@elsikora/nestjs-crud-automator 1.16.0-dev.1 → 1.17.0-dev.1

package/README.md

@@ -46,6 +46,7 @@ The core philosophy of this library is built on four pillars: being **Declarativ
 - ✨ **Hooks and Subscriber System:** Intercept and extend business logic at both the controller and service level.
 - ✨ **Dynamic and Polymorphic DTOs:** Generate DTOs on-the-fly based on discriminator fields.
 - ✨ **Field-Level RBAC:** Show/hide fields in responses based on user roles using guards.
+- ✨ **🔐 Declarative Authorization Policies:** Subscriber-style policies with automatic guard wiring, scopes, and response transforms.
 - ✨ **Request Tracing:** Built-in `CorrelationIDResponseBodyInterceptor` to correlate requests and logs.
 - ✨ **Convention over Configuration:** Smart defaults for service and DTO naming to reduce boilerplate.
 
@@ -352,6 +353,48 @@ export class UserController {
 }
 ```
 
+### Declarative Authorization Policies
+
+Import `ApiAuthorizationModule` once and describe access rules as policies. The guard is attached to every generated route automatically—no controller configuration required.
+
+```typescript
+// app.module.ts
+import { Module } from "@nestjs/common";
+import { ApiAuthorizationModule } from "@elsikora/nestjs-crud-automator";
+
+@Module({
+	imports: [
+		/* ... */
+		ApiAuthorizationModule,
+	],
+})
+export class AppModule {}
+```
+
+```typescript
+// policies/user-access.policy.ts
+import { ApiAuthorizationPolicy, ApiAuthorizationPolicyBase } from "@elsikora/nestjs-crud-automator";
+import { UserEntity } from "../user.entity";
+
+@ApiAuthorizationPolicy<UserEntity>({ entity: UserEntity, priority: 200 })
+export class UserAccessPolicy extends ApiAuthorizationPolicyBase<UserEntity> {
+	onBeforeGet() {
+		return this.allow({
+			scope: ({ subject }) => ({ where: { id: subject.id } }),
+		});
+	}
+
+	onBeforeDelete() {
+		return this.deny({
+			description: "Only admins can delete users",
+			condition: ({ subject }) => !subject.roles.includes("admin"),
+		});
+	}
+}
+```
+
+Policies can return allow/deny rules, merge scope conditions into generated queries, and transform responses before they are sent back to the client.
+
 ### `CorrelationIDResponseBodyInterceptor`: Request Tracing
 
 To simplify debugging and request tracing in complex systems, the library provides the `CorrelationIDResponseBodyInterceptor`. This interceptor should be registered globally in your `main.ts`.

package/dist/cjs/class/api/authorization/engine.class.d.ts

@@ -0,0 +1,8 @@
+import { IApiBaseEntity } from '../../../interface/api-base-entity.interface';
+import { IApiAuthorizationDecision, IApiAuthorizationEngine, IApiAuthorizationEngineEvaluateOptions } from '../../../interface/authorization/index';
+export declare class ApiAuthorizationEngine implements IApiAuthorizationEngine<IApiBaseEntity> {
+    evaluate<E extends IApiBaseEntity, R>(options: IApiAuthorizationEngineEvaluateOptions<E, R>): Promise<IApiAuthorizationDecision<E, R>>;
+    private buildDecision;
+    private evaluateCondition;
+    private mergeScope;
+}

package/dist/cjs/class/api/authorization/engine.class.js

@@ -0,0 +1,92 @@
+'use strict';
+
+var tslib_es6 = require('../../../external/tslib/tslib.es6.js');
+var effect_enum = require('../../../enum/authorization/effect.enum.js');
+var common = require('@nestjs/common');
+var where_utility = require('../../../utility/authorization/scope/merge/where.utility.js');
+
+exports.ApiAuthorizationEngine = class ApiAuthorizationEngine {
+    async evaluate(options) {
+        const context = {
+            resource: options.resource,
+            subject: options.subject,
+        };
+        const matchedRules = [];
+        let scope;
+        const transforms = [];
+        for (const rule of options.policy.rules) {
+            const isConditionPassed = await this.evaluateCondition(rule, context);
+            if (!isConditionPassed) {
+                continue;
+            }
+            if (rule.effect === effect_enum.EAuthorizationEffect.DENY) {
+                return this.buildDecision(options, {
+                    appliedRules: [rule],
+                    effect: effect_enum.EAuthorizationEffect.DENY,
+                    scope: undefined,
+                    transforms: [],
+                });
+            }
+            matchedRules.push(rule);
+            scope = await this.mergeScope(scope, rule, context);
+            if (rule.resultTransform) {
+                transforms.push(rule.resultTransform);
+            }
+        }
+        if (matchedRules.length === 0) {
+            return this.buildDecision(options, {
+                appliedRules: [],
+                effect: effect_enum.EAuthorizationEffect.DENY,
+                scope: undefined,
+                transforms: [],
+            });
+        }
+        return this.buildDecision(options, {
+            appliedRules: matchedRules,
+            effect: effect_enum.EAuthorizationEffect.ALLOW,
+            scope,
+            transforms,
+        });
+    }
+    buildDecision(options, payload) {
+        return {
+            action: options.action,
+            appliedRules: payload.appliedRules,
+            effect: payload.effect,
+            policyId: options.policy.policyId,
+            resource: options.resource,
+            resourceType: options.policy.entity.name ?? "UnknownResource",
+            scope: payload.scope,
+            subject: options.subject,
+            transforms: payload.transforms,
+        };
+    }
+    async evaluateCondition(rule, context) {
+        if (!rule.condition) {
+            return true;
+        }
+        const result = await rule.condition(context);
+        return result === true;
+    }
+    async mergeScope(currentScope, rule, context) {
+        if (!rule.scope) {
+            return currentScope;
+        }
+        const scopePatch = await rule.scope(context);
+        if (!scopePatch) {
+            return currentScope;
+        }
+        if (!currentScope) {
+            return scopePatch;
+        }
+        return {
+            ...currentScope,
+            ...scopePatch,
+            where: where_utility.AuthorizationScopeMergeWhere(currentScope.where, scopePatch.where),
+        };
+    }
+};
+exports.ApiAuthorizationEngine = tslib_es6.__decorate([
+    common.Injectable()
+], exports.ApiAuthorizationEngine);
+//# sourceMappingURL=engine.class.js.map

package/dist/cjs/class/api/authorization/engine.class.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.class.js","sources":["../../../../../../src/class/api/authorization/engine.class.ts"],"sourcesContent":[null],"names":["ApiAuthorizationEngine","EAuthorizationEffect","AuthorizationScopeMergeWhere","__decorate","Injectable"],"mappings":";;;;;;;AAWaA,8BAAsB,GAA5B,MAAM,sBAAsB,CAAA;IAC3B,MAAM,QAAQ,CAA8B,OAAqD,EAAA;AACvG,QAAA,MAAM,OAAO,GAAoC;YAChD,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,OAAO,EAAE,OAAO,CAAC,OAAO;SACxB;QAED,MAAM,YAAY,GAAuC,EAAE;AAC3D,QAAA,IAAI,KAA4C;QAChD,MAAM,UAAU,GAAuE,EAAE;QAEzF,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE;YACxC,MAAM,iBAAiB,GAAY,MAAM,IAAI,CAAC,iBAAiB,CAAC,IAAI,EAAE,OAAO,CAAC;YAE9E,IAAI,CAAC,iBAAiB,EAAE;gBACvB;YACD;YAEA,IAAI,IAAI,CAAC,MAAM,KAAKC,gCAAoB,CAAC,IAAI,EAAE;AAC9C,gBAAA,OAAO,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE;oBAClC,YAAY,EAAE,CAAC,IAAI,CAAC;oBACpB,MAAM,EAAEA,gCAAoB,CAAC,IAAI;AACjC,oBAAA,KAAK,EAAE,SAAS;AAChB,oBAAA,UAAU,EAAE,EAAE;AACd,iBAAA,CAAC;YACH;AAEA,YAAA,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC;AACvB,YAAA,KAAK,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,IAAI,EAAE,OAAO,CAAC;AAEnD,YAAA,IAAI,IAAI,CAAC,eAAe,EAAE;AACzB,gBAAA,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC;YACtC;QACD;AAEA,QAAA,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE;AAC9B,YAAA,OAAO,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE;AAClC,gBAAA,YAAY,EAAE,EAAE;gBAChB,MAAM,EAAEA,gCAAoB,CAAC,IAAI;AACjC,gBAAA,KAAK,EAAE,SAAS;AAChB,gBAAA,UAAU,EAAE,EAAE;AACd,aAAA,CAAC;QACH;AAEA,QAAA,OAAO,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE;AAClC,YAAA,YAAY,EAAE,YAAY;YAC1B,MAAM,EAAEA,gCAAoB,CAAC,KAAK;YAClC,KAAK;YACL,UAAU;AACV,SAAA,CAAC;IACH;IAEQ,aAAa,CACpB,OAAqD,EACrD,OAKC,EAAA;QAED,OAAO;YACN,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,MAAM,EAAE,OAAO,CAAC,MAAM;AACtB,YAAA,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,QAAQ;YACjC,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,YAAY,EAAE,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,IAAI,iBAAiB;YAC7D,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,UAAU,EAAE,OAAO,CAAC,UAAU;SAC9B;IACF;AAEQ,IAAA,MAAM,iBAAiB,CAA8B,IAAiC,EAAE,OAAwC,EAAA;AACvI,QAAA,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE;AACpB,YAAA,OAAO,IAAI;QACZ;QAEA,MAAM,MAAM,GAAY,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;QAErD,OAAO,MAAM,KAAK,IAAI;IACvB;AAEQ,IAAA,MAAM,UAAU,CAA8B,YAAmD,EAAE,IAAiC,EAAE,OAAwC,EAAA;AACrL,QAAA,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE;AAChB,YAAA,OAAO,YAAY;QACpB;QAEA,MAAM,UAAU,GAA0C,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC;QAEnF,IAAI,CAAC,UAAU,EAAE;AAChB,YAAA,OAAO,YAAY;QACpB;QAEA,IAAI,CAAC,YAAY,EAAE;AAClB,YAAA,OAAO,UAAU;QAClB;QAEA,OAAO;AACN,YAAA,GAAG,YAAY;AACf,YAAA,GAAG,UAAU;YACb,KAAK,EAAEC,0CAA4B,CAAC,YAAY,CAAC,KAAK,EAAE,UAAU,CAAC,KAAK,CAAC;SACzE;IACF;;AAxGYF,8BAAsB,GAAAG,oBAAA,CAAA;AADlC,IAAAC,iBAAU;AACE,CAAA,EAAAJ,8BAAsB,CAyGlC;;"}

package/dist/cjs/class/api/authorization/guard.class.d.ts

@@ -0,0 +1,13 @@
+import type { IApiAuthorizationPolicyRegistry } from '../../../interface/authorization/policy/registry.interface';
+import { ApiAuthorizationEngine } from './engine.class';
+import { CanActivate, ExecutionContext } from "@nestjs/common";
+export declare class ApiAuthorizationGuard implements CanActivate {
+    private readonly policyRegistry;
+    private readonly authorizationEngine;
+    constructor(policyRegistry: IApiAuthorizationPolicyRegistry, authorizationEngine: ApiAuthorizationEngine);
+    canActivate(context: ExecutionContext): Promise<boolean>;
+    private attachDecisionToRequest;
+    private isControllerSecurable;
+    private resolveAction;
+    private resolveEntityConstructor;
+}

package/dist/cjs/class/api/authorization/guard.class.js

@@ -0,0 +1,79 @@
+'use strict';
+
+var tslib_es6 = require('../../../external/tslib/tslib.es6.js');
+var engine_class = require('./engine.class.js');
+var decision_constant = require('../../../constant/authorization/metadata/decision.constant.js');
+var registry_constant = require('../../../constant/authorization/token/registry.constant.js');
+var controller_constant = require('../../../constant/decorator/api/controller.constant.js');
+var effect_enum = require('../../../enum/authorization/effect.enum.js');
+var common = require('@nestjs/common');
+var resolveDefaultSubject_utility = require('../../../utility/authorization/subject/resolve-default-subject.utility.js');
+var logger_utility = require('../../../utility/logger.utility.js');
+
+const authorizationGuardLogger = logger_utility.LoggerUtility.getLogger("ApiAuthorizationGuard");
+exports.ApiAuthorizationGuard = class ApiAuthorizationGuard {
+    policyRegistry;
+    authorizationEngine;
+    constructor(policyRegistry, authorizationEngine) {
+        this.policyRegistry = policyRegistry;
+        this.authorizationEngine = authorizationEngine;
+    }
+    async canActivate(context) {
+        if (!this.isControllerSecurable(context)) {
+            authorizationGuardLogger.debug("Controller is not marked as @ApiControllerSecurable, skipping authorization");
+            return true;
+        }
+        const entityConstructor = this.resolveEntityConstructor(context);
+        if (!entityConstructor) {
+            authorizationGuardLogger.debug("No entity constructor found in controller metadata, skipping authorization");
+            return true;
+        }
+        const action = this.resolveAction(context);
+        authorizationGuardLogger.verbose(`Evaluating authorization for entity "${entityConstructor.name}" action "${action}"`);
+        const policy = await this.policyRegistry.buildAggregatedPolicy(entityConstructor, action);
+        if (!policy) {
+            authorizationGuardLogger.debug(`No policy found for entity "${entityConstructor.name}" action "${action}", allowing access`);
+            return true;
+        }
+        authorizationGuardLogger.verbose(`Found policy "${policy.policyId}" with ${policy.rules.length} rules for entity "${entityConstructor.name}" action "${action}"`);
+        const request = context.switchToHttp().getRequest();
+        const subject = resolveDefaultSubject_utility.AuthorizationResolveDefaultSubject(request.user);
+        const decision = await this.authorizationEngine.evaluate({
+            action,
+            policy,
+            resource: undefined,
+            subject,
+        });
+        this.attachDecisionToRequest(request, decision);
+        if (decision.effect === effect_enum.EAuthorizationEffect.DENY) {
+            authorizationGuardLogger.warn(`Access denied for entity "${entityConstructor.name}" action "${action}" subject "${subject.id}"`);
+            throw new common.ForbiddenException("Access denied");
+        }
+        authorizationGuardLogger.verbose(`Access granted for entity "${entityConstructor.name}" action "${action}" subject "${subject.id}"`);
+        return true;
+    }
+    attachDecisionToRequest(request, decision) {
+        request.authorizationDecision = decision;
+        request[decision_constant.AUTHORIZATION_DECISION_METADATA_CONSTANT.REQUEST_KEY] = decision;
+    }
+    isControllerSecurable(context) {
+        return Boolean(Reflect.getMetadata(controller_constant.CONTROLLER_API_DECORATOR_CONSTANT.SECURABLE_METADATA_KEY, context.getClass()));
+    }
+    resolveAction(context) {
+        const handlerName = context.getHandler().name;
+        const prefix = controller_constant.CONTROLLER_API_DECORATOR_CONSTANT.RESERVED_METHOD_PREFIX ?? "";
+        if (handlerName.startsWith(prefix)) {
+            return handlerName.slice(prefix.length);
+        }
+        return handlerName;
+    }
+    resolveEntityConstructor(context) {
+        return Reflect.getMetadata(controller_constant.CONTROLLER_API_DECORATOR_CONSTANT.ENTITY_METADATA_KEY, context.getClass());
+    }
+};
+exports.ApiAuthorizationGuard = tslib_es6.__decorate([
+    common.Injectable(),
+    tslib_es6.__param(0, common.Inject(registry_constant.AUTHORIZATION_POLICY_REGISTRY_TOKEN)),
+    tslib_es6.__metadata("design:paramtypes", [Object, engine_class.ApiAuthorizationEngine])
+], exports.ApiAuthorizationGuard);
+//# sourceMappingURL=guard.class.js.map

package/dist/cjs/class/api/authorization/guard.class.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"guard.class.js","sources":["../../../../../../src/class/api/authorization/guard.class.ts"],"sourcesContent":[null],"names":["LoggerUtility","ApiAuthorizationGuard","AuthorizationResolveDefaultSubject","EAuthorizationEffect","ForbiddenException","AUTHORIZATION_DECISION_METADATA_CONSTANT","CONTROLLER_API_DECORATOR_CONSTANT","__decorate","Injectable","__param","Inject","AUTHORIZATION_POLICY_REGISTRY_TOKEN","ApiAuthorizationEngine"],"mappings":";;;;;;;;;;;;AAiBA,MAAM,wBAAwB,GAAkBA,4BAAa,CAAC,SAAS,CAAC,uBAAuB,CAAC;AAGnFC,6BAAqB,GAA3B,MAAM,qBAAqB,CAAA;AAE8B,IAAA,cAAA;AAC7C,IAAA,mBAAA;IAFlB,WAAA,CAC+D,cAA+C,EAC5F,mBAA2C,EAAA;QADE,IAAA,CAAA,cAAc,GAAd,cAAc;QAC3D,IAAA,CAAA,mBAAmB,GAAnB,mBAAmB;IAClC;IAEI,MAAM,WAAW,CAAC,OAAyB,EAAA;QACjD,IAAI,CAAC,IAAI,CAAC,qBAAqB,CAAC,OAAO,CAAC,EAAE;AACzC,YAAA,wBAAwB,CAAC,KAAK,CAAC,6EAA6E,CAAC;AAE7G,YAAA,OAAO,IAAI;QACZ;QAEA,MAAM,iBAAiB,GAA2C,IAAI,CAAC,wBAAwB,CAAC,OAAO,CAAC;QAExG,IAAI,CAAC,iBAAiB,EAAE;AACvB,YAAA,wBAAwB,CAAC,KAAK,CAAC,4EAA4E,CAAC;AAE5G,YAAA,OAAO,IAAI;QACZ;QAEA,MAAM,MAAM,GAAW,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC;QAClD,wBAAwB,CAAC,OAAO,CAAC,CAAA,qCAAA,EAAwC,iBAAiB,CAAC,IAAI,CAAA,UAAA,EAAa,MAAM,CAAA,CAAA,CAAG,CAAC;AAEtH,QAAA,MAAM,MAAM,GAA+G,MAAM,IAAI,CAAC,cAAc,CAAC,qBAAqB,CAAC,iBAAiB,EAAE,MAAM,CAAC;QAErM,IAAI,CAAC,MAAM,EAAE;YACZ,wBAAwB,CAAC,KAAK,CAAC,CAAA,4BAAA,EAA+B,iBAAiB,CAAC,IAAI,CAAA,UAAA,EAAa,MAAM,CAAA,kBAAA,CAAoB,CAAC;AAE5H,YAAA,OAAO,IAAI;QACZ;QAEA,wBAAwB,CAAC,OAAO,CAAC,CAAA,cAAA,EAAiB,MAAM,CAAC,QAAQ,UAAU,MAAM,CAAC,KAAK,CAAC,MAAM,sBAAsB,iBAAiB,CAAC,IAAI,CAAA,UAAA,EAAa,MAAM,CAAA,CAAA,CAAG,CAAC;QAEjK,MAAM,OAAO,GAAkC,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAiC;QACjH,MAAM,OAAO,GAA6BC,gEAAkC,CAAC,OAAO,CAAC,IAAI,CAAC;QAE1F,MAAM,QAAQ,GAAqG,MAAM,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC;YAC1J,MAAM;YACN,MAAM;AACN,YAAA,QAAQ,EAAE,SAAS;YACnB,OAAO;AACP,SAAA,CAAC;AAEF,QAAA,IAAI,CAAC,uBAAuB,CAAC,OAAO,EAAE,QAAQ,CAAC;QAE/C,IAAI,QAAQ,CAAC,MAAM,KAAKC,gCAAoB,CAAC,IAAI,EAAE;AAClD,YAAA,wBAAwB,CAAC,IAAI,CAAC,CAAA,0BAAA,EAA6B,iBAAiB,CAAC,IAAI,CAAA,UAAA,EAAa,MAAM,cAAc,OAAO,CAAC,EAAE,CAAA,CAAA,CAAG,CAAC;AAEhI,YAAA,MAAM,IAAIC,yBAAkB,CAAC,eAAe,CAAC;QAC9C;AAEA,QAAA,wBAAwB,CAAC,OAAO,CAAC,CAAA,2BAAA,EAA8B,iBAAiB,CAAC,IAAI,CAAA,UAAA,EAAa,MAAM,cAAc,OAAO,CAAC,EAAE,CAAA,CAAA,CAAG,CAAC;AAEpI,QAAA,OAAO,IAAI;IACZ;IAEQ,uBAAuB,CAAC,OAAsC,EAAE,QAA0G,EAAA;AACjL,QAAA,OAAO,CAAC,qBAAqB,GAAG,QAAQ;AACxC,QAAA,OAAO,CAACC,0DAAwC,CAAC,WAAW,CAAC,GAAG,QAAQ;IACzE;AAEQ,IAAA,qBAAqB,CAAC,OAAyB,EAAA;AACtD,QAAA,OAAO,OAAO,CAAC,OAAO,CAAC,WAAW,CAACC,qDAAiC,CAAC,sBAAsB,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IAClH;AAEQ,IAAA,aAAa,CAAC,OAAyB,EAAA;QAC9C,MAAM,WAAW,GAAW,OAAO,CAAC,UAAU,EAAE,CAAC,IAAI;AACrD,QAAA,MAAM,MAAM,GAAWA,qDAAiC,CAAC,sBAAsB,IAAI,EAAE;AAErF,QAAA,IAAI,WAAW,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE;YACnC,OAAO,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC;QACxC;AAEA,QAAA,OAAO,WAAW;IACnB;AAEQ,IAAA,wBAAwB,CAAC,OAAyB,EAAA;AACzD,QAAA,OAAO,OAAO,CAAC,WAAW,CAACA,qDAAiC,CAAC,mBAAmB,EAAE,OAAO,CAAC,QAAQ,EAAE,CAA2C;IAChJ;;AA/EYL,6BAAqB,GAAAM,oBAAA,CAAA;AADjC,IAAAC,iBAAU,EAAE;AAGV,IAAAC,iBAAA,CAAA,CAAA,EAAAC,aAAM,CAACC,qDAAmC,CAAC,CAAA;uDACNC,mCAAsB,CAAA;AAHjD,CAAA,EAAAX,6BAAqB,CAgFjC;;"}

package/dist/cjs/class/api/authorization/index.d.ts

@@ -0,0 +1,3 @@
+export { ApiAuthorizationEngine } from './engine.class';
+export { ApiAuthorizationGuard } from './guard.class';
+export * from './policy/index';

package/dist/cjs/class/api/authorization/policy/base.class.d.ts

@@ -0,0 +1,37 @@
+import type { IApiBaseEntity } from '../../../../interface/api-base-entity.interface';
+import type { IApiAuthorizationPolicySubscriberRule } from '../../../../interface/authorization/policy/subscriber/index';
+import { ApiSubscriberBase } from '../../subscriber/base.class';
+/**
+ * Base class for all authorization policies. It mirrors ApiFunctionSubscriberBase
+ * and provides helper methods to create allow/deny rules that are later executed by the policy executor.
+ * @template E - Entity type extending IApiBaseEntity
+ */
+export declare abstract class ApiAuthorizationPolicyBase<E extends IApiBaseEntity> extends ApiSubscriberBase {
+    /**
+     * Creates an ALLOW rule with optional overrides.
+     * @param {Omit<IApiAuthorizationPolicySubscriberRule<E>, "effect">} [rule] - Rule fields to merge.
+     * @returns {IApiAuthorizationPolicySubscriberRule<E>} Allow rule.
+     */
+    protected allow<R>(rule?: Omit<IApiAuthorizationPolicySubscriberRule<E, R>, "effect">): IApiAuthorizationPolicySubscriberRule<E, R>;
+    /**
+     * Helper that creates an allow rule conditioned on the subject having at least one of the provided roles.
+     * @param {Array<string>} roles - Roles that grant access.
+     * @param {Omit<IApiAuthorizationPolicySubscriberRule<E>, "effect">} [rule] - Optional overrides.
+     * @returns {IApiAuthorizationPolicySubscriberRule<E>} Allow rule targeting the given roles.
+     */
+    protected allowForRoles<R>(roles: Array<string>, rule?: Omit<IApiAuthorizationPolicySubscriberRule<E, R>, "effect">): IApiAuthorizationPolicySubscriberRule<E, R>;
+    /**
+     * Creates a DENY rule with optional overrides.
+     * @param {Omit<IApiAuthorizationPolicySubscriberRule<E>, "effect">} [rule] - Rule fields to merge.
+     * @returns {IApiAuthorizationPolicySubscriberRule<E>} Deny rule.
+     */
+    protected deny<R>(rule?: Omit<IApiAuthorizationPolicySubscriberRule<E, R>, "effect">): IApiAuthorizationPolicySubscriberRule<E, R>;
+    /**
+     * Helper that scopes data access to the owner identified by a field.
+     * Automatically handles relations by using nested id structure.
+     * @param {keyof E} [ownerField] - Entity field used to match the subject id, defaults to ownerId.
+     * @param {Omit<IApiAuthorizationPolicySubscriberRule<E>, "effect">} [rule] - Optional overrides.
+     * @returns {IApiAuthorizationPolicySubscriberRule<E>} Allow rule with owner scope.
+     */
+    protected scopeToOwner<R>(ownerField?: keyof E, rule?: Omit<IApiAuthorizationPolicySubscriberRule<E, R>, "effect">): IApiAuthorizationPolicySubscriberRule<E, R>;
+}

package/dist/cjs/class/api/authorization/policy/base.class.js

@@ -0,0 +1,68 @@
+'use strict';
+
+var base_class = require('../../subscriber/base.class.js');
+var effect_enum = require('../../../../enum/authorization/effect.enum.js');
+
+/**
+ * Base class for all authorization policies. It mirrors ApiFunctionSubscriberBase
+ * and provides helper methods to create allow/deny rules that are later executed by the policy executor.
+ * @template E - Entity type extending IApiBaseEntity
+ */
+class ApiAuthorizationPolicyBase extends base_class.ApiSubscriberBase {
+    /**
+     * Creates an ALLOW rule with optional overrides.
+     * @param {Omit<IApiAuthorizationPolicySubscriberRule<E>, "effect">} [rule] - Rule fields to merge.
+     * @returns {IApiAuthorizationPolicySubscriberRule<E>} Allow rule.
+     */
+    allow(rule = {}) {
+        return {
+            effect: effect_enum.EAuthorizationEffect.ALLOW,
+            ...rule,
+        };
+    }
+    /**
+     * Helper that creates an allow rule conditioned on the subject having at least one of the provided roles.
+     * @param {Array<string>} roles - Roles that grant access.
+     * @param {Omit<IApiAuthorizationPolicySubscriberRule<E>, "effect">} [rule] - Optional overrides.
+     * @returns {IApiAuthorizationPolicySubscriberRule<E>} Allow rule targeting the given roles.
+     */
+    allowForRoles(roles, rule = {}) {
+        return this.allow({
+            condition: ({ subject }) => roles.some((role) => subject.roles.includes(role)),
+            ...rule,
+        });
+    }
+    /**
+     * Creates a DENY rule with optional overrides.
+     * @param {Omit<IApiAuthorizationPolicySubscriberRule<E>, "effect">} [rule] - Rule fields to merge.
+     * @returns {IApiAuthorizationPolicySubscriberRule<E>} Deny rule.
+     */
+    deny(rule = {}) {
+        return {
+            effect: effect_enum.EAuthorizationEffect.DENY,
+            ...rule,
+        };
+    }
+    /**
+     * Helper that scopes data access to the owner identified by a field.
+     * Automatically handles relations by using nested id structure.
+     * @param {keyof E} [ownerField] - Entity field used to match the subject id, defaults to ownerId.
+     * @param {Omit<IApiAuthorizationPolicySubscriberRule<E>, "effect">} [rule] - Optional overrides.
+     * @returns {IApiAuthorizationPolicySubscriberRule<E>} Allow rule with owner scope.
+     */
+    scopeToOwner(ownerField = "ownerId", rule = {}) {
+        return this.allow({
+            scope: ({ subject }) => {
+                return {
+                    where: {
+                        [ownerField]: { id: subject.id },
+                    },
+                };
+            },
+            ...rule,
+        });
+    }
+}
+
+exports.ApiAuthorizationPolicyBase = ApiAuthorizationPolicyBase;
+//# sourceMappingURL=base.class.js.map

package/dist/cjs/class/api/authorization/policy/base.class.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"base.class.js","sources":["../../../../../../../src/class/api/authorization/policy/base.class.ts"],"sourcesContent":[null],"names":["ApiSubscriberBase","EAuthorizationEffect"],"mappings":";;;;;AAQA;;;;AAIG;AACG,MAAgB,0BAAqD,SAAQA,4BAAiB,CAAA;AACnG;;;;AAIG;IACO,KAAK,CAAI,OAAoE,EAAiE,EAAA;QACvJ,OAAO;YACN,MAAM,EAAEC,gCAAoB,CAAC,KAAK;AAClC,YAAA,GAAG,IAAI;SACP;IACF;AAEA;;;;;AAKG;AACO,IAAA,aAAa,CAAI,KAAoB,EAAE,IAAA,GAAoE,EAAiE,EAAA;QACrL,OAAO,IAAI,CAAC,KAAK,CAAC;YACjB,SAAS,EAAE,CAAC,EAAE,OAAO,EAAmC,KAAK,KAAK,CAAC,IAAI,CAAC,CAAC,IAAY,KAAK,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AACvH,YAAA,GAAG,IAAI;AACP,SAAA,CAAC;IACH;AAEA;;;;AAIG;IACO,IAAI,CAAI,OAAoE,EAAiE,EAAA;QACtJ,OAAO;YACN,MAAM,EAAEA,gCAAoB,CAAC,IAAI;AACjC,YAAA,GAAG,IAAI;SACP;IACF;AAEA;;;;;;AAMG;AACO,IAAA,YAAY,CAAI,UAAA,GAAsB,SAAoB,EAAE,OAAoE,EAAiE,EAAA;QAC1M,OAAO,IAAI,CAAC,KAAK,CAAC;AACjB,YAAA,KAAK,EAAE,CAAC,EAAE,OAAO,EAAmC,KAAI;gBACvD,OAAO;AACN,oBAAA,KAAK,EAAE;wBACN,CAAC,UAAoB,GAAG,EAAE,EAAE,EAAE,OAAO,CAAC,EAAE,EAAE;AACnB,qBAAA;iBACxB;YACF,CAAC;AACD,YAAA,GAAG,IAAI;AACP,SAAA,CAAC;IACH;AACA;;;;"}

package/dist/cjs/class/api/authorization/policy/discovery-service.class.d.ts

@@ -0,0 +1,10 @@
+import { OnModuleInit } from "@nestjs/common";
+import { DiscoveryService } from "@nestjs/core";
+import { ApiAuthorizationPolicyRegistry } from './registry.class';
+export declare class ApiAuthorizationPolicyDiscoveryService implements OnModuleInit {
+    private readonly discoveryService;
+    private readonly registry;
+    constructor(discoveryService: DiscoveryService, registry: ApiAuthorizationPolicyRegistry);
+    onModuleInit(): void;
+    private isPolicyWrapper;
+}

package/dist/cjs/class/api/authorization/policy/discovery-service.class.js

@@ -0,0 +1,53 @@
+'use strict';
+
+var tslib_es6 = require('../../../../external/tslib/tslib.es6.js');
+var decorator_constant = require('../../../../constant/authorization/policy/decorator.constant.js');
+var common = require('@nestjs/common');
+var core = require('@nestjs/core');
+var logger_utility = require('../../../../utility/logger.utility.js');
+var base_class = require('./base.class.js');
+var registry_class = require('./registry.class.js');
+
+const policyDiscoveryLogger = logger_utility.LoggerUtility.getLogger("ApiAuthorizationPolicyDiscoveryService");
+exports.ApiAuthorizationPolicyDiscoveryService = class ApiAuthorizationPolicyDiscoveryService {
+    discoveryService;
+    registry;
+    constructor(discoveryService, registry) {
+        this.discoveryService = discoveryService;
+        this.registry = registry;
+    }
+    onModuleInit() {
+        policyDiscoveryLogger.verbose("Starting authorization policy discovery...");
+        const providers = this.discoveryService.getProviders();
+        const policyProviders = providers.filter((wrapper) => this.isPolicyWrapper(wrapper));
+        for (const wrapper of policyProviders) {
+            if (!wrapper.metatype) {
+                continue;
+            }
+            const metadata = Reflect.getMetadata(decorator_constant.AUTHORIZATION_POLICY_DECORATOR_CONSTANT.METADATA_KEY, wrapper.metatype);
+            const properties = metadata;
+            if (!properties) {
+                continue;
+            }
+            const policyId = properties.policyId ?? `${properties.entity.name?.toLowerCase() ?? "unknown"}${decorator_constant.AUTHORIZATION_POLICY_DECORATOR_CONSTANT.DEFAULT_POLICY_ID_SUFFIX}`;
+            this.registry.registerSubscriber({
+                description: properties.description,
+                entity: properties.entity,
+                policyId,
+                priority: properties.priority ?? 0,
+                subscriber: wrapper.instance,
+            });
+            policyDiscoveryLogger.verbose(`Registered authorization policy ${wrapper.name ?? properties.entity.name ?? "UnknownPolicy"} for entity ${properties.entity.name ?? "UnknownEntity"} with priority ${properties.priority ?? 0}`);
+        }
+        policyDiscoveryLogger.verbose(`Authorization policy discovery finished. Registered ${policyProviders.length} providers.`);
+    }
+    isPolicyWrapper(wrapper) {
+        return Boolean(wrapper.instance && wrapper.metatype && wrapper.instance instanceof base_class.ApiAuthorizationPolicyBase && Reflect.hasMetadata(decorator_constant.AUTHORIZATION_POLICY_DECORATOR_CONSTANT.METADATA_KEY, wrapper.metatype));
+    }
+};
+exports.ApiAuthorizationPolicyDiscoveryService = tslib_es6.__decorate([
+    common.Injectable(),
+    tslib_es6.__metadata("design:paramtypes", [core.DiscoveryService,
+        registry_class.ApiAuthorizationPolicyRegistry])
+], exports.ApiAuthorizationPolicyDiscoveryService);
+//# sourceMappingURL=discovery-service.class.js.map

package/dist/cjs/class/api/authorization/policy/discovery-service.class.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"discovery-service.class.js","sources":["../../../../../../../src/class/api/authorization/policy/discovery-service.class.ts"],"sourcesContent":[null],"names":["LoggerUtility","ApiAuthorizationPolicyDiscoveryService","AUTHORIZATION_POLICY_DECORATOR_CONSTANT","ApiAuthorizationPolicyBase","__decorate","Injectable","DiscoveryService","ApiAuthorizationPolicyRegistry"],"mappings":";;;;;;;;;;AAYA,MAAM,qBAAqB,GAAkBA,4BAAa,CAAC,SAAS,CAAC,wCAAwC,CAAC;AAGjGC,8CAAsC,GAA5C,MAAM,sCAAsC,CAAA;AAEhC,IAAA,gBAAA;AACA,IAAA,QAAA;IAFlB,WAAA,CACkB,gBAAkC,EAClC,QAAwC,EAAA;QADxC,IAAA,CAAA,gBAAgB,GAAhB,gBAAgB;QAChB,IAAA,CAAA,QAAQ,GAAR,QAAQ;IACvB;IAEI,YAAY,GAAA;AAClB,QAAA,qBAAqB,CAAC,OAAO,CAAC,4CAA4C,CAAC;QAC3E,MAAM,SAAS,GAA2B,IAAI,CAAC,gBAAgB,CAAC,YAAY,EAAE;AAC9E,QAAA,MAAM,eAAe,GAA2B,SAAS,CAAC,MAAM,CAAC,CAAC,OAAwB,KAAK,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;AAE7H,QAAA,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE;AACtC,YAAA,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE;gBACtB;YACD;AAEA,YAAA,MAAM,QAAQ,GAAY,OAAO,CAAC,WAAW,CAACC,0DAAuC,CAAC,YAAY,EAAE,OAAO,CAAC,QAAQ,CAAC;YACrH,MAAM,UAAU,GAA4E,QAAmF;YAE/K,IAAI,CAAC,UAAU,EAAE;gBAChB;YACD;YAEA,MAAM,QAAQ,GAAW,UAAU,CAAC,QAAQ,IAAI,CAAA,EAAG,UAAU,CAAC,MAAM,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,SAAS,GAAGA,0DAAuC,CAAC,wBAAwB,CAAA,CAAE;AAE1K,YAAA,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC;gBAChC,WAAW,EAAE,UAAU,CAAC,WAAW;gBACnC,MAAM,EAAE,UAAU,CAAC,MAAM;gBACzB,QAAQ;AACR,gBAAA,QAAQ,EAAE,UAAU,CAAC,QAAQ,IAAI,CAAC;gBAClC,UAAU,EAAE,OAAO,CAAC,QAA6D;AACjF,aAAA,CAAC;AAEF,YAAA,qBAAqB,CAAC,OAAO,CAAC,CAAA,gCAAA,EAAmC,OAAO,CAAC,IAAI,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,IAAI,eAAe,CAAA,YAAA,EAAe,UAAU,CAAC,MAAM,CAAC,IAAI,IAAI,eAAe,CAAA,eAAA,EAAkB,UAAU,CAAC,QAAQ,IAAI,CAAC,CAAA,CAAE,CAAC;QAChO;QAEA,qBAAqB,CAAC,OAAO,CAAC,CAAA,oDAAA,EAAuD,eAAe,CAAC,MAAM,CAAA,WAAA,CAAa,CAAC;IAC1H;AAEQ,IAAA,eAAe,CAAC,OAAwB,EAAA;AAC/C,QAAA,OAAO,OAAO,CAAC,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,QAAQ,YAAYC,qCAA0B,IAAI,OAAO,CAAC,WAAW,CAACD,0DAAuC,CAAC,YAAY,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC9M;;AAzCYD,8CAAsC,GAAAG,oBAAA,CAAA;AADlD,IAAAC,iBAAU,EAAE;+CAGwBC,qBAAgB;QACxBC,6CAA8B,CAAA;AAH9C,CAAA,EAAAN,8CAAsC,CA0ClD;;"}

package/dist/cjs/class/api/authorization/policy/executor.class.d.ts

@@ -0,0 +1,8 @@
+import type { IApiBaseEntity } from '../../../../interface/api-base-entity.interface';
+import type { IApiAuthorizationPolicySubscriber, IApiAuthorizationPolicySubscriberContext, IApiAuthorizationPolicySubscriberRule } from '../../../../interface/authorization/policy/subscriber/index';
+import type { TApiAuthorizationPolicyHookResult } from '../../../../type/class/api/authorization/policy/hook/index';
+export declare class ApiAuthorizationPolicyExecutor {
+    static execute<E extends IApiBaseEntity, TAction extends string>(subscriber: IApiAuthorizationPolicySubscriber<E>, action: TAction, context: IApiAuthorizationPolicySubscriberContext<E>): Promise<Array<IApiAuthorizationPolicySubscriberRule<E, TApiAuthorizationPolicyHookResult<TAction, E>>>>;
+    private static normalizeRuleResult;
+    private static resolveRouteType;
+}

package/dist/cjs/class/api/authorization/policy/executor.class.js

@@ -0,0 +1,43 @@
+'use strict';
+
+var onType_enum = require('../../../../enum/authorization/policy/on-type.enum.js');
+var routeType_enum = require('../../../../enum/decorator/api/route-type.enum.js');
+var capitalizeString_utility = require('../../../../utility/capitalize-string.utility.js');
+var logger_utility = require('../../../../utility/logger.utility.js');
+
+const policyExecutorLogger = logger_utility.LoggerUtility.getLogger("ApiAuthorizationPolicyExecutor");
+class ApiAuthorizationPolicyExecutor {
+    static async execute(subscriber, action, context) {
+        const routeType = context.routeType ?? this.resolveRouteType(action);
+        if (routeType) {
+            const hookName = `on${onType_enum.EApiAuthorizationPolicyOnType.BEFORE}${capitalizeString_utility.CapitalizeString(routeType)}`;
+            const hook = subscriber[hookName];
+            if (typeof hook === "function") {
+                policyExecutorLogger.verbose(`Executing authorization policy hook ${hookName} from ${subscriber.constructor.name} for action "${action}"`);
+                const typedHook = hook;
+                const result = typedHook.call(subscriber, context);
+                return this.normalizeRuleResult(await result);
+            }
+            return [];
+        }
+        if (typeof subscriber.getCustomActionRule !== "function") {
+            return [];
+        }
+        const customActionHook = subscriber.getCustomActionRule.bind(subscriber);
+        const customResult = customActionHook(action, context);
+        return this.normalizeRuleResult(await customResult);
+    }
+    static normalizeRuleResult(result) {
+        if (Array.isArray(result)) {
+            return result.filter((rule) => rule != null);
+        }
+        return result ? [result] : [];
+    }
+    static resolveRouteType(action) {
+        const routeTypes = Object.values(routeType_enum.EApiRouteType);
+        return routeTypes.find((routeType) => routeType === action);
+    }
+}
+
+exports.ApiAuthorizationPolicyExecutor = ApiAuthorizationPolicyExecutor;
+//# sourceMappingURL=executor.class.js.map

package/dist/cjs/class/api/authorization/policy/executor.class.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"executor.class.js","sources":["../../../../../../../src/class/api/authorization/policy/executor.class.ts"],"sourcesContent":[null],"names":["LoggerUtility","EApiAuthorizationPolicyOnType","CapitalizeString","EApiRouteType"],"mappings":";;;;;;;AAUA,MAAM,oBAAoB,GAAkBA,4BAAa,CAAC,SAAS,CAAC,gCAAgC,CAAC;MAIxF,8BAA8B,CAAA;IACnC,aAAa,OAAO,CAAmD,UAAgD,EAAE,MAAe,EAAE,OAAoD,EAAA;AACpM,QAAA,MAAM,SAAS,GAA8B,OAAO,CAAC,SAAS,IAAI,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC;QAE/F,IAAI,SAAS,EAAE;AACd,YAAA,MAAM,QAAQ,GAAW,CAAA,EAAA,EAAKC,yCAA6B,CAAC,MAAM,CAAA,EAAGC,yCAAgB,CAAC,SAAS,CAAC,CAAA,CAAE;AAClG,YAAA,MAAM,IAAI,GAAY,UAAU,CAAC,QAAsD,CAAC;AAExF,YAAA,IAAI,OAAO,IAAI,KAAK,UAAU,EAAE;AAC/B,gBAAA,oBAAoB,CAAC,OAAO,CAAC,CAAA,oCAAA,EAAuC,QAAQ,CAAA,MAAA,EAAS,UAAU,CAAC,WAAW,CAAC,IAAI,CAAA,aAAA,EAAgB,MAAM,CAAA,CAAA,CAAG,CAAC;gBAC1I,MAAM,SAAS,GAAqH,IAAwH;gBAC5P,MAAM,MAAM,GAA2D,SAAS,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC;AAE1G,gBAAA,OAAO,IAAI,CAAC,mBAAmB,CAAC,MAAM,MAAM,CAAC;YAC9C;AAEA,YAAA,OAAO,EAAE;QACV;AAEA,QAAA,IAAI,OAAO,UAAU,CAAC,mBAAmB,KAAK,UAAU,EAAE;AACzD,YAAA,OAAO,EAAE;QACV;QAEA,MAAM,gBAAgB,GAA+I,UAAU,CAAC,mBAAmB,CAAC,IAAI,CAAC,UAAU,CAA+I;QAElW,MAAM,YAAY,GAA2D,gBAAgB,CAAC,MAAM,EAAE,OAAO,CAAC;AAE9G,QAAA,OAAO,IAAI,CAAC,mBAAmB,CAAC,MAAM,YAAY,CAAC;IACpD;IAEQ,OAAO,mBAAmB,CAA8B,MAAyD,EAAA;AACxH,QAAA,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE;AAC1B,YAAA,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,IAAoE,KAA0D,IAAI,IAAI,IAAI,CAAC;QAClK;QAEA,OAAO,MAAM,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE;IAC9B;IAEQ,OAAO,gBAAgB,CAAC,MAAc,EAAA;QAC7C,MAAM,UAAU,GAAkB,MAAM,CAAC,MAAM,CAACC,4BAAa,CAAkB;AAE/E,QAAA,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC,SAAiB,KAAK,SAAS,KAAK,MAAM,CAA8B;IACjG;AACA;;;;"}

package/dist/cjs/class/api/authorization/policy/index.d.ts

@@ -0,0 +1,4 @@
+export { ApiAuthorizationPolicyBase } from './base.class';
+export { ApiAuthorizationPolicyDiscoveryService } from './discovery-service.class';
+export { ApiAuthorizationPolicyExecutor } from './executor.class';
+export { ApiAuthorizationPolicyRegistry } from './registry.class';

package/dist/cjs/class/api/authorization/policy/registry.class.d.ts

@@ -0,0 +1,26 @@
+import type { IApiBaseEntity } from '../../../../interface/api-base-entity.interface';
+import type { IApiAuthorizationPolicy, IApiAuthorizationPolicyRegistry, IApiAuthorizationPolicySubscriberRegistration } from '../../../../interface/authorization/index';
+import type { TApiAuthorizationPolicyHookResult } from '../../../../type/class/api/authorization/policy/hook/index';
+type TEntityConstructor<E extends IApiBaseEntity> = new () => E;
+export declare class ApiAuthorizationPolicyRegistry implements IApiAuthorizationPolicyRegistry {
+    private readonly LEGACY_POLICIES;
+    private readonly POLICY_CACHE;
+    private readonly POLICY_REGISTRATIONS_BY_ENTITY;
+    private readonly POLICY_REGISTRATIONS_BY_ID;
+    constructor();
+    buildAggregatedPolicy<E extends IApiBaseEntity, TAction extends string>(entity: TEntityConstructor<E>, action: TAction): Promise<IApiAuthorizationPolicy<E, TApiAuthorizationPolicyHookResult<TAction, E>> | undefined>;
+    clear(): void;
+    registerPolicy<E extends IApiBaseEntity, R>(policy: IApiAuthorizationPolicy<E, R>): void;
+    registerSubscriber<E extends IApiBaseEntity>(registration: IApiAuthorizationPolicySubscriberRegistration<E>): void;
+    private cachePolicy;
+    private createCacheKey;
+    private getEntityName;
+    private invalidateCacheForEntity;
+    private normalizeRule;
+    private resolvePolicyId;
+    private resolveRouteType;
+    private setLegacyPolicy;
+    private toBasePolicy;
+}
+export declare const apiAuthorizationPolicyRegistry: ApiAuthorizationPolicyRegistry;
+export {};