@hazeljs/casl 0.7.8 → 0.8.0

package/README.md

@@ -3,6 +3,7 @@
 **Attribute-level (record-level) authorization for HazelJS, powered by [CASL](https://casl.js.org).**
 
 Where `RoleGuard` asks "is your role high enough?", `@hazeljs/casl` asks:
+
 > **Can _this_ user perform _this action_ on _this specific record_?**
 
 [![npm version](https://img.shields.io/npm/v/@hazeljs/casl.svg)](https://www.npmjs.com/package/@hazeljs/casl)
@@ -43,7 +44,7 @@ import { Injectable } from '@hazeljs/core';
 // All @casl/ability symbols are re-exported — no separate @casl/ability dep needed.
 import { AbilityFactory, MongoAbility, AbilityBuilder, createMongoAbility } from '@hazeljs/casl';
 
-type Action  = 'create' | 'read' | 'update' | 'delete' | 'manage';
+type Action = 'create' | 'read' | 'update' | 'delete' | 'manage';
 type Subject = Post | 'Post' | 'all';
 export type AppAbility = MongoAbility<[Action, Subject]>;
 
@@ -53,10 +54,10 @@ export class AppAbilityFactory extends AbilityFactory<AppAbility> {
     const { can, cannot, build } = new AbilityBuilder<AppAbility>(createMongoAbility);
 
     if (user.role === 'admin') {
-      can('manage', 'all');                              // admin: everything
+      can('manage', 'all'); // admin: everything
     } else {
-      can('read',   'Post');
-      can('update', 'Post', { authorId: user.id });     // own posts only
+      can('read', 'Post');
+      can('update', 'Post', { authorId: user.id }); // own posts only
       cannot('delete', 'Post');
     }
 
@@ -75,9 +76,7 @@ import { CaslModule } from '@hazeljs/casl';
 import { AppAbilityFactory } from './casl/app-ability.factory';
 
 @HazelModule({
-  imports: [
-    CaslModule.forRoot({ abilityFactory: AppAbilityFactory }),
-  ],
+  imports: [CaslModule.forRoot({ abilityFactory: AppAbilityFactory })],
 })
 export class AppModule {}
 ```
@@ -114,10 +113,10 @@ export class PostsController {
 
 Errors thrown:
 
-| Condition | Status |
-|---|---|
-| No `req.user` (guard order wrong) | 401 |
-| Any handler returns `false` | 403 |
+| Condition                         | Status |
+| --------------------------------- | ------ |
+| No `req.user` (guard order wrong) | 401    |
+| Any handler returns `false`       | 403    |
 
 ---
 
@@ -216,7 +215,7 @@ Request
 
 ## `@Ability()` — inject the ability directly
 
-`@Ability()` is a **parameter decorator** that resolves `CaslService.createForUser(req.user)` once per request and injects the result straight into your controller method.  Services receive the pre-built ability instead of the raw user, keeping business logic clean.
+`@Ability()` is a **parameter decorator** that resolves `CaslService.createForUser(req.user)` once per request and injects the result straight into your controller method. Services receive the pre-built ability instead of the raw user, keeping business logic clean.
 
 ```typescript
 // posts.controller.ts
@@ -232,18 +231,15 @@ export class PostsController {
 
   @Patch('/:id')
   update(
-    @Ability() ability: AppAbility,   // ← resolved from req.user automatically
+    @Ability() ability: AppAbility, // ← resolved from req.user automatically
     @Param('id') id: string,
-    @Body() dto: UpdatePostDto,
+    @Body() dto: UpdatePostDto
   ) {
     return this.postsService.update(ability, id, dto);
   }
 
   @Delete('/:id')
-  remove(
-    @Ability() ability: AppAbility,
-    @Param('id') id: string,
-  ) {
+  remove(@Ability() ability: AppAbility, @Param('id') id: string) {
     return this.postsService.remove(ability, id);
   }
 }
@@ -254,7 +250,7 @@ The service just receives an `AppAbility` — no `CaslService` injection needed:
 ```typescript
 // posts.service.ts
 import { Injectable } from '@hazeljs/core';
-import { subject } from '@hazeljs/casl';   // re-exported — no @casl/ability dep needed
+import { subject } from '@hazeljs/casl'; // re-exported — no @casl/ability dep needed
 import type { AppAbility } from './casl/app-ability.factory';
 
 @Injectable()
@@ -283,7 +279,7 @@ export class PostsService {
 ```
 
 > **When to use `@Ability()` vs `CaslService`**  
-> Use `@Ability()` when the controller passes the ability to a single service.  Use `CaslService` directly when a service is called from multiple places (background jobs, other services) and the caller may not hold an ability object.
+> Use `@Ability()` when the controller passes the ability to a single service. Use `CaslService` directly when a service is called from multiple places (background jobs, other services) and the caller may not hold an ability object.
 
 ---
 
@@ -300,11 +296,11 @@ import type { AppAbility } from './casl/app-ability.factory';
 export class PostsService {
   constructor(
     private readonly postsRepo: PostsRepository,
-    private readonly casl: CaslService<AppAbility>,
+    private readonly casl: CaslService<AppAbility>
   ) {}
 
   async update(user: Record<string, unknown>, postId: string, dto: UpdatePostDto) {
-    const post    = await this.postsRepo.findById(postId);
+    const post = await this.postsRepo.findById(postId);
     const ability = this.casl.createForUser(user);
 
     if (!ability.can('update', subject('Post', post))) {
@@ -327,9 +323,9 @@ import { CaslService } from '@hazeljs/casl';
 // Inject and call createForUser to get an ability for the current user
 const ability = this.casl.createForUser(user);
 
-ability.can('read',   'Post')                          // true / false
-ability.can('update', subject('Post', post))           // checks conditions
-ability.cannot('delete', 'Post')                       // negation check
+ability.can('read', 'Post'); // true / false
+ability.can('update', subject('Post', post)); // checks conditions
+ability.cannot('delete', 'Post'); // negation check
 ```
 
 ---
@@ -349,9 +345,9 @@ abstract class AbilityFactory<A extends AnyAbility> {
 
 ## `CaslModule.forRoot()` options
 
-| Option | Type | Required | Description |
-|---|---|---|---|
-| `abilityFactory` | `new (...args: any[]) => AbilityFactory<A>` | ✓ | Your factory class (must be `@Injectable()`) |
+| Option           | Type                                        | Required | Description                                  |
+| ---------------- | ------------------------------------------- | -------- | -------------------------------------------- |
+| `abilityFactory` | `new (...args: any[]) => AbilityFactory<A>` | ✓        | Your factory class (must be `@Injectable()`) |
 
 ---
 
@@ -360,4 +356,4 @@ abstract class AbilityFactory<A extends AnyAbility> {
 - [Documentation](https://hazeljs.ai/docs/packages/casl)
 - [GitHub](https://github.com/hazel-js/hazeljs)
 - [Issues](https://github.com/hazel-js/hazeljs/issues)
-- [Discord](https://discord.com/channels/1448263814238965833/1448263814859456575)
+- [Discord](https://discord.gg/PxNBPzvQk7)

package/dist/ability.factory.d.ts

@@ -0,0 +1,37 @@
+import type { AnyAbility } from '@casl/ability';
+/**
+ * Abstract base class for user-defined ability factories.
+ *
+ * Extend this class and implement `createForUser` to define what actions a
+ * given user can perform.  Register your factory with `CaslModule.forRoot()`.
+ *
+ * @example
+ * ```ts
+ * import { MongoAbility, createMongoAbility, AbilityBuilder } from '@casl/ability';
+ * import { Injectable } from '@hazeljs/core';
+ * import { AbilityFactory } from '@hazeljs/casl';
+ *
+ * type Action  = 'create' | 'read' | 'update' | 'delete' | 'manage';
+ * type Subject = Post | 'Post' | 'all';
+ * export type AppAbility = MongoAbility<[Action, Subject]>;
+ *
+ * @Injectable()
+ * export class AppAbilityFactory extends AbilityFactory<AppAbility> {
+ *   createForUser(user: AuthUser): AppAbility {
+ *     const { can, cannot, build } = new AbilityBuilder<AppAbility>(createMongoAbility);
+ *     if (user.role === 'admin') {
+ *       can('manage', 'all');
+ *     } else {
+ *       can('read', 'Post');
+ *       can('update', 'Post', { authorId: user.id }); // own posts only
+ *       cannot('delete', 'Post');
+ *     }
+ *     return build();
+ *   }
+ * }
+ * ```
+ */
+export declare abstract class AbilityFactory<A extends AnyAbility> {
+    abstract createForUser(user: Record<string, unknown>): A;
+}
+//# sourceMappingURL=ability.factory.d.ts.map

package/dist/ability.factory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ability.factory.d.ts","sourceRoot":"","sources":["../src/ability.factory.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAEhD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,8BAAsB,cAAc,CAAC,CAAC,SAAS,UAAU;IACvD,QAAQ,CAAC,aAAa,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC;CACzD"}

package/dist/ability.factory.js

@@ -0,0 +1,38 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AbilityFactory = void 0;
+/**
+ * Abstract base class for user-defined ability factories.
+ *
+ * Extend this class and implement `createForUser` to define what actions a
+ * given user can perform.  Register your factory with `CaslModule.forRoot()`.
+ *
+ * @example
+ * ```ts
+ * import { MongoAbility, createMongoAbility, AbilityBuilder } from '@casl/ability';
+ * import { Injectable } from '@hazeljs/core';
+ * import { AbilityFactory } from '@hazeljs/casl';
+ *
+ * type Action  = 'create' | 'read' | 'update' | 'delete' | 'manage';
+ * type Subject = Post | 'Post' | 'all';
+ * export type AppAbility = MongoAbility<[Action, Subject]>;
+ *
+ * @Injectable()
+ * export class AppAbilityFactory extends AbilityFactory<AppAbility> {
+ *   createForUser(user: AuthUser): AppAbility {
+ *     const { can, cannot, build } = new AbilityBuilder<AppAbility>(createMongoAbility);
+ *     if (user.role === 'admin') {
+ *       can('manage', 'all');
+ *     } else {
+ *       can('read', 'Post');
+ *       can('update', 'Post', { authorId: user.id }); // own posts only
+ *       cannot('delete', 'Post');
+ *     }
+ *     return build();
+ *   }
+ * }
+ * ```
+ */
+class AbilityFactory {
+}
+exports.AbilityFactory = AbilityFactory;

package/dist/casl.module.d.ts

@@ -0,0 +1,35 @@
+import type { AnyAbility } from '@casl/ability';
+import { AbilityFactory } from './ability.factory';
+export interface CaslModuleOptions<A extends AnyAbility = AnyAbility> {
+    /**
+     * Your application's ability factory class.  It must extend `AbilityFactory`
+     * and be decorated with `@Injectable()` so the DI container can resolve it.
+     *
+     * @example
+     * ```ts
+     * CaslModule.forRoot({ abilityFactory: AppAbilityFactory })
+     * ```
+     */
+    abilityFactory: new (...args: any[]) => AbilityFactory<A>;
+}
+/**
+ * HazelJS module that wires attribute-level authorization into your app.
+ *
+ * Register once in your root module:
+ *
+ * ```ts
+ * @HazelModule({
+ *   imports: [
+ *     CaslModule.forRoot({ abilityFactory: AppAbilityFactory }),
+ *   ],
+ * })
+ * export class AppModule {}
+ * ```
+ *
+ * Then use `PoliciesGuard` / `@CheckPolicies` on your routes and inject
+ * `CaslService` in your services for record-level checks.
+ */
+export declare class CaslModule {
+    static forRoot<A extends AnyAbility>(options: CaslModuleOptions<A>): typeof CaslModule;
+}
+//# sourceMappingURL=casl.module.d.ts.map

package/dist/casl.module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"casl.module.d.ts","sourceRoot":"","sources":["../src/casl.module.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAGnD,MAAM,WAAW,iBAAiB,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU;IAClE;;;;;;;;OAQG;IAEH,cAAc,EAAE,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,cAAc,CAAC,CAAC,CAAC,CAAC;CAC3D;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,qBAIa,UAAU;IACrB,MAAM,CAAC,OAAO,CAAC,CAAC,SAAS,UAAU,EAAE,OAAO,EAAE,iBAAiB,CAAC,CAAC,CAAC,GAAG,OAAO,UAAU;CAIvF"}

package/dist/casl.module.js

@@ -0,0 +1,42 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var CaslModule_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CaslModule = void 0;
+const core_1 = require("@hazeljs/core");
+const casl_service_1 = require("./casl.service");
+/**
+ * HazelJS module that wires attribute-level authorization into your app.
+ *
+ * Register once in your root module:
+ *
+ * ```ts
+ * @HazelModule({
+ *   imports: [
+ *     CaslModule.forRoot({ abilityFactory: AppAbilityFactory }),
+ *   ],
+ * })
+ * export class AppModule {}
+ * ```
+ *
+ * Then use `PoliciesGuard` / `@CheckPolicies` on your routes and inject
+ * `CaslService` in your services for record-level checks.
+ */
+let CaslModule = CaslModule_1 = class CaslModule {
+    static forRoot(options) {
+        casl_service_1.CaslService.configure(options.abilityFactory);
+        return CaslModule_1;
+    }
+};
+exports.CaslModule = CaslModule;
+exports.CaslModule = CaslModule = CaslModule_1 = __decorate([
+    (0, core_1.HazelModule)({
+        providers: [casl_service_1.CaslService],
+        exports: [casl_service_1.CaslService],
+    })
+], CaslModule);

package/dist/casl.service.d.ts

@@ -0,0 +1,35 @@
+import type { AnyAbility } from '@casl/ability';
+import { AbilityFactory } from './ability.factory';
+/**
+ * Core service that builds a CASL ability for a given user.
+ *
+ * Inject this service anywhere you need record-level authorization:
+ *
+ * @example
+ * ```ts
+ * @Injectable()
+ * export class PostsService {
+ *   constructor(private readonly casl: CaslService<AppAbility>) {}
+ *
+ *   async update(user: AuthUser, postId: string, dto: UpdatePostDto) {
+ *     const post  = await this.postsRepo.findById(postId);
+ *     const ability = this.casl.createForUser(user);
+ *     if (!ability.can('update', post)) {
+ *       throw Object.assign(new Error('Forbidden'), { status: 403 });
+ *     }
+ *     return this.postsRepo.update(postId, dto);
+ *   }
+ * }
+ * ```
+ */
+export declare class CaslService<A extends AnyAbility = AnyAbility> {
+    private get factory();
+    /**
+     * Build an ability instance for the given user object.
+     * The user value comes from `req.user` (set by JwtAuthGuard or your own guard).
+     */
+    createForUser(user: Record<string, unknown>): A;
+    static factoryClass: (new (...args: any[]) => AbilityFactory<AnyAbility>) | undefined;
+    static configure(factoryClass: new (...args: any[]) => AbilityFactory<AnyAbility>): void;
+}
+//# sourceMappingURL=casl.service.d.ts.map

package/dist/casl.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"casl.service.d.ts","sourceRoot":"","sources":["../src/casl.service.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAEnD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,qBACa,WAAW,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU;IAExD,OAAO,KAAK,OAAO,GASlB;IAED;;;OAGG;IACH,aAAa,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC;IAS/C,MAAM,CAAC,YAAY,EAAE,CAAC,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,cAAc,CAAC,UAAU,CAAC,CAAC,GAAG,SAAS,CAAC;IAGtF,MAAM,CAAC,SAAS,CAAC,YAAY,EAAE,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,cAAc,CAAC,UAAU,CAAC,GAAG,IAAI;CAGzF"}

package/dist/casl.service.js

@@ -0,0 +1,59 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var CaslService_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CaslService = void 0;
+const core_1 = require("@hazeljs/core");
+/**
+ * Core service that builds a CASL ability for a given user.
+ *
+ * Inject this service anywhere you need record-level authorization:
+ *
+ * @example
+ * ```ts
+ * @Injectable()
+ * export class PostsService {
+ *   constructor(private readonly casl: CaslService<AppAbility>) {}
+ *
+ *   async update(user: AuthUser, postId: string, dto: UpdatePostDto) {
+ *     const post  = await this.postsRepo.findById(postId);
+ *     const ability = this.casl.createForUser(user);
+ *     if (!ability.can('update', post)) {
+ *       throw Object.assign(new Error('Forbidden'), { status: 403 });
+ *     }
+ *     return this.postsRepo.update(postId, dto);
+ *   }
+ * }
+ * ```
+ */
+let CaslService = CaslService_1 = class CaslService {
+    // Resolved lazily so the factory class is available after DI wires everything up.
+    get factory() {
+        const factoryClass = CaslService_1.factoryClass;
+        if (!factoryClass) {
+            throw new Error('CaslService: no AbilityFactory registered. ' +
+                'Call CaslModule.forRoot({ abilityFactory: YourFactory }) in your app module.');
+        }
+        return core_1.Container.getInstance().resolve(factoryClass);
+    }
+    /**
+     * Build an ability instance for the given user object.
+     * The user value comes from `req.user` (set by JwtAuthGuard or your own guard).
+     */
+    createForUser(user) {
+        return this.factory.createForUser(user);
+    }
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    static configure(factoryClass) {
+        CaslService_1.factoryClass = factoryClass;
+    }
+};
+exports.CaslService = CaslService;
+exports.CaslService = CaslService = CaslService_1 = __decorate([
+    (0, core_1.Injectable)()
+], CaslService);

package/dist/casl.test.d.ts

@@ -0,0 +1,2 @@
+import 'reflect-metadata';
+//# sourceMappingURL=casl.test.d.ts.map

package/dist/casl.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"casl.test.d.ts","sourceRoot":"","sources":["../src/casl.test.ts"],"names":[],"mappings":"AAEA,OAAO,kBAAkB,CAAC"}

package/dist/casl.test.js

@@ -0,0 +1,320 @@
+"use strict";
+/// <reference types="jest" />
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+require("reflect-metadata");
+jest.mock('@hazeljs/core', () => ({
+    __esModule: true,
+    Service: () => () => undefined,
+    Injectable: () => () => undefined,
+    HazelModule: () => () => undefined,
+    Container: {
+        getInstance: jest.fn(),
+    },
+    logger: { info: jest.fn(), debug: jest.fn(), warn: jest.fn(), error: jest.fn() },
+    default: { info: jest.fn(), debug: jest.fn(), warn: jest.fn(), error: jest.fn() },
+}));
+const core_1 = require("@hazeljs/core");
+const ability_1 = require("@casl/ability");
+const ability_factory_1 = require("./ability.factory");
+const casl_service_1 = require("./casl.service");
+const casl_module_1 = require("./casl.module");
+const policy_guard_1 = require("./policy.guard");
+const check_policies_decorator_1 = require("./decorators/check-policies.decorator");
+const ability_decorator_1 = require("./decorators/ability.decorator");
+function buildAbility(role, userId) {
+    const { can, cannot, build } = new ability_1.AbilityBuilder(ability_1.createMongoAbility);
+    if (role === 'admin') {
+        can('manage', 'all');
+    }
+    else {
+        can('read', 'Post');
+        can('update', 'Post', { authorId: userId });
+        cannot('delete', 'Post');
+    }
+    return build();
+}
+class TestAbilityFactory extends ability_factory_1.AbilityFactory {
+    createForUser(user) {
+        return buildAbility(user['role'], user['id']);
+    }
+}
+// ---------------------------------------------------------------------------
+// Helper: build a mock ExecutionContext
+// ---------------------------------------------------------------------------
+function makeCtx(user) {
+    return {
+        switchToHttp: () => ({
+            getRequest: () => ({ user }),
+            getResponse: () => ({}),
+            getContext: () => ({}),
+        }),
+    };
+}
+// ---------------------------------------------------------------------------
+// CaslService
+// ---------------------------------------------------------------------------
+describe('CaslService', () => {
+    const mockContainer = core_1.Container;
+    beforeEach(() => {
+        casl_service_1.CaslService.factoryClass = undefined;
+        jest.clearAllMocks();
+    });
+    it('throws when no factory is configured', () => {
+        const svc = new casl_service_1.CaslService();
+        expect(() => svc.createForUser({ id: '1', role: 'user' })).toThrow('CaslService: no AbilityFactory registered');
+    });
+    it('resolves the factory from the DI container and calls createForUser', () => {
+        const factory = new TestAbilityFactory();
+        mockContainer.getInstance.mockReturnValue({
+            resolve: jest.fn().mockReturnValue(factory),
+        });
+        casl_service_1.CaslService.configure(TestAbilityFactory);
+        const svc = new casl_service_1.CaslService();
+        const user = { id: 'user-1', role: 'admin' };
+        const ability = svc.createForUser(user);
+        expect(ability.can('manage', 'all')).toBe(true);
+    });
+    it('returns an ability respecting conditions for regular users', () => {
+        const factory = new TestAbilityFactory();
+        mockContainer.getInstance.mockReturnValue({
+            resolve: jest.fn().mockReturnValue(factory),
+        });
+        casl_service_1.CaslService.configure(TestAbilityFactory);
+        const svc = new casl_service_1.CaslService();
+        const user = { id: 'user-1', role: 'user' };
+        const ability = svc.createForUser(user);
+        expect(ability.can('read', 'Post')).toBe(true);
+        expect(ability.can('delete', 'Post')).toBe(false);
+        // own post — use subject() helper so CASL knows the subject type
+        expect(ability.can('update', (0, ability_1.subject)('Post', { authorId: 'user-1' }))).toBe(true);
+        // someone else's post
+        expect(ability.can('update', (0, ability_1.subject)('Post', { authorId: 'other-user' }))).toBe(false);
+    });
+});
+// ---------------------------------------------------------------------------
+// CaslModule.forRoot
+// ---------------------------------------------------------------------------
+describe('CaslModule.forRoot', () => {
+    afterEach(() => {
+        casl_service_1.CaslService.factoryClass = undefined;
+    });
+    it('configures the factory class on CaslService', () => {
+        casl_module_1.CaslModule.forRoot({ abilityFactory: TestAbilityFactory });
+        expect(casl_service_1.CaslService.factoryClass).toBe(TestAbilityFactory);
+    });
+    it('returns the CaslModule class (for HazelModule imports)', () => {
+        const result = casl_module_1.CaslModule.forRoot({ abilityFactory: TestAbilityFactory });
+        expect(result).toBe(casl_module_1.CaslModule);
+    });
+});
+// ---------------------------------------------------------------------------
+// PoliciesGuard
+// ---------------------------------------------------------------------------
+describe('PoliciesGuard', () => {
+    const mockContainer = core_1.Container;
+    beforeEach(() => {
+        casl_service_1.CaslService.factoryClass = undefined;
+        jest.clearAllMocks();
+    });
+    function setupFactory() {
+        const factory = new TestAbilityFactory();
+        mockContainer.getInstance.mockReturnValue({
+            resolve: jest.fn().mockReturnValue(factory),
+        });
+        casl_service_1.CaslService.configure(TestAbilityFactory);
+        return new casl_service_1.CaslService();
+    }
+    it('returns true when no handlers are provided', async () => {
+        const casl = setupFactory();
+        const Guard = (0, policy_guard_1.PoliciesGuard)();
+        const guard = new Guard(casl);
+        const ctx = makeCtx({ id: '1', role: 'user' });
+        await expect(guard.canActivate(ctx)).resolves.toBe(true);
+    });
+    it('returns true when all function handlers pass', async () => {
+        const casl = setupFactory();
+        const Guard = (0, policy_guard_1.PoliciesGuard)((ability) => ability.can('read', 'Post'));
+        const guard = new Guard(casl);
+        const ctx = makeCtx({ id: '1', role: 'user' });
+        await expect(guard.canActivate(ctx)).resolves.toBe(true);
+    });
+    it('throws 403 when a handler returns false', async () => {
+        const casl = setupFactory();
+        const Guard = (0, policy_guard_1.PoliciesGuard)((ability) => ability.can('delete', 'Post'));
+        const guard = new Guard(casl);
+        const ctx = makeCtx({ id: '1', role: 'user' });
+        await expect(guard.canActivate(ctx)).rejects.toMatchObject({ status: 403 });
+    });
+    it('throws 401 when req.user is missing', async () => {
+        const casl = setupFactory();
+        const Guard = (0, policy_guard_1.PoliciesGuard)((ability) => ability.can('read', 'Post'));
+        const guard = new Guard(casl);
+        const ctx = makeCtx(undefined);
+        await expect(guard.canActivate(ctx)).rejects.toMatchObject({ status: 401 });
+    });
+    it('works with a class-instance (IPolicyHandler) handler', async () => {
+        const casl = setupFactory();
+        const classHandler = {
+            handle: jest.fn().mockResolvedValue(true),
+        };
+        const Guard = (0, policy_guard_1.PoliciesGuard)(classHandler);
+        const guard = new Guard(casl);
+        const ctx = makeCtx({ id: '1', role: 'user' });
+        await expect(guard.canActivate(ctx)).resolves.toBe(true);
+        expect(classHandler.handle).toHaveBeenCalledTimes(1);
+    });
+    it('admin passes all checks', async () => {
+        const casl = setupFactory();
+        const Guard = (0, policy_guard_1.PoliciesGuard)((ability) => ability.can('read', 'Post'), (ability) => ability.can('delete', 'Post'), (ability) => ability.can('create', 'Post'));
+        const guard = new Guard(casl);
+        const ctx = makeCtx({ id: 'admin-1', role: 'admin' });
+        await expect(guard.canActivate(ctx)).resolves.toBe(true);
+    });
+});
+// ---------------------------------------------------------------------------
+// @CheckPolicies decorator
+// ---------------------------------------------------------------------------
+describe('@CheckPolicies decorator', () => {
+    it('registers a PoliciesGuard on the method metadata under hazel:guards', () => {
+        class TestController {
+            getAll() {
+                return [];
+            }
+        }
+        __decorate([
+            (0, check_policies_decorator_1.CheckPolicies)((ability) => ability.can('read', 'Post')),
+            __metadata("design:type", Function),
+            __metadata("design:paramtypes", []),
+            __metadata("design:returntype", void 0)
+        ], TestController.prototype, "getAll", null);
+        const guards = Reflect.getMetadata('hazel:guards', TestController.prototype, 'getAll');
+        expect(Array.isArray(guards)).toBe(true);
+        expect(guards).toHaveLength(1);
+    });
+    it('appends to existing guards without overwriting them', () => {
+        // Pre-register a guard manually the way @UseGuards would
+        class MockGuard {
+        }
+        class TestController {
+            dummy() { }
+        }
+        Reflect.defineMetadata('hazel:guards', [MockGuard], TestController.prototype, 'dummy');
+        // Now apply CheckPolicies
+        const decorator = (0, check_policies_decorator_1.CheckPolicies)((ability) => ability.can('read', 'Post'));
+        const descriptor = Object.getOwnPropertyDescriptor(TestController.prototype, 'dummy');
+        decorator(TestController.prototype, 'dummy', descriptor);
+        const guards = Reflect.getMetadata('hazel:guards', TestController.prototype, 'dummy');
+        expect(guards).toHaveLength(2);
+        expect(guards[0]).toBe(MockGuard);
+    });
+});
+// ---------------------------------------------------------------------------
+// @Ability() decorator
+// ---------------------------------------------------------------------------
+describe('@Ability() decorator', () => {
+    const INJECT_KEY = 'hazel:inject';
+    it('stores a custom injection on the method metadata', () => {
+        class TestController {
+            getTask(_ability) {
+                return _ability;
+            }
+        }
+        __decorate([
+            __param(0, (0, ability_decorator_1.Ability)()),
+            __metadata("design:type", Function),
+            __metadata("design:paramtypes", [Object]),
+            __metadata("design:returntype", void 0)
+        ], TestController.prototype, "getTask", null);
+        const injections = Reflect.getMetadata(INJECT_KEY, TestController, 'getTask');
+        expect(Array.isArray(injections)).toBe(true);
+        expect(injections).toHaveLength(1);
+        const inj = injections[0];
+        expect(inj.type).toBe('custom');
+        expect(typeof inj.resolve).toBe('function');
+    });
+    it('resolve() calls CaslService.createForUser with context.user', () => {
+        const mockAbility = { can: jest.fn() };
+        const mockCaslSvc = { createForUser: jest.fn().mockReturnValue(mockAbility) };
+        const mockContainer = { resolve: jest.fn().mockReturnValue(mockCaslSvc) };
+        class TestController {
+            getTask(_ability) {
+                return _ability;
+            }
+        }
+        __decorate([
+            __param(0, (0, ability_decorator_1.Ability)()),
+            __metadata("design:type", Function),
+            __metadata("design:paramtypes", [Object]),
+            __metadata("design:returntype", void 0)
+        ], TestController.prototype, "getTask", null);
+        const injections = Reflect.getMetadata(INJECT_KEY, TestController, 'getTask');
+        const context = { user: { sub: 'u1', role: 'admin' } };
+        const result = injections[0].resolve(null, context, mockContainer);
+        expect(mockContainer.resolve).toHaveBeenCalledWith(casl_service_1.CaslService);
+        expect(mockCaslSvc.createForUser).toHaveBeenCalledWith({ sub: 'u1', role: 'admin' });
+        expect(result).toBe(mockAbility);
+    });
+    it('resolve() falls back to empty user object when context.user is undefined', () => {
+        const mockCaslSvc = { createForUser: jest.fn().mockReturnValue({}) };
+        const mockContainer = { resolve: jest.fn().mockReturnValue(mockCaslSvc) };
+        class TestController {
+            getTask(_ability) {
+                return _ability;
+            }
+        }
+        __decorate([
+            __param(0, (0, ability_decorator_1.Ability)()),
+            __metadata("design:type", Function),
+            __metadata("design:paramtypes", [Object]),
+            __metadata("design:returntype", void 0)
+        ], TestController.prototype, "getTask", null);
+        const injections = Reflect.getMetadata(INJECT_KEY, TestController, 'getTask');
+        injections[0].resolve(null, {}, mockContainer);
+        expect(mockCaslSvc.createForUser).toHaveBeenCalledWith({});
+    });
+    it('throws when used outside a method parameter', () => {
+        expect(() => {
+            const decorator = (0, ability_decorator_1.Ability)();
+            decorator({}, undefined, 0);
+        }).toThrow('@Ability() must be used on a method parameter');
+    });
+    it('does not overwrite existing injections at other parameter indices', () => {
+        class TestController {
+            getTask(_ability, _id) {
+                return _ability;
+            }
+        }
+        __decorate([
+            __param(0, (0, ability_decorator_1.Ability)()),
+            __metadata("design:type", Function),
+            __metadata("design:paramtypes", [Object, String]),
+            __metadata("design:returntype", void 0)
+        ], TestController.prototype, "getTask", null);
+        // Only index 0 should be set; index 1 is unset
+        const injections = Reflect.getMetadata(INJECT_KEY, TestController, 'getTask');
+        expect(injections[0]).toBeDefined();
+        expect(injections[1]).toBeUndefined();
+    });
+});
+// ---------------------------------------------------------------------------
+// AbilityFactory abstract class
+// ---------------------------------------------------------------------------
+describe('AbilityFactory', () => {
+    it('can be extended and createForUser can be implemented', () => {
+        const factory = new TestAbilityFactory();
+        const ability = factory.createForUser({ id: 'u1', role: 'admin' });
+        expect(ability.can('manage', 'all')).toBe(true);
+    });
+});

package/dist/decorators/ability.decorator.d.ts

@@ -0,0 +1,32 @@
+import 'reflect-metadata';
+/**
+ * Parameter decorator that injects the current user's CASL ability directly
+ * into a controller method parameter.
+ *
+ * Requires `JwtAuthGuard` (or any guard that sets `req.user`) to run before
+ * the route handler, and `CaslModule.forRoot()` to be configured.
+ *
+ * The ability is resolved once per request by calling
+ * `CaslService.createForUser(context.user)`.  No need to inject `CaslService`
+ * into your services — pass the pre-built ability down instead.
+ *
+ * @example
+ * ```ts
+ * import { UseGuards } from '@hazeljs/core';
+ * import { JwtAuthGuard } from '@hazeljs/auth';
+ * import { Ability } from '@hazeljs/casl';
+ * import type { AppAbility } from './casl/app-ability.factory';
+ *
+ * @UseGuards(JwtAuthGuard, RoleGuard('user'))
+ * @Patch('/:id')
+ * update(
+ *   @Ability() ability: AppAbility,
+ *   @Param('id') id: string,
+ *   @Body() dto: UpdateTaskDto,
+ * ) {
+ *   return this.tasksService.update(ability, id, dto);
+ * }
+ * ```
+ */
+export declare function Ability(): ParameterDecorator;
+//# sourceMappingURL=ability.decorator.d.ts.map

package/dist/decorators/ability.decorator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ability.decorator.d.ts","sourceRoot":"","sources":["../../src/decorators/ability.decorator.ts"],"names":[],"mappings":"AAAA,OAAO,kBAAkB,CAAC;AAM1B;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,wBAAgB,OAAO,IAAI,kBAAkB,CA6B5C"}

package/dist/decorators/ability.decorator.js

@@ -0,0 +1,54 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Ability = Ability;
+require("reflect-metadata");
+const casl_service_1 = require("../casl.service");
+const INJECT_METADATA_KEY = 'hazel:inject';
+/**
+ * Parameter decorator that injects the current user's CASL ability directly
+ * into a controller method parameter.
+ *
+ * Requires `JwtAuthGuard` (or any guard that sets `req.user`) to run before
+ * the route handler, and `CaslModule.forRoot()` to be configured.
+ *
+ * The ability is resolved once per request by calling
+ * `CaslService.createForUser(context.user)`.  No need to inject `CaslService`
+ * into your services — pass the pre-built ability down instead.
+ *
+ * @example
+ * ```ts
+ * import { UseGuards } from '@hazeljs/core';
+ * import { JwtAuthGuard } from '@hazeljs/auth';
+ * import { Ability } from '@hazeljs/casl';
+ * import type { AppAbility } from './casl/app-ability.factory';
+ *
+ * @UseGuards(JwtAuthGuard, RoleGuard('user'))
+ * @Patch('/:id')
+ * update(
+ *   @Ability() ability: AppAbility,
+ *   @Param('id') id: string,
+ *   @Body() dto: UpdateTaskDto,
+ * ) {
+ *   return this.tasksService.update(ability, id, dto);
+ * }
+ * ```
+ */
+function Ability() {
+    return (target, propertyKey, parameterIndex) => {
+        if (!propertyKey) {
+            throw new Error('@Ability() must be used on a method parameter');
+        }
+        const constructor = target.constructor;
+        const injections = Reflect.getMetadata(INJECT_METADATA_KEY, constructor, propertyKey) ?? [];
+        injections[parameterIndex] = {
+            type: 'custom',
+            // Called by the router with (req, context, container) after guards have run.
+            resolve: (_req, context, container) => {
+                const user = (context.user ?? {});
+                const caslSvc = container.resolve(casl_service_1.CaslService);
+                return caslSvc.createForUser(user);
+            },
+        };
+        Reflect.defineMetadata(INJECT_METADATA_KEY, injections, constructor, propertyKey);
+    };
+}

package/dist/decorators/check-policies.decorator.d.ts

@@ -0,0 +1,31 @@
+import 'reflect-metadata';
+import type { AnyAbility } from '@casl/ability';
+import type { AnyPolicyHandler } from '../types';
+/**
+ * Shorthand method decorator that registers one or more CASL policy handlers
+ * directly on the route — equivalent to `@UseGuards(PoliciesGuard(...handlers))`.
+ *
+ * Accepts both **function** handlers and **class-instance** handlers that
+ * implement `IPolicyHandler`.
+ *
+ * > Requires `JwtAuthGuard` (or any guard that sets `req.user`) to run first,
+ * > and `CaslModule.forRoot()` to be configured.
+ *
+ * @example
+ * ```ts
+ * // Function handler (inline, no DI needed)
+ * @CheckPolicies((ability: AppAbility) => ability.can('read', 'Post'))
+ * @Get('/')
+ * list() { ... }
+ *
+ * // Multiple handlers — all must pass
+ * @CheckPolicies(
+ *   (ability: AppAbility) => ability.can('read',   'Post'),
+ *   (ability: AppAbility) => ability.can('update', 'Post'),
+ * )
+ * @Get('/:id/edit')
+ * editForm() { ... }
+ * ```
+ */
+export declare function CheckPolicies<A extends AnyAbility>(...handlers: AnyPolicyHandler<A>[]): MethodDecorator;
+//# sourceMappingURL=check-policies.decorator.d.ts.map

package/dist/decorators/check-policies.decorator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"check-policies.decorator.d.ts","sourceRoot":"","sources":["../../src/decorators/check-policies.decorator.ts"],"names":[],"mappings":"AAAA,OAAO,kBAAkB,CAAC;AAC1B,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAGjD;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,aAAa,CAAC,CAAC,SAAS,UAAU,EAChD,GAAG,QAAQ,EAAE,gBAAgB,CAAC,CAAC,CAAC,EAAE,GACjC,eAAe,CAWjB"}

package/dist/decorators/check-policies.decorator.js

@@ -0,0 +1,42 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CheckPolicies = CheckPolicies;
+require("reflect-metadata");
+const policy_guard_1 = require("../policy.guard");
+/**
+ * Shorthand method decorator that registers one or more CASL policy handlers
+ * directly on the route — equivalent to `@UseGuards(PoliciesGuard(...handlers))`.
+ *
+ * Accepts both **function** handlers and **class-instance** handlers that
+ * implement `IPolicyHandler`.
+ *
+ * > Requires `JwtAuthGuard` (or any guard that sets `req.user`) to run first,
+ * > and `CaslModule.forRoot()` to be configured.
+ *
+ * @example
+ * ```ts
+ * // Function handler (inline, no DI needed)
+ * @CheckPolicies((ability: AppAbility) => ability.can('read', 'Post'))
+ * @Get('/')
+ * list() { ... }
+ *
+ * // Multiple handlers — all must pass
+ * @CheckPolicies(
+ *   (ability: AppAbility) => ability.can('read',   'Post'),
+ *   (ability: AppAbility) => ability.can('update', 'Post'),
+ * )
+ * @Get('/:id/edit')
+ * editForm() { ... }
+ * ```
+ */
+function CheckPolicies(...handlers) {
+    const guardClass = (0, policy_guard_1.PoliciesGuard)(...handlers);
+    // `target` is the class prototype; `propertyKey` is the method name.
+    // This mirrors the exact metadata key/target pair that @UseGuards uses for
+    // method-level guards, and that the HazelJS router reads.
+    return (target, propertyKey, descriptor) => {
+        const existing = Reflect.getMetadata('hazel:guards', target, propertyKey) ?? [];
+        Reflect.defineMetadata('hazel:guards', [...existing, guardClass], target, propertyKey);
+        return descriptor;
+    };
+}

package/dist/index.d.ts

@@ -0,0 +1,11 @@
+export { AbilityFactory } from './ability.factory';
+export { CaslService } from './casl.service';
+export { CaslModule } from './casl.module';
+export type { CaslModuleOptions } from './casl.module';
+export { PoliciesGuard } from './policy.guard';
+export { CheckPolicies } from './decorators/check-policies.decorator';
+export { Ability } from './decorators/ability.decorator';
+export type { PolicyHandler, IPolicyHandler, AnyPolicyHandler } from './types';
+export { AbilityBuilder, createMongoAbility, subject } from '@casl/ability';
+export type { MongoAbility, AnyAbility } from '@casl/ability';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,YAAY,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AACvD,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,uCAAuC,CAAC;AACtE,OAAO,EAAE,OAAO,EAAE,MAAM,gCAAgC,CAAC;AACzD,YAAY,EAAE,aAAa,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AAK/E,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AAC5E,YAAY,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC"}

package/dist/index.js

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.subject = exports.createMongoAbility = exports.AbilityBuilder = exports.Ability = exports.CheckPolicies = exports.PoliciesGuard = exports.CaslModule = exports.CaslService = exports.AbilityFactory = void 0;
+var ability_factory_1 = require("./ability.factory");
+Object.defineProperty(exports, "AbilityFactory", { enumerable: true, get: function () { return ability_factory_1.AbilityFactory; } });
+var casl_service_1 = require("./casl.service");
+Object.defineProperty(exports, "CaslService", { enumerable: true, get: function () { return casl_service_1.CaslService; } });
+var casl_module_1 = require("./casl.module");
+Object.defineProperty(exports, "CaslModule", { enumerable: true, get: function () { return casl_module_1.CaslModule; } });
+var policy_guard_1 = require("./policy.guard");
+Object.defineProperty(exports, "PoliciesGuard", { enumerable: true, get: function () { return policy_guard_1.PoliciesGuard; } });
+var check_policies_decorator_1 = require("./decorators/check-policies.decorator");
+Object.defineProperty(exports, "CheckPolicies", { enumerable: true, get: function () { return check_policies_decorator_1.CheckPolicies; } });
+var ability_decorator_1 = require("./decorators/ability.decorator");
+Object.defineProperty(exports, "Ability", { enumerable: true, get: function () { return ability_decorator_1.Ability; } });
+// Re-export the most commonly used @casl/ability symbols so applications
+// that depend only on @hazeljs/casl do not need @casl/ability as a direct
+// dependency in their own package.json.
+var ability_1 = require("@casl/ability");
+Object.defineProperty(exports, "AbilityBuilder", { enumerable: true, get: function () { return ability_1.AbilityBuilder; } });
+Object.defineProperty(exports, "createMongoAbility", { enumerable: true, get: function () { return ability_1.createMongoAbility; } });
+Object.defineProperty(exports, "subject", { enumerable: true, get: function () { return ability_1.subject; } });

package/dist/policy.guard.d.ts

@@ -0,0 +1,36 @@
+import { CanActivate, Type } from '@hazeljs/core';
+import type { AnyAbility } from '@casl/ability';
+import type { AnyPolicyHandler } from './types';
+/**
+ * Factory that returns a guard running all provided policy handlers against
+ * the current user's CASL ability.  Every handler must return `true`; if any
+ * returns `false` the guard throws a 403.
+ *
+ * Must be placed **after** `JwtAuthGuard` (or any guard that sets `req.user`).
+ * Requires `CaslModule.forRoot()` to be configured.
+ *
+ * Accepts both function handlers and class-instance handlers:
+ *
+ * @example
+ * ```ts
+ * // Inline function handler
+ * @UseGuards(JwtAuthGuard, PoliciesGuard((ability: AppAbility) => ability.can('read', 'Post')))
+ * @Get('/')
+ * list() { ... }
+ *
+ * // Class-instance handler (dependencies resolved manually or via new)
+ * @UseGuards(JwtAuthGuard, PoliciesGuard(new CanCreatePost()))
+ * @Post('/')
+ * create() { ... }
+ * ```
+ *
+ * Prefer the `@CheckPolicies()` decorator for cleaner syntax:
+ *
+ * ```ts
+ * @CheckPolicies((ability: AppAbility) => ability.can('read', 'Post'))
+ * @Get('/')
+ * list() { ... }
+ * ```
+ */
+export declare function PoliciesGuard<A extends AnyAbility>(...handlers: AnyPolicyHandler<A>[]): Type<CanActivate>;
+//# sourceMappingURL=policy.guard.d.ts.map

package/dist/policy.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.guard.d.ts","sourceRoot":"","sources":["../src/policy.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,WAAW,EAAoB,IAAI,EAAE,MAAM,eAAe,CAAC;AAChF,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAEhD,OAAO,KAAK,EAAE,gBAAgB,EAAiC,MAAM,SAAS,CAAC;AAY/E;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,wBAAgB,aAAa,CAAC,CAAC,SAAS,UAAU,EAChD,GAAG,QAAQ,EAAE,gBAAgB,CAAC,CAAC,CAAC,EAAE,GACjC,IAAI,CAAC,WAAW,CAAC,CAqCnB"}

package/dist/policy.guard.js

@@ -0,0 +1,87 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PoliciesGuard = PoliciesGuard;
+const core_1 = require("@hazeljs/core");
+const casl_service_1 = require("./casl.service");
+function isClassHandler(handler) {
+    return (typeof handler === 'object' &&
+        handler !== null &&
+        typeof handler.handle === 'function');
+}
+/**
+ * Factory that returns a guard running all provided policy handlers against
+ * the current user's CASL ability.  Every handler must return `true`; if any
+ * returns `false` the guard throws a 403.
+ *
+ * Must be placed **after** `JwtAuthGuard` (or any guard that sets `req.user`).
+ * Requires `CaslModule.forRoot()` to be configured.
+ *
+ * Accepts both function handlers and class-instance handlers:
+ *
+ * @example
+ * ```ts
+ * // Inline function handler
+ * @UseGuards(JwtAuthGuard, PoliciesGuard((ability: AppAbility) => ability.can('read', 'Post')))
+ * @Get('/')
+ * list() { ... }
+ *
+ * // Class-instance handler (dependencies resolved manually or via new)
+ * @UseGuards(JwtAuthGuard, PoliciesGuard(new CanCreatePost()))
+ * @Post('/')
+ * create() { ... }
+ * ```
+ *
+ * Prefer the `@CheckPolicies()` decorator for cleaner syntax:
+ *
+ * ```ts
+ * @CheckPolicies((ability: AppAbility) => ability.can('read', 'Post'))
+ * @Get('/')
+ * list() { ... }
+ * ```
+ */
+function PoliciesGuard(...handlers) {
+    let PoliciesGuardMixin = class PoliciesGuardMixin {
+        constructor(casl) {
+            this.casl = casl;
+        }
+        async canActivate(context) {
+            if (handlers.length === 0)
+                return true;
+            const req = context.switchToHttp().getRequest();
+            const user = req.user;
+            if (!user) {
+                throw Object.assign(new Error('Unauthorized'), { status: 401 });
+            }
+            const ability = this.casl.createForUser(user);
+            for (const handler of handlers) {
+                let result;
+                if (isClassHandler(handler)) {
+                    result = await handler.handle(ability);
+                }
+                else {
+                    result = handler(ability);
+                }
+                if (!result) {
+                    throw Object.assign(new Error('Insufficient permissions for this action'), {
+                        status: 403,
+                    });
+                }
+            }
+            return true;
+        }
+    };
+    PoliciesGuardMixin = __decorate([
+        (0, core_1.Injectable)(),
+        __metadata("design:paramtypes", [casl_service_1.CaslService])
+    ], PoliciesGuardMixin);
+    return PoliciesGuardMixin;
+}

package/dist/types.d.ts

@@ -0,0 +1,32 @@
+import type { AnyAbility } from '@casl/ability';
+/**
+ * A function-style policy handler.  Receives the current user's ability and
+ * returns `true` if the action is allowed.
+ *
+ * @example
+ * ```ts
+ * const canReadPost: PolicyHandler<AppAbility> =
+ *   (ability) => ability.can('read', 'Post');
+ * ```
+ */
+export type PolicyHandler<A extends AnyAbility = AnyAbility> = (ability: A) => boolean;
+/**
+ * Class-style policy handler.  Implement this interface and pass the class to
+ * `@CheckPolicies()` when you need constructor-injected dependencies.
+ *
+ * @example
+ * ```ts
+ * @Injectable()
+ * export class CanCreatePost implements IPolicyHandler<AppAbility> {
+ *   handle(ability: AppAbility) {
+ *     return ability.can('create', 'Post');
+ *   }
+ * }
+ * ```
+ */
+export interface IPolicyHandler<A extends AnyAbility = AnyAbility> {
+    handle(ability: A): boolean | Promise<boolean>;
+}
+/** Union of the two supported handler shapes. */
+export type AnyPolicyHandler<A extends AnyAbility = AnyAbility> = PolicyHandler<A> | IPolicyHandler<A>;
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAEhD;;;;;;;;;GASG;AACH,MAAM,MAAM,aAAa,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU,IAAI,CAAC,OAAO,EAAE,CAAC,KAAK,OAAO,CAAC;AAEvF;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,cAAc,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU;IAC/D,MAAM,CAAC,OAAO,EAAE,CAAC,GAAG,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CAChD;AAED,iDAAiD;AACjD,MAAM,MAAM,gBAAgB,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU,IAC1D,aAAa,CAAC,CAAC,CAAC,GAChB,cAAc,CAAC,CAAC,CAAC,CAAC"}

package/dist/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hazeljs/casl",
-  "version": "0.7.8",
+  "version": "0.8.0",
   "description": "Attribute-level (resource-level) authorization for HazelJS via CASL",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -52,5 +52,5 @@
   "peerDependencies": {
     "@hazeljs/core": ">=0.2.0-beta.0"
   },
-  "gitHead": "906cacdc08d52c4616831b888748f1d1887edb80"
+  "gitHead": "e0ed98ca074dd4f7472816d3c32ef576900dcca6"
 }