@elsikora/nestjs-crud-automator 1.16.0-dev.1 → 1.17.0-dev.1

package/dist/cjs/type/class/api/subscriber/route/after/get/list-context.type.d.ts

@@ -1,4 +1,5 @@
 import type { IApiBaseEntity } from '../../../../../../../interface/api-base-entity.interface';
 import type { IApiSubscriberRouteExecutionContextDataExtended } from '../../../../../../../interface/class/api/subscriber/route-execution-context-data.interface';
 import type { IApiSubscriberRouteExecutionContext } from '../../../../../../../interface/class/api/subscriber/route-execution-context.interface';
-export type TApiSubscriberRouteAfterGetListContext<E extends IApiBaseEntity> = IApiSubscriberRouteExecutionContext<E, Array<E>, IApiSubscriberRouteExecutionContextDataExtended<E>>;
+import type { IApiGetListResponseResult } from '../../../../../../../interface/decorator/api/get-list-response-result.interface';
+export type TApiSubscriberRouteAfterGetListContext<E extends IApiBaseEntity> = IApiSubscriberRouteExecutionContext<E, IApiGetListResponseResult<E>, IApiSubscriberRouteExecutionContextDataExtended<E, IApiGetListResponseResult<E>>>;

package/dist/cjs/type/class/api/subscriber/route/after/get/many-context.type.d.ts

@@ -1,4 +1,4 @@
 import type { IApiBaseEntity } from '../../../../../../../interface/api-base-entity.interface';
 import type { IApiSubscriberRouteExecutionContextDataExtended } from '../../../../../../../interface/class/api/subscriber/route-execution-context-data.interface';
 import type { IApiSubscriberRouteExecutionContext } from '../../../../../../../interface/class/api/subscriber/route-execution-context.interface';
-export type TApiSubscriberRouteAfterGetManyContext<E extends IApiBaseEntity> = IApiSubscriberRouteExecutionContext<E, Array<E>, IApiSubscriberRouteExecutionContextDataExtended<E>>;
+export type TApiSubscriberRouteAfterGetManyContext<E extends IApiBaseEntity> = IApiSubscriberRouteExecutionContext<E, Array<E>, IApiSubscriberRouteExecutionContextDataExtended<E, Array<E>>>;

package/dist/cjs/type/class/api/subscriber/route/after/update-context.type.d.ts

@@ -1,4 +1,4 @@
 import type { IApiBaseEntity } from '../../../../../../interface/api-base-entity.interface';
 import type { IApiSubscriberRouteExecutionContextDataExtended } from '../../../../../../interface/class/api/subscriber/route-execution-context-data.interface';
 import type { IApiSubscriberRouteExecutionContext } from '../../../../../../interface/class/api/subscriber/route-execution-context.interface';
-export type TApiSubscriberRouteAfterUpdateContext<E extends IApiBaseEntity> = IApiSubscriberRouteExecutionContext<E, E, IApiSubscriberRouteExecutionContextDataExtended<E>>;
+export type TApiSubscriberRouteAfterUpdateContext<E extends IApiBaseEntity> = IApiSubscriberRouteExecutionContext<E, E, IApiSubscriberRouteExecutionContextDataExtended<E, E>>;

package/dist/cjs/type/index.d.ts

@@ -1,5 +1,6 @@
 export { type TApiRequestTransformer } from './api-request-transformer.type';
 export type * from './class/index';
+export type * from './class/api/authorization/index';
 export type * from './decorator/api/controller/index';
 export type * from './decorator/api/filter/index';
 export type * from './decorator/api/function/index';

package/dist/cjs/utility/api/controller/apply-metadata.utility.js

@@ -76,11 +76,9 @@ function ApiControllerApplyMetadata(target, targetPrototype, entity, properties,
     routeArgumentsMetadata = common.assignMetadata(routeArgumentsMetadata, routeParamtypes_enum.RouteParamtypes.IP, parameterIndex);
     parameterTypes.push(Object);
     parameterIndex++;
-    if (routeConfig.authentication) {
-        routeArgumentsMetadata = common.assignMetadata(routeArgumentsMetadata, routeParamtypes_enum.RouteParamtypes.REQUEST, parameterIndex);
-        parameterTypes.push(Object);
-        parameterIndex++;
-    }
+    routeArgumentsMetadata = common.assignMetadata(routeArgumentsMetadata, routeParamtypes_enum.RouteParamtypes.REQUEST, parameterIndex);
+    parameterTypes.push(Object);
+    parameterIndex++;
     Reflect.defineMetadata(constants.ROUTE_ARGS_METADATA, routeArgumentsMetadata, target, methodName);
     Reflect.defineMetadata(constants.PARAMTYPES_METADATA, parameterTypes, targetPrototype, methodName);
 }

package/dist/cjs/utility/api/controller/apply-metadata.utility.js.map

@@ -1 +1 @@
-{"version":3,"file":"apply-metadata.utility.js","sources":["../../../../../../src/utility/api/controller/apply-metadata.utility.ts"],"sourcesContent":[null],"names":["DtoGenerate","EApiDtoType","assignMetadata","RouteParamtypes","ROUTE_ARGS_METADATA","PARAMTYPES_METADATA"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAYA;;;;;;;;;;;;AAYG;AACG,SAAU,0BAA0B,CAAI,MAAc,EAAE,eAAuB,EAAE,MAAqB,EAAE,UAAuC,EAAE,MAAqB,EAAE,UAAkB,EAAE,WAA4D,EAAA;IAC7P,IAAI,cAAc,GAAW,CAAC;IAC9B,IAAI,sBAAsB,GAAY,EAAE;IACxC,MAAM,cAAc,GAAmB,EAAE;AAEzC,IAAA,MAAM,UAAU,GAA8B,WAAW,CAAC,GAAG,EAAE,OAAO,IAAIA,4BAAW,CAAC,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAEC,wBAAW,CAAC,OAAO,EAAE,WAAW,CAAC,OAAO,GAAGA,wBAAW,CAAC,OAAO,CAAC,EAAE,WAAW,CAAC,cAAc,EAAE,KAAK,CAAC;AAC5N,IAAA,MAAM,QAAQ,GAA8B,WAAW,CAAC,GAAG,EAAE,KAAK,IAAID,4BAAW,CAAC,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAEC,wBAAW,CAAC,KAAK,EAAE,WAAW,CAAC,OAAO,GAAGA,wBAAW,CAAC,KAAK,CAAC,EAAE,WAAW,CAAC,cAAc,EAAE,KAAK,CAAC;AACpN,IAAA,MAAM,OAAO,GAA8B,WAAW,CAAC,GAAG,EAAE,IAAI,IAAID,4BAAW,CAAC,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAEC,wBAAW,CAAC,IAAI,EAAE,WAAW,CAAC,OAAO,GAAGA,wBAAW,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,cAAc,EAAE,KAAK,CAAC;IAEhN,IAAI,UAAU,EAAE;QACf,sBAAsB,GAAGC,qBAAc,CAAC,sBAAsB,EAAEC,oCAAe,CAAC,KAAK,EAAE,cAAc,CAAC;AACtG,QAAA,cAAc,CAAC,IAAI,CAAC,UAAU,CAAC;AAC/B,QAAA,cAAc,EAAE;IACjB;IAEA,IAAI,QAAQ,EAAE;QACb,sBAAsB,GAAGD,qBAAc,CAAC,sBAAsB,EAAEC,oCAAe,CAAC,KAAK,EAAE,cAAc,CAAC;AACtG,QAAA,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC;AAC7B,QAAA,cAAc,EAAE;IACjB;IAEA,IAAI,OAAO,EAAE;QACZ,sBAAsB,GAAGD,qBAAc,CAAC,sBAAsB,EAAEC,oCAAe,CAAC,IAAI,EAAE,cAAc,CAAC;AACrG,QAAA,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC;AAC5B,QAAA,cAAc,EAAE;IACjB;IAEA,sBAAsB,GAAGD,qBAAc,CAAC,sBAAsB,EAAEC,oCAAe,CAAC,OAAO,EAAE,cAAc,CAAC;AACxG,IAAA,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC;AAC3B,IAAA,cAAc,EAAE;IAEhB,sBAAsB,GAAGD,qBAAc,CAAC,sBAAsB,EAAEC,oCAAe,CAAC,EAAE,EAAE,cAAc,CAAC;AACnG,IAAA,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC;AAC3B,IAAA,cAAc,EAAE;AAEhB,IAAA,IAAI,WAAW,CAAC,cAAc,EAAE;QAC/B,sBAAsB,GAAGD,qBAAc,CAAC,sBAAsB,EAAEC,oCAAe,CAAC,OAAO,EAAE,cAAc,CAAC;AACxG,QAAA,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC;AAC3B,QAAA,cAAc,EAAE;IACjB;IAEA,OAAO,CAAC,cAAc,CAACC,6BAAmB,EAAE,sBAAsB,EAAE,MAAM,EAAE,UAAU,CAAC;IACvF,OAAO,CAAC,cAAc,CAACC,6BAAmB,EAAE,cAAc,EAAE,eAAe,EAAE,UAAU,CAAC;AACzF;;;;"}
+{"version":3,"file":"apply-metadata.utility.js","sources":["../../../../../../src/utility/api/controller/apply-metadata.utility.ts"],"sourcesContent":[null],"names":["DtoGenerate","EApiDtoType","assignMetadata","RouteParamtypes","ROUTE_ARGS_METADATA","PARAMTYPES_METADATA"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAYA;;;;;;;;;;;;AAYG;AACG,SAAU,0BAA0B,CAAI,MAAc,EAAE,eAAuB,EAAE,MAAqB,EAAE,UAAuC,EAAE,MAAqB,EAAE,UAAkB,EAAE,WAA4D,EAAA;IAC7P,IAAI,cAAc,GAAW,CAAC;IAC9B,IAAI,sBAAsB,GAAY,EAAE;IACxC,MAAM,cAAc,GAAmB,EAAE;AAEzC,IAAA,MAAM,UAAU,GAA8B,WAAW,CAAC,GAAG,EAAE,OAAO,IAAIA,4BAAW,CAAC,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAEC,wBAAW,CAAC,OAAO,EAAE,WAAW,CAAC,OAAO,GAAGA,wBAAW,CAAC,OAAO,CAAC,EAAE,WAAW,CAAC,cAAc,EAAE,KAAK,CAAC;AAC5N,IAAA,MAAM,QAAQ,GAA8B,WAAW,CAAC,GAAG,EAAE,KAAK,IAAID,4BAAW,CAAC,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAEC,wBAAW,CAAC,KAAK,EAAE,WAAW,CAAC,OAAO,GAAGA,wBAAW,CAAC,KAAK,CAAC,EAAE,WAAW,CAAC,cAAc,EAAE,KAAK,CAAC;AACpN,IAAA,MAAM,OAAO,GAA8B,WAAW,CAAC,GAAG,EAAE,IAAI,IAAID,4BAAW,CAAC,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAEC,wBAAW,CAAC,IAAI,EAAE,WAAW,CAAC,OAAO,GAAGA,wBAAW,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,cAAc,EAAE,KAAK,CAAC;IAEhN,IAAI,UAAU,EAAE;QACf,sBAAsB,GAAGC,qBAAc,CAAC,sBAAsB,EAAEC,oCAAe,CAAC,KAAK,EAAE,cAAc,CAAC;AACtG,QAAA,cAAc,CAAC,IAAI,CAAC,UAAU,CAAC;AAC/B,QAAA,cAAc,EAAE;IACjB;IAEA,IAAI,QAAQ,EAAE;QACb,sBAAsB,GAAGD,qBAAc,CAAC,sBAAsB,EAAEC,oCAAe,CAAC,KAAK,EAAE,cAAc,CAAC;AACtG,QAAA,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC;AAC7B,QAAA,cAAc,EAAE;IACjB;IAEA,IAAI,OAAO,EAAE;QACZ,sBAAsB,GAAGD,qBAAc,CAAC,sBAAsB,EAAEC,oCAAe,CAAC,IAAI,EAAE,cAAc,CAAC;AACrG,QAAA,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC;AAC5B,QAAA,cAAc,EAAE;IACjB;IAEA,sBAAsB,GAAGD,qBAAc,CAAC,sBAAsB,EAAEC,oCAAe,CAAC,OAAO,EAAE,cAAc,CAAC;AACxG,IAAA,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC;AAC3B,IAAA,cAAc,EAAE;IAEhB,sBAAsB,GAAGD,qBAAc,CAAC,sBAAsB,EAAEC,oCAAe,CAAC,EAAE,EAAE,cAAc,CAAC;AACnG,IAAA,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC;AAC3B,IAAA,cAAc,EAAE;IAEhB,sBAAsB,GAAGD,qBAAc,CAAC,sBAAsB,EAAEC,oCAAe,CAAC,OAAO,EAAE,cAAc,CAAC;AACxG,IAAA,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC;AAC3B,IAAA,cAAc,EAAE;IAEhB,OAAO,CAAC,cAAc,CAACC,6BAAmB,EAAE,sBAAsB,EAAE,MAAM,EAAE,UAAU,CAAC;IACvF,OAAO,CAAC,cAAc,CAACC,6BAAmB,EAAE,cAAc,EAAE,eAAe,EAAE,UAAU,CAAC;AACzF;;;;"}

package/dist/cjs/utility/authorization/decision/apply-result.utility.d.ts

@@ -0,0 +1,12 @@
+import type { IApiBaseEntity } from '../../../interface/api-base-entity.interface';
+import type { IApiAuthorizationDecision } from '../../../interface/authorization/index';
+import type { TApiAuthorizationRuleTransformPayload } from '../../../type/class/api/authorization/rule/transform-payload.type';
+/**
+ * Applies decision result transforms sequentially to a response payload.
+ * @template E - Entity type
+ * @template R - Result payload type
+ * @param {IApiAuthorizationDecision<E, R> | undefined} decision - Evaluated decision.
+ * @param {R} result - Result to transform.
+ * @returns {Promise<R>} Transformed payload.
+ */
+export declare function AuthorizationDecisionApplyResult<E extends IApiBaseEntity, R extends TApiAuthorizationRuleTransformPayload<E>>(decision: IApiAuthorizationDecision<E, R> | undefined, result: R): Promise<R>;

package/dist/cjs/utility/authorization/decision/apply-result.utility.js

@@ -0,0 +1,27 @@
+'use strict';
+
+/**
+ * Applies decision result transforms sequentially to a response payload.
+ * @template E - Entity type
+ * @template R - Result payload type
+ * @param {IApiAuthorizationDecision<E, R> | undefined} decision - Evaluated decision.
+ * @param {R} result - Result to transform.
+ * @returns {Promise<R>} Transformed payload.
+ */
+async function AuthorizationDecisionApplyResult(decision, result) {
+    if (!decision?.transforms.length) {
+        return result;
+    }
+    let transformedResult = result;
+    const context = {
+        resource: decision.resource,
+        subject: decision.subject,
+    };
+    for (const transform of decision.transforms) {
+        transformedResult = await transform(transformedResult, context);
+    }
+    return transformedResult;
+}
+
+exports.AuthorizationDecisionApplyResult = AuthorizationDecisionApplyResult;
+//# sourceMappingURL=apply-result.utility.js.map

package/dist/cjs/utility/authorization/decision/apply-result.utility.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"apply-result.utility.js","sources":["../../../../../../src/utility/authorization/decision/apply-result.utility.ts"],"sourcesContent":[null],"names":[],"mappings":";;AAKA;;;;;;;AAOG;AACI,eAAe,gCAAgC,CAA+E,QAAqD,EAAE,MAAS,EAAA;AACpM,IAAA,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,MAAM,EAAE;AACjC,QAAA,OAAO,MAAM;IACd;IAEA,IAAI,iBAAiB,GAAM,MAAM;AAEjC,IAAA,MAAM,OAAO,GAAoC;QAChD,QAAQ,EAAE,QAAQ,CAAC,QAAQ;QAC3B,OAAO,EAAE,QAAQ,CAAC,OAAO;KACzB;AAED,IAAA,KAAK,MAAM,SAAS,IAAI,QAAQ,CAAC,UAAU,EAAE;QAC5C,iBAAiB,GAAG,MAAM,SAAS,CAAC,iBAAiB,EAAE,OAAO,CAAC;IAChE;AAEA,IAAA,OAAO,iBAAiB;AACzB;;;;"}

package/dist/cjs/utility/authorization/decision/attach-resource.utility.d.ts

@@ -0,0 +1,11 @@
+import type { IApiBaseEntity } from '../../../interface/api-base-entity.interface';
+import type { IApiAuthorizationDecision } from '../../../interface/authorization/index';
+/**
+ * Mutates authorization decision to include the resolved entity resource.
+ * @template E - Entity type
+ * @template R - Result payload type
+ * @param {IApiAuthorizationDecision<E, R> | undefined} decision - Decision to enrich.
+ * @param {E | undefined} resource - Entity instance to attach.
+ * @returns {IApiAuthorizationDecision<E, R> | undefined} Updated decision reference.
+ */
+export declare function AuthorizationDecisionAttachResource<E extends IApiBaseEntity, R>(decision: IApiAuthorizationDecision<E, R> | undefined, resource: E | undefined): IApiAuthorizationDecision<E, R> | undefined;

package/dist/cjs/utility/authorization/decision/attach-resource.utility.js

@@ -0,0 +1,20 @@
+'use strict';
+
+/**
+ * Mutates authorization decision to include the resolved entity resource.
+ * @template E - Entity type
+ * @template R - Result payload type
+ * @param {IApiAuthorizationDecision<E, R> | undefined} decision - Decision to enrich.
+ * @param {E | undefined} resource - Entity instance to attach.
+ * @returns {IApiAuthorizationDecision<E, R> | undefined} Updated decision reference.
+ */
+function AuthorizationDecisionAttachResource(decision, resource) {
+    if (!decision || resource === undefined) {
+        return decision;
+    }
+    decision.resource = resource;
+    return decision;
+}
+
+exports.AuthorizationDecisionAttachResource = AuthorizationDecisionAttachResource;
+//# sourceMappingURL=attach-resource.utility.js.map

package/dist/cjs/utility/authorization/decision/attach-resource.utility.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"attach-resource.utility.js","sources":["../../../../../../src/utility/authorization/decision/attach-resource.utility.ts"],"sourcesContent":[null],"names":[],"mappings":";;AAGA;;;;;;;AAOG;AACG,SAAU,mCAAmC,CAA8B,QAAqD,EAAE,QAAuB,EAAA;AAC9J,IAAA,IAAI,CAAC,QAAQ,IAAI,QAAQ,KAAK,SAAS,EAAE;AACxC,QAAA,OAAO,QAAQ;IAChB;AAEA,IAAA,QAAQ,CAAC,QAAQ,GAAG,QAAQ;AAE5B,IAAA,OAAO,QAAQ;AAChB;;;;"}

package/dist/cjs/utility/authorization/decision/index.d.ts

@@ -0,0 +1,3 @@
+export { AuthorizationDecisionApplyResult } from './apply-result.utility';
+export { AuthorizationDecisionAttachResource } from './attach-resource.utility';
+export { AuthorizationDecisionResolveFromRequest } from './resolve-from-request.utility';

package/dist/cjs/utility/authorization/decision/resolve-from-request.utility.d.ts

@@ -0,0 +1,12 @@
+import type { IApiAuthenticationRequest } from '../../../interface/api-authentication-request.interface';
+import type { IApiBaseEntity } from '../../../interface/api-base-entity.interface';
+import type { IApiAuthorizationDecision } from '../../../interface/authorization/decision.interface';
+import type { TApiAuthorizationRuleTransformPayload } from '../../../type/class/api/authorization/rule/transform-payload.type';
+/**
+ * Extracts an authorization decision from the authentication request metadata stored on the HTTP request.
+ * @template E - Entity type
+ * @template R - Result payload type
+ * @param {IApiAuthenticationRequest} [authenticationRequest] - Request object bound to the route handler.
+ * @returns {IApiAuthorizationDecision<E, R> | undefined} Authorization decision if present.
+ */
+export declare function AuthorizationDecisionResolveFromRequest<E extends IApiBaseEntity, R extends TApiAuthorizationRuleTransformPayload<E> = TApiAuthorizationRuleTransformPayload<E>>(authenticationRequest?: IApiAuthenticationRequest): IApiAuthorizationDecision<E, R> | undefined;

package/dist/cjs/utility/authorization/decision/resolve-from-request.utility.js

@@ -0,0 +1,22 @@
+'use strict';
+
+var decision_constant = require('../../../constant/authorization/metadata/decision.constant.js');
+
+/**
+ * Extracts an authorization decision from the authentication request metadata stored on the HTTP request.
+ * @template E - Entity type
+ * @template R - Result payload type
+ * @param {IApiAuthenticationRequest} [authenticationRequest] - Request object bound to the route handler.
+ * @returns {IApiAuthorizationDecision<E, R> | undefined} Authorization decision if present.
+ */
+function AuthorizationDecisionResolveFromRequest(authenticationRequest) {
+    if (!authenticationRequest) {
+        return undefined;
+    }
+    const requestRecord = authenticationRequest;
+    const decision = requestRecord[decision_constant.AUTHORIZATION_DECISION_METADATA_CONSTANT.REQUEST_KEY] ?? requestRecord.authorizationDecision;
+    return decision;
+}
+
+exports.AuthorizationDecisionResolveFromRequest = AuthorizationDecisionResolveFromRequest;
+//# sourceMappingURL=resolve-from-request.utility.js.map

package/dist/cjs/utility/authorization/decision/resolve-from-request.utility.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve-from-request.utility.js","sources":["../../../../../../src/utility/authorization/decision/resolve-from-request.utility.ts"],"sourcesContent":[null],"names":["AUTHORIZATION_DECISION_METADATA_CONSTANT"],"mappings":";;;;AAOA;;;;;;AAMG;AACG,SAAU,uCAAuC,CAA0H,qBAAiD,EAAA;IACjO,IAAI,CAAC,qBAAqB,EAAE;AAC3B,QAAA,OAAO,SAAS;IACjB;IAEA,MAAM,aAAa,GAA4B,qBAA2D;AAC1G,IAAA,MAAM,QAAQ,GAAY,aAAa,CAACA,0DAAwC,CAAC,WAAW,CAAC,IAAI,aAAa,CAAC,qBAAqB;AAEpI,IAAA,OAAO,QAAuD;AAC/D;;;;"}

package/dist/cjs/utility/authorization/index.d.ts

@@ -0,0 +1,3 @@
+export * from './decision/index';
+export * from './scope/index';
+export * from './subject/index';

package/dist/cjs/utility/authorization/scope/index.d.ts

@@ -0,0 +1 @@
+export * from './merge/index';

package/dist/cjs/utility/authorization/scope/merge/index.d.ts

@@ -0,0 +1 @@
+export { AuthorizationScopeMergeWhere } from './where.utility';

package/dist/cjs/utility/authorization/scope/merge/where.utility.d.ts

@@ -0,0 +1,10 @@
+import type { IApiBaseEntity } from '../../../../interface/api-base-entity.interface';
+import type { TApiAuthorizationScopeWhere } from '../../../../type/class/api/authorization/scope-where.type';
+/**
+ * Merges two WHERE expressions by building a Cartesian product of OR branches.
+ * @template E - Entity type
+ * @param {TApiAuthorizationScopeWhere<E>} baseWhere - Existing filter.
+ * @param {TApiAuthorizationScopeWhere<E>} scopedWhere - Additional scope filter.
+ * @returns {TApiAuthorizationScopeWhere<E>} Combined filter.
+ */
+export declare function AuthorizationScopeMergeWhere<E extends IApiBaseEntity>(baseWhere: TApiAuthorizationScopeWhere<E>, scopedWhere: TApiAuthorizationScopeWhere<E>): TApiAuthorizationScopeWhere<E>;

package/dist/cjs/utility/authorization/scope/merge/where.utility.js

@@ -0,0 +1,32 @@
+'use strict';
+
+/**
+ * Merges two WHERE expressions by building a Cartesian product of OR branches.
+ * @template E - Entity type
+ * @param {TApiAuthorizationScopeWhere<E>} baseWhere - Existing filter.
+ * @param {TApiAuthorizationScopeWhere<E>} scopedWhere - Additional scope filter.
+ * @returns {TApiAuthorizationScopeWhere<E>} Combined filter.
+ */
+function AuthorizationScopeMergeWhere(baseWhere, scopedWhere) {
+    if (!baseWhere) {
+        return scopedWhere;
+    }
+    if (!scopedWhere) {
+        return baseWhere;
+    }
+    const baseVariants = Array.isArray(baseWhere) ? baseWhere : [baseWhere];
+    const scopedVariants = Array.isArray(scopedWhere) ? scopedWhere : [scopedWhere];
+    const mergedVariants = [];
+    for (const baseVariant of baseVariants) {
+        for (const scopedVariant of scopedVariants) {
+            mergedVariants.push({
+                ...baseVariant,
+                ...scopedVariant,
+            });
+        }
+    }
+    return mergedVariants.length === 1 ? mergedVariants[0] : mergedVariants;
+}
+
+exports.AuthorizationScopeMergeWhere = AuthorizationScopeMergeWhere;
+//# sourceMappingURL=where.utility.js.map

package/dist/cjs/utility/authorization/scope/merge/where.utility.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"where.utility.js","sources":["../../../../../../../src/utility/authorization/scope/merge/where.utility.ts"],"sourcesContent":[null],"names":[],"mappings":";;AAIA;;;;;;AAMG;AACG,SAAU,4BAA4B,CAA2B,SAAyC,EAAE,WAA2C,EAAA;IAC5J,IAAI,CAAC,SAAS,EAAE;AACf,QAAA,OAAO,WAAW;IACnB;IAEA,IAAI,CAAC,WAAW,EAAE;AACjB,QAAA,OAAO,SAAS;IACjB;AAEA,IAAA,MAAM,YAAY,GAA+B,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,SAAS,GAAG,CAAC,SAAS,CAAC;AACnG,IAAA,MAAM,cAAc,GAA+B,KAAK,CAAC,OAAO,CAAC,WAAW,CAAC,GAAG,WAAW,GAAG,CAAC,WAAW,CAAC;IAC3G,MAAM,cAAc,GAA+B,EAAE;AAErD,IAAA,KAAK,MAAM,WAAW,IAAI,YAAY,EAAE;AACvC,QAAA,KAAK,MAAM,aAAa,IAAI,cAAc,EAAE;YAC3C,cAAc,CAAC,IAAI,CAAC;AACnB,gBAAA,GAAG,WAAW;AACd,gBAAA,GAAG,aAAa;AAChB,aAAA,CAAC;QACH;IACD;AAEA,IAAA,OAAO,cAAc,CAAC,MAAM,KAAK,CAAC,GAAG,cAAc,CAAC,CAAC,CAAC,GAAG,cAAc;AACxE;;;;"}

package/dist/cjs/utility/authorization/subject/index.d.ts

@@ -0,0 +1 @@
+export { AuthorizationResolveDefaultSubject } from './resolve-default-subject.utility';

package/dist/cjs/utility/authorization/subject/resolve-default-subject.utility.d.ts

@@ -0,0 +1,7 @@
+import type { IApiAuthorizationSubject } from '../../../interface/authorization/subject.interface';
+/**
+ * Resolves a subject from request.user with smart fallbacks.
+ * @param {unknown} user - Request user payload.
+ * @returns {IApiAuthorizationSubject} Normalized authorization subject.
+ */
+export declare function AuthorizationResolveDefaultSubject(user: unknown): IApiAuthorizationSubject;

package/dist/cjs/utility/authorization/subject/resolve-default-subject.utility.js

@@ -0,0 +1,52 @@
+'use strict';
+
+/**
+ * Resolves a subject from request.user with smart fallbacks.
+ * @param {unknown} user - Request user payload.
+ * @returns {IApiAuthorizationSubject} Normalized authorization subject.
+ */
+function AuthorizationResolveDefaultSubject(user) {
+    const baseSubject = {
+        attributes: {},
+        id: "anonymous",
+        permissions: [],
+        roles: [],
+    };
+    if (!user || typeof user !== "object") {
+        return baseSubject;
+    }
+    const record = user;
+    const idFields = ["id", "uuid", "email"];
+    for (const field of idFields) {
+        const value = record[field];
+        if (typeof value === "string" && value.length > 0) {
+            baseSubject.id = value;
+            break;
+        }
+    }
+    baseSubject.roles = resolveStringArray(record, ["roles", "role"]);
+    baseSubject.permissions = resolveStringArray(record, ["permissions", "permission"]);
+    baseSubject.attributes = record;
+    return baseSubject;
+}
+/**
+ * Resolves the first string array found in the provided record for the given field candidates.
+ * @param {Record<string, unknown>} record - Object containing candidate fields.
+ * @param {Array<string>} fields - Candidate field names to inspect in order.
+ * @returns {Array<string>} Normalized array of string values.
+ */
+function resolveStringArray(record, fields) {
+    for (const field of fields) {
+        const value = record[field];
+        if (typeof value === "string") {
+            return [value];
+        }
+        if (Array.isArray(value)) {
+            return value.filter((item) => typeof item === "string");
+        }
+    }
+    return [];
+}
+
+exports.AuthorizationResolveDefaultSubject = AuthorizationResolveDefaultSubject;
+//# sourceMappingURL=resolve-default-subject.utility.js.map

package/dist/cjs/utility/authorization/subject/resolve-default-subject.utility.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve-default-subject.utility.js","sources":["../../../../../../src/utility/authorization/subject/resolve-default-subject.utility.ts"],"sourcesContent":[null],"names":[],"mappings":";;AAEA;;;;AAIG;AACG,SAAU,kCAAkC,CAAC,IAAa,EAAA;AAC/D,IAAA,MAAM,WAAW,GAA6B;AAC7C,QAAA,UAAU,EAAE,EAAE;AACd,QAAA,EAAE,EAAE,WAAW;AACf,QAAA,WAAW,EAAE,EAAE;AACf,QAAA,KAAK,EAAE,EAAE;KACT;IAED,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE;AACtC,QAAA,OAAO,WAAW;IACnB;IAEA,MAAM,MAAM,GAA4B,IAA+B;IACvE,MAAM,QAAQ,GAAkB,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC;AAEvD,IAAA,KAAK,MAAM,KAAK,IAAI,QAAQ,EAAE;AAC7B,QAAA,MAAM,KAAK,GAAY,MAAM,CAAC,KAAK,CAAC;QAEpC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE;AAClD,YAAA,WAAW,CAAC,EAAE,GAAG,KAAK;YAEtB;QACD;IACD;AAEA,IAAA,WAAW,CAAC,KAAK,GAAG,kBAAkB,CAAC,MAAM,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;AACjE,IAAA,WAAW,CAAC,WAAW,GAAG,kBAAkB,CAAC,MAAM,EAAE,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;AACnF,IAAA,WAAW,CAAC,UAAU,GAAG,MAAM;AAE/B,IAAA,OAAO,WAAW;AACnB;AAEA;;;;;AAKG;AACH,SAAS,kBAAkB,CAAC,MAA+B,EAAE,MAAqB,EAAA;AACjF,IAAA,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE;AAC3B,QAAA,MAAM,KAAK,GAAY,MAAM,CAAC,KAAK,CAAC;AAEpC,QAAA,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE;YAC9B,OAAO,CAAC,KAAK,CAAC;QACf;AAEA,QAAA,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE;AACzB,YAAA,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,IAAa,KAAqB,OAAO,IAAI,KAAK,QAAQ,CAAC;QACjF;IACD;AAEA,IAAA,OAAO,EAAE;AACV;;;;"}

package/dist/cjs/utility/index.d.ts

@@ -1,4 +1,5 @@
 export * from './api/index';
+export * from './authorization/index';
 export { CamelCaseString } from './camel-case-string.utility';
 export { CapitalizeString } from './capitalize-string.utility';
 export * from './dto/index';

package/dist/esm/class/api/authorization/engine.class.d.ts

@@ -0,0 +1,8 @@
+import { IApiBaseEntity } from '../../../interface/api-base-entity.interface';
+import { IApiAuthorizationDecision, IApiAuthorizationEngine, IApiAuthorizationEngineEvaluateOptions } from '../../../interface/authorization/index';
+export declare class ApiAuthorizationEngine implements IApiAuthorizationEngine<IApiBaseEntity> {
+    evaluate<E extends IApiBaseEntity, R>(options: IApiAuthorizationEngineEvaluateOptions<E, R>): Promise<IApiAuthorizationDecision<E, R>>;
+    private buildDecision;
+    private evaluateCondition;
+    private mergeScope;
+}

package/dist/esm/class/api/authorization/engine.class.js

@@ -0,0 +1,92 @@
+import { __decorate } from '../../../external/tslib/tslib.es6.js';
+import { EAuthorizationEffect } from '../../../enum/authorization/effect.enum.js';
+import { Injectable } from '@nestjs/common';
+import { AuthorizationScopeMergeWhere } from '../../../utility/authorization/scope/merge/where.utility.js';
+
+let ApiAuthorizationEngine = class ApiAuthorizationEngine {
+    async evaluate(options) {
+        const context = {
+            resource: options.resource,
+            subject: options.subject,
+        };
+        const matchedRules = [];
+        let scope;
+        const transforms = [];
+        for (const rule of options.policy.rules) {
+            const isConditionPassed = await this.evaluateCondition(rule, context);
+            if (!isConditionPassed) {
+                continue;
+            }
+            if (rule.effect === EAuthorizationEffect.DENY) {
+                return this.buildDecision(options, {
+                    appliedRules: [rule],
+                    effect: EAuthorizationEffect.DENY,
+                    scope: undefined,
+                    transforms: [],
+                });
+            }
+            matchedRules.push(rule);
+            scope = await this.mergeScope(scope, rule, context);
+            if (rule.resultTransform) {
+                transforms.push(rule.resultTransform);
+            }
+        }
+        if (matchedRules.length === 0) {
+            return this.buildDecision(options, {
+                appliedRules: [],
+                effect: EAuthorizationEffect.DENY,
+                scope: undefined,
+                transforms: [],
+            });
+        }
+        return this.buildDecision(options, {
+            appliedRules: matchedRules,
+            effect: EAuthorizationEffect.ALLOW,
+            scope,
+            transforms,
+        });
+    }
+    buildDecision(options, payload) {
+        return {
+            action: options.action,
+            appliedRules: payload.appliedRules,
+            effect: payload.effect,
+            policyId: options.policy.policyId,
+            resource: options.resource,
+            resourceType: options.policy.entity.name ?? "UnknownResource",
+            scope: payload.scope,
+            subject: options.subject,
+            transforms: payload.transforms,
+        };
+    }
+    async evaluateCondition(rule, context) {
+        if (!rule.condition) {
+            return true;
+        }
+        const result = await rule.condition(context);
+        return result === true;
+    }
+    async mergeScope(currentScope, rule, context) {
+        if (!rule.scope) {
+            return currentScope;
+        }
+        const scopePatch = await rule.scope(context);
+        if (!scopePatch) {
+            return currentScope;
+        }
+        if (!currentScope) {
+            return scopePatch;
+        }
+        return {
+            ...currentScope,
+            ...scopePatch,
+            where: AuthorizationScopeMergeWhere(currentScope.where, scopePatch.where),
+        };
+    }
+};
+ApiAuthorizationEngine = __decorate([
+    Injectable()
+], ApiAuthorizationEngine);
+
+export { ApiAuthorizationEngine };
+//# sourceMappingURL=engine.class.js.map

package/dist/esm/class/api/authorization/engine.class.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.class.js","sources":["../../../../../../src/class/api/authorization/engine.class.ts"],"sourcesContent":[null],"names":[],"mappings":";;;;;AAWO,IAAM,sBAAsB,GAA5B,MAAM,sBAAsB,CAAA;IAC3B,MAAM,QAAQ,CAA8B,OAAqD,EAAA;AACvG,QAAA,MAAM,OAAO,GAAoC;YAChD,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,OAAO,EAAE,OAAO,CAAC,OAAO;SACxB;QAED,MAAM,YAAY,GAAuC,EAAE;AAC3D,QAAA,IAAI,KAA4C;QAChD,MAAM,UAAU,GAAuE,EAAE;QAEzF,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE;YACxC,MAAM,iBAAiB,GAAY,MAAM,IAAI,CAAC,iBAAiB,CAAC,IAAI,EAAE,OAAO,CAAC;YAE9E,IAAI,CAAC,iBAAiB,EAAE;gBACvB;YACD;YAEA,IAAI,IAAI,CAAC,MAAM,KAAK,oBAAoB,CAAC,IAAI,EAAE;AAC9C,gBAAA,OAAO,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE;oBAClC,YAAY,EAAE,CAAC,IAAI,CAAC;oBACpB,MAAM,EAAE,oBAAoB,CAAC,IAAI;AACjC,oBAAA,KAAK,EAAE,SAAS;AAChB,oBAAA,UAAU,EAAE,EAAE;AACd,iBAAA,CAAC;YACH;AAEA,YAAA,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC;AACvB,YAAA,KAAK,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,IAAI,EAAE,OAAO,CAAC;AAEnD,YAAA,IAAI,IAAI,CAAC,eAAe,EAAE;AACzB,gBAAA,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC;YACtC;QACD;AAEA,QAAA,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE;AAC9B,YAAA,OAAO,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE;AAClC,gBAAA,YAAY,EAAE,EAAE;gBAChB,MAAM,EAAE,oBAAoB,CAAC,IAAI;AACjC,gBAAA,KAAK,EAAE,SAAS;AAChB,gBAAA,UAAU,EAAE,EAAE;AACd,aAAA,CAAC;QACH;AAEA,QAAA,OAAO,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE;AAClC,YAAA,YAAY,EAAE,YAAY;YAC1B,MAAM,EAAE,oBAAoB,CAAC,KAAK;YAClC,KAAK;YACL,UAAU;AACV,SAAA,CAAC;IACH;IAEQ,aAAa,CACpB,OAAqD,EACrD,OAKC,EAAA;QAED,OAAO;YACN,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,MAAM,EAAE,OAAO,CAAC,MAAM;AACtB,YAAA,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,QAAQ;YACjC,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,YAAY,EAAE,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,IAAI,iBAAiB;YAC7D,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,UAAU,EAAE,OAAO,CAAC,UAAU;SAC9B;IACF;AAEQ,IAAA,MAAM,iBAAiB,CAA8B,IAAiC,EAAE,OAAwC,EAAA;AACvI,QAAA,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE;AACpB,YAAA,OAAO,IAAI;QACZ;QAEA,MAAM,MAAM,GAAY,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;QAErD,OAAO,MAAM,KAAK,IAAI;IACvB;AAEQ,IAAA,MAAM,UAAU,CAA8B,YAAmD,EAAE,IAAiC,EAAE,OAAwC,EAAA;AACrL,QAAA,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE;AAChB,YAAA,OAAO,YAAY;QACpB;QAEA,MAAM,UAAU,GAA0C,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC;QAEnF,IAAI,CAAC,UAAU,EAAE;AAChB,YAAA,OAAO,YAAY;QACpB;QAEA,IAAI,CAAC,YAAY,EAAE;AAClB,YAAA,OAAO,UAAU;QAClB;QAEA,OAAO;AACN,YAAA,GAAG,YAAY;AACf,YAAA,GAAG,UAAU;YACb,KAAK,EAAE,4BAA4B,CAAC,YAAY,CAAC,KAAK,EAAE,UAAU,CAAC,KAAK,CAAC;SACzE;IACF;;AAxGY,sBAAsB,GAAA,UAAA,CAAA;AADlC,IAAA,UAAU;AACE,CAAA,EAAA,sBAAsB,CAyGlC;;;;"}

package/dist/esm/class/api/authorization/guard.class.d.ts

@@ -0,0 +1,13 @@
+import type { IApiAuthorizationPolicyRegistry } from '../../../interface/authorization/policy/registry.interface';
+import { ApiAuthorizationEngine } from './engine.class';
+import { CanActivate, ExecutionContext } from "@nestjs/common";
+export declare class ApiAuthorizationGuard implements CanActivate {
+    private readonly policyRegistry;
+    private readonly authorizationEngine;
+    constructor(policyRegistry: IApiAuthorizationPolicyRegistry, authorizationEngine: ApiAuthorizationEngine);
+    canActivate(context: ExecutionContext): Promise<boolean>;
+    private attachDecisionToRequest;
+    private isControllerSecurable;
+    private resolveAction;
+    private resolveEntityConstructor;
+}

package/dist/esm/class/api/authorization/guard.class.js

@@ -0,0 +1,79 @@
+import { __decorate, __param, __metadata } from '../../../external/tslib/tslib.es6.js';
+import { ApiAuthorizationEngine } from './engine.class.js';
+import { AUTHORIZATION_DECISION_METADATA_CONSTANT } from '../../../constant/authorization/metadata/decision.constant.js';
+import { AUTHORIZATION_POLICY_REGISTRY_TOKEN } from '../../../constant/authorization/token/registry.constant.js';
+import { CONTROLLER_API_DECORATOR_CONSTANT } from '../../../constant/decorator/api/controller.constant.js';
+import { EAuthorizationEffect } from '../../../enum/authorization/effect.enum.js';
+import { Injectable, Inject, ForbiddenException } from '@nestjs/common';
+import { AuthorizationResolveDefaultSubject } from '../../../utility/authorization/subject/resolve-default-subject.utility.js';
+import { LoggerUtility } from '../../../utility/logger.utility.js';
+
+const authorizationGuardLogger = LoggerUtility.getLogger("ApiAuthorizationGuard");
+let ApiAuthorizationGuard = class ApiAuthorizationGuard {
+    policyRegistry;
+    authorizationEngine;
+    constructor(policyRegistry, authorizationEngine) {
+        this.policyRegistry = policyRegistry;
+        this.authorizationEngine = authorizationEngine;
+    }
+    async canActivate(context) {
+        if (!this.isControllerSecurable(context)) {
+            authorizationGuardLogger.debug("Controller is not marked as @ApiControllerSecurable, skipping authorization");
+            return true;
+        }
+        const entityConstructor = this.resolveEntityConstructor(context);
+        if (!entityConstructor) {
+            authorizationGuardLogger.debug("No entity constructor found in controller metadata, skipping authorization");
+            return true;
+        }
+        const action = this.resolveAction(context);
+        authorizationGuardLogger.verbose(`Evaluating authorization for entity "${entityConstructor.name}" action "${action}"`);
+        const policy = await this.policyRegistry.buildAggregatedPolicy(entityConstructor, action);
+        if (!policy) {
+            authorizationGuardLogger.debug(`No policy found for entity "${entityConstructor.name}" action "${action}", allowing access`);
+            return true;
+        }
+        authorizationGuardLogger.verbose(`Found policy "${policy.policyId}" with ${policy.rules.length} rules for entity "${entityConstructor.name}" action "${action}"`);
+        const request = context.switchToHttp().getRequest();
+        const subject = AuthorizationResolveDefaultSubject(request.user);
+        const decision = await this.authorizationEngine.evaluate({
+            action,
+            policy,
+            resource: undefined,
+            subject,
+        });
+        this.attachDecisionToRequest(request, decision);
+        if (decision.effect === EAuthorizationEffect.DENY) {
+            authorizationGuardLogger.warn(`Access denied for entity "${entityConstructor.name}" action "${action}" subject "${subject.id}"`);
+            throw new ForbiddenException("Access denied");
+        }
+        authorizationGuardLogger.verbose(`Access granted for entity "${entityConstructor.name}" action "${action}" subject "${subject.id}"`);
+        return true;
+    }
+    attachDecisionToRequest(request, decision) {
+        request.authorizationDecision = decision;
+        request[AUTHORIZATION_DECISION_METADATA_CONSTANT.REQUEST_KEY] = decision;
+    }
+    isControllerSecurable(context) {
+        return Boolean(Reflect.getMetadata(CONTROLLER_API_DECORATOR_CONSTANT.SECURABLE_METADATA_KEY, context.getClass()));
+    }
+    resolveAction(context) {
+        const handlerName = context.getHandler().name;
+        const prefix = CONTROLLER_API_DECORATOR_CONSTANT.RESERVED_METHOD_PREFIX ?? "";
+        if (handlerName.startsWith(prefix)) {
+            return handlerName.slice(prefix.length);
+        }
+        return handlerName;
+    }
+    resolveEntityConstructor(context) {
+        return Reflect.getMetadata(CONTROLLER_API_DECORATOR_CONSTANT.ENTITY_METADATA_KEY, context.getClass());
+    }
+};
+ApiAuthorizationGuard = __decorate([
+    Injectable(),
+    __param(0, Inject(AUTHORIZATION_POLICY_REGISTRY_TOKEN)),
+    __metadata("design:paramtypes", [Object, ApiAuthorizationEngine])
+], ApiAuthorizationGuard);
+
+export { ApiAuthorizationGuard };
+//# sourceMappingURL=guard.class.js.map

package/dist/esm/class/api/authorization/guard.class.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"guard.class.js","sources":["../../../../../../src/class/api/authorization/guard.class.ts"],"sourcesContent":[null],"names":[],"mappings":";;;;;;;;;;AAiBA,MAAM,wBAAwB,GAAkB,aAAa,CAAC,SAAS,CAAC,uBAAuB,CAAC;AAGzF,IAAM,qBAAqB,GAA3B,MAAM,qBAAqB,CAAA;AAE8B,IAAA,cAAA;AAC7C,IAAA,mBAAA;IAFlB,WAAA,CAC+D,cAA+C,EAC5F,mBAA2C,EAAA;QADE,IAAA,CAAA,cAAc,GAAd,cAAc;QAC3D,IAAA,CAAA,mBAAmB,GAAnB,mBAAmB;IAClC;IAEI,MAAM,WAAW,CAAC,OAAyB,EAAA;QACjD,IAAI,CAAC,IAAI,CAAC,qBAAqB,CAAC,OAAO,CAAC,EAAE;AACzC,YAAA,wBAAwB,CAAC,KAAK,CAAC,6EAA6E,CAAC;AAE7G,YAAA,OAAO,IAAI;QACZ;QAEA,MAAM,iBAAiB,GAA2C,IAAI,CAAC,wBAAwB,CAAC,OAAO,CAAC;QAExG,IAAI,CAAC,iBAAiB,EAAE;AACvB,YAAA,wBAAwB,CAAC,KAAK,CAAC,4EAA4E,CAAC;AAE5G,YAAA,OAAO,IAAI;QACZ;QAEA,MAAM,MAAM,GAAW,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC;QAClD,wBAAwB,CAAC,OAAO,CAAC,CAAA,qCAAA,EAAwC,iBAAiB,CAAC,IAAI,CAAA,UAAA,EAAa,MAAM,CAAA,CAAA,CAAG,CAAC;AAEtH,QAAA,MAAM,MAAM,GAA+G,MAAM,IAAI,CAAC,cAAc,CAAC,qBAAqB,CAAC,iBAAiB,EAAE,MAAM,CAAC;QAErM,IAAI,CAAC,MAAM,EAAE;YACZ,wBAAwB,CAAC,KAAK,CAAC,CAAA,4BAAA,EAA+B,iBAAiB,CAAC,IAAI,CAAA,UAAA,EAAa,MAAM,CAAA,kBAAA,CAAoB,CAAC;AAE5H,YAAA,OAAO,IAAI;QACZ;QAEA,wBAAwB,CAAC,OAAO,CAAC,CAAA,cAAA,EAAiB,MAAM,CAAC,QAAQ,UAAU,MAAM,CAAC,KAAK,CAAC,MAAM,sBAAsB,iBAAiB,CAAC,IAAI,CAAA,UAAA,EAAa,MAAM,CAAA,CAAA,CAAG,CAAC;QAEjK,MAAM,OAAO,GAAkC,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAiC;QACjH,MAAM,OAAO,GAA6B,kCAAkC,CAAC,OAAO,CAAC,IAAI,CAAC;QAE1F,MAAM,QAAQ,GAAqG,MAAM,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC;YAC1J,MAAM;YACN,MAAM;AACN,YAAA,QAAQ,EAAE,SAAS;YACnB,OAAO;AACP,SAAA,CAAC;AAEF,QAAA,IAAI,CAAC,uBAAuB,CAAC,OAAO,EAAE,QAAQ,CAAC;QAE/C,IAAI,QAAQ,CAAC,MAAM,KAAK,oBAAoB,CAAC,IAAI,EAAE;AAClD,YAAA,wBAAwB,CAAC,IAAI,CAAC,CAAA,0BAAA,EAA6B,iBAAiB,CAAC,IAAI,CAAA,UAAA,EAAa,MAAM,cAAc,OAAO,CAAC,EAAE,CAAA,CAAA,CAAG,CAAC;AAEhI,YAAA,MAAM,IAAI,kBAAkB,CAAC,eAAe,CAAC;QAC9C;AAEA,QAAA,wBAAwB,CAAC,OAAO,CAAC,CAAA,2BAAA,EAA8B,iBAAiB,CAAC,IAAI,CAAA,UAAA,EAAa,MAAM,cAAc,OAAO,CAAC,EAAE,CAAA,CAAA,CAAG,CAAC;AAEpI,QAAA,OAAO,IAAI;IACZ;IAEQ,uBAAuB,CAAC,OAAsC,EAAE,QAA0G,EAAA;AACjL,QAAA,OAAO,CAAC,qBAAqB,GAAG,QAAQ;AACxC,QAAA,OAAO,CAAC,wCAAwC,CAAC,WAAW,CAAC,GAAG,QAAQ;IACzE;AAEQ,IAAA,qBAAqB,CAAC,OAAyB,EAAA;AACtD,QAAA,OAAO,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,iCAAiC,CAAC,sBAAsB,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IAClH;AAEQ,IAAA,aAAa,CAAC,OAAyB,EAAA;QAC9C,MAAM,WAAW,GAAW,OAAO,CAAC,UAAU,EAAE,CAAC,IAAI;AACrD,QAAA,MAAM,MAAM,GAAW,iCAAiC,CAAC,sBAAsB,IAAI,EAAE;AAErF,QAAA,IAAI,WAAW,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE;YACnC,OAAO,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC;QACxC;AAEA,QAAA,OAAO,WAAW;IACnB;AAEQ,IAAA,wBAAwB,CAAC,OAAyB,EAAA;AACzD,QAAA,OAAO,OAAO,CAAC,WAAW,CAAC,iCAAiC,CAAC,mBAAmB,EAAE,OAAO,CAAC,QAAQ,EAAE,CAA2C;IAChJ;;AA/EY,qBAAqB,GAAA,UAAA,CAAA;AADjC,IAAA,UAAU,EAAE;AAGV,IAAA,OAAA,CAAA,CAAA,EAAA,MAAM,CAAC,mCAAmC,CAAC,CAAA;6CACN,sBAAsB,CAAA;AAHjD,CAAA,EAAA,qBAAqB,CAgFjC;;;;"}

package/dist/esm/class/api/authorization/index.d.ts

@@ -0,0 +1,3 @@
+export { ApiAuthorizationEngine } from './engine.class';
+export { ApiAuthorizationGuard } from './guard.class';
+export * from './policy/index';

package/dist/esm/class/api/authorization/policy/base.class.d.ts

@@ -0,0 +1,37 @@
+import type { IApiBaseEntity } from '../../../../interface/api-base-entity.interface';
+import type { IApiAuthorizationPolicySubscriberRule } from '../../../../interface/authorization/policy/subscriber/index';
+import { ApiSubscriberBase } from '../../subscriber/base.class';
+/**
+ * Base class for all authorization policies. It mirrors ApiFunctionSubscriberBase
+ * and provides helper methods to create allow/deny rules that are later executed by the policy executor.
+ * @template E - Entity type extending IApiBaseEntity
+ */
+export declare abstract class ApiAuthorizationPolicyBase<E extends IApiBaseEntity> extends ApiSubscriberBase {
+    /**
+     * Creates an ALLOW rule with optional overrides.
+     * @param {Omit<IApiAuthorizationPolicySubscriberRule<E>, "effect">} [rule] - Rule fields to merge.
+     * @returns {IApiAuthorizationPolicySubscriberRule<E>} Allow rule.
+     */
+    protected allow<R>(rule?: Omit<IApiAuthorizationPolicySubscriberRule<E, R>, "effect">): IApiAuthorizationPolicySubscriberRule<E, R>;
+    /**
+     * Helper that creates an allow rule conditioned on the subject having at least one of the provided roles.
+     * @param {Array<string>} roles - Roles that grant access.
+     * @param {Omit<IApiAuthorizationPolicySubscriberRule<E>, "effect">} [rule] - Optional overrides.
+     * @returns {IApiAuthorizationPolicySubscriberRule<E>} Allow rule targeting the given roles.
+     */
+    protected allowForRoles<R>(roles: Array<string>, rule?: Omit<IApiAuthorizationPolicySubscriberRule<E, R>, "effect">): IApiAuthorizationPolicySubscriberRule<E, R>;
+    /**
+     * Creates a DENY rule with optional overrides.
+     * @param {Omit<IApiAuthorizationPolicySubscriberRule<E>, "effect">} [rule] - Rule fields to merge.
+     * @returns {IApiAuthorizationPolicySubscriberRule<E>} Deny rule.
+     */
+    protected deny<R>(rule?: Omit<IApiAuthorizationPolicySubscriberRule<E, R>, "effect">): IApiAuthorizationPolicySubscriberRule<E, R>;
+    /**
+     * Helper that scopes data access to the owner identified by a field.
+     * Automatically handles relations by using nested id structure.
+     * @param {keyof E} [ownerField] - Entity field used to match the subject id, defaults to ownerId.
+     * @param {Omit<IApiAuthorizationPolicySubscriberRule<E>, "effect">} [rule] - Optional overrides.
+     * @returns {IApiAuthorizationPolicySubscriberRule<E>} Allow rule with owner scope.
+     */
+    protected scopeToOwner<R>(ownerField?: keyof E, rule?: Omit<IApiAuthorizationPolicySubscriberRule<E, R>, "effect">): IApiAuthorizationPolicySubscriberRule<E, R>;
+}