@edgebasejs/adapter-d1 0.1.0

package/dist/core/src/access-rules/column-security.js

@@ -0,0 +1,191 @@
+/**
+ * Column-level security for field access control
+ * Supports role-based visibility and selective field encryption
+ */
+/**
+ * Column-level security manager
+ */
+export class ColumnSecurityManager {
+    constructor() {
+        this.rules = new Map();
+    }
+    /**
+     * Register column security rules for an entity
+     */
+    registerRules(entityName, rules) {
+        this.rules.set(entityName, rules);
+    }
+    /**
+     * Get rules for an entity
+     */
+    getRules(entityName) {
+        return this.rules.get(entityName);
+    }
+    /**
+     * Check if a user can read a specific column
+     */
+    async canReadColumn(entityName, columnName, user, record) {
+        const rules = this.rules.get(entityName);
+        if (!rules) {
+            return true; // No rules = allow all
+        }
+        const columnRule = rules.columns.get(columnName);
+        if (!columnRule) {
+            return rules.defaultReadable ?? true; // Use default or allow
+        }
+        // Check role requirements
+        if (columnRule.roles && columnRule.roles.length > 0) {
+            const userRoles = user.roles || [];
+            const hasRole = columnRule.roles.some((role) => userRoles.includes(role));
+            if (!hasRole) {
+                return false;
+            }
+        }
+        // Check readable predicate
+        if (columnRule.readable !== undefined) {
+            if (typeof columnRule.readable === 'function') {
+                const context = {
+                    user,
+                    operation: 'read',
+                    record,
+                    column: columnName,
+                    value: record?.[columnName],
+                };
+                return await columnRule.readable(context);
+            }
+            return columnRule.readable;
+        }
+        // Check visible predicate
+        if (columnRule.visible !== undefined) {
+            if (typeof columnRule.visible === 'function') {
+                const context = {
+                    user,
+                    operation: 'read',
+                    record,
+                    column: columnName,
+                };
+                return await columnRule.visible(context);
+            }
+            return columnRule.visible;
+        }
+        return true;
+    }
+    /**
+     * Check if a user can write to a specific column
+     */
+    async canWriteColumn(entityName, columnName, user, value, record) {
+        const rules = this.rules.get(entityName);
+        if (!rules) {
+            return true; // No rules = allow all
+        }
+        const columnRule = rules.columns.get(columnName);
+        if (!columnRule) {
+            return rules.defaultWritable ?? true; // Use default or allow
+        }
+        // Check role requirements
+        if (columnRule.roles && columnRule.roles.length > 0) {
+            const userRoles = user.roles || [];
+            const hasRole = columnRule.roles.some((role) => userRoles.includes(role));
+            if (!hasRole) {
+                return false;
+            }
+        }
+        // Check writable predicate
+        if (columnRule.writable !== undefined) {
+            if (typeof columnRule.writable === 'function') {
+                const context = {
+                    user,
+                    operation: 'write',
+                    record,
+                    column: columnName,
+                    value,
+                };
+                return await columnRule.writable(context);
+            }
+            return columnRule.writable;
+        }
+        return true;
+    }
+    /**
+     * Filter record columns based on read permissions
+     * Returns a new record with only accessible columns
+     */
+    async filterReadableColumns(entityName, record, user) {
+        const rules = this.rules.get(entityName);
+        if (!rules) {
+            return record; // No rules = return all columns
+        }
+        const filtered = {};
+        for (const [columnName, value] of Object.entries(record)) {
+            const canRead = await this.canReadColumn(entityName, columnName, user, record);
+            if (canRead) {
+                filtered[columnName] = value;
+            }
+            else {
+                // Apply mask value if defined
+                const columnRule = rules.columns.get(columnName);
+                if (columnRule?.maskValue !== undefined) {
+                    filtered[columnName] = columnRule.maskValue;
+                }
+                // Otherwise, omit the column entirely
+            }
+        }
+        return filtered;
+    }
+    /**
+     * Filter write data based on write permissions
+     * Returns a new object with only writable columns
+     */
+    async filterWritableColumns(entityName, data, user, existingRecord) {
+        const rules = this.rules.get(entityName);
+        if (!rules) {
+            return { filtered: data, rejected: [] }; // No rules = allow all
+        }
+        const filtered = {};
+        const rejected = [];
+        for (const [columnName, value] of Object.entries(data)) {
+            const canWrite = await this.canWriteColumn(entityName, columnName, user, value, existingRecord);
+            if (canWrite) {
+                filtered[columnName] = value;
+            }
+            else {
+                rejected.push(columnName);
+            }
+        }
+        return { filtered, rejected };
+    }
+    /**
+     * Get list of encrypted columns for an entity
+     */
+    getEncryptedColumns(entityName) {
+        const rules = this.rules.get(entityName);
+        if (!rules) {
+            return [];
+        }
+        const encrypted = [];
+        for (const [columnName, rule] of rules.columns.entries()) {
+            if (rule.encrypted) {
+                encrypted.push(columnName);
+            }
+        }
+        return encrypted;
+    }
+    /**
+     * Get all column rules for an entity
+     */
+    getAllColumnRules(entityName) {
+        const rules = this.rules.get(entityName);
+        return rules?.columns;
+    }
+    /**
+     * Clear all rules
+     */
+    clear() {
+        this.rules.clear();
+    }
+}
+/**
+ * Global column security manager instance
+ */
+export const columnSecurityManager = new ColumnSecurityManager();
+//# sourceMappingURL=column-security.js.map

package/dist/core/src/access-rules/column-security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"column-security.js","sourceRoot":"","sources":["../../../../../core/src/access-rules/column-security.ts"],"names":[],"mappings":"AAAA;;;GAGG;AA8BH;;GAEG;AACH,MAAM,OAAO,qBAAqB;IAAlC;QACU,UAAK,GAAqC,IAAI,GAAG,EAAE,CAAC;IA6N9D,CAAC;IA3NC;;OAEG;IACH,aAAa,CAAC,UAAkB,EAAE,KAA0B;QAC1D,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IACpC,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,UAAkB;QACzB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACpC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CACjB,UAAkB,EAClB,UAAkB,EAClB,IAAU,EACV,MAA4B;QAE5B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACzC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,CAAC,uBAAuB;QACtC,CAAC;QAED,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACjD,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,KAAK,CAAC,eAAe,IAAI,IAAI,CAAC,CAAC,uBAAuB;QAC/D,CAAC;QAED,0BAA0B;QAC1B,IAAI,UAAU,CAAC,KAAK,IAAI,UAAU,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpD,MAAM,SAAS,GAAI,IAAY,CAAC,KAAK,IAAI,EAAE,CAAC;YAC5C,MAAM,OAAO,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;YAC1E,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QAED,2BAA2B;QAC3B,IAAI,UAAU,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;YACtC,IAAI,OAAO,UAAU,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;gBAC9C,MAAM,OAAO,GAAwB;oBACnC,IAAI;oBACJ,SAAS,EAAE,MAAM;oBACjB,MAAM;oBACN,MAAM,EAAE,UAAU;oBAClB,KAAK,EAAE,MAAM,EAAE,CAAC,UAAU,CAAC;iBAC5B,CAAC;gBACF,OAAO,MAAM,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAC5C,CAAC;YACD,OAAO,UAAU,CAAC,QAAQ,CAAC;QAC7B,CAAC;QAED,0BAA0B;QAC1B,IAAI,UAAU,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;YACrC,IAAI,OAAO,UAAU,CAAC,OAAO,KAAK,UAAU,EAAE,CAAC;gBAC7C,MAAM,OAAO,GAAwB;oBACnC,IAAI;oBACJ,SAAS,EAAE,MAAM;oBACjB,MAAM;oBACN,MAAM,EAAE,UAAU;iBACnB,CAAC;gBACF,OAAO,MAAM,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;YAC3C,CAAC;YACD,OAAO,UAAU,CAAC,OAAO,CAAC;QAC5B,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc,CAClB,UAAkB,EAClB,UAAkB,EAClB,IAAU,EACV,KAAW,EACX,MAA4B;QAE5B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACzC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,CAAC,uBAAuB;QACtC,CAAC;QAED,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACjD,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,KAAK,CAAC,eAAe,IAAI,IAAI,CAAC,CAAC,uBAAuB;QAC/D,CAAC;QAED,0BAA0B;QAC1B,IAAI,UAAU,CAAC,KAAK,IAAI,UAAU,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpD,MAAM,SAAS,GAAI,IAAY,CAAC,KAAK,IAAI,EAAE,CAAC;YAC5C,MAAM,OAAO,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;YAC1E,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QAED,2BAA2B;QAC3B,IAAI,UAAU,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;YACtC,IAAI,OAAO,UAAU,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;gBAC9C,MAAM,OAAO,GAAwB;oBACnC,IAAI;oBACJ,SAAS,EAAE,OAAO;oBAClB,MAAM;oBACN,MAAM,EAAE,UAAU;oBAClB,KAAK;iBACN,CAAC;gBACF,OAAO,MAAM,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAC5C,CAAC;YACD,OAAO,UAAU,CAAC,QAAQ,CAAC;QAC7B,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,qBAAqB,CACzB,UAAkB,EAClB,MAA2B,EAC3B,IAAU;QAEV,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACzC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,MAAM,CAAC,CAAC,gCAAgC;QACjD,CAAC;QAED,MAAM,QAAQ,GAAwB,EAAE,CAAC;QAEzC,KAAK,MAAM,CAAC,UAAU,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YACzD,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;YAE/E,IAAI,OAAO,EAAE,CAAC;gBACZ,QAAQ,CAAC,UAAU,CAAC,GAAG,KAAK,CAAC;YAC/B,CAAC;iBAAM,CAAC;gBACN,8BAA8B;gBAC9B,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;gBACjD,IAAI,UAAU,EAAE,SAAS,KAAK,SAAS,EAAE,CAAC;oBACxC,QAAQ,CAAC,UAAU,CAAC,GAAG,UAAU,CAAC,SAAS,CAAC;gBAC9C,CAAC;gBACD,sCAAsC;YACxC,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,qBAAqB,CACzB,UAAkB,EAClB,IAAyB,EACzB,IAAU,EACV,cAAoC;QAEpC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACzC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC,uBAAuB;QAClE,CAAC;QAED,MAAM,QAAQ,GAAwB,EAAE,CAAC;QACzC,MAAM,QAAQ,GAAa,EAAE,CAAC;QAE9B,KAAK,MAAM,CAAC,UAAU,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACvD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,UAAU,EAAE,UAAU,EAAE,IAAI,EAAE,KAAK,EAAE,cAAc,CAAC,CAAC;YAEhG,IAAI,QAAQ,EAAE,CAAC;gBACb,QAAQ,CAAC,UAAU,CAAC,GAAG,KAAK,CAAC;YAC/B,CAAC;iBAAM,CAAC;gBACN,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC;IAChC,CAAC;IAED;;OAEG;IACH,mBAAmB,CAAC,UAAkB;QACpC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACzC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,SAAS,GAAa,EAAE,CAAC;QAC/B,KAAK,MAAM,CAAC,UAAU,EAAE,IAAI,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;YACzD,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACnB,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,iBAAiB,CAAC,UAAkB;QAClC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACzC,OAAO,KAAK,EAAE,OAAO,CAAC;IACxB,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;CACF;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,IAAI,qBAAqB,EAAE,CAAC"}

package/dist/core/src/access-rules/engine.d.ts

@@ -0,0 +1,26 @@
+import type { User, AccessRules } from '@edgebasejs/types';
+export interface AccessContext {
+    user: User;
+    operation: 'create' | 'read' | 'update' | 'delete';
+    data: Record<string, any>;
+    existingData?: Record<string, any>;
+}
+export interface AccessDecision {
+    allowed: boolean;
+    reason?: string;
+}
+/**
+ * Access rules engine
+ */
+export declare class AccessRulesEngine {
+    /**
+     * Evaluate access rules for an operation
+     */
+    static evaluate(context: AccessContext, rules?: AccessRules): Promise<AccessDecision>;
+    /**
+     * Batch evaluate access for multiple records
+     */
+    static evaluateBatch(contexts: AccessContext[], rules?: AccessRules): Promise<Map<string, AccessDecision>>;
+}
+export default AccessRulesEngine;
+//# sourceMappingURL=engine.d.ts.map

package/dist/core/src/access-rules/engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../../../../../core/src/access-rules/engine.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAE3D,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,IAAI,CAAC;IACX,SAAS,EAAE,QAAQ,GAAG,MAAM,GAAG,QAAQ,GAAG,QAAQ,CAAC;IACnD,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CACpC;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,qBAAa,iBAAiB;IAC5B;;OAEG;WACU,QAAQ,CAAC,OAAO,EAAE,aAAa,EAAE,KAAK,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,cAAc,CAAC;IA4D3F;;OAEG;WACU,aAAa,CACxB,QAAQ,EAAE,aAAa,EAAE,EACzB,KAAK,CAAC,EAAE,WAAW,GAClB,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;CAWxC;AAED,eAAe,iBAAiB,CAAC"}

package/dist/core/src/access-rules/engine.js

@@ -0,0 +1,76 @@
+// Access rules evaluation engine
+/**
+ * Access rules engine
+ */
+export class AccessRulesEngine {
+    /**
+     * Evaluate access rules for an operation
+     */
+    static async evaluate(context, rules) {
+        if (!rules) {
+            // No rules = allow all access
+            return { allowed: true };
+        }
+        try {
+            switch (context.operation) {
+                case 'create':
+                    if (!rules.create) {
+                        return { allowed: true }; // No rule = allow
+                    }
+                    const createAllowed = await Promise.resolve(rules.create(context.user, context.data));
+                    return {
+                        allowed: createAllowed,
+                        reason: createAllowed ? undefined : 'Create denied by access rules',
+                    };
+                case 'read':
+                    if (!rules.read) {
+                        return { allowed: true };
+                    }
+                    const readAllowed = await Promise.resolve(rules.read(context.user, context.data));
+                    return {
+                        allowed: readAllowed,
+                        reason: readAllowed ? undefined : 'Read denied by access rules',
+                    };
+                case 'update':
+                    if (!rules.update) {
+                        return { allowed: true };
+                    }
+                    const updateAllowed = await Promise.resolve(rules.update(context.user, context.existingData || {}, context.data));
+                    return {
+                        allowed: updateAllowed,
+                        reason: updateAllowed ? undefined : 'Update denied by access rules',
+                    };
+                case 'delete':
+                    if (!rules.delete) {
+                        return { allowed: true };
+                    }
+                    const deleteData = context.existingData || context.data;
+                    const deleteAllowed = await Promise.resolve(rules.delete(context.user, deleteData));
+                    return {
+                        allowed: deleteAllowed,
+                        reason: deleteAllowed ? undefined : 'Delete denied by access rules',
+                    };
+                default:
+                    return { allowed: false, reason: 'Unknown operation' };
+            }
+        }
+        catch (error) {
+            console.error('Access rule evaluation error:', error);
+            return { allowed: false, reason: 'Access rule evaluation failed' };
+        }
+    }
+    /**
+     * Batch evaluate access for multiple records
+     */
+    static async evaluateBatch(contexts, rules) {
+        const results = new Map();
+        for (const context of contexts) {
+            const recordKey = `${context.operation}:${context.data.id || 'unknown'}`;
+            const decision = await this.evaluate(context, rules);
+            results.set(recordKey, decision);
+        }
+        return results;
+    }
+}
+export default AccessRulesEngine;
+//# sourceMappingURL=engine.js.map

package/dist/core/src/access-rules/engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.js","sourceRoot":"","sources":["../../../../../core/src/access-rules/engine.ts"],"names":[],"mappings":"AAAA,iCAAiC;AAgBjC;;GAEG;AACH,MAAM,OAAO,iBAAiB;IAC5B;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAsB,EAAE,KAAmB;QAC/D,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,8BAA8B;YAC9B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC3B,CAAC;QAED,IAAI,CAAC;YACH,QAAQ,OAAO,CAAC,SAAS,EAAE,CAAC;gBAC1B,KAAK,QAAQ;oBACX,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;wBAClB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,kBAAkB;oBAC9C,CAAC;oBACD,MAAM,aAAa,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;oBACtF,OAAO;wBACL,OAAO,EAAE,aAAa;wBACtB,MAAM,EAAE,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,+BAA+B;qBACpE,CAAC;gBAEJ,KAAK,MAAM;oBACT,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;wBAChB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;oBAC3B,CAAC;oBACD,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;oBAClF,OAAO;wBACL,OAAO,EAAE,WAAW;wBACpB,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,6BAA6B;qBAChE,CAAC;gBAEJ,KAAK,QAAQ;oBACX,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;wBAClB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;oBAC3B,CAAC;oBACD,MAAM,aAAa,GAAG,MAAM,OAAO,CAAC,OAAO,CACzC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,YAAY,IAAI,EAAE,EAAE,OAAO,CAAC,IAAI,CAAC,CACrE,CAAC;oBACF,OAAO;wBACL,OAAO,EAAE,aAAa;wBACtB,MAAM,EAAE,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,+BAA+B;qBACpE,CAAC;gBAEJ,KAAK,QAAQ;oBACX,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;wBAClB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;oBAC3B,CAAC;oBACD,MAAM,UAAU,GAAG,OAAO,CAAC,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC;oBACxD,MAAM,aAAa,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC,CAAC;oBACpF,OAAO;wBACL,OAAO,EAAE,aAAa;wBACtB,MAAM,EAAE,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,+BAA+B;qBACpE,CAAC;gBAEJ;oBACE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC;YAC3D,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,+BAA+B,EAAE,KAAK,CAAC,CAAC;YACtD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,+BAA+B,EAAE,CAAC;QACrE,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,aAAa,CACxB,QAAyB,EACzB,KAAmB;QAEnB,MAAM,OAAO,GAAG,IAAI,GAAG,EAA0B,CAAC;QAElD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,MAAM,SAAS,GAAG,GAAG,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,SAAS,EAAE,CAAC;YACzE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;YACrD,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QACnC,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;CACF;AAED,eAAe,iBAAiB,CAAC"}

package/dist/core/src/access-rules/index.d.ts

@@ -0,0 +1,3 @@
+export * from './engine';
+export { default as AccessRulesEngine } from './engine';
+//# sourceMappingURL=index.d.ts.map

package/dist/core/src/access-rules/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../core/src/access-rules/index.ts"],"names":[],"mappings":"AAAA,cAAc,UAAU,CAAC;AACzB,OAAO,EAAE,OAAO,IAAI,iBAAiB,EAAE,MAAM,UAAU,CAAC"}

package/dist/core/src/access-rules/index.js

@@ -0,0 +1,3 @@
+export * from './engine';
+export { default as AccessRulesEngine } from './engine';
+//# sourceMappingURL=index.js.map

package/dist/core/src/access-rules/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../core/src/access-rules/index.ts"],"names":[],"mappings":"AAAA,cAAc,UAAU,CAAC;AACzB,OAAO,EAAE,OAAO,IAAI,iBAAiB,EAAE,MAAM,UAAU,CAAC"}

package/dist/core/src/audit/audit-manager.d.ts

@@ -0,0 +1,108 @@
+/**
+ * Audit trail manager for change tracking and compliance
+ * Tracks all data changes with user attribution and timestamps
+ */
+import type { User } from '@edgebasejs/types';
+export interface AuditLog {
+    id: string;
+    userId: string;
+    entity: string;
+    recordId: string;
+    operation: 'create' | 'update' | 'delete';
+    before?: Record<string, any>;
+    after?: Record<string, any>;
+    changes?: Array<{
+        field: string;
+        before: any;
+        after: any;
+    }>;
+    metadata?: Record<string, any>;
+    createdAt: number;
+}
+export interface AuditQuery {
+    entity?: string;
+    recordId?: string;
+    userId?: string;
+    operation?: 'create' | 'update' | 'delete';
+    startDate?: number;
+    endDate?: number;
+    limit?: number;
+    offset?: number;
+}
+export interface AuditResponse {
+    logs: AuditLog[];
+    total: number;
+    hasMore: boolean;
+}
+export interface AuditDatabase {
+    run(sql: string, params: any[]): Promise<any>;
+    getOne(sql: string, params: any[]): Promise<any>;
+    getAll(sql: string, params: any[]): Promise<any[]>;
+}
+export interface AuditOptions {
+    trackBefore?: boolean;
+    trackAfter?: boolean;
+    trackChanges?: boolean;
+    excludeFields?: string[];
+    maxRetentionDays?: number;
+}
+/**
+ * Audit manager for tracking data changes
+ */
+export declare class AuditManager {
+    private db;
+    private options;
+    constructor(db: AuditDatabase, options?: AuditOptions);
+    /**
+     * Log a data change
+     */
+    logChange(user: User, entity: string, recordId: string, operation: 'create' | 'update' | 'delete', before?: Record<string, any>, after?: Record<string, any>, metadata?: Record<string, any>): Promise<AuditLog>;
+    /**
+     * Query audit logs
+     */
+    queryLogs(query: AuditQuery): Promise<AuditResponse>;
+    /**
+     * Get audit log by ID
+     */
+    getLog(auditId: string): Promise<AuditLog | null>;
+    /**
+     * Get audit history for a specific record
+     */
+    getRecordHistory(entity: string, recordId: string): Promise<AuditLog[]>;
+    /**
+     * Get summary statistics for audit logs
+     */
+    getStatistics(options?: {
+        entity?: string;
+        userId?: string;
+        startDate?: number;
+        endDate?: number;
+    }): Promise<{
+        totalChanges: number;
+        changesByOperation: {
+            operation: string;
+            count: number;
+        }[];
+        changesByEntity: {
+            entity: string;
+            count: number;
+        }[];
+        changesByUser: {
+            userId: string;
+            count: number;
+        }[];
+    }>;
+    /**
+     * Clean up old audit logs based on retention policy
+     */
+    cleanupOldLogs(): Promise<number>;
+    /**
+     * Filter sensitive fields from data
+     */
+    private filterSensitiveFields;
+    /**
+     * Calculate field-level changes between before and after states
+     */
+    private calculateChanges;
+}
+//# sourceMappingURL=audit-manager.d.ts.map

package/dist/core/src/audit/audit-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-manager.d.ts","sourceRoot":"","sources":["../../../../../core/src/audit/audit-manager.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAE9C,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,QAAQ,GAAG,QAAQ,GAAG,QAAQ,CAAC;IAC1C,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC7B,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC5B,OAAO,CAAC,EAAE,KAAK,CAAC;QACd,KAAK,EAAE,MAAM,CAAC;QACd,MAAM,EAAE,GAAG,CAAC;QACZ,KAAK,EAAE,GAAG,CAAC;KACZ,CAAC,CAAC;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC/B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,UAAU;IACzB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,QAAQ,GAAG,QAAQ,GAAG,QAAQ,CAAC;IAC3C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,QAAQ,EAAE,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,OAAO,CAAC;CAClB;AAED,MAAM,WAAW,aAAa;IAC5B,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IAC9C,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IACjD,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;CACpD;AAED,MAAM,WAAW,YAAY;IAC3B,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED;;GAEG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,EAAE,CAAgB;IAC1B,OAAO,CAAC,OAAO,CAAyB;gBAE5B,EAAE,EAAE,aAAa,EAAE,OAAO,CAAC,EAAE,YAAY;IAWrD;;OAEG;IACG,SAAS,CACb,IAAI,EAAE,IAAI,EACV,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,QAAQ,GAAG,QAAQ,GAAG,QAAQ,EACzC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAC5B,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAC7B,OAAO,CAAC,QAAQ,CAAC;IAgDpB;;OAEG;IACG,SAAS,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,aAAa,CAAC;IA+E1D;;OAEG;IACG,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;IAqBvD;;OAEG;IACG,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC;IAoB7E;;OAEG;IACG,aAAa,CAAC,OAAO,CAAC,EAAE;QAC5B,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,GAAG,OAAO,CAAC;QACV,YAAY,EAAE,MAAM,CAAC;QACrB,kBAAkB,EAAE;YAAE,SAAS,EAAE,MAAM,CAAC;YAAC,KAAK,EAAE,MAAM,CAAA;SAAE,EAAE,CAAC;QAC3D,eAAe,EAAE;YAAE,MAAM,EAAE,MAAM,CAAC;YAAC,KAAK,EAAE,MAAM,CAAA;SAAE,EAAE,CAAC;QACrD,aAAa,EAAE;YAAE,MAAM,EAAE,MAAM,CAAC;YAAC,KAAK,EAAE,MAAM,CAAA;SAAE,EAAE,CAAC;KACpD,CAAC;IAoEF;;OAEG;IACG,cAAc,IAAI,OAAO,CAAC,MAAM,CAAC;IAavC;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAY7B;;OAEG;IACH,OAAO,CAAC,gBAAgB;CAyBzB"}