@generazioneai/authz 0.0.1

package/dist/codegen/generate-types.d.ts

@@ -0,0 +1,8 @@
+import type { ResourceManifest } from '../define-resource';
+export interface GeneratedFile {
+    filename: string;
+    content: string;
+}
+/** Emit all generated files for `@generazioneai/authz-types/src/generated/`. */
+export declare function generateTypeFiles(manifests: ResourceManifest[]): GeneratedFile[];
+//# sourceMappingURL=generate-types.d.ts.map

package/dist/codegen/generate-types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"generate-types.d.ts","sourceRoot":"","sources":["../../src/codegen/generate-types.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAG3D,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;CACjB;AAoHD,gFAAgF;AAChF,wBAAgB,iBAAiB,CAAC,SAAS,EAAE,gBAAgB,EAAE,GAAG,aAAa,EAAE,CAShF"}

package/dist/codegen/generate-types.js

@@ -0,0 +1,121 @@
+"use strict";
+// Step 8 DEC-S8.1: codegen emitters for `@generazioneai/authz-types/src/generated/`.
+//
+// Pure functions: manifests in → file contents out. No filesystem here (the CLI
+// in `index.ts` does the IO). Output is deterministic (subjects + actions sorted)
+// so `authz:codegen --check` drift detection is stable (DEC-S8.4).
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateTypeFiles = generateTypeFiles;
+const effective_actions_1 = require("./effective-actions");
+const HEADER = '// @generated by `authz:codegen` — DO NOT EDIT.\n' +
+    '// Run `npm run authz:codegen` to regenerate from the resource manifests.\n';
+function sorted(manifests) {
+    return [...manifests].sort((a, b) => a.subject.localeCompare(b.subject));
+}
+function genSubjects(manifests) {
+    const members = [...sorted(manifests).map((m) => m.subject), 'all'];
+    const body = members.map((s) => `  | '${s}'`).join('\n');
+    return `${HEADER}\nexport type Subject =\n${body};\n`;
+}
+function genActions(manifests) {
+    const entries = sorted(manifests).map((m) => {
+        const acts = (0, effective_actions_1.effectiveActions)(m);
+        const union = acts.length ? acts.map((a) => `'${a}'`).join(' | ') : 'never';
+        return `  ${m.subject}: ${union};`;
+    });
+    // 'all' is the CASL wildcard subject (system tier `manage`) — any action.
+    entries.push('  all: string;');
+    return (`${HEADER}\nimport type { Subject } from './subjects';\n\n` +
+        '/** Effective actions per subject (declared actions ∪ lifecycle transition verbs). */\n' +
+        `export interface SubjectActionMap {\n${entries.join('\n')}\n}\n\n` +
+        'export type ActionFor<S extends Subject> = SubjectActionMap[S];\n' +
+        "/** Union of every concrete action across all subjects (excludes the 'all' wildcard). */\n" +
+        "export type Action = SubjectActionMap[Exclude<Subject, 'all'>];\n");
+}
+function genSubjectShapes(manifests) {
+    const mapBody = sorted(manifests)
+        .map((m) => `  ${m.subject}: { service: '${m.service}', model: '${m.prismaModel}' },`)
+        .join('\n');
+    return `${HEADER}
+/** Maps each Subject to its owning service + Prisma model name (Step 3 lookup). */
+export const SUBJECT_MODEL_MAP = {
+${mapBody}
+} as const;
+
+export type SubjectModelMap = typeof SUBJECT_MODEL_MAP;
+
+/**
+ * Per-service Prisma row types are merged here via declaration merging inside the
+ * owning service (the SDK cannot import service Prisma clients):
+ *
+ *   declare module '@generazioneai/authz-types' {
+ *     interface SubjectShape { Course: import('@prisma-lms/client').Course }
+ *   }
+ */
+export interface SubjectShape {}
+`;
+}
+// Static (depends only on the generated Subject/ActionFor types, not on the
+// manifest list). Emitted as a generated file per DEC-S8.1 so all type surface
+// lives under generated/.
+function genAuthorizeDecorator() {
+    return `${HEADER}
+import { SetMetadata, type CustomDecorator } from '@nestjs/common';
+import type { Subject } from './subjects';
+import type { ActionFor } from './actions';
+
+/** Reflect metadata key read by the gateway's GlobalAuthzGuard (Step 6). */
+export const AUTHZ_REQUIREMENT_KEY = 'skillera:authz:requirement';
+
+export interface AuthzRequirement {
+  action: string;
+  subject: string;
+}
+
+/**
+ * Declares the route-level authz requirement for a controller handler.
+ * Type-safe: \`action\` must be valid for \`subject\` per its resource manifest.
+ *
+ *   @Authorize('read', 'Planning')
+ *   @Get('plannings')
+ *   findAll() { ... }
+ */
+export function Authorize<S extends Subject>(
+  action: ActionFor<S>,
+  subject: S,
+): CustomDecorator {
+  return SetMetadata(AUTHZ_REQUIREMENT_KEY, { action, subject } as AuthzRequirement);
+}
+`;
+}
+// DEC-S8.18: perms come from the canonical skillID seed (not the manifests),
+// which does not exist yet — emit a typed placeholder.
+function genPerms() {
+    return `${HEADER}
+// Permission slugs are generated from the skillID canonical seed (DEC-S8.18),
+// which does not exist yet. Re-run \`authz:codegen --include-perms\` once it lands.
+export const PERM = {} as const;
+export type PermKey = keyof typeof PERM;
+`;
+}
+function genBarrel() {
+    return `${HEADER}
+export * from './subjects';
+export * from './actions';
+export * from './subject-shapes';
+export * from './authorize-decorator';
+export * from './perms';
+`;
+}
+/** Emit all generated files for `@generazioneai/authz-types/src/generated/`. */
+function generateTypeFiles(manifests) {
+    return [
+        { filename: 'subjects.ts', content: genSubjects(manifests) },
+        { filename: 'actions.ts', content: genActions(manifests) },
+        { filename: 'subject-shapes.ts', content: genSubjectShapes(manifests) },
+        { filename: 'authorize-decorator.ts', content: genAuthorizeDecorator() },
+        { filename: 'perms.ts', content: genPerms() },
+        { filename: 'index.ts', content: genBarrel() },
+    ];
+}
+//# sourceMappingURL=generate-types.js.map

package/dist/codegen/generate-types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"generate-types.js","sourceRoot":"","sources":["../../src/codegen/generate-types.ts"],"names":[],"mappings":";AAAA,qFAAqF;AACrF,EAAE;AACF,gFAAgF;AAChF,kFAAkF;AAClF,mEAAmE;;AA6HnE,8CASC;AAnID,2DAAuD;AAOvD,MAAM,MAAM,GACV,mDAAmD;IACnD,6EAA6E,CAAC;AAEhF,SAAS,MAAM,CAAC,SAA6B;IAC3C,OAAO,CAAC,GAAG,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;AAC3E,CAAC;AAED,SAAS,WAAW,CAAC,SAA6B;IAChD,MAAM,OAAO,GAAG,CAAC,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,KAAK,CAAC,CAAC;IACpE,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACzD,OAAO,GAAG,MAAM,4BAA4B,IAAI,KAAK,CAAC;AACxD,CAAC;AAED,SAAS,UAAU,CAAC,SAA6B;IAC/C,MAAM,OAAO,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QAC1C,MAAM,IAAI,GAAG,IAAA,oCAAgB,EAAC,CAAC,CAAC,CAAC;QACjC,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;QAC5E,OAAO,KAAK,CAAC,CAAC,OAAO,KAAK,KAAK,GAAG,CAAC;IACrC,CAAC,CAAC,CAAC;IACH,0EAA0E;IAC1E,OAAO,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IAC/B,OAAO,CACL,GAAG,MAAM,kDAAkD;QAC3D,yFAAyF;QACzF,wCAAwC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS;QACnE,mEAAmE;QACnE,4FAA4F;QAC5F,mEAAmE,CACpE,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,SAA6B;IACrD,MAAM,OAAO,GAAG,MAAM,CAAC,SAAS,CAAC;SAC9B,GAAG,CACF,CAAC,CAAC,EAAE,EAAE,CACJ,KAAK,CAAC,CAAC,OAAO,iBAAiB,CAAC,CAAC,OAAO,cAAc,CAAC,CAAC,WAAW,MAAM,CAC5E;SACA,IAAI,CAAC,IAAI,CAAC,CAAC;IACd,OAAO,GAAG,MAAM;;;EAGhB,OAAO;;;;;;;;;;;;;;CAcR,CAAC;AACF,CAAC;AAED,4EAA4E;AAC5E,+EAA+E;AAC/E,0BAA0B;AAC1B,SAAS,qBAAqB;IAC5B,OAAO,GAAG,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;CA2BjB,CAAC;AACF,CAAC;AAED,6EAA6E;AAC7E,uDAAuD;AACvD,SAAS,QAAQ;IACf,OAAO,GAAG,MAAM;;;;;CAKjB,CAAC;AACF,CAAC;AAED,SAAS,SAAS;IAChB,OAAO,GAAG,MAAM;;;;;;CAMjB,CAAC;AACF,CAAC;AAED,gFAAgF;AAChF,SAAgB,iBAAiB,CAAC,SAA6B;IAC7D,OAAO;QACL,EAAE,QAAQ,EAAE,aAAa,EAAE,OAAO,EAAE,WAAW,CAAC,SAAS,CAAC,EAAE;QAC5D,EAAE,QAAQ,EAAE,YAAY,EAAE,OAAO,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE;QAC1D,EAAE,QAAQ,EAAE,mBAAmB,EAAE,OAAO,EAAE,gBAAgB,CAAC,SAAS,CAAC,EAAE;QACvE,EAAE,QAAQ,EAAE,wBAAwB,EAAE,OAAO,EAAE,qBAAqB,EAAE,EAAE;QACxE,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE;QAC7C,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE;KAC/C,CAAC;AACJ,CAAC"}

package/dist/codegen/index.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export declare function runCodegen(argv: string[]): number;
+//# sourceMappingURL=index.d.ts.map

package/dist/codegen/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/codegen/index.ts"],"names":[],"mappings":";AAkDA,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,MAAM,CAiCjD"}

package/dist/codegen/index.js

@@ -0,0 +1,74 @@
+#!/usr/bin/env node
+"use strict";
+// Step 8 DEC-S8.1/3/4: `authz:codegen` CLI.
+//
+// Reads serialized resource manifests (one or more `authz-manifest.json` files)
+// and emits the typed surface into `@generazioneai/authz-types/src/generated/`.
+//
+// Usage:
+//   authz:codegen [--manifests <a.json> <b.json>...] [--out <dir>] [--check]
+//
+// `--check` (DEC-S8.4): generate in memory, compare to the checked-in files, exit
+// 1 with a diff list if they differ — the drift gate used in CI.
+//
+// With no `--manifests`, emits the empty baseline (Subject = 'all' only), which is
+// what bootstraps the package before any service ships its manifests.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runCodegen = runCodegen;
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const generate_types_1 = require("./generate-types");
+const manifest_io_1 = require("./manifest-io");
+// Default: resolve `<repo>/packages/authz-types/src/generated` relative to this
+// file (works from dist/codegen/ at runtime and src/codegen/ under ts-node).
+const DEFAULT_OUT = (0, node_path_1.resolve)(__dirname, '../../../authz-types/src/generated');
+function parseArgs(argv) {
+    const args = { manifests: [], out: DEFAULT_OUT, check: false };
+    for (let i = 0; i < argv.length; i++) {
+        const a = argv[i];
+        if (a === '--check')
+            args.check = true;
+        else if (a === '--out')
+            args.out = (0, node_path_1.resolve)(argv[++i]);
+        else if (a === '--manifests') {
+            while (i + 1 < argv.length && !argv[i + 1].startsWith('--')) {
+                args.manifests.push((0, node_path_1.resolve)(argv[++i]));
+            }
+        }
+    }
+    return args;
+}
+function runCodegen(argv) {
+    const args = parseArgs(argv);
+    const manifests = args.manifests.length ? (0, manifest_io_1.loadManifests)(args.manifests) : [];
+    const files = (0, generate_types_1.generateTypeFiles)(manifests);
+    if (args.check) {
+        const drifted = [];
+        for (const f of files) {
+            const path = (0, node_path_1.join)(args.out, f.filename);
+            const current = (0, node_fs_1.existsSync)(path) ? (0, node_fs_1.readFileSync)(path, 'utf8') : null;
+            if (current !== f.content)
+                drifted.push(f.filename);
+        }
+        if (drifted.length) {
+            console.error(`[authz:codegen] DRIFT — ${drifted.length} generated file(s) out of date: ${drifted.join(', ')}`);
+            console.error('[authz:codegen] run `npm run authz:codegen` and commit the result.');
+            return 1;
+        }
+        console.log(`[authz:codegen] OK — ${files.length} generated file(s) in sync (${manifests.length} manifest(s)).`);
+        return 0;
+    }
+    (0, node_fs_1.mkdirSync)(args.out, { recursive: true });
+    for (const f of files) {
+        const path = (0, node_path_1.join)(args.out, f.filename);
+        (0, node_fs_1.mkdirSync)((0, node_path_1.dirname)(path), { recursive: true });
+        (0, node_fs_1.writeFileSync)(path, f.content, 'utf8');
+    }
+    console.log(`[authz:codegen] wrote ${files.length} file(s) to ${args.out} (${manifests.length} manifest(s)).`);
+    return 0;
+}
+// Executed directly (not imported) → run.
+if (require.main === module) {
+    process.exit(runCodegen(process.argv.slice(2)));
+}
+//# sourceMappingURL=index.js.map

package/dist/codegen/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/codegen/index.ts"],"names":[],"mappings":";;AACA,4CAA4C;AAC5C,EAAE;AACF,gFAAgF;AAChF,gFAAgF;AAChF,EAAE;AACF,SAAS;AACT,6EAA6E;AAC7E,EAAE;AACF,kFAAkF;AAClF,iEAAiE;AACjE,EAAE;AACF,mFAAmF;AACnF,sEAAsE;;AAqCtE,gCAiCC;AApED,qCAKiB;AACjB,yCAAmD;AACnD,qDAAqD;AACrD,+CAA8C;AAQ9C,gFAAgF;AAChF,6EAA6E;AAC7E,MAAM,WAAW,GAAG,IAAA,mBAAO,EAAC,SAAS,EAAE,oCAAoC,CAAC,CAAC;AAE7E,SAAS,SAAS,CAAC,IAAc;IAC/B,MAAM,IAAI,GAAY,EAAE,SAAS,EAAE,EAAE,EAAE,GAAG,EAAE,WAAW,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IACxE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,IAAI,CAAC,KAAK,SAAS;YAAE,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;aAClC,IAAI,CAAC,KAAK,OAAO;YAAE,IAAI,CAAC,GAAG,GAAG,IAAA,mBAAO,EAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;aACjD,IAAI,CAAC,KAAK,aAAa,EAAE,CAAC;YAC7B,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC5D,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAA,mBAAO,EAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;YAC1C,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAgB,UAAU,CAAC,IAAc;IACvC,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;IAC7B,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,IAAA,2BAAa,EAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAC7E,MAAM,KAAK,GAAG,IAAA,kCAAiB,EAAC,SAAS,CAAC,CAAC;IAE3C,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAa,EAAE,CAAC;QAC7B,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;YACtB,MAAM,IAAI,GAAG,IAAA,gBAAI,EAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC;YACxC,MAAM,OAAO,GAAG,IAAA,oBAAU,EAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAA,sBAAY,EAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YACrE,IAAI,OAAO,KAAK,CAAC,CAAC,OAAO;gBAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;QACD,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,OAAO,CAAC,KAAK,CACX,2BAA2B,OAAO,CAAC,MAAM,mCAAmC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACjG,CAAC;YACF,OAAO,CAAC,KAAK,CAAC,oEAAoE,CAAC,CAAC;YACpF,OAAO,CAAC,CAAC;QACX,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,wBAAwB,KAAK,CAAC,MAAM,+BAA+B,SAAS,CAAC,MAAM,gBAAgB,CAAC,CAAC;QACjH,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAA,mBAAS,EAAC,IAAI,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzC,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,MAAM,IAAI,GAAG,IAAA,gBAAI,EAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC;QACxC,IAAA,mBAAS,EAAC,IAAA,mBAAO,EAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9C,IAAA,uBAAa,EAAC,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACzC,CAAC;IACD,OAAO,CAAC,GAAG,CACT,yBAAyB,KAAK,CAAC,MAAM,eAAe,IAAI,CAAC,GAAG,KAAK,SAAS,CAAC,MAAM,gBAAgB,CAClG,CAAC;IACF,OAAO,CAAC,CAAC;AACX,CAAC;AAED,0CAA0C;AAC1C,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;IAC5B,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAClD,CAAC"}

package/dist/codegen/manifest-io.d.ts

@@ -0,0 +1,19 @@
+import type { ResourceManifest } from '../define-resource';
+/** A manifest as it survives `JSON.stringify` (no functions, generics erased). */
+export type SerializedManifest = ResourceManifest;
+export declare function loadManifestFile(path: string): SerializedManifest[];
+/** Load + concatenate manifests from several files (no dedup — checks catch dups). */
+export declare function loadManifests(paths: string[]): SerializedManifest[];
+/**
+ * Strip the TS-only generics + any non-JSON residue from a manifest set.
+ * A JSON round-trip drops `undefined` keys and would throw on a stray function —
+ * a guard that scope templates stayed pure JSON (DEC-2).
+ */
+export declare function serializeManifests(manifests: ResourceManifest[]): SerializedManifest[];
+/**
+ * DEC-18 (SDK side): the per-service `authz:export` build step calls this with
+ * its registered manifests to emit `dist/authz-manifest.json`. skillID's
+ * aggregator and the CI `authz:check` / `authz:codegen` gates read those files.
+ */
+export declare function writeManifestFile(path: string, manifests: ResourceManifest[]): void;
+//# sourceMappingURL=manifest-io.d.ts.map

package/dist/codegen/manifest-io.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest-io.d.ts","sourceRoot":"","sources":["../../src/codegen/manifest-io.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAE3D,kFAAkF;AAClF,MAAM,MAAM,kBAAkB,GAAG,gBAAgB,CAAC;AAElD,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,kBAAkB,EAAE,CAoBnE;AAED,sFAAsF;AACtF,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,kBAAkB,EAAE,CAInE;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAChC,SAAS,EAAE,gBAAgB,EAAE,GAC5B,kBAAkB,EAAE,CAEtB;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,gBAAgB,EAAE,GAC5B,IAAI,CAGN"}

package/dist/codegen/manifest-io.js

@@ -0,0 +1,59 @@
+"use strict";
+// Step 1 DEC-18 / Step 8 DEC-S8.1: manifest aggregation for codegen + check.
+//
+// Each service emits a serialized `authz-manifest.json` (an array of manifests).
+// Because scope templates are pure JSON with `{ $ctx }` placeholders (DEC-2),
+// a manifest is fully serializable — the only erased part is the TS-only `W`
+// generic. The codegen / check tooling reads these JSON files and merges them.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadManifestFile = loadManifestFile;
+exports.loadManifests = loadManifests;
+exports.serializeManifests = serializeManifests;
+exports.writeManifestFile = writeManifestFile;
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+function loadManifestFile(path) {
+    if (!(0, node_fs_1.existsSync)(path)) {
+        throw new Error(`[authz] manifest file not found: ${path}`);
+    }
+    const raw = (0, node_fs_1.readFileSync)(path, 'utf8');
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch (e) {
+        throw new Error(`[authz] invalid JSON in ${path}: ${e.message}`);
+    }
+    const arr = Array.isArray(parsed)
+        ? parsed
+        : parsed?.manifests;
+    if (!Array.isArray(arr)) {
+        throw new Error(`[authz] ${path} must be a JSON array of manifests (or { "manifests": [...] }).`);
+    }
+    return arr;
+}
+/** Load + concatenate manifests from several files (no dedup — checks catch dups). */
+function loadManifests(paths) {
+    const all = [];
+    for (const p of paths)
+        all.push(...loadManifestFile(p));
+    return all;
+}
+/**
+ * Strip the TS-only generics + any non-JSON residue from a manifest set.
+ * A JSON round-trip drops `undefined` keys and would throw on a stray function —
+ * a guard that scope templates stayed pure JSON (DEC-2).
+ */
+function serializeManifests(manifests) {
+    return JSON.parse(JSON.stringify(manifests));
+}
+/**
+ * DEC-18 (SDK side): the per-service `authz:export` build step calls this with
+ * its registered manifests to emit `dist/authz-manifest.json`. skillID's
+ * aggregator and the CI `authz:check` / `authz:codegen` gates read those files.
+ */
+function writeManifestFile(path, manifests) {
+    (0, node_fs_1.mkdirSync)((0, node_path_1.dirname)(path), { recursive: true });
+    (0, node_fs_1.writeFileSync)(path, JSON.stringify(serializeManifests(manifests), null, 2) + '\n', 'utf8');
+}
+//# sourceMappingURL=manifest-io.js.map

package/dist/codegen/manifest-io.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest-io.js","sourceRoot":"","sources":["../../src/codegen/manifest-io.ts"],"names":[],"mappings":";AAAA,6EAA6E;AAC7E,EAAE;AACF,iFAAiF;AACjF,8EAA8E;AAC9E,6EAA6E;AAC7E,+EAA+E;;AAS/E,4CAoBC;AAGD,sCAIC;AAOD,gDAIC;AAOD,8CAMC;AA1DD,qCAA6E;AAC7E,yCAAoC;AAMpC,SAAgB,gBAAgB,CAAC,IAAY;IAC3C,IAAI,CAAC,IAAA,oBAAU,EAAC,IAAI,CAAC,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,oCAAoC,IAAI,EAAE,CAAC,CAAC;IAC9D,CAAC;IACD,MAAM,GAAG,GAAG,IAAA,sBAAY,EAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACvC,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,2BAA2B,IAAI,KAAM,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;IAC9E,CAAC;IACD,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;QAC/B,CAAC,CAAC,MAAM;QACR,CAAC,CAAE,MAAkC,EAAE,SAAS,CAAC;IACnD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CACb,WAAW,IAAI,iEAAiE,CACjF,CAAC;IACJ,CAAC;IACD,OAAO,GAA2B,CAAC;AACrC,CAAC;AAED,sFAAsF;AACtF,SAAgB,aAAa,CAAC,KAAe;IAC3C,MAAM,GAAG,GAAyB,EAAE,CAAC;IACrC,KAAK,MAAM,CAAC,IAAI,KAAK;QAAE,GAAG,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC;IACxD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;GAIG;AACH,SAAgB,kBAAkB,CAChC,SAA6B;IAE7B,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC;AAC/C,CAAC;AAED;;;;GAIG;AACH,SAAgB,iBAAiB,CAC/B,IAAY,EACZ,SAA6B;IAE7B,IAAA,mBAAS,EAAC,IAAA,mBAAO,EAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC9C,IAAA,uBAAa,EAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,kBAAkB,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC,CAAC;AAC7F,CAAC"}

package/dist/context/als.d.ts

@@ -0,0 +1,14 @@
+import { AsyncLocalStorage } from 'node:async_hooks';
+import type { AuthzContext } from './authz-context';
+/**
+ * Singleton ALS condivisa. Importata ovunque serva leggere/popolare il context.
+ *
+ * Esempio popolamento (middleware/guard):
+ *   authzAls.run(buildAuthzContext(req), () => next());
+ *
+ * Esempio lettura (repository/extension hook):
+ *   const ctx = authzAls.getStore();
+ *   if (!ctx) throw new UnscopedQueryException();
+ */
+export declare const authzAls: AsyncLocalStorage<AuthzContext>;
+//# sourceMappingURL=als.d.ts.map

package/dist/context/als.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"als.d.ts","sourceRoot":"","sources":["../../src/context/als.ts"],"names":[],"mappings":"AAeA,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAEpD;;;;;;;;;GASG;AACH,eAAO,MAAM,QAAQ,EAAE,iBAAiB,CAAC,YAAY,CACd,CAAC"}

package/dist/context/als.js

@@ -0,0 +1,30 @@
+"use strict";
+// Step 2 DEC-S2.17/24: AsyncLocalStorage condivisa tra gateway e downstream.
+// Pattern allineato a skillAuth/src/oidc/common/request-context.ts (esistente).
+//
+// Popolata:
+//   - Gateway: `AuthzContextMiddleware` post-JwtAuthGuard+TenantGuard, prima dei controller
+//   - Downstream (skillID/skillCertet): `InternalAuthGuard` post-verify JWT firmato (Step 6 DEC-S6.3)
+//     legge `snap` ref dal JWT, fetcha snapshot da Redis, popola contesto, runs handler dentro als.run().
+//
+// Letta:
+//   - ScopedRepository (Step 3)
+//   - Prisma extension hook $allOperations (Step 3 DEC-S3.6)
+//   - SecureQueryEngine (Step 5)
+//   - GlobalAuthzGuard (Step 6)
+//   - AuditEmitter (Step 7, quando attivato)
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authzAls = void 0;
+const node_async_hooks_1 = require("node:async_hooks");
+/**
+ * Singleton ALS condivisa. Importata ovunque serva leggere/popolare il context.
+ *
+ * Esempio popolamento (middleware/guard):
+ *   authzAls.run(buildAuthzContext(req), () => next());
+ *
+ * Esempio lettura (repository/extension hook):
+ *   const ctx = authzAls.getStore();
+ *   if (!ctx) throw new UnscopedQueryException();
+ */
+exports.authzAls = new node_async_hooks_1.AsyncLocalStorage();
+//# sourceMappingURL=als.js.map

package/dist/context/als.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"als.js","sourceRoot":"","sources":["../../src/context/als.ts"],"names":[],"mappings":";AAAA,6EAA6E;AAC7E,gFAAgF;AAChF,EAAE;AACF,YAAY;AACZ,4FAA4F;AAC5F,sGAAsG;AACtG,0GAA0G;AAC1G,EAAE;AACF,SAAS;AACT,gCAAgC;AAChC,6DAA6D;AAC7D,iCAAiC;AACjC,gCAAgC;AAChC,6CAA6C;;;AAE7C,uDAAqD;AAGrD;;;;;;;;;GASG;AACU,QAAA,QAAQ,GACnB,IAAI,oCAAiB,EAAgB,CAAC"}

package/dist/context/authz-context.d.ts

@@ -0,0 +1,54 @@
+import type { PrismaAbility } from '@casl/prisma';
+/**
+ * Path validi nei template `$ctx` dei resource manifest (Step 1).
+ * Usato come union literal per type-check compile-time dei manifest.
+ * Estendibile via codegen quando si aggiungono campi al context.
+ */
+export type CtxPath = 'userId' | 'individualId' | 'tenantId' | 'juridicalIndividualId' | `connected.${'studentsOfTeacher' | 'reportsOfManager' | 'pendingApprovalResourceIds' | 'customRelations'}` | `accreditedAs.${'provider' | 'customer'}.${'accreditationIds' | 'customerJuridicalIds' | 'providerJuridicalIds'}` | string;
+export interface ConnectedEdges {
+    studentsOfTeacher: string[];
+    reportsOfManager: string[];
+    pendingApprovalResourceIds: Record<string, string[]>;
+    customRelations?: Record<string, string[]>;
+}
+export interface AccreditedAs {
+    provider: {
+        accreditationIds: string[];
+        customerJuridicalIds: string[];
+    };
+    customer: {
+        accreditationIds: string[];
+        providerJuridicalIds: string[];
+    };
+}
+/**
+ * Contesto authz per una request. Vive in AsyncLocalStorage.
+ * Letto da: ScopedRepository, Prisma extension hook, GenQuery v2, GlobalAuthzGuard.
+ */
+export interface AuthzContext {
+    userId: string;
+    individualId?: string;
+    tenantId?: string;
+    juridicalIndividualId?: string;
+    /** Pre-calcolato da skillID nello snapshot builder (Step 4) */
+    connected: ConnectedEdges;
+    accreditedAs: AccreditedAs;
+    /** PrismaAbility hidratata da `createPrismaAbility(snapshot.rules)` */
+    ability: PrismaAbility<any>;
+    /** Snapshot identifier (Step 4) — propagato nei JWT NATS (Step 2 claim `snap`) */
+    snapId?: string;
+    /** Hash truncated 32 hex char (Step 4 DEC-S4.9) — JWT claim `ph` per sanity check */
+    permHash?: string;
+    /** Flag impostata da `runUnscoped()` (Step 3 DEC-S3.17). Hook check bypassa scope se true. */
+    unscoped?: boolean;
+    unscopedReason?: string;
+    /** Override action per lifecycle transition (Step 3 DEC-S3.15) */
+    actionOverride?: string;
+    /** Cache per-request `accessibleBy(ability, action)[subject]` (Step 3 DEC-S3.25) */
+    accessibleByCache?: Map<string, unknown>;
+    /** Modalità soft-delete (Step 3 DEC-S3.11): default null, opt-in 'include-deleted'/'only-deleted' */
+    softDeleteMode?: 'normal' | 'include-deleted' | 'only-deleted';
+}
+/** Context vuoto usato come baseline da `runUnscoped()` quando non c'è parent context. */
+export declare const EMPTY_CTX: AuthzContext;
+//# sourceMappingURL=authz-context.d.ts.map

package/dist/context/authz-context.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authz-context.d.ts","sourceRoot":"","sources":["../../src/context/authz-context.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAElD;;;;GAIG;AACH,MAAM,MAAM,OAAO,GACf,QAAQ,GACR,cAAc,GACd,UAAU,GACV,uBAAuB,GACvB,aACI,mBAAmB,GACnB,kBAAkB,GAClB,4BAA4B,GAC5B,iBAAiB,EAAE,GACvB,gBAAgB,UAAU,GAAG,UAAU,IACnC,kBAAkB,GAClB,sBAAsB,GACtB,sBAAsB,EAAE,GAC5B,MAAM,CAAC;AAEX,MAAM,WAAW,cAAc;IAC7B,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,0BAA0B,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IACrD,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;CAC5C;AAED,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE;QACR,gBAAgB,EAAE,MAAM,EAAE,CAAC;QAC3B,oBAAoB,EAAE,MAAM,EAAE,CAAC;KAChC,CAAC;IACF,QAAQ,EAAE;QACR,gBAAgB,EAAE,MAAM,EAAE,CAAC;QAC3B,oBAAoB,EAAE,MAAM,EAAE,CAAC;KAChC,CAAC;CACH;AAED;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAE/B,+DAA+D;IAC/D,SAAS,EAAE,cAAc,CAAC;IAC1B,YAAY,EAAE,YAAY,CAAC;IAE3B,uEAAuE;IACvE,OAAO,EAAE,aAAa,CAAC,GAAG,CAAC,CAAC;IAE5B,kFAAkF;IAClF,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,qFAAqF;IACrF,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,8FAA8F;IAC9F,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB,kEAAkE;IAClE,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB,oFAAoF;IACpF,iBAAiB,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAEzC,qGAAqG;IACrG,cAAc,CAAC,EAAE,QAAQ,GAAG,iBAAiB,GAAG,cAAc,CAAC;CAChE;AAED,0FAA0F;AAC1F,eAAO,MAAM,SAAS,EAAE,YAcvB,CAAC"}

package/dist/context/authz-context.js

@@ -0,0 +1,24 @@
+"use strict";
+// Step 2 DEC-S2.17 / Step 4 DEC-S4.1
+// AuthzContext: il payload che vive in ALS per ogni request.
+// Popolato dal middleware al gateway (post-snapshot-fetch) e dal verifier al downstream
+// (post-JWT-verify + post-snapshot-fetch-via-snapId).
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EMPTY_CTX = void 0;
+/** Context vuoto usato come baseline da `runUnscoped()` quando non c'è parent context. */
+exports.EMPTY_CTX = {
+    userId: '__system__',
+    connected: {
+        studentsOfTeacher: [],
+        reportsOfManager: [],
+        pendingApprovalResourceIds: {},
+    },
+    accreditedAs: {
+        provider: { accreditationIds: [], customerJuridicalIds: [] },
+        customer: { accreditationIds: [], providerJuridicalIds: [] },
+    },
+    ability: null,
+    unscoped: true,
+    unscopedReason: 'system-bootstrap',
+};
+//# sourceMappingURL=authz-context.js.map

package/dist/context/authz-context.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authz-context.js","sourceRoot":"","sources":["../../src/context/authz-context.ts"],"names":[],"mappings":";AAAA,qCAAqC;AACrC,6DAA6D;AAC7D,wFAAwF;AACxF,sDAAsD;;;AA+EtD,0FAA0F;AAC7E,QAAA,SAAS,GAAiB;IACrC,MAAM,EAAE,YAAY;IACpB,SAAS,EAAE;QACT,iBAAiB,EAAE,EAAE;QACrB,gBAAgB,EAAE,EAAE;QACpB,0BAA0B,EAAE,EAAE;KAC/B;IACD,YAAY,EAAE;QACZ,QAAQ,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,oBAAoB,EAAE,EAAE,EAAE;QAC5D,QAAQ,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,oBAAoB,EAAE,EAAE,EAAE;KAC7D;IACD,OAAO,EAAE,IAAqC;IAC9C,QAAQ,EAAE,IAAI;IACd,cAAc,EAAE,kBAAkB;CACnC,CAAC"}

package/dist/define-resource.d.ts

@@ -0,0 +1,150 @@
+import type { CtxPath } from './context/authz-context';
+/** Placeholder $ctx nei template scope. Sostituito a build-time snapshot dal builder skillID. */
+export type CtxPlaceholder = {
+    $ctx: CtxPath;
+};
+export type DeepPartial<T> = {
+    [K in keyof T]?: T[K] extends object ? DeepPartial<T[K]> : T[K];
+};
+/**
+ * Template Prisma WhereInput con segnaposti `{ $ctx: 'path' }` al posto dei valori.
+ * Esempio:
+ *   { juridicalId: { $ctx: 'tenantId' } }
+ *   → al snapshot build diventa { juridicalId: '<actual tenantId>' }
+ */
+export type WhereTemplate<W> = DeepPartial<W | {
+    [k: string]: CtxPlaceholder | any;
+}>;
+/**
+ * 5 kind di tenancy (Step 1 DEC-6/7/8/9/10 con scope ristretto):
+ * - single: standard `juridicalId` required (es. JuridicalIndividual)
+ * - multiRef: N FK juridical OR-uniti (es. Planning, JuridicalAccreditation)
+ * - transitive: ereditata via single relation (es. Certificate via IndividualDocument)
+ * - inheritFrom: ereditata via relation chain multi-hop (junction, PlanningResult deep)
+ * - global: nessuna tenancy (catalog, top-level masters)
+ */
+export type TenancyDecl = {
+    kind: 'single';
+    field: string;
+} | {
+    kind: 'multiRef';
+    fields: string[];
+    relation: 'AND' | 'OR';
+} | {
+    kind: 'transitive';
+    via: string;
+    through: string;
+    field: string;
+} | {
+    kind: 'inheritFrom';
+    relation: string;
+    field?: string;
+} | {
+    kind: 'global';
+};
+/** Step 1 DEC-11: ownership sempre array, multi-actor distinto per role. */
+export type OwnershipDecl = {
+    field: string;
+    actor: 'individualId' | 'juridicalIndividualId' | 'userId';
+    role?: 'submitter' | 'reviewer' | 'approver' | 'methodologist' | 'releaser' | 'actor';
+};
+/** Step 1 DEC-15/DEC-S3.21: lifecycle state machine inline nel manifest. */
+export type LifecycleDecl<S extends string> = {
+    field: string;
+    initial: S;
+    states: readonly S[];
+    transitions: Record<string, {
+        from: readonly S[];
+        to: S;
+        requires?: ('TENANT' | 'OWN' | 'CONNECTED')[];
+    }>;
+};
+/** Step 1 DEC-21 + Step 5: autoquery allowlist whitelist tassativa. */
+export type AutoqueryDecl = {
+    filterable: Record<string, readonly ('eq' | 'in' | 'contains' | 'gte' | 'lte' | 'gt' | 'lt' | 'between' | 'null')[]>;
+    sortable: readonly string[];
+    includable: readonly string[];
+    pagination: {
+        default: number;
+        max: number;
+        cursorRequiredOver?: number;
+        /** Step 5 DEC-S5.10: opt-in per autorizzare paginazione unbounded. Default false. */
+        allowUnbounded?: boolean;
+    };
+    /** Step 5 DEC-S5.31: default sort se client non passa orderBy. Fallback {id:'desc'}. */
+    defaultSort?: {
+        field: string;
+        order: 'asc' | 'desc';
+    };
+};
+export type AuditDecl = {
+    create?: 'always' | 'never';
+    update?: 'always' | 'never' | 'fields';
+    delete?: 'always';
+    custom?: string[];
+    /** Step 7 DEC-S7.7: campi che richiedono PII redaction nei log. */
+    piiFields?: string[];
+    /** Step 7 EDGE-S7.8: cattura diff before/after nei mutate. Default false. */
+    captureDiff?: boolean;
+};
+export interface ResourceManifest<W = any, S extends string = string, ST extends string = string> {
+    /** CASL Subject literal — es. 'JuridicalIndividual' */
+    subject: S;
+    /** Prisma model name camelCase — es. 'juridicalIndividual' */
+    prismaModel: string;
+    /** Step 1 DEC-5: union literal stretto */
+    service: 'skillAuth' | 'skillID' | 'skillCertet';
+    tenancy: TenancyDecl;
+    ownership?: OwnershipDecl[];
+    /** Cross-tenant link (JuridicalAccreditation) — provider/customer field names */
+    external?: {
+        providerField: string;
+        customerField: string;
+    };
+    /**
+     * Step 1 DEC-25a / DEC-S5.16 (codegen): polymorphic dispatch (e.g. ApprovalRequest).
+     * Values are OTHER subjects (the target resources), not this resource's own subject,
+     * so they are plain subject strings — validated against the registry by `authz:check`.
+     */
+    polymorphicMap?: Record<string, string>;
+    /**
+     * Step 1 DEC-12/27: nested children — standalone findMany BLOCKED. `parent`/`rootSubject`
+     * reference OTHER subjects (the ancestor resources), hence subject strings (not `S`).
+     */
+    nested?: {
+        parent: string;
+        via: string;
+        rootSubject?: string;
+    };
+    /** Step 1 DEC-23: default attivo {field:'deletedAt', restoreAction:'restore'} */
+    softDelete?: false | {
+        field?: 'deletedAt';
+        restoreAction?: string;
+    };
+    lifecycle?: LifecycleDecl<ST>;
+    /** Lista actions consentite. Step 1 DEC-17: lifecycle verbs auto-aggiunti da framework. */
+    actions: readonly string[];
+    /** Scope templates per i 6 scope CASL. Sostituiti a build-time snapshot. */
+    scopes: Partial<Record<'TENANT' | 'OWN' | 'CONNECTED' | 'PROVIDER' | 'CUSTOMER' | 'GLOBAL', WhereTemplate<W>>>;
+    autoquery: AutoqueryDecl;
+    audit?: AuditDecl;
+    documentation?: {
+        description: string;
+        owner: string;
+    };
+}
+/**
+ * Identity function generica. Type inference vincola scope templates a essere
+ * strutturalmente compatibili con `Prisma.<Model>WhereInput`.
+ *
+ * Esempio:
+ *   export const CourseResource = defineResource<Prisma.CourseWhereInput, 'Course'>({
+ *     subject: 'Course',
+ *     prismaModel: 'course',
+ *     service: 'skillID',
+ *     tenancy: { kind: 'single', field: 'juridicalId' },
+ *     // ...
+ *   });
+ */
+export declare function defineResource<W = any, S extends string = string, ST extends string = string>(manifest: ResourceManifest<W, S, ST>): ResourceManifest<W, S, ST>;
+//# sourceMappingURL=define-resource.d.ts.map

package/dist/define-resource.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"define-resource.d.ts","sourceRoot":"","sources":["../src/define-resource.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAEvD,iGAAiG;AACjG,MAAM,MAAM,cAAc,GAAG;IAAE,IAAI,EAAE,OAAO,CAAA;CAAE,CAAC;AAE/C,MAAM,MAAM,WAAW,CAAC,CAAC,IAAI;KAC1B,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,MAAM,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CAChE,CAAC;AAEF;;;;;GAKG;AACH,MAAM,MAAM,aAAa,CAAC,CAAC,IAAI,WAAW,CAAC,CAAC,GAAG;IAAE,CAAC,CAAC,EAAE,MAAM,GAAG,cAAc,GAAG,GAAG,CAAA;CAAE,CAAC,CAAC;AAEtF;;;;;;;GAOG;AACH,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,QAAQ,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GACjC;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAC;IAAC,QAAQ,EAAE,KAAK,GAAG,IAAI,CAAA;CAAE,GAC9D;IAAE,IAAI,EAAE,YAAY,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GACnE;IAAE,IAAI,EAAE,aAAa,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GACzD;IAAE,IAAI,EAAE,QAAQ,CAAA;CAAE,CAAC;AAEvB,4EAA4E;AAC5E,MAAM,MAAM,aAAa,GAAG;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,cAAc,GAAG,uBAAuB,GAAG,QAAQ,CAAC;IAC3D,IAAI,CAAC,EACD,WAAW,GACX,UAAU,GACV,UAAU,GACV,eAAe,GACf,UAAU,GACV,OAAO,CAAC;CACb,CAAC;AAEF,4EAA4E;AAC5E,MAAM,MAAM,aAAa,CAAC,CAAC,SAAS,MAAM,IAAI;IAC5C,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,CAAC,CAAC;IACX,MAAM,EAAE,SAAS,CAAC,EAAE,CAAC;IACrB,WAAW,EAAE,MAAM,CACjB,MAAM,EACN;QAAE,IAAI,EAAE,SAAS,CAAC,EAAE,CAAC;QAAC,EAAE,EAAE,CAAC,CAAC;QAAC,QAAQ,CAAC,EAAE,CAAC,QAAQ,GAAG,KAAK,GAAG,WAAW,CAAC,EAAE,CAAA;KAAE,CAC7E,CAAC;CACH,CAAC;AAEF,uEAAuE;AACvE,MAAM,MAAM,aAAa,GAAG;IAC1B,UAAU,EAAE,MAAM,CAChB,MAAM,EACN,SAAS,CACL,IAAI,GACJ,IAAI,GACJ,UAAU,GACV,KAAK,GACL,KAAK,GACL,IAAI,GACJ,IAAI,GACJ,SAAS,GACT,MAAM,CACT,EAAE,CACJ,CAAC;IACF,QAAQ,EAAE,SAAS,MAAM,EAAE,CAAC;IAC5B,UAAU,EAAE,SAAS,MAAM,EAAE,CAAC;IAC9B,UAAU,EAAE;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,GAAG,EAAE,MAAM,CAAC;QACZ,kBAAkB,CAAC,EAAE,MAAM,CAAC;QAC5B,qFAAqF;QACrF,cAAc,CAAC,EAAE,OAAO,CAAC;KAC1B,CAAC;IACF,wFAAwF;IACxF,WAAW,CAAC,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,KAAK,GAAG,MAAM,CAAA;KAAE,CAAC;CACxD,CAAC;AAEF,MAAM,MAAM,SAAS,GAAG;IACtB,MAAM,CAAC,EAAE,QAAQ,GAAG,OAAO,CAAC;IAC5B,MAAM,CAAC,EAAE,QAAQ,GAAG,OAAO,GAAG,QAAQ,CAAC;IACvC,MAAM,CAAC,EAAE,QAAQ,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,mEAAmE;IACnE,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,6EAA6E;IAC7E,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB,CAAC;AAEF,MAAM,WAAW,gBAAgB,CAAC,CAAC,GAAG,GAAG,EAAE,CAAC,SAAS,MAAM,GAAG,MAAM,EAAE,EAAE,SAAS,MAAM,GAAG,MAAM;IAC9F,uDAAuD;IACvD,OAAO,EAAE,CAAC,CAAC;IACX,8DAA8D;IAC9D,WAAW,EAAE,MAAM,CAAC;IACpB,0CAA0C;IAC1C,OAAO,EAAE,WAAW,GAAG,SAAS,GAAG,aAAa,CAAC;IAEjD,OAAO,EAAE,WAAW,CAAC;IACrB,SAAS,CAAC,EAAE,aAAa,EAAE,CAAC;IAE5B,iFAAiF;IACjF,QAAQ,CAAC,EAAE;QAAE,aAAa,EAAE,MAAM,CAAC;QAAC,aAAa,EAAE,MAAM,CAAA;KAAE,CAAC;IAE5D;;;;OAIG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAExC;;;OAGG;IACH,MAAM,CAAC,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAE/D,iFAAiF;IACjF,UAAU,CAAC,EAAE,KAAK,GAAG;QAAE,KAAK,CAAC,EAAE,WAAW,CAAC;QAAC,aAAa,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAErE,SAAS,CAAC,EAAE,aAAa,CAAC,EAAE,CAAC,CAAC;IAE9B,2FAA2F;IAC3F,OAAO,EAAE,SAAS,MAAM,EAAE,CAAC;IAE3B,4EAA4E;IAC5E,MAAM,EAAE,OAAO,CACb,MAAM,CACJ,QAAQ,GAAG,KAAK,GAAG,WAAW,GAAG,UAAU,GAAG,UAAU,GAAG,QAAQ,EACnE,aAAa,CAAC,CAAC,CAAC,CACjB,CACF,CAAC;IAEF,SAAS,EAAE,aAAa,CAAC;IACzB,KAAK,CAAC,EAAE,SAAS,CAAC;IAElB,aAAa,CAAC,EAAE;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;CACxD;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,cAAc,CAC5B,CAAC,GAAG,GAAG,EACP,CAAC,SAAS,MAAM,GAAG,MAAM,EACzB,EAAE,SAAS,MAAM,GAAG,MAAM,EAC1B,QAAQ,EAAE,gBAAgB,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,gBAAgB,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAElE"}