@flusys/nestjs-shared 2.0.0 → 3.0.0

package/cjs/classes/api-controller.class.js

@@ -72,11 +72,11 @@ function _ts_param(paramIndex, decorator) {
             // Apply PermissionGuard to check permissions from cache
             decorators.push((0, _common.UseGuards)(_guards.JwtAuthGuard, _guards.PermissionGuard));
             decorators.push((0, _swagger.ApiBearerAuth)());
-            // Check for complex nested condition first
-            if (security.condition) {
-                decorators.push((0, _decorators.RequirePermissionCondition)(security.condition));
+            // Check for complex logic first
+            if (security.logic) {
+                decorators.push((0, _decorators.RequirePermissionLogic)(security.logic));
             } else if (security.permissions && security.permissions.length > 0) {
-                if (security.operator === 'or') {
+                if (security.operator === 'OR') {
                     decorators.push((0, _decorators.RequireAnyPermission)(...security.permissions));
                 } else {
                     // AND is default and most secure

package/cjs/decorators/require-permission.decorator.js

@@ -17,16 +17,20 @@ _export(exports, {
     },
     get RequirePermissionCondition () {
         return RequirePermissionCondition;
+    },
+    get RequirePermissionLogic () {
+        return RequirePermissionLogic;
     }
 });
 const _common = require("@nestjs/common");
 const _constants = require("../constants");
 const RequirePermission = (...permissions)=>(0, _common.SetMetadata)(_constants.PERMISSIONS_KEY, {
         permissions,
-        operator: 'and'
+        operator: 'AND'
     });
 const RequireAnyPermission = (...permissions)=>(0, _common.SetMetadata)(_constants.PERMISSIONS_KEY, {
         permissions,
-        operator: 'or'
+        operator: 'OR'
     });
-const RequirePermissionCondition = (condition)=>(0, _common.SetMetadata)(_constants.PERMISSIONS_KEY, condition);
+const RequirePermissionLogic = (logic)=>(0, _common.SetMetadata)(_constants.PERMISSIONS_KEY, logic);
+const RequirePermissionCondition = RequirePermissionLogic;

package/cjs/exceptions/permission.exception.js

@@ -30,8 +30,8 @@ let PermissionSystemUnavailableException = class PermissionSystemUnavailableExce
     }
 };
 let InsufficientPermissionsException = class InsufficientPermissionsException extends _common.ForbiddenException {
-    constructor(missingPermissions, operator = 'and'){
-        const message = operator === 'or' ? `Requires at least one of: ${missingPermissions.join(', ')}` : `Missing required permissions: ${missingPermissions.join(', ')}`;
+    constructor(missingPermissions, operator = 'AND'){
+        const message = operator === 'OR' ? `Requires at least one of: ${missingPermissions.join(', ')}` : `Missing required permissions: ${missingPermissions.join(', ')}`;
         super({
             success: false,
             message,

package/cjs/guards/permission.guard.js

@@ -55,8 +55,6 @@ let PermissionGuard = class PermissionGuard {
             context.getClass()
         ]);
         if (!permissionConfig) return true;
-        const { permissions: requiredPermissions, operator } = this.normalizePermissionConfig(permissionConfig);
-        if (!requiredPermissions || requiredPermissions.length === 0) return true;
         const request = context.switchToHttp().getRequest();
         const user = request.user;
         if (!user) throw new _common.UnauthorizedException('Authentication required');
@@ -69,90 +67,93 @@ let PermissionGuard = class PermissionGuard {
             this.logger.warn(`No permissions found (userId: ${user.id})`, 'PermissionGuard');
             throw new _permissionexception.NoPermissionsFoundException();
         }
-        if (this.isNestedCondition(permissionConfig)) {
-            const result = this.evaluateCondition(permissionConfig, userPermissions);
-            if (!result.passed) {
-                this.logger.warn(`Permission denied (userId: ${user.id})`, 'PermissionGuard');
-                throw new _permissionexception.InsufficientPermissionsException(result.missingPermissions, result.operator);
-            }
-        } else {
-            this.validateSimplePermissions(requiredPermissions, userPermissions, operator);
+        const logicNode = this.normalizeToLogicNode(permissionConfig);
+        if (!logicNode) return true;
+        const result = this.evaluateLogicNode(logicNode, userPermissions);
+        if (!result.passed) {
+            this.logger.warn(`Permission denied (userId: ${user.id})`, 'PermissionGuard');
+            throw new _permissionexception.InsufficientPermissionsException(result.missingPermissions, result.operator);
         }
         return true;
     }
-    normalizePermissionConfig(config) {
-        if (Array.isArray(config)) return {
-            permissions: config,
-            operator: 'and'
-        };
-        return {
-            permissions: config.permissions || [],
-            operator: config.operator || 'and'
-        };
-    }
-    validateSimplePermissions(requiredPermissions, userPermissions, operator) {
-        if (operator === 'or') {
-            const hasAny = requiredPermissions.some((p)=>this.hasPermission(userPermissions, p));
-            if (!hasAny) throw new _permissionexception.InsufficientPermissionsException(requiredPermissions, 'or');
-        } else {
-            const hasAll = requiredPermissions.every((p)=>this.hasPermission(userPermissions, p));
-            if (!hasAll) {
-                const missing = requiredPermissions.filter((p)=>!this.hasPermission(userPermissions, p));
-                throw new _permissionexception.InsufficientPermissionsException(missing, 'and');
-            }
+    normalizeToLogicNode(config) {
+        // string - single permission
+        if (typeof config === 'string') {
+            return config ? {
+                type: 'action',
+                actionId: config
+            } : null;
         }
+        // string[] - treat as AND of multiple permissions
+        if (Array.isArray(config)) {
+            if (config.length === 0) return null;
+            if (config.length === 1) return {
+                type: 'action',
+                actionId: config[0]
+            };
+            return {
+                type: 'group',
+                operator: 'AND',
+                children: config.map((p)=>({
+                        type: 'action',
+                        actionId: p
+                    }))
+            };
+        }
+        // SimplePermissionConfig - { permissions: string[], operator: 'AND'|'OR' }
+        if ('permissions' in config && Array.isArray(config.permissions)) {
+            const simple = config;
+            if (simple.permissions.length === 0) return null;
+            if (simple.permissions.length === 1) return {
+                type: 'action',
+                actionId: simple.permissions[0]
+            };
+            return {
+                type: 'group',
+                operator: simple.operator || 'AND',
+                children: simple.permissions.map((p)=>({
+                        type: 'action',
+                        actionId: p
+                    }))
+            };
+        }
+        // ILogicNode
+        return config;
     }
-    isNestedCondition(config) {
-        if (Array.isArray(config)) return false;
-        return 'children' in config && Array.isArray(config.children) && config.children.length > 0;
-    }
-    evaluateCondition(condition, userPermissions) {
-        const { permissions = [], operator, children = [] } = condition;
-        // SECURITY: Fail-closed - deny access when no permissions configured (empty condition)
-        if (permissions.length === 0 && children.length === 0) {
+    evaluateLogicNode(node, userPermissions) {
+        if (node.type === 'action') {
+            const passed = this.hasPermission(userPermissions, node.actionId);
+            return {
+                passed,
+                missingPermissions: passed ? [] : [
+                    node.actionId
+                ],
+                operator: 'AND'
+            };
+        }
+        // Group node
+        const { operator, children } = node;
+        // SECURITY: Fail-closed - deny access when no children configured
+        if (!children || children.length === 0) {
             return {
                 passed: false,
-                message: 'No permissions configured - access denied by default',
                 missingPermissions: [],
                 operator
             };
         }
         const results = [];
-        const failureDetails = [];
         const missingPermissions = [];
-        if (permissions.length > 0) {
-            if (operator === 'or') {
-                const hasAny = permissions.some((p)=>this.hasPermission(userPermissions, p));
-                results.push(hasAny);
-                if (!hasAny) {
-                    failureDetails.push(`needs one of: [${permissions.join(', ')}]`);
-                    missingPermissions.push(...permissions);
-                }
-            } else {
-                const hasAll = permissions.every((p)=>this.hasPermission(userPermissions, p));
-                results.push(hasAll);
-                if (!hasAll) {
-                    const missing = permissions.filter((p)=>!this.hasPermission(userPermissions, p));
-                    failureDetails.push(`missing: [${missing.join(', ')}]`);
-                    missingPermissions.push(...missing);
-                }
-            }
-        }
         for (const child of children){
-            const childResult = this.evaluateCondition(child, userPermissions);
+            const childResult = this.evaluateLogicNode(child, userPermissions);
             results.push(childResult.passed);
             if (!childResult.passed) {
-                failureDetails.push(`(${childResult.message})`);
                 missingPermissions.push(...childResult.missingPermissions);
             }
         }
-        // Evaluate based on operator - empty results already handled above
-        const passed = operator === 'or' ? results.some((r)=>r) : results.every((r)=>r);
-        const message = passed ? 'OK' : `Denied: ${failureDetails.join(` ${operator.toUpperCase()} `)}`;
+        const passed = operator === 'OR' ? results.some((r)=>r) : results.every((r)=>r);
         return {
             passed,
-            message,
-            missingPermissions,
+            missingPermissions: passed ? [] : missingPermissions,
             operator
         };
     }

package/cjs/interfaces/permission.interface.js

@@ -1,4 +1,4 @@
-"use strict";
+/** Action node - checks a single permission/action code */ "use strict";
 Object.defineProperty(exports, "__esModule", {
     value: true
 });

package/cjs/utils/html-sanitizer.util.js

@@ -1,11 +1,4 @@
-/**
- * HTML Sanitizer Utilities
- *
- * Provides functions for escaping HTML content to prevent XSS attacks.
- * Use these utilities when interpolating user-provided variables into HTML content.
- */ /**
- * HTML entity mapping for escaping special characters
- */ "use strict";
+"use strict";
 Object.defineProperty(exports, "__esModule", {
     value: true
 });
@@ -23,7 +16,14 @@ _export(exports, {
         return escapeHtmlVariables;
     }
 });
-const HTML_ESCAPE_MAP = {
+/**
+ * HTML Sanitizer Utilities
+ *
+ * Provides functions for escaping HTML content to prevent XSS attacks.
+ * Use these utilities when interpolating user-provided variables into HTML content.
+ */ /**
+ * HTML entity mapping for escaping special characters
+ */ const HTML_ESCAPE_MAP = {
     '&': '&',
     '<': '&lt;',
     '>': '&gt;',

package/cjs/utils/request.util.js

@@ -19,6 +19,7 @@ _export(exports, {
         return parseDurationToMs;
     }
 });
+const _config = require("@flusys/nestjs-core/config");
 const _constants = require("../constants");
 /** Time unit multipliers in milliseconds */ const TIME_UNIT_MS = {
     s: 1000,
@@ -45,7 +46,7 @@ function isBrowserRequest(req) {
 function buildCookieOptions(req) {
     const hostname = req.hostname || '';
     const origin = req.headers.origin || '';
-    const isProduction = process.env.NODE_ENV === 'production';
+    const isProduction = _config.envConfig.isProduction();
     const forwardedProto = req.headers['x-forwarded-proto'];
     const isHttps = isProduction || forwardedProto === 'https' || origin.startsWith('https://') || req.secure;
     let domain;

package/classes/api-controller.class.d.ts

@@ -1,14 +1,14 @@
 import { BulkResponseDto, DeleteDto, FilterAndPaginationDto, GetByIdBodyDto, ListResponseDto, MessageResponseDto, SingleResponseDto } from '../dtos';
 import { Identity } from '../entities';
-import { ILoggedUserInfo, IService, PermissionCondition, PermissionOperator } from '../interfaces';
+import { ILoggedUserInfo, IPermissionLogic, IService } from '../interfaces';
 import { Type } from '@nestjs/common';
 export type ApiEndpoint = 'insert' | 'insertMany' | 'getById' | 'getAll' | 'update' | 'updateMany' | 'delete';
 export type SecurityLevel = 'public' | 'jwt' | 'permission';
 export interface EndpointSecurity {
     level: SecurityLevel;
     permissions?: string[];
-    operator?: PermissionOperator;
-    condition?: PermissionCondition;
+    operator?: 'AND' | 'OR';
+    logic?: IPermissionLogic;
 }
 export type ApiSecurityConfig = {
     [K in ApiEndpoint]?: EndpointSecurity | SecurityLevel;

package/decorators/require-permission.decorator.d.ts

@@ -1,4 +1,5 @@
-import { PermissionCondition } from '../interfaces/permission.interface';
+import { IPermissionLogic } from '../interfaces/permission.interface';
 export declare const RequirePermission: (...permissions: string[]) => import("@nestjs/common").CustomDecorator<string>;
 export declare const RequireAnyPermission: (...permissions: string[]) => import("@nestjs/common").CustomDecorator<string>;
-export declare const RequirePermissionCondition: (condition: PermissionCondition) => import("@nestjs/common").CustomDecorator<string>;
+export declare const RequirePermissionLogic: (logic: IPermissionLogic) => import("@nestjs/common").CustomDecorator<string>;
+export declare const RequirePermissionCondition: (logic: IPermissionLogic) => import("@nestjs/common").CustomDecorator<string>;

package/exceptions/permission.exception.d.ts

@@ -3,7 +3,7 @@ export declare class PermissionSystemUnavailableException extends InternalServer
     constructor(message?: string);
 }
 export declare class InsufficientPermissionsException extends ForbiddenException {
-    constructor(missingPermissions: string[], operator?: 'and' | 'or');
+    constructor(missingPermissions: string[], operator?: 'AND' | 'OR');
 }
 export declare class NoPermissionsFoundException extends ForbiddenException {
     constructor();

package/fesm/classes/api-controller.class.js

@@ -25,7 +25,7 @@ function _ts_param(paramIndex, decorator) {
         decorator(target, key, paramIndex);
     };
 }
-import { CurrentUser, Public, RequirePermission, RequireAnyPermission, RequirePermissionCondition } from '../decorators';
+import { CurrentUser, Public, RequirePermission, RequireAnyPermission, RequirePermissionLogic } from '../decorators';
 import { DeleteDto, FilterAndPaginationDto, GetByIdBodyDto } from '../dtos';
 import { JwtAuthGuard, PermissionGuard } from '../guards';
 import { IdempotencyInterceptor, SetCreatedByOnBody, SetDeletedByOnBody, SetUpdateByOnBody, Slug } from '../interceptors';
@@ -62,11 +62,11 @@ import { ApiResponseDto } from '../decorators/api-response.decorator';
             // Apply PermissionGuard to check permissions from cache
             decorators.push(UseGuards(JwtAuthGuard, PermissionGuard));
             decorators.push(ApiBearerAuth());
-            // Check for complex nested condition first
-            if (security.condition) {
-                decorators.push(RequirePermissionCondition(security.condition));
+            // Check for complex logic first
+            if (security.logic) {
+                decorators.push(RequirePermissionLogic(security.logic));
             } else if (security.permissions && security.permissions.length > 0) {
-                if (security.operator === 'or') {
+                if (security.operator === 'OR') {
                     decorators.push(RequireAnyPermission(...security.permissions));
                 } else {
                     // AND is default and most secure

package/fesm/decorators/require-permission.decorator.js

@@ -1,75 +1,28 @@
 import { SetMetadata } from '@nestjs/common';
 import { PERMISSIONS_KEY } from '../constants';
-/**
- * Decorator to require specific permissions for a route
- *
- * By default uses AND logic (user must have ALL permissions).
- * This is the most common and secure pattern.
- *
- * @param permissions - One or more permission keys required (AND logic)
- *
- * @example
- * // Require single permission
- * @RequirePermission('users.read')
- *
- * @example
- * // Require ALL permissions (AND)
- * @RequirePermission('users.read', 'users.write')
- *
- * @example
- * // For OR logic, use RequireAnyPermission instead
- * @RequireAnyPermission('admin.access', 'manager.access')
- */ export const RequirePermission = (...permissions)=>SetMetadata(PERMISSIONS_KEY, {
+/** Require ALL permissions (AND logic) - most secure pattern */ export const RequirePermission = (...permissions)=>SetMetadata(PERMISSIONS_KEY, {
         permissions,
-        operator: 'and'
+        operator: 'AND'
     });
-/**
- * Decorator to require ANY of the specified permissions (OR logic)
- *
- * User must have at least ONE of the specified permissions.
- * Less secure than RequirePermission (AND), use carefully.
- *
- * @param permissions - User must have at least ONE of these permissions
- *
- * @example
- * @RequireAnyPermission('admin.access', 'manager.access')
- */ export const RequireAnyPermission = (...permissions)=>SetMetadata(PERMISSIONS_KEY, {
+/** Require ANY permission (OR logic) - use carefully */ export const RequireAnyPermission = (...permissions)=>SetMetadata(PERMISSIONS_KEY, {
         permissions,
-        operator: 'or'
+        operator: 'OR'
     });
 /**
- * Decorator for complex permission conditions with nested logic
- *
- * Supports building complex permission trees:
- * - AND/OR operators
- * - Nested children for complex logic
- *
- * @param condition - Complex permission condition
- *
- * @example
- * // Simple: User needs 'admin' OR 'manager'
- * @RequirePermissionCondition({
- *   operator: 'or',
- *   permissions: ['admin', 'manager'],
- * })
- *
+ * Require complex permission logic using ILogicNode tree
  * @example
- * // Complex: User needs 'users.read' AND ('admin' OR 'manager')
- * @RequirePermissionCondition({
- *   operator: 'and',
- *   permissions: ['users.read'],
- *   children: [
- *     { operator: 'or', permissions: ['admin', 'manager'] }
- *   ]
- * })
- *
+ * // Single permission
+ * @RequirePermissionLogic('users.read')
  * @example
- * // Very complex: (A AND B) OR (C AND D)
- * @RequirePermissionCondition({
- *   operator: 'or',
- *   children: [
- *     { operator: 'and', permissions: ['finance.read', 'finance.write'] },
- *     { operator: 'and', permissions: ['admin.full', 'reports.access'] }
- *   ]
+ * // Complex: users.read AND (admin OR manager)
+ * @RequirePermissionLogic({
+ *   type: 'group', operator: 'AND', children: [
+ *     { type: 'action', actionId: 'users.read' },
+ *     { type: 'group', operator: 'OR', children: [
+ *       { type: 'action', actionId: 'admin' },
+ *       { type: 'action', actionId: 'manager' },
+ *     ]},
+ *   ],
  * })
- */ export const RequirePermissionCondition = (condition)=>SetMetadata(PERMISSIONS_KEY, condition);
+ */ export const RequirePermissionLogic = (logic)=>SetMetadata(PERMISSIONS_KEY, logic);
+/** @deprecated Use RequirePermissionLogic instead */ export const RequirePermissionCondition = RequirePermissionLogic;

package/fesm/exceptions/permission.exception.js

@@ -13,8 +13,8 @@ import { ForbiddenException, InternalServerErrorException } from '@nestjs/common
 /**
  * Exception thrown when user lacks required permissions
  */ export class InsufficientPermissionsException extends ForbiddenException {
-    constructor(missingPermissions, operator = 'and'){
-        const message = operator === 'or' ? `Requires at least one of: ${missingPermissions.join(', ')}` : `Missing required permissions: ${missingPermissions.join(', ')}`;
+    constructor(missingPermissions, operator = 'AND'){
+        const message = operator === 'OR' ? `Requires at least one of: ${missingPermissions.join(', ')}` : `Missing required permissions: ${missingPermissions.join(', ')}`;
         super({
             success: false,
             message,

package/fesm/guards/permission.guard.js

@@ -45,8 +45,6 @@ export class PermissionGuard {
             context.getClass()
         ]);
         if (!permissionConfig) return true;
-        const { permissions: requiredPermissions, operator } = this.normalizePermissionConfig(permissionConfig);
-        if (!requiredPermissions || requiredPermissions.length === 0) return true;
         const request = context.switchToHttp().getRequest();
         const user = request.user;
         if (!user) throw new UnauthorizedException('Authentication required');
@@ -59,90 +57,93 @@ export class PermissionGuard {
             this.logger.warn(`No permissions found (userId: ${user.id})`, 'PermissionGuard');
             throw new NoPermissionsFoundException();
         }
-        if (this.isNestedCondition(permissionConfig)) {
-            const result = this.evaluateCondition(permissionConfig, userPermissions);
-            if (!result.passed) {
-                this.logger.warn(`Permission denied (userId: ${user.id})`, 'PermissionGuard');
-                throw new InsufficientPermissionsException(result.missingPermissions, result.operator);
-            }
-        } else {
-            this.validateSimplePermissions(requiredPermissions, userPermissions, operator);
+        const logicNode = this.normalizeToLogicNode(permissionConfig);
+        if (!logicNode) return true;
+        const result = this.evaluateLogicNode(logicNode, userPermissions);
+        if (!result.passed) {
+            this.logger.warn(`Permission denied (userId: ${user.id})`, 'PermissionGuard');
+            throw new InsufficientPermissionsException(result.missingPermissions, result.operator);
         }
         return true;
     }
-    normalizePermissionConfig(config) {
-        if (Array.isArray(config)) return {
-            permissions: config,
-            operator: 'and'
-        };
-        return {
-            permissions: config.permissions || [],
-            operator: config.operator || 'and'
-        };
-    }
-    validateSimplePermissions(requiredPermissions, userPermissions, operator) {
-        if (operator === 'or') {
-            const hasAny = requiredPermissions.some((p)=>this.hasPermission(userPermissions, p));
-            if (!hasAny) throw new InsufficientPermissionsException(requiredPermissions, 'or');
-        } else {
-            const hasAll = requiredPermissions.every((p)=>this.hasPermission(userPermissions, p));
-            if (!hasAll) {
-                const missing = requiredPermissions.filter((p)=>!this.hasPermission(userPermissions, p));
-                throw new InsufficientPermissionsException(missing, 'and');
-            }
+    normalizeToLogicNode(config) {
+        // string - single permission
+        if (typeof config === 'string') {
+            return config ? {
+                type: 'action',
+                actionId: config
+            } : null;
         }
+        // string[] - treat as AND of multiple permissions
+        if (Array.isArray(config)) {
+            if (config.length === 0) return null;
+            if (config.length === 1) return {
+                type: 'action',
+                actionId: config[0]
+            };
+            return {
+                type: 'group',
+                operator: 'AND',
+                children: config.map((p)=>({
+                        type: 'action',
+                        actionId: p
+                    }))
+            };
+        }
+        // SimplePermissionConfig - { permissions: string[], operator: 'AND'|'OR' }
+        if ('permissions' in config && Array.isArray(config.permissions)) {
+            const simple = config;
+            if (simple.permissions.length === 0) return null;
+            if (simple.permissions.length === 1) return {
+                type: 'action',
+                actionId: simple.permissions[0]
+            };
+            return {
+                type: 'group',
+                operator: simple.operator || 'AND',
+                children: simple.permissions.map((p)=>({
+                        type: 'action',
+                        actionId: p
+                    }))
+            };
+        }
+        // ILogicNode
+        return config;
     }
-    isNestedCondition(config) {
-        if (Array.isArray(config)) return false;
-        return 'children' in config && Array.isArray(config.children) && config.children.length > 0;
-    }
-    evaluateCondition(condition, userPermissions) {
-        const { permissions = [], operator, children = [] } = condition;
-        // SECURITY: Fail-closed - deny access when no permissions configured (empty condition)
-        if (permissions.length === 0 && children.length === 0) {
+    evaluateLogicNode(node, userPermissions) {
+        if (node.type === 'action') {
+            const passed = this.hasPermission(userPermissions, node.actionId);
+            return {
+                passed,
+                missingPermissions: passed ? [] : [
+                    node.actionId
+                ],
+                operator: 'AND'
+            };
+        }
+        // Group node
+        const { operator, children } = node;
+        // SECURITY: Fail-closed - deny access when no children configured
+        if (!children || children.length === 0) {
             return {
                 passed: false,
-                message: 'No permissions configured - access denied by default',
                 missingPermissions: [],
                 operator
             };
         }
         const results = [];
-        const failureDetails = [];
         const missingPermissions = [];
-        if (permissions.length > 0) {
-            if (operator === 'or') {
-                const hasAny = permissions.some((p)=>this.hasPermission(userPermissions, p));
-                results.push(hasAny);
-                if (!hasAny) {
-                    failureDetails.push(`needs one of: [${permissions.join(', ')}]`);
-                    missingPermissions.push(...permissions);
-                }
-            } else {
-                const hasAll = permissions.every((p)=>this.hasPermission(userPermissions, p));
-                results.push(hasAll);
-                if (!hasAll) {
-                    const missing = permissions.filter((p)=>!this.hasPermission(userPermissions, p));
-                    failureDetails.push(`missing: [${missing.join(', ')}]`);
-                    missingPermissions.push(...missing);
-                }
-            }
-        }
         for (const child of children){
-            const childResult = this.evaluateCondition(child, userPermissions);
+            const childResult = this.evaluateLogicNode(child, userPermissions);
             results.push(childResult.passed);
             if (!childResult.passed) {
-                failureDetails.push(`(${childResult.message})`);
                 missingPermissions.push(...childResult.missingPermissions);
             }
         }
-        // Evaluate based on operator - empty results already handled above
-        const passed = operator === 'or' ? results.some((r)=>r) : results.every((r)=>r);
-        const message = passed ? 'OK' : `Denied: ${failureDetails.join(` ${operator.toUpperCase()} `)}`;
+        const passed = operator === 'OR' ? results.some((r)=>r) : results.every((r)=>r);
         return {
             passed,
-            message,
-            missingPermissions,
+            missingPermissions: passed ? [] : missingPermissions,
             operator
         };
     }

package/fesm/interfaces/permission.interface.js

@@ -1,3 +1 @@
-/**
- * Configuration for the permission guard
- */ export { };
+/** Action node - checks a single permission/action code */ /** Configuration for the permission guard */ export { };

package/fesm/utils/request.util.js

@@ -1,3 +1,4 @@
+import { envConfig } from '@flusys/nestjs-core/config';
 import { CLIENT_TYPE_HEADER } from '../constants';
 /** Time unit multipliers in milliseconds */ const TIME_UNIT_MS = {
     s: 1000,
@@ -30,7 +31,7 @@ import { CLIENT_TYPE_HEADER } from '../constants';
  */ export function buildCookieOptions(req) {
     const hostname = req.hostname || '';
     const origin = req.headers.origin || '';
-    const isProduction = process.env.NODE_ENV === 'production';
+    const isProduction = envConfig.isProduction();
     const forwardedProto = req.headers['x-forwarded-proto'];
     const isHttps = isProduction || forwardedProto === 'https' || origin.startsWith('https://') || req.secure;
     let domain;

package/guards/permission.guard.d.ts

@@ -10,10 +10,8 @@ export declare class PermissionGuard implements CanActivate {
     private readonly logger;
     constructor(reflector: Reflector, cache?: HybridCache, config?: PermissionGuardConfig, logger?: ILogger);
     canActivate(context: ExecutionContext): Promise<boolean>;
-    private normalizePermissionConfig;
-    private validateSimplePermissions;
-    private isNestedCondition;
-    private evaluateCondition;
+    private normalizeToLogicNode;
+    private evaluateLogicNode;
     private getUserPermissions;
     private buildPermissionCacheKey;
     private hasPermission;