@generazioneai/authz 0.0.3 → 0.0.5

package/dist/snapshot/ability-builder.d.ts

@@ -0,0 +1,23 @@
+import { type PrismaAbility } from '@casl/prisma';
+import type { AuthzContext } from '../context/authz-context';
+import type { ResourceRegistry } from '../resource-registry';
+import type { AbilityRule } from './snapshot.envelope';
+export type Scope = 'GLOBAL' | 'TENANT' | 'OWN' | 'CONNECTED' | 'PROVIDER' | 'CUSTOMER';
+export interface Grant {
+    action: string;
+    /** subject literal, or 'all' for the CASL wildcard (system tier). */
+    subject: string;
+    scope: Scope;
+    /** field-level allow-list; empty/absent = all fields. */
+    fields?: string[];
+    inverted?: boolean;
+}
+/**
+ * Grants → serialized CASL rules. GLOBAL scope (and the 'all' wildcard) emit no
+ * conditions (unrestricted within the grant); every other scope pulls the manifest's
+ * `scopes[scope]` template and substitutes the $ctx placeholders against `ctx`.
+ */
+export declare function buildRulesFromGrants(grants: Grant[], registry: ResourceRegistry, ctx: AuthzContext): AbilityRule[];
+/** Rehydrate a PrismaAbility from serialized rules (snapshot → runtime). */
+export declare function hydrateAbility(rules: AbilityRule[]): PrismaAbility<any>;
+//# sourceMappingURL=ability-builder.d.ts.map

package/dist/snapshot/ability-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ability-builder.d.ts","sourceRoot":"","sources":["../../src/snapshot/ability-builder.ts"],"names":[],"mappings":"AAIA,OAAO,EAAuB,KAAK,aAAa,EAAE,MAAM,cAAc,CAAC;AAEvE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAEvD,MAAM,MAAM,KAAK,GAAG,QAAQ,GAAG,QAAQ,GAAG,KAAK,GAAG,WAAW,GAAG,UAAU,GAAG,UAAU,CAAC;AAExF,MAAM,WAAW,KAAK;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,qEAAqE;IACrE,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,KAAK,CAAC;IACb,yDAAyD;IACzD,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,KAAK,EAAE,EACf,QAAQ,EAAE,gBAAgB,EAC1B,GAAG,EAAE,YAAY,GAChB,WAAW,EAAE,CAiBf;AAED,4EAA4E;AAC5E,wBAAgB,cAAc,CAAC,KAAK,EAAE,WAAW,EAAE,GAAG,aAAa,CAAC,GAAG,CAAC,CAEvE"}

package/dist/snapshot/ability-builder.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildRulesFromGrants = buildRulesFromGrants;
+exports.hydrateAbility = hydrateAbility;
+// Step 4 builder core — turn a user's role-permission GRANTS into CASL rules, then a
+// PrismaAbility. A grant = (action × subject × scope [× fields]); the scope is resolved
+// to a Prisma where via the resource manifest's scope template + substituteContext.
+// (skillID flattens its 3-tier RBAC into grants and calls this.)
+const prisma_1 = require("@casl/prisma");
+const scope_substitute_1 = require("../scope-substitute");
+/**
+ * Grants → serialized CASL rules. GLOBAL scope (and the 'all' wildcard) emit no
+ * conditions (unrestricted within the grant); every other scope pulls the manifest's
+ * `scopes[scope]` template and substitutes the $ctx placeholders against `ctx`.
+ */
+function buildRulesFromGrants(grants, registry, ctx) {
+    const rules = [];
+    for (const g of grants) {
+        const rule = { action: g.action, subject: g.subject };
+        if (g.fields && g.fields.length)
+            rule.fields = g.fields;
+        if (g.inverted)
+            rule.inverted = true;
+        if (g.scope === 'GLOBAL' || g.subject === 'all') {
+            rules.push(rule);
+            continue;
+        }
+        const template = registry.get(g.subject)?.scopes?.[g.scope];
+        if (!template)
+            continue; // scope not declared for this subject (authz:check guards this)
+        rule.conditions = (0, scope_substitute_1.substituteContext)(template, ctx);
+        rules.push(rule);
+    }
+    return rules;
+}
+/** Rehydrate a PrismaAbility from serialized rules (snapshot → runtime). */
+function hydrateAbility(rules) {
+    return (0, prisma_1.createPrismaAbility)(rules);
+}
+//# sourceMappingURL=ability-builder.js.map

package/dist/snapshot/ability-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ability-builder.js","sourceRoot":"","sources":["../../src/snapshot/ability-builder.ts"],"names":[],"mappings":";;AA2BA,oDAqBC;AAGD,wCAEC;AArDD,qFAAqF;AACrF,wFAAwF;AACxF,oFAAoF;AACpF,iEAAiE;AACjE,yCAAuE;AACvE,0DAAwD;AAiBxD;;;;GAIG;AACH,SAAgB,oBAAoB,CAClC,MAAe,EACf,QAA0B,EAC1B,GAAiB;IAEjB,MAAM,KAAK,GAAkB,EAAE,CAAC;IAChC,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,MAAM,IAAI,GAAgB,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC;QACnE,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM;YAAE,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC;QACxD,IAAI,CAAC,CAAC,QAAQ;YAAE,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;QAErC,IAAI,CAAC,CAAC,KAAK,KAAK,QAAQ,IAAI,CAAC,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;YAChD,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjB,SAAS;QACX,CAAC;QACD,MAAM,QAAQ,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QAC5D,IAAI,CAAC,QAAQ;YAAE,SAAS,CAAC,gEAAgE;QACzF,IAAI,CAAC,UAAU,GAAG,IAAA,oCAAiB,EAAC,QAAQ,EAAE,GAAG,CAA4B,CAAC;QAC9E,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnB,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,4EAA4E;AAC5E,SAAgB,cAAc,CAAC,KAAoB;IACjD,OAAO,IAAA,4BAAmB,EAAC,KAAkD,CAAuB,CAAC;AACvG,CAAC"}

package/dist/snapshot/distributed-lock.d.ts

@@ -0,0 +1,19 @@
+import type Redis from 'ioredis';
+export declare const DEFAULT_LOCK_PREFIX = "authz:lock:";
+export declare const DEFAULT_LOCK_TTL_SEC = 10;
+export declare const DEFAULT_BACKOFF_MS: number[];
+export declare class DistributedLock {
+    private readonly redis;
+    private readonly prefix;
+    constructor(redis: Redis, prefix?: string);
+    /** SET key owner EX ttl NX → true if acquired. */
+    acquire(key: string, owner: string, ttlSec?: number): Promise<boolean>;
+    /** Release only if still owned (compare-and-delete, avoids deleting a re-acquired lock). */
+    release(key: string, owner: string): Promise<void>;
+    /**
+     * Lock loser path: poll `read` with backoff, returning the first non-null result.
+     * Returns null if all attempts are exhausted (→ caller falls back to a direct build).
+     */
+    pollForResult<T>(read: () => Promise<T | null>, backoffMs?: number[]): Promise<T | null>;
+}
+//# sourceMappingURL=distributed-lock.d.ts.map

package/dist/snapshot/distributed-lock.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"distributed-lock.d.ts","sourceRoot":"","sources":["../../src/snapshot/distributed-lock.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,KAAK,MAAM,SAAS,CAAC;AAIjC,eAAO,MAAM,mBAAmB,gBAAgB,CAAC;AACjD,eAAO,MAAM,oBAAoB,KAAK,CAAC;AACvC,eAAO,MAAM,kBAAkB,UAAmB,CAAC;AAEnD,qBAAa,eAAe;IAExB,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,MAAM;gBADN,KAAK,EAAE,KAAK,EACZ,MAAM,GAAE,MAA4B;IAGvD,kDAAkD;IAC5C,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,SAAuB,GAAG,OAAO,CAAC,OAAO,CAAC;IAI1F,4FAA4F;IACtF,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAMxD;;;OAGG;IACG,aAAa,CAAC,CAAC,EACnB,IAAI,EAAE,MAAM,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,EAC7B,SAAS,GAAE,MAAM,EAAuB,GACvC,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC;CAQrB"}

package/dist/snapshot/distributed-lock.js

@@ -0,0 +1,37 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DistributedLock = exports.DEFAULT_BACKOFF_MS = exports.DEFAULT_LOCK_TTL_SEC = exports.DEFAULT_LOCK_PREFIX = void 0;
+const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
+exports.DEFAULT_LOCK_PREFIX = 'authz:lock:';
+exports.DEFAULT_LOCK_TTL_SEC = 10;
+exports.DEFAULT_BACKOFF_MS = [5, 15, 50, 150];
+class DistributedLock {
+    constructor(redis, prefix = exports.DEFAULT_LOCK_PREFIX) {
+        this.redis = redis;
+        this.prefix = prefix;
+    }
+    /** SET key owner EX ttl NX → true if acquired. */
+    async acquire(key, owner, ttlSec = exports.DEFAULT_LOCK_TTL_SEC) {
+        return (await this.redis.set(this.prefix + key, owner, 'EX', ttlSec, 'NX')) === 'OK';
+    }
+    /** Release only if still owned (compare-and-delete, avoids deleting a re-acquired lock). */
+    async release(key, owner) {
+        const lua = "if redis.call('get', KEYS[1]) == ARGV[1] then return redis.call('del', KEYS[1]) else return 0 end";
+        await this.redis.eval(lua, 1, this.prefix + key, owner);
+    }
+    /**
+     * Lock loser path: poll `read` with backoff, returning the first non-null result.
+     * Returns null if all attempts are exhausted (→ caller falls back to a direct build).
+     */
+    async pollForResult(read, backoffMs = exports.DEFAULT_BACKOFF_MS) {
+        for (const wait of backoffMs) {
+            await sleep(wait);
+            const v = await read();
+            if (v != null)
+                return v;
+        }
+        return null;
+    }
+}
+exports.DistributedLock = DistributedLock;
+//# sourceMappingURL=distributed-lock.js.map

package/dist/snapshot/distributed-lock.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"distributed-lock.js","sourceRoot":"","sources":["../../src/snapshot/distributed-lock.ts"],"names":[],"mappings":";;;AAKA,MAAM,KAAK,GAAG,CAAC,EAAU,EAAE,EAAE,CAAC,IAAI,OAAO,CAAO,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;AAE7D,QAAA,mBAAmB,GAAG,aAAa,CAAC;AACpC,QAAA,oBAAoB,GAAG,EAAE,CAAC;AAC1B,QAAA,kBAAkB,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;AAEnD,MAAa,eAAe;IAC1B,YACmB,KAAY,EACZ,SAAiB,2BAAmB;QADpC,UAAK,GAAL,KAAK,CAAO;QACZ,WAAM,GAAN,MAAM,CAA8B;IACpD,CAAC;IAEJ,kDAAkD;IAClD,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,KAAa,EAAE,MAAM,GAAG,4BAAoB;QACrE,OAAO,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,GAAG,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC,KAAK,IAAI,CAAC;IACvF,CAAC;IAED,4FAA4F;IAC5F,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,KAAa;QACtC,MAAM,GAAG,GACP,mGAAmG,CAAC;QACtG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,EAAE,IAAI,CAAC,MAAM,GAAG,GAAG,EAAE,KAAK,CAAC,CAAC;IAC1D,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,aAAa,CACjB,IAA6B,EAC7B,YAAsB,0BAAkB;QAExC,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,MAAM,KAAK,CAAC,IAAI,CAAC,CAAC;YAClB,MAAM,CAAC,GAAG,MAAM,IAAI,EAAE,CAAC;YACvB,IAAI,CAAC,IAAI,IAAI;gBAAE,OAAO,CAAC,CAAC;QAC1B,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAjCD,0CAiCC"}

package/dist/snapshot/index.d.ts

@@ -0,0 +1,7 @@
+export * from './snapshot.envelope';
+export * from './ability-builder';
+export * from './perm-hash';
+export * from './l1-cache';
+export * from './distributed-lock';
+export * from './snapshot.store';
+//# sourceMappingURL=index.d.ts.map

package/dist/snapshot/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/snapshot/index.ts"],"names":[],"mappings":"AAGA,cAAc,qBAAqB,CAAC;AACpC,cAAc,mBAAmB,CAAC;AAClC,cAAc,aAAa,CAAC;AAC5B,cAAc,YAAY,CAAC;AAC3B,cAAc,oBAAoB,CAAC;AACnC,cAAc,kBAAkB,CAAC"}

package/dist/snapshot/index.js

@@ -0,0 +1,26 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+// @generazioneai/authz/snapshot — Step 4 permission snapshot primitives.
+// Pure core (envelope, perm-hash) + Redis-backed pieces (store, lock) + in-process L1.
+// The NestJS resolver/subscriber + skillID builder/emitter are wired in the services.
+__exportStar(require("./snapshot.envelope"), exports);
+__exportStar(require("./ability-builder"), exports);
+__exportStar(require("./perm-hash"), exports);
+__exportStar(require("./l1-cache"), exports);
+__exportStar(require("./distributed-lock"), exports);
+__exportStar(require("./snapshot.store"), exports);
+//# sourceMappingURL=index.js.map

package/dist/snapshot/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/snapshot/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,yEAAyE;AACzE,uFAAuF;AACvF,sFAAsF;AACtF,sDAAoC;AACpC,oDAAkC;AAClC,8CAA4B;AAC5B,6CAA2B;AAC3B,qDAAmC;AACnC,mDAAiC"}

package/dist/snapshot/l1-cache.d.ts

@@ -0,0 +1,16 @@
+import type { SnapshotEnvelope } from './snapshot.envelope';
+export interface L1Options {
+    max?: number;
+    ttlMs?: number;
+}
+export declare class L1SnapshotCache {
+    private readonly cache;
+    constructor(opts?: L1Options);
+    private key;
+    get(userId: string, actingJuridicalId?: string): SnapshotEnvelope | undefined;
+    set(env: SnapshotEnvelope): void;
+    /** Evict one tenant entry, or ALL entries for a user when actingJuridicalId is omitted. */
+    evict(userId: string, actingJuridicalId?: string): number;
+    clear(): void;
+}
+//# sourceMappingURL=l1-cache.d.ts.map

package/dist/snapshot/l1-cache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"l1-cache.d.ts","sourceRoot":"","sources":["../../src/snapshot/l1-cache.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAE5D,MAAM,WAAW,SAAS;IACxB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAqC;gBAE/C,IAAI,GAAE,SAAc;IAOhC,OAAO,CAAC,GAAG;IAIX,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,iBAAiB,CAAC,EAAE,MAAM,GAAG,gBAAgB,GAAG,SAAS;IAI7E,GAAG,CAAC,GAAG,EAAE,gBAAgB,GAAG,IAAI;IAIhC,2FAA2F;IAC3F,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,iBAAiB,CAAC,EAAE,MAAM,GAAG,MAAM;IAezD,KAAK,IAAI,IAAI;CAGd"}

package/dist/snapshot/l1-cache.js

@@ -0,0 +1,43 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.L1SnapshotCache = void 0;
+// Step 4 DEC-S4.5/10 — in-process L1 snapshot cache (TTL 30s = Redis TTL / 2, so an L1
+// hit never outlives a revoke that already hit Redis). Keyed by (userId, actingJuridicalId).
+const lru_cache_1 = require("lru-cache");
+class L1SnapshotCache {
+    constructor(opts = {}) {
+        this.cache = new lru_cache_1.LRUCache({
+            max: opts.max ?? 2000,
+            ttl: opts.ttlMs ?? 30_000,
+        });
+    }
+    key(userId, actingJuridicalId) {
+        return `${userId}:${actingJuridicalId ?? ''}`;
+    }
+    get(userId, actingJuridicalId) {
+        return this.cache.get(this.key(userId, actingJuridicalId));
+    }
+    set(env) {
+        this.cache.set(this.key(env.userId, env.actingJuridicalId), env);
+    }
+    /** Evict one tenant entry, or ALL entries for a user when actingJuridicalId is omitted. */
+    evict(userId, actingJuridicalId) {
+        if (actingJuridicalId !== undefined) {
+            return this.cache.delete(this.key(userId, actingJuridicalId)) ? 1 : 0;
+        }
+        const prefix = `${userId}:`;
+        let n = 0;
+        for (const k of this.cache.keys()) {
+            if (k.startsWith(prefix)) {
+                this.cache.delete(k);
+                n++;
+            }
+        }
+        return n;
+    }
+    clear() {
+        this.cache.clear();
+    }
+}
+exports.L1SnapshotCache = L1SnapshotCache;
+//# sourceMappingURL=l1-cache.js.map

package/dist/snapshot/l1-cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"l1-cache.js","sourceRoot":"","sources":["../../src/snapshot/l1-cache.ts"],"names":[],"mappings":";;;AAAA,uFAAuF;AACvF,6FAA6F;AAC7F,yCAAqC;AAQrC,MAAa,eAAe;IAG1B,YAAY,OAAkB,EAAE;QAC9B,IAAI,CAAC,KAAK,GAAG,IAAI,oBAAQ,CAA2B;YAClD,GAAG,EAAE,IAAI,CAAC,GAAG,IAAI,IAAI;YACrB,GAAG,EAAE,IAAI,CAAC,KAAK,IAAI,MAAM;SAC1B,CAAC,CAAC;IACL,CAAC;IAEO,GAAG,CAAC,MAAc,EAAE,iBAA0B;QACpD,OAAO,GAAG,MAAM,IAAI,iBAAiB,IAAI,EAAE,EAAE,CAAC;IAChD,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,iBAA0B;QAC5C,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC,CAAC;IAC7D,CAAC;IAED,GAAG,CAAC,GAAqB;QACvB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,iBAAiB,CAAC,EAAE,GAAG,CAAC,CAAC;IACnE,CAAC;IAED,2FAA2F;IAC3F,KAAK,CAAC,MAAc,EAAE,iBAA0B;QAC9C,IAAI,iBAAiB,KAAK,SAAS,EAAE,CAAC;YACpC,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACxE,CAAC;QACD,MAAM,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC;QAC5B,IAAI,CAAC,GAAG,CAAC,CAAC;QACV,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC;YAClC,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBACzB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;gBACrB,CAAC,EAAE,CAAC;YACN,CAAC;QACH,CAAC;QACD,OAAO,CAAC,CAAC;IACX,CAAC;IAED,KAAK;QACH,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;CACF;AAzCD,0CAyCC"}

package/dist/snapshot/perm-hash.d.ts

@@ -0,0 +1,3 @@
+import type { AbilityRule } from './snapshot.envelope';
+export declare function computePermHash(rules: AbilityRule[]): string;
+//# sourceMappingURL=perm-hash.d.ts.map

package/dist/snapshot/perm-hash.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"perm-hash.d.ts","sourceRoot":"","sources":["../../src/snapshot/perm-hash.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AA2BvD,wBAAgB,eAAe,CAAC,KAAK,EAAE,WAAW,EAAE,GAAG,MAAM,CAM5D"}

package/dist/snapshot/perm-hash.js

@@ -0,0 +1,33 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.computePermHash = computePermHash;
+// Step 4 DEC-S4.7/8/9 — deterministic permission hash (128-bit, 32 hex).
+//
+// Two users with the same roles but different tenantId get DIFFERENT permHashes
+// (conditions are post-substitution → tenant-specific) — that is correct. The hash is
+// cross-pod deterministic: rules are normalized + sorted, then json-stable-stringify'd.
+const node_crypto_1 = require("node:crypto");
+const json_stable_stringify_1 = __importDefault(require("json-stable-stringify"));
+const asSortedArray = (v) => Array.isArray(v) ? [...v].sort() : v;
+const ruleKey = (r) => `${JSON.stringify(r.subject)}|${JSON.stringify(r.action)}|${r.inverted ? 1 : 0}`;
+/** Canonical, hash-relevant projection of a rule (excludes `reason`/metadata). */
+function normalize(r) {
+    return {
+        action: asSortedArray(r.action),
+        subject: asSortedArray(r.subject),
+        fields: r.fields && r.fields.length ? [...r.fields].sort() : undefined,
+        conditions: r.conditions ?? undefined,
+        inverted: r.inverted ?? false,
+    };
+}
+function computePermHash(rules) {
+    const normalized = rules
+        .map(normalize)
+        .sort((a, b) => ruleKey(a).localeCompare(ruleKey(b)));
+    const canonical = (0, json_stable_stringify_1.default)(normalized) ?? '[]';
+    return (0, node_crypto_1.createHash)('sha256').update(canonical).digest('hex').slice(0, 32);
+}
+//# sourceMappingURL=perm-hash.js.map

package/dist/snapshot/perm-hash.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"perm-hash.js","sourceRoot":"","sources":["../../src/snapshot/perm-hash.ts"],"names":[],"mappings":";;;;;AAkCA,0CAMC;AAxCD,yEAAyE;AACzE,EAAE;AACF,gFAAgF;AAChF,sFAAsF;AACtF,wFAAwF;AACxF,6CAAyC;AACzC,kFAAoD;AAWpD,MAAM,aAAa,GAAG,CAAC,CAAoB,EAAqB,EAAE,CAChE,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;AAEvC,MAAM,OAAO,GAAG,CAAC,CAAiB,EAAU,EAAE,CAC5C,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AAEnF,kFAAkF;AAClF,SAAS,SAAS,CAAC,CAAc;IAC/B,OAAO;QACL,MAAM,EAAE,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC;QAC/B,OAAO,EAAE,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC;QACjC,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS;QACtE,UAAU,EAAE,CAAC,CAAC,UAAU,IAAI,SAAS;QACrC,QAAQ,EAAE,CAAC,CAAC,QAAQ,IAAI,KAAK;KAC9B,CAAC;AACJ,CAAC;AAED,SAAgB,eAAe,CAAC,KAAoB;IAClD,MAAM,UAAU,GAAG,KAAK;SACrB,GAAG,CAAC,SAAS,CAAC;SACd,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACxD,MAAM,SAAS,GAAG,IAAA,+BAAe,EAAC,UAAU,CAAC,IAAI,IAAI,CAAC;IACtD,OAAO,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAC3E,CAAC"}

package/dist/snapshot/snapshot.envelope.d.ts

@@ -0,0 +1,36 @@
+import type { AccreditedAs, ConnectedEdges } from '../context/authz-context';
+export declare const SNAPSHOT_SCHEMA_VERSION = 1;
+/** A serialized CASL rule (post $ctx-substitution). Shape accepted by createPrismaAbility. */
+export interface AbilityRule {
+    action: string | string[];
+    subject: string | string[];
+    /** Field-level allow-list (Step 1 fields[]). Empty/absent = all fields. */
+    fields?: string[];
+    /** Prisma WhereInput-shaped conditions (already substituted; no $ctx left). */
+    conditions?: Record<string, unknown>;
+    /** CASL `cannot` rule. */
+    inverted?: boolean;
+    /** Audit-only; excluded from permHash. */
+    reason?: string;
+}
+export interface SnapshotEnvelope {
+    schemaVersion: number;
+    snapId: string;
+    userId: string;
+    actingJuridicalId?: string;
+    /** sha256(canonical(sortedRules)) truncated to 32 hex (Step 4 DEC-S4.7/9). */
+    permHash: string;
+    /** epoch ms — drives refresh-ahead (DEC-S4.30). */
+    builtAt: number;
+    rules: AbilityRule[];
+    connected: ConnectedEdges;
+    accreditedAs: AccreditedAs;
+    /** Set when the rules blob was lz4-compressed (DEC-S4.27). Day-1: null. */
+    compressed?: 'lz4' | null;
+}
+/**
+ * Opaque snapshot id (DEC-S4.4): doesn't leak userId, idempotent per 1s build bucket.
+ * blake3 in the plan; sha256 here keeps zero extra deps (opacity is what matters).
+ */
+export declare function computeSnapId(userId: string, actingJuridicalId: string | undefined, builtAtMs: number): string;
+//# sourceMappingURL=snapshot.envelope.d.ts.map

package/dist/snapshot/snapshot.envelope.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"snapshot.envelope.d.ts","sourceRoot":"","sources":["../../src/snapshot/snapshot.envelope.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAE7E,eAAO,MAAM,uBAAuB,IAAI,CAAC;AAEzC,8FAA8F;AAC9F,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC1B,OAAO,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC3B,2EAA2E;IAC3E,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,+EAA+E;IAC/E,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,0BAA0B;IAC1B,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,0CAA0C;IAC1C,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,8EAA8E;IAC9E,QAAQ,EAAE,MAAM,CAAC;IACjB,mDAAmD;IACnD,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,SAAS,EAAE,cAAc,CAAC;IAC1B,YAAY,EAAE,YAAY,CAAC;IAC3B,2EAA2E;IAC3E,UAAU,CAAC,EAAE,KAAK,GAAG,IAAI,CAAC;CAC3B;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAC3B,MAAM,EAAE,MAAM,EACd,iBAAiB,EAAE,MAAM,GAAG,SAAS,EACrC,SAAS,EAAE,MAAM,GAChB,MAAM,CAMR"}

package/dist/snapshot/snapshot.envelope.js

@@ -0,0 +1,23 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SNAPSHOT_SCHEMA_VERSION = void 0;
+exports.computeSnapId = computeSnapId;
+// Step 4 DEC-S4.1/3 — the permission snapshot envelope cached in Redis.
+//
+// skillID builds it (rules already $ctx-substituted), stores it under an opaque snapId;
+// the gateway/downstream fetch it by snapId (carried in the Step 2 JWT `snap` claim) and
+// rehydrate the CASL ability via createPrismaAbility(rules).
+const node_crypto_1 = require("node:crypto");
+exports.SNAPSHOT_SCHEMA_VERSION = 1;
+/**
+ * Opaque snapshot id (DEC-S4.4): doesn't leak userId, idempotent per 1s build bucket.
+ * blake3 in the plan; sha256 here keeps zero extra deps (opacity is what matters).
+ */
+function computeSnapId(userId, actingJuridicalId, builtAtMs) {
+    const bucket = Math.floor(builtAtMs / 1000);
+    return (0, node_crypto_1.createHash)('sha256')
+        .update(`${userId}:${actingJuridicalId ?? ''}:${bucket}`)
+        .digest('hex')
+        .slice(0, 22);
+}
+//# sourceMappingURL=snapshot.envelope.js.map

package/dist/snapshot/snapshot.envelope.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"snapshot.envelope.js","sourceRoot":"","sources":["../../src/snapshot/snapshot.envelope.ts"],"names":[],"mappings":";;;AA4CA,sCAUC;AAtDD,wEAAwE;AACxE,EAAE;AACF,wFAAwF;AACxF,yFAAyF;AACzF,6DAA6D;AAC7D,6CAAyC;AAG5B,QAAA,uBAAuB,GAAG,CAAC,CAAC;AAgCzC;;;GAGG;AACH,SAAgB,aAAa,CAC3B,MAAc,EACd,iBAAqC,EACrC,SAAiB;IAEjB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;IAC5C,OAAO,IAAA,wBAAU,EAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,GAAG,MAAM,IAAI,iBAAiB,IAAI,EAAE,IAAI,MAAM,EAAE,CAAC;SACxD,MAAM,CAAC,KAAK,CAAC;SACb,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAClB,CAAC"}

package/dist/snapshot/snapshot.store.d.ts

@@ -0,0 +1,24 @@
+import type Redis from 'ioredis';
+import type { SnapshotEnvelope } from './snapshot.envelope';
+export declare const SNAP_PREFIX = "authz:snap:";
+export declare const CURRENT_PREFIX = "authz:user:";
+export declare const ROLE_PREFIX = "authz:role:";
+export declare const DEFAULT_SNAPSHOT_TTL_SEC = 60;
+export declare class RedisSnapshotStore {
+    private readonly redis;
+    constructor(redis: Redis);
+    /** Store the envelope + point the user's `current` pointer at it (atomic pipeline). */
+    put(env: SnapshotEnvelope, ttlSec?: number): Promise<void>;
+    getBySnapId(snapId: string): Promise<SnapshotEnvelope | null>;
+    /** Resolve the current snapId for (user, tenant) then load the envelope (pipelined). */
+    getCurrent(userId: string, actingJur?: string): Promise<SnapshotEnvelope | null>;
+    indexRoleMember(tier: string, roleId: string, userId: string): Promise<void>;
+    usersForRole(tier: string, roleId: string): Promise<string[]>;
+    /** Evict every snapshot of a user across tenants (SCAN the `current` pointers). */
+    revokeUser(userId: string): Promise<number>;
+    /** Evict one (user, tenant) snapshot. */
+    revokeUserTenant(userId: string, actingJur: string): Promise<void>;
+    /** Cascade a role revoke to all its members (reverse-index lookup → per-user evict). */
+    revokeRole(tier: string, roleId: string): Promise<number>;
+}
+//# sourceMappingURL=snapshot.store.d.ts.map

package/dist/snapshot/snapshot.store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"snapshot.store.d.ts","sourceRoot":"","sources":["../../src/snapshot/snapshot.store.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,KAAK,MAAM,SAAS,CAAC;AACjC,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAE5D,eAAO,MAAM,WAAW,gBAAgB,CAAC;AACzC,eAAO,MAAM,cAAc,gBAAgB,CAAC;AAC5C,eAAO,MAAM,WAAW,gBAAgB,CAAC;AACzC,eAAO,MAAM,wBAAwB,KAAK,CAAC;AAM3C,qBAAa,kBAAkB;IACjB,OAAO,CAAC,QAAQ,CAAC,KAAK;gBAAL,KAAK,EAAE,KAAK;IAEzC,uFAAuF;IACjF,GAAG,CAAC,GAAG,EAAE,gBAAgB,EAAE,MAAM,SAA2B,GAAG,OAAO,CAAC,IAAI,CAAC;IAQ5E,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC;IAKnE,wFAAwF;IAClF,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC;IAMhF,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAG5E,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAKnE,mFAAmF;IAC7E,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAmBjD,yCAAyC;IACnC,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IASxE,wFAAwF;IAClF,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;CAMhE"}

package/dist/snapshot/snapshot.store.js

@@ -0,0 +1,78 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RedisSnapshotStore = exports.DEFAULT_SNAPSHOT_TTL_SEC = exports.ROLE_PREFIX = exports.CURRENT_PREFIX = exports.SNAP_PREFIX = void 0;
+exports.SNAP_PREFIX = 'authz:snap:';
+exports.CURRENT_PREFIX = 'authz:user:';
+exports.ROLE_PREFIX = 'authz:role:';
+exports.DEFAULT_SNAPSHOT_TTL_SEC = 60;
+const currentKey = (userId, actingJur) => `${exports.CURRENT_PREFIX}${userId}:${actingJur ?? ''}:current`;
+const roleKey = (tier, roleId) => `${exports.ROLE_PREFIX}${tier}:${roleId}:users`;
+class RedisSnapshotStore {
+    constructor(redis) {
+        this.redis = redis;
+    }
+    /** Store the envelope + point the user's `current` pointer at it (atomic pipeline). */
+    async put(env, ttlSec = exports.DEFAULT_SNAPSHOT_TTL_SEC) {
+        await this.redis
+            .pipeline()
+            .set(exports.SNAP_PREFIX + env.snapId, JSON.stringify(env), 'EX', ttlSec)
+            .set(currentKey(env.userId, env.actingJuridicalId), env.snapId, 'EX', ttlSec)
+            .exec();
+    }
+    async getBySnapId(snapId) {
+        const raw = await this.redis.get(exports.SNAP_PREFIX + snapId);
+        return raw ? JSON.parse(raw) : null;
+    }
+    /** Resolve the current snapId for (user, tenant) then load the envelope (pipelined). */
+    async getCurrent(userId, actingJur) {
+        const snapId = await this.redis.get(currentKey(userId, actingJur));
+        return snapId ? this.getBySnapId(snapId) : null;
+    }
+    // ---- reverse-index (role-cascade revocation, DEC-S4.15) --------------------
+    async indexRoleMember(tier, roleId, userId) {
+        await this.redis.sadd(roleKey(tier, roleId), userId);
+    }
+    async usersForRole(tier, roleId) {
+        return this.redis.smembers(roleKey(tier, roleId));
+    }
+    // ---- revocation (DEC-S4.13) ------------------------------------------------
+    /** Evict every snapshot of a user across tenants (SCAN the `current` pointers). */
+    async revokeUser(userId) {
+        const pattern = `${exports.CURRENT_PREFIX}${userId}:*:current`;
+        let cursor = '0';
+        let evicted = 0;
+        do {
+            const [next, keys] = await this.redis.scan(cursor, 'MATCH', pattern, 'COUNT', 200);
+            cursor = next;
+            if (keys.length) {
+                const snapIds = (await this.redis.mget(...keys)).filter(Boolean);
+                const pipe = this.redis.pipeline();
+                keys.forEach((k) => pipe.del(k));
+                snapIds.forEach((id) => pipe.del(exports.SNAP_PREFIX + id));
+                await pipe.exec();
+                evicted += keys.length;
+            }
+        } while (cursor !== '0');
+        return evicted;
+    }
+    /** Evict one (user, tenant) snapshot. */
+    async revokeUserTenant(userId, actingJur) {
+        const ck = currentKey(userId, actingJur);
+        const snapId = await this.redis.get(ck);
+        const pipe = this.redis.pipeline();
+        pipe.del(ck);
+        if (snapId)
+            pipe.del(exports.SNAP_PREFIX + snapId);
+        await pipe.exec();
+    }
+    /** Cascade a role revoke to all its members (reverse-index lookup → per-user evict). */
+    async revokeRole(tier, roleId) {
+        const users = await this.usersForRole(tier, roleId);
+        let n = 0;
+        for (const u of users)
+            n += await this.revokeUser(u);
+        return n;
+    }
+}
+exports.RedisSnapshotStore = RedisSnapshotStore;
+//# sourceMappingURL=snapshot.store.js.map

package/dist/snapshot/snapshot.store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"snapshot.store.js","sourceRoot":"","sources":["../../src/snapshot/snapshot.store.ts"],"names":[],"mappings":";;;AASa,QAAA,WAAW,GAAG,aAAa,CAAC;AAC5B,QAAA,cAAc,GAAG,aAAa,CAAC;AAC/B,QAAA,WAAW,GAAG,aAAa,CAAC;AAC5B,QAAA,wBAAwB,GAAG,EAAE,CAAC;AAE3C,MAAM,UAAU,GAAG,CAAC,MAAc,EAAE,SAAkB,EAAE,EAAE,CACxD,GAAG,sBAAc,GAAG,MAAM,IAAI,SAAS,IAAI,EAAE,UAAU,CAAC;AAC1D,MAAM,OAAO,GAAG,CAAC,IAAY,EAAE,MAAc,EAAE,EAAE,CAAC,GAAG,mBAAW,GAAG,IAAI,IAAI,MAAM,QAAQ,CAAC;AAE1F,MAAa,kBAAkB;IAC7B,YAA6B,KAAY;QAAZ,UAAK,GAAL,KAAK,CAAO;IAAG,CAAC;IAE7C,uFAAuF;IACvF,KAAK,CAAC,GAAG,CAAC,GAAqB,EAAE,MAAM,GAAG,gCAAwB;QAChE,MAAM,IAAI,CAAC,KAAK;aACb,QAAQ,EAAE;aACV,GAAG,CAAC,mBAAW,GAAG,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,MAAM,CAAC;aAChE,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,iBAAiB,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC;aAC5E,IAAI,EAAE,CAAC;IACZ,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,MAAc;QAC9B,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,mBAAW,GAAG,MAAM,CAAC,CAAC;QACvD,OAAO,GAAG,CAAC,CAAC,CAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAsB,CAAC,CAAC,CAAC,IAAI,CAAC;IAC5D,CAAC;IAED,wFAAwF;IACxF,KAAK,CAAC,UAAU,CAAC,MAAc,EAAE,SAAkB;QACjD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC;QACnE,OAAO,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAClD,CAAC;IAED,+EAA+E;IAC/E,KAAK,CAAC,eAAe,CAAC,IAAY,EAAE,MAAc,EAAE,MAAc;QAChE,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,CAAC;IACvD,CAAC;IACD,KAAK,CAAC,YAAY,CAAC,IAAY,EAAE,MAAc;QAC7C,OAAO,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;IACpD,CAAC;IAED,+EAA+E;IAC/E,mFAAmF;IACnF,KAAK,CAAC,UAAU,CAAC,MAAc;QAC7B,MAAM,OAAO,GAAG,GAAG,sBAAc,GAAG,MAAM,YAAY,CAAC;QACvD,IAAI,MAAM,GAAG,GAAG,CAAC;QACjB,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,GAAG,CAAC;YACF,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;YACnF,MAAM,GAAG,IAAI,CAAC;YACd,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBAChB,MAAM,OAAO,GAAG,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAa,CAAC;gBAC7E,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;gBACnC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;gBACjC,OAAO,CAAC,OAAO,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,mBAAW,GAAG,EAAE,CAAC,CAAC,CAAC;gBACpD,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;gBAClB,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC;YACzB,CAAC;QACH,CAAC,QAAQ,MAAM,KAAK,GAAG,EAAE;QACzB,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,yCAAyC;IACzC,KAAK,CAAC,gBAAgB,CAAC,MAAc,EAAE,SAAiB;QACtD,MAAM,EAAE,GAAG,UAAU,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;QACzC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACxC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;QACnC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACb,IAAI,MAAM;YAAE,IAAI,CAAC,GAAG,CAAC,mBAAW,GAAG,MAAM,CAAC,CAAC;QAC3C,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;IACpB,CAAC;IAED,wFAAwF;IACxF,KAAK,CAAC,UAAU,CAAC,IAAY,EAAE,MAAc;QAC3C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACpD,IAAI,CAAC,GAAG,CAAC,CAAC;QACV,KAAK,MAAM,CAAC,IAAI,KAAK;YAAE,CAAC,IAAI,MAAM,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QACrD,OAAO,CAAC,CAAC;IACX,CAAC;CACF;AArED,gDAqEC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@generazioneai/authz",
-  "version": "0.0.3",
+  "version": "0.0.5",
   "description": "Runtime authz + autoquery for Skillera microservices",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -44,6 +44,14 @@
     "./nest": {
       "types": "./dist/nest/index.d.ts",
       "default": "./dist/nest/index.js"
+    },
+    "./snapshot": {
+      "types": "./dist/snapshot/index.d.ts",
+      "default": "./dist/snapshot/index.js"
+    },
+    "./enforce": {
+      "types": "./dist/enforce/index.d.ts",
+      "default": "./dist/enforce/index.js"
     }
   },
   "typesVersions": {
@@ -56,6 +64,12 @@
       ],
       "internal": [
         "dist/internal/index.d.ts"
+      ],
+      "snapshot": [
+        "dist/snapshot/index.d.ts"
+      ],
+      "enforce": [
+        "dist/enforce/index.d.ts"
       ]
     }
   },
@@ -79,13 +93,14 @@
     }
   },
   "dependencies": {
-    "jose": "^6.0.10",
     "ioredis": "^5.4.0",
-    "json-stable-stringify": "^1.1.1"
+    "jose": "^6.0.10",
+    "json-stable-stringify": "^1.1.1",
+    "lru-cache": "^10.4.0"
   },
   "devDependencies": {
     "@casl/ability": "^6.7.3",
-    "@casl/prisma": "^1.5.0",
+    "@casl/prisma": "^1.6.2",
     "@nestjs/core": "^11.1.24",
     "@nestjs/microservices": "^11.1.24",
     "@types/json-stable-stringify": "^1.0.36",