@generazioneai/authz 0.0.4 → 0.0.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/nest/authz-context.interceptor.d.ts.map +1 -1
- package/dist/nest/authz-context.interceptor.js +4 -1
- package/dist/nest/authz-context.interceptor.js.map +1 -1
- package/dist/nest/internal-auth.interceptor.d.ts +29 -0
- package/dist/nest/internal-auth.interceptor.d.ts.map +1 -1
- package/dist/nest/internal-auth.interceptor.js +47 -2
- package/dist/nest/internal-auth.interceptor.js.map +1 -1
- package/dist/snapshot/ability-builder.d.ts +2 -1
- package/dist/snapshot/ability-builder.d.ts.map +1 -1
- package/dist/snapshot/ability-builder.js.map +1 -1
- package/dist/snapshot/snapshot.envelope.d.ts +10 -0
- package/dist/snapshot/snapshot.envelope.d.ts.map +1 -1
- package/dist/snapshot/snapshot.envelope.js.map +1 -1
- package/package.json +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authz-context.interceptor.d.ts","sourceRoot":"","sources":["../../src/nest/authz-context.interceptor.ts"],"names":[],"mappings":"AAMA,OAAO,EAEL,KAAK,WAAW,EAChB,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACrB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,UAAU,
|
|
1
|
+
{"version":3,"file":"authz-context.interceptor.d.ts","sourceRoot":"","sources":["../../src/nest/authz-context.interceptor.ts"],"names":[],"mappings":"AAMA,OAAO,EAEL,KAAK,WAAW,EAChB,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACrB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,UAAU,EAAuB,MAAM,MAAM,CAAC;AAKvD,qBACa,uBAAwB,YAAW,eAAe;IAC7D,SAAS,CAAC,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC;CA0B7E"}
|
|
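--- a/package/dist/nest/authz-context.interceptor.js
+++ b/package/dist/nest/authz-context.interceptor.js
@@ -37,7 +37,10 @@ let AuthzContextInterceptor = class AuthzContextInterceptor {
 },
 ability: null,
 };
-
+// Run the whole handler inside ALS so downstream signed .send() calls — even those
+// after an await — see the context. The callback returns a promise (lastValueFrom)
+// so the store stays bound across awaits; a sync subscribe loses it at the first await.
+return (0, rxjs_1.from)(als_1.authzAls.run(ctx, () => (0, rxjs_1.lastValueFrom)(next.handle())));
 }
 };
 exports.AuthzContextInterceptor = AuthzContextInterceptor;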
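Review bot: `lastValueFrom(next.handle())` on new line 40 rejects with rxjs's EmptyError when the handler's observable completes without emitting, so a handler that returns nothing (or `EMPTY`) now surfaces as an error where it previously completed silently; if such handlers run behind this interceptor, pass a default, `() => (0, rxjs_1.lastValueFrom)(next.handle(), { defaultValue: undefined })`. The same wrap appears in internal-auth.interceptor.js (hunk `@@ -84,7 +84,11 @@`), whose comment at least records the single-value assumption; this file's comment should state it as well. The change also collapses a multi-emission stream to its last value, which is fine for request/response RPC but deserves a line in the comment. The enclosing `intercept` starts outside the hunk.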
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authz-context.interceptor.js","sourceRoot":"","sources":["../../src/nest/authz-context.interceptor.ts"],"names":[],"mappings":";;;;;;;;;AAAA,6DAA6D;AAC7D,EAAE;AACF,0FAA0F;AAC1F,yFAAyF;AACzF,6FAA6F;AAC7F,4FAA4F;AAC5F,2CAKwB;AACxB,+
|
|
1
|
+
{"version":3,"file":"authz-context.interceptor.js","sourceRoot":"","sources":["../../src/nest/authz-context.interceptor.ts"],"names":[],"mappings":";;;;;;;;;AAAA,6DAA6D;AAC7D,EAAE;AACF,0FAA0F;AAC1F,yFAAyF;AACzF,6FAA6F;AAC7F,4FAA4F;AAC5F,2CAKwB;AACxB,+BAAuD;AACvD,wCAA0C;AAKnC,IAAM,uBAAuB,GAA7B,MAAM,uBAAuB;IAClC,SAAS,CAAC,OAAyB,EAAE,IAAiB;QACpD,IAAI,OAAO,CAAC,OAAO,EAAE,KAAK,MAAM;YAAE,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;QAEvD,MAAM,GAAG,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAsB,CAAC;QACpE,IAAI,CAAC,GAAG,EAAE,MAAM;YAAE,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,4CAA4C;QAEpF,MAAM,GAAG,GAAiB;YACxB,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,YAAY,EAAE,GAAG,CAAC,YAAY;YAC9B,qBAAqB,EAAE,GAAG,CAAC,qBAAqB;YAChD,QAAQ,EAAE,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,iBAAiB;YAC/C,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,SAAS,EAAE,EAAE,iBAAiB,EAAE,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,0BAA0B,EAAE,EAAE,EAAE;YAC1F,YAAY,EAAE;gBACZ,QAAQ,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,oBAAoB,EAAE,EAAE,EAAE;gBAC5D,QAAQ,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,oBAAoB,EAAE,EAAE,EAAE;aAC7D;YACD,OAAO,EAAE,IAA0C;SACpD,CAAC;QAEF,mFAAmF;QACnF,mFAAmF;QACnF,wFAAwF;QACxF,OAAO,IAAA,WAAI,EAAC,cAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,IAAA,oBAAa,EAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC;IACrE,CAAC;CACF,CAAA;AA3BY,0DAAuB;kCAAvB,uBAAuB;IADnC,IAAA,mBAAU,GAAE;GACA,uBAAuB,CA2BnC"}
|
|
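--- a/package/dist/nest/internal-auth.interceptor.d.ts
+++ b/package/dist/nest/internal-auth.interceptor.d.ts
@@ -1,9 +1,15 @@
 import { type CallHandler, type ExecutionContext, type NestInterceptor } from '@nestjs/common';
 import type { Reflector } from '@nestjs/core';
 import { Observable } from 'rxjs';
+import type { AuthzContext } from '../context/authz-context';
 import { type VerificationKey } from '../nats/internal-token';
 import type { ReplayCache } from '../nats/replay-cache';
+import type { AbilityRule, SnapshotEnvelope } from '../snapshot/snapshot.envelope';
 export type InternalAuthMode = 'off' | 'shadow' | 'enforce';
+/** Step 4 — fetch a snapshot envelope by the JWT `snap` claim. */
+export interface SnapshotFetcher {
+getBySnapId(snapId: string): Promise<SnapshotEnvelope | null>;
+}
 export interface InternalAuthOptions {
 jwks: VerificationKey;
 replay: ReplayCache;
@@ -14,6 +20,23 @@ export interface InternalAuthOptions {
 mode?: InternalAuthMode;
 /** Compare the token cmd against the NATS subject. Default true. */
 strictCmd?: boolean;
+/**
+* Step 4 runtime hydration. When both are provided and the token carries a `snap`
+* claim, the verified context's ability is rehydrated from the Redis snapshot so the
+* Prisma extension can scope queries. `hydrate` is injected (createPrismaAbility) so
+* this module stays free of a static @casl/prisma dependency.
+*/
+snapshotStore?: SnapshotFetcher;
+hydrate?: (rules: AbilityRule[]) => AuthzContext['ability'];
+/**
+* Cross-service substitution (optional). When the envelope carries raw `grants` and
+* both `buildRules` (buildRulesFromGrants) and this service's `registry` are provided,
+* scope templates are re-substituted with the LOCAL registry — so this service scopes
+* subjects the builder (skillID) doesn't own. Falls back to the envelope's pre-built
+* `rules` when absent. `buildRules`/`registry` are injected to avoid a static dep.
+*/
+buildRules?: (grants: unknown[], registry: unknown, ctx: AuthzContext) => AbilityRule[];
+registry?: unknown;
 }
 export declare class InternalAuthInterceptor implements NestInterceptor {
 private readonly opts;
@@ -23,6 +46,12 @@ export declare class InternalAuthInterceptor implements NestInterceptor {
 intercept(context: ExecutionContext, next: CallHandler): Observable<unknown>;
 /** Returns the ALS context on success; in shadow mode returns null on failure (pass). */
 private verify;
+/**
+* Step 4 — rehydrate the ability from the Redis snapshot named by the `snap` claim.
+* Missing/evicted snapshot in enforce → throw (fail-closed: the gateway must rebuild);
+* in shadow → leave ability null (the request runs unscoped, logged elsewhere).
+*/
+private hydrateSnapshot;
 private stripToken;
 private tryGetSubject;
 }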
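Review bot: `buildRules?: (grants: unknown[], registry: unknown, ctx: AuthzContext) => AbilityRule[]` in the second hunk cannot be satisfied by the function its own doc comment names: `buildRulesFromGrants(grants: Grant[], registry: ResourceRegistry, ctx)` (declared in ability-builder.d.ts on this page) takes narrower parameters, and under `strictFunctionTypes` a property of function type is checked contravariantly, so `buildRules: buildRulesFromGrants` would need an assertion. Because `import type` is erased and adds no runtime dependency, the "avoid a static dep" goal is met with `import type { Grant } from '../snapshot/ability-builder'`, `import type { ResourceRegistry } from '../resource-registry'`, and `buildRules?: (grants: Grant[], registry: ResourceRegistry, ctx: AuthzContext) => AbilityRule[]; registry?: ResourceRegistry;`. That fix belongs in the source .ts, since this .d.ts is generated output. If `unknown` is deliberate to leave room for other rule builders, the comment should say so.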
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"internal-auth.interceptor.d.ts","sourceRoot":"","sources":["../../src/nest/internal-auth.interceptor.ts"],"names":[],"mappings":"AAcA,OAAO,EAGL,KAAK,WAAW,EAChB,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACrB,MAAM,gBAAgB,CAAC;AAExB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,UAAU,
|
|
1
|
+
{"version":3,"file":"internal-auth.interceptor.d.ts","sourceRoot":"","sources":["../../src/nest/internal-auth.interceptor.ts"],"names":[],"mappings":"AAcA,OAAO,EAGL,KAAK,WAAW,EAChB,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACrB,MAAM,gBAAgB,CAAC;AAExB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAuB,MAAM,MAAM,CAAC;AAGvD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAOL,KAAK,eAAe,EACrB,MAAM,wBAAwB,CAAC;AAChC,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACxD,OAAO,KAAK,EAAE,WAAW,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAC;AAGnF,MAAM,MAAM,gBAAgB,GAAG,KAAK,GAAG,QAAQ,GAAG,SAAS,CAAC;AAE5D,kEAAkE;AAClE,MAAM,WAAW,eAAe;IAC9B,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAAC;CAC/D;AAED,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,eAAe,CAAC;IACtB,MAAM,EAAE,WAAW,CAAC;IACpB,0DAA0D;IAC1D,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,SAAS,CAAC;IACrB,qEAAqE;IACrE,IAAI,CAAC,EAAE,gBAAgB,CAAC;IACxB,oEAAoE;IACpE,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB;;;;;OAKG;IACH,aAAa,CAAC,EAAE,eAAe,CAAC;IAChC,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,WAAW,EAAE,KAAK,YAAY,CAAC,SAAS,CAAC,CAAC;IAC5D;;;;;;OAMG;IACH,UAAU,CAAC,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,EAAE,YAAY,KAAK,WAAW,EAAE,CAAC;IACxF,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AA8BD,qBACa,uBAAwB,YAAW,eAAe;IAIjD,OAAO,CAAC,QAAQ,CAAC,IAAI;IAHjC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAA8B;IACrD,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAmB;gBAEX,IAAI,EAAE,mBAAmB;IAKtD,SAAS,CAAC,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC;IAgC5E,yFAAyF;YAC3E,MAAM;IAqCpB;;;;OAIG;YACW,eAAe;IA+B7B,OAAO,CAAC,UAAU;IAKlB,OAAO,CAAC,aAAa;CAItB"}
|
|
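--- a/package/dist/nest/internal-auth.interceptor.js
+++ b/package/dist/nest/internal-auth.interceptor.js
@@ -84,7 +84,11 @@ let InternalAuthInterceptor = class InternalAuthInterceptor {
 return next.handle();
 }
 return (0, rxjs_1.from)(this.verify(context)).pipe((0, operators_1.mergeMap)((authCtx) => authCtx
-?
+? // Run the WHOLE handler inside the ALS context. The callback must return a
+// promise (lastValueFrom) so the store stays bound across every await — a
+// sync `run(ctx, () => obs.subscribe())` loses context at the first await,
+// leaving the Prisma extension unscoped (request/response RPC: single value).
+(0, rxjs_1.from)(als_1.authzAls.run(authCtx, () => (0, rxjs_1.lastValueFrom)(next.handle())))
 : next.handle()));
 }
 /** Returns the ALS context on success; in shadow mode returns null on failure (pass). */
@@ -110,7 +114,9 @@ let InternalAuthInterceptor = class InternalAuthInterceptor {
 }
 if (!first)
 throw new internal_token_1.InternalAuthError('replay', `jti '${claims.jti}' already used`);
-
+const authCtx = claimsToContext(claims);
+await this.hydrateSnapshot(authCtx, claims);
+return authCtx;
 }
 catch (e) {
 const reason = e instanceof internal_token_1.InternalAuthError ? e.reason : 'sig';
@@ -122,6 +128,45 @@ let InternalAuthInterceptor = class InternalAuthInterceptor {
 throw new microservices_1.RpcException({ code: 'INTERNAL_AUTH', reason, message: e.message });
 }
 }
+/**
+* Step 4 — rehydrate the ability from the Redis snapshot named by the `snap` claim.
+* Missing/evicted snapshot in enforce → throw (fail-closed: the gateway must rebuild);
+* in shadow → leave ability null (the request runs unscoped, logged elsewhere).
+*/
+async hydrateSnapshot(ctx, claims) {
+if (!this.opts.snapshotStore || !this.opts.hydrate)
+return; // hydration not wired
+if (!claims.snap) {
+if (this.mode === 'enforce')
+throw new internal_token_1.InternalAuthError('missing', 'token has no snap claim');
+return;
+}
+const env = await this.opts.snapshotStore.getBySnapId(claims.snap);
+if (!env) {
+if (this.mode === 'enforce')
+throw new internal_token_1.InternalAuthError('backend', `snapshot '${claims.snap}' not found (evicted/expired)`);
+this.logger.warn(`shadow: snapshot '${claims.snap}' not found — running unscoped`);
+return;
+}
+if (claims.ph && env.permHash !== claims.ph) {
+// Stale token vs rebuilt snapshot; treat as a revocation signal.
+if (this.mode === 'enforce')
+throw new internal_token_1.InternalAuthError('hash', 'permHash mismatch (snapshot rebuilt/revoked)');
+this.logger.warn(`shadow: permHash mismatch snap='${claims.snap}'`);
+}
+ctx.connected = env.connected;
+ctx.accreditedAs = env.accreditedAs;
+if (env.individualId !== undefined)
+ctx.individualId = env.individualId;
+if (env.juridicalIndividualId !== undefined)
+ctx.juridicalIndividualId = env.juridicalIndividualId;
+// Cross-service: re-substitute scope templates with the LOCAL registry when grants
+// are available; otherwise use the builder's pre-substituted rules (same-service).
+const rules = env.grants && this.opts.buildRules && this.opts.registry
+? this.opts.buildRules(env.grants, this.opts.registry, ctx)
+: env.rules;
+ctx.ability = this.opts.hydrate(rules);
+}
 stripToken(context) {
 const data = context.switchToRpc().getData();
 if (data && internal_token_1.INTERNAL_JWT_FIELD in data)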
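Review bot: In `hydrateSnapshot`, `if (claims.ph && env.permHash !== claims.ph)` makes the revocation check conditional on the token carrying `ph`, so a verified token with `snap` but no `ph` is hydrated from whatever envelope currently sits under that id with no staleness check, even in enforce mode. If the issuer always sets `ph` alongside `snap`, treat its absence like a missing `snap`: `if (!claims.ph && this.mode === 'enforce') throw new internal_token_1.InternalAuthError('missing', 'token has no ph claim');` before the comparison; otherwise document that `ph` is optional and why the check may be skipped. Related: the envelope's `individualId`/`juridicalIndividualId` overwrite the claims-derived context unconditionally, so permHash is the only binding between token and snapshot — a short comment on those two lines saying the snapshot is trusted to the same degree as the token would help a reader. The `verify` method in the preceding hunk starts outside it; it already routes an `InternalAuthError` thrown by hydration through the existing shadow/enforce handling.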
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"internal-auth.interceptor.js","sourceRoot":"","sources":["../../src/nest/internal-auth.interceptor.ts"],"names":[],"mappings":";AAAA,uFAAuF;AACvF,yFAAyF;AACzF,eAAe;AACf,EAAE;AACF,mDAAmD;AACnD,qGAAqG;AACrG,EAAE;AACF,6DAA6D;AAC7D,0FAA0F;AAC1F,8FAA8F;AAC9F,0FAA0F;AAC1F,4EAA4E;AAC5E,8FAA8F;;;;;;;;;;;;AAE9F,2CAMwB;AACxB,yDAAqD;AAErD,+
|
|
1
|
+
{"version":3,"file":"internal-auth.interceptor.js","sourceRoot":"","sources":["../../src/nest/internal-auth.interceptor.ts"],"names":[],"mappings":";AAAA,uFAAuF;AACvF,yFAAyF;AACzF,eAAe;AACf,EAAE;AACF,mDAAmD;AACnD,qGAAqG;AACrG,EAAE;AACF,6DAA6D;AAC7D,0FAA0F;AAC1F,8FAA8F;AAC9F,0FAA0F;AAC1F,4EAA4E;AAC5E,8FAA8F;;;;;;;;;;;;AAE9F,2CAMwB;AACxB,yDAAqD;AAErD,+BAAuD;AACvD,8CAA0C;AAC1C,wCAA0C;AAE1C,2DAQgC;AAGhC,iFAAwE;AAsCxE,SAAS,YAAY,CAAC,OAA2B;IAC/C,IAAI,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAC/B,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACnC,IAAI,MAAM,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ;YAAE,OAAO,MAAM,CAAC,GAAG,CAAC;IAClE,CAAC;IAAC,MAAM,CAAC;QACP,gCAAgC;IAClC,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,eAAe,CAAC,MAAsB;IAC7C,OAAO;QACL,MAAM,EAAE,MAAM,CAAC,GAAG;QAClB,qBAAqB,EAAE,MAAM,CAAC,EAAE;QAChC,QAAQ,EAAE,MAAM,CAAC,GAAG;QACpB,MAAM,EAAE,MAAM,CAAC,IAAI;QACnB,QAAQ,EAAE,MAAM,CAAC,EAAE;QACnB,+EAA+E;QAC/E,SAAS,EAAE,EAAE,iBAAiB,EAAE,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,0BAA0B,EAAE,EAAE,EAAE;QAC1F,YAAY,EAAE;YACZ,QAAQ,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,oBAAoB,EAAE,EAAE,EAAE;YAC5D,QAAQ,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,oBAAoB,EAAE,EAAE,EAAE;SAC7D;QACD,OAAO,EAAE,IAA0C;KACpD,CAAC;AACJ,CAAC;AAGM,IAAM,uBAAuB,GAA7B,MAAM,uBAAuB;IAIlC,YAA6B,IAAyB;QAAzB,SAAI,GAAJ,IAAI,CAAqB;QAHrC,WAAM,GAAG,IAAI,eAAM,CAAC,cAAc,CAAC,CAAC;QAInD,IAAI,CAAC,IAAI;YACP,IAAI,CAAC,IAAI,IAAK,OAAO,CAAC,GAAG,CAAC,wBAA6C,IAAI,KAAK,CAAC;IACrF,CAAC;IAED,SAAS,CAAC,OAAyB,EAAE,IAAiB;QACpD,IAAI,OAAO,CAAC,OAAO,EAAE,KAAK,KAAK;YAAE,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,aAAa;QAEpE,IAAI,IAAI,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;YACxB,yEAAyE;YACzE,gFAAgF;YAChF,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;YACzB,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAAU,qDAAsB,EAAE;YAClF,OAAO,CAAC,UAAU,EAAE;YACpB,OAAO,CAAC,QAAQ,EAAE;SACnB,CAAC,CAAC;QACH,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;YACzB,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,CAAC;QAED,OAAO,IAAA,WAAI,EAAC,IAAI,CAAC,MAAM,CAAC,O
AAO,CAAC,CAAC,CAAC,IAAI,CACpC,IAAA,oBAAQ,EAAC,CAAC,OAAO,EAAE,EAAE,CACnB,OAAO;YACL,CAAC,CAAC,2EAA2E;gBAC3E,0EAA0E;gBAC1E,2EAA2E;gBAC3E,8EAA8E;gBAC9E,IAAA,WAAI,EAAC,cAAQ,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,IAAA,oBAAa,EAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;YACjE,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,CAClB,CACF,CAAC;IACJ,CAAC;IAED,yFAAyF;IACjF,KAAK,CAAC,MAAM,CAAC,OAAyB;QAC5C,MAAM,GAAG,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QAClC,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,EAAyC,CAAC;QAClE,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC;QAElD,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,IAAK,IAAI,CAAC,mCAAkB,CAAwB,CAAC;YACrE,IAAI,CAAC,GAAG;gBAAE,MAAM,IAAI,kCAAiB,CAAC,SAAS,EAAE,4BAA4B,CAAC,CAAC;YAE/E,MAAM,MAAM,GAAG,MAAM,IAAA,oCAAmB,EAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAErF,OAAQ,IAAgC,CAAC,mCAAkB,CAAC,CAAC;YAC7D,IAAA,+BAAc,EAAC,MAAM,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;YACnC,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,KAAK,KAAK,IAAI,GAAG;gBAAE,IAAA,0BAAS,EAAC,MAAM,EAAE,GAAG,CAAC,CAAC;YAEjE,IAAI,KAAc,CAAC;YACnB,IAAI,CAAC;gBACH,KAAK,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACvD,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,IAAI,kCAAiB,CAAC,SAAS,EAAE,+BAAgC,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;YAChG,CAAC;YACD,IAAI,CAAC,KAAK;gBAAE,MAAM,IAAI,kCAAiB,CAAC,QAAQ,EAAE,QAAQ,MAAM,CAAC,GAAG,gBAAgB,CAAC,CAAC;YAEtF,MAAM,OAAO,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;YACxC,MAAM,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC5C,OAAO,OAAO,CAAC;QACjB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,MAAM,GAAG,CAAC,YAAY,kCAAiB,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;YACjE,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC3B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,sBAAsB,MAAM,SAAS,GAAG,IAAI,GAAG,KAAM,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;gBAC7F,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,qCAAqC;gBAC/D,OAAO,IAAI,CAAC;YACd,CAAC;YACD,MAAM,IAAI,4BAAY,CAAC,EAAE,IAAI,EAAE,eAAe,EAAE,MAAM,EAAE,OAAO,EAAG,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;QAC3F,CAAC;IACH,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,eAAe,CAAC,GAAiB,EAAE,MAAsB;
QACrE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,OAAO,CAAC,sBAAsB;QAClF,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACjB,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS;gBAAE,MAAM,IAAI,kCAAiB,CAAC,SAAS,EAAE,yBAAyB,CAAC,CAAC;YAC/F,OAAO;QACT,CAAC;QACD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QACnE,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS;gBAAE,MAAM,IAAI,kCAAiB,CAAC,SAAS,EAAE,aAAa,MAAM,CAAC,IAAI,+BAA+B,CAAC,CAAC;YAC7H,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,qBAAqB,MAAM,CAAC,IAAI,gCAAgC,CAAC,CAAC;YACnF,OAAO;QACT,CAAC;QACD,IAAI,MAAM,CAAC,EAAE,IAAI,GAAG,CAAC,QAAQ,KAAK,MAAM,CAAC,EAAE,EAAE,CAAC;YAC5C,iEAAiE;YACjE,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS;gBAAE,MAAM,IAAI,kCAAiB,CAAC,MAAM,EAAE,8CAA8C,CAAC,CAAC;YACjH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,mCAAmC,MAAM,CAAC,IAAI,GAAG,CAAC,CAAC;QACtE,CAAC;QACD,GAAG,CAAC,SAAS,GAAG,GAAG,CAAC,SAAS,CAAC;QAC9B,GAAG,CAAC,YAAY,GAAG,GAAG,CAAC,YAAY,CAAC;QACpC,IAAI,GAAG,CAAC,YAAY,KAAK,SAAS;YAAE,GAAG,CAAC,YAAY,GAAG,GAAG,CAAC,YAAY,CAAC;QACxE,IAAI,GAAG,CAAC,qBAAqB,KAAK,SAAS;YAAE,GAAG,CAAC,qBAAqB,GAAG,GAAG,CAAC,qBAAqB,CAAC;QAEnG,mFAAmF;QACnF,mFAAmF;QACnF,MAAM,KAAK,GACT,GAAG,CAAC,MAAM,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ;YACtD,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC;YAC3D,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC;QAChB,GAAG,CAAC,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACzC,CAAC;IAEO,UAAU,CAAC,OAAyB;QAC1C,MAAM,IAAI,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,OAAO,EAAyC,CAAC;QACpF,IAAI,IAAI,IAAI,mCAAkB,IAAI,IAAI;YAAE,OAAO,IAAI,CAAC,mCAAkB,CAAC,CAAC;IAC1E,CAAC;IAEO,aAAa,CAAC,GAAgD;QACpE,MAAM,GAAG,GAAG,GAAG,CAAC,UAAU,EAA+C,CAAC;QAC1E,OAAO,OAAO,GAAG,EAAE,UAAU,KAAK,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IAC9E,CAAC;CACF,CAAA;AA5HY,0DAAuB;kCAAvB,uBAAuB;IADnC,IAAA,mBAAU,GAAE;;GACA,uBAAuB,CA4HnC"}
|
|
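--- a/package/dist/snapshot/ability-builder.d.ts
+++ b/package/dist/snapshot/ability-builder.d.ts
@@ -1,3 +1,4 @@
+import { type PrismaAbility } from '@casl/prisma';
 import type { AuthzContext } from '../context/authz-context';
 import type { ResourceRegistry } from '../resource-registry';
 import type { AbilityRule } from './snapshot.envelope';
@@ -18,5 +19,5 @@ export interface Grant {
 */
 export declare function buildRulesFromGrants(grants: Grant[], registry: ResourceRegistry, ctx: AuthzContext): AbilityRule[];
 /** Rehydrate a PrismaAbility from serialized rules (snapshot → runtime). */
-export declare function hydrateAbility(rules: AbilityRule[]):
+export declare function hydrateAbility(rules: AbilityRule[]): PrismaAbility<any>;
 //# sourceMappingURL=ability-builder.d.ts.map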
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ability-builder.d.ts","sourceRoot":"","sources":["../../src/snapshot/ability-builder.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"ability-builder.d.ts","sourceRoot":"","sources":["../../src/snapshot/ability-builder.ts"],"names":[],"mappings":"AAIA,OAAO,EAAuB,KAAK,aAAa,EAAE,MAAM,cAAc,CAAC;AAEvE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAEvD,MAAM,MAAM,KAAK,GAAG,QAAQ,GAAG,QAAQ,GAAG,KAAK,GAAG,WAAW,GAAG,UAAU,GAAG,UAAU,CAAC;AAExF,MAAM,WAAW,KAAK;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,qEAAqE;IACrE,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,KAAK,CAAC;IACb,yDAAyD;IACzD,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,KAAK,EAAE,EACf,QAAQ,EAAE,gBAAgB,EAC1B,GAAG,EAAE,YAAY,GAChB,WAAW,EAAE,CAiBf;AAED,4EAA4E;AAC5E,wBAAgB,cAAc,CAAC,KAAK,EAAE,WAAW,EAAE,GAAG,aAAa,CAAC,GAAG,CAAC,CAEvE"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ability-builder.js","sourceRoot":"","sources":["../../src/snapshot/ability-builder.ts"],"names":[],"mappings":";;AA2BA,oDAqBC;AAGD,wCAEC;AArDD,qFAAqF;AACrF,wFAAwF;AACxF,oFAAoF;AACpF,iEAAiE;AACjE,
|
|
1
|
+
{"version":3,"file":"ability-builder.js","sourceRoot":"","sources":["../../src/snapshot/ability-builder.ts"],"names":[],"mappings":";;AA2BA,oDAqBC;AAGD,wCAEC;AArDD,qFAAqF;AACrF,wFAAwF;AACxF,oFAAoF;AACpF,iEAAiE;AACjE,yCAAuE;AACvE,0DAAwD;AAiBxD;;;;GAIG;AACH,SAAgB,oBAAoB,CAClC,MAAe,EACf,QAA0B,EAC1B,GAAiB;IAEjB,MAAM,KAAK,GAAkB,EAAE,CAAC;IAChC,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,MAAM,IAAI,GAAgB,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC;QACnE,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM;YAAE,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC;QACxD,IAAI,CAAC,CAAC,QAAQ;YAAE,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;QAErC,IAAI,CAAC,CAAC,KAAK,KAAK,QAAQ,IAAI,CAAC,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;YAChD,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjB,SAAS;QACX,CAAC;QACD,MAAM,QAAQ,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QAC5D,IAAI,CAAC,QAAQ;YAAE,SAAS,CAAC,gEAAgE;QACzF,IAAI,CAAC,UAAU,GAAG,IAAA,oCAAiB,EAAC,QAAQ,EAAE,GAAG,CAA4B,CAAC;QAC9E,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnB,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,4EAA4E;AAC5E,SAAgB,cAAc,CAAC,KAAoB;IACjD,OAAO,IAAA,4BAAmB,EAAC,KAAkD,CAAuB,CAAC;AACvG,CAAC"}
|
|
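--- a/package/dist/snapshot/snapshot.envelope.d.ts
+++ b/package/dist/snapshot/snapshot.envelope.d.ts
@@ -1,4 +1,5 @@
 import type { AccreditedAs, ConnectedEdges } from '../context/authz-context';
+import type { Grant } from './ability-builder';
 export declare const SNAPSHOT_SCHEMA_VERSION = 1;
 /** A serialized CASL rule (post $ctx-substitution). Shape accepted by createPrismaAbility. */
 export interface AbilityRule {
@@ -22,7 +23,16 @@ export interface SnapshotEnvelope {
 permHash: string;
 /** epoch ms — drives refresh-ahead (DEC-S4.30). */
 builtAt: number;
+/** Rules pre-substituted by the BUILDER's registry (skillID). Fast path for same-service. */
 rules: AbilityRule[];
+/**
+* Raw grants (action × subject × scope) — let a downstream service re-substitute scope
+* templates with ITS OWN registry, so it can scope subjects the builder doesn't own
+* (cross-service correctness). Builder also stores the ctx scalars needed for that.
+*/
+grants?: Grant[];
+individualId?: string;
+juridicalIndividualId?: string;
 connected: ConnectedEdges;
 accreditedAs: AccreditedAs;
 /** Set when the rules blob was lz4-compressed (DEC-S4.27). Day-1: null. */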
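Review bot: `individualId?` and `juridicalIndividualId?` in the second hunk are added without a doc comment, and the preceding `grants` comment only alludes to them as "the ctx scalars needed for that"; the interceptor on this page copies them onto the verified request context, so a reader of the envelope type should learn that they are consumer-visible identity fields rather than builder bookkeeping. Suggested comment above `individualId?`: `/** Ctx scalars captured at build time for grants re-substitution; the consuming interceptor copies them onto the verified AuthzContext. */`. Since both are optional, the comment should also state whether they are required whenever `grants` is present, as `buildRules` consumers cannot tell from the type.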
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"snapshot.envelope.d.ts","sourceRoot":"","sources":["../../src/snapshot/snapshot.envelope.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;
|
|
1
|
+
{"version":3,"file":"snapshot.envelope.d.ts","sourceRoot":"","sources":["../../src/snapshot/snapshot.envelope.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAC7E,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAE/C,eAAO,MAAM,uBAAuB,IAAI,CAAC;AAEzC,8FAA8F;AAC9F,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC1B,OAAO,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC3B,2EAA2E;IAC3E,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,+EAA+E;IAC/E,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,0BAA0B;IAC1B,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,0CAA0C;IAC1C,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,8EAA8E;IAC9E,QAAQ,EAAE,MAAM,CAAC;IACjB,mDAAmD;IACnD,OAAO,EAAE,MAAM,CAAC;IAChB,6FAA6F;IAC7F,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB;;;;OAIG;IACH,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,SAAS,EAAE,cAAc,CAAC;IAC1B,YAAY,EAAE,YAAY,CAAC;IAC3B,2EAA2E;IAC3E,UAAU,CAAC,EAAE,KAAK,GAAG,IAAI,CAAC;CAC3B;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAC3B,MAAM,EAAE,MAAM,EACd,iBAAiB,EAAE,MAAM,GAAG,SAAS,EACrC,SAAS,EAAE,MAAM,GAChB,MAAM,CAMR"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"snapshot.envelope.js","sourceRoot":"","sources":["../../src/snapshot/snapshot.envelope.ts"],"names":[],"mappings":";;;
|
|
1
|
+
{"version":3,"file":"snapshot.envelope.js","sourceRoot":"","sources":["../../src/snapshot/snapshot.envelope.ts"],"names":[],"mappings":";;;AAsDA,sCAUC;AAhED,wEAAwE;AACxE,EAAE;AACF,wFAAwF;AACxF,yFAAyF;AACzF,6DAA6D;AAC7D,6CAAyC;AAI5B,QAAA,uBAAuB,GAAG,CAAC,CAAC;AAyCzC;;;GAGG;AACH,SAAgB,aAAa,CAC3B,MAAc,EACd,iBAAqC,EACrC,SAAiB;IAEjB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;IAC5C,OAAO,IAAA,wBAAU,EAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,GAAG,MAAM,IAAI,iBAAiB,IAAI,EAAE,IAAI,MAAM,EAAE,CAAC;SACxD,MAAM,CAAC,KAAK,CAAC;SACb,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAClB,CAAC"}
|