@generazioneai/authz 0.0.1

package/dist/nest/authz-context.interceptor.js

@@ -0,0 +1,47 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthzContextInterceptor = void 0;
+// Step 2 DEC-S2.17 (corrected) — gateway-side ALS populator.
+//
+// NestJS middleware runs BEFORE guards, so it can't see req.userId (set by JwtAuthGuard).
+// An interceptor runs AFTER guards, so it can read the authenticated request and run the
+// handler — including any downstream NATS .send() made by the NatsScopedClientProxy signer —
+// inside authzAls.run(). Register globally at the gateway (only needed when signing is on).
+const common_1 = require("@nestjs/common");
+const rxjs_1 = require("rxjs");
+const als_1 = require("../context/als");
+let AuthzContextInterceptor = class AuthzContextInterceptor {
+    intercept(context, next) {
+        if (context.getType() !== 'http')
+            return next.handle();
+        const req = context.switchToHttp().getRequest();
+        if (!req?.userId)
+            return next.handle(); // public/unauthenticated route → no context
+        const ctx = {
+            userId: req.userId,
+            individualId: req.individualId,
+            juridicalIndividualId: req.juridicalIndividualId,
+            tenantId: req.tenantId ?? req.actingJuridicalId,
+            snapId: req.snapId,
+            permHash: req.permHash,
+            connected: { studentsOfTeacher: [], reportsOfManager: [], pendingApprovalResourceIds: {} },
+            accreditedAs: {
+                provider: { accreditationIds: [], customerJuridicalIds: [] },
+                customer: { accreditationIds: [], providerJuridicalIds: [] },
+            },
+            ability: null,
+        };
+        return new rxjs_1.Observable((subscriber) => als_1.authzAls.run(ctx, () => next.handle().subscribe(subscriber)));
+    }
+};
+exports.AuthzContextInterceptor = AuthzContextInterceptor;
+exports.AuthzContextInterceptor = AuthzContextInterceptor = __decorate([
+    (0, common_1.Injectable)()
+], AuthzContextInterceptor);
+//# sourceMappingURL=authz-context.interceptor.js.map

package/dist/nest/authz-context.interceptor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authz-context.interceptor.js","sourceRoot":"","sources":["../../src/nest/authz-context.interceptor.ts"],"names":[],"mappings":";;;;;;;;;AAAA,6DAA6D;AAC7D,EAAE;AACF,0FAA0F;AAC1F,yFAAyF;AACzF,6FAA6F;AAC7F,4FAA4F;AAC5F,2CAKwB;AACxB,+BAAkC;AAClC,wCAA0C;AAKnC,IAAM,uBAAuB,GAA7B,MAAM,uBAAuB;IAClC,SAAS,CAAC,OAAyB,EAAE,IAAiB;QACpD,IAAI,OAAO,CAAC,OAAO,EAAE,KAAK,MAAM;YAAE,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;QAEvD,MAAM,GAAG,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAsB,CAAC;QACpE,IAAI,CAAC,GAAG,EAAE,MAAM;YAAE,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,4CAA4C;QAEpF,MAAM,GAAG,GAAiB;YACxB,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,YAAY,EAAE,GAAG,CAAC,YAAY;YAC9B,qBAAqB,EAAE,GAAG,CAAC,qBAAqB;YAChD,QAAQ,EAAE,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,iBAAiB;YAC/C,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,SAAS,EAAE,EAAE,iBAAiB,EAAE,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,0BAA0B,EAAE,EAAE,EAAE;YAC1F,YAAY,EAAE;gBACZ,QAAQ,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,oBAAoB,EAAE,EAAE,EAAE;gBAC5D,QAAQ,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,oBAAoB,EAAE,EAAE,EAAE;aAC7D;YACD,OAAO,EAAE,IAA0C;SACpD,CAAC;QAEF,OAAO,IAAI,iBAAU,CAAC,CAAC,UAAU,EAAE,EAAE,CACnC,cAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,CAC7D,CAAC;IACJ,CAAC;CACF,CAAA;AA1BY,0DAAuB;kCAAvB,uBAAuB;IADnC,IAAA,mBAAU,GAAE;GACA,uBAAuB,CA0BnC"}

package/dist/nest/authz-context.middleware.d.ts

@@ -0,0 +1,15 @@
+import { type NestMiddleware } from '@nestjs/common';
+/** Shape of the request fields the upstream auth guards populate. */
+export interface AuthzRequestFields {
+    userId?: string;
+    individualId?: string;
+    juridicalIndividualId?: string;
+    tenantId?: string;
+    actingJuridicalId?: string;
+    snapId?: string;
+    permHash?: string;
+}
+export declare class AuthzContextMiddleware implements NestMiddleware {
+    use(req: AuthzRequestFields, _res: unknown, next: () => void): void;
+}
+//# sourceMappingURL=authz-context.middleware.d.ts.map

package/dist/nest/authz-context.middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authz-context.middleware.d.ts","sourceRoot":"","sources":["../../src/nest/authz-context.middleware.ts"],"names":[],"mappings":"AAKA,OAAO,EAAc,KAAK,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAIjE,qEAAqE;AACrE,MAAM,WAAW,kBAAkB;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,qBACa,sBAAuB,YAAW,cAAc;IAC3D,GAAG,CAAC,GAAG,EAAE,kBAAkB,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,IAAI,GAAG,IAAI;CAiBpE"}

package/dist/nest/authz-context.middleware.js

@@ -0,0 +1,40 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthzContextMiddleware = void 0;
+// Step 2 DEC-S2.17 — gateway middleware that seeds the authz ALS from the HTTP request.
+//
+// Runs after the auth guards (which set req.userId / req.actingJuridicalId / etc.), so the
+// NatsScopedClientProxy signer (and Step 3 ScopedRepository) can read the context via ALS
+// for any downstream NATS call made during the request — including outside the controller.
+const common_1 = require("@nestjs/common");
+const als_1 = require("../context/als");
+let AuthzContextMiddleware = class AuthzContextMiddleware {
+    use(req, _res, next) {
+        const ctx = {
+            userId: req.userId,
+            individualId: req.individualId,
+            juridicalIndividualId: req.juridicalIndividualId,
+            tenantId: req.tenantId ?? req.actingJuridicalId,
+            snapId: req.snapId,
+            permHash: req.permHash,
+            connected: { studentsOfTeacher: [], reportsOfManager: [], pendingApprovalResourceIds: {} },
+            accreditedAs: {
+                provider: { accreditationIds: [], customerJuridicalIds: [] },
+                customer: { accreditationIds: [], providerJuridicalIds: [] },
+            },
+            ability: null,
+        };
+        als_1.authzAls.run(ctx, () => next());
+    }
+};
+exports.AuthzContextMiddleware = AuthzContextMiddleware;
+exports.AuthzContextMiddleware = AuthzContextMiddleware = __decorate([
+    (0, common_1.Injectable)()
+], AuthzContextMiddleware);
+//# sourceMappingURL=authz-context.middleware.js.map

package/dist/nest/authz-context.middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authz-context.middleware.js","sourceRoot":"","sources":["../../src/nest/authz-context.middleware.ts"],"names":[],"mappings":";;;;;;;;;AAAA,wFAAwF;AACxF,EAAE;AACF,2FAA2F;AAC3F,0FAA0F;AAC1F,2FAA2F;AAC3F,2CAAiE;AACjE,wCAA0C;AAenC,IAAM,sBAAsB,GAA5B,MAAM,sBAAsB;IACjC,GAAG,CAAC,GAAuB,EAAE,IAAa,EAAE,IAAgB;QAC1D,MAAM,GAAG,GAAiB;YACxB,MAAM,EAAE,GAAG,CAAC,MAAgB;YAC5B,YAAY,EAAE,GAAG,CAAC,YAAY;YAC9B,qBAAqB,EAAE,GAAG,CAAC,qBAAqB;YAChD,QAAQ,EAAE,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,iBAAiB;YAC/C,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,SAAS,EAAE,EAAE,iBAAiB,EAAE,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,0BAA0B,EAAE,EAAE,EAAE;YAC1F,YAAY,EAAE;gBACZ,QAAQ,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,oBAAoB,EAAE,EAAE,EAAE;gBAC5D,QAAQ,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,oBAAoB,EAAE,EAAE,EAAE;aAC7D;YACD,OAAO,EAAE,IAA0C;SACpD,CAAC;QACF,cAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;IAClC,CAAC;CACF,CAAA;AAlBY,wDAAsB;iCAAtB,sBAAsB;IADlC,IAAA,mBAAU,GAAE;GACA,sBAAsB,CAkBlC"}

package/dist/nest/index.d.ts

@@ -0,0 +1,6 @@
+export * from './skip-internal-auth.decorator';
+export * from './nats-scoped-client.proxy';
+export * from './internal-auth.interceptor';
+export * from './authz-context.middleware';
+export * from './authz-context.interceptor';
+//# sourceMappingURL=index.d.ts.map

package/dist/nest/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/nest/index.ts"],"names":[],"mappings":"AAGA,cAAc,gCAAgC,CAAC;AAC/C,cAAc,4BAA4B,CAAC;AAC3C,cAAc,6BAA6B,CAAC;AAC5C,cAAc,4BAA4B,CAAC;AAC3C,cAAc,6BAA6B,CAAC"}

package/dist/nest/index.js

@@ -0,0 +1,25 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+// @generazioneai/authz/nest — Step 2 NestJS integration (imports the @nestjs/* runtime).
+// Kept out of the main barrel + ./nats so Step-1-only consumers and the jest tests
+// don't pull the NestJS runtime.
+__exportStar(require("./skip-internal-auth.decorator"), exports);
+__exportStar(require("./nats-scoped-client.proxy"), exports);
+__exportStar(require("./internal-auth.interceptor"), exports);
+__exportStar(require("./authz-context.middleware"), exports);
+__exportStar(require("./authz-context.interceptor"), exports);
+//# sourceMappingURL=index.js.map

package/dist/nest/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/nest/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,yFAAyF;AACzF,mFAAmF;AACnF,iCAAiC;AACjC,iEAA+C;AAC/C,6DAA2C;AAC3C,8DAA4C;AAC5C,6DAA2C;AAC3C,8DAA4C"}

package/dist/nest/internal-auth.interceptor.d.ts

@@ -0,0 +1,29 @@
+import { type CallHandler, type ExecutionContext, type NestInterceptor } from '@nestjs/common';
+import type { Reflector } from '@nestjs/core';
+import { Observable } from 'rxjs';
+import { type VerificationKey } from '../nats/internal-token';
+import type { ReplayCache } from '../nats/replay-cache';
+export type InternalAuthMode = 'off' | 'shadow' | 'enforce';
+export interface InternalAuthOptions {
+    jwks: VerificationKey;
+    replay: ReplayCache;
+    /** This service's audience: 'skillID' | 'skillCertet'. */
+    serviceName: string;
+    reflector: Reflector;
+    /** Default reads AUTHZ_INTERNAL_AUTH_MODE, falling back to 'off'. */
+    mode?: InternalAuthMode;
+    /** Compare the token cmd against the NATS subject. Default true. */
+    strictCmd?: boolean;
+}
+export declare class InternalAuthInterceptor implements NestInterceptor {
+    private readonly opts;
+    private readonly logger;
+    private readonly mode;
+    constructor(opts: InternalAuthOptions);
+    intercept(context: ExecutionContext, next: CallHandler): Observable<unknown>;
+    /** Returns the ALS context on success; in shadow mode returns null on failure (pass). */
+    private verify;
+    private stripToken;
+    private tryGetSubject;
+}
+//# sourceMappingURL=internal-auth.interceptor.d.ts.map

package/dist/nest/internal-auth.interceptor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"internal-auth.interceptor.d.ts","sourceRoot":"","sources":["../../src/nest/internal-auth.interceptor.ts"],"names":[],"mappings":"AAcA,OAAO,EAGL,KAAK,WAAW,EAChB,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACrB,MAAM,gBAAgB,CAAC;AAExB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAQ,MAAM,MAAM,CAAC;AAIxC,OAAO,EAOL,KAAK,eAAe,EACrB,MAAM,wBAAwB,CAAC;AAChC,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAGxD,MAAM,MAAM,gBAAgB,GAAG,KAAK,GAAG,QAAQ,GAAG,SAAS,CAAC;AAE5D,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,eAAe,CAAC;IACtB,MAAM,EAAE,WAAW,CAAC;IACpB,0DAA0D;IAC1D,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,SAAS,CAAC;IACrB,qEAAqE;IACrE,IAAI,CAAC,EAAE,gBAAgB,CAAC;IACxB,oEAAoE;IACpE,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AA8BD,qBACa,uBAAwB,YAAW,eAAe;IAIjD,OAAO,CAAC,QAAQ,CAAC,IAAI;IAHjC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAA8B;IACrD,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAmB;gBAEX,IAAI,EAAE,mBAAmB;IAKtD,SAAS,CAAC,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC;IA8B5E,yFAAyF;YAC3E,MAAM;IAmCpB,OAAO,CAAC,UAAU;IAKlB,OAAO,CAAC,aAAa;CAItB"}

package/dist/nest/internal-auth.interceptor.js

@@ -0,0 +1,140 @@
+"use strict";
+// Step 2 DEC-S2.22/23/25 + Step 6 (mode) — downstream global interceptor that verifies
+// the internal NATS JWT on every @MessagePattern, then runs the handler inside the authz
+// ALS context.
+//
+// Registered in each downstream service's main.ts:
+//   app.useGlobalInterceptors(new InternalAuthInterceptor({ jwks, replay, serviceName, reflector }))
+//
+// Rollout-safe via AUTHZ_INTERNAL_AUTH_MODE (default 'off'):
+//   off     → strip _internalJwt (so forbidNonWhitelisted validation never trips during a
+//             mixed-version window) and pass. No verification, no ALS. Zero behaviour change.
+//   shadow  → verify + log failures (authz_internal_token_verify_total) but NEVER reject;
+//             populate ALS on success. Measures readiness before enforcing.
+//   enforce → verify and REJECT (fail-closed) on any missing/invalid/tampered/replayed token.
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InternalAuthInterceptor = void 0;
+const common_1 = require("@nestjs/common");
+const microservices_1 = require("@nestjs/microservices");
+const rxjs_1 = require("rxjs");
+const operators_1 = require("rxjs/operators");
+const als_1 = require("../context/als");
+const internal_token_1 = require("../nats/internal-token");
+const skip_internal_auth_decorator_1 = require("./skip-internal-auth.decorator");
+function subjectToCmd(subject) {
+    if (!subject)
+        return undefined;
+    try {
+        const parsed = JSON.parse(subject);
+        if (parsed && typeof parsed.cmd === 'string')
+            return parsed.cmd;
+    }
+    catch {
+        /* not JSON — use raw subject */
+    }
+    return subject;
+}
+function claimsToContext(claims) {
+    return {
+        userId: claims.sub,
+        juridicalIndividualId: claims.ji,
+        tenantId: claims.tnt,
+        snapId: claims.snap,
+        permHash: claims.ph,
+        // connected/accreditedAs/ability are hydrated by the Step 4 snapshot resolver.
+        connected: { studentsOfTeacher: [], reportsOfManager: [], pendingApprovalResourceIds: {} },
+        accreditedAs: {
+            provider: { accreditationIds: [], customerJuridicalIds: [] },
+            customer: { accreditationIds: [], providerJuridicalIds: [] },
+        },
+        ability: null,
+    };
+}
+let InternalAuthInterceptor = class InternalAuthInterceptor {
+    constructor(opts) {
+        this.opts = opts;
+        this.logger = new common_1.Logger('InternalAuth');
+        this.mode =
+            opts.mode ?? process.env.AUTHZ_INTERNAL_AUTH_MODE ?? 'off';
+    }
+    intercept(context, next) {
+        if (context.getType() !== 'rpc')
+            return next.handle(); // HTTP no-op
+        if (this.mode === 'off') {
+            // Strip the field if a (signing) gateway is already attaching it, so the
+            // downstream ValidationPipe(forbidNonWhitelisted) doesn't 400. No verification.
+            this.stripToken(context);
+            return next.handle();
+        }
+        const skip = this.opts.reflector.getAllAndOverride(skip_internal_auth_decorator_1.SKIP_INTERNAL_AUTH_KEY, [
+            context.getHandler(),
+            context.getClass(),
+        ]);
+        if (skip) {
+            this.stripToken(context);
+            return next.handle();
+        }
+        return (0, rxjs_1.from)(this.verify(context)).pipe((0, operators_1.mergeMap)((authCtx) => authCtx
+            ? new rxjs_1.Observable((subscriber) => als_1.authzAls.run(authCtx, () => next.handle().subscribe(subscriber)))
+            : next.handle()));
+    }
+    /** Returns the ALS context on success; in shadow mode returns null on failure (pass). */
+    async verify(context) {
+        const rpc = context.switchToRpc();
+        const data = rpc.getData();
+        const cmd = subjectToCmd(this.tryGetSubject(rpc));
+        try {
+            const jwt = data && data[internal_token_1.INTERNAL_JWT_FIELD];
+            if (!jwt)
+                throw new internal_token_1.InternalAuthError('missing', 'internal auth token absent');
+            const claims = await (0, internal_token_1.verifyInternalToken)(jwt, this.opts.jwks, this.opts.serviceName);
+            delete data[internal_token_1.INTERNAL_JWT_FIELD];
+            (0, internal_token_1.assertBodyHash)(claims, data ?? {});
+            if (this.opts.strictCmd !== false && cmd)
+                (0, internal_token_1.assertCmd)(claims, cmd);
+            let first;
+            try {
+                first = await this.opts.replay.firstSeen(claims.jti);
+            }
+            catch (e) {
+                throw new internal_token_1.InternalAuthError('backend', `replay backend unavailable: ${e.message}`);
+            }
+            if (!first)
+                throw new internal_token_1.InternalAuthError('replay', `jti '${claims.jti}' already used`);
+            return claimsToContext(claims);
+        }
+        catch (e) {
+            const reason = e instanceof internal_token_1.InternalAuthError ? e.reason : 'sig';
+            if (this.mode === 'shadow') {
+                this.logger.warn(`shadow would-deny [${reason}] cmd=${cmd ?? '?'}: ${e.message}`);
+                this.stripToken(context); // keep payload clean for the handler
+                return null;
+            }
+            throw new microservices_1.RpcException({ code: 'INTERNAL_AUTH', reason, message: e.message });
+        }
+    }
+    stripToken(context) {
+        const data = context.switchToRpc().getData();
+        if (data && internal_token_1.INTERNAL_JWT_FIELD in data)
+            delete data[internal_token_1.INTERNAL_JWT_FIELD];
+    }
+    tryGetSubject(rpc) {
+        const ctx = rpc.getContext();
+        return typeof ctx?.getSubject === 'function' ? ctx.getSubject() : undefined;
+    }
+};
+exports.InternalAuthInterceptor = InternalAuthInterceptor;
+exports.InternalAuthInterceptor = InternalAuthInterceptor = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [Object])
+], InternalAuthInterceptor);
+//# sourceMappingURL=internal-auth.interceptor.js.map

package/dist/nest/internal-auth.interceptor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"internal-auth.interceptor.js","sourceRoot":"","sources":["../../src/nest/internal-auth.interceptor.ts"],"names":[],"mappings":";AAAA,uFAAuF;AACvF,yFAAyF;AACzF,eAAe;AACf,EAAE;AACF,mDAAmD;AACnD,qGAAqG;AACrG,EAAE;AACF,6DAA6D;AAC7D,0FAA0F;AAC1F,8FAA8F;AAC9F,0FAA0F;AAC1F,4EAA4E;AAC5E,8FAA8F;;;;;;;;;;;;AAE9F,2CAMwB;AACxB,yDAAqD;AAErD,+BAAwC;AACxC,8CAA0C;AAC1C,wCAA0C;AAE1C,2DAQgC;AAEhC,iFAAwE;AAgBxE,SAAS,YAAY,CAAC,OAA2B;IAC/C,IAAI,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAC/B,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACnC,IAAI,MAAM,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ;YAAE,OAAO,MAAM,CAAC,GAAG,CAAC;IAClE,CAAC;IAAC,MAAM,CAAC;QACP,gCAAgC;IAClC,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,eAAe,CAAC,MAAsB;IAC7C,OAAO;QACL,MAAM,EAAE,MAAM,CAAC,GAAG;QAClB,qBAAqB,EAAE,MAAM,CAAC,EAAE;QAChC,QAAQ,EAAE,MAAM,CAAC,GAAG;QACpB,MAAM,EAAE,MAAM,CAAC,IAAI;QACnB,QAAQ,EAAE,MAAM,CAAC,EAAE;QACnB,+EAA+E;QAC/E,SAAS,EAAE,EAAE,iBAAiB,EAAE,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,0BAA0B,EAAE,EAAE,EAAE;QAC1F,YAAY,EAAE;YACZ,QAAQ,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,oBAAoB,EAAE,EAAE,EAAE;YAC5D,QAAQ,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,oBAAoB,EAAE,EAAE,EAAE;SAC7D;QACD,OAAO,EAAE,IAA0C;KACpD,CAAC;AACJ,CAAC;AAGM,IAAM,uBAAuB,GAA7B,MAAM,uBAAuB;IAIlC,YAA6B,IAAyB;QAAzB,SAAI,GAAJ,IAAI,CAAqB;QAHrC,WAAM,GAAG,IAAI,eAAM,CAAC,cAAc,CAAC,CAAC;QAInD,IAAI,CAAC,IAAI;YACP,IAAI,CAAC,IAAI,IAAK,OAAO,CAAC,GAAG,CAAC,wBAA6C,IAAI,KAAK,CAAC;IACrF,CAAC;IAED,SAAS,CAAC,OAAyB,EAAE,IAAiB;QACpD,IAAI,OAAO,CAAC,OAAO,EAAE,KAAK,KAAK;YAAE,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,aAAa;QAEpE,IAAI,IAAI,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;YACxB,yEAAyE;YACzE,gFAAgF;YAChF,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;YACzB,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAAU,qDAAsB,EAAE;YAClF,OAAO,CAAC,UAAU,EAAE;YACpB,OAAO,CAAC,QAAQ,EAAE;SACnB,CAAC,CAAC;QACH,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;YACzB,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,CAAC;QAED,OAAO,IAAA,WAAI,EAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CACpC,IAAA,oBAAQ,EAAC,CAAC,OAAO,EAAE,EAAE,CACnB,OAAO;YACL,CAAC,CAAC,IAAI,iBAAU,CAAC,CAAC,UAAU,EAAE,EAAE,CAC5B,cAAQ,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,CACjE;YACH,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,CAClB,CACF,CAAC;IACJ,CAAC;IAED,yFAAyF;IACjF,KAAK,CAAC,MAAM,CAAC,OAAyB;QAC5C,MAAM,GAAG,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QAClC,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,EAAyC,CAAC;QAClE,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC;QAElD,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,IAAK,IAAI,CAAC,mCAAkB,CAAwB,CAAC;YACrE,IAAI,CAAC,GAAG;gBAAE,MAAM,IAAI,kCAAiB,CAAC,SAAS,EAAE,4BAA4B,CAAC,CAAC;YAE/E,MAAM,MAAM,GAAG,MAAM,IAAA,oCAAmB,EAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAErF,OAAQ,IAAgC,CAAC,mCAAkB,CAAC,CAAC;YAC7D,IAAA,+BAAc,EAAC,MAAM,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;YACnC,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,KAAK,KAAK,IAAI,GAAG;gBAAE,IAAA,0BAAS,EAAC,MAAM,EAAE,GAAG,CAAC,CAAC;YAEjE,IAAI,KAAc,CAAC;YACnB,IAAI,CAAC;gBACH,KAAK,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACvD,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,IAAI,kCAAiB,CAAC,SAAS,EAAE,+BAAgC,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;YAChG,CAAC;YACD,IAAI,CAAC,KAAK;gBAAE,MAAM,IAAI,kCAAiB,CAAC,QAAQ,EAAE,QAAQ,MAAM,CAAC,GAAG,gBAAgB,CAAC,CAAC;YAEtF,OAAO,eAAe,CAAC,MAAM,CAAC,CAAC;QACjC,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,MAAM,GAAG,CAAC,YAAY,kCAAiB,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;YACjE,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC3B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,sBAAsB,MAAM,SAAS,GAAG,IAAI,GAAG,KAAM,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;gBAC7F,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,qCAAqC;gBAC/D,OAAO,IAAI,CAAC;YACd,CAAC;YACD,MAAM,IAAI,4BAAY,CAAC,EAAE,IAAI,EAAE,eAAe,EAAE,MAAM,EAAE,OAAO,EAAG,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;QAC3F,CAAC;IACH,CAAC;IAEO,UAAU,CAAC,OAAyB;QAC1C,MAAM,IAAI,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,OAAO,EAAyC,CAAC;QACpF,IAAI,IAAI,IAAI,mCAAkB,IAAI,IAAI;YAAE,OAAO,IAAI,CAAC,mCAAkB,CAAC,CAAC;IAC1E,CAAC;IAEO,aAAa,CAAC,GAAgD;QACpE,MAAM,GAAG,GAAG,GAAG,CAAC,UAAU,EAA+C,CAAC;QAC1E,OAAO,OAAO,GAAG,EAAE,UAAU,KAAK,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IAC9E,CAAC;CACF,CAAA;AApFY,0DAAuB;kCAAvB,uBAAuB;IADnC,IAAA,mBAAU,GAAE;;GACA,uBAAuB,CAoFnC"}

package/dist/nest/nats-scoped-client.proxy.d.ts

@@ -0,0 +1,23 @@
+import { ClientProxy, type NatsOptions, type ReadPacket, type WritePacket } from '@nestjs/microservices';
+import { Observable } from 'rxjs';
+import { InternalTokenSigner } from '../nats/internal-token.signer';
+export interface NatsScopedClientOptions {
+    /** NATS transport options (servers, queue, etc.) — same shape as Transport.NATS. */
+    nats: NatsOptions['options'];
+    signer: InternalTokenSigner;
+    /** Audience of THIS client's target service: 'skillID' | 'skillCertet'. */
+    audience: string;
+}
+export declare class NatsScopedClientProxy extends ClientProxy {
+    private readonly opts;
+    private readonly delegate;
+    constructor(opts: NatsScopedClientOptions);
+    connect(): Promise<unknown>;
+    close(): Promise<void> | void;
+    unwrap<T>(): T;
+    protected publish(packet: ReadPacket, callback: (packet: WritePacket) => void): () => void;
+    protected dispatchEvent<T = unknown>(packet: ReadPacket): Promise<T>;
+    send<TResult = unknown, TInput = unknown>(pattern: unknown, data: TInput): Observable<TResult>;
+    emit<TResult = unknown, TInput = unknown>(pattern: unknown, data: TInput): Observable<TResult>;
+}
+//# sourceMappingURL=nats-scoped-client.proxy.d.ts.map

package/dist/nest/nats-scoped-client.proxy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nats-scoped-client.proxy.d.ts","sourceRoot":"","sources":["../../src/nest/nats-scoped-client.proxy.ts"],"names":[],"mappings":"AAQA,OAAO,EACL,WAAW,EAGX,KAAK,WAAW,EAChB,KAAK,UAAU,EACf,KAAK,WAAW,EACjB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,UAAU,EAAQ,MAAM,MAAM,CAAC;AAExC,OAAO,EAAE,mBAAmB,EAAgB,MAAM,+BAA+B,CAAC;AAElF,MAAM,WAAW,uBAAuB;IACtC,oFAAoF;IACpF,IAAI,EAAE,WAAW,CAAC,SAAS,CAAC,CAAC;IAC7B,MAAM,EAAE,mBAAmB,CAAC;IAC5B,2EAA2E;IAC3E,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,qBAAa,qBAAsB,SAAQ,WAAW;IAGxC,OAAO,CAAC,QAAQ,CAAC,IAAI;IAFjC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAc;gBAEV,IAAI,EAAE,uBAAuB;IAQ1D,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC;IAG3B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI;IAG7B,MAAM,CAAC,CAAC,KAAK,CAAC;IAKd,SAAS,CAAC,OAAO,CACf,MAAM,EAAE,UAAU,EAClB,QAAQ,EAAE,CAAC,MAAM,EAAE,WAAW,KAAK,IAAI,GACtC,MAAM,IAAI;IAKb,SAAS,CAAC,aAAa,CAAC,CAAC,GAAG,OAAO,EAAE,MAAM,EAAE,UAAU,GAAG,OAAO,CAAC,CAAC,CAAC;IAMpE,IAAI,CAAC,OAAO,GAAG,OAAO,EAAE,MAAM,GAAG,OAAO,EACtC,OAAO,EAAE,OAAO,EAChB,IAAI,EAAE,MAAM,GACX,UAAU,CAAC,OAAO,CAAC;IAOtB,IAAI,CAAC,OAAO,GAAG,OAAO,EAAE,MAAM,GAAG,OAAO,EACtC,OAAO,EAAE,OAAO,EAChB,IAAI,EAAE,MAAM,GACX,UAAU,CAAC,OAAO,CAAC;CAMvB"}

package/dist/nest/nats-scoped-client.proxy.js

@@ -0,0 +1,50 @@
+"use strict";
+// Step 2 DEC-S2.16/18 — gateway-side NATS client that signs every outbound call.
+//
+// Registered as `customClass` in the gateway's ClientsModule. Delegates the actual
+// NATS transport to a real client created via ClientProxyFactory, and overrides
+// send()/emit() to attach a freshly-signed `_internalJwt` (DEC-S2.18: top-level
+// field, not NATS headers). Wrapping the transport — not an interceptor — guarantees
+// signing on 100% of outbound calls, including those outside the HTTP request pipeline.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NatsScopedClientProxy = void 0;
+const microservices_1 = require("@nestjs/microservices");
+const rxjs_1 = require("rxjs");
+const operators_1 = require("rxjs/operators");
+const internal_token_signer_1 = require("../nats/internal-token.signer");
+class NatsScopedClientProxy extends microservices_1.ClientProxy {
+    constructor(opts) {
+        super();
+        this.opts = opts;
+        this.delegate = microservices_1.ClientProxyFactory.create({
+            transport: microservices_1.Transport.NATS,
+            options: opts.nats,
+        });
+    }
+    connect() {
+        return this.delegate.connect();
+    }
+    close() {
+        return this.delegate.close();
+    }
+    unwrap() {
+        return this.delegate.unwrap();
+    }
+    // Abstract transport hooks delegate to the real client (protected in the base).
+    publish(packet, callback) {
+        return this.delegate.publish(packet, callback);
+    }
+    dispatchEvent(packet) {
+        return this.delegate.dispatchEvent(packet);
+    }
+    send(pattern, data) {
+        const cmd = (0, internal_token_signer_1.patternToCmd)(pattern);
+        return (0, rxjs_1.from)(this.opts.signer.sign(cmd, this.opts.audience, (data ?? {}))).pipe((0, operators_1.mergeMap)((signed) => this.delegate.send(pattern, signed)));
+    }
+    emit(pattern, data) {
+        const cmd = (0, internal_token_signer_1.patternToCmd)(pattern);
+        return (0, rxjs_1.from)(this.opts.signer.sign(cmd, this.opts.audience, (data ?? {}))).pipe((0, operators_1.mergeMap)((signed) => this.delegate.emit(pattern, signed)));
+    }
+}
+exports.NatsScopedClientProxy = NatsScopedClientProxy;
+//# sourceMappingURL=nats-scoped-client.proxy.js.map

package/dist/nest/nats-scoped-client.proxy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"nats-scoped-client.proxy.js","sourceRoot":"","sources":["../../src/nest/nats-scoped-client.proxy.ts"],"names":[],"mappings":";AAAA,iFAAiF;AACjF,EAAE;AACF,mFAAmF;AACnF,gFAAgF;AAChF,gFAAgF;AAChF,qFAAqF;AACrF,wFAAwF;;;AAExF,yDAO+B;AAC/B,+BAAwC;AACxC,8CAA0C;AAC1C,yEAAkF;AAUlF,MAAa,qBAAsB,SAAQ,2BAAW;IAGpD,YAA6B,IAA6B;QACxD,KAAK,EAAE,CAAC;QADmB,SAAI,GAAJ,IAAI,CAAyB;QAExD,IAAI,CAAC,QAAQ,GAAG,kCAAkB,CAAC,MAAM,CAAC;YACxC,SAAS,EAAE,yBAAS,CAAC,IAAI;YACzB,OAAO,EAAE,IAAI,CAAC,IAAI;SACnB,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,OAAO,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;IACjC,CAAC;IACD,KAAK;QACH,OAAO,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;IAC/B,CAAC;IACD,MAAM;QACJ,OAAQ,IAAI,CAAC,QAA+B,CAAC,MAAM,EAAK,CAAC;IAC3D,CAAC;IAED,gFAAgF;IACtE,OAAO,CACf,MAAkB,EAClB,QAAuC;QAEvC,OAAQ,IAAI,CAAC,QAEX,CAAC,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC/B,CAAC;IACS,aAAa,CAAc,MAAkB;QACrD,OAAQ,IAAI,CAAC,QAEX,CAAC,aAAa,CAAI,MAAM,CAAC,CAAC;IAC9B,CAAC;IAED,IAAI,CACF,OAAgB,EAChB,IAAY;QAEZ,MAAM,GAAG,GAAG,IAAA,oCAAY,EAAC,OAAO,CAAC,CAAC;QAClC,OAAO,IAAA,WAAI,EAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,IAAI,IAAI,EAAE,CAA4B,CAAC,CAAC,CAAC,IAAI,CACvG,IAAA,oBAAQ,EAAC,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAU,OAAgB,EAAE,MAAM,CAAC,CAAC,CAC5E,CAAC;IACJ,CAAC;IAED,IAAI,CACF,OAAgB,EAChB,IAAY;QAEZ,MAAM,GAAG,GAAG,IAAA,oCAAY,EAAC,OAAO,CAAC,CAAC;QAClC,OAAO,IAAA,WAAI,EAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,IAAI,IAAI,EAAE,CAA4B,CAAC,CAAC,CAAC,IAAI,CACvG,IAAA,oBAAQ,EAAC,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAU,OAAgB,EAAE,MAAM,CAAC,CAAC,CAC5E,CAAC;IACJ,CAAC;CACF;AAvDD,sDAuDC"}

package/dist/nest/skip-internal-auth.decorator.d.ts

@@ -0,0 +1,4 @@
+import { type CustomDecorator } from '@nestjs/common';
+export declare const SKIP_INTERNAL_AUTH_KEY = "skillera:authz:skip-internal-auth";
+export declare function SkipInternalAuth(): CustomDecorator;
+//# sourceMappingURL=skip-internal-auth.decorator.d.ts.map

package/dist/nest/skip-internal-auth.decorator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"skip-internal-auth.decorator.d.ts","sourceRoot":"","sources":["../../src/nest/skip-internal-auth.decorator.ts"],"names":[],"mappings":"AAGA,OAAO,EAAe,KAAK,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAEnE,eAAO,MAAM,sBAAsB,sCAAsC,CAAC;AAE1E,wBAAgB,gBAAgB,IAAI,eAAe,CAElD"}

package/dist/nest/skip-internal-auth.decorator.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SKIP_INTERNAL_AUTH_KEY = void 0;
+exports.SkipInternalAuth = SkipInternalAuth;
+// Step 2 DEC-S2.27 — opt a @MessagePattern out of internal-auth verification.
+// Allowlist must stay minimal (health pings only); a CI lint rule (Step 8) requires
+// a `// reason:` comment on each use.
+const common_1 = require("@nestjs/common");
+exports.SKIP_INTERNAL_AUTH_KEY = 'skillera:authz:skip-internal-auth';
+function SkipInternalAuth() {
+    return (0, common_1.SetMetadata)(exports.SKIP_INTERNAL_AUTH_KEY, true);
+}
+//# sourceMappingURL=skip-internal-auth.decorator.js.map

package/dist/nest/skip-internal-auth.decorator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"skip-internal-auth.decorator.js","sourceRoot":"","sources":["../../src/nest/skip-internal-auth.decorator.ts"],"names":[],"mappings":";;;AAOA,4CAEC;AATD,8EAA8E;AAC9E,oFAAoF;AACpF,sCAAsC;AACtC,2CAAmE;AAEtD,QAAA,sBAAsB,GAAG,mCAAmC,CAAC;AAE1E,SAAgB,gBAAgB;IAC9B,OAAO,IAAA,oBAAW,EAAC,8BAAsB,EAAE,IAAI,CAAC,CAAC;AACnD,CAAC"}

package/dist/resource-registry.d.ts

@@ -0,0 +1,31 @@
+import type { ResourceManifest } from './define-resource';
+/**
+ * Registry singleton per-processo. Iniettabile via NestJS DI come `ResourceRegistry`.
+ * Lookup primario per subject + secondario per prismaModel (Step 3 DEC-S3.14).
+ */
+export declare class ResourceRegistry {
+    private readonly bySubject;
+    private readonly byModel;
+    /**
+     * Registra un manifest. Throws se subject o prismaModel sono già registrati
+     * (Step 1 DEC-3: 1:1 manifest ↔ Prisma model).
+     */
+    register(manifest: ResourceManifest): void;
+    /** Step 1 DEC-3 lookup primario. Ritorna undefined se subject non registrato. */
+    get(subject: string): ResourceManifest | undefined;
+    /** Step 3 DEC-S3.14 lookup secondario. Usato dal Prisma extension hook. */
+    byPrismaModel(model: string): ResourceManifest | undefined;
+    /** Iterazione per CI coherence check + codegen. */
+    all(): ResourceManifest[];
+    /** Filter per service (utile in skillID aggregator). */
+    forService(service: ResourceManifest['service']): ResourceManifest[];
+    /** Reset (solo per test). */
+    clear(): void;
+    size(): number;
+}
+/**
+ * Singleton globale di processo. Iniettato in NestJS providers via factory.
+ * In test ambient, sostituibile creando una nuova `ResourceRegistry`.
+ */
+export declare const globalResourceRegistry: ResourceRegistry;
+//# sourceMappingURL=resource-registry.d.ts.map

package/dist/resource-registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resource-registry.d.ts","sourceRoot":"","sources":["../src/resource-registry.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAE1D;;;GAGG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAuC;IACjE,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAuC;IAE/D;;;OAGG;IACH,QAAQ,CAAC,QAAQ,EAAE,gBAAgB,GAAG,IAAI;IAiB1C,iFAAiF;IACjF,GAAG,CAAC,OAAO,EAAE,MAAM,GAAG,gBAAgB,GAAG,SAAS;IAIlD,2EAA2E;IAC3E,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,gBAAgB,GAAG,SAAS;IAI1D,mDAAmD;IACnD,GAAG,IAAI,gBAAgB,EAAE;IAIzB,wDAAwD;IACxD,UAAU,CAAC,OAAO,EAAE,gBAAgB,CAAC,SAAS,CAAC,GAAG,gBAAgB,EAAE;IAIpE,6BAA6B;IAC7B,KAAK,IAAI,IAAI;IAKb,IAAI,IAAI,MAAM;CAGf;AAED;;;GAGG;AACH,eAAO,MAAM,sBAAsB,kBAAyB,CAAC"}

package/dist/resource-registry.js

@@ -0,0 +1,64 @@
+"use strict";
+// Step 1 DEC-17/18: ResourceRegistry singleton per servizio
+// Registrazione esplicita via `ResourceRegistryModule.forFeature([CourseResource, ...])`
+// nel `*.module.ts` NestJS (no glob magic).
+//
+// skillID a startup aggrega via `@generazioneai/resource-registry-aggregator` (build-time JSON merge)
+// per buildare snapshot CASL.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.globalResourceRegistry = exports.ResourceRegistry = void 0;
+/**
+ * Registry singleton per-processo. Iniettabile via NestJS DI come `ResourceRegistry`.
+ * Lookup primario per subject + secondario per prismaModel (Step 3 DEC-S3.14).
+ */
+class ResourceRegistry {
+    constructor() {
+        this.bySubject = new Map();
+        this.byModel = new Map();
+    }
+    /**
+     * Registra un manifest. Throws se subject o prismaModel sono già registrati
+     * (Step 1 DEC-3: 1:1 manifest ↔ Prisma model).
+     */
+    register(manifest) {
+        if (this.bySubject.has(manifest.subject)) {
+            throw new Error(`[authz] Subject '${manifest.subject}' already registered. Duplicate manifest?`);
+        }
+        if (this.byModel.has(manifest.prismaModel)) {
+            throw new Error(`[authz] Prisma model '${manifest.prismaModel}' already mapped to subject '${this.byModel.get(manifest.prismaModel).subject}'. Cannot map to '${manifest.subject}'.`);
+        }
+        this.bySubject.set(manifest.subject, manifest);
+        this.byModel.set(manifest.prismaModel, manifest);
+    }
+    /** Step 1 DEC-3 lookup primario. Ritorna undefined se subject non registrato. */
+    get(subject) {
+        return this.bySubject.get(subject);
+    }
+    /** Step 3 DEC-S3.14 lookup secondario. Usato dal Prisma extension hook. */
+    byPrismaModel(model) {
+        return this.byModel.get(model);
+    }
+    /** Iterazione per CI coherence check + codegen. */
+    all() {
+        return Array.from(this.bySubject.values());
+    }
+    /** Filter per service (utile in skillID aggregator). */
+    forService(service) {
+        return this.all().filter((m) => m.service === service);
+    }
+    /** Reset (solo per test). */
+    clear() {
+        this.bySubject.clear();
+        this.byModel.clear();
+    }
+    size() {
+        return this.bySubject.size;
+    }
+}
+exports.ResourceRegistry = ResourceRegistry;
+/**
+ * Singleton globale di processo. Iniettato in NestJS providers via factory.
+ * In test ambient, sostituibile creando una nuova `ResourceRegistry`.
+ */
+exports.globalResourceRegistry = new ResourceRegistry();
+//# sourceMappingURL=resource-registry.js.map

package/dist/resource-registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resource-registry.js","sourceRoot":"","sources":["../src/resource-registry.ts"],"names":[],"mappings":";AAAA,4DAA4D;AAC5D,yFAAyF;AACzF,4CAA4C;AAC5C,EAAE;AACF,sGAAsG;AACtG,8BAA8B;;;AAI9B;;;GAGG;AACH,MAAa,gBAAgB;IAA7B;QACmB,cAAS,GAAG,IAAI,GAAG,EAA4B,CAAC;QAChD,YAAO,GAAG,IAAI,GAAG,EAA4B,CAAC;IAoDjE,CAAC;IAlDC;;;OAGG;IACH,QAAQ,CAAC,QAA0B;QACjC,IAAI,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YACzC,MAAM,IAAI,KAAK,CACb,oBAAoB,QAAQ,CAAC,OAAO,2CAA2C,CAChF,CAAC;QACJ,CAAC;QACD,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YAC3C,MAAM,IAAI,KAAK,CACb,yBAAyB,QAAQ,CAAC,WAAW,gCAC3C,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAE,CAAC,OAC1C,qBAAqB,QAAQ,CAAC,OAAO,IAAI,CAC1C,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC/C,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IACnD,CAAC;IAED,iFAAiF;IACjF,GAAG,CAAC,OAAe;QACjB,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACrC,CAAC;IAED,2EAA2E;IAC3E,aAAa,CAAC,KAAa;QACzB,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACjC,CAAC;IAED,mDAAmD;IACnD,GAAG;QACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED,wDAAwD;IACxD,UAAU,CAAC,OAAoC;QAC7C,OAAO,IAAI,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,OAAO,CAAC,CAAC;IACzD,CAAC;IAED,6BAA6B;IAC7B,KAAK;QACH,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;QACvB,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;IACvB,CAAC;IAED,IAAI;QACF,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;IAC7B,CAAC;CACF;AAtDD,4CAsDC;AAED;;;GAGG;AACU,QAAA,sBAAsB,GAAG,IAAI,gBAAgB,EAAE,CAAC"}

package/dist/resource-registry.module.d.ts

@@ -0,0 +1,25 @@
+import type { DynamicModule } from '@nestjs/common';
+import type { ResourceManifest } from './define-resource';
+import { ResourceRegistry } from './resource-registry';
+/** DI token for the per-process ResourceRegistry (alias of the class token). */
+export declare const RESOURCE_REGISTRY: unique symbol;
+export interface ResourceRegistryRootOptions {
+    /** Manifests to register eagerly at root (e.g. the aggregated set in skillID). */
+    manifests?: ResourceManifest[];
+    /** Inject a pre-built registry (tests / aggregator). Defaults to a fresh instance. */
+    registry?: ResourceRegistry;
+}
+export declare class ResourceRegistryModule {
+    /**
+     * Provides the singleton `ResourceRegistry` for the process. Global, so
+     * `forFeature(...)` in any feature module can inject it. Call once at app root.
+     */
+    static forRoot(options?: ResourceRegistryRootOptions): DynamicModule;
+    /**
+     * Registers a feature module's manifests into the root registry. The factory
+     * runs at bootstrap (eager, non-request-scoped) and registers each manifest;
+     * a duplicate subject/prismaModel surfaces as a startup error (DEC-3).
+     */
+    static forFeature(manifests: ResourceManifest[]): DynamicModule;
+}
+//# sourceMappingURL=resource-registry.module.d.ts.map

package/dist/resource-registry.module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resource-registry.module.d.ts","sourceRoot":"","sources":["../src/resource-registry.module.ts"],"names":[],"mappings":"AAkBA,OAAO,KAAK,EAAE,aAAa,EAAY,MAAM,gBAAgB,CAAC;AAC9D,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAEvD,gFAAgF;AAChF,eAAO,MAAM,iBAAiB,eAAuC,CAAC;AAEtE,MAAM,WAAW,2BAA2B;IAC1C,kFAAkF;IAClF,SAAS,CAAC,EAAE,gBAAgB,EAAE,CAAC;IAC/B,sFAAsF;IACtF,QAAQ,CAAC,EAAE,gBAAgB,CAAC;CAC7B;AAED,qBAAa,sBAAsB;IACjC;;;OAGG;IACH,MAAM,CAAC,OAAO,CAAC,OAAO,GAAE,2BAAgC,GAAG,aAAa;IAgBxE;;;;OAIG;IACH,MAAM,CAAC,UAAU,CAAC,SAAS,EAAE,gBAAgB,EAAE,GAAG,aAAa;CAmBhE"}