@hazeljs/auth 0.2.0-beta.8 → 0.2.0-beta.81

package/dist/decorators/current-user.decorator.d.ts

@@ -0,0 +1,26 @@
+import 'reflect-metadata';
+/**
+ * Parameter decorator that injects the authenticated user from the request
+ * context into a controller method parameter.
+ *
+ * Requires JwtAuthGuard (or any guard that sets `req.user`) to run before
+ * the route handler. The value injected is the `AuthUser` object attached
+ * by the guard.
+ *
+ * @example
+ * ```ts
+ * @UseGuards(JwtAuthGuard)
+ * @Get('/profile')
+ * getProfile(@CurrentUser() user: AuthUser) {
+ *   return user;
+ * }
+ *
+ * // Access a specific field:
+ * @Get('/me')
+ * whoAmI(@CurrentUser('role') role: string) {
+ *   return { role };
+ * }
+ * ```
+ */
+export declare function CurrentUser(field?: string): ParameterDecorator;
+//# sourceMappingURL=current-user.decorator.d.ts.map

package/dist/decorators/current-user.decorator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"current-user.decorator.d.ts","sourceRoot":"","sources":["../../src/decorators/current-user.decorator.ts"],"names":[],"mappings":"AAAA,OAAO,kBAAkB,CAAC;AAI1B;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,WAAW,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,kBAAkB,CAe9D"}

package/dist/decorators/current-user.decorator.js

@@ -0,0 +1,39 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CurrentUser = CurrentUser;
+require("reflect-metadata");
+const INJECT_METADATA_KEY = 'hazel:inject';
+/**
+ * Parameter decorator that injects the authenticated user from the request
+ * context into a controller method parameter.
+ *
+ * Requires JwtAuthGuard (or any guard that sets `req.user`) to run before
+ * the route handler. The value injected is the `AuthUser` object attached
+ * by the guard.
+ *
+ * @example
+ * ```ts
+ * @UseGuards(JwtAuthGuard)
+ * @Get('/profile')
+ * getProfile(@CurrentUser() user: AuthUser) {
+ *   return user;
+ * }
+ *
+ * // Access a specific field:
+ * @Get('/me')
+ * whoAmI(@CurrentUser('role') role: string) {
+ *   return { role };
+ * }
+ * ```
+ */
+function CurrentUser(field) {
+    return (target, propertyKey, parameterIndex) => {
+        if (!propertyKey) {
+            throw new Error('@CurrentUser() must be used on a method parameter');
+        }
+        const constructor = target.constructor;
+        const injections = Reflect.getMetadata(INJECT_METADATA_KEY, constructor, propertyKey) ?? [];
+        injections[parameterIndex] = { type: 'user', field };
+        Reflect.defineMetadata(INJECT_METADATA_KEY, injections, constructor, propertyKey);
+    };
+}

package/dist/guards/jwt-auth.guard.d.ts

@@ -0,0 +1,24 @@
+import { CanActivate, ExecutionContext } from '@hazeljs/core';
+import { AuthService } from '../auth.service';
+/**
+ * Guard that verifies a Bearer JWT token and attaches the decoded user to
+ * the request object.  Use this with @UseGuards() on controllers or methods.
+ *
+ * @example
+ * ```ts
+ * @UseGuards(JwtAuthGuard)
+ * @Controller('/profile')
+ * export class ProfileController {
+ *   @Get('/')
+ *   getProfile(@CurrentUser() user: AuthUser) {
+ *     return user;
+ *   }
+ * }
+ * ```
+ */
+export declare class JwtAuthGuard implements CanActivate {
+    private readonly authService;
+    constructor(authService: AuthService);
+    canActivate(context: ExecutionContext): Promise<boolean>;
+}
+//# sourceMappingURL=jwt-auth.guard.d.ts.map

package/dist/guards/jwt-auth.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-auth.guard.d.ts","sourceRoot":"","sources":["../../src/guards/jwt-auth.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,WAAW,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAC1E,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAE9C;;;;;;;;;;;;;;;GAeG;AACH,qBACa,YAAa,YAAW,WAAW;IAClC,OAAO,CAAC,QAAQ,CAAC,WAAW;gBAAX,WAAW,EAAE,WAAW;IAE/C,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;CA2B/D"}

package/dist/guards/jwt-auth.guard.js

@@ -0,0 +1,61 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwtAuthGuard = void 0;
+const core_1 = require("@hazeljs/core");
+const auth_service_1 = require("../auth.service");
+/**
+ * Guard that verifies a Bearer JWT token and attaches the decoded user to
+ * the request object.  Use this with @UseGuards() on controllers or methods.
+ *
+ * @example
+ * ```ts
+ * @UseGuards(JwtAuthGuard)
+ * @Controller('/profile')
+ * export class ProfileController {
+ *   @Get('/')
+ *   getProfile(@CurrentUser() user: AuthUser) {
+ *     return user;
+ *   }
+ * }
+ * ```
+ */
+let JwtAuthGuard = class JwtAuthGuard {
+    constructor(authService) {
+        this.authService = authService;
+    }
+    async canActivate(context) {
+        const req = context.switchToHttp().getRequest();
+        const authHeader = req.headers?.['authorization'];
+        if (!authHeader) {
+            const err = Object.assign(new Error('No authorization header'), { status: 400 });
+            throw err;
+        }
+        const [scheme, token] = authHeader.split(' ');
+        if (scheme?.toLowerCase() !== 'bearer' || !token) {
+            const err = Object.assign(new Error('Invalid authorization header format'), { status: 400 });
+            throw err;
+        }
+        const user = await this.authService.verifyToken(token);
+        if (!user) {
+            const err = Object.assign(new Error('Invalid or expired token'), { status: 401 });
+            throw err;
+        }
+        // Attach to req so the router propagates it to context.user and @CurrentUser() can read it.
+        req.user = user;
+        return true;
+    }
+};
+exports.JwtAuthGuard = JwtAuthGuard;
+exports.JwtAuthGuard = JwtAuthGuard = __decorate([
+    (0, core_1.Injectable)(),
+    __metadata("design:paramtypes", [auth_service_1.AuthService])
+], JwtAuthGuard);

package/dist/guards/role.guard.d.ts

@@ -0,0 +1,36 @@
+import { CanActivate, Type } from '@hazeljs/core';
+import { RoleHierarchy, RoleHierarchyMap } from '../utils/role-hierarchy';
+export interface RoleGuardOptions {
+    /**
+     * Custom role hierarchy to use instead of DEFAULT_ROLE_HIERARCHY.
+     * Pass a plain map or a RoleHierarchy instance.
+     */
+    hierarchy?: RoleHierarchyMap | RoleHierarchy;
+}
+/**
+ * Factory that returns a guard allowing only users whose role satisfies at
+ * least one of the provided roles — directly or via the role hierarchy.
+ *
+ * By default uses DEFAULT_ROLE_HIERARCHY so `admin` automatically passes a
+ * `manager` check, `manager` passes a `user` check, etc.
+ *
+ * Must be used after JwtAuthGuard (or any guard that attaches `user` to the
+ * request).
+ *
+ * @example
+ * ```ts
+ * // admin, manager, AND user can access this:
+ * @UseGuards(JwtAuthGuard, RoleGuard('user'))
+ *
+ * // Only admin and above (superadmin) can access this:
+ * @UseGuards(JwtAuthGuard, RoleGuard('admin'))
+ *
+ * // Custom hierarchy (no inheritance):
+ * @UseGuards(JwtAuthGuard, RoleGuard('admin', { hierarchy: {} }))
+ *
+ * // Multiple accepted roles:
+ * @UseGuards(JwtAuthGuard, RoleGuard('admin', 'moderator'))
+ * ```
+ */
+export declare function RoleGuard(...args: Array<string | RoleGuardOptions>): Type<CanActivate>;
+//# sourceMappingURL=role.guard.d.ts.map

package/dist/guards/role.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"role.guard.d.ts","sourceRoot":"","sources":["../../src/guards/role.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,WAAW,EAAoB,IAAI,EAAE,MAAM,eAAe,CAAC;AAEhF,OAAO,EAAE,aAAa,EAA0B,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAElG,MAAM,WAAW,gBAAgB;IAC/B;;;OAGG;IACH,SAAS,CAAC,EAAE,gBAAgB,GAAG,aAAa,CAAC;CAC9C;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,SAAS,CAAC,GAAG,IAAI,EAAE,KAAK,CAAC,MAAM,GAAG,gBAAgB,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,CAwCtF"}

package/dist/guards/role.guard.js

@@ -0,0 +1,66 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RoleGuard = RoleGuard;
+const core_1 = require("@hazeljs/core");
+const role_hierarchy_1 = require("../utils/role-hierarchy");
+/**
+ * Factory that returns a guard allowing only users whose role satisfies at
+ * least one of the provided roles — directly or via the role hierarchy.
+ *
+ * By default uses DEFAULT_ROLE_HIERARCHY so `admin` automatically passes a
+ * `manager` check, `manager` passes a `user` check, etc.
+ *
+ * Must be used after JwtAuthGuard (or any guard that attaches `user` to the
+ * request).
+ *
+ * @example
+ * ```ts
+ * // admin, manager, AND user can access this:
+ * @UseGuards(JwtAuthGuard, RoleGuard('user'))
+ *
+ * // Only admin and above (superadmin) can access this:
+ * @UseGuards(JwtAuthGuard, RoleGuard('admin'))
+ *
+ * // Custom hierarchy (no inheritance):
+ * @UseGuards(JwtAuthGuard, RoleGuard('admin', { hierarchy: {} }))
+ *
+ * // Multiple accepted roles:
+ * @UseGuards(JwtAuthGuard, RoleGuard('admin', 'moderator'))
+ * ```
+ */
+function RoleGuard(...args) {
+    // Separate trailing options object from role strings
+    const lastArg = args[args.length - 1];
+    const hasOptions = typeof lastArg === 'object' && lastArg !== null;
+    const roles = (hasOptions ? args.slice(0, -1) : args);
+    const options = (hasOptions ? lastArg : {});
+    const hierarchyInstance = options.hierarchy instanceof role_hierarchy_1.RoleHierarchy
+        ? options.hierarchy
+        : new role_hierarchy_1.RoleHierarchy(options.hierarchy ?? role_hierarchy_1.DEFAULT_ROLE_HIERARCHY);
+    let RoleGuardMixin = class RoleGuardMixin {
+        canActivate(context) {
+            const req = context.switchToHttp().getRequest();
+            const user = req.user;
+            if (!user) {
+                const err = Object.assign(new Error('Unauthorized'), { status: 401 });
+                throw err;
+            }
+            const permitted = roles.some((required) => hierarchyInstance.satisfies(user.role, required));
+            if (!permitted) {
+                const err = Object.assign(new Error(`Requires one of the following roles: ${roles.join(', ')}`), { status: 403 });
+                throw err;
+            }
+            return true;
+        }
+    };
+    RoleGuardMixin = __decorate([
+        (0, core_1.Injectable)()
+    ], RoleGuardMixin);
+    return RoleGuardMixin;
+}

package/dist/guards/tenant.guard.d.ts

@@ -0,0 +1,54 @@
+import { CanActivate, Type } from '@hazeljs/core';
+export interface TenantGuardOptions {
+    /**
+     * Where to read the expected tenant ID from the incoming request.
+     *
+     * - `'param'`   — URL segment, e.g. `/orgs/:tenantId/products`  (default)
+     * - `'header'`  — HTTP header, e.g. `X-Tenant-ID`
+     * - `'query'`   — Query string, e.g. `?tenantId=acme`
+     *
+     * @default 'param'
+     */
+    source?: 'param' | 'header' | 'query';
+    /**
+     * Name of the param / header / query key that carries the tenant ID.
+     * @default 'tenantId'
+     */
+    key?: string;
+    /**
+     * Field on the authenticated user object that holds the user's tenant ID.
+     * @default 'tenantId'
+     */
+    userField?: string;
+}
+/**
+ * Factory that returns a guard enforcing tenant-level isolation.
+ *
+ * Compares the tenant ID carried by the request (from a URL param, header,
+ * or query param) against the tenant ID stored on the authenticated user
+ * (from the JWT payload).  Returns 403 if they do not match.
+ *
+ * Must be used after JwtAuthGuard so that `req.user` is populated.
+ *
+ * @example
+ * ```ts
+ * // URL param: GET /orgs/:tenantId/invoices
+ * @UseGuards(JwtAuthGuard, TenantGuard())
+ * @Controller('/orgs/:tenantId/invoices')
+ * export class InvoicesController {}
+ *
+ * // Header: X-Org-ID
+ * @UseGuards(JwtAuthGuard, TenantGuard({ source: 'header', key: 'x-org-id' }))
+ * @Controller('/invoices')
+ * export class InvoicesController {}
+ *
+ * // Superadmins bypass tenant check:
+ * @UseGuards(JwtAuthGuard, TenantGuard({ bypassRoles: ['superadmin'] }))
+ * @Controller('/orgs/:tenantId/invoices')
+ * export class InvoicesController {}
+ * ```
+ */
+export declare function TenantGuard(options?: TenantGuardOptions & {
+    bypassRoles?: string[];
+}): Type<CanActivate>;
+//# sourceMappingURL=tenant.guard.d.ts.map

package/dist/guards/tenant.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenant.guard.d.ts","sourceRoot":"","sources":["../../src/guards/tenant.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,WAAW,EAAoB,IAAI,EAAkB,MAAM,eAAe,CAAC;AAIhG,MAAM,WAAW,kBAAkB;IACjC;;;;;;;;OAQG;IACH,MAAM,CAAC,EAAE,OAAO,GAAG,QAAQ,GAAG,OAAO,CAAC;IAEtC;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAgB,WAAW,CACzB,OAAO,GAAE,kBAAkB,GAAG;IAAE,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;CAAO,GAC5D,IAAI,CAAC,WAAW,CAAC,CAsEnB"}

package/dist/guards/tenant.guard.js

@@ -0,0 +1,96 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TenantGuard = TenantGuard;
+const core_1 = require("@hazeljs/core");
+const tenant_context_1 = require("../tenant/tenant-context");
+/**
+ * Factory that returns a guard enforcing tenant-level isolation.
+ *
+ * Compares the tenant ID carried by the request (from a URL param, header,
+ * or query param) against the tenant ID stored on the authenticated user
+ * (from the JWT payload).  Returns 403 if they do not match.
+ *
+ * Must be used after JwtAuthGuard so that `req.user` is populated.
+ *
+ * @example
+ * ```ts
+ * // URL param: GET /orgs/:tenantId/invoices
+ * @UseGuards(JwtAuthGuard, TenantGuard())
+ * @Controller('/orgs/:tenantId/invoices')
+ * export class InvoicesController {}
+ *
+ * // Header: X-Org-ID
+ * @UseGuards(JwtAuthGuard, TenantGuard({ source: 'header', key: 'x-org-id' }))
+ * @Controller('/invoices')
+ * export class InvoicesController {}
+ *
+ * // Superadmins bypass tenant check:
+ * @UseGuards(JwtAuthGuard, TenantGuard({ bypassRoles: ['superadmin'] }))
+ * @Controller('/orgs/:tenantId/invoices')
+ * export class InvoicesController {}
+ * ```
+ */
+function TenantGuard(options = {}) {
+    const { source = 'param', key = 'tenantId', userField = 'tenantId', bypassRoles = [] } = options;
+    let TenantGuardMixin = class TenantGuardMixin {
+        canActivate(context) {
+            const req = context.switchToHttp().getRequest();
+            const ctx = context.switchToHttp().getContext();
+            const user = req.user;
+            if (!user) {
+                const err = Object.assign(new Error('Unauthorized'), { status: 401 });
+                throw err;
+            }
+            // Privileged roles can bypass the tenant check entirely.
+            // Still seed the context so their own queries are naturally scoped.
+            if (bypassRoles.includes(user.role)) {
+                const bypassTenantId = user[userField];
+                if (bypassTenantId)
+                    tenant_context_1.TenantContext.enterWith(bypassTenantId);
+                return true;
+            }
+            const userTenantId = user[userField];
+            if (!userTenantId) {
+                const err = Object.assign(new Error(`User is not associated with any tenant (missing "${userField}")`), { status: 403 });
+                throw err;
+            }
+            // Extract the request-level tenant ID from the configured source.
+            let requestTenantId;
+            switch (source) {
+                case 'param':
+                    requestTenantId = ctx.params?.[key];
+                    break;
+                case 'header':
+                    requestTenantId = ctx.headers?.[key.toLowerCase()];
+                    break;
+                case 'query':
+                    requestTenantId = ctx.query?.[key];
+                    break;
+            }
+            if (!requestTenantId) {
+                const err = Object.assign(new Error(`Tenant ID not found in request ${source} "${key}"`), {
+                    status: 400,
+                });
+                throw err;
+            }
+            if (userTenantId !== requestTenantId) {
+                const err = Object.assign(new Error('Access denied: resource belongs to a different tenant'), { status: 403 });
+                throw err;
+            }
+            // Seed AsyncLocalStorage so repositories can call tenantCtx.requireId()
+            // without needing tenantId passed through every function parameter.
+            tenant_context_1.TenantContext.enterWith(userTenantId);
+            return true;
+        }
+    };
+    TenantGuardMixin = __decorate([
+        (0, core_1.Injectable)()
+    ], TenantGuardMixin);
+    return TenantGuardMixin;
+}

package/dist/index.d.ts

@@ -1,8 +1,18 @@
 /**
  * @hazeljs/auth - Authentication module for HazelJS
  */
-export { AuthGuard } from './auth.guard';
+export { AuthGuard, Auth } from './auth.guard';
 export { AuthService } from './auth.service';
+export type { AuthUser } from './auth.service';
 export { JwtModule } from './jwt/jwt.module';
 export { JwtService } from './jwt/jwt.service';
+export { JwtAuthGuard } from './guards/jwt-auth.guard';
+export { RoleGuard } from './guards/role.guard';
+export type { RoleGuardOptions } from './guards/role.guard';
+export { TenantGuard } from './guards/tenant.guard';
+export type { TenantGuardOptions } from './guards/tenant.guard';
+export { TenantContext } from './tenant/tenant-context';
+export { RoleHierarchy, DEFAULT_ROLE_HIERARCHY } from './utils/role-hierarchy';
+export type { RoleHierarchyMap } from './utils/role-hierarchy';
+export { CurrentUser } from './decorators/current-user.decorator';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,cAAc,CAAC;AAC/C,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,YAAY,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC/C,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAChD,YAAY,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAC5D,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACpD,YAAY,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAChE,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AACxD,OAAO,EAAE,aAAa,EAAE,sBAAsB,EAAE,MAAM,wBAAwB,CAAC;AAC/E,YAAY,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,OAAO,EAAE,WAAW,EAAE,MAAM,qCAAqC,CAAC"}

package/dist/index.js

@@ -3,12 +3,26 @@
  * @hazeljs/auth - Authentication module for HazelJS
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.JwtService = exports.JwtModule = exports.AuthService = exports.AuthGuard = void 0;
+exports.CurrentUser = exports.DEFAULT_ROLE_HIERARCHY = exports.RoleHierarchy = exports.TenantContext = exports.TenantGuard = exports.RoleGuard = exports.JwtAuthGuard = exports.JwtService = exports.JwtModule = exports.AuthService = exports.Auth = exports.AuthGuard = void 0;
 var auth_guard_1 = require("./auth.guard");
 Object.defineProperty(exports, "AuthGuard", { enumerable: true, get: function () { return auth_guard_1.AuthGuard; } });
+Object.defineProperty(exports, "Auth", { enumerable: true, get: function () { return auth_guard_1.Auth; } });
 var auth_service_1 = require("./auth.service");
 Object.defineProperty(exports, "AuthService", { enumerable: true, get: function () { return auth_service_1.AuthService; } });
 var jwt_module_1 = require("./jwt/jwt.module");
 Object.defineProperty(exports, "JwtModule", { enumerable: true, get: function () { return jwt_module_1.JwtModule; } });
 var jwt_service_1 = require("./jwt/jwt.service");
 Object.defineProperty(exports, "JwtService", { enumerable: true, get: function () { return jwt_service_1.JwtService; } });
+var jwt_auth_guard_1 = require("./guards/jwt-auth.guard");
+Object.defineProperty(exports, "JwtAuthGuard", { enumerable: true, get: function () { return jwt_auth_guard_1.JwtAuthGuard; } });
+var role_guard_1 = require("./guards/role.guard");
+Object.defineProperty(exports, "RoleGuard", { enumerable: true, get: function () { return role_guard_1.RoleGuard; } });
+var tenant_guard_1 = require("./guards/tenant.guard");
+Object.defineProperty(exports, "TenantGuard", { enumerable: true, get: function () { return tenant_guard_1.TenantGuard; } });
+var tenant_context_1 = require("./tenant/tenant-context");
+Object.defineProperty(exports, "TenantContext", { enumerable: true, get: function () { return tenant_context_1.TenantContext; } });
+var role_hierarchy_1 = require("./utils/role-hierarchy");
+Object.defineProperty(exports, "RoleHierarchy", { enumerable: true, get: function () { return role_hierarchy_1.RoleHierarchy; } });
+Object.defineProperty(exports, "DEFAULT_ROLE_HIERARCHY", { enumerable: true, get: function () { return role_hierarchy_1.DEFAULT_ROLE_HIERARCHY; } });
+var current_user_decorator_1 = require("./decorators/current-user.decorator");
+Object.defineProperty(exports, "CurrentUser", { enumerable: true, get: function () { return current_user_decorator_1.CurrentUser; } });

package/dist/jwt/jwt.service.js

@@ -56,6 +56,6 @@ let JwtService = JwtService_1 = class JwtService {
 exports.JwtService = JwtService;
 JwtService.moduleOptions = {};
 exports.JwtService = JwtService = JwtService_1 = __decorate([
-    (0, core_1.Injectable)(),
+    (0, core_1.Service)(),
     __metadata("design:paramtypes", [])
 ], JwtService);

package/dist/tenant/tenant-context.d.ts

@@ -0,0 +1,81 @@
+/**
+ * Provides request-scoped tenant context via AsyncLocalStorage.
+ *
+ * ─── Why two layers? ──────────────────────────────────────────────────────────
+ * TenantGuard enforces isolation at the HTTP layer — it rejects requests where
+ * the JWT tenant doesn't match the route tenant.  That's necessary but not
+ * sufficient: a bug in service code could still query another tenant's rows if
+ * the guard is misconfigured or skipped.
+ *
+ * TenantContext closes that gap at the DATA layer.  After the guard validates
+ * the request, it calls TenantContext.enterWith(tenantId) which seeds an
+ * AsyncLocalStorage store for the remainder of the request's async call chain.
+ * Every repository/service that injects TenantContext can then call
+ * requireId() without receiving tenantId as a function parameter.
+ *
+ * ─── Usage in a repository ───────────────────────────────────────────────────
+ * ```ts
+ * @Service()
+ * export class OrdersRepository {
+ *   constructor(private readonly tenantCtx: TenantContext) {}
+ *
+ *   findAll() {
+ *     const tenantId = this.tenantCtx.requireId();
+ *     return db.query('SELECT * FROM orders WHERE tenant_id = $1', [tenantId]);
+ *   }
+ *
+ *   findById(id: string) {
+ *     const tenantId = this.tenantCtx.requireId();
+ *     // Even a direct ID lookup is scoped — prevents horizontal privilege escalation
+ *     return db.query(
+ *       'SELECT * FROM orders WHERE id = $1 AND tenant_id = $2',
+ *       [id, tenantId]
+ *     );
+ *   }
+ * }
+ * ```
+ *
+ * ─── How it propagates ────────────────────────────────────────────────────────
+ * Node.js AsyncLocalStorage propagates through the async call graph.
+ * TenantGuard calls enterWith() during guard execution; because the route
+ * handler is called afterwards in the same async chain, it (and everything
+ * it awaits) automatically has access to the stored tenant ID.
+ */
+export declare class TenantContext {
+    /**
+     * Returns the current tenant ID, or `undefined` if called outside a
+     * request context (e.g. during startup or in a background job).
+     */
+    getId(): string | undefined;
+    /**
+     * Returns the current tenant ID and throws if it is not set.
+     *
+     * Use this in any repository or service method that must never run without
+     * a tenant — it acts as a last-resort safety net even if the guard was
+     * accidentally omitted on a route.
+     */
+    requireId(): string;
+    /**
+     * Seeds the current async context with the given tenant ID.
+     *
+     * Called internally by TenantGuard after it validates the request.
+     * Unlike `run()`, `enterWith` propagates through the rest of the current
+     * async execution chain without requiring a wrapping callback — which
+     * makes it the right tool for seeding from within a guard.
+     */
+    static enterWith(tenantId: string): void;
+    /**
+     * Wraps a callback so that everything inside it (and all async operations
+     * it spawns) runs with the given tenant ID in context.
+     *
+     * Use this when you need explicit scoping, e.g. in background jobs or tests:
+     *
+     * ```ts
+     * await TenantContext.run('acme', async () => {
+     *   await ordersService.processPendingOrders();
+     * });
+     * ```
+     */
+    static run<T>(tenantId: string, fn: () => T): T;
+}
+//# sourceMappingURL=tenant-context.d.ts.map

package/dist/tenant/tenant-context.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenant-context.d.ts","sourceRoot":"","sources":["../../src/tenant/tenant-context.ts"],"names":[],"mappings":"AASA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0CG;AACH,qBACa,aAAa;IACxB;;;OAGG;IACH,KAAK,IAAI,MAAM,GAAG,SAAS;IAI3B;;;;;;OAMG;IACH,SAAS,IAAI,MAAM;IAanB;;;;;;;OAOG;IACH,MAAM,CAAC,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;IAIxC;;;;;;;;;;;OAWG;IACH,MAAM,CAAC,GAAG,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC;CAGhD"}