvF,OAAO;YACL,MAAM,EAAE,aAAW;YACnB,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,CAAC,eAAe,CAAC;YAC1B,SAAS,EAAE;gBACT,EAAE,OAAO,EAAE,oBAAoB,EAAE,QAAQ,EAAE,OAAO,EAAE;gBACpD,GAAG,eAAe;gBAClB,cAAc;gBACd,IAAI;gBACJ,QAAQ;gBACR,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,QAAQ,EAAE;gBAC7C,GAAG,aAAW,CAAC,yBAAyB,EAAE;gBAC1C,GAAG,aAAW,CAAC,kBAAkB,EAAE;aACpC;YACD,OAAO,EAAE;gBACP,IAAI;gBACJ,cAAc;gBACd,QAAQ;gBACR,oBAAoB;gBACpB,iBAAiB;gBACjB,GAAG,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC;aAC5B;SACF,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,YAAY,CAAC,OAAgC;QAClD,MAAM,aAAa,GAAG,aAAW,CAAC,yBAAyB,CAAC,OAAO,CAAC,CAAC;QACrE,MAAM,cAAc,GAAG,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;QACtF,OAAO;YACL,MAAM,EAAE,aAAW;YACnB,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,CAAC,eAAe,EAAE,GAAI,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,CAAqB,CAAC;YAC3E,SAAS,EAAE;gBACT,GAAG,cAAc;gBACjB,cAAc;gBACd,IAAI;gBACJ,QAAQ;gBACR,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,QAAQ,EAAE;gBAC7C,GAAG,aAAW,CAAC,yBAAyB,EAAE;gBAC1C,GAAG,aAAW,CAAC,kBAAkB,EAAE;aACpC;YACD,OAAO,EAAE,CAAC,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,oBAAoB,EAAE,iBAAiB,CAAC;SACnF,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACK,MAAM,CAAC,yBAAyB;QACtC,OAAO;YACL;gBACE,OAAO,EAAE,iBAAiB;gBAC1B,UAAU,EAAE,CAAC,OAA4B,EAAoB,EAAE,CAC7D,OAAO,EAAE,gBAAgB,IAAI,IAAI,uBAAuB,CAAC,OAAO,EAAE,OAAO,CAAC;gBAC5E,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;aAC1D;SACF,CAAC;IACJ,CAAC;IAED;;;OAGG;IACK,MAAM,CAAC,kBAAkB;QAC/B,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAChC,CAAC;IAEO,MAAM,CAAC,yBAAyB,CACtC,OAAgC;QAEhC,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YACvB,OAAO;gBACL,OAAO,EAAE,oBAAoB;gBAC7B,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAyB;aACvD,CAAC;QACJ,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,OAAO;gBACL,EAAE,OAAO,EAAE,OAAO,CAAC,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC,QAAQ,EAAE;gBACzD;oBACE,OAAO,EAAE,oBAAoB;oBAC7B,UAAU,EAAE,KAAK,EAAE,OAAkC,EAAE,EAAE,CAAC,OAAO,CAAC,kBAAkB,EAAE;oBACtF,MAAM,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC;iBAC3B;aACF,CAAC;QACJ,CAAC;QACD,MAAM,YAAY,GAAG,OAAO,CAAC,WAA8C,CAAC;QAC5E,OAAO;YACL,OAAO,EAAE,oBAAoB;YAC7B,UAAU,EAAE,KAAK,EAAE,OAAkC,EAAE,EAAE,CAAC,OAAO,CAAC,kBAAkB,EAAE;YACtF,MAAM,EAAE,CAAC,YAAY,CAAC;SACvB,CAAC;IACJ,CAAC;CACF,CAAA;AApGY,WAAW;IADvB,MAAM,CAAC,EAAE,CAAC;GACE,WAAW,CAoGvB"}

package/dist/permission-provider.d.ts

@@ -0,0 +1,23 @@
+import type { Resource, User } from './types.js';
+/**
+ * Optional seam that lets a persisted RBAC layer answer named, model-less abilities.
+ *
+ * This is the Laravel/spatie `Gate::before` grant: when the current user holds the
+ * named permission, the ability is allowed regardless of policies/gates. The core
+ * does NOT implement this — `@dudousxd/nestjs-authz-typeorm` (and the other RBAC
+ * adapters) provide an implementation and register it under the shared
+ * {@link PERMISSION_PROVIDER} token. When no provider is registered the Gate is
+ * unaffected.
+ *
+ * Semantics (grant-only, mirroring `Gate::before`):
+ * - `true`  → the user holds the permission → allow (short-circuit).
+ * - `false`/`undefined` → the provider does not grant it → fall through to the
+ *   normal policy/gate resolution.
+ *
+ * `userRef` is the current user (whatever the app's auth layer produced; `undefined`
+ * when anonymous). `permission` is the ability name passed to `gate.allows(...)`.
+ */
+export interface PermissionProvider {
+    hasPermission(user: User, permission: string, resource?: Resource): boolean | undefined | Promise<boolean | undefined>;
+}
+//# sourceMappingURL=permission-provider.d.ts.map

package/dist/permission-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission-provider.d.ts","sourceRoot":"","sources":["../src/permission-provider.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAEjD;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,WAAW,kBAAkB;IACjC,aAAa,CACX,IAAI,EAAE,IAAI,EACV,UAAU,EAAE,MAAM,EAClB,QAAQ,CAAC,EAAE,QAAQ,GAClB,OAAO,GAAG,SAAS,GAAG,OAAO,CAAC,OAAO,GAAG,SAAS,CAAC,CAAC;CACvD"}

package/dist/permission-provider.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=permission-provider.js.map

package/dist/permission-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission-provider.js","sourceRoot":"","sources":["../src/permission-provider.ts"],"names":[],"mappings":""}

package/dist/policy-registry.d.ts

@@ -0,0 +1,23 @@
+import { type Type } from '@nestjs/common';
+import type { PolicyInstance } from './types.js';
+/**
+ * Maps a resource class → its policy instance. Populated at module init from
+ * explicit `policies: []` and/or auto-discovered `@Policy` providers.
+ */
+export declare class PolicyRegistry {
+    private readonly byResource;
+    /**
+     * Register a policy instance. Throws if the instance's class was not decorated
+     * with `@Policy(Resource)`.
+     */
+    register(policy: PolicyInstance): void;
+    /** Resolve the policy instance for a resource class, or `undefined`. */
+    forResource(resource: Type<unknown>): PolicyInstance | undefined;
+    /** Resolve the policy for the class of a resource instance, or `undefined`. */
+    forInstance(instance: object): PolicyInstance | undefined;
+    /** True when a policy is registered for the resource class. */
+    has(resource: Type<unknown>): boolean;
+    /** All registered policies (for introspection/testing). */
+    all(): PolicyInstance[];
+}
+//# sourceMappingURL=policy-registry.d.ts.map

package/dist/policy-registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-registry.d.ts","sourceRoot":"","sources":["../src/policy-registry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,KAAK,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAGvD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjD;;;GAGG;AACH,qBACa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAA4C;IAEvE;;;OAGG;IACH,QAAQ,CAAC,MAAM,EAAE,cAAc,GAAG,IAAI;IAStC,wEAAwE;IACxE,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG,cAAc,GAAG,SAAS;IAIhE,+EAA+E;IAC/E,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS;IAIzD,+DAA+D;IAC/D,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG,OAAO;IAIrC,2DAA2D;IAC3D,GAAG,IAAI,cAAc,EAAE;CAGxB"}

package/dist/policy-registry.js

@@ -0,0 +1,49 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+import { Injectable } from '@nestjs/common';
+import { getPolicyResource } from './decorator/policy.decorator.js';
+import { PolicyNotDecoratedException } from './errors/exceptions.js';
+/**
+ * Maps a resource class → its policy instance. Populated at module init from
+ * explicit `policies: []` and/or auto-discovered `@Policy` providers.
+ */
+let PolicyRegistry = class PolicyRegistry {
+    byResource = new Map();
+    /**
+     * Register a policy instance. Throws if the instance's class was not decorated
+     * with `@Policy(Resource)`.
+     */
+    register(policy) {
+        const resource = getPolicyResource(policy);
+        if (!resource) {
+            const name = policy.constructor?.name ?? 'Policy';
+            throw new PolicyNotDecoratedException(name);
+        }
+        this.byResource.set(resource, policy);
+    }
+    /** Resolve the policy instance for a resource class, or `undefined`. */
+    forResource(resource) {
+        return this.byResource.get(resource);
+    }
+    /** Resolve the policy for the class of a resource instance, or `undefined`. */
+    forInstance(instance) {
+        return this.byResource.get(instance.constructor);
+    }
+    /** True when a policy is registered for the resource class. */
+    has(resource) {
+        return this.byResource.has(resource);
+    }
+    /** All registered policies (for introspection/testing). */
+    all() {
+        return [...this.byResource.values()];
+    }
+};
+PolicyRegistry = __decorate([
+    Injectable()
+], PolicyRegistry);
+export { PolicyRegistry };
+//# sourceMappingURL=policy-registry.js.map

package/dist/policy-registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-registry.js","sourceRoot":"","sources":["../src/policy-registry.ts"],"names":[],"mappings":";;;;;;AAAA,OAAO,EAAE,UAAU,EAAa,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AACpE,OAAO,EAAE,2BAA2B,EAAE,MAAM,wBAAwB,CAAC;AAGrE;;;GAGG;AAEI,IAAM,cAAc,GAApB,MAAM,cAAc;IACR,UAAU,GAAG,IAAI,GAAG,EAAiC,CAAC;IAEvE;;;OAGG;IACH,QAAQ,CAAC,MAAsB;QAC7B,MAAM,QAAQ,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;QAC3C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,GAAG,MAAM,CAAC,WAAW,EAAE,IAAI,IAAI,QAAQ,CAAC;YAClD,MAAM,IAAI,2BAA2B,CAAC,IAAI,CAAC,CAAC;QAC9C,CAAC;QACD,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IACxC,CAAC;IAED,wEAAwE;IACxE,WAAW,CAAC,QAAuB;QACjC,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACvC,CAAC;IAED,+EAA+E;IAC/E,WAAW,CAAC,QAAgB;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,WAA4B,CAAC,CAAC;IACpE,CAAC;IAED,+DAA+D;IAC/D,GAAG,CAAC,QAAuB;QACzB,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACvC,CAAC;IAED,2DAA2D;IAC3D,GAAG;QACD,OAAO,CAAC,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;IACvC,CAAC;CACF,CAAA;AAnCY,cAAc;IAD1B,UAAU,EAAE;GACA,cAAc,CAmC1B"}

package/dist/resource-resolver.d.ts

@@ -0,0 +1,29 @@
+import type { ExecutionContext, Type } from '@nestjs/common';
+/**
+ * Resolves a resource instance for a `@Can(ability, Resource)` route so the guard
+ * can pass it to the policy method. Apps register an implementation (typically
+ * ORM-backed) via `AuthzModule.forRoot({ ... })` or as a provider bound to the
+ * {@link RESOURCE_RESOLVER} token.
+ *
+ * Class-level abilities (no resource class on `@Can`) never call the resolver.
+ */
+export interface ResourceResolver {
+    /**
+     * Load the resource instance for `resource` in the given request context.
+     * Return `undefined` to signal "not found" — the guard treats a missing
+     * resource as a denial.
+     */
+    resolve(resource: Type<unknown>, ctx: ExecutionContext): Promise<object | undefined> | object | undefined;
+}
+/**
+ * Default resolver: reads the route `:id` param and produces a lightweight
+ * `{ id }` shim of the requested resource class. This keeps the guard usable
+ * out-of-the-box (e.g. ownership checks on `resource.id`) without an ORM, while
+ * apps that need real entities register their own {@link ResourceResolver}.
+ */
+export declare class IdParamResourceResolver implements ResourceResolver {
+    private readonly param;
+    constructor(param?: string);
+    resolve(resource: Type<unknown>, ctx: ExecutionContext): object | undefined;
+}
+//# sourceMappingURL=resource-resolver.d.ts.map

package/dist/resource-resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resource-resolver.d.ts","sourceRoot":"","sources":["../src/resource-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAE7D;;;;;;;GAOG;AACH,MAAM,WAAW,gBAAgB;IAC/B;;;;OAIG;IACH,OAAO,CACL,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,EACvB,GAAG,EAAE,gBAAgB,GACpB,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,GAAG,MAAM,GAAG,SAAS,CAAC;CACrD;AAED;;;;;GAKG;AACH,qBAAa,uBAAwB,YAAW,gBAAgB;IAClD,OAAO,CAAC,QAAQ,CAAC,KAAK;gBAAL,KAAK,GAAE,MAAa;IAEjD,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,gBAAgB,GAAG,MAAM,GAAG,SAAS;CAU5E"}

package/dist/resource-resolver.js

@@ -0,0 +1,24 @@
+/**
+ * Default resolver: reads the route `:id` param and produces a lightweight
+ * `{ id }` shim of the requested resource class. This keeps the guard usable
+ * out-of-the-box (e.g. ownership checks on `resource.id`) without an ORM, while
+ * apps that need real entities register their own {@link ResourceResolver}.
+ */
+export class IdParamResourceResolver {
+    param;
+    constructor(param = 'id') {
+        this.param = param;
+    }
+    resolve(resource, ctx) {
+        const req = ctx.switchToHttp().getRequest();
+        const id = req?.params?.[this.param];
+        if (id === undefined)
+            return undefined;
+        // Construct a shaped instance so `instance.constructor === resource`, which
+        // is how PolicyRegistry maps an instance back to its policy.
+        const instance = Object.create(resource.prototype);
+        instance.id = id;
+        return instance;
+    }
+}
+//# sourceMappingURL=resource-resolver.js.map

package/dist/resource-resolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resource-resolver.js","sourceRoot":"","sources":["../src/resource-resolver.ts"],"names":[],"mappings":"AAsBA;;;;;GAKG;AACH,MAAM,OAAO,uBAAuB;IACL;IAA7B,YAA6B,QAAgB,IAAI;QAApB,UAAK,GAAL,KAAK,CAAe;IAAG,CAAC;IAErD,OAAO,CAAC,QAAuB,EAAE,GAAqB;QACpD,MAAM,GAAG,GAAG,GAAG,CAAC,YAAY,EAAE,CAAC,UAAU,EAAwC,CAAC;QAClF,MAAM,EAAE,GAAG,GAAG,EAAE,MAAM,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrC,IAAI,EAAE,KAAK,SAAS;YAAE,OAAO,SAAS,CAAC;QACvC,4EAA4E;QAC5E,6DAA6D;QAC7D,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAA4B,CAAC;QAC9E,QAAQ,CAAC,EAAE,GAAG,EAAE,CAAC;QACjB,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}

package/dist/tokens.d.ts

@@ -0,0 +1,31 @@
+/** Injection token holding the resolved {@link AuthzModuleOptions}. */
+export declare const AUTHZ_MODULE_OPTIONS: unique symbol;
+/** Injection token for the optional {@link ResourceResolver} registered by the app. */
+export declare const RESOURCE_RESOLVER: unique symbol;
+/** Metadata key for `@Policy(Resource)` — stores the resource class on the policy. */
+export declare const POLICY_RESOURCE_METADATA = "nestjs-authz:policy-resource";
+/** Metadata key for `@Can(ability, Resource?)` — stores the ability descriptor on a route. */
+export declare const CAN_METADATA = "nestjs-authz:can";
+/**
+ * Cross-lib injection token for an optional {@link PermissionProvider} — the seam the
+ * RBAC adapter (`@dudousxd/nestjs-authz-typeorm`) registers so that a model-less,
+ * named ability (`gate.allows('posts.publish')`) is granted when the current user
+ * holds that persisted permission. This is the Laravel/spatie `Gate::before` grant.
+ *
+ * `Symbol.for(key)` uses the global symbol registry so an RBAC package registering
+ * this same key resolves to the SAME symbol instance without importing core internals.
+ * The token is consulted with `@Optional()` — when absent, the Gate behaves exactly
+ * as before (backward-compatible: unknown abilities still throw).
+ */
+export declare const PERMISSION_PROVIDER: unique symbol;
+/**
+ * Cross-lib injection token for the current-request context accessor, owned by
+ * `@dudousxd/nestjs-context`. We do NOT import nestjs-context — instead we share
+ * its well-known token by value so DI resolves the same provider when present.
+ *
+ * `Symbol.for(key)` uses the global symbol registry, so this resolves to the
+ * SAME symbol instance as nestjs-context's `tokens.ts` without any import.
+ * The key MUST stay byte-identical with nestjs-context's export.
+ */
+export declare const CONTEXT_ACCESSOR: unique symbol;
+//# sourceMappingURL=tokens.d.ts.map

package/dist/tokens.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokens.d.ts","sourceRoot":"","sources":["../src/tokens.ts"],"names":[],"mappings":"AAAA,uEAAuE;AACvE,eAAO,MAAM,oBAAoB,eAA+C,CAAC;AAEjF,uFAAuF;AACvF,eAAO,MAAM,iBAAiB,eAAyD,CAAC;AAExF,sFAAsF;AACtF,eAAO,MAAM,wBAAwB,iCAAiC,CAAC;AAEvE,8FAA8F;AAC9F,eAAO,MAAM,YAAY,qBAAqB,CAAC;AAE/C;;;;;;;;;;GAUG;AACH,eAAO,MAAM,mBAAmB,eAA2D,CAAC;AAE5F;;;;;;;;GAQG;AACH,eAAO,MAAM,gBAAgB,eAAkD,CAAC"}