@generazioneai/authz 0.0.2 → 0.0.4

package/dist/enforce/index.d.ts

@@ -0,0 +1,4 @@
+export * from './prisma-extension';
+export * from './run-unscoped';
+export * from './scoped-repository';
+//# sourceMappingURL=index.d.ts.map

package/dist/enforce/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/enforce/index.ts"],"names":[],"mappings":"AACA,cAAc,oBAAoB,CAAC;AACnC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,qBAAqB,CAAC"}

package/dist/enforce/index.js

@@ -0,0 +1,21 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+// @generazioneai/authz/enforce — Step 3 query-level enforcement (no NestJS runtime dep).
+__exportStar(require("./prisma-extension"), exports);
+__exportStar(require("./run-unscoped"), exports);
+__exportStar(require("./scoped-repository"), exports);
+//# sourceMappingURL=index.js.map

package/dist/enforce/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/enforce/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,yFAAyF;AACzF,qDAAmC;AACnC,iDAA+B;AAC/B,sDAAoC"}

package/dist/enforce/prisma-extension.d.ts

@@ -0,0 +1,25 @@
+import type { ResourceRegistry } from '../resource-registry';
+export type EnforceMode = 'off' | 'shadow' | 'enforce';
+export interface AuthzExtensionOptions {
+    mode?: EnforceMode;
+    /** called in shadow mode with what WOULD be restricted (metrics/logging). */
+    onShadow?: (info: {
+        model: string;
+        operation: string;
+        subject: string;
+    }) => void;
+}
+export declare function createAuthzPrismaExtension(registry: ResourceRegistry, opts?: AuthzExtensionOptions): {
+    name: string;
+    query: {
+        $allModels: {
+            $allOperations({ model, operation, args, query }: {
+                model: string;
+                operation: string;
+                args: any;
+                query: (a: any) => Promise<unknown>;
+            }): Promise<unknown>;
+        };
+    };
+};
+//# sourceMappingURL=prisma-extension.d.ts.map

package/dist/enforce/prisma-extension.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"prisma-extension.d.ts","sourceRoot":"","sources":["../../src/enforce/prisma-extension.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAE7D,MAAM,MAAM,WAAW,GAAG,KAAK,GAAG,QAAQ,GAAG,SAAS,CAAC;AAiBvD,MAAM,WAAW,qBAAqB;IACpC,IAAI,CAAC,EAAE,WAAW,CAAC;IACnB,6EAA6E;IAC7E,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,CAAC;CAClF;AAED,wBAAgB,0BAA0B,CAAC,QAAQ,EAAE,gBAAgB,EAAE,IAAI,GAAE,qBAA0B;;;;8DAOvC;gBAAE,KAAK,EAAE,MAAM,CAAC;gBAAC,SAAS,EAAE,MAAM,CAAC;gBAAC,IAAI,EAAE,GAAG,CAAC;gBAAC,KAAK,EAAE,CAAC,CAAC,EAAE,GAAG,KAAK,OAAO,CAAC,OAAO,CAAC,CAAA;aAAE;;;EAyCnJ"}

package/dist/enforce/prisma-extension.js

@@ -0,0 +1,79 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAuthzPrismaExtension = createAuthzPrismaExtension;
+// Step 3 — Prisma Client extension that enforces the request's CASL ability on EVERY
+// query (the safety net: impossible to bypass from inside the service). Reads the ability
+// from ALS, looks up the model's Subject in the registry, and ANDs accessibleBy(ability,
+// action)[Subject] into the where (reads/updates/deletes) or stamps tenancy on creates.
+//
+// Mode (AUTHZ_ENFORCE_MODE, default 'off'):
+//   off     → passthrough (no behaviour change — safe to ship).
+//   shadow  → compute but DON'T apply; log would-restrict (readiness measurement).
+//   enforce → apply (fail-closed: no ALS context / no ability → throw).
+const prisma_1 = require("@casl/prisma");
+const als_1 = require("../context/als");
+const READ = new Set(['findUnique', 'findUniqueOrThrow', 'findFirst', 'findFirstOrThrow', 'findMany', 'count', 'aggregate', 'groupBy']);
+const UPDATE = new Set(['update', 'updateMany', 'upsert']);
+const DELETE = new Set(['delete', 'deleteMany']);
+const CREATE = new Set(['create', 'createMany', 'createManyAndReturn']);
+function opToAction(op) {
+    if (READ.has(op))
+        return 'read';
+    if (CREATE.has(op))
+        return 'create';
+    if (UPDATE.has(op))
+        return 'update';
+    if (DELETE.has(op))
+        return 'delete';
+    return 'manage';
+}
+const lowerFirst = (s) => (s ? s.charAt(0).toLowerCase() + s.slice(1) : s);
+function createAuthzPrismaExtension(registry, opts = {}) {
+    const mode = opts.mode ?? process.env.AUTHZ_ENFORCE_MODE ?? 'off';
+    return {
+        name: 'skillera-authz-enforce',
+        query: {
+            $allModels: {
+                async $allOperations({ model, operation, args, query }) {
+                    if (mode === 'off')
+                        return query(args);
+                    const ctx = als_1.authzAls.getStore();
+                    if (!ctx) {
+                        if (mode === 'enforce')
+                            throw new Error(`[authz] UNSCOPED_QUERY ${model}.${operation} — no request context`);
+                        return query(args);
+                    }
+                    if (ctx.unscoped)
+                        return query(args); // runUnscoped escape hatch (system tasks)
+                    if (!ctx.ability) {
+                        if (mode === 'enforce')
+                            throw new Error(`[authz] no ability in context for ${model}.${operation}`);
+                        return query(args);
+                    }
+                    const manifest = registry.get(model) ?? registry.byPrismaModel(lowerFirst(model));
+                    if (!manifest)
+                        return query(args); // unmanaged model → not scoped
+                    const subject = manifest.subject;
+                    const action = opToAction(operation);
+                    if (mode === 'shadow') {
+                        opts.onShadow?.({ model, operation, subject });
+                        return query(args);
+                    }
+                    // enforce
+                    if (CREATE.has(operation)) {
+                        const t = manifest.tenancy;
+                        if (t && t.kind === 'single' && ctx.tenantId && args?.data) {
+                            const stamp = (d) => ({ [t.field]: ctx.tenantId, ...d });
+                            args = { ...args, data: Array.isArray(args.data) ? args.data.map(stamp) : stamp(args.data) };
+                        }
+                        return query(args);
+                    }
+                    const scopeWhere = (0, prisma_1.accessibleBy)(ctx.ability, action)[subject];
+                    args = { ...args, where: args?.where ? { AND: [args.where, scopeWhere] } : scopeWhere };
+                    return query(args);
+                },
+            },
+        },
+    };
+}
+//# sourceMappingURL=prisma-extension.js.map

package/dist/enforce/prisma-extension.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"prisma-extension.js","sourceRoot":"","sources":["../../src/enforce/prisma-extension.ts"],"names":[],"mappings":";;AAoCA,gEAgDC;AApFD,qFAAqF;AACrF,0FAA0F;AAC1F,yFAAyF;AACzF,wFAAwF;AACxF,EAAE;AACF,4CAA4C;AAC5C,gEAAgE;AAChE,mFAAmF;AACnF,wEAAwE;AACxE,yCAA4C;AAC5C,wCAA0C;AAK1C,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,CAAC,YAAY,EAAE,mBAAmB,EAAE,WAAW,EAAE,kBAAkB,EAAE,UAAU,EAAE,OAAO,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC,CAAC;AACxI,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC,CAAC;AAC3D,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC;AACjD,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,CAAC,QAAQ,EAAE,YAAY,EAAE,qBAAqB,CAAC,CAAC,CAAC;AAExE,SAAS,UAAU,CAAC,EAAU;IAC5B,IAAI,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAAE,OAAO,MAAM,CAAC;IAChC,IAAI,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;QAAE,OAAO,QAAQ,CAAC;IACpC,IAAI,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;QAAE,OAAO,QAAQ,CAAC;IACpC,IAAI,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;QAAE,OAAO,QAAQ,CAAC;IACpC,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAQnF,SAAgB,0BAA0B,CAAC,QAA0B,EAAE,OAA8B,EAAE;IACrG,MAAM,IAAI,GAAgB,IAAI,CAAC,IAAI,IAAK,OAAO,CAAC,GAAG,CAAC,kBAAkC,IAAI,KAAK,CAAC;IAEhG,OAAO;QACL,IAAI,EAAE,wBAAwB;QAC9B,KAAK,EAAE;YACL,UAAU,EAAE;gBACV,KAAK,CAAC,cAAc,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAwF;oBAC1I,IAAI,IAAI,KAAK,KAAK;wBAAE,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC;oBAEvC,MAAM,GAAG,GAAG,cAAQ,CAAC,QAAQ,EAAE,CAAC;oBAChC,IAAI,CAAC,GAAG,EAAE,CAAC;wBACT,IAAI,IAAI,KAAK,SAAS;4BAAE,MAAM,IAAI,KAAK,CAAC,0BAA0B,KAAK,IAAI,SAAS,uBAAuB,CAAC,CAAC;wBAC7G,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC;oBACrB,CAAC;oBACD,IAAI,GAAG,CAAC,QAAQ;wBAAE,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,0CAA0C;oBAChF,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;wBACjB,IAAI,IAAI,KAAK,SAAS;4BAAE,MAAM,IAAI,KAAK,CAAC,qCAAqC,KAAK,IAAI,SAAS,EAAE,CAAC,CAAC;wBACnG,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC;oBACrB,CAAC;oBAED,MAAM,QAAQ,GAAG,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,QAAQ,CAAC,aAAa,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;oBAClF,IAAI,CAAC,QAAQ;wBAAE,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,+BAA+B;oBAClE,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC;oBACjC,MAAM,MAAM,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC;oBAErC,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;wBACtB,IAAI,CAAC,QAAQ,EAAE,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;wBAC/C,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC;oBACrB,CAAC;oBAED,UAAU;oBACV,IAAI,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;wBAC1B,MAAM,CAAC,GAAG,QAAQ,CAAC,OAAO,CAAC;wBAC3B,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,KAAK,QAAQ,IAAI,GAAG,CAAC,QAAQ,IAAI,IAAI,EAAE,IAAI,EAAE,CAAC;4BAC3D,MAAM,KAAK,GAAG,CAAC,CAA0B,EAAE,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;4BAClF,IAAI,GAAG,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC/F,CAAC;wBACD,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC;oBACrB,CAAC;oBAED,MAAM,UAAU,GAAI,IAAA,qBAAY,EAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAA6B,CAAC,OAAO,CAAC,CAAC;oBAC3F,IAAI,GAAG,EAAE,GAAG,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,EAAE,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC;oBACxF,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC;gBACrB,CAAC;aACF;SACF;KACF,CAAC;AACJ,CAAC"}

package/dist/enforce/run-unscoped.d.ts

@@ -0,0 +1,2 @@
+export declare function runUnscoped<T>(reason: string, fn: () => T): T;
+//# sourceMappingURL=run-unscoped.d.ts.map

package/dist/enforce/run-unscoped.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"run-unscoped.d.ts","sourceRoot":"","sources":["../../src/enforce/run-unscoped.ts"],"names":[],"mappings":"AAMA,wBAAgB,WAAW,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,CAI7D"}

package/dist/enforce/run-unscoped.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runUnscoped = runUnscoped;
+// Step 3 DEC-S3.17 — escape hatch for legitimate system work that must bypass scoping
+// (seeds, cross-tenant admin jobs, the snapshot builder itself). Sets ctx.unscoped so the
+// Prisma extension lets queries through. Requires an explicit reason (lint-enforced, Step 8).
+const als_1 = require("../context/als");
+const authz_context_1 = require("../context/authz-context");
+function runUnscoped(reason, fn) {
+    const current = als_1.authzAls.getStore();
+    const ctx = { ...(current ?? authz_context_1.EMPTY_CTX), unscoped: true, unscopedReason: reason };
+    return als_1.authzAls.run(ctx, fn);
+}
+//# sourceMappingURL=run-unscoped.js.map

package/dist/enforce/run-unscoped.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"run-unscoped.js","sourceRoot":"","sources":["../../src/enforce/run-unscoped.ts"],"names":[],"mappings":";;AAMA,kCAIC;AAVD,sFAAsF;AACtF,0FAA0F;AAC1F,8FAA8F;AAC9F,wCAA0C;AAC1C,4DAAwE;AAExE,SAAgB,WAAW,CAAI,MAAc,EAAE,EAAW;IACxD,MAAM,OAAO,GAAG,cAAQ,CAAC,QAAQ,EAAE,CAAC;IACpC,MAAM,GAAG,GAAiB,EAAE,GAAG,CAAC,OAAO,IAAI,yBAAS,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,EAAE,CAAC;IAChG,OAAO,cAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;AAC/B,CAAC"}

package/dist/enforce/scoped-repository.d.ts

@@ -0,0 +1,10 @@
+import type { AuthzContext } from '../context/authz-context';
+export declare class ScopedRepository<TDelegate> {
+    private readonly delegate;
+    constructor(delegate: TDelegate);
+    /** Current request context (throws if missing — enforcement is never accidental). */
+    protected ctx(): AuthzContext;
+    /** The underlying (extension-scoped) Prisma delegate. */
+    get scoped(): TDelegate;
+}
+//# sourceMappingURL=scoped-repository.d.ts.map

package/dist/enforce/scoped-repository.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scoped-repository.d.ts","sourceRoot":"","sources":["../../src/enforce/scoped-repository.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAE7D,qBAAa,gBAAgB,CAAC,SAAS;IACzB,OAAO,CAAC,QAAQ,CAAC,QAAQ;gBAAR,QAAQ,EAAE,SAAS;IAEhD,qFAAqF;IACrF,SAAS,CAAC,GAAG,IAAI,YAAY;IAM7B,yDAAyD;IACzD,IAAI,MAAM,IAAI,SAAS,CAGtB;CACF"}

package/dist/enforce/scoped-repository.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ScopedRepository = void 0;
+// Step 3 DX wrapper — services inject a ScopedRepository instead of the raw Prisma
+// delegate. The Prisma extension already enforces scope on every query; this surface
+// makes the intent explicit and asserts a request context is present.
+const als_1 = require("../context/als");
+class ScopedRepository {
+    constructor(delegate) {
+        this.delegate = delegate;
+    }
+    /** Current request context (throws if missing — enforcement is never accidental). */
+    ctx() {
+        const c = als_1.authzAls.getStore();
+        if (!c)
+            throw new Error('[authz] ScopedRepository used outside a request context');
+        return c;
+    }
+    /** The underlying (extension-scoped) Prisma delegate. */
+    get scoped() {
+        this.ctx();
+        return this.delegate;
+    }
+}
+exports.ScopedRepository = ScopedRepository;
+//# sourceMappingURL=scoped-repository.js.map

package/dist/enforce/scoped-repository.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scoped-repository.js","sourceRoot":"","sources":["../../src/enforce/scoped-repository.ts"],"names":[],"mappings":";;;AAAA,mFAAmF;AACnF,qFAAqF;AACrF,sEAAsE;AACtE,wCAA0C;AAG1C,MAAa,gBAAgB;IAC3B,YAA6B,QAAmB;QAAnB,aAAQ,GAAR,QAAQ,CAAW;IAAG,CAAC;IAEpD,qFAAqF;IAC3E,GAAG;QACX,MAAM,CAAC,GAAG,cAAQ,CAAC,QAAQ,EAAE,CAAC;QAC9B,IAAI,CAAC,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;QACnF,OAAO,CAAC,CAAC;IACX,CAAC;IAED,yDAAyD;IACzD,IAAI,MAAM;QACR,IAAI,CAAC,GAAG,EAAE,CAAC;QACX,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;CACF;AAfD,4CAeC"}

package/dist/nest/authorize.decorator.d.ts

@@ -0,0 +1,3 @@
+import { type CustomDecorator } from '@nestjs/common';
+export declare function Authorize(action: string, subject: string): CustomDecorator;
+//# sourceMappingURL=authorize.decorator.d.ts.map

package/dist/nest/authorize.decorator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorize.decorator.d.ts","sourceRoot":"","sources":["../../src/nest/authorize.decorator.ts"],"names":[],"mappings":"AAMA,OAAO,EAAe,KAAK,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAGnE,wBAAgB,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,eAAe,CAE1E"}

package/dist/nest/authorize.decorator.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Authorize = Authorize;
+// Step 6 — declare the permission a route requires. Read by GlobalAuthzGuard.
+//
+//   @Authorize('read', 'JuridicalIndividual')
+//   @Get() findAll() { ... }
+//
+// Mode-gated by the guard (AUTHZ_ENFORCE_MODE): in 'off' this metadata is inert.
+const common_1 = require("@nestjs/common");
+const global_authz_guard_1 = require("./global-authz.guard");
+function Authorize(action, subject) {
+    return (0, common_1.SetMetadata)(global_authz_guard_1.AUTHZ_REQUIREMENT_KEY, { action, subject });
+}
+//# sourceMappingURL=authorize.decorator.js.map

package/dist/nest/authorize.decorator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorize.decorator.js","sourceRoot":"","sources":["../../src/nest/authorize.decorator.ts"],"names":[],"mappings":";;AASA,8BAEC;AAXD,8EAA8E;AAC9E,EAAE;AACF,8CAA8C;AAC9C,6BAA6B;AAC7B,EAAE;AACF,iFAAiF;AACjF,2CAAmE;AACnE,6DAAoF;AAEpF,SAAgB,SAAS,CAAC,MAAc,EAAE,OAAe;IACvD,OAAO,IAAA,oBAAW,EAAC,0CAAqB,EAAE,EAAE,MAAM,EAAE,OAAO,EAA6B,CAAC,CAAC;AAC5F,CAAC"}

package/dist/nest/global-authz.guard.d.ts

@@ -0,0 +1,34 @@
+import { type CanActivate, type ExecutionContext } from '@nestjs/common';
+import type { Reflector } from '@nestjs/core';
+import type { AuthzContext } from '../context/authz-context';
+export type EnforceMode = 'off' | 'shadow' | 'enforce';
+export declare const AUTHZ_REQUIREMENT_KEY = "skillera:authz:requirement";
+export declare const PUBLIC_KEY = "skillera:authz:public";
+export interface AuthzRequirement {
+    action: string;
+    subject: string;
+}
+/** Resolves the ability + context for an HTTP request (gateway-specific impl supplies it). */
+export interface AbilityResolver {
+    resolve(req: unknown): Promise<AuthzContext | null>;
+}
+export interface GlobalAuthzGuardOptions {
+    mode?: EnforceMode;
+    /**
+     * Fallback requirement source, consulted when a route has no @Authorize.
+     * Lets a host reuse pre-existing route metadata (e.g. the gateway's legacy
+     * @CheckPolicies) instead of re-decorating every endpoint. Returns null when
+     * the route genuinely has no requirement (→ default-deny still applies).
+     */
+    requirementResolver?: (context: ExecutionContext, reflector: Reflector) => AuthzRequirement | null;
+}
+export declare class GlobalAuthzGuard implements CanActivate {
+    private readonly reflector;
+    private readonly resolver;
+    private readonly logger;
+    private readonly mode;
+    private readonly requirementResolver?;
+    constructor(reflector: Reflector, resolver: AbilityResolver, opts?: GlobalAuthzGuardOptions | EnforceMode);
+    canActivate(context: ExecutionContext): Promise<boolean>;
+}
+//# sourceMappingURL=global-authz.guard.d.ts.map

package/dist/nest/global-authz.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"global-authz.guard.d.ts","sourceRoot":"","sources":["../../src/nest/global-authz.guard.ts"],"names":[],"mappings":"AAYA,OAAO,EAIL,KAAK,WAAW,EAChB,KAAK,gBAAgB,EACtB,MAAM,gBAAgB,CAAC;AACxB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAE9C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAE7D,MAAM,MAAM,WAAW,GAAG,KAAK,GAAG,QAAQ,GAAG,SAAS,CAAC;AACvD,eAAO,MAAM,qBAAqB,+BAA+B,CAAC;AAClE,eAAO,MAAM,UAAU,0BAA0B,CAAC;AAElD,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,8FAA8F;AAC9F,MAAM,WAAW,eAAe;IAC9B,OAAO,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAAC;CACrD;AAED,MAAM,WAAW,uBAAuB;IACtC,IAAI,CAAC,EAAE,WAAW,CAAC;IACnB;;;;;OAKG;IACH,mBAAmB,CAAC,EAAE,CAAC,OAAO,EAAE,gBAAgB,EAAE,SAAS,EAAE,SAAS,KAAK,gBAAgB,GAAG,IAAI,CAAC;CACpG;AAED,qBACa,gBAAiB,YAAW,WAAW;IAMhD,OAAO,CAAC,QAAQ,CAAC,SAAS;IAC1B,OAAO,CAAC,QAAQ,CAAC,QAAQ;IAN3B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAA6B;IACpD,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAc;IACnC,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAiD;gBAGnE,SAAS,EAAE,SAAS,EACpB,QAAQ,EAAE,eAAe,EAC1C,IAAI,GAAE,uBAAuB,GAAG,WAAgB;IAQ5C,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;CAwC/D"}

package/dist/nest/global-authz.guard.js

@@ -0,0 +1,82 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GlobalAuthzGuard = exports.PUBLIC_KEY = exports.AUTHZ_REQUIREMENT_KEY = void 0;
+// Step 6 — gateway route-level enforcement (default-deny).
+//
+// Resolves the request's CASL ability (via a pluggable AbilityResolver — at the gateway,
+// that fetches the user's permission snapshot from Redis/skillID), then checks the route's
+// @Authorize(action, subject) requirement. Runs the rest of the request inside authzAls.run
+// so the signing client / downstream propagation see the context.
+//
+// Mode (AUTHZ_ENFORCE_MODE, default 'off'):
+//   off     → allow (no resolution, zero behaviour change).
+//   shadow  → resolve + log would-deny, but ALLOW.
+//   enforce → default-deny: a route with no @Authorize and no @Public → 403; otherwise
+//             allow iff ability.can(action, subject).
+const common_1 = require("@nestjs/common");
+const als_1 = require("../context/als");
+exports.AUTHZ_REQUIREMENT_KEY = 'skillera:authz:requirement';
+exports.PUBLIC_KEY = 'skillera:authz:public';
+let GlobalAuthzGuard = class GlobalAuthzGuard {
+    constructor(reflector, resolver, opts = {}) {
+        this.reflector = reflector;
+        this.resolver = resolver;
+        this.logger = new common_1.Logger('GlobalAuthz');
+        // Back-compat: a bare mode string is still accepted.
+        const o = typeof opts === 'string' ? { mode: opts } : opts;
+        this.mode = o.mode ?? process.env.AUTHZ_ENFORCE_MODE ?? 'off';
+        this.requirementResolver = o.requirementResolver;
+    }
+    async canActivate(context) {
+        if (this.mode === 'off' || context.getType() !== 'http')
+            return true;
+        const isPublic = this.reflector.getAllAndOverride(exports.PUBLIC_KEY, [context.getHandler(), context.getClass()]);
+        if (isPublic)
+            return true;
+        const requirement = this.reflector.getAllAndOverride(exports.AUTHZ_REQUIREMENT_KEY, [
+            context.getHandler(),
+            context.getClass(),
+        ]) ?? this.requirementResolver?.(context, this.reflector) ?? undefined;
+        const req = context.switchToHttp().getRequest();
+        const ctx = await this.resolver.resolve(req);
+        // Make the ability/context available downstream (signing client, etc.) for this request.
+        if (ctx) {
+            const als = als_1.authzAls.getStore();
+            if (als)
+                Object.assign(als, ctx);
+            else
+                req._authzCtx = ctx;
+        }
+        // Default-deny: a protected route MUST declare @Authorize (or @Public).
+        if (!requirement) {
+            if (this.mode === 'shadow') {
+                this.logger.warn(`shadow would-deny: ${req?.method} ${req?.url} has no @Authorize`);
+                return true;
+            }
+            throw new common_1.ForbiddenException('authz: endpoint has no permission requirement (@Authorize) declared');
+        }
+        const allowed = !!ctx?.ability?.can(requirement.action, requirement.subject);
+        if (allowed)
+            return true;
+        if (this.mode === 'shadow') {
+            this.logger.warn(`shadow would-deny ${requirement.action}:${requirement.subject} for user=${ctx?.userId ?? '?'} (${req?.method} ${req?.url})`);
+            return true;
+        }
+        throw new common_1.ForbiddenException(`authz: missing permission ${requirement.action}:${requirement.subject}`);
+    }
+};
+exports.GlobalAuthzGuard = GlobalAuthzGuard;
+exports.GlobalAuthzGuard = GlobalAuthzGuard = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [Function, Object, Object])
+], GlobalAuthzGuard);
+//# sourceMappingURL=global-authz.guard.js.map

package/dist/nest/global-authz.guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"global-authz.guard.js","sourceRoot":"","sources":["../../src/nest/global-authz.guard.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,2DAA2D;AAC3D,EAAE;AACF,yFAAyF;AACzF,2FAA2F;AAC3F,4FAA4F;AAC5F,kEAAkE;AAClE,EAAE;AACF,4CAA4C;AAC5C,4DAA4D;AAC5D,mDAAmD;AACnD,uFAAuF;AACvF,sDAAsD;AACtD,2CAMwB;AAExB,wCAA0C;AAI7B,QAAA,qBAAqB,GAAG,4BAA4B,CAAC;AACrD,QAAA,UAAU,GAAG,uBAAuB,CAAC;AAwB3C,IAAM,gBAAgB,GAAtB,MAAM,gBAAgB;IAK3B,YACmB,SAAoB,EACpB,QAAyB,EAC1C,OAA8C,EAAE;QAF/B,cAAS,GAAT,SAAS,CAAW;QACpB,aAAQ,GAAR,QAAQ,CAAiB;QAN3B,WAAM,GAAG,IAAI,eAAM,CAAC,aAAa,CAAC,CAAC;QASlD,qDAAqD;QACrD,MAAM,CAAC,GAA4B,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QACpF,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,IAAK,OAAO,CAAC,GAAG,CAAC,kBAAkC,IAAI,KAAK,CAAC;QAC/E,IAAI,CAAC,mBAAmB,GAAG,CAAC,CAAC,mBAAmB,CAAC;IACnD,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,OAAyB;QACzC,IAAI,IAAI,CAAC,IAAI,KAAK,KAAK,IAAI,OAAO,CAAC,OAAO,EAAE,KAAK,MAAM;YAAE,OAAO,IAAI,CAAC;QAErE,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAAU,kBAAU,EAAE,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;QACnH,IAAI,QAAQ;YAAE,OAAO,IAAI,CAAC;QAE1B,MAAM,WAAW,GACf,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAAmB,6BAAqB,EAAE;YACxE,OAAO,CAAC,UAAU,EAAE;YACpB,OAAO,CAAC,QAAQ,EAAE;SACnB,CAAC,IAAI,IAAI,CAAC,mBAAmB,EAAE,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC;QAEzE,MAAM,GAAG,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAE,CAAC;QAChD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAE7C,yFAAyF;QACzF,IAAI,GAAG,EAAE,CAAC;YACR,MAAM,GAAG,GAAG,cAAQ,CAAC,QAAQ,EAAE,CAAC;YAChC,IAAI,GAAG;gBAAE,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;;gBAC3B,GAAoC,CAAC,SAAS,GAAG,GAAG,CAAC;QAC7D,CAAC;QAED,wEAAwE;QACxE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC3B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,sBAAsB,GAAG,EAAE,MAAM,IAAI,GAAG,EAAE,GAAG,oBAAoB,CAAC,CAAC;gBACpF,OAAO,IAAI,CAAC;YACd,CAAC;YACD,MAAM,IAAI,2BAAkB,CAAC,qEAAqE,CAAC,CAAC;QACtG,CAAC;QAED,MAAM,OAAO,GAAG,CAAC,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,CAAC,WAAW,CAAC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;QAC7E,IAAI,OAAO;YAAE,OAAO,IAAI,CAAC;QAEzB,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC3B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,qBAAqB,WAAW,CAAC,MAAM,IAAI,WAAW,CAAC,OAAO,aAAa,GAAG,EAAE,MAAM,IAAI,GAAG,KAAK,GAAG,EAAE,MAAM,IAAI,GAAG,EAAE,GAAG,GAAG,CAAC,CAAC;YAC/I,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,IAAI,2BAAkB,CAAC,6BAA6B,WAAW,CAAC,MAAM,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC,CAAC;IACzG,CAAC;CACF,CAAA;AAxDY,4CAAgB;2BAAhB,gBAAgB;IAD5B,IAAA,mBAAU,GAAE;;GACA,gBAAgB,CAwD5B"}

package/dist/nest/index.d.ts

@@ -3,4 +3,7 @@ export * from './nats-scoped-client.proxy';
 export * from './internal-auth.interceptor';
 export * from './authz-context.middleware';
 export * from './authz-context.interceptor';
+export * from './global-authz.guard';
+export * from './public.decorator';
+export * from './authorize.decorator';
 //# sourceMappingURL=index.d.ts.map

package/dist/nest/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/nest/index.ts"],"names":[],"mappings":"AAGA,cAAc,gCAAgC,CAAC;AAC/C,cAAc,4BAA4B,CAAC;AAC3C,cAAc,6BAA6B,CAAC;AAC5C,cAAc,4BAA4B,CAAC;AAC3C,cAAc,6BAA6B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/nest/index.ts"],"names":[],"mappings":"AAGA,cAAc,gCAAgC,CAAC;AAC/C,cAAc,4BAA4B,CAAC;AAC3C,cAAc,6BAA6B,CAAC;AAC5C,cAAc,4BAA4B,CAAC;AAC3C,cAAc,6BAA6B,CAAC;AAC5C,cAAc,sBAAsB,CAAC;AACrC,cAAc,oBAAoB,CAAC;AACnC,cAAc,uBAAuB,CAAC"}

package/dist/nest/index.js

@@ -22,4 +22,7 @@ __exportStar(require("./nats-scoped-client.proxy"), exports);
 __exportStar(require("./internal-auth.interceptor"), exports);
 __exportStar(require("./authz-context.middleware"), exports);
 __exportStar(require("./authz-context.interceptor"), exports);
+__exportStar(require("./global-authz.guard"), exports);
+__exportStar(require("./public.decorator"), exports);
+__exportStar(require("./authorize.decorator"), exports);
 //# sourceMappingURL=index.js.map

package/dist/nest/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/nest/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,yFAAyF;AACzF,mFAAmF;AACnF,iCAAiC;AACjC,iEAA+C;AAC/C,6DAA2C;AAC3C,8DAA4C;AAC5C,6DAA2C;AAC3C,8DAA4C"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/nest/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,yFAAyF;AACzF,mFAAmF;AACnF,iCAAiC;AACjC,iEAA+C;AAC/C,6DAA2C;AAC3C,8DAA4C;AAC5C,6DAA2C;AAC3C,8DAA4C;AAC5C,uDAAqC;AACrC,qDAAmC;AACnC,wDAAsC"}

package/dist/nest/public.decorator.d.ts

@@ -0,0 +1,3 @@
+import { type CustomDecorator } from '@nestjs/common';
+export declare function Public(): CustomDecorator;
+//# sourceMappingURL=public.decorator.d.ts.map

package/dist/nest/public.decorator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"public.decorator.d.ts","sourceRoot":"","sources":["../../src/nest/public.decorator.ts"],"names":[],"mappings":"AACA,OAAO,EAAe,KAAK,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAGnE,wBAAgB,MAAM,IAAI,eAAe,CAExC"}

package/dist/nest/public.decorator.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Public = Public;
+// Step 6 — opt a route out of default-deny (login, health, public pages).
+const common_1 = require("@nestjs/common");
+const global_authz_guard_1 = require("./global-authz.guard");
+function Public() {
+    return (0, common_1.SetMetadata)(global_authz_guard_1.PUBLIC_KEY, true);
+}
+//# sourceMappingURL=public.decorator.js.map

package/dist/nest/public.decorator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"public.decorator.js","sourceRoot":"","sources":["../../src/nest/public.decorator.ts"],"names":[],"mappings":";;AAIA,wBAEC;AAND,0EAA0E;AAC1E,2CAAmE;AACnE,6DAAkD;AAElD,SAAgB,MAAM;IACpB,OAAO,IAAA,oBAAW,EAAC,+BAAU,EAAE,IAAI,CAAC,CAAC;AACvC,CAAC"}

package/dist/snapshot/ability-builder.d.ts

@@ -0,0 +1,22 @@
+import type { AuthzContext } from '../context/authz-context';
+import type { ResourceRegistry } from '../resource-registry';
+import type { AbilityRule } from './snapshot.envelope';
+export type Scope = 'GLOBAL' | 'TENANT' | 'OWN' | 'CONNECTED' | 'PROVIDER' | 'CUSTOMER';
+export interface Grant {
+    action: string;
+    /** subject literal, or 'all' for the CASL wildcard (system tier). */
+    subject: string;
+    scope: Scope;
+    /** field-level allow-list; empty/absent = all fields. */
+    fields?: string[];
+    inverted?: boolean;
+}
+/**
+ * Grants → serialized CASL rules. GLOBAL scope (and the 'all' wildcard) emit no
+ * conditions (unrestricted within the grant); every other scope pulls the manifest's
+ * `scopes[scope]` template and substitutes the $ctx placeholders against `ctx`.
+ */
+export declare function buildRulesFromGrants(grants: Grant[], registry: ResourceRegistry, ctx: AuthzContext): AbilityRule[];
+/** Rehydrate a PrismaAbility from serialized rules (snapshot → runtime). */
+export declare function hydrateAbility(rules: AbilityRule[]): import("@casl/ability").PureAbility<any, any>;
+//# sourceMappingURL=ability-builder.d.ts.map

package/dist/snapshot/ability-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ability-builder.d.ts","sourceRoot":"","sources":["../../src/snapshot/ability-builder.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAEvD,MAAM,MAAM,KAAK,GAAG,QAAQ,GAAG,QAAQ,GAAG,KAAK,GAAG,WAAW,GAAG,UAAU,GAAG,UAAU,CAAC;AAExF,MAAM,WAAW,KAAK;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,qEAAqE;IACrE,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,KAAK,CAAC;IACb,yDAAyD;IACzD,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,KAAK,EAAE,EACf,QAAQ,EAAE,gBAAgB,EAC1B,GAAG,EAAE,YAAY,GAChB,WAAW,EAAE,CAiBf;AAED,4EAA4E;AAC5E,wBAAgB,cAAc,CAAC,KAAK,EAAE,WAAW,EAAE,iDAElD"}

package/dist/snapshot/ability-builder.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildRulesFromGrants = buildRulesFromGrants;
+exports.hydrateAbility = hydrateAbility;
+// Step 4 builder core — turn a user's role-permission GRANTS into CASL rules, then a
+// PrismaAbility. A grant = (action × subject × scope [× fields]); the scope is resolved
+// to a Prisma where via the resource manifest's scope template + substituteContext.
+// (skillID flattens its 3-tier RBAC into grants and calls this.)
+const prisma_1 = require("@casl/prisma");
+const scope_substitute_1 = require("../scope-substitute");
+/**
+ * Grants → serialized CASL rules. GLOBAL scope (and the 'all' wildcard) emit no
+ * conditions (unrestricted within the grant); every other scope pulls the manifest's
+ * `scopes[scope]` template and substitutes the $ctx placeholders against `ctx`.
+ */
+function buildRulesFromGrants(grants, registry, ctx) {
+    const rules = [];
+    for (const g of grants) {
+        const rule = { action: g.action, subject: g.subject };
+        if (g.fields && g.fields.length)
+            rule.fields = g.fields;
+        if (g.inverted)
+            rule.inverted = true;
+        if (g.scope === 'GLOBAL' || g.subject === 'all') {
+            rules.push(rule);
+            continue;
+        }
+        const template = registry.get(g.subject)?.scopes?.[g.scope];
+        if (!template)
+            continue; // scope not declared for this subject (authz:check guards this)
+        rule.conditions = (0, scope_substitute_1.substituteContext)(template, ctx);
+        rules.push(rule);
+    }
+    return rules;
+}
+/** Rehydrate a PrismaAbility from serialized rules (snapshot → runtime). */
+function hydrateAbility(rules) {
+    return (0, prisma_1.createPrismaAbility)(rules);
+}
+//# sourceMappingURL=ability-builder.js.map

package/dist/snapshot/ability-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ability-builder.js","sourceRoot":"","sources":["../../src/snapshot/ability-builder.ts"],"names":[],"mappings":";;AA2BA,oDAqBC;AAGD,wCAEC;AArDD,qFAAqF;AACrF,wFAAwF;AACxF,oFAAoF;AACpF,iEAAiE;AACjE,yCAAmD;AACnD,0DAAwD;AAiBxD;;;;GAIG;AACH,SAAgB,oBAAoB,CAClC,MAAe,EACf,QAA0B,EAC1B,GAAiB;IAEjB,MAAM,KAAK,GAAkB,EAAE,CAAC;IAChC,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,MAAM,IAAI,GAAgB,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC;QACnE,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM;YAAE,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC;QACxD,IAAI,CAAC,CAAC,QAAQ;YAAE,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;QAErC,IAAI,CAAC,CAAC,KAAK,KAAK,QAAQ,IAAI,CAAC,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;YAChD,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjB,SAAS;QACX,CAAC;QACD,MAAM,QAAQ,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QAC5D,IAAI,CAAC,QAAQ;YAAE,SAAS,CAAC,gEAAgE;QACzF,IAAI,CAAC,UAAU,GAAG,IAAA,oCAAiB,EAAC,QAAQ,EAAE,GAAG,CAA4B,CAAC;QAC9E,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnB,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,4EAA4E;AAC5E,SAAgB,cAAc,CAAC,KAAoB;IACjD,OAAO,IAAA,4BAAmB,EAAC,KAAkD,CAAC,CAAC;AACjF,CAAC"}

package/dist/snapshot/distributed-lock.d.ts

@@ -0,0 +1,19 @@
+import type Redis from 'ioredis';
+export declare const DEFAULT_LOCK_PREFIX = "authz:lock:";
+export declare const DEFAULT_LOCK_TTL_SEC = 10;
+export declare const DEFAULT_BACKOFF_MS: number[];
+export declare class DistributedLock {
+    private readonly redis;
+    private readonly prefix;
+    constructor(redis: Redis, prefix?: string);
+    /** SET key owner EX ttl NX → true if acquired. */
+    acquire(key: string, owner: string, ttlSec?: number): Promise<boolean>;
+    /** Release only if still owned (compare-and-delete, avoids deleting a re-acquired lock). */
+    release(key: string, owner: string): Promise<void>;
+    /**
+     * Lock loser path: poll `read` with backoff, returning the first non-null result.
+     * Returns null if all attempts are exhausted (→ caller falls back to a direct build).
+     */
+    pollForResult<T>(read: () => Promise<T | null>, backoffMs?: number[]): Promise<T | null>;
+}
+//# sourceMappingURL=distributed-lock.d.ts.map

package/dist/snapshot/distributed-lock.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"distributed-lock.d.ts","sourceRoot":"","sources":["../../src/snapshot/distributed-lock.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,KAAK,MAAM,SAAS,CAAC;AAIjC,eAAO,MAAM,mBAAmB,gBAAgB,CAAC;AACjD,eAAO,MAAM,oBAAoB,KAAK,CAAC;AACvC,eAAO,MAAM,kBAAkB,UAAmB,CAAC;AAEnD,qBAAa,eAAe;IAExB,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,MAAM;gBADN,KAAK,EAAE,KAAK,EACZ,MAAM,GAAE,MAA4B;IAGvD,kDAAkD;IAC5C,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,SAAuB,GAAG,OAAO,CAAC,OAAO,CAAC;IAI1F,4FAA4F;IACtF,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAMxD;;;OAGG;IACG,aAAa,CAAC,CAAC,EACnB,IAAI,EAAE,MAAM,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,EAC7B,SAAS,GAAE,MAAM,EAAuB,GACvC,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC;CAQrB"}

package/dist/snapshot/distributed-lock.js

@@ -0,0 +1,37 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DistributedLock = exports.DEFAULT_BACKOFF_MS = exports.DEFAULT_LOCK_TTL_SEC = exports.DEFAULT_LOCK_PREFIX = void 0;
+const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
+exports.DEFAULT_LOCK_PREFIX = 'authz:lock:';
+exports.DEFAULT_LOCK_TTL_SEC = 10;
+exports.DEFAULT_BACKOFF_MS = [5, 15, 50, 150];
+class DistributedLock {
+    constructor(redis, prefix = exports.DEFAULT_LOCK_PREFIX) {
+        this.redis = redis;
+        this.prefix = prefix;
+    }
+    /** SET key owner EX ttl NX → true if acquired. */
+    async acquire(key, owner, ttlSec = exports.DEFAULT_LOCK_TTL_SEC) {
+        return (await this.redis.set(this.prefix + key, owner, 'EX', ttlSec, 'NX')) === 'OK';
+    }
+    /** Release only if still owned (compare-and-delete, avoids deleting a re-acquired lock). */
+    async release(key, owner) {
+        const lua = "if redis.call('get', KEYS[1]) == ARGV[1] then return redis.call('del', KEYS[1]) else return 0 end";
+        await this.redis.eval(lua, 1, this.prefix + key, owner);
+    }
+    /**
+     * Lock loser path: poll `read` with backoff, returning the first non-null result.
+     * Returns null if all attempts are exhausted (→ caller falls back to a direct build).
+     */
+    async pollForResult(read, backoffMs = exports.DEFAULT_BACKOFF_MS) {
+        for (const wait of backoffMs) {
+            await sleep(wait);
+            const v = await read();
+            if (v != null)
+                return v;
+        }
+        return null;
+    }
+}
+exports.DistributedLock = DistributedLock;
+//# sourceMappingURL=distributed-lock.js.map

package/dist/snapshot/distributed-lock.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"distributed-lock.js","sourceRoot":"","sources":["../../src/snapshot/distributed-lock.ts"],"names":[],"mappings":";;;AAKA,MAAM,KAAK,GAAG,CAAC,EAAU,EAAE,EAAE,CAAC,IAAI,OAAO,CAAO,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;AAE7D,QAAA,mBAAmB,GAAG,aAAa,CAAC;AACpC,QAAA,oBAAoB,GAAG,EAAE,CAAC;AAC1B,QAAA,kBAAkB,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;AAEnD,MAAa,eAAe;IAC1B,YACmB,KAAY,EACZ,SAAiB,2BAAmB;QADpC,UAAK,GAAL,KAAK,CAAO;QACZ,WAAM,GAAN,MAAM,CAA8B;IACpD,CAAC;IAEJ,kDAAkD;IAClD,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,KAAa,EAAE,MAAM,GAAG,4BAAoB;QACrE,OAAO,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,GAAG,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC,KAAK,IAAI,CAAC;IACvF,CAAC;IAED,4FAA4F;IAC5F,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,KAAa;QACtC,MAAM,GAAG,GACP,mGAAmG,CAAC;QACtG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,EAAE,IAAI,CAAC,MAAM,GAAG,GAAG,EAAE,KAAK,CAAC,CAAC;IAC1D,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,aAAa,CACjB,IAA6B,EAC7B,YAAsB,0BAAkB;QAExC,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,MAAM,KAAK,CAAC,IAAI,CAAC,CAAC;YAClB,MAAM,CAAC,GAAG,MAAM,IAAI,EAAE,CAAC;YACvB,IAAI,CAAC,IAAI,IAAI;gBAAE,OAAO,CAAC,CAAC;QAC1B,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAjCD,0CAiCC"}

package/dist/snapshot/index.d.ts

@@ -0,0 +1,7 @@
+export * from './snapshot.envelope';
+export * from './ability-builder';
+export * from './perm-hash';
+export * from './l1-cache';
+export * from './distributed-lock';
+export * from './snapshot.store';
+//# sourceMappingURL=index.d.ts.map

package/dist/snapshot/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/snapshot/index.ts"],"names":[],"mappings":"AAGA,cAAc,qBAAqB,CAAC;AACpC,cAAc,mBAAmB,CAAC;AAClC,cAAc,aAAa,CAAC;AAC5B,cAAc,YAAY,CAAC;AAC3B,cAAc,oBAAoB,CAAC;AACnC,cAAc,kBAAkB,CAAC"}

package/dist/snapshot/index.js

@@ -0,0 +1,26 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+// @generazioneai/authz/snapshot — Step 4 permission snapshot primitives.
+// Pure core (envelope, perm-hash) + Redis-backed pieces (store, lock) + in-process L1.
+// The NestJS resolver/subscriber + skillID builder/emitter are wired in the services.
+__exportStar(require("./snapshot.envelope"), exports);
+__exportStar(require("./ability-builder"), exports);
+__exportStar(require("./perm-hash"), exports);
+__exportStar(require("./l1-cache"), exports);
+__exportStar(require("./distributed-lock"), exports);
+__exportStar(require("./snapshot.store"), exports);
+//# sourceMappingURL=index.js.map

package/dist/snapshot/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/snapshot/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,yEAAyE;AACzE,uFAAuF;AACvF,sFAAsF;AACtF,sDAAoC;AACpC,oDAAkC;AAClC,8CAA4B;AAC5B,6CAA2B;AAC3B,qDAAmC;AACnC,mDAAiC"}

package/dist/snapshot/l1-cache.d.ts

@@ -0,0 +1,16 @@
+import type { SnapshotEnvelope } from './snapshot.envelope';
+export interface L1Options {
+    max?: number;
+    ttlMs?: number;
+}
+export declare class L1SnapshotCache {
+    private readonly cache;
+    constructor(opts?: L1Options);
+    private key;
+    get(userId: string, actingJuridicalId?: string): SnapshotEnvelope | undefined;
+    set(env: SnapshotEnvelope): void;
+    /** Evict one tenant entry, or ALL entries for a user when actingJuridicalId is omitted. */
+    evict(userId: string, actingJuridicalId?: string): number;
+    clear(): void;
+}
+//# sourceMappingURL=l1-cache.d.ts.map

package/dist/snapshot/l1-cache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"l1-cache.d.ts","sourceRoot":"","sources":["../../src/snapshot/l1-cache.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAE5D,MAAM,WAAW,SAAS;IACxB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAqC;gBAE/C,IAAI,GAAE,SAAc;IAOhC,OAAO,CAAC,GAAG;IAIX,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,iBAAiB,CAAC,EAAE,MAAM,GAAG,gBAAgB,GAAG,SAAS;IAI7E,GAAG,CAAC,GAAG,EAAE,gBAAgB,GAAG,IAAI;IAIhC,2FAA2F;IAC3F,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,iBAAiB,CAAC,EAAE,MAAM,GAAG,MAAM;IAezD,KAAK,IAAI,IAAI;CAGd"}

package/dist/snapshot/l1-cache.js

@@ -0,0 +1,43 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.L1SnapshotCache = void 0;
+// Step 4 DEC-S4.5/10 — in-process L1 snapshot cache (TTL 30s = Redis TTL / 2, so an L1
+// hit never outlives a revoke that already hit Redis). Keyed by (userId, actingJuridicalId).
+const lru_cache_1 = require("lru-cache");
+class L1SnapshotCache {
+    constructor(opts = {}) {
+        this.cache = new lru_cache_1.LRUCache({
+            max: opts.max ?? 2000,
+            ttl: opts.ttlMs ?? 30_000,
+        });
+    }
+    key(userId, actingJuridicalId) {
+        return `${userId}:${actingJuridicalId ?? ''}`;
+    }
+    get(userId, actingJuridicalId) {
+        return this.cache.get(this.key(userId, actingJuridicalId));
+    }
+    set(env) {
+        this.cache.set(this.key(env.userId, env.actingJuridicalId), env);
+    }
+    /** Evict one tenant entry, or ALL entries for a user when actingJuridicalId is omitted. */
+    evict(userId, actingJuridicalId) {
+        if (actingJuridicalId !== undefined) {
+            return this.cache.delete(this.key(userId, actingJuridicalId)) ? 1 : 0;
+        }
+        const prefix = `${userId}:`;
+        let n = 0;
+        for (const k of this.cache.keys()) {
+            if (k.startsWith(prefix)) {
+                this.cache.delete(k);
+                n++;
+            }
+        }
+        return n;
+    }
+    clear() {
+        this.cache.clear();
+    }
+}
+exports.L1SnapshotCache = L1SnapshotCache;
+//# sourceMappingURL=l1-cache.js.map

package/dist/snapshot/l1-cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"l1-cache.js","sourceRoot":"","sources":["../../src/snapshot/l1-cache.ts"],"names":[],"mappings":";;;AAAA,uFAAuF;AACvF,6FAA6F;AAC7F,yCAAqC;AAQrC,MAAa,eAAe;IAG1B,YAAY,OAAkB,EAAE;QAC9B,IAAI,CAAC,KAAK,GAAG,IAAI,oBAAQ,CAA2B;YAClD,GAAG,EAAE,IAAI,CAAC,GAAG,IAAI,IAAI;YACrB,GAAG,EAAE,IAAI,CAAC,KAAK,IAAI,MAAM;SAC1B,CAAC,CAAC;IACL,CAAC;IAEO,GAAG,CAAC,MAAc,EAAE,iBAA0B;QACpD,OAAO,GAAG,MAAM,IAAI,iBAAiB,IAAI,EAAE,EAAE,CAAC;IAChD,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,iBAA0B;QAC5C,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC,CAAC;IAC7D,CAAC;IAED,GAAG,CAAC,GAAqB;QACvB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,iBAAiB,CAAC,EAAE,GAAG,CAAC,CAAC;IACnE,CAAC;IAED,2FAA2F;IAC3F,KAAK,CAAC,MAAc,EAAE,iBAA0B;QAC9C,IAAI,iBAAiB,KAAK,SAAS,EAAE,CAAC;YACpC,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACxE,CAAC;QACD,MAAM,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC;QAC5B,IAAI,CAAC,GAAG,CAAC,CAAC;QACV,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC;YAClC,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBACzB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;gBACrB,CAAC,EAAE,CAAC;YACN,CAAC;QACH,CAAC;QACD,OAAO,CAAC,CAAC;IACX,CAAC;IAED,KAAK;QACH,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;CACF;AAzCD,0CAyCC"}

package/dist/snapshot/perm-hash.d.ts

@@ -0,0 +1,3 @@
+import type { AbilityRule } from './snapshot.envelope';
+export declare function computePermHash(rules: AbilityRule[]): string;
+//# sourceMappingURL=perm-hash.d.ts.map

package/dist/snapshot/perm-hash.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"perm-hash.d.ts","sourceRoot":"","sources":["../../src/snapshot/perm-hash.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AA2BvD,wBAAgB,eAAe,CAAC,KAAK,EAAE,WAAW,EAAE,GAAG,MAAM,CAM5D"}

package/dist/snapshot/perm-hash.js

@@ -0,0 +1,33 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.computePermHash = computePermHash;
+// Step 4 DEC-S4.7/8/9 — deterministic permission hash (128-bit, 32 hex).
+//
+// Two users with the same roles but different tenantId get DIFFERENT permHashes
+// (conditions are post-substitution → tenant-specific) — that is correct. The hash is
+// cross-pod deterministic: rules are normalized + sorted, then json-stable-stringify'd.
+const node_crypto_1 = require("node:crypto");
+const json_stable_stringify_1 = __importDefault(require("json-stable-stringify"));
+const asSortedArray = (v) => Array.isArray(v) ? [...v].sort() : v;
+const ruleKey = (r) => `${JSON.stringify(r.subject)}|${JSON.stringify(r.action)}|${r.inverted ? 1 : 0}`;
+/** Canonical, hash-relevant projection of a rule (excludes `reason`/metadata). */
+function normalize(r) {
+    return {
+        action: asSortedArray(r.action),
+        subject: asSortedArray(r.subject),
+        fields: r.fields && r.fields.length ? [...r.fields].sort() : undefined,
+        conditions: r.conditions ?? undefined,
+        inverted: r.inverted ?? false,
+    };
+}
+function computePermHash(rules) {
+    const normalized = rules
+        .map(normalize)
+        .sort((a, b) => ruleKey(a).localeCompare(ruleKey(b)));
+    const canonical = (0, json_stable_stringify_1.default)(normalized) ?? '[]';
+    return (0, node_crypto_1.createHash)('sha256').update(canonical).digest('hex').slice(0, 32);
+}
+//# sourceMappingURL=perm-hash.js.map

package/dist/snapshot/perm-hash.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"perm-hash.js","sourceRoot":"","sources":["../../src/snapshot/perm-hash.ts"],"names":[],"mappings":";;;;;AAkCA,0CAMC;AAxCD,yEAAyE;AACzE,EAAE;AACF,gFAAgF;AAChF,sFAAsF;AACtF,wFAAwF;AACxF,6CAAyC;AACzC,kFAAoD;AAWpD,MAAM,aAAa,GAAG,CAAC,CAAoB,EAAqB,EAAE,CAChE,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;AAEvC,MAAM,OAAO,GAAG,CAAC,CAAiB,EAAU,EAAE,CAC5C,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AAEnF,kFAAkF;AAClF,SAAS,SAAS,CAAC,CAAc;IAC/B,OAAO;QACL,MAAM,EAAE,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC;QAC/B,OAAO,EAAE,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC;QACjC,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS;QACtE,UAAU,EAAE,CAAC,CAAC,UAAU,IAAI,SAAS;QACrC,QAAQ,EAAE,CAAC,CAAC,QAAQ,IAAI,KAAK;KAC9B,CAAC;AACJ,CAAC;AAED,SAAgB,eAAe,CAAC,KAAoB;IAClD,MAAM,UAAU,GAAG,KAAK;SACrB,GAAG,CAAC,SAAS,CAAC;SACd,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACxD,MAAM,SAAS,GAAG,IAAA,+BAAe,EAAC,UAAU,CAAC,IAAI,IAAI,CAAC;IACtD,OAAO,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAC3E,CAAC"}

package/dist/snapshot/snapshot.envelope.d.ts

@@ -0,0 +1,36 @@
+import type { AccreditedAs, ConnectedEdges } from '../context/authz-context';
+export declare const SNAPSHOT_SCHEMA_VERSION = 1;
+/** A serialized CASL rule (post $ctx-substitution). Shape accepted by createPrismaAbility. */
+export interface AbilityRule {
+    action: string | string[];
+    subject: string | string[];
+    /** Field-level allow-list (Step 1 fields[]). Empty/absent = all fields. */
+    fields?: string[];
+    /** Prisma WhereInput-shaped conditions (already substituted; no $ctx left). */
+    conditions?: Record<string, unknown>;
+    /** CASL `cannot` rule. */
+    inverted?: boolean;
+    /** Audit-only; excluded from permHash. */
+    reason?: string;
+}
+export interface SnapshotEnvelope {
+    schemaVersion: number;
+    snapId: string;
+    userId: string;
+    actingJuridicalId?: string;
+    /** sha256(canonical(sortedRules)) truncated to 32 hex (Step 4 DEC-S4.7/9). */
+    permHash: string;
+    /** epoch ms — drives refresh-ahead (DEC-S4.30). */
+    builtAt: number;
+    rules: AbilityRule[];
+    connected: ConnectedEdges;
+    accreditedAs: AccreditedAs;
+    /** Set when the rules blob was lz4-compressed (DEC-S4.27). Day-1: null. */
+    compressed?: 'lz4' | null;
+}
+/**
+ * Opaque snapshot id (DEC-S4.4): doesn't leak userId, idempotent per 1s build bucket.
+ * blake3 in the plan; sha256 here keeps zero extra deps (opacity is what matters).
+ */
+export declare function computeSnapId(userId: string, actingJuridicalId: string | undefined, builtAtMs: number): string;
+//# sourceMappingURL=snapshot.envelope.d.ts.map

package/dist/snapshot/snapshot.envelope.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"snapshot.envelope.d.ts","sourceRoot":"","sources":["../../src/snapshot/snapshot.envelope.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAE7E,eAAO,MAAM,uBAAuB,IAAI,CAAC;AAEzC,8FAA8F;AAC9F,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC1B,OAAO,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC3B,2EAA2E;IAC3E,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,+EAA+E;IAC/E,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,0BAA0B;IAC1B,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,0CAA0C;IAC1C,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,8EAA8E;IAC9E,QAAQ,EAAE,MAAM,CAAC;IACjB,mDAAmD;IACnD,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,SAAS,EAAE,cAAc,CAAC;IAC1B,YAAY,EAAE,YAAY,CAAC;IAC3B,2EAA2E;IAC3E,UAAU,CAAC,EAAE,KAAK,GAAG,IAAI,CAAC;CAC3B;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAC3B,MAAM,EAAE,MAAM,EACd,iBAAiB,EAAE,MAAM,GAAG,SAAS,EACrC,SAAS,EAAE,MAAM,GAChB,MAAM,CAMR"}

package/dist/snapshot/snapshot.envelope.js

@@ -0,0 +1,23 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SNAPSHOT_SCHEMA_VERSION = void 0;
+exports.computeSnapId = computeSnapId;
+// Step 4 DEC-S4.1/3 — the permission snapshot envelope cached in Redis.
+//
+// skillID builds it (rules already $ctx-substituted), stores it under an opaque snapId;
+// the gateway/downstream fetch it by snapId (carried in the Step 2 JWT `snap` claim) and
+// rehydrate the CASL ability via createPrismaAbility(rules).
+const node_crypto_1 = require("node:crypto");
+exports.SNAPSHOT_SCHEMA_VERSION = 1;
+/**
+ * Opaque snapshot id (DEC-S4.4): doesn't leak userId, idempotent per 1s build bucket.
+ * blake3 in the plan; sha256 here keeps zero extra deps (opacity is what matters).
+ */
+function computeSnapId(userId, actingJuridicalId, builtAtMs) {
+    const bucket = Math.floor(builtAtMs / 1000);
+    return (0, node_crypto_1.createHash)('sha256')
+        .update(`${userId}:${actingJuridicalId ?? ''}:${bucket}`)
+        .digest('hex')
+        .slice(0, 22);
+}
+//# sourceMappingURL=snapshot.envelope.js.map

package/dist/snapshot/snapshot.envelope.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"snapshot.envelope.js","sourceRoot":"","sources":["../../src/snapshot/snapshot.envelope.ts"],"names":[],"mappings":";;;AA4CA,sCAUC;AAtDD,wEAAwE;AACxE,EAAE;AACF,wFAAwF;AACxF,yFAAyF;AACzF,6DAA6D;AAC7D,6CAAyC;AAG5B,QAAA,uBAAuB,GAAG,CAAC,CAAC;AAgCzC;;;GAGG;AACH,SAAgB,aAAa,CAC3B,MAAc,EACd,iBAAqC,EACrC,SAAiB;IAEjB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;IAC5C,OAAO,IAAA,wBAAU,EAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,GAAG,MAAM,IAAI,iBAAiB,IAAI,EAAE,IAAI,MAAM,EAAE,CAAC;SACxD,MAAM,CAAC,KAAK,CAAC;SACb,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAClB,CAAC"}

package/dist/snapshot/snapshot.store.d.ts

@@ -0,0 +1,24 @@
+import type Redis from 'ioredis';
+import type { SnapshotEnvelope } from './snapshot.envelope';
+export declare const SNAP_PREFIX = "authz:snap:";
+export declare const CURRENT_PREFIX = "authz:user:";
+export declare const ROLE_PREFIX = "authz:role:";
+export declare const DEFAULT_SNAPSHOT_TTL_SEC = 60;
+export declare class RedisSnapshotStore {
+    private readonly redis;
+    constructor(redis: Redis);
+    /** Store the envelope + point the user's `current` pointer at it (atomic pipeline). */
+    put(env: SnapshotEnvelope, ttlSec?: number): Promise<void>;
+    getBySnapId(snapId: string): Promise<SnapshotEnvelope | null>;
+    /** Resolve the current snapId for (user, tenant) then load the envelope (pipelined). */
+    getCurrent(userId: string, actingJur?: string): Promise<SnapshotEnvelope | null>;
+    indexRoleMember(tier: string, roleId: string, userId: string): Promise<void>;
+    usersForRole(tier: string, roleId: string): Promise<string[]>;
+    /** Evict every snapshot of a user across tenants (SCAN the `current` pointers). */
+    revokeUser(userId: string): Promise<number>;
+    /** Evict one (user, tenant) snapshot. */
+    revokeUserTenant(userId: string, actingJur: string): Promise<void>;
+    /** Cascade a role revoke to all its members (reverse-index lookup → per-user evict). */
+    revokeRole(tier: string, roleId: string): Promise<number>;
+}
+//# sourceMappingURL=snapshot.store.d.ts.map

package/dist/snapshot/snapshot.store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"snapshot.store.d.ts","sourceRoot":"","sources":["../../src/snapshot/snapshot.store.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,KAAK,MAAM,SAAS,CAAC;AACjC,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAE5D,eAAO,MAAM,WAAW,gBAAgB,CAAC;AACzC,eAAO,MAAM,cAAc,gBAAgB,CAAC;AAC5C,eAAO,MAAM,WAAW,gBAAgB,CAAC;AACzC,eAAO,MAAM,wBAAwB,KAAK,CAAC;AAM3C,qBAAa,kBAAkB;IACjB,OAAO,CAAC,QAAQ,CAAC,KAAK;gBAAL,KAAK,EAAE,KAAK;IAEzC,uFAAuF;IACjF,GAAG,CAAC,GAAG,EAAE,gBAAgB,EAAE,MAAM,SAA2B,GAAG,OAAO,CAAC,IAAI,CAAC;IAQ5E,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC;IAKnE,wFAAwF;IAClF,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC;IAMhF,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAG5E,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAKnE,mFAAmF;IAC7E,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAmBjD,yCAAyC;IACnC,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IASxE,wFAAwF;IAClF,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;CAMhE"}

package/dist/snapshot/snapshot.store.js

@@ -0,0 +1,78 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RedisSnapshotStore = exports.DEFAULT_SNAPSHOT_TTL_SEC = exports.ROLE_PREFIX = exports.CURRENT_PREFIX = exports.SNAP_PREFIX = void 0;
+exports.SNAP_PREFIX = 'authz:snap:';
+exports.CURRENT_PREFIX = 'authz:user:';
+exports.ROLE_PREFIX = 'authz:role:';
+exports.DEFAULT_SNAPSHOT_TTL_SEC = 60;
+const currentKey = (userId, actingJur) => `${exports.CURRENT_PREFIX}${userId}:${actingJur ?? ''}:current`;
+const roleKey = (tier, roleId) => `${exports.ROLE_PREFIX}${tier}:${roleId}:users`;
+class RedisSnapshotStore {
+    constructor(redis) {
+        this.redis = redis;
+    }
+    /** Store the envelope + point the user's `current` pointer at it (atomic pipeline). */
+    async put(env, ttlSec = exports.DEFAULT_SNAPSHOT_TTL_SEC) {
+        await this.redis
+            .pipeline()
+            .set(exports.SNAP_PREFIX + env.snapId, JSON.stringify(env), 'EX', ttlSec)
+            .set(currentKey(env.userId, env.actingJuridicalId), env.snapId, 'EX', ttlSec)
+            .exec();
+    }
+    async getBySnapId(snapId) {
+        const raw = await this.redis.get(exports.SNAP_PREFIX + snapId);
+        return raw ? JSON.parse(raw) : null;
+    }
+    /** Resolve the current snapId for (user, tenant) then load the envelope (pipelined). */
+    async getCurrent(userId, actingJur) {
+        const snapId = await this.redis.get(currentKey(userId, actingJur));
+        return snapId ? this.getBySnapId(snapId) : null;
+    }
+    // ---- reverse-index (role-cascade revocation, DEC-S4.15) --------------------
+    async indexRoleMember(tier, roleId, userId) {
+        await this.redis.sadd(roleKey(tier, roleId), userId);
+    }
+    async usersForRole(tier, roleId) {
+        return this.redis.smembers(roleKey(tier, roleId));
+    }
+    // ---- revocation (DEC-S4.13) ------------------------------------------------
+    /** Evict every snapshot of a user across tenants (SCAN the `current` pointers). */
+    async revokeUser(userId) {
+        const pattern = `${exports.CURRENT_PREFIX}${userId}:*:current`;
+        let cursor = '0';
+        let evicted = 0;
+        do {
+            const [next, keys] = await this.redis.scan(cursor, 'MATCH', pattern, 'COUNT', 200);
+            cursor = next;
+            if (keys.length) {
+                const snapIds = (await this.redis.mget(...keys)).filter(Boolean);
+                const pipe = this.redis.pipeline();
+                keys.forEach((k) => pipe.del(k));
+                snapIds.forEach((id) => pipe.del(exports.SNAP_PREFIX + id));
+                await pipe.exec();
+                evicted += keys.length;
+            }
+        } while (cursor !== '0');
+        return evicted;
+    }
+    /** Evict one (user, tenant) snapshot. */
+    async revokeUserTenant(userId, actingJur) {
+        const ck = currentKey(userId, actingJur);
+        const snapId = await this.redis.get(ck);
+        const pipe = this.redis.pipeline();
+        pipe.del(ck);
+        if (snapId)
+            pipe.del(exports.SNAP_PREFIX + snapId);
+        await pipe.exec();
+    }
+    /** Cascade a role revoke to all its members (reverse-index lookup → per-user evict). */
+    async revokeRole(tier, roleId) {
+        const users = await this.usersForRole(tier, roleId);
+        let n = 0;
+        for (const u of users)
+            n += await this.revokeUser(u);
+        return n;
+    }
+}
+exports.RedisSnapshotStore = RedisSnapshotStore;
+//# sourceMappingURL=snapshot.store.js.map

package/dist/snapshot/snapshot.store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"snapshot.store.js","sourceRoot":"","sources":["../../src/snapshot/snapshot.store.ts"],"names":[],"mappings":";;;AASa,QAAA,WAAW,GAAG,aAAa,CAAC;AAC5B,QAAA,cAAc,GAAG,aAAa,CAAC;AAC/B,QAAA,WAAW,GAAG,aAAa,CAAC;AAC5B,QAAA,wBAAwB,GAAG,EAAE,CAAC;AAE3C,MAAM,UAAU,GAAG,CAAC,MAAc,EAAE,SAAkB,EAAE,EAAE,CACxD,GAAG,sBAAc,GAAG,MAAM,IAAI,SAAS,IAAI,EAAE,UAAU,CAAC;AAC1D,MAAM,OAAO,GAAG,CAAC,IAAY,EAAE,MAAc,EAAE,EAAE,CAAC,GAAG,mBAAW,GAAG,IAAI,IAAI,MAAM,QAAQ,CAAC;AAE1F,MAAa,kBAAkB;IAC7B,YAA6B,KAAY;QAAZ,UAAK,GAAL,KAAK,CAAO;IAAG,CAAC;IAE7C,uFAAuF;IACvF,KAAK,CAAC,GAAG,CAAC,GAAqB,EAAE,MAAM,GAAG,gCAAwB;QAChE,MAAM,IAAI,CAAC,KAAK;aACb,QAAQ,EAAE;aACV,GAAG,CAAC,mBAAW,GAAG,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,MAAM,CAAC;aAChE,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,iBAAiB,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC;aAC5E,IAAI,EAAE,CAAC;IACZ,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,MAAc;QAC9B,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,mBAAW,GAAG,MAAM,CAAC,CAAC;QACvD,OAAO,GAAG,CAAC,CAAC,CAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAsB,CAAC,CAAC,CAAC,IAAI,CAAC;IAC5D,CAAC;IAED,wFAAwF;IACxF,KAAK,CAAC,UAAU,CAAC,MAAc,EAAE,SAAkB;QACjD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC;QACnE,OAAO,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAClD,CAAC;IAED,+EAA+E;IAC/E,KAAK,CAAC,eAAe,CAAC,IAAY,EAAE,MAAc,EAAE,MAAc;QAChE,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,CAAC;IACvD,CAAC;IACD,KAAK,CAAC,YAAY,CAAC,IAAY,EAAE,MAAc;QAC7C,OAAO,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;IACpD,CAAC;IAED,+EAA+E;IAC/E,mFAAmF;IACnF,KAAK,CAAC,UAAU,CAAC,MAAc;QAC7B,MAAM,OAAO,GAAG,GAAG,sBAAc,GAAG,MAAM,YAAY,CAAC;QACvD,IAAI,MAAM,GAAG,GAAG,CAAC;QACjB,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,GAAG,CAAC;YACF,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;YACnF,MAAM,GAAG,IAAI,CAAC;YACd,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBAChB,MAAM,OAAO,GAAG,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAa,CAAC;gBAC7E,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;gBACnC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;gBACjC,OAAO,CAAC,OAAO,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,mBAAW,GAAG,EAAE,CAAC,CAAC,CAAC;gBACpD,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;gBAClB,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC;YACzB,CAAC;QACH,CAAC,QAAQ,MAAM,KAAK,GAAG,EAAE;QACzB,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,yCAAyC;IACzC,KAAK,CAAC,gBAAgB,CAAC,MAAc,EAAE,SAAiB;QACtD,MAAM,EAAE,GAAG,UAAU,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;QACzC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACxC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;QACnC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACb,IAAI,MAAM;YAAE,IAAI,CAAC,GAAG,CAAC,mBAAW,GAAG,MAAM,CAAC,CAAC;QAC3C,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;IACpB,CAAC;IAED,wFAAwF;IACxF,KAAK,CAAC,UAAU,CAAC,IAAY,EAAE,MAAc;QAC3C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACpD,IAAI,CAAC,GAAG,CAAC,CAAC;QACV,KAAK,MAAM,CAAC,IAAI,KAAK;YAAE,CAAC,IAAI,MAAM,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QACrD,OAAO,CAAC,CAAC;IACX,CAAC;CACF;AArED,gDAqEC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@generazioneai/authz",
-  "version": "0.0.2",
+  "version": "0.0.4",
   "description": "Runtime authz + autoquery for Skillera microservices",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -44,6 +44,14 @@
     "./nest": {
       "types": "./dist/nest/index.d.ts",
       "default": "./dist/nest/index.js"
+    },
+    "./snapshot": {
+      "types": "./dist/snapshot/index.d.ts",
+      "default": "./dist/snapshot/index.js"
+    },
+    "./enforce": {
+      "types": "./dist/enforce/index.d.ts",
+      "default": "./dist/enforce/index.js"
     }
   },
   "typesVersions": {
@@ -56,12 +64,18 @@
       ],
       "internal": [
         "dist/internal/index.d.ts"
+      ],
+      "snapshot": [
+        "dist/snapshot/index.d.ts"
+      ],
+      "enforce": [
+        "dist/enforce/index.d.ts"
       ]
     }
   },
   "peerDependencies": {
     "@casl/ability": "^6.7.0",
-    "@casl/prisma": "^1.5.0 || ^2.0.0",
+    "@casl/prisma": "^1.5.0",
     "@nestjs/common": "^11.0.0",
     "@nestjs/core": "^11.0.0",
     "@nestjs/microservices": "^11.0.0",
@@ -70,16 +84,23 @@
   "peerDependenciesMeta": {
     "@prisma/client": {
       "optional": true
+    },
+    "@casl/ability": {
+      "optional": true
+    },
+    "@casl/prisma": {
+      "optional": true
     }
   },
   "dependencies": {
-    "jose": "^6.0.10",
     "ioredis": "^5.4.0",
-    "json-stable-stringify": "^1.1.1"
+    "jose": "^6.0.10",
+    "json-stable-stringify": "^1.1.1",
+    "lru-cache": "^10.4.0"
   },
   "devDependencies": {
     "@casl/ability": "^6.7.3",
-    "@casl/prisma": "^1.5.0",
+    "@casl/prisma": "^1.6.2",
     "@nestjs/core": "^11.1.24",
     "@nestjs/microservices": "^11.1.24",
     "@types/json-stable-stringify": "^1.0.36",