@globaltracking/auth-middleware 2.0.0

package/dist/nestjs/gt-auth.module.js

@@ -0,0 +1,102 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var GtAuthModule_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GtAuthModule = void 0;
+const common_1 = require("@nestjs/common");
+const config_1 = require("../config");
+const constants_1 = require("./constants");
+const trusted_headers_middleware_1 = require("./middleware/trusted-headers.middleware");
+const internal_only_guard_1 = require("./guards/internal-only.guard");
+const permissions_guard_1 = require("./guards/permissions.guard");
+const auth_guard_1 = require("./guards/auth.guard");
+const org_context_interceptor_1 = require("./interceptors/org-context.interceptor");
+const auth_exception_filter_1 = require("./filters/auth-exception.filter");
+/**
+ * NestJS dynamic module for Global Tracking authentication and authorization.
+ *
+ * Provides: InternalOnlyGuard, GtPermissionsGuard, GtAuthGuard,
+ * OrgContextInterceptor, AuthExceptionFilter, and the GtTrustedHeadersMiddleware.
+ *
+ * @example
+ * ```typescript
+ * GtAuthModule.forRoot({
+ *   strategies: ['trusted-headers'],
+ *   internalGatewayToken: 'secret',
+ *   adminRoles: ['system_admin', 'org_admin'],
+ *   rbacServiceUrl: 'http://gt-rbac-service:3000',
+ * })
+ * ```
+ */
+let GtAuthModule = GtAuthModule_1 = class GtAuthModule {
+    configure(consumer) {
+        consumer.apply(trusted_headers_middleware_1.GtTrustedHeadersMiddleware).forRoutes('*');
+    }
+    static forRoot(options = {}) {
+        (0, config_1.initAuth)(options);
+        return {
+            module: GtAuthModule_1,
+            global: true,
+            providers: [
+                {
+                    provide: constants_1.GT_AUTH_CONFIG,
+                    useFactory: () => (0, config_1.getConfig)(),
+                },
+                internal_only_guard_1.InternalOnlyGuard,
+                permissions_guard_1.GtPermissionsGuard,
+                auth_guard_1.GtAuthGuard,
+                org_context_interceptor_1.OrgContextInterceptor,
+                auth_exception_filter_1.AuthExceptionFilter,
+            ],
+            exports: [
+                constants_1.GT_AUTH_CONFIG,
+                internal_only_guard_1.InternalOnlyGuard,
+                permissions_guard_1.GtPermissionsGuard,
+                auth_guard_1.GtAuthGuard,
+                org_context_interceptor_1.OrgContextInterceptor,
+                auth_exception_filter_1.AuthExceptionFilter,
+            ],
+        };
+    }
+    static forRootAsync(options) {
+        return {
+            module: GtAuthModule_1,
+            global: true,
+            imports: options.imports || [],
+            providers: [
+                {
+                    provide: constants_1.GT_AUTH_CONFIG,
+                    useFactory: async (...args) => {
+                        const config = await options.useFactory(...args);
+                        (0, config_1.initAuth)(config);
+                        return (0, config_1.getConfig)();
+                    },
+                    inject: options.inject || [],
+                },
+                internal_only_guard_1.InternalOnlyGuard,
+                permissions_guard_1.GtPermissionsGuard,
+                auth_guard_1.GtAuthGuard,
+                org_context_interceptor_1.OrgContextInterceptor,
+                auth_exception_filter_1.AuthExceptionFilter,
+            ],
+            exports: [
+                constants_1.GT_AUTH_CONFIG,
+                internal_only_guard_1.InternalOnlyGuard,
+                permissions_guard_1.GtPermissionsGuard,
+                auth_guard_1.GtAuthGuard,
+                org_context_interceptor_1.OrgContextInterceptor,
+                auth_exception_filter_1.AuthExceptionFilter,
+            ],
+        };
+    }
+};
+exports.GtAuthModule = GtAuthModule;
+exports.GtAuthModule = GtAuthModule = GtAuthModule_1 = __decorate([
+    (0, common_1.Module)({})
+], GtAuthModule);
+//# sourceMappingURL=gt-auth.module.js.map

package/dist/nestjs/gt-auth.module.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gt-auth.module.js","sourceRoot":"","sources":["../../src/nestjs/gt-auth.module.ts"],"names":[],"mappings":";;;;;;;;;;AAAA,2CAAuF;AAEvF,sCAAgD;AAChD,2CAA6C;AAC7C,wFAAqF;AACrF,sEAAiE;AACjE,kEAAgE;AAChE,oDAAkD;AAClD,oFAA+E;AAC/E,2EAAsE;AAUtE;;;;;;;;;;;;;;;GAeG;AAEI,IAAM,YAAY,oBAAlB,MAAM,YAAY;IACvB,SAAS,CAAC,QAA4B;QACpC,QAAQ,CAAC,KAAK,CAAC,uDAA0B,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC5D,CAAC;IAED,MAAM,CAAC,OAAO,CAAC,UAA+B,EAAE;QAC9C,IAAA,iBAAQ,EAAC,OAAO,CAAC,CAAC;QAElB,OAAO;YACL,MAAM,EAAE,cAAY;YACpB,MAAM,EAAE,IAAI;YACZ,SAAS,EAAE;gBACT;oBACE,OAAO,EAAE,0BAAc;oBACvB,UAAU,EAAE,GAAG,EAAE,CAAC,IAAA,kBAAS,GAAE;iBAC9B;gBACD,uCAAiB;gBACjB,sCAAkB;gBAClB,wBAAW;gBACX,+CAAqB;gBACrB,2CAAmB;aACpB;YACD,OAAO,EAAE;gBACP,0BAAc;gBACd,uCAAiB;gBACjB,sCAAkB;gBAClB,wBAAW;gBACX,+CAAqB;gBACrB,2CAAmB;aACpB;SACF,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,YAAY,CAAC,OAAiC;QACnD,OAAO;YACL,MAAM,EAAE,cAAY;YACpB,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,EAAE;YAC9B,SAAS,EAAE;gBACT;oBACE,OAAO,EAAE,0BAAc;oBACvB,UAAU,EAAE,KAAK,EAAE,GAAG,IAAW,EAAE,EAAE;wBACnC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC,CAAC;wBACjD,IAAA,iBAAQ,EAAC,MAAM,CAAC,CAAC;wBACjB,OAAO,IAAA,kBAAS,GAAE,CAAC;oBACrB,CAAC;oBACD,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,EAAE;iBAC7B;gBACD,uCAAiB;gBACjB,sCAAkB;gBAClB,wBAAW;gBACX,+CAAqB;gBACrB,2CAAmB;aACpB;YACD,OAAO,EAAE;gBACP,0BAAc;gBACd,uCAAiB;gBACjB,sCAAkB;gBAClB,wBAAW;gBACX,+CAAqB;gBACrB,2CAAmB;aACpB;SACF,CAAC;IACJ,CAAC;CACF,CAAA;AAhEY,oCAAY;uBAAZ,YAAY;IADxB,IAAA,eAAM,EAAC,EAAE,CAAC;GACE,YAAY,CAgExB"}

package/dist/nestjs/guards/auth.guard.d.ts

@@ -0,0 +1,13 @@
+import { CanActivate, ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+/**
+ * Optional NestJS guard that runs the core extractUser() logic.
+ * Use this when you need guard-based auth extraction instead of middleware.
+ * Skips @Public() routes.
+ */
+export declare class GtAuthGuard implements CanActivate {
+    private readonly reflector;
+    constructor(reflector: Reflector);
+    canActivate(context: ExecutionContext): boolean;
+}
+//# sourceMappingURL=auth.guard.d.ts.map

package/dist/nestjs/guards/auth.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.guard.d.ts","sourceRoot":"","sources":["../../../src/nestjs/guards/auth.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAAqC,MAAM,gBAAgB,CAAC;AAClG,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAIzC;;;;GAIG;AACH,qBACa,WAAY,YAAW,WAAW;IACjC,OAAO,CAAC,QAAQ,CAAC,SAAS;gBAAT,SAAS,EAAE,SAAS;IAEjD,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO;CAwBhD"}

package/dist/nestjs/guards/auth.guard.js

@@ -0,0 +1,53 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GtAuthGuard = void 0;
+const common_1 = require("@nestjs/common");
+const core_1 = require("@nestjs/core");
+const extract_user_1 = require("../../extract-user");
+const constants_1 = require("../constants");
+/**
+ * Optional NestJS guard that runs the core extractUser() logic.
+ * Use this when you need guard-based auth extraction instead of middleware.
+ * Skips @Public() routes.
+ */
+let GtAuthGuard = class GtAuthGuard {
+    constructor(reflector) {
+        this.reflector = reflector;
+    }
+    canActivate(context) {
+        const isPublic = this.reflector.getAllAndOverride(constants_1.IS_PUBLIC_KEY, [
+            context.getHandler(),
+            context.getClass(),
+        ]);
+        if (isPublic) {
+            return true;
+        }
+        const request = context.switchToHttp().getRequest();
+        // If user was already set by middleware, skip
+        if (request.user) {
+            return true;
+        }
+        try {
+            request.user = (0, extract_user_1.extractUser)(request);
+            return true;
+        }
+        catch {
+            throw new common_1.UnauthorizedException('Authentication required');
+        }
+    }
+};
+exports.GtAuthGuard = GtAuthGuard;
+exports.GtAuthGuard = GtAuthGuard = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [core_1.Reflector])
+], GtAuthGuard);
+//# sourceMappingURL=auth.guard.js.map

package/dist/nestjs/guards/auth.guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.guard.js","sourceRoot":"","sources":["../../../src/nestjs/guards/auth.guard.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,2CAAkG;AAClG,uCAAyC;AACzC,qDAAiD;AACjD,4CAA6C;AAE7C;;;;GAIG;AAEI,IAAM,WAAW,GAAjB,MAAM,WAAW;IACtB,YAA6B,SAAoB;QAApB,cAAS,GAAT,SAAS,CAAW;IAAG,CAAC;IAErD,WAAW,CAAC,OAAyB;QACnC,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAAU,yBAAa,EAAE;YACxE,OAAO,CAAC,UAAU,EAAE;YACpB,OAAO,CAAC,QAAQ,EAAE;SACnB,CAAC,CAAC;QAEH,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAE,CAAC;QAEpD,8CAA8C;QAC9C,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC;YACH,OAAO,CAAC,IAAI,GAAG,IAAA,0BAAW,EAAC,OAAO,CAAC,CAAC;YACpC,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,8BAAqB,CAAC,yBAAyB,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;CACF,CAAA;AA3BY,kCAAW;sBAAX,WAAW;IADvB,IAAA,mBAAU,GAAE;qCAE6B,gBAAS;GADtC,WAAW,CA2BvB"}

package/dist/nestjs/guards/internal-only.guard.d.ts

@@ -0,0 +1,15 @@
+import { CanActivate, ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { ResolvedAuthConfig } from '../../types';
+/**
+ * Guard that ensures requests come through the trusted gateway.
+ * Validates X-Gateway-Token against the configured internalGatewayToken.
+ * Skips validation for @Public() routes.
+ */
+export declare class InternalOnlyGuard implements CanActivate {
+    private readonly config;
+    private readonly reflector;
+    constructor(config: ResolvedAuthConfig, reflector: Reflector);
+    canActivate(context: ExecutionContext): boolean;
+}
+//# sourceMappingURL=internal-only.guard.d.ts.map

package/dist/nestjs/guards/internal-only.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"internal-only.guard.d.ts","sourceRoot":"","sources":["../../../src/nestjs/guards/internal-only.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAA0C,MAAM,gBAAgB,CAAC;AACvG,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAEjD;;;;GAIG;AACH,qBACa,iBAAkB,YAAW,WAAW;IAEzB,OAAO,CAAC,QAAQ,CAAC,MAAM;IAC/C,OAAO,CAAC,QAAQ,CAAC,SAAS;gBADe,MAAM,EAAE,kBAAkB,EAClD,SAAS,EAAE,SAAS;IAGvC,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO;CAmBhD"}

package/dist/nestjs/guards/internal-only.guard.js

@@ -0,0 +1,51 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InternalOnlyGuard = void 0;
+const common_1 = require("@nestjs/common");
+const core_1 = require("@nestjs/core");
+const constants_1 = require("../constants");
+/**
+ * Guard that ensures requests come through the trusted gateway.
+ * Validates X-Gateway-Token against the configured internalGatewayToken.
+ * Skips validation for @Public() routes.
+ */
+let InternalOnlyGuard = class InternalOnlyGuard {
+    constructor(config, reflector) {
+        this.config = config;
+        this.reflector = reflector;
+    }
+    canActivate(context) {
+        const isPublic = this.reflector.getAllAndOverride(constants_1.IS_PUBLIC_KEY, [
+            context.getHandler(),
+            context.getClass(),
+        ]);
+        if (isPublic) {
+            return true;
+        }
+        const request = context.switchToHttp().getRequest();
+        const gatewayToken = request.headers[this.config.trustedHeaderNames.gatewayToken];
+        if (!this.config.internalGatewayToken || gatewayToken !== this.config.internalGatewayToken) {
+            throw new common_1.ForbiddenException('Direct access not allowed');
+        }
+        return true;
+    }
+};
+exports.InternalOnlyGuard = InternalOnlyGuard;
+exports.InternalOnlyGuard = InternalOnlyGuard = __decorate([
+    (0, common_1.Injectable)(),
+    __param(0, (0, common_1.Inject)(constants_1.GT_AUTH_CONFIG)),
+    __metadata("design:paramtypes", [Object, core_1.Reflector])
+], InternalOnlyGuard);
+//# sourceMappingURL=internal-only.guard.js.map

package/dist/nestjs/guards/internal-only.guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"internal-only.guard.js","sourceRoot":"","sources":["../../../src/nestjs/guards/internal-only.guard.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,2CAAuG;AACvG,uCAAyC;AACzC,4CAA6D;AAG7D;;;;GAIG;AAEI,IAAM,iBAAiB,GAAvB,MAAM,iBAAiB;IAC5B,YAC2C,MAA0B,EAClD,SAAoB;QADI,WAAM,GAAN,MAAM,CAAoB;QAClD,cAAS,GAAT,SAAS,CAAW;IACpC,CAAC;IAEJ,WAAW,CAAC,OAAyB;QACnC,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAAU,yBAAa,EAAE;YACxE,OAAO,CAAC,UAAU,EAAE;YACpB,OAAO,CAAC,QAAQ,EAAE;SACnB,CAAC,CAAC;QAEH,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAE,CAAC;QACpD,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,YAAY,CAAC,CAAC;QAElF,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,oBAAoB,IAAI,YAAY,KAAK,IAAI,CAAC,MAAM,CAAC,oBAAoB,EAAE,CAAC;YAC3F,MAAM,IAAI,2BAAkB,CAAC,2BAA2B,CAAC,CAAC;QAC5D,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;CACF,CAAA;AAzBY,8CAAiB;4BAAjB,iBAAiB;IAD7B,IAAA,mBAAU,GAAE;IAGR,WAAA,IAAA,eAAM,EAAC,0BAAc,CAAC,CAAA;6CACK,gBAAS;GAH5B,iBAAiB,CAyB7B"}

package/dist/nestjs/guards/permissions.guard.d.ts

@@ -0,0 +1,23 @@
+import { CanActivate, ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { ResolvedAuthConfig } from '../../types';
+/**
+ * Hybrid permission guard with 3-tier resolution:
+ *
+ * 1. If user.permissions is non-empty → in-memory check (fast, from JWT)
+ * 2. If permissionResolver is configured → call it (for RBAC service's own ResolveService)
+ * 3. If rbacServiceUrl is configured → HTTP call to RBAC service
+ * 4. Else → deny (fail-closed)
+ *
+ * Admin roles (config.adminRoles) always bypass.
+ */
+export declare class GtPermissionsGuard implements CanActivate {
+    private readonly config;
+    private readonly reflector;
+    private readonly logger;
+    constructor(config: ResolvedAuthConfig, reflector: Reflector);
+    canActivate(context: ExecutionContext): Promise<boolean>;
+    private resolveViaFunction;
+    private resolveViaHttp;
+}
+//# sourceMappingURL=permissions.guard.d.ts.map

package/dist/nestjs/guards/permissions.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.guard.d.ts","sourceRoot":"","sources":["../../../src/nestjs/guards/permissions.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAAkD,MAAM,gBAAgB,CAAC;AAC/G,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC,OAAO,EAAY,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAE3D;;;;;;;;;GASG;AACH,qBACa,kBAAmB,YAAW,WAAW;IAI1B,OAAO,CAAC,QAAQ,CAAC,MAAM;IAC/C,OAAO,CAAC,QAAQ,CAAC,SAAS;IAJ5B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAuC;gBAGnB,MAAM,EAAE,kBAAkB,EAClD,SAAS,EAAE,SAAS;IAGjC,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;YA8DhD,kBAAkB;YAwBlB,cAAc;CA8C7B"}

package/dist/nestjs/guards/permissions.guard.js

@@ -0,0 +1,134 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+var GtPermissionsGuard_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GtPermissionsGuard = void 0;
+const common_1 = require("@nestjs/common");
+const core_1 = require("@nestjs/core");
+const constants_1 = require("../constants");
+/**
+ * Hybrid permission guard with 3-tier resolution:
+ *
+ * 1. If user.permissions is non-empty → in-memory check (fast, from JWT)
+ * 2. If permissionResolver is configured → call it (for RBAC service's own ResolveService)
+ * 3. If rbacServiceUrl is configured → HTTP call to RBAC service
+ * 4. Else → deny (fail-closed)
+ *
+ * Admin roles (config.adminRoles) always bypass.
+ */
+let GtPermissionsGuard = GtPermissionsGuard_1 = class GtPermissionsGuard {
+    constructor(config, reflector) {
+        this.config = config;
+        this.reflector = reflector;
+        this.logger = new common_1.Logger(GtPermissionsGuard_1.name);
+    }
+    async canActivate(context) {
+        const isPublic = this.reflector.getAllAndOverride(constants_1.IS_PUBLIC_KEY, [
+            context.getHandler(),
+            context.getClass(),
+        ]);
+        if (isPublic) {
+            return true;
+        }
+        const requiredPermissions = this.reflector.getAllAndOverride(constants_1.PERMISSIONS_KEY, [context.getHandler(), context.getClass()]);
+        if (!requiredPermissions || requiredPermissions.length === 0) {
+            return true;
+        }
+        const request = context.switchToHttp().getRequest();
+        const user = request.user;
+        if (!user) {
+            throw new common_1.ForbiddenException('No user context found');
+        }
+        // Admin roles bypass all permission checks
+        if (this.config.adminRoles.includes(user.role)) {
+            return true;
+        }
+        // Tier 1: In-memory check from JWT claims
+        if (user.permissions && user.permissions.length > 0) {
+            const userPerms = new Set(user.permissions);
+            const hasAll = requiredPermissions.every((p) => userPerms.has(p));
+            if (!hasAll) {
+                throw new common_1.ForbiddenException('You do not have the required permissions to access this resource');
+            }
+            return true;
+        }
+        // Tier 2: Custom permission resolver (e.g., RBAC service's own ResolveService)
+        if (this.config.permissionResolver) {
+            return this.resolveViaFunction(user, requiredPermissions);
+        }
+        // Tier 3: HTTP call to RBAC service
+        if (this.config.rbacServiceUrl) {
+            return this.resolveViaHttp(user, requiredPermissions);
+        }
+        // Fail-closed: no resolution mechanism available
+        this.logger.warn(`No permission resolution mechanism configured. Denying access for user ${user.userId}.`);
+        throw new common_1.ForbiddenException('You do not have the required permissions to access this resource');
+    }
+    async resolveViaFunction(user, requiredPermissions) {
+        for (const perm of requiredPermissions) {
+            const [resource, action] = perm.split(':');
+            if (!resource || !action)
+                continue;
+            const hasPermission = await this.config.permissionResolver(user.orgId, user.userId, resource, action);
+            if (!hasPermission) {
+                throw new common_1.ForbiddenException('You do not have the required permissions to access this resource');
+            }
+        }
+        return true;
+    }
+    async resolveViaHttp(user, requiredPermissions) {
+        for (const perm of requiredPermissions) {
+            const [resource, action] = perm.split(':');
+            if (!resource || !action)
+                continue;
+            const url = `${this.config.rbacServiceUrl}/v1/resolve/check`;
+            try {
+                const response = await fetch(url, {
+                    method: 'POST',
+                    headers: {
+                        'Content-Type': 'application/json',
+                        'x-user-id': user.userId,
+                        'x-org-id': user.orgId,
+                        'x-user-role': user.role,
+                        ...(this.config.internalGatewayToken
+                            ? { 'x-gateway-token': this.config.internalGatewayToken }
+                            : {}),
+                    },
+                    body: JSON.stringify({ resource, action }),
+                });
+                if (!response.ok) {
+                    throw new common_1.ForbiddenException('You do not have the required permissions to access this resource');
+                }
+                const body = await response.json();
+                if (!body.allowed) {
+                    throw new common_1.ForbiddenException('You do not have the required permissions to access this resource');
+                }
+            }
+            catch (err) {
+                if (err instanceof common_1.ForbiddenException)
+                    throw err;
+                this.logger.error(`RBAC service call failed: ${err}`, err.stack);
+                throw new common_1.ForbiddenException('Permission check failed — RBAC service unavailable');
+            }
+        }
+        return true;
+    }
+};
+exports.GtPermissionsGuard = GtPermissionsGuard;
+exports.GtPermissionsGuard = GtPermissionsGuard = GtPermissionsGuard_1 = __decorate([
+    (0, common_1.Injectable)(),
+    __param(0, (0, common_1.Inject)(constants_1.GT_AUTH_CONFIG)),
+    __metadata("design:paramtypes", [Object, core_1.Reflector])
+], GtPermissionsGuard);
+//# sourceMappingURL=permissions.guard.js.map

package/dist/nestjs/guards/permissions.guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.guard.js","sourceRoot":"","sources":["../../../src/nestjs/guards/permissions.guard.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,2CAA+G;AAC/G,uCAAyC;AACzC,4CAA8E;AAG9E;;;;;;;;;GASG;AAEI,IAAM,kBAAkB,0BAAxB,MAAM,kBAAkB;IAG7B,YAC0B,MAA2C,EAClD,SAAoB;QADI,WAAM,GAAN,MAAM,CAAoB;QAClD,cAAS,GAAT,SAAS,CAAW;QAJtB,WAAM,GAAG,IAAI,eAAM,CAAC,oBAAkB,CAAC,IAAI,CAAC,CAAC;IAK3D,CAAC;IAEJ,KAAK,CAAC,WAAW,CAAC,OAAyB;QACzC,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAAU,yBAAa,EAAE;YACxE,OAAO,CAAC,UAAU,EAAE;YACpB,OAAO,CAAC,QAAQ,EAAE;SACnB,CAAC,CAAC;QAEH,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,mBAAmB,GAAG,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAC1D,2BAAe,EACf,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAC3C,CAAC;QAEF,IAAI,CAAC,mBAAmB,IAAI,mBAAmB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC7D,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAE,CAAC;QACpD,MAAM,IAAI,GAAa,OAAO,CAAC,IAAI,CAAC;QAEpC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,2BAAkB,CAAC,uBAAuB,CAAC,CAAC;QACxD,CAAC;QAED,2CAA2C;QAC3C,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/C,OAAO,IAAI,CAAC;QACd,CAAC;QAED,0CAA0C;QAC1C,IAAI,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpD,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC5C,MAAM,MAAM,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAClE,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,2BAAkB,CAC1B,kEAAkE,CACnE,CAAC;YACJ,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,+EAA+E;QAC/E,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC,kBAAkB,CAAC,IAAI,EAAE,mBAAmB,CAAC,CAAC;QAC5D,CAAC;QAED,oCAAoC;QACpC,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;YAC/B,OAAO,IAAI,CAAC,cAAc,CAAC,IAAI,EAAE,mBAAmB,CAAC,CAAC;QACxD,CAAC;QAED,iDAAiD;QACjD,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,0EAA0E,IAAI,CAAC,MAAM,GAAG,CACzF,CAAC;QACF,MAAM,IAAI,2BAAkB,CAC1B,kEAAkE,CACnE,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,kBAAkB,CAC9B,IAAc,EACd,mBAA6B;QAE7B,KAAK,MAAM,IAAI,IAAI,mBAAmB,EAAE,CAAC;YACvC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC3C,IAAI,CAAC,QAAQ,IAAI,CAAC,MAAM;gBAAE,SAAS;YAEnC,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,kBAAmB,CACzD,IAAI,CAAC,KAAK,EACV,IAAI,CAAC,MAAM,EACX,QAAQ,EACR,MAAM,CACP,CAAC;YAEF,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,MAAM,IAAI,2BAAkB,CAC1B,kEAAkE,CACnE,CAAC;YACJ,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,KAAK,CAAC,cAAc,CAC1B,IAAc,EACd,mBAA6B;QAE7B,KAAK,MAAM,IAAI,IAAI,mBAAmB,EAAE,CAAC;YACvC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC3C,IAAI,CAAC,QAAQ,IAAI,CAAC,MAAM;gBAAE,SAAS;YAEnC,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,cAAc,mBAAmB,CAAC;YAC7D,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;oBAChC,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE;wBACP,cAAc,EAAE,kBAAkB;wBAClC,WAAW,EAAE,IAAI,CAAC,MAAM;wBACxB,UAAU,EAAE,IAAI,CAAC,KAAK;wBACtB,aAAa,EAAE,IAAI,CAAC,IAAI;wBACxB,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,oBAAoB;4BAClC,CAAC,CAAC,EAAE,iBAAiB,EAAE,IAAI,CAAC,MAAM,CAAC,oBAAoB,EAAE;4BACzD,CAAC,CAAC,EAAE,CAAC;qBACR;oBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;iBAC3C,CAAC,CAAC;gBAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;oBACjB,MAAM,IAAI,2BAAkB,CAC1B,kEAAkE,CACnE,CAAC;gBACJ,CAAC;gBAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA2B,CAAC;gBAC5D,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;oBAClB,MAAM,IAAI,2BAAkB,CAC1B,kEAAkE,CACnE,CAAC;gBACJ,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,GAAG,YAAY,2BAAkB;oBAAE,MAAM,GAAG,CAAC;gBACjD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,6BAA6B,GAAG,EAAE,EAAG,GAAa,CAAC,KAAK,CAAC,CAAC;gBAC5E,MAAM,IAAI,2BAAkB,CAC1B,oDAAoD,CACrD,CAAC;YACJ,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;CACF,CAAA;AA5IY,gDAAkB;6BAAlB,kBAAkB;IAD9B,IAAA,mBAAU,GAAE;IAKR,WAAA,IAAA,eAAM,EAAC,0BAAc,CAAC,CAAA;6CACK,gBAAS;GAL5B,kBAAkB,CA4I9B"}

package/dist/nestjs/index.d.ts

@@ -0,0 +1,12 @@
+export { GtAuthModule, GtAuthModuleOptions, GtAuthModuleAsyncOptions } from './gt-auth.module';
+export { GT_AUTH_CONFIG, IS_PUBLIC_KEY, PERMISSIONS_KEY, ROLES_KEY } from './constants';
+export { InternalOnlyGuard } from './guards/internal-only.guard';
+export { GtPermissionsGuard } from './guards/permissions.guard';
+export { GtAuthGuard } from './guards/auth.guard';
+export { CurrentUser, CurrentOrg, Public, RequirePermissions, RequireRoles } from './decorators/index';
+export { GtTrustedHeadersMiddleware } from './middleware/trusted-headers.middleware';
+export { OrgContextInterceptor } from './interceptors/org-context.interceptor';
+export { AuthExceptionFilter } from './filters/auth-exception.filter';
+export { AuthUser, RequestUser, AuthConfig, AuthStrategy, UserRole } from '../types';
+export { AuthError, UnauthorizedError, ForbiddenError } from '../errors';
+//# sourceMappingURL=index.d.ts.map

package/dist/nestjs/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/nestjs/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,mBAAmB,EAAE,wBAAwB,EAAE,MAAM,kBAAkB,CAAC;AAG/F,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAGxF,OAAO,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AACjE,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAGlD,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAGvG,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF,OAAO,EAAE,qBAAqB,EAAE,MAAM,wCAAwC,CAAC;AAG/E,OAAO,EAAE,mBAAmB,EAAE,MAAM,iCAAiC,CAAC;AAGtE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,UAAU,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAC;AACrF,OAAO,EAAE,SAAS,EAAE,iBAAiB,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC"}

package/dist/nestjs/index.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ForbiddenError = exports.UnauthorizedError = exports.AuthError = exports.AuthExceptionFilter = exports.OrgContextInterceptor = exports.GtTrustedHeadersMiddleware = exports.RequireRoles = exports.RequirePermissions = exports.Public = exports.CurrentOrg = exports.CurrentUser = exports.GtAuthGuard = exports.GtPermissionsGuard = exports.InternalOnlyGuard = exports.ROLES_KEY = exports.PERMISSIONS_KEY = exports.IS_PUBLIC_KEY = exports.GT_AUTH_CONFIG = exports.GtAuthModule = void 0;
+// Module
+var gt_auth_module_1 = require("./gt-auth.module");
+Object.defineProperty(exports, "GtAuthModule", { enumerable: true, get: function () { return gt_auth_module_1.GtAuthModule; } });
+// Constants
+var constants_1 = require("./constants");
+Object.defineProperty(exports, "GT_AUTH_CONFIG", { enumerable: true, get: function () { return constants_1.GT_AUTH_CONFIG; } });
+Object.defineProperty(exports, "IS_PUBLIC_KEY", { enumerable: true, get: function () { return constants_1.IS_PUBLIC_KEY; } });
+Object.defineProperty(exports, "PERMISSIONS_KEY", { enumerable: true, get: function () { return constants_1.PERMISSIONS_KEY; } });
+Object.defineProperty(exports, "ROLES_KEY", { enumerable: true, get: function () { return constants_1.ROLES_KEY; } });
+// Guards
+var internal_only_guard_1 = require("./guards/internal-only.guard");
+Object.defineProperty(exports, "InternalOnlyGuard", { enumerable: true, get: function () { return internal_only_guard_1.InternalOnlyGuard; } });
+var permissions_guard_1 = require("./guards/permissions.guard");
+Object.defineProperty(exports, "GtPermissionsGuard", { enumerable: true, get: function () { return permissions_guard_1.GtPermissionsGuard; } });
+var auth_guard_1 = require("./guards/auth.guard");
+Object.defineProperty(exports, "GtAuthGuard", { enumerable: true, get: function () { return auth_guard_1.GtAuthGuard; } });
+// Decorators
+var index_1 = require("./decorators/index");
+Object.defineProperty(exports, "CurrentUser", { enumerable: true, get: function () { return index_1.CurrentUser; } });
+Object.defineProperty(exports, "CurrentOrg", { enumerable: true, get: function () { return index_1.CurrentOrg; } });
+Object.defineProperty(exports, "Public", { enumerable: true, get: function () { return index_1.Public; } });
+Object.defineProperty(exports, "RequirePermissions", { enumerable: true, get: function () { return index_1.RequirePermissions; } });
+Object.defineProperty(exports, "RequireRoles", { enumerable: true, get: function () { return index_1.RequireRoles; } });
+// Middleware
+var trusted_headers_middleware_1 = require("./middleware/trusted-headers.middleware");
+Object.defineProperty(exports, "GtTrustedHeadersMiddleware", { enumerable: true, get: function () { return trusted_headers_middleware_1.GtTrustedHeadersMiddleware; } });
+// Interceptors
+var org_context_interceptor_1 = require("./interceptors/org-context.interceptor");
+Object.defineProperty(exports, "OrgContextInterceptor", { enumerable: true, get: function () { return org_context_interceptor_1.OrgContextInterceptor; } });
+// Filters
+var auth_exception_filter_1 = require("./filters/auth-exception.filter");
+Object.defineProperty(exports, "AuthExceptionFilter", { enumerable: true, get: function () { return auth_exception_filter_1.AuthExceptionFilter; } });
+var errors_1 = require("../errors");
+Object.defineProperty(exports, "AuthError", { enumerable: true, get: function () { return errors_1.AuthError; } });
+Object.defineProperty(exports, "UnauthorizedError", { enumerable: true, get: function () { return errors_1.UnauthorizedError; } });
+Object.defineProperty(exports, "ForbiddenError", { enumerable: true, get: function () { return errors_1.ForbiddenError; } });
+//# sourceMappingURL=index.js.map

package/dist/nestjs/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/nestjs/index.ts"],"names":[],"mappings":";;;AAAA,SAAS;AACT,mDAA+F;AAAtF,8GAAA,YAAY,OAAA;AAErB,YAAY;AACZ,yCAAwF;AAA/E,2GAAA,cAAc,OAAA;AAAE,0GAAA,aAAa,OAAA;AAAE,4GAAA,eAAe,OAAA;AAAE,sGAAA,SAAS,OAAA;AAElE,SAAS;AACT,oEAAiE;AAAxD,wHAAA,iBAAiB,OAAA;AAC1B,gEAAgE;AAAvD,uHAAA,kBAAkB,OAAA;AAC3B,kDAAkD;AAAzC,yGAAA,WAAW,OAAA;AAEpB,aAAa;AACb,4CAAuG;AAA9F,oGAAA,WAAW,OAAA;AAAE,mGAAA,UAAU,OAAA;AAAE,+FAAA,MAAM,OAAA;AAAE,2GAAA,kBAAkB,OAAA;AAAE,qGAAA,YAAY,OAAA;AAE1E,aAAa;AACb,sFAAqF;AAA5E,wIAAA,0BAA0B,OAAA;AAEnC,eAAe;AACf,kFAA+E;AAAtE,gIAAA,qBAAqB,OAAA;AAE9B,UAAU;AACV,yEAAsE;AAA7D,4HAAA,mBAAmB,OAAA;AAI5B,oCAAyE;AAAhE,mGAAA,SAAS,OAAA;AAAE,2GAAA,iBAAiB,OAAA;AAAE,wGAAA,cAAc,OAAA"}

package/dist/nestjs/interceptors/org-context.interceptor.d.ts

@@ -0,0 +1,21 @@
+import { CallHandler, ExecutionContext, NestInterceptor } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { Observable } from 'rxjs';
+import { DataSource } from 'typeorm';
+/**
+ * Interceptor that sets PostgreSQL session variable for Row-Level Security.
+ * Runs `SET LOCAL app.current_org_id = $1` inside a transaction so RLS policies
+ * can filter rows by the current organization.
+ *
+ * Attaches the transaction's EntityManager to `request.entityManager` so
+ * services can use it for all queries within the request scope.
+ *
+ * Skips @Public() routes and requests without a valid orgId.
+ */
+export declare class OrgContextInterceptor implements NestInterceptor {
+    private readonly dataSource;
+    private readonly reflector;
+    constructor(dataSource: DataSource, reflector: Reflector);
+    intercept(context: ExecutionContext, next: CallHandler): Observable<any>;
+}
+//# sourceMappingURL=org-context.interceptor.d.ts.map

package/dist/nestjs/interceptors/org-context.interceptor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"org-context.interceptor.d.ts","sourceRoot":"","sources":["../../../src/nestjs/interceptors/org-context.interceptor.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,WAAW,EACX,gBAAgB,EAEhB,eAAe,EAChB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,UAAU,EAAmB,MAAM,MAAM,CAAC;AACnD,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAMrC;;;;;;;;;GASG;AACH,qBACa,qBAAsB,YAAW,eAAe;IAEzD,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,SAAS;gBADT,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,SAAS;IAGvC,SAAS,CAAC,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,WAAW,GAAG,UAAU,CAAC,GAAG,CAAC;CA6BzE"}

package/dist/nestjs/interceptors/org-context.interceptor.js

@@ -0,0 +1,63 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OrgContextInterceptor = void 0;
+const common_1 = require("@nestjs/common");
+const core_1 = require("@nestjs/core");
+const rxjs_1 = require("rxjs");
+const typeorm_1 = require("typeorm");
+const constants_1 = require("../constants");
+const UUID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+/**
+ * Interceptor that sets PostgreSQL session variable for Row-Level Security.
+ * Runs `SET LOCAL app.current_org_id = $1` inside a transaction so RLS policies
+ * can filter rows by the current organization.
+ *
+ * Attaches the transaction's EntityManager to `request.entityManager` so
+ * services can use it for all queries within the request scope.
+ *
+ * Skips @Public() routes and requests without a valid orgId.
+ */
+let OrgContextInterceptor = class OrgContextInterceptor {
+    constructor(dataSource, reflector) {
+        this.dataSource = dataSource;
+        this.reflector = reflector;
+    }
+    intercept(context, next) {
+        const isPublic = this.reflector.getAllAndOverride(constants_1.IS_PUBLIC_KEY, [
+            context.getHandler(),
+            context.getClass(),
+        ]);
+        if (isPublic) {
+            return next.handle();
+        }
+        const request = context.switchToHttp().getRequest();
+        const user = request.user;
+        if (!user?.orgId) {
+            return next.handle();
+        }
+        // Validate orgId is a valid UUID to prevent SQL injection
+        if (!UUID_REGEX.test(user.orgId)) {
+            return next.handle();
+        }
+        return (0, rxjs_1.from)(this.dataSource.transaction(async (manager) => {
+            await manager.query(`SET LOCAL app.current_org_id = $1`, [user.orgId]);
+            request.entityManager = manager;
+        })).pipe((0, rxjs_1.switchMap)(() => next.handle()));
+    }
+};
+exports.OrgContextInterceptor = OrgContextInterceptor;
+exports.OrgContextInterceptor = OrgContextInterceptor = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [typeorm_1.DataSource,
+        core_1.Reflector])
+], OrgContextInterceptor);
+//# sourceMappingURL=org-context.interceptor.js.map

package/dist/nestjs/interceptors/org-context.interceptor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"org-context.interceptor.js","sourceRoot":"","sources":["../../../src/nestjs/interceptors/org-context.interceptor.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,2CAKwB;AACxB,uCAAyC;AACzC,+BAAmD;AACnD,qCAAqC;AAErC,4CAA6C;AAE7C,MAAM,UAAU,GAAG,iEAAiE,CAAC;AAErF;;;;;;;;;GASG;AAEI,IAAM,qBAAqB,GAA3B,MAAM,qBAAqB;IAChC,YACmB,UAAsB,EACtB,SAAoB;QADpB,eAAU,GAAV,UAAU,CAAY;QACtB,cAAS,GAAT,SAAS,CAAW;IACpC,CAAC;IAEJ,SAAS,CAAC,OAAyB,EAAE,IAAiB;QACpD,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAAU,yBAAa,EAAE;YACxE,OAAO,CAAC,UAAU,EAAE;YACpB,OAAO,CAAC,QAAQ,EAAE;SACnB,CAAC,CAAC;QAEH,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,CAAC;QAED,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAE,CAAC;QACpD,MAAM,IAAI,GAAyB,OAAO,CAAC,IAAI,CAAC;QAEhD,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC;YACjB,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,CAAC;QAED,0DAA0D;QAC1D,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACjC,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,CAAC;QAED,OAAO,IAAA,WAAI,EACT,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;YAC5C,MAAM,OAAO,CAAC,KAAK,CAAC,mCAAmC,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;YACvE,OAAO,CAAC,aAAa,GAAG,OAAO,CAAC;QAClC,CAAC,CAAC,CACH,CAAC,IAAI,CAAC,IAAA,gBAAS,EAAC,GAAG,EAAE,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACzC,CAAC;CACF,CAAA;AAnCY,sDAAqB;gCAArB,qBAAqB;IADjC,IAAA,mBAAU,GAAE;qCAGoB,oBAAU;QACX,gBAAS;GAH5B,qBAAqB,CAmCjC"}

package/dist/nestjs/middleware/trusted-headers.middleware.d.ts

@@ -0,0 +1,15 @@
+import { NestMiddleware } from '@nestjs/common';
+import { Request, Response, NextFunction } from 'express';
+/**
+ * NestJS middleware that wraps the core extractUser() function.
+ * Sets req.user and req.tenantId from the configured strategy chain.
+ *
+ * Register in your module's configure():
+ * ```
+ * consumer.apply(GtTrustedHeadersMiddleware).forRoutes('*');
+ * ```
+ */
+export declare class GtTrustedHeadersMiddleware implements NestMiddleware {
+    use(req: Request, _res: Response, next: NextFunction): void;
+}
+//# sourceMappingURL=trusted-headers.middleware.d.ts.map

package/dist/nestjs/middleware/trusted-headers.middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"trusted-headers.middleware.d.ts","sourceRoot":"","sources":["../../../src/nestjs/middleware/trusted-headers.middleware.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAC5D,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAI1D;;;;;;;;GAQG;AACH,qBACa,0BAA2B,YAAW,cAAc;IAC/D,GAAG,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,IAAI;CAa5D"}