@innvoid/getmarket-sdk 0.2.8 → 0.2.9

@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/middlewares/index.ts","../../src/headers/constants.ts","../../src/headers/parse.ts","../../src/middlewares/parseHeaders.ts","../../src/middlewares/requestId.ts","../../src/middlewares/internalAuth.ts","../../src/middlewares/respond.ts","../../src/middlewares/authorization.ts","../../src/auth/jwt.ts","../../src/auth/middleware.ts","../../src/auth/authentication.ts","../../src/middlewares/guards.ts"],"sourcesContent":["// packages/sdk/src/middlewares/index.ts\nexport {default as parseHeaders} from \"./parseHeaders\";\nexport {default as requestId} from \"./requestId\";\nexport {default as internalAuth} from \"./internalAuth\";\n\nexport {sendOk, sendError} from \"./respond\";\n\nexport * from \"./authorization\";\nexport * from \"./guards\";\n","// packages/sdk/src/constants.ts\nexport const HEADER_REQUEST_ID = \"x-request-id\";\n\nexport const HEADER_COMPANY_UID = \"x-company\";\nexport const HEADER_BRANCH_UID = \"x-branch\";\nexport const HEADER_EMPLOYEE_UID = \"x-employee-uid\";\n\nexport const HEADER_INTERNAL_API_KEY = \"x-internal-api-key\";\nexport const HEADER_AUTHORIZATION = \"authorization\";\n","// packages/sdk/src/parse.ts\nimport {\n HEADER_BRANCH_UID,\n HEADER_COMPANY_UID,\n HEADER_EMPLOYEE_UID,\n HEADER_REQUEST_ID,\n} from \"./constants\";\n\nexport type RequestContext = {\n requestId?: string | null;\n company_uid?: string | null;\n branch_uid?: string | null;\n employee_uid?: string | null;\n};\n\nfunction normalizeHeaderValue(v: unknown): string | null {\n if (typeof v !== \"string\") return null;\n const s = v.trim();\n if (!s) return null;\n\n // ✅ NO-LEGACY: bloquea JSON en headers\n if (s.startsWith(\"{\") || s.startsWith(\"[\") || s.includes('\"')) return null;\n\n // Evitar valores demasiado cortos (basura)\n if (s.length < 6) return null;\n\n return s;\n}\n\n/**\n * Lee header aunque venga en mayúsculas/minúsculas (Express suele bajar a lower-case).\n */\nfunction h(headers: Record<string, any>, key: 
string): unknown {\n return headers[key] ?? headers[key.toLowerCase()] ?? headers[key.toUpperCase()];\n}\n\n/**\n * ✅ NO-LEGACY:\n * - x-company: <UID>\n * - x-branch: <UID>\n * - x-employee-uid: <UID> (opcional; NO reemplaza JWT)\n * - x-request-id: string (opcional)\n */\nexport function getRequestContextFromHeaders(headers: Record<string, any>): RequestContext {\n return {\n requestId: normalizeHeaderValue(h(headers, HEADER_REQUEST_ID)) ?? null,\n company_uid: normalizeHeaderValue(h(headers, HEADER_COMPANY_UID)) ?? null,\n branch_uid: normalizeHeaderValue(h(headers, HEADER_BRANCH_UID)) ?? null,\n employee_uid: normalizeHeaderValue(h(headers, HEADER_EMPLOYEE_UID)) ?? null,\n };\n}\n","// sdk/src/middlewares/parseHeaders.ts\nimport type {Request, Response, NextFunction} from \"express\";\nimport {getRequestContextFromHeaders} from \"../headers\";\n\n/**\n * ✅ NO-LEGACY / ESTÁNDAR:\n * - Lee SOLO x-company y x-branch (UIDs planos)\n * - Setea req.context = { company_uid, branch_uid }\n * - NO toca req.auth (auth lo setea authentication/requireAuth)\n */\nexport default function parseHeaders(req: Request, _res: Response, next: NextFunction) {\n (req as any).context = getRequestContextFromHeaders(req.headers as any);\n next();\n}\n","// middlewares/requestId.ts\nimport type {Request, Response, NextFunction} from \"express\";\nimport {randomUUID, randomBytes} from \"crypto\";\n\nexport const REQUEST_ID_HEADER = \"x-request-id\";\nexport const REQUEST_ID_HEADER_ALT = \"x-requestid\";\nexport const RESPONSE_REQUEST_ID_HEADER = \"X-Request-Id\";\n\n// Si quieres IDs más cortos (opcional). 
Por defecto usamos UUID.\nfunction nanoidLike(len = 21) {\n return randomBytes(16).toString(\"base64url\").slice(0, len);\n}\n\nexport default function requestId(req: Request, res: Response, next: NextFunction) {\n const headerId = (req.headers[REQUEST_ID_HEADER] || req.headers[REQUEST_ID_HEADER_ALT]) as\n | string\n | undefined;\n\n // ✅ estándar único: usa UUID (o cambia a nanoidLike() si prefieres corto)\n const id = headerId?.trim() || randomUUID();\n\n // ✅ estándar único (no legacy)\n (req as any).requestId = id;\n res.locals.requestId = id;\n\n // ✅ respuesta\n res.setHeader(RESPONSE_REQUEST_ID_HEADER, id);\n\n next();\n}\n","import type {Request, Response, NextFunction} from \"express\";\nimport fs from \"fs\";\nimport crypto from \"crypto\";\nimport {sendError} from \"./respond\";\nimport {HEADER_INTERNAL_API_KEY} from \"../headers\";\n\nfunction readSecretFile(path?: string): string | null {\n if (!path) return null;\n try {\n const v = fs.readFileSync(path, \"utf8\").trim();\n return v.length ? 
v : null;\n } catch {\n return null;\n }\n}\n\nfunction splitKeys(v?: string | null): string[] {\n if (!v) return [];\n return v.split(\",\").map((s) => s.trim()).filter(Boolean);\n}\n\nfunction getExpectedKeys(): string[] {\n const fileKey = readSecretFile(process.env.INTERNAL_API_KEY_FILE);\n const envKey = (process.env.INTERNAL_API_KEY || \"\").trim();\n const raw = fileKey || envKey;\n return splitKeys(raw);\n}\n\nfunction extractToken(req: Request): string | null {\n const apiKey = (req.header(HEADER_INTERNAL_API_KEY) || \"\").trim();\n return apiKey || null;\n}\n\nfunction safeEquals(a: string, b: string): boolean {\n const aa = Buffer.from(a);\n const bb = Buffer.from(b);\n if (aa.length !== bb.length) return false;\n return crypto.timingSafeEqual(aa, bb);\n}\n\nexport default function internalAuth(req: Request, res: Response, next: NextFunction) {\n const token = extractToken(req);\n\n if (!token) {\n return sendError(req, res, 401, \"UNAUTHORIZED\", `Missing internal api key (${HEADER_INTERNAL_API_KEY})`);\n }\n\n const expectedKeys = getExpectedKeys();\n if (expectedKeys.length === 0) {\n return sendError(\n req,\n res,\n 500,\n \"MISCONFIGURED_INTERNAL_AUTH\",\n \"Internal api key not configured (INTERNAL_API_KEY or INTERNAL_API_KEY_FILE)\"\n );\n }\n\n const ok = expectedKeys.some((k) => safeEquals(token, k));\n if (!ok) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Invalid internal api key\");\n }\n\n return next();\n}\n","// packages/sdk/src/middleware/respond.ts\nimport type {Request, Response} from \"express\";\n\nexport function sendOk<T>(_req: Request, res: Response, data: T, statusCode = 200) {\n return res.status(statusCode).json({ok: true, data, requestId: res.locals?.requestId ?? null});\n}\n\nexport function sendError(\n _req: Request,\n res: Response,\n statusCode: number,\n code: string,\n message: string,\n details?: any\n) {\n return res.status(statusCode).json({\n ok: false,\n error: {code, message, ...(details !== undefined ? 
{details} : {})},\n requestId: res.locals?.requestId ?? null,\n });\n}\n","// packages/sdk/src/middlewares/authorization.ts\nimport type {Request, Response, NextFunction} from \"express\";\nimport {sendError} from \"./respond\";\n\ntype AuthRole = string | { code?: string; name?: string };\ntype AuthPermission = string | { code?: string; name?: string };\n\ntype AuthShape = {\n roles?: AuthRole[];\n permissions?: AuthPermission[];\n denied_permissions?: AuthPermission[];\n};\n\nfunction getAuth(req: Request): AuthShape {\n return ((req as any).auth ?? {}) as AuthShape;\n}\n\nfunction normalizeCode(v: any): string | null {\n if (!v) return null;\n if (typeof v === \"string\") return v;\n if (typeof v === \"object\") return v.code || v.name || null;\n return null;\n}\n\nfunction rolesSet(auth: AuthShape): Set<string> {\n const out = new Set<string>();\n for (const r of auth.roles || []) {\n const c = normalizeCode(r);\n if (c) out.add(c);\n }\n return out;\n}\n\nfunction permsSet(list?: AuthPermission[]): Set<string> {\n const out = new Set<string>();\n for (const p of list || []) {\n const c = normalizeCode(p);\n if (c) out.add(c);\n }\n return out;\n}\n\n/**\n * 401 si no existe req.auth (contexto auth).\n * Útil para proteger rutas donde SIEMPRE debe existir auth.\n */\nexport function requireAuthContext() {\n return (req: Request, res: Response, next: NextFunction) => {\n if (!(req as any).auth) {\n return sendError(req, res, 401, \"UNAUTHORIZED\", \"Missing auth context\");\n }\n return next();\n };\n}\n\n/**\n * Helper: SYS_ADMIN bypass (por defecto activo)\n */\nfunction isSysAdmin(auth: AuthShape, sysAdminRole: string) {\n const have = rolesSet(auth);\n return have.has(sysAdminRole);\n}\n\n/**\n * Requiere TODOS los permisos indicados.\n * Regla: denied_permissions siempre gana sobre permissions.\n *\n * options:\n * - sysAdminBypass: default true\n * - sysAdminRole: default \"SYS_ADMIN\"\n */\nexport function requirePermissions(\n perms: string[],\n 
options?: { sysAdminBypass?: boolean; sysAdminRole?: string }\n) {\n const sysAdminBypass = options?.sysAdminBypass !== false;\n const sysAdminRole = options?.sysAdminRole || \"SYS_ADMIN\";\n\n return (req: Request, res: Response, next: NextFunction) => {\n const auth = getAuth(req);\n\n if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();\n\n const allow = permsSet(auth.permissions);\n const deny = permsSet(auth.denied_permissions);\n\n // deny gana siempre\n for (const p of perms) {\n if (deny.has(p)) {\n return sendError(req, res, 403, \"FORBIDDEN\", `Denied permission: ${p}`, {\n denied: p,\n });\n }\n }\n\n const missing = perms.filter((p) => !allow.has(p));\n if (missing.length) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Missing permissions\", {\n missing,\n mode: \"ALL\",\n });\n }\n\n return next();\n };\n}\n\n/**\n * Requiere AL MENOS 1 permiso de la lista (ANY/OR).\n * Regla: denied_permissions siempre gana.\n */\nexport function requireAnyPermission(\n perms: string[],\n options?: { sysAdminBypass?: boolean; sysAdminRole?: string }\n) {\n const sysAdminBypass = options?.sysAdminBypass !== false;\n const sysAdminRole = options?.sysAdminRole || \"SYS_ADMIN\";\n\n return (req: Request, res: Response, next: NextFunction) => {\n const auth = getAuth(req);\n\n if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();\n\n const allow = permsSet(auth.permissions);\n const deny = permsSet(auth.denied_permissions);\n\n // deny gana siempre (si alguno requerido está denegado explícitamente)\n for (const p of perms) {\n if (deny.has(p)) {\n return sendError(req, res, 403, \"FORBIDDEN\", `Denied permission: ${p}`, {\n denied: p,\n });\n }\n }\n\n const ok = perms.some((p) => allow.has(p));\n if (!ok) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Permission denied\", {\n required: perms,\n mode: \"ANY\",\n });\n }\n\n return next();\n };\n}\n\n/**\n * Requiere al menos 1 rol (ANY/OR).\n * options:\n * - sysAdminBypass: 
default true\n * - sysAdminRole: default \"SYS_ADMIN\"\n */\nexport function requireRoles(\n roles: string[],\n options?: { sysAdminBypass?: boolean; sysAdminRole?: string }\n) {\n const sysAdminBypass = options?.sysAdminBypass !== false;\n const sysAdminRole = options?.sysAdminRole || \"SYS_ADMIN\";\n\n return (req: Request, res: Response, next: NextFunction) => {\n const auth = getAuth(req);\n\n // SYS_ADMIN bypass aplica también aquí\n if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();\n\n const have = rolesSet(auth);\n if (!roles.some((r) => have.has(r))) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Role not allowed\", {\n required: roles,\n mode: \"ANY\",\n });\n }\n\n return next();\n };\n}\n\n/**\n * Requiere (roles ANY) OR (permissions ANY).\n * deny_permissions siempre gana sobre permissions.\n */\nexport function requireRolesOrAnyPermission(\n roles: string[],\n perms: string[],\n options?: { sysAdminBypass?: boolean; sysAdminRole?: string }\n) {\n const sysAdminBypass = options?.sysAdminBypass !== false;\n const sysAdminRole = options?.sysAdminRole || \"SYS_ADMIN\";\n\n return (req: Request, res: Response, next: NextFunction) => {\n const auth = getAuth(req);\n\n if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();\n\n const haveRoles = rolesSet(auth);\n const allow = permsSet(auth.permissions);\n const deny = permsSet(auth.denied_permissions);\n\n // deny gana siempre (si cualquiera de los permisos evaluados está denegado explícitamente)\n for (const p of perms) {\n if (deny.has(p)) {\n return sendError(req, res, 403, \"FORBIDDEN\", `Denied permission: ${p}`, {\n denied: p,\n });\n }\n }\n\n const okRole = roles.some((r) => haveRoles.has(r));\n const okPerm = perms.some((p) => allow.has(p));\n\n if (!okRole && !okPerm) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Access denied\", {\n roles,\n permissions: perms,\n mode: \"ROLES_OR_PERMS_ANY\",\n });\n }\n\n return next();\n };\n}\n","import fs from 
\"fs\";\nimport jwt, {JwtPayload} from \"jsonwebtoken\";\n\nfunction readFileIfExists(path?: string): string | null {\n if (!path) return null;\n try {\n const v = fs.readFileSync(path, \"utf8\").trim();\n return v.length ? v : null;\n } catch {\n return null;\n }\n}\n\nexport function getBearerToken(req: any): string | null {\n const auth = String(req?.headers?.authorization || \"\");\n if (!auth.startsWith(\"Bearer \")) return null;\n const token = auth.slice(7).trim();\n return token.length ? token : null;\n}\n\nexport function normalizeUid(v: any): string | null {\n const s = String(v ?? \"\").trim();\n return s.length ? s : null;\n}\n\n/**\n * ✅ Keys centralizadas:\n * - JWT_PUBLIC_KEY_PATH=/run/secrets/jwtRS256.key.pub\n * - fallback env AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY\n */\nexport function readRs256PublicKey(): string {\n const fromFile = readFileIfExists(process.env.JWT_PUBLIC_KEY_PATH);\n if (fromFile) return fromFile;\n\n const fromEnv = String(\n process.env.AUTH_JWT_PUBLIC_KEY || process.env.AUTH_RSA_PUBLIC_KEY || \"\"\n )\n .replace(/\\\\n/g, \"\\n\")\n .trim();\n\n if (fromEnv) return fromEnv;\n\n throw new Error(\n \"Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)\"\n );\n}\n\nexport function verifyBackendJwtRS256(raw: string): JwtPayload {\n const publicKey = readRs256PublicKey();\n\n const audience =\n process.env.JWT_AUDIENCE ||\n process.env.AUTH_JWT_AUDIENCE ||\n \"getmarket.api\";\n\n const issuer =\n process.env.JWT_ISSUER ||\n process.env.AUTH_JWT_ISSUER ||\n \"getmarket-auth\";\n\n return jwt.verify(raw, publicKey, {\n algorithms: [\"RS256\"],\n audience,\n issuer,\n }) as JwtPayload;\n}\n\nexport function extractEmployeeUid(decoded: any): string | null {\n const direct =\n normalizeUid(decoded?.employee_uid) ??\n normalizeUid(decoded?.employee?.uid);\n\n if (direct) return direct;\n\n const sub = normalizeUid(decoded?.sub);\n if (!sub) return null;\n\n const match = 
/^emp:(.+)$/i.exec(sub);\n return match?.[1] ? normalizeUid(match[1]) : null;\n}\n\nexport function extractCustomerUid(decoded: any): string | null {\n const direct =\n normalizeUid(decoded?.customer_uid) ??\n normalizeUid(decoded?.customer?.uid);\n\n if (direct) return direct;\n\n const sub = normalizeUid(decoded?.sub);\n if (!sub) return null;\n\n const match = /^cus:(.+)$/i.exec(sub);\n return match?.[1] ? normalizeUid(match[1]) : null;\n}\n","import type {NextFunction, Response} from \"express\";\nimport type {AuthContext, AuthMiddlewareOptions} from \"./types\";\nimport {\n extractCustomerUid,\n extractEmployeeUid,\n getBearerToken,\n normalizeUid,\n verifyBackendJwtRS256,\n} from \"./jwt\";\n\nexport function createAuthMiddleware(opts: AuthMiddlewareOptions) {\n const {\n subject,\n allowFirebaseIdToken = false,\n requireSubject = true,\n hydrate,\n } = opts;\n\n return async (req: any, res: Response, next: NextFunction) => {\n const token = getBearerToken(req);\n\n if (!token) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_MISSING_TOKEN\",\n message: \"Missing Authorization Bearer token\",\n });\n }\n\n const headerCtx = (req as any).context || {};\n const company_uid = normalizeUid(headerCtx.company_uid);\n const branch_uid = normalizeUid(headerCtx.branch_uid);\n\n try {\n const decoded: any = verifyBackendJwtRS256(token);\n\n const baseCtx: AuthContext = {\n tokenType: \"backend\",\n subject,\n company_uid: company_uid ?? undefined,\n branch_uid: branch_uid ?? undefined,\n roles: Array.isArray(decoded?.roles) ? decoded.roles : [],\n permissions: Array.isArray(decoded?.permissions)\n ? decoded.permissions\n : [],\n denied_permissions: Array.isArray(decoded?.denied_permissions)\n ? decoded.denied_permissions\n : [],\n session: {\n jti: decoded?.jti,\n device_id: decoded?.device_id,\n expires_at: decoded?.exp,\n },\n };\n\n if (subject === \"employee\") {\n baseCtx.employee_uid = extractEmployeeUid(decoded) ?? 
undefined;\n } else {\n baseCtx.customer_uid = extractCustomerUid(decoded) ?? undefined;\n }\n\n const hydrated = await hydrate({\n decoded,\n req,\n subject,\n company_uid,\n branch_uid,\n });\n\n Object.assign(baseCtx, hydrated);\n\n if (subject === \"employee\" && !baseCtx.employee_uid) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_EMPLOYEE_UID_MISSING\",\n message:\n \"employee_uid missing in token/context (expected employee_uid or sub=emp:<uid>)\",\n });\n }\n\n if (subject === \"customer\" && !baseCtx.customer_uid) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_CUSTOMER_UID_MISSING\",\n message:\n \"customer_uid missing in token/context (expected customer_uid or sub=cus:<uid>)\",\n });\n }\n\n if (requireSubject) {\n if (subject === \"employee\" && !baseCtx.employee) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_EMPLOYEE_NOT_FOUND\",\n message: \"Employee not resolved by hydrator\",\n });\n }\n\n if (subject === \"customer\" && !baseCtx.customer) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_CUSTOMER_NOT_FOUND\",\n message: \"Customer not resolved by hydrator\",\n });\n }\n }\n\n (req as any).auth = baseCtx;\n return next();\n } catch {\n if (!allowFirebaseIdToken) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_INVALID_TOKEN\",\n message: \"Invalid or expired token\",\n });\n }\n\n try {\n const {default: admin} = await import(\"firebase-admin\");\n const firebaseDecoded = await admin.auth().verifyIdToken(token);\n\n if (firebaseDecoded.email && firebaseDecoded.email_verified === false) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_EMAIL_NOT_VERIFIED\",\n message: \"Email not verified\",\n });\n }\n\n (req as any).auth = {\n tokenType: \"backend\",\n subject,\n firebase: firebaseDecoded,\n company_uid: company_uid ?? undefined,\n branch_uid: branch_uid ?? 
undefined,\n companies: [],\n roles: [],\n permissions: [],\n denied_permissions: [],\n } satisfies AuthContext;\n\n return next();\n } catch {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_INVALID_TOKEN\",\n message: \"Invalid or expired token\",\n });\n }\n }\n };\n}\n","import {createAuthMiddleware} from \"./middleware\";\nimport {\n extractCustomerUid,\n extractEmployeeUid,\n normalizeUid,\n} from \"./jwt\";\n\n/**\n * Wrappers simples sobre el middleware oficial.\n * Sirven como fachada reusable en micros que todavía no declaran\n * un hydrator propio más rico.\n */\n\nfunction deriveCompanyBranch(decoded: any, companyUid: string | null, branchUid: string | null) {\n const companiesFromToken = Array.isArray(decoded?.companies)\n ? decoded.companies\n : [];\n\n const company =\n decoded?.company ??\n (companyUid\n ? companiesFromToken.find((c: any) => c?.uid === companyUid)\n : null) ??\n null;\n\n const branch =\n decoded?.branch ??\n (branchUid && company?.branches\n ? (company.branches || []).find((b: any) => b?.uid === branchUid)\n : null) ??\n null;\n\n return {\n companiesFromToken,\n company,\n branch,\n };\n}\n\nexport const authEmployeeRequired = createAuthMiddleware({\n subject: \"employee\",\n allowFirebaseIdToken: false,\n requireSubject: false,\n hydrate: async ({decoded, company_uid, branch_uid}) => {\n const employee_uid =\n extractEmployeeUid(decoded) ??\n normalizeUid(decoded?.employee?.uid);\n\n const {companiesFromToken, company, branch} = deriveCompanyBranch(\n decoded,\n company_uid,\n branch_uid\n );\n\n const employee =\n decoded?.employee && typeof decoded.employee === \"object\"\n ? decoded.employee\n : employee_uid\n ? {uid: employee_uid, email: decoded?.email ?? null}\n : undefined;\n\n return {\n employee_uid: employee_uid ?? undefined,\n employee,\n companies: companiesFromToken,\n company,\n branch,\n roles: Array.isArray(decoded?.roles) ? decoded.roles : [],\n permissions: Array.isArray(decoded?.permissions) ? 
decoded.permissions : [],\n denied_permissions: Array.isArray(decoded?.denied_permissions)\n ? decoded.denied_permissions\n : [],\n };\n },\n});\n\nexport const authCustomerRequired = createAuthMiddleware({\n subject: \"customer\",\n allowFirebaseIdToken: false,\n requireSubject: false,\n hydrate: async ({decoded, company_uid, branch_uid}) => {\n const customer_uid =\n extractCustomerUid(decoded) ??\n normalizeUid(decoded?.customer?.uid);\n\n const {companiesFromToken, company, branch} = deriveCompanyBranch(\n decoded,\n company_uid,\n branch_uid\n );\n\n const customer =\n decoded?.customer && typeof decoded.customer === \"object\"\n ? decoded.customer\n : customer_uid\n ? {uid: customer_uid}\n : undefined;\n\n return {\n customer_uid: customer_uid ?? undefined,\n customer,\n companies: companiesFromToken,\n company,\n branch,\n roles: Array.isArray(decoded?.roles) ? decoded.roles : [],\n permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],\n denied_permissions: Array.isArray(decoded?.denied_permissions)\n ? decoded.denied_permissions\n : [],\n };\n },\n});\n\nexport const authEmployeeAllowFirebase = createAuthMiddleware({\n subject: \"employee\",\n allowFirebaseIdToken: true,\n requireSubject: false,\n hydrate: async ({decoded, company_uid, branch_uid}) => {\n const employee_uid =\n extractEmployeeUid(decoded) ??\n normalizeUid(decoded?.employee?.uid);\n\n const {companiesFromToken, company, branch} = deriveCompanyBranch(\n decoded,\n company_uid,\n branch_uid\n );\n\n const employee =\n decoded?.employee && typeof decoded.employee === \"object\"\n ? decoded.employee\n : employee_uid\n ? {uid: employee_uid, email: decoded?.email ?? null}\n : undefined;\n\n return {\n employee_uid: employee_uid ?? undefined,\n employee,\n companies: companiesFromToken,\n company,\n branch,\n roles: Array.isArray(decoded?.roles) ? decoded.roles : [],\n permissions: Array.isArray(decoded?.permissions) ? 
decoded.permissions : [],\n denied_permissions: Array.isArray(decoded?.denied_permissions)\n ? decoded.denied_permissions\n : [],\n };\n },\n});\n\nexport const authCustomerAllowFirebase = createAuthMiddleware({\n subject: \"customer\",\n allowFirebaseIdToken: true,\n requireSubject: false,\n hydrate: async ({decoded, company_uid, branch_uid}) => {\n const customer_uid =\n extractCustomerUid(decoded) ??\n normalizeUid(decoded?.customer?.uid);\n\n const {companiesFromToken, company, branch} = deriveCompanyBranch(\n decoded,\n company_uid,\n branch_uid\n );\n\n const customer =\n decoded?.customer && typeof decoded.customer === \"object\"\n ? decoded.customer\n : customer_uid\n ? {uid: customer_uid}\n : undefined;\n\n return {\n customer_uid: customer_uid ?? undefined,\n customer,\n companies: companiesFromToken,\n company,\n branch,\n roles: Array.isArray(decoded?.roles) ? decoded.roles : [],\n permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],\n denied_permissions: Array.isArray(decoded?.denied_permissions)\n ? 
decoded.denied_permissions\n : [],\n };\n },\n});\n","// packages/sdk/src/middlewares/guards.ts\nimport type {Request, Response, NextFunction, RequestHandler} from \"express\";\nimport parseHeaders from \"./parseHeaders\";\nimport {authEmployeeRequired} from \"../auth\";\nimport {sendError} from \"./respond\";\n\ntype RoleShape = string | { code?: string; name?: string };\ntype PermShape = string | { code?: string; name?: string };\n\nfunction normalizeRole(r: RoleShape): string | null {\n if (!r) return null;\n if (typeof r === \"string\") return r;\n return r.code || r.name || null;\n}\n\nfunction normalizePerm(p: PermShape): string | null {\n if (!p) return null;\n if (typeof p === \"string\") return p;\n return p.code || p.name || null;\n}\n\nfunction isSysAdmin(roles: RoleShape[] | undefined): boolean {\n if (!Array.isArray(roles)) return false;\n return roles.some((r) => normalizeRole(r) === \"SYS_ADMIN\");\n}\n\nfunction getAuth(req: Request) {\n return ((req as any).auth ?? {}) as {\n roles?: RoleShape[];\n permissions?: PermShape[];\n denied_permissions?: PermShape[];\n };\n}\n\nfunction permissionSets(auth: ReturnType<typeof getAuth>) {\n const allow = new Set<string>((auth.permissions ?? []).map(normalizePerm).filter(Boolean) as string[]);\n const deny = new Set<string>((auth.denied_permissions ?? []).map(normalizePerm).filter(Boolean) as string[]);\n return {allow, deny};\n}\n\nfunction roleSet(auth: ReturnType<typeof getAuth>) {\n return new Set<string>((auth.roles ?? []).map(normalizeRole).filter(Boolean) as string[]);\n}\n\n/**\n * ✅ SysAdmin bypass OR (ANY) permissions\n * - Si tiene alguno de los permisos => OK\n * - denied_permissions gana siempre\n */\nexport function allowSysAdminOrAnyPermission(...perms: string[]): RequestHandler[] {\n const required = (perms ?? 
[]).filter(Boolean);\n\n return [\n parseHeaders,\n authEmployeeRequired,\n (req: Request, res: Response, next: NextFunction) => {\n const auth = getAuth(req);\n if (isSysAdmin(auth.roles)) return next();\n\n const {allow, deny} = permissionSets(auth);\n\n for (const p of required) {\n if (deny.has(p)) {\n return sendError(req, res, 403, \"FORBIDDEN\", `Denied permission: ${p}`, {denied: p});\n }\n }\n\n const ok = required.some((p) => allow.has(p));\n if (!ok) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Missing permissions (ANY)\", {required});\n }\n\n return next();\n },\n ];\n}\n\n/**\n * ✅ SysAdmin bypass OR (ALL) permissions (AND)\n */\nexport function allowSysAdminOrPermissionsAll(...perms: string[]): RequestHandler[] {\n const required = (perms ?? []).filter(Boolean);\n\n return [\n parseHeaders,\n authEmployeeRequired,\n (req: Request, res: Response, next: NextFunction) => {\n const auth = getAuth(req);\n if (isSysAdmin(auth.roles)) return next();\n\n const {allow, deny} = permissionSets(auth);\n\n for (const p of required) {\n if (deny.has(p)) {\n return sendError(req, res, 403, \"FORBIDDEN\", `Denied permission: ${p}`, {denied: p});\n }\n }\n\n const missing = required.filter((p) => !allow.has(p));\n if (missing.length) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Missing permissions (ALL)\", {required, missing});\n }\n\n return next();\n },\n ];\n}\n\n/**\n * ✅ SysAdmin bypass OR roles (ANY)\n */\nexport function allowSysAdminOrRoles(...roles: string[]): RequestHandler[] {\n const required = (roles ?? 
[]).filter(Boolean);\n\n return [\n parseHeaders,\n authEmployeeRequired,\n (req: Request, res: Response, next: NextFunction) => {\n const auth = getAuth(req);\n if (isSysAdmin(auth.roles)) return next();\n\n const have = roleSet(auth);\n\n const ok = required.some((r) => have.has(r));\n if (!ok) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Role not allowed\", {required});\n }\n\n return next();\n },\n ];\n}\n\n/**\n * ✅ SYS_ADMIN bypass OR (ANY) roles OR (ANY) permissions\n * - denied_permissions siempre gana\n */\nexport function allowSysAdminOrRolesOrAnyPermission(\n roles: string | string[],\n permissions: string | string[]\n): RequestHandler[] {\n const requiredRoles = (Array.isArray(roles) ? roles : [roles]).filter(Boolean);\n const requiredPerms = (Array.isArray(permissions) ? permissions : [permissions]).filter(Boolean);\n\n return [\n parseHeaders,\n authEmployeeRequired,\n (req: Request, res: Response, next: NextFunction) => {\n const auth = getAuth(req);\n if (isSysAdmin(auth.roles)) return next();\n\n const {allow, deny} = permissionSets(auth);\n for (const p of requiredPerms) {\n if (deny.has(p)) {\n return sendError(req, res, 403, \"FORBIDDEN\", `Denied: ${p}`, {permission: p});\n }\n }\n\n const haveRoles = roleSet(auth);\n if (requiredRoles.some((r) => haveRoles.has(r))) return next();\n\n if (requiredPerms.some((p) => allow.has(p))) return next();\n\n return sendError(req, res, 403, \"FORBIDDEN\", \"Permission denied\", {\n roles: requiredRoles,\n permissions: requiredPerms,\n mode: \"ROLES_OR_ANY_PERMISSION\",\n });\n },\n ];\n}\n\n/**\n * ✅ Helper específico Auth:\n * Rol AUTH_ADMIN o permiso fino (y SYS_ADMIN bypass)\n */\nexport function allowAuthAdminOrPerm(permission: string): RequestHandler[] {\n return allowSysAdminOrRolesOrAnyPermission([\"AUTH_ADMIN\"], 
[permission]);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACCO,IAAM,oBAAoB;AAE1B,IAAM,qBAAqB;AAC3B,IAAM,oBAAoB;AAC1B,IAAM,sBAAsB;AAE5B,IAAM,0BAA0B;;;ACQvC,SAAS,qBAAqB,GAA2B;AACrD,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,QAAM,IAAI,EAAE,KAAK;AACjB,MAAI,CAAC,EAAG,QAAO;AAGf,MAAI,EAAE,WAAW,GAAG,KAAK,EAAE,WAAW,GAAG,KAAK,EAAE,SAAS,GAAG,EAAG,QAAO;AAGtE,MAAI,EAAE,SAAS,EAAG,QAAO;AAEzB,SAAO;AACX;AAKA,SAAS,EAAE,SAA8B,KAAsB;AAC3D,SAAO,QAAQ,GAAG,KAAK,QAAQ,IAAI,YAAY,CAAC,KAAK,QAAQ,IAAI,YAAY,CAAC;AAClF;AASO,SAAS,6BAA6B,SAA8C;AACvF,SAAO;AAAA,IACH,WAAW,qBAAqB,EAAE,SAAS,iBAAiB,CAAC,KAAK;AAAA,IAClE,aAAa,qBAAqB,EAAE,SAAS,kBAAkB,CAAC,KAAK;AAAA,IACrE,YAAY,qBAAqB,EAAE,SAAS,iBAAiB,CAAC,KAAK;AAAA,IACnE,cAAc,qBAAqB,EAAE,SAAS,mBAAmB,CAAC,KAAK;AAAA,EAC3E;AACJ;;;ACxCe,SAAR,aAA8B,KAAc,MAAgB,MAAoB;AACnF,EAAC,IAAY,UAAU,6BAA6B,IAAI,OAAc;AACtE,OAAK;AACT;;;ACXA,oBAAsC;AAE/B,IAAM,oBAAoB;AAC1B,IAAM,wBAAwB;AAC9B,IAAM,6BAA6B;AAO3B,SAAR,UAA2B,KAAc,KAAe,MAAoB;AAC/E,QAAM,WAAY,IAAI,QAAQ,iBAAiB,KAAK,IAAI,QAAQ,qBAAqB;AAKrF,QAAM,KAAK,UAAU,KAAK,SAAK,0BAAW;AAG1C,EAAC,IAAY,YAAY;AACzB,MAAI,OAAO,YAAY;AAGvB,MAAI,UAAU,4BAA4B,EAAE;AAE5C,OAAK;AACT;;;AC5BA,gBAAe;AACf,IAAAA,iBAAmB;;;ACCZ,SAAS,OAAU,MAAe,KAAe,MAAS,aAAa,KAAK;AAC/E,SAAO,IAAI,OAAO,UAAU,EAAE,KAAK,EAAC,IAAI,MAAM,MAAM,WAAW,IAAI,QAAQ,aAAa,KAAI,CAAC;AACjG;AAEO,SAAS,UACZ,MACA,KACA,YACA,MACA,SACA,SACF;AACE,SAAO,IAAI,OAAO,UAAU,EAAE,KAAK;AAAA,IAC/B,IAAI;AAAA,IACJ,OAAO,EAAC,MAAM,SAAS,GAAI,YAAY,SAAY,EAAC,QAAO,IAAI,CAAC,EAAE;AAAA,IAClE,WAAW,IAAI,QAAQ,aAAa;AAAA,EACxC,CAAC;AACL;;;ADdA,SAAS,eAAe,MAA8B;AAClD,MAAI,CAAC,KAAM,QAAO;AAClB,MAAI;AACA,UAAM,IAAI,UAAAC,QAAG,aAAa,MAAM,MAAM,EAAE,KAAK;AAC7C,WAAO,EAAE,SAAS,IAAI;AAAA,EAC1B,QAAQ;AACJ,WAAO;AAAA,EACX;AACJ;AAEA,SAAS,UAAU,GAA6B;AAC5C,MAAI,CAAC,EAAG,QAAO,CAAC;AAChB,SAAO,EAAE,MAAM,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO;AAC3D;AAEA,SAAS,kBAA4B;AACjC,QAAM,UAAU,eAAe,QAAQ,IAAI,qBAAqB;AAChE,QAAM,UAAU,QAAQ,IAAI,oBAAoB,IAAI,KAAK;AAC
zD,QAAM,MAAM,WAAW;AACvB,SAAO,UAAU,GAAG;AACxB;AAEA,SAAS,aAAa,KAA6B;AAC/C,QAAM,UAAU,IAAI,OAAO,uBAAuB,KAAK,IAAI,KAAK;AAChE,SAAO,UAAU;AACrB;AAEA,SAAS,WAAW,GAAW,GAAoB;AAC/C,QAAM,KAAK,OAAO,KAAK,CAAC;AACxB,QAAM,KAAK,OAAO,KAAK,CAAC;AACxB,MAAI,GAAG,WAAW,GAAG,OAAQ,QAAO;AACpC,SAAO,eAAAC,QAAO,gBAAgB,IAAI,EAAE;AACxC;AAEe,SAAR,aAA8B,KAAc,KAAe,MAAoB;AAClF,QAAM,QAAQ,aAAa,GAAG;AAE9B,MAAI,CAAC,OAAO;AACR,WAAO,UAAU,KAAK,KAAK,KAAK,gBAAgB,6BAA6B,uBAAuB,GAAG;AAAA,EAC3G;AAEA,QAAM,eAAe,gBAAgB;AACrC,MAAI,aAAa,WAAW,GAAG;AAC3B,WAAO;AAAA,MACH;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACJ;AAAA,EACJ;AAEA,QAAM,KAAK,aAAa,KAAK,CAAC,MAAM,WAAW,OAAO,CAAC,CAAC;AACxD,MAAI,CAAC,IAAI;AACL,WAAO,UAAU,KAAK,KAAK,KAAK,aAAa,0BAA0B;AAAA,EAC3E;AAEA,SAAO,KAAK;AAChB;;;AEnDA,SAAS,QAAQ,KAAyB;AACtC,SAAS,IAAY,QAAQ,CAAC;AAClC;AAEA,SAAS,cAAc,GAAuB;AAC1C,MAAI,CAAC,EAAG,QAAO;AACf,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,MAAI,OAAO,MAAM,SAAU,QAAO,EAAE,QAAQ,EAAE,QAAQ;AACtD,SAAO;AACX;AAEA,SAAS,SAAS,MAA8B;AAC5C,QAAM,MAAM,oBAAI,IAAY;AAC5B,aAAW,KAAK,KAAK,SAAS,CAAC,GAAG;AAC9B,UAAM,IAAI,cAAc,CAAC;AACzB,QAAI,EAAG,KAAI,IAAI,CAAC;AAAA,EACpB;AACA,SAAO;AACX;AAEA,SAAS,SAAS,MAAsC;AACpD,QAAM,MAAM,oBAAI,IAAY;AAC5B,aAAW,KAAK,QAAQ,CAAC,GAAG;AACxB,UAAM,IAAI,cAAc,CAAC;AACzB,QAAI,EAAG,KAAI,IAAI,CAAC;AAAA,EACpB;AACA,SAAO;AACX;AAMO,SAAS,qBAAqB;AACjC,SAAO,CAAC,KAAc,KAAe,SAAuB;AACxD,QAAI,CAAE,IAAY,MAAM;AACpB,aAAO,UAAU,KAAK,KAAK,KAAK,gBAAgB,sBAAsB;AAAA,IAC1E;AACA,WAAO,KAAK;AAAA,EAChB;AACJ;AAKA,SAAS,WAAW,MAAiB,cAAsB;AACvD,QAAM,OAAO,SAAS,IAAI;AAC1B,SAAO,KAAK,IAAI,YAAY;AAChC;AAUO,SAAS,mBACZ,OACA,SACF;AACE,QAAM,iBAAiB,SAAS,mBAAmB;AACnD,QAAM,eAAe,SAAS,gBAAgB;AAE9C,SAAO,CAAC,KAAc,KAAe,SAAuB;AACxD,UAAM,OAAO,QAAQ,GAAG;AAExB,QAAI,kBAAkB,WAAW,MAAM,YAAY,EAAG,QAAO,KAAK;AAElE,UAAM,QAAQ,SAAS,KAAK,WAAW;AACvC,UAAM,OAAO,SAAS,KAAK,kBAAkB;AAG7C,eAAW,KAAK,OAAO;AACnB,UAAI,KAAK,IAAI,CAAC,GAAG;AACb,eAAO,UAAU,KAAK,KAAK,KAAK,aAAa,sBAAsB,CAAC,IAAI;AAAA,UACpE,QAAQ;AAAA,QACZ,CAAC;AAAA,MACL;AAAA,IACJ;AAEA,UAAM,UAAU,MAAM,OAAO,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,CAAC;AACjD,QAAI,QAAQ,QAAQ;AAChB
,aAAO,UAAU,KAAK,KAAK,KAAK,aAAa,uBAAuB;AAAA,QAChE;AAAA,QACA,MAAM;AAAA,MACV,CAAC;AAAA,IACL;AAEA,WAAO,KAAK;AAAA,EAChB;AACJ;AAMO,SAAS,qBACZ,OACA,SACF;AACE,QAAM,iBAAiB,SAAS,mBAAmB;AACnD,QAAM,eAAe,SAAS,gBAAgB;AAE9C,SAAO,CAAC,KAAc,KAAe,SAAuB;AACxD,UAAM,OAAO,QAAQ,GAAG;AAExB,QAAI,kBAAkB,WAAW,MAAM,YAAY,EAAG,QAAO,KAAK;AAElE,UAAM,QAAQ,SAAS,KAAK,WAAW;AACvC,UAAM,OAAO,SAAS,KAAK,kBAAkB;AAG7C,eAAW,KAAK,OAAO;AACnB,UAAI,KAAK,IAAI,CAAC,GAAG;AACb,eAAO,UAAU,KAAK,KAAK,KAAK,aAAa,sBAAsB,CAAC,IAAI;AAAA,UACpE,QAAQ;AAAA,QACZ,CAAC;AAAA,MACL;AAAA,IACJ;AAEA,UAAM,KAAK,MAAM,KAAK,CAAC,MAAM,MAAM,IAAI,CAAC,CAAC;AACzC,QAAI,CAAC,IAAI;AACL,aAAO,UAAU,KAAK,KAAK,KAAK,aAAa,qBAAqB;AAAA,QAC9D,UAAU;AAAA,QACV,MAAM;AAAA,MACV,CAAC;AAAA,IACL;AAEA,WAAO,KAAK;AAAA,EAChB;AACJ;AAQO,SAAS,aACZ,OACA,SACF;AACE,QAAM,iBAAiB,SAAS,mBAAmB;AACnD,QAAM,eAAe,SAAS,gBAAgB;AAE9C,SAAO,CAAC,KAAc,KAAe,SAAuB;AACxD,UAAM,OAAO,QAAQ,GAAG;AAGxB,QAAI,kBAAkB,WAAW,MAAM,YAAY,EAAG,QAAO,KAAK;AAElE,UAAM,OAAO,SAAS,IAAI;AAC1B,QAAI,CAAC,MAAM,KAAK,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC,GAAG;AACjC,aAAO,UAAU,KAAK,KAAK,KAAK,aAAa,oBAAoB;AAAA,QAC7D,UAAU;AAAA,QACV,MAAM;AAAA,MACV,CAAC;AAAA,IACL;AAEA,WAAO,KAAK;AAAA,EAChB;AACJ;AAMO,SAAS,4BACZ,OACA,OACA,SACF;AACE,QAAM,iBAAiB,SAAS,mBAAmB;AACnD,QAAM,eAAe,SAAS,gBAAgB;AAE9C,SAAO,CAAC,KAAc,KAAe,SAAuB;AACxD,UAAM,OAAO,QAAQ,GAAG;AAExB,QAAI,kBAAkB,WAAW,MAAM,YAAY,EAAG,QAAO,KAAK;AAElE,UAAM,YAAY,SAAS,IAAI;AAC/B,UAAM,QAAQ,SAAS,KAAK,WAAW;AACvC,UAAM,OAAO,SAAS,KAAK,kBAAkB;AAG7C,eAAW,KAAK,OAAO;AACnB,UAAI,KAAK,IAAI,CAAC,GAAG;AACb,eAAO,UAAU,KAAK,KAAK,KAAK,aAAa,sBAAsB,CAAC,IAAI;AAAA,UACpE,QAAQ;AAAA,QACZ,CAAC;AAAA,MACL;AAAA,IACJ;AAEA,UAAM,SAAS,MAAM,KAAK,CAAC,MAAM,UAAU,IAAI,CAAC,CAAC;AACjD,UAAM,SAAS,MAAM,KAAK,CAAC,MAAM,MAAM,IAAI,CAAC,CAAC;AAE7C,QAAI,CAAC,UAAU,CAAC,QAAQ;AACpB,aAAO,UAAU,KAAK,KAAK,KAAK,aAAa,iBAAiB;AAAA,QAC1D;AAAA,QACA,aAAa;AAAA,QACb,MAAM;AAAA,MACV,CAAC;AAAA,IACL;AAEA,WAAO,KAAK;AAAA,EAChB;AACJ;;;AC7NA,IAAAC,aAAe;AACf,0BAA8B;AAE9B,SAAS,iBAAiB,MAA8B;AACtD,MAAI,CAAC,KAAM,QAAO;AAClB,MAAI;AACF,UAAM,IAAI,WAAAC,QAAG,aAAa,MAAM,MAAM,EAAE,KAA
K;AAC7C,WAAO,EAAE,SAAS,IAAI;AAAA,EACxB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,eAAe,KAAyB;AACtD,QAAM,OAAO,OAAO,KAAK,SAAS,iBAAiB,EAAE;AACrD,MAAI,CAAC,KAAK,WAAW,SAAS,EAAG,QAAO;AACxC,QAAM,QAAQ,KAAK,MAAM,CAAC,EAAE,KAAK;AACjC,SAAO,MAAM,SAAS,QAAQ;AAChC;AAEO,SAAS,aAAa,GAAuB;AAClD,QAAM,IAAI,OAAO,KAAK,EAAE,EAAE,KAAK;AAC/B,SAAO,EAAE,SAAS,IAAI;AACxB;AAOO,SAAS,qBAA6B;AAC3C,QAAM,WAAW,iBAAiB,QAAQ,IAAI,mBAAmB;AACjE,MAAI,SAAU,QAAO;AAErB,QAAM,UAAU;AAAA,IACd,QAAQ,IAAI,uBAAuB,QAAQ,IAAI,uBAAuB;AAAA,EACxE,EACG,QAAQ,QAAQ,IAAI,EACpB,KAAK;AAER,MAAI,QAAS,QAAO;AAEpB,QAAM,IAAI;AAAA,IACR;AAAA,EACF;AACF;AAEO,SAAS,sBAAsB,KAAyB;AAC7D,QAAM,YAAY,mBAAmB;AAErC,QAAM,WACJ,QAAQ,IAAI,gBACZ,QAAQ,IAAI,qBACZ;AAEF,QAAM,SACJ,QAAQ,IAAI,cACZ,QAAQ,IAAI,mBACZ;AAEF,SAAO,oBAAAC,QAAI,OAAO,KAAK,WAAW;AAAA,IAChC,YAAY,CAAC,OAAO;AAAA,IACpB;AAAA,IACA;AAAA,EACF,CAAC;AACH;AAEO,SAAS,mBAAmB,SAA6B;AAC9D,QAAM,SACJ,aAAa,SAAS,YAAY,KAClC,aAAa,SAAS,UAAU,GAAG;AAErC,MAAI,OAAQ,QAAO;AAEnB,QAAM,MAAM,aAAa,SAAS,GAAG;AACrC,MAAI,CAAC,IAAK,QAAO;AAEjB,QAAM,QAAQ,cAAc,KAAK,GAAG;AACpC,SAAO,QAAQ,CAAC,IAAI,aAAa,MAAM,CAAC,CAAC,IAAI;AAC/C;AAEO,SAAS,mBAAmB,SAA6B;AAC9D,QAAM,SACJ,aAAa,SAAS,YAAY,KAClC,aAAa,SAAS,UAAU,GAAG;AAErC,MAAI,OAAQ,QAAO;AAEnB,QAAM,MAAM,aAAa,SAAS,GAAG;AACrC,MAAI,CAAC,IAAK,QAAO;AAEjB,QAAM,QAAQ,cAAc,KAAK,GAAG;AACpC,SAAO,QAAQ,CAAC,IAAI,aAAa,MAAM,CAAC,CAAC,IAAI;AAC/C;;;ACnFO,SAAS,qBAAqB,MAA6B;AAChE,QAAM;AAAA,IACJ;AAAA,IACA,uBAAuB;AAAA,IACvB,iBAAiB;AAAA,IACjB;AAAA,EACF,IAAI;AAEJ,SAAO,OAAO,KAAU,KAAe,SAAuB;AAC5D,UAAM,QAAQ,eAAe,GAAG;AAEhC,QAAI,CAAC,OAAO;AACV,aAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,QAC1B,IAAI;AAAA,QACJ,MAAM;AAAA,QACN,SAAS;AAAA,MACX,CAAC;AAAA,IACH;AAEA,UAAM,YAAa,IAAY,WAAW,CAAC;AAC3C,UAAM,cAAc,aAAa,UAAU,WAAW;AACtD,UAAM,aAAa,aAAa,UAAU,UAAU;AAEpD,QAAI;AACF,YAAM,UAAe,sBAAsB,KAAK;AAEhD,YAAM,UAAuB;AAAA,QAC3B,WAAW;AAAA,QACX;AAAA,QACA,aAAa,eAAe;AAAA,QAC5B,YAAY,cAAc;AAAA,QAC1B,OAAO,MAAM,QAAQ,SAAS,KAAK,IAAI,QAAQ,QAAQ,CAAC;AAAA,QACxD,aAAa,MAAM,QAAQ,SAAS,WAAW,IAC3C,QAAQ,cACR,CAAC;AAAA,QACL,oBAAoB,MAAM,QAAQ,SAAS,kBAAkB,IACzD,QAAQ,qBACR,CAAC;AA
AA,QACL,SAAS;AAAA,UACP,KAAK,SAAS;AAAA,UACd,WAAW,SAAS;AAAA,UACpB,YAAY,SAAS;AAAA,QACvB;AAAA,MACF;AAEA,UAAI,YAAY,YAAY;AAC1B,gBAAQ,eAAe,mBAAmB,OAAO,KAAK;AAAA,MACxD,OAAO;AACL,gBAAQ,eAAe,mBAAmB,OAAO,KAAK;AAAA,MACxD;AAEA,YAAM,WAAW,MAAM,QAAQ;AAAA,QAC7B;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,CAAC;AAED,aAAO,OAAO,SAAS,QAAQ;AAE/B,UAAI,YAAY,cAAc,CAAC,QAAQ,cAAc;AACnD,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,IAAI;AAAA,UACJ,MAAM;AAAA,UACN,SACE;AAAA,QACJ,CAAC;AAAA,MACH;AAEA,UAAI,YAAY,cAAc,CAAC,QAAQ,cAAc;AACnD,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,IAAI;AAAA,UACJ,MAAM;AAAA,UACN,SACE;AAAA,QACJ,CAAC;AAAA,MACH;AAEA,UAAI,gBAAgB;AAClB,YAAI,YAAY,cAAc,CAAC,QAAQ,UAAU;AAC/C,iBAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,YAC1B,IAAI;AAAA,YACJ,MAAM;AAAA,YACN,SAAS;AAAA,UACX,CAAC;AAAA,QACH;AAEA,YAAI,YAAY,cAAc,CAAC,QAAQ,UAAU;AAC/C,iBAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,YAC1B,IAAI;AAAA,YACJ,MAAM;AAAA,YACN,SAAS;AAAA,UACX,CAAC;AAAA,QACH;AAAA,MACF;AAEA,MAAC,IAAY,OAAO;AACpB,aAAO,KAAK;AAAA,IACd,QAAQ;AACN,UAAI,CAAC,sBAAsB;AACzB,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,IAAI;AAAA,UACJ,MAAM;AAAA,UACN,SAAS;AAAA,QACX,CAAC;AAAA,MACH;AAEA,UAAI;AACF,cAAM,EAAC,SAAS,MAAK,IAAI,MAAM,OAAO,gBAAgB;AACtD,cAAM,kBAAkB,MAAM,MAAM,KAAK,EAAE,cAAc,KAAK;AAE9D,YAAI,gBAAgB,SAAS,gBAAgB,mBAAmB,OAAO;AACrE,iBAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,YAC1B,IAAI;AAAA,YACJ,MAAM;AAAA,YACN,SAAS;AAAA,UACX,CAAC;AAAA,QACH;AAEA,QAAC,IAAY,OAAO;AAAA,UAClB,WAAW;AAAA,UACX;AAAA,UACA,UAAU;AAAA,UACV,aAAa,eAAe;AAAA,UAC5B,YAAY,cAAc;AAAA,UAC1B,WAAW,CAAC;AAAA,UACZ,OAAO,CAAC;AAAA,UACR,aAAa,CAAC;AAAA,UACd,oBAAoB,CAAC;AAAA,QACvB;AAEA,eAAO,KAAK;AAAA,MACd,QAAQ;AACN,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,IAAI;AAAA,UACJ,MAAM;AAAA,UACN,SAAS;AAAA,QACX,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AACF;;;AC3IA,SAAS,oBAAoB,SAAc,YAA2B,WAA0B;AAC9F,QAAM,qBAAqB,MAAM,QAAQ,SAAS,SAAS,IACvD,QAAQ,YACR,CAAC;AAEL,QAAM,UACJ,SAAS,YACR,aACG,mBAAmB,KAAK,CAAC,MAAW,GAAG,QAAQ,UAAU,IACzD,SACJ;AAEF,QAAM,SACJ,SAAS,WACR,aAAa,SAAS,YAClB,QAAQ,YAAY,CAAC,GAAG,KAAK,CAAC,MAAW,GAAG,QAAQ,SAAS,IAC9D,SACJ;AAEF,SAA
O;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAEO,IAAM,uBAAuB,qBAAqB;AAAA,EACvD,SAAS;AAAA,EACT,sBAAsB;AAAA,EACtB,gBAAgB;AAAA,EAChB,SAAS,OAAO,EAAC,SAAS,aAAa,WAAU,MAAM;AACrD,UAAM,eACJ,mBAAmB,OAAO,KAC1B,aAAa,SAAS,UAAU,GAAG;AAErC,UAAM,EAAC,oBAAoB,SAAS,OAAM,IAAI;AAAA,MAC5C;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAEA,UAAM,WACJ,SAAS,YAAY,OAAO,QAAQ,aAAa,WAC7C,QAAQ,WACR,eACE,EAAC,KAAK,cAAc,OAAO,SAAS,SAAS,KAAI,IACjD;AAER,WAAO;AAAA,MACL,cAAc,gBAAgB;AAAA,MAC9B;AAAA,MACA,WAAW;AAAA,MACX;AAAA,MACA;AAAA,MACA,OAAO,MAAM,QAAQ,SAAS,KAAK,IAAI,QAAQ,QAAQ,CAAC;AAAA,MACxD,aAAa,MAAM,QAAQ,SAAS,WAAW,IAAI,QAAQ,cAAc,CAAC;AAAA,MAC1E,oBAAoB,MAAM,QAAQ,SAAS,kBAAkB,IACzD,QAAQ,qBACR,CAAC;AAAA,IACP;AAAA,EACF;AACF,CAAC;AAEM,IAAM,uBAAuB,qBAAqB;AAAA,EACvD,SAAS;AAAA,EACT,sBAAsB;AAAA,EACtB,gBAAgB;AAAA,EAChB,SAAS,OAAO,EAAC,SAAS,aAAa,WAAU,MAAM;AACrD,UAAM,eACJ,mBAAmB,OAAO,KAC1B,aAAa,SAAS,UAAU,GAAG;AAErC,UAAM,EAAC,oBAAoB,SAAS,OAAM,IAAI;AAAA,MAC5C;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAEA,UAAM,WACJ,SAAS,YAAY,OAAO,QAAQ,aAAa,WAC7C,QAAQ,WACR,eACE,EAAC,KAAK,aAAY,IAClB;AAER,WAAO;AAAA,MACL,cAAc,gBAAgB;AAAA,MAC9B;AAAA,MACA,WAAW;AAAA,MACX;AAAA,MACA;AAAA,MACA,OAAO,MAAM,QAAQ,SAAS,KAAK,IAAI,QAAQ,QAAQ,CAAC;AAAA,MACxD,aAAa,MAAM,QAAQ,SAAS,WAAW,IAAI,QAAQ,cAAc,CAAC;AAAA,MAC1E,oBAAoB,MAAM,QAAQ,SAAS,kBAAkB,IACzD,QAAQ,qBACR,CAAC;AAAA,IACP;AAAA,EACF;AACF,CAAC;AAEM,IAAM,4BAA4B,qBAAqB;AAAA,EAC5D,SAAS;AAAA,EACT,sBAAsB;AAAA,EACtB,gBAAgB;AAAA,EAChB,SAAS,OAAO,EAAC,SAAS,aAAa,WAAU,MAAM;AACrD,UAAM,eACJ,mBAAmB,OAAO,KAC1B,aAAa,SAAS,UAAU,GAAG;AAErC,UAAM,EAAC,oBAAoB,SAAS,OAAM,IAAI;AAAA,MAC5C;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAEA,UAAM,WACJ,SAAS,YAAY,OAAO,QAAQ,aAAa,WAC7C,QAAQ,WACR,eACE,EAAC,KAAK,cAAc,OAAO,SAAS,SAAS,KAAI,IACjD;AAER,WAAO;AAAA,MACL,cAAc,gBAAgB;AAAA,MAC9B;AAAA,MACA,WAAW;AAAA,MACX;AAAA,MACA;AAAA,MACA,OAAO,MAAM,QAAQ,SAAS,KAAK,IAAI,QAAQ,QAAQ,CAAC;AAAA,MACxD,aAAa,MAAM,QAAQ,SAAS,WAAW,IAAI,QAAQ,cAAc,CAAC;AAAA,MAC1E,oBAAoB,MAAM,QAAQ,SAAS,kBAAkB,IACzD,QAAQ,qBACR,CAAC;AAAA,IACP;AAAA,EACF;AACF,CAAC;AAEM,IAAM,4BAA4B,qBAAqB;AAAA,EAC5D,SAAS;AAAA,EACT,sBAAsB;AAAA,
EACtB,gBAAgB;AAAA,EAChB,SAAS,OAAO,EAAC,SAAS,aAAa,WAAU,MAAM;AACrD,UAAM,eACJ,mBAAmB,OAAO,KAC1B,aAAa,SAAS,UAAU,GAAG;AAErC,UAAM,EAAC,oBAAoB,SAAS,OAAM,IAAI;AAAA,MAC5C;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAEA,UAAM,WACJ,SAAS,YAAY,OAAO,QAAQ,aAAa,WAC7C,QAAQ,WACR,eACE,EAAC,KAAK,aAAY,IAClB;AAER,WAAO;AAAA,MACL,cAAc,gBAAgB;AAAA,MAC9B;AAAA,MACA,WAAW;AAAA,MACX;AAAA,MACA;AAAA,MACA,OAAO,MAAM,QAAQ,SAAS,KAAK,IAAI,QAAQ,QAAQ,CAAC;AAAA,MACxD,aAAa,MAAM,QAAQ,SAAS,WAAW,IAAI,QAAQ,cAAc,CAAC;AAAA,MAC1E,oBAAoB,MAAM,QAAQ,SAAS,kBAAkB,IACzD,QAAQ,qBACR,CAAC;AAAA,IACP;AAAA,EACF;AACF,CAAC;;;AChLD,SAAS,cAAc,GAA6B;AAChD,MAAI,CAAC,EAAG,QAAO;AACf,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,SAAO,EAAE,QAAQ,EAAE,QAAQ;AAC/B;AAEA,SAAS,cAAc,GAA6B;AAChD,MAAI,CAAC,EAAG,QAAO;AACf,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,SAAO,EAAE,QAAQ,EAAE,QAAQ;AAC/B;AAEA,SAASC,YAAW,OAAyC;AACzD,MAAI,CAAC,MAAM,QAAQ,KAAK,EAAG,QAAO;AAClC,SAAO,MAAM,KAAK,CAAC,MAAM,cAAc,CAAC,MAAM,WAAW;AAC7D;AAEA,SAASC,SAAQ,KAAc;AAC3B,SAAS,IAAY,QAAQ,CAAC;AAKlC;AAEA,SAAS,eAAe,MAAkC;AACtD,QAAM,QAAQ,IAAI,KAAa,KAAK,eAAe,CAAC,GAAG,IAAI,aAAa,EAAE,OAAO,OAAO,CAAa;AACrG,QAAM,OAAO,IAAI,KAAa,KAAK,sBAAsB,CAAC,GAAG,IAAI,aAAa,EAAE,OAAO,OAAO,CAAa;AAC3G,SAAO,EAAC,OAAO,KAAI;AACvB;AAEA,SAAS,QAAQ,MAAkC;AAC/C,SAAO,IAAI,KAAa,KAAK,SAAS,CAAC,GAAG,IAAI,aAAa,EAAE,OAAO,OAAO,CAAa;AAC5F;AAOO,SAAS,gCAAgC,OAAmC;AAC/E,QAAM,YAAY,SAAS,CAAC,GAAG,OAAO,OAAO;AAE7C,SAAO;AAAA,IACH;AAAA,IACA;AAAA,IACA,CAAC,KAAc,KAAe,SAAuB;AACjD,YAAM,OAAOA,SAAQ,GAAG;AACxB,UAAID,YAAW,KAAK,KAAK,EAAG,QAAO,KAAK;AAExC,YAAM,EAAC,OAAO,KAAI,IAAI,eAAe,IAAI;AAEzC,iBAAW,KAAK,UAAU;AACtB,YAAI,KAAK,IAAI,CAAC,GAAG;AACb,iBAAO,UAAU,KAAK,KAAK,KAAK,aAAa,sBAAsB,CAAC,IAAI,EAAC,QAAQ,EAAC,CAAC;AAAA,QACvF;AAAA,MACJ;AAEA,YAAM,KAAK,SAAS,KAAK,CAAC,MAAM,MAAM,IAAI,CAAC,CAAC;AAC5C,UAAI,CAAC,IAAI;AACL,eAAO,UAAU,KAAK,KAAK,KAAK,aAAa,6BAA6B,EAAC,SAAQ,CAAC;AAAA,MACxF;AAEA,aAAO,KAAK;AAAA,IAChB;AAAA,EACJ;AACJ;AAKO,SAAS,iCAAiC,OAAmC;AAChF,QAAM,YAAY,SAAS,CAAC,GAAG,OAAO,OAAO;AAE7C,SAAO;AAAA,IACH;AAAA,IACA;AAAA,IACA,CAAC,KAAc,KAAe,SAAuB;AACjD,YAAM,OAAOC,SAAQ,GAAG;AACxB,UAAID,YAA
W,KAAK,KAAK,EAAG,QAAO,KAAK;AAExC,YAAM,EAAC,OAAO,KAAI,IAAI,eAAe,IAAI;AAEzC,iBAAW,KAAK,UAAU;AACtB,YAAI,KAAK,IAAI,CAAC,GAAG;AACb,iBAAO,UAAU,KAAK,KAAK,KAAK,aAAa,sBAAsB,CAAC,IAAI,EAAC,QAAQ,EAAC,CAAC;AAAA,QACvF;AAAA,MACJ;AAEA,YAAM,UAAU,SAAS,OAAO,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,CAAC;AACpD,UAAI,QAAQ,QAAQ;AAChB,eAAO,UAAU,KAAK,KAAK,KAAK,aAAa,6BAA6B,EAAC,UAAU,QAAO,CAAC;AAAA,MACjG;AAEA,aAAO,KAAK;AAAA,IAChB;AAAA,EACJ;AACJ;AAKO,SAAS,wBAAwB,OAAmC;AACvE,QAAM,YAAY,SAAS,CAAC,GAAG,OAAO,OAAO;AAE7C,SAAO;AAAA,IACH;AAAA,IACA;AAAA,IACA,CAAC,KAAc,KAAe,SAAuB;AACjD,YAAM,OAAOC,SAAQ,GAAG;AACxB,UAAID,YAAW,KAAK,KAAK,EAAG,QAAO,KAAK;AAExC,YAAM,OAAO,QAAQ,IAAI;AAEzB,YAAM,KAAK,SAAS,KAAK,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC;AAC3C,UAAI,CAAC,IAAI;AACL,eAAO,UAAU,KAAK,KAAK,KAAK,aAAa,oBAAoB,EAAC,SAAQ,CAAC;AAAA,MAC/E;AAEA,aAAO,KAAK;AAAA,IAChB;AAAA,EACJ;AACJ;AAMO,SAAS,oCACZ,OACA,aACgB;AAChB,QAAM,iBAAiB,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC,KAAK,GAAG,OAAO,OAAO;AAC7E,QAAM,iBAAiB,MAAM,QAAQ,WAAW,IAAI,cAAc,CAAC,WAAW,GAAG,OAAO,OAAO;AAE/F,SAAO;AAAA,IACH;AAAA,IACA;AAAA,IACA,CAAC,KAAc,KAAe,SAAuB;AACjD,YAAM,OAAOC,SAAQ,GAAG;AACxB,UAAID,YAAW,KAAK,KAAK,EAAG,QAAO,KAAK;AAExC,YAAM,EAAC,OAAO,KAAI,IAAI,eAAe,IAAI;AACzC,iBAAW,KAAK,eAAe;AAC3B,YAAI,KAAK,IAAI,CAAC,GAAG;AACb,iBAAO,UAAU,KAAK,KAAK,KAAK,aAAa,WAAW,CAAC,IAAI,EAAC,YAAY,EAAC,CAAC;AAAA,QAChF;AAAA,MACJ;AAEA,YAAM,YAAY,QAAQ,IAAI;AAC9B,UAAI,cAAc,KAAK,CAAC,MAAM,UAAU,IAAI,CAAC,CAAC,EAAG,QAAO,KAAK;AAE7D,UAAI,cAAc,KAAK,CAAC,MAAM,MAAM,IAAI,CAAC,CAAC,EAAG,QAAO,KAAK;AAEzD,aAAO,UAAU,KAAK,KAAK,KAAK,aAAa,qBAAqB;AAAA,QAC9D,OAAO;AAAA,QACP,aAAa;AAAA,QACb,MAAM;AAAA,MACV,CAAC;AAAA,IACL;AAAA,EACJ;AACJ;AAMO,SAAS,qBAAqB,YAAsC;AACvE,SAAO,oCAAoC,CAAC,YAAY,GAAG,CAAC,UAAU,CAAC;AAC3E;","names":["import_crypto","fs","crypto","import_fs","fs","jwt","isSysAdmin","getAuth"]}
1
+ {"version":3,"sources":["../../src/middlewares/index.ts","../../src/headers/constants.ts","../../src/headers/parse.ts","../../src/middlewares/parseHeaders.ts","../../src/middlewares/requestId.ts","../../src/middlewares/internalAuth.ts","../../src/middlewares/respond.ts","../../src/middlewares/authorization.ts","../../src/middlewares/guards.ts"],"sourcesContent":["export { default as parseHeaders } from \"./parseHeaders\";\nexport { default as requestId } from \"./requestId\";\nexport { default as internalAuth } from \"./internalAuth\";\n\nexport { sendOk, sendError } from \"./respond\";\n\n// authorization.ts\nexport {\n requireAuthContext,\n requirePermissions,\n requireAnyPermission,\n requireRoles,\n requireRolesOrAnyPermission,\n} from \"./authorization\";\n\n// guards.ts\nexport {\n allowSysAdminOrAnyPermission,\n allowSysAdminOrPermissionsAll,\n allowSysAdminOrRoles,\n allowSysAdminOrRolesOrAnyPermission,\n allowAuthAdminOrPerm,\n} from \"./guards\";\n","// packages/sdk/src/constants.ts\nexport const HEADER_REQUEST_ID = \"x-request-id\";\n\nexport const HEADER_COMPANY_UID = \"x-company\";\nexport const HEADER_BRANCH_UID = \"x-branch\";\nexport const HEADER_EMPLOYEE_UID = \"x-employee-uid\";\n\nexport const HEADER_INTERNAL_API_KEY = \"x-internal-api-key\";\nexport const HEADER_AUTHORIZATION = \"authorization\";\n","// packages/sdk/src/parse.ts\nimport {\n HEADER_BRANCH_UID,\n HEADER_COMPANY_UID,\n HEADER_EMPLOYEE_UID,\n HEADER_REQUEST_ID,\n} from \"./constants\";\n\nexport type RequestContext = {\n requestId?: string | null;\n company_uid?: string | null;\n branch_uid?: string | null;\n employee_uid?: string | null;\n};\n\nfunction normalizeHeaderValue(v: unknown): string | null {\n if (typeof v !== \"string\") return null;\n const s = v.trim();\n if (!s) return null;\n\n // ✅ NO-LEGACY: bloquea JSON en headers\n if (s.startsWith(\"{\") || s.startsWith(\"[\") || s.includes('\"')) return null;\n\n // Evitar valores demasiado cortos (basura)\n if (s.length < 
6) return null;\n\n return s;\n}\n\n/**\n * Lee header aunque venga en mayúsculas/minúsculas (Express suele bajar a lower-case).\n */\nfunction h(headers: Record<string, any>, key: string): unknown {\n return headers[key] ?? headers[key.toLowerCase()] ?? headers[key.toUpperCase()];\n}\n\n/**\n * ✅ NO-LEGACY:\n * - x-company: <UID>\n * - x-branch: <UID>\n * - x-employee-uid: <UID> (opcional; NO reemplaza JWT)\n * - x-request-id: string (opcional)\n */\nexport function getRequestContextFromHeaders(headers: Record<string, any>): RequestContext {\n return {\n requestId: normalizeHeaderValue(h(headers, HEADER_REQUEST_ID)) ?? null,\n company_uid: normalizeHeaderValue(h(headers, HEADER_COMPANY_UID)) ?? null,\n branch_uid: normalizeHeaderValue(h(headers, HEADER_BRANCH_UID)) ?? null,\n employee_uid: normalizeHeaderValue(h(headers, HEADER_EMPLOYEE_UID)) ?? null,\n };\n}\n","// sdk/src/middlewares/parseHeaders.ts\nimport type {Request, Response, NextFunction} from \"express\";\nimport {getRequestContextFromHeaders} from \"../headers\";\n\n/**\n * ✅ NO-LEGACY / ESTÁNDAR:\n * - Lee SOLO x-company y x-branch (UIDs planos)\n * - Setea req.context = { company_uid, branch_uid }\n * - NO toca req.auth (auth lo setea authentication/requireAuth)\n */\nexport default function parseHeaders(req: Request, _res: Response, next: NextFunction) {\n (req as any).context = getRequestContextFromHeaders(req.headers as any);\n next();\n}\n","// middlewares/requestId.ts\nimport type {Request, Response, NextFunction} from \"express\";\nimport {randomUUID, randomBytes} from \"crypto\";\n\nexport const REQUEST_ID_HEADER = \"x-request-id\";\nexport const REQUEST_ID_HEADER_ALT = \"x-requestid\";\nexport const RESPONSE_REQUEST_ID_HEADER = \"X-Request-Id\";\n\n// Si quieres IDs más cortos (opcional). 
Por defecto usamos UUID.\nfunction nanoidLike(len = 21) {\n return randomBytes(16).toString(\"base64url\").slice(0, len);\n}\n\nexport default function requestId(req: Request, res: Response, next: NextFunction) {\n const headerId = (req.headers[REQUEST_ID_HEADER] || req.headers[REQUEST_ID_HEADER_ALT]) as\n | string\n | undefined;\n\n // ✅ estándar único: usa UUID (o cambia a nanoidLike() si prefieres corto)\n const id = headerId?.trim() || randomUUID();\n\n // ✅ estándar único (no legacy)\n (req as any).requestId = id;\n res.locals.requestId = id;\n\n // ✅ respuesta\n res.setHeader(RESPONSE_REQUEST_ID_HEADER, id);\n\n next();\n}\n","import type {Request, Response, NextFunction} from \"express\";\nimport fs from \"fs\";\nimport crypto from \"crypto\";\nimport {sendError} from \"./respond\";\nimport {HEADER_INTERNAL_API_KEY} from \"../headers\";\n\nfunction readSecretFile(path?: string): string | null {\n if (!path) return null;\n try {\n const v = fs.readFileSync(path, \"utf8\").trim();\n return v.length ? 
v : null;\n } catch {\n return null;\n }\n}\n\nfunction splitKeys(v?: string | null): string[] {\n if (!v) return [];\n return v.split(\",\").map((s) => s.trim()).filter(Boolean);\n}\n\nfunction getExpectedKeys(): string[] {\n const fileKey = readSecretFile(process.env.INTERNAL_API_KEY_FILE);\n const envKey = (process.env.INTERNAL_API_KEY || \"\").trim();\n const raw = fileKey || envKey;\n return splitKeys(raw);\n}\n\nfunction extractToken(req: Request): string | null {\n const apiKey = (req.header(HEADER_INTERNAL_API_KEY) || \"\").trim();\n return apiKey || null;\n}\n\nfunction safeEquals(a: string, b: string): boolean {\n const aa = Buffer.from(a);\n const bb = Buffer.from(b);\n if (aa.length !== bb.length) return false;\n return crypto.timingSafeEqual(aa, bb);\n}\n\nexport default function internalAuth(req: Request, res: Response, next: NextFunction) {\n const token = extractToken(req);\n\n if (!token) {\n return sendError(req, res, 401, \"UNAUTHORIZED\", `Missing internal api key (${HEADER_INTERNAL_API_KEY})`);\n }\n\n const expectedKeys = getExpectedKeys();\n if (expectedKeys.length === 0) {\n return sendError(\n req,\n res,\n 500,\n \"MISCONFIGURED_INTERNAL_AUTH\",\n \"Internal api key not configured (INTERNAL_API_KEY or INTERNAL_API_KEY_FILE)\"\n );\n }\n\n const ok = expectedKeys.some((k) => safeEquals(token, k));\n if (!ok) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Invalid internal api key\");\n }\n\n return next();\n}\n","// packages/sdk/src/middleware/respond.ts\nimport type {Request, Response} from \"express\";\n\nexport function sendOk<T>(_req: Request, res: Response, data: T, statusCode = 200) {\n return res.status(statusCode).json({ok: true, data, requestId: res.locals?.requestId ?? null});\n}\n\nexport function sendError(\n _req: Request,\n res: Response,\n statusCode: number,\n code: string,\n message: string,\n details?: any\n) {\n return res.status(statusCode).json({\n ok: false,\n error: {code, message, ...(details !== undefined ? 
{details} : {})},\n requestId: res.locals?.requestId ?? null,\n });\n}\n","import type {Request, Response, NextFunction} from \"express\";\nimport {sendError} from \"./respond\";\n\ntype AuthRole = string | { code?: string; name?: string };\ntype AuthPermission = string | { code?: string; name?: string };\n\ntype AuthShape = {\n roles?: AuthRole[];\n permissions?: AuthPermission[];\n denied_permissions?: AuthPermission[];\n};\n\nfunction getAuth(req: Request): AuthShape {\n return ((req as any).auth ?? {}) as AuthShape;\n}\n\nfunction hasAuthContext(req: Request): boolean {\n return !!(req as any).auth;\n}\n\nfunction normalizeCode(v: any): string | null {\n if (!v) return null;\n if (typeof v === \"string\") return v;\n if (typeof v === \"object\") return v.code || v.name || null;\n return null;\n}\n\nfunction rolesSet(auth: AuthShape): Set<string> {\n const out = new Set<string>();\n for (const r of auth.roles || []) {\n const c = normalizeCode(r);\n if (c) out.add(c);\n }\n return out;\n}\n\nfunction permsSet(list?: AuthPermission[]): Set<string> {\n const out = new Set<string>();\n for (const p of list || []) {\n const c = normalizeCode(p);\n if (c) out.add(c);\n }\n return out;\n}\n\nexport function requireAuthContext() {\n return (req: Request, res: Response, next: NextFunction) => {\n if (!hasAuthContext(req)) {\n return sendError(req, res, 401, \"UNAUTHORIZED\", \"Missing auth context\");\n }\n return next();\n };\n}\n\nfunction isSysAdmin(auth: AuthShape, sysAdminRole: string) {\n const have = rolesSet(auth);\n return have.has(sysAdminRole);\n}\n\nexport function requirePermissions(\n perms: string[],\n options?: { sysAdminBypass?: boolean; sysAdminRole?: string }\n) {\n const sysAdminBypass = options?.sysAdminBypass !== false;\n const sysAdminRole = options?.sysAdminRole || \"SYS_ADMIN\";\n\n return (req: Request, res: Response, next: NextFunction) => {\n if (!hasAuthContext(req)) {\n return sendError(req, res, 401, \"UNAUTHORIZED\", \"Missing auth 
context\");\n }\n\n const auth = getAuth(req);\n\n if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();\n\n const allow = permsSet(auth.permissions);\n const deny = permsSet(auth.denied_permissions);\n\n for (const p of perms) {\n if (deny.has(p)) {\n return sendError(req, res, 403, \"FORBIDDEN\", `Denied permission: ${p}`, {\n denied: p,\n });\n }\n }\n\n const missing = perms.filter((p) => !allow.has(p));\n if (missing.length) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Missing permissions\", {\n missing,\n mode: \"ALL\",\n });\n }\n\n return next();\n };\n}\n\nexport function requireAnyPermission(\n perms: string[],\n options?: { sysAdminBypass?: boolean; sysAdminRole?: string }\n) {\n const sysAdminBypass = options?.sysAdminBypass !== false;\n const sysAdminRole = options?.sysAdminRole || \"SYS_ADMIN\";\n\n return (req: Request, res: Response, next: NextFunction) => {\n if (!hasAuthContext(req)) {\n return sendError(req, res, 401, \"UNAUTHORIZED\", \"Missing auth context\");\n }\n\n const auth = getAuth(req);\n\n if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();\n\n const allow = permsSet(auth.permissions);\n const deny = permsSet(auth.denied_permissions);\n\n for (const p of perms) {\n if (deny.has(p)) {\n return sendError(req, res, 403, \"FORBIDDEN\", `Denied permission: ${p}`, {\n denied: p,\n });\n }\n }\n\n const ok = perms.some((p) => allow.has(p));\n if (!ok) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Permission denied\", {\n required: perms,\n mode: \"ANY\",\n });\n }\n\n return next();\n };\n}\n\nexport function requireRoles(\n roles: string[],\n options?: { sysAdminBypass?: boolean; sysAdminRole?: string }\n) {\n const sysAdminBypass = options?.sysAdminBypass !== false;\n const sysAdminRole = options?.sysAdminRole || \"SYS_ADMIN\";\n\n return (req: Request, res: Response, next: NextFunction) => {\n if (!hasAuthContext(req)) {\n return sendError(req, res, 401, \"UNAUTHORIZED\", \"Missing auth 
context\");\n }\n\n const auth = getAuth(req);\n\n if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();\n\n const have = rolesSet(auth);\n if (!roles.some((r) => have.has(r))) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Role not allowed\", {\n required: roles,\n mode: \"ANY\",\n });\n }\n\n return next();\n };\n}\n\nexport function requireRolesOrAnyPermission(\n roles: string[],\n perms: string[],\n options?: { sysAdminBypass?: boolean; sysAdminRole?: string }\n) {\n const sysAdminBypass = options?.sysAdminBypass !== false;\n const sysAdminRole = options?.sysAdminRole || \"SYS_ADMIN\";\n\n return (req: Request, res: Response, next: NextFunction) => {\n if (!hasAuthContext(req)) {\n return sendError(req, res, 401, \"UNAUTHORIZED\", \"Missing auth context\");\n }\n\n const auth = getAuth(req);\n\n if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();\n\n const haveRoles = rolesSet(auth);\n const allow = permsSet(auth.permissions);\n const deny = permsSet(auth.denied_permissions);\n\n for (const p of perms) {\n if (deny.has(p)) {\n return sendError(req, res, 403, \"FORBIDDEN\", `Denied permission: ${p}`, {\n denied: p,\n });\n }\n }\n\n const okRole = roles.some((r) => haveRoles.has(r));\n const okPerm = perms.some((p) => allow.has(p));\n\n if (!okRole && !okPerm) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Access denied\", {\n roles,\n permissions: perms,\n mode: \"ROLES_OR_PERMS_ANY\",\n });\n }\n\n return next();\n };\n}\n","import type {Request, Response, NextFunction, RequestHandler} from \"express\";\nimport parseHeaders from \"./parseHeaders\";\nimport {sendError} from \"./respond\";\n\ntype RoleShape = string | { code?: string; name?: string };\ntype PermShape = string | { code?: string; name?: string };\n\ntype GuardOptions = {\n /**\n * Middleware(s) de autenticación del microservicio.\n * Ej:\n * allowSysAdminOrAnyPermission([\"sale.read\"], { auth: authEmployeeRequired })\n */\n auth?: RequestHandler | 
RequestHandler[];\n\n /**\n * Si true, agrega parseHeaders automáticamente.\n * Default: true\n */\n includeParseHeaders?: boolean;\n\n /**\n * Rol que representa SysAdmin.\n * Default: SYS_ADMIN\n */\n sysAdminRole?: string;\n\n /**\n * Si false, desactiva bypass por SysAdmin.\n * Default: true\n */\n sysAdminBypass?: boolean;\n};\n\nfunction normalizeRole(r: RoleShape): string | null {\n if (!r) return null;\n if (typeof r === \"string\") return r;\n return r.code || r.name || null;\n}\n\nfunction normalizePerm(p: PermShape): string | null {\n if (!p) return null;\n if (typeof p === \"string\") return p;\n return p.code || p.name || null;\n}\n\nfunction getAuth(req: Request) {\n return ((req as any).auth ?? {}) as {\n roles?: RoleShape[];\n permissions?: PermShape[];\n denied_permissions?: PermShape[];\n };\n}\n\nfunction roleSet(auth: ReturnType<typeof getAuth>) {\n return new Set<string>(\n (auth.roles ?? []).map(normalizeRole).filter(Boolean) as string[]\n );\n}\n\nfunction permissionSets(auth: ReturnType<typeof getAuth>) {\n const allow = new Set<string>(\n (auth.permissions ?? []).map(normalizePerm).filter(Boolean) as string[]\n );\n const deny = new Set<string>(\n (auth.denied_permissions ?? []).map(normalizePerm).filter(Boolean) as string[]\n );\n return {allow, deny};\n}\n\nfunction normalizeHandlers(auth?: RequestHandler | RequestHandler[]): RequestHandler[] {\n if (!auth) return [];\n return Array.isArray(auth) ? 
auth : [auth];\n}\n\nfunction buildBaseChain(options?: GuardOptions): RequestHandler[] {\n const chain: RequestHandler[] = [];\n\n if (options?.includeParseHeaders !== false) {\n chain.push(parseHeaders);\n }\n\n chain.push(...normalizeHandlers(options?.auth));\n\n return chain;\n}\n\nfunction hasSysAdmin(auth: ReturnType<typeof getAuth>, options?: GuardOptions): boolean {\n const sysAdminBypass = options?.sysAdminBypass !== false;\n if (!sysAdminBypass) return false;\n\n const sysAdminRole = options?.sysAdminRole || \"SYS_ADMIN\";\n return roleSet(auth).has(sysAdminRole);\n}\n\n/**\n * Exige que exista req.auth.\n * Útil cuando auth ya fue montado antes y quieres validar contexto.\n */\nexport function requireAuthContext(options?: GuardOptions): RequestHandler[] {\n return [\n ...buildBaseChain(options),\n (req: Request, res: Response, next: NextFunction) => {\n if (!(req as any).auth) {\n return sendError(req, res, 401, \"UNAUTHORIZED\", \"Missing auth context\");\n }\n return next();\n },\n ];\n}\n\n/**\n * SYS_ADMIN bypass OR ANY permission\n */\nexport function allowSysAdminOrAnyPermission(\n perms: string[] | string,\n options?: GuardOptions\n): RequestHandler[] {\n const required = (Array.isArray(perms) ? 
perms : [perms]).filter(Boolean);\n\n return [\n ...buildBaseChain(options),\n (req: Request, res: Response, next: NextFunction) => {\n const auth = getAuth(req);\n\n if (hasSysAdmin(auth, options)) return next();\n\n const {allow, deny} = permissionSets(auth);\n\n for (const p of required) {\n if (deny.has(p)) {\n return sendError(req, res, 403, \"FORBIDDEN\", `Denied permission: ${p}`, {\n denied: p,\n });\n }\n }\n\n const ok = required.some((p) => allow.has(p));\n if (!ok) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Missing permissions (ANY)\", {\n required,\n mode: \"ANY\",\n });\n }\n\n return next();\n },\n ];\n}\n\n/**\n * SYS_ADMIN bypass OR ALL permissions\n */\nexport function allowSysAdminOrPermissionsAll(\n perms: string[] | string,\n options?: GuardOptions\n): RequestHandler[] {\n const required = (Array.isArray(perms) ? perms : [perms]).filter(Boolean);\n\n return [\n ...buildBaseChain(options),\n (req: Request, res: Response, next: NextFunction) => {\n const auth = getAuth(req);\n\n if (hasSysAdmin(auth, options)) return next();\n\n const {allow, deny} = permissionSets(auth);\n\n for (const p of required) {\n if (deny.has(p)) {\n return sendError(req, res, 403, \"FORBIDDEN\", `Denied permission: ${p}`, {\n denied: p,\n });\n }\n }\n\n const missing = required.filter((p) => !allow.has(p));\n if (missing.length) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Missing permissions (ALL)\", {\n required,\n missing,\n mode: \"ALL\",\n });\n }\n\n return next();\n },\n ];\n}\n\n/**\n * SYS_ADMIN bypass OR ANY role\n */\nexport function allowSysAdminOrRoles(\n roles: string[] | string,\n options?: GuardOptions\n): RequestHandler[] {\n const required = (Array.isArray(roles) ? 
roles : [roles]).filter(Boolean);\n\n return [\n ...buildBaseChain(options),\n (req: Request, res: Response, next: NextFunction) => {\n const auth = getAuth(req);\n\n if (hasSysAdmin(auth, options)) return next();\n\n const have = roleSet(auth);\n const ok = required.some((r) => have.has(r));\n\n if (!ok) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Role not allowed\", {\n required,\n mode: \"ANY\",\n });\n }\n\n return next();\n },\n ];\n}\n\n/**\n * SYS_ADMIN bypass OR (roles ANY) OR (permissions ANY)\n * denied_permissions siempre gana\n */\nexport function allowSysAdminOrRolesOrAnyPermission(\n roles: string | string[],\n permissions: string | string[],\n options?: GuardOptions\n): RequestHandler[] {\n const requiredRoles = (Array.isArray(roles) ? roles : [roles]).filter(Boolean);\n const requiredPerms = (Array.isArray(permissions) ? permissions : [permissions]).filter(Boolean);\n\n return [\n ...buildBaseChain(options),\n (req: Request, res: Response, next: NextFunction) => {\n const auth = getAuth(req);\n\n if (hasSysAdmin(auth, options)) return next();\n\n const {allow, deny} = permissionSets(auth);\n const haveRoles = roleSet(auth);\n\n for (const p of requiredPerms) {\n if (deny.has(p)) {\n return sendError(req, res, 403, \"FORBIDDEN\", `Denied permission: ${p}`, {\n denied: p,\n });\n }\n }\n\n const okRole = requiredRoles.some((r) => haveRoles.has(r));\n if (okRole) return next();\n\n const okPerm = requiredPerms.some((p) => allow.has(p));\n if (okPerm) return next();\n\n return sendError(req, res, 403, \"FORBIDDEN\", \"Permission denied\", {\n roles: requiredRoles,\n permissions: requiredPerms,\n mode: \"ROLES_OR_ANY_PERMISSION\",\n });\n },\n ];\n}\n\n/**\n * Helper típico para AUTH backoffice\n */\nexport function allowAuthAdminOrPerm(\n permission: string,\n options?: GuardOptions\n): RequestHandler[] {\n return allowSysAdminOrRolesOrAnyPermission([\"AUTH_ADMIN\"], [permission], 
options);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACCO,IAAM,oBAAoB;AAE1B,IAAM,qBAAqB;AAC3B,IAAM,oBAAoB;AAC1B,IAAM,sBAAsB;AAE5B,IAAM,0BAA0B;;;ACQvC,SAAS,qBAAqB,GAA2B;AACrD,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,QAAM,IAAI,EAAE,KAAK;AACjB,MAAI,CAAC,EAAG,QAAO;AAGf,MAAI,EAAE,WAAW,GAAG,KAAK,EAAE,WAAW,GAAG,KAAK,EAAE,SAAS,GAAG,EAAG,QAAO;AAGtE,MAAI,EAAE,SAAS,EAAG,QAAO;AAEzB,SAAO;AACX;AAKA,SAAS,EAAE,SAA8B,KAAsB;AAC3D,SAAO,QAAQ,GAAG,KAAK,QAAQ,IAAI,YAAY,CAAC,KAAK,QAAQ,IAAI,YAAY,CAAC;AAClF;AASO,SAAS,6BAA6B,SAA8C;AACvF,SAAO;AAAA,IACH,WAAW,qBAAqB,EAAE,SAAS,iBAAiB,CAAC,KAAK;AAAA,IAClE,aAAa,qBAAqB,EAAE,SAAS,kBAAkB,CAAC,KAAK;AAAA,IACrE,YAAY,qBAAqB,EAAE,SAAS,iBAAiB,CAAC,KAAK;AAAA,IACnE,cAAc,qBAAqB,EAAE,SAAS,mBAAmB,CAAC,KAAK;AAAA,EAC3E;AACJ;;;ACxCe,SAAR,aAA8B,KAAc,MAAgB,MAAoB;AACnF,EAAC,IAAY,UAAU,6BAA6B,IAAI,OAAc;AACtE,OAAK;AACT;;;ACXA,oBAAsC;AAE/B,IAAM,oBAAoB;AAC1B,IAAM,wBAAwB;AAC9B,IAAM,6BAA6B;AAO3B,SAAR,UAA2B,KAAc,KAAe,MAAoB;AAC/E,QAAM,WAAY,IAAI,QAAQ,iBAAiB,KAAK,IAAI,QAAQ,qBAAqB;AAKrF,QAAM,KAAK,UAAU,KAAK,SAAK,0BAAW;AAG1C,EAAC,IAAY,YAAY;AACzB,MAAI,OAAO,YAAY;AAGvB,MAAI,UAAU,4BAA4B,EAAE;AAE5C,OAAK;AACT;;;AC5BA,gBAAe;AACf,IAAAA,iBAAmB;;;ACCZ,SAAS,OAAU,MAAe,KAAe,MAAS,aAAa,KAAK;AAC/E,SAAO,IAAI,OAAO,UAAU,EAAE,KAAK,EAAC,IAAI,MAAM,MAAM,WAAW,IAAI,QAAQ,aAAa,KAAI,CAAC;AACjG;AAEO,SAAS,UACZ,MACA,KACA,YACA,MACA,SACA,SACF;AACE,SAAO,IAAI,OAAO,UAAU,EAAE,KAAK;AAAA,IAC/B,IAAI;AAAA,IACJ,OAAO,EAAC,MAAM,SAAS,GAAI,YAAY,SAAY,EAAC,QAAO,IAAI,CAAC,EAAE;AAAA,IAClE,WAAW,IAAI,QAAQ,aAAa;AAAA,EACxC,CAAC;AACL;;;ADdA,SAAS,eAAe,MAA8B;AAClD,MAAI,CAAC,KAAM,QAAO;AAClB,MAAI;AACA,UAAM,IAAI,UAAAC,QAAG,aAAa,MAAM,MAAM,EAAE,KAAK;AAC7C,WAAO,EAAE,SAAS,IAAI;AAAA,EAC1B,QAAQ;AACJ,WAAO;AAAA,EACX;AACJ;AAEA,SAAS,UAAU,GAA6B;AAC5C,MAAI,CAAC,EAAG,QAAO,CAAC;AAChB,SAAO,EAAE,MAAM,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO;AAC3D;AAEA,SAAS,kBAA4B;AACjC,QAAM,UAAU,eAAe,QAAQ,IAAI,qBAAqB;AAChE,QAAM,UAAU,QAAQ,IAAI,oBAAoB,IAAI,KAAK;AACzD,QA
AM,MAAM,WAAW;AACvB,SAAO,UAAU,GAAG;AACxB;AAEA,SAAS,aAAa,KAA6B;AAC/C,QAAM,UAAU,IAAI,OAAO,uBAAuB,KAAK,IAAI,KAAK;AAChE,SAAO,UAAU;AACrB;AAEA,SAAS,WAAW,GAAW,GAAoB;AAC/C,QAAM,KAAK,OAAO,KAAK,CAAC;AACxB,QAAM,KAAK,OAAO,KAAK,CAAC;AACxB,MAAI,GAAG,WAAW,GAAG,OAAQ,QAAO;AACpC,SAAO,eAAAC,QAAO,gBAAgB,IAAI,EAAE;AACxC;AAEe,SAAR,aAA8B,KAAc,KAAe,MAAoB;AAClF,QAAM,QAAQ,aAAa,GAAG;AAE9B,MAAI,CAAC,OAAO;AACR,WAAO,UAAU,KAAK,KAAK,KAAK,gBAAgB,6BAA6B,uBAAuB,GAAG;AAAA,EAC3G;AAEA,QAAM,eAAe,gBAAgB;AACrC,MAAI,aAAa,WAAW,GAAG;AAC3B,WAAO;AAAA,MACH;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACJ;AAAA,EACJ;AAEA,QAAM,KAAK,aAAa,KAAK,CAAC,MAAM,WAAW,OAAO,CAAC,CAAC;AACxD,MAAI,CAAC,IAAI;AACL,WAAO,UAAU,KAAK,KAAK,KAAK,aAAa,0BAA0B;AAAA,EAC3E;AAEA,SAAO,KAAK;AAChB;;;AEpDA,SAAS,QAAQ,KAAyB;AACxC,SAAS,IAAY,QAAQ,CAAC;AAChC;AAEA,SAAS,eAAe,KAAuB;AAC7C,SAAO,CAAC,CAAE,IAAY;AACxB;AAEA,SAAS,cAAc,GAAuB;AAC5C,MAAI,CAAC,EAAG,QAAO;AACf,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,MAAI,OAAO,MAAM,SAAU,QAAO,EAAE,QAAQ,EAAE,QAAQ;AACtD,SAAO;AACT;AAEA,SAAS,SAAS,MAA8B;AAC9C,QAAM,MAAM,oBAAI,IAAY;AAC5B,aAAW,KAAK,KAAK,SAAS,CAAC,GAAG;AAChC,UAAM,IAAI,cAAc,CAAC;AACzB,QAAI,EAAG,KAAI,IAAI,CAAC;AAAA,EAClB;AACA,SAAO;AACT;AAEA,SAAS,SAAS,MAAsC;AACtD,QAAM,MAAM,oBAAI,IAAY;AAC5B,aAAW,KAAK,QAAQ,CAAC,GAAG;AAC1B,UAAM,IAAI,cAAc,CAAC;AACzB,QAAI,EAAG,KAAI,IAAI,CAAC;AAAA,EAClB;AACA,SAAO;AACT;AAEO,SAAS,qBAAqB;AACnC,SAAO,CAAC,KAAc,KAAe,SAAuB;AAC1D,QAAI,CAAC,eAAe,GAAG,GAAG;AACxB,aAAO,UAAU,KAAK,KAAK,KAAK,gBAAgB,sBAAsB;AAAA,IACxE;AACA,WAAO,KAAK;AAAA,EACd;AACF;AAEA,SAAS,WAAW,MAAiB,cAAsB;AACzD,QAAM,OAAO,SAAS,IAAI;AAC1B,SAAO,KAAK,IAAI,YAAY;AAC9B;AAEO,SAAS,mBACd,OACA,SACA;AACA,QAAM,iBAAiB,SAAS,mBAAmB;AACnD,QAAM,eAAe,SAAS,gBAAgB;AAE9C,SAAO,CAAC,KAAc,KAAe,SAAuB;AAC1D,QAAI,CAAC,eAAe,GAAG,GAAG;AACxB,aAAO,UAAU,KAAK,KAAK,KAAK,gBAAgB,sBAAsB;AAAA,IACxE;AAEA,UAAM,OAAO,QAAQ,GAAG;AAExB,QAAI,kBAAkB,WAAW,MAAM,YAAY,EAAG,QAAO,KAAK;AAElE,UAAM,QAAQ,SAAS,KAAK,WAAW;AACvC,UAAM,OAAO,SAAS,KAAK,kBAAkB;AAE7C,eAAW,KAAK,OAAO;AACrB,UAAI,KAAK,IAAI,CAAC,GAAG;AACf,eAAO,UAAU,KAAK,KAAK,KAAK,aAAa,sBAAsB,CAAC,IAAI
;AAAA,UACtE,QAAQ;AAAA,QACV,CAAC;AAAA,MACH;AAAA,IACF;AAEA,UAAM,UAAU,MAAM,OAAO,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,CAAC;AACjD,QAAI,QAAQ,QAAQ;AAClB,aAAO,UAAU,KAAK,KAAK,KAAK,aAAa,uBAAuB;AAAA,QAClE;AAAA,QACA,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAEA,WAAO,KAAK;AAAA,EACd;AACF;AAEO,SAAS,qBACd,OACA,SACA;AACA,QAAM,iBAAiB,SAAS,mBAAmB;AACnD,QAAM,eAAe,SAAS,gBAAgB;AAE9C,SAAO,CAAC,KAAc,KAAe,SAAuB;AAC1D,QAAI,CAAC,eAAe,GAAG,GAAG;AACxB,aAAO,UAAU,KAAK,KAAK,KAAK,gBAAgB,sBAAsB;AAAA,IACxE;AAEA,UAAM,OAAO,QAAQ,GAAG;AAExB,QAAI,kBAAkB,WAAW,MAAM,YAAY,EAAG,QAAO,KAAK;AAElE,UAAM,QAAQ,SAAS,KAAK,WAAW;AACvC,UAAM,OAAO,SAAS,KAAK,kBAAkB;AAE7C,eAAW,KAAK,OAAO;AACrB,UAAI,KAAK,IAAI,CAAC,GAAG;AACf,eAAO,UAAU,KAAK,KAAK,KAAK,aAAa,sBAAsB,CAAC,IAAI;AAAA,UACtE,QAAQ;AAAA,QACV,CAAC;AAAA,MACH;AAAA,IACF;AAEA,UAAM,KAAK,MAAM,KAAK,CAAC,MAAM,MAAM,IAAI,CAAC,CAAC;AACzC,QAAI,CAAC,IAAI;AACP,aAAO,UAAU,KAAK,KAAK,KAAK,aAAa,qBAAqB;AAAA,QAChE,UAAU;AAAA,QACV,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAEA,WAAO,KAAK;AAAA,EACd;AACF;AAEO,SAAS,aACd,OACA,SACA;AACA,QAAM,iBAAiB,SAAS,mBAAmB;AACnD,QAAM,eAAe,SAAS,gBAAgB;AAE9C,SAAO,CAAC,KAAc,KAAe,SAAuB;AAC1D,QAAI,CAAC,eAAe,GAAG,GAAG;AACxB,aAAO,UAAU,KAAK,KAAK,KAAK,gBAAgB,sBAAsB;AAAA,IACxE;AAEA,UAAM,OAAO,QAAQ,GAAG;AAExB,QAAI,kBAAkB,WAAW,MAAM,YAAY,EAAG,QAAO,KAAK;AAElE,UAAM,OAAO,SAAS,IAAI;AAC1B,QAAI,CAAC,MAAM,KAAK,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC,GAAG;AACnC,aAAO,UAAU,KAAK,KAAK,KAAK,aAAa,oBAAoB;AAAA,QAC/D,UAAU;AAAA,QACV,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAEA,WAAO,KAAK;AAAA,EACd;AACF;AAEO,SAAS,4BACd,OACA,OACA,SACA;AACA,QAAM,iBAAiB,SAAS,mBAAmB;AACnD,QAAM,eAAe,SAAS,gBAAgB;AAE9C,SAAO,CAAC,KAAc,KAAe,SAAuB;AAC1D,QAAI,CAAC,eAAe,GAAG,GAAG;AACxB,aAAO,UAAU,KAAK,KAAK,KAAK,gBAAgB,sBAAsB;AAAA,IACxE;AAEA,UAAM,OAAO,QAAQ,GAAG;AAExB,QAAI,kBAAkB,WAAW,MAAM,YAAY,EAAG,QAAO,KAAK;AAElE,UAAM,YAAY,SAAS,IAAI;AAC/B,UAAM,QAAQ,SAAS,KAAK,WAAW;AACvC,UAAM,OAAO,SAAS,KAAK,kBAAkB;AAE7C,eAAW,KAAK,OAAO;AACrB,UAAI,KAAK,IAAI,CAAC,GAAG;AACf,eAAO,UAAU,KAAK,KAAK,KAAK,aAAa,sBAAsB,CAAC,IAAI;AAAA,UACtE,QAAQ;AAAA,QACV,CAAC;AAAA,MACH;AAAA,IACF;AAEA,UAAM,SAAS,MAAM,KAAK,CAAC,
MAAM,UAAU,IAAI,CAAC,CAAC;AACjD,UAAM,SAAS,MAAM,KAAK,CAAC,MAAM,MAAM,IAAI,CAAC,CAAC;AAE7C,QAAI,CAAC,UAAU,CAAC,QAAQ;AACtB,aAAO,UAAU,KAAK,KAAK,KAAK,aAAa,iBAAiB;AAAA,QAC5D;AAAA,QACA,aAAa;AAAA,QACb,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAEA,WAAO,KAAK;AAAA,EACd;AACF;;;AC7KA,SAAS,cAAc,GAA6B;AAClD,MAAI,CAAC,EAAG,QAAO;AACf,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,SAAO,EAAE,QAAQ,EAAE,QAAQ;AAC7B;AAEA,SAAS,cAAc,GAA6B;AAClD,MAAI,CAAC,EAAG,QAAO;AACf,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,SAAO,EAAE,QAAQ,EAAE,QAAQ;AAC7B;AAEA,SAASC,SAAQ,KAAc;AAC7B,SAAS,IAAY,QAAQ,CAAC;AAKhC;AAEA,SAAS,QAAQ,MAAkC;AACjD,SAAO,IAAI;AAAA,KACR,KAAK,SAAS,CAAC,GAAG,IAAI,aAAa,EAAE,OAAO,OAAO;AAAA,EACtD;AACF;AAEA,SAAS,eAAe,MAAkC;AACxD,QAAM,QAAQ,IAAI;AAAA,KACf,KAAK,eAAe,CAAC,GAAG,IAAI,aAAa,EAAE,OAAO,OAAO;AAAA,EAC5D;AACA,QAAM,OAAO,IAAI;AAAA,KACd,KAAK,sBAAsB,CAAC,GAAG,IAAI,aAAa,EAAE,OAAO,OAAO;AAAA,EACnE;AACA,SAAO,EAAC,OAAO,KAAI;AACrB;AAEA,SAAS,kBAAkB,MAA4D;AACrF,MAAI,CAAC,KAAM,QAAO,CAAC;AACnB,SAAO,MAAM,QAAQ,IAAI,IAAI,OAAO,CAAC,IAAI;AAC3C;AAEA,SAAS,eAAe,SAA0C;AAChE,QAAM,QAA0B,CAAC;AAEjC,MAAI,SAAS,wBAAwB,OAAO;AAC1C,UAAM,KAAK,YAAY;AAAA,EACzB;AAEA,QAAM,KAAK,GAAG,kBAAkB,SAAS,IAAI,CAAC;AAE9C,SAAO;AACT;AAEA,SAAS,YAAY,MAAkC,SAAiC;AACtF,QAAM,iBAAiB,SAAS,mBAAmB;AACnD,MAAI,CAAC,eAAgB,QAAO;AAE5B,QAAM,eAAe,SAAS,gBAAgB;AAC9C,SAAO,QAAQ,IAAI,EAAE,IAAI,YAAY;AACvC;AAqBO,SAAS,6BACd,OACA,SACkB;AAClB,QAAM,YAAY,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC,KAAK,GAAG,OAAO,OAAO;AAExE,SAAO;AAAA,IACL,GAAG,eAAe,OAAO;AAAA,IACzB,CAAC,KAAc,KAAe,SAAuB;AACnD,YAAM,OAAOC,SAAQ,GAAG;AAExB,UAAI,YAAY,MAAM,OAAO,EAAG,QAAO,KAAK;AAE5C,YAAM,EAAC,OAAO,KAAI,IAAI,eAAe,IAAI;AAEzC,iBAAW,KAAK,UAAU;AACxB,YAAI,KAAK,IAAI,CAAC,GAAG;AACf,iBAAO,UAAU,KAAK,KAAK,KAAK,aAAa,sBAAsB,CAAC,IAAI;AAAA,YACtE,QAAQ;AAAA,UACV,CAAC;AAAA,QACH;AAAA,MACF;AAEA,YAAM,KAAK,SAAS,KAAK,CAAC,MAAM,MAAM,IAAI,CAAC,CAAC;AAC5C,UAAI,CAAC,IAAI;AACP,eAAO,UAAU,KAAK,KAAK,KAAK,aAAa,6BAA6B;AAAA,UACxE;AAAA,UACA,MAAM;AAAA,QACR,CAAC;AAAA,MACH;AAEA,aAAO,KAAK;AAAA,IACd;AAAA,EACF;AACF;AAKO,SAAS,8BACd,OACA,SACkB;AAClB,QAAM,YAAY,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC
,KAAK,GAAG,OAAO,OAAO;AAExE,SAAO;AAAA,IACL,GAAG,eAAe,OAAO;AAAA,IACzB,CAAC,KAAc,KAAe,SAAuB;AACnD,YAAM,OAAOA,SAAQ,GAAG;AAExB,UAAI,YAAY,MAAM,OAAO,EAAG,QAAO,KAAK;AAE5C,YAAM,EAAC,OAAO,KAAI,IAAI,eAAe,IAAI;AAEzC,iBAAW,KAAK,UAAU;AACxB,YAAI,KAAK,IAAI,CAAC,GAAG;AACf,iBAAO,UAAU,KAAK,KAAK,KAAK,aAAa,sBAAsB,CAAC,IAAI;AAAA,YACtE,QAAQ;AAAA,UACV,CAAC;AAAA,QACH;AAAA,MACF;AAEA,YAAM,UAAU,SAAS,OAAO,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,CAAC;AACpD,UAAI,QAAQ,QAAQ;AAClB,eAAO,UAAU,KAAK,KAAK,KAAK,aAAa,6BAA6B;AAAA,UACxE;AAAA,UACA;AAAA,UACA,MAAM;AAAA,QACR,CAAC;AAAA,MACH;AAEA,aAAO,KAAK;AAAA,IACd;AAAA,EACF;AACF;AAKO,SAAS,qBACd,OACA,SACkB;AAClB,QAAM,YAAY,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC,KAAK,GAAG,OAAO,OAAO;AAExE,SAAO;AAAA,IACL,GAAG,eAAe,OAAO;AAAA,IACzB,CAAC,KAAc,KAAe,SAAuB;AACnD,YAAM,OAAOA,SAAQ,GAAG;AAExB,UAAI,YAAY,MAAM,OAAO,EAAG,QAAO,KAAK;AAE5C,YAAM,OAAO,QAAQ,IAAI;AACzB,YAAM,KAAK,SAAS,KAAK,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC;AAE3C,UAAI,CAAC,IAAI;AACP,eAAO,UAAU,KAAK,KAAK,KAAK,aAAa,oBAAoB;AAAA,UAC/D;AAAA,UACA,MAAM;AAAA,QACR,CAAC;AAAA,MACH;AAEA,aAAO,KAAK;AAAA,IACd;AAAA,EACF;AACF;AAMO,SAAS,oCACd,OACA,aACA,SACkB;AAClB,QAAM,iBAAiB,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC,KAAK,GAAG,OAAO,OAAO;AAC7E,QAAM,iBAAiB,MAAM,QAAQ,WAAW,IAAI,cAAc,CAAC,WAAW,GAAG,OAAO,OAAO;AAE/F,SAAO;AAAA,IACL,GAAG,eAAe,OAAO;AAAA,IACzB,CAAC,KAAc,KAAe,SAAuB;AACnD,YAAM,OAAOA,SAAQ,GAAG;AAExB,UAAI,YAAY,MAAM,OAAO,EAAG,QAAO,KAAK;AAE5C,YAAM,EAAC,OAAO,KAAI,IAAI,eAAe,IAAI;AACzC,YAAM,YAAY,QAAQ,IAAI;AAE9B,iBAAW,KAAK,eAAe;AAC7B,YAAI,KAAK,IAAI,CAAC,GAAG;AACf,iBAAO,UAAU,KAAK,KAAK,KAAK,aAAa,sBAAsB,CAAC,IAAI;AAAA,YACtE,QAAQ;AAAA,UACV,CAAC;AAAA,QACH;AAAA,MACF;AAEA,YAAM,SAAS,cAAc,KAAK,CAAC,MAAM,UAAU,IAAI,CAAC,CAAC;AACzD,UAAI,OAAQ,QAAO,KAAK;AAExB,YAAM,SAAS,cAAc,KAAK,CAAC,MAAM,MAAM,IAAI,CAAC,CAAC;AACrD,UAAI,OAAQ,QAAO,KAAK;AAExB,aAAO,UAAU,KAAK,KAAK,KAAK,aAAa,qBAAqB;AAAA,QAChE,OAAO;AAAA,QACP,aAAa;AAAA,QACb,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAAA,EACF;AACF;AAKO,SAAS,qBACd,YACA,SACkB;AAClB,SAAO,oCAAoC,CAAC,YAAY,GAAG,CAAC,UAAU,GAAG,OAAO;AAClF;","names":["import_crypto","fs","crypto","getAuth
","getAuth"]}
@@ -15,73 +15,67 @@ declare function internalAuth(req: Request, res: Response, next: NextFunction):
15
15
  declare function sendOk<T>(_req: Request, res: Response, data: T, statusCode?: number): Response<any, Record<string, any>>;
16
16
  declare function sendError(_req: Request, res: Response, statusCode: number, code: string, message: string, details?: any): Response<any, Record<string, any>>;
17
17
 
18
- /**
19
- * 401 si no existe req.auth (contexto auth).
20
- * Útil para proteger rutas donde SIEMPRE debe existir auth.
21
- */
22
18
  declare function requireAuthContext(): (req: Request, res: Response, next: NextFunction) => void | Response<any, Record<string, any>>;
23
- /**
24
- * Requiere TODOS los permisos indicados.
25
- * Regla: denied_permissions siempre gana sobre permissions.
26
- *
27
- * options:
28
- * - sysAdminBypass: default true
29
- * - sysAdminRole: default "SYS_ADMIN"
30
- */
31
19
  declare function requirePermissions(perms: string[], options?: {
32
20
  sysAdminBypass?: boolean;
33
21
  sysAdminRole?: string;
34
22
  }): (req: Request, res: Response, next: NextFunction) => void | Response<any, Record<string, any>>;
35
- /**
36
- * Requiere AL MENOS 1 permiso de la lista (ANY/OR).
37
- * Regla: denied_permissions siempre gana.
38
- */
39
23
  declare function requireAnyPermission(perms: string[], options?: {
40
24
  sysAdminBypass?: boolean;
41
25
  sysAdminRole?: string;
42
26
  }): (req: Request, res: Response, next: NextFunction) => void | Response<any, Record<string, any>>;
43
- /**
44
- * Requiere al menos 1 rol (ANY/OR).
45
- * options:
46
- * - sysAdminBypass: default true
47
- * - sysAdminRole: default "SYS_ADMIN"
48
- */
49
27
  declare function requireRoles(roles: string[], options?: {
50
28
  sysAdminBypass?: boolean;
51
29
  sysAdminRole?: string;
52
30
  }): (req: Request, res: Response, next: NextFunction) => void | Response<any, Record<string, any>>;
53
- /**
54
- * Requiere (roles ANY) OR (permissions ANY).
55
- * deny_permissions siempre gana sobre permissions.
56
- */
57
31
  declare function requireRolesOrAnyPermission(roles: string[], perms: string[], options?: {
58
32
  sysAdminBypass?: boolean;
59
33
  sysAdminRole?: string;
60
34
  }): (req: Request, res: Response, next: NextFunction) => void | Response<any, Record<string, any>>;
61
35
 
36
+ type GuardOptions = {
37
+ /**
38
+ * Middleware(s) de autenticación del microservicio.
39
+ * Ej:
40
+ * allowSysAdminOrAnyPermission(["sale.read"], { auth: authEmployeeRequired })
41
+ */
42
+ auth?: RequestHandler | RequestHandler[];
43
+ /**
44
+ * Si true, agrega parseHeaders automáticamente.
45
+ * Default: true
46
+ */
47
+ includeParseHeaders?: boolean;
48
+ /**
49
+ * Rol que representa SysAdmin.
50
+ * Default: SYS_ADMIN
51
+ */
52
+ sysAdminRole?: string;
53
+ /**
54
+ * Si false, desactiva bypass por SysAdmin.
55
+ * Default: true
56
+ */
57
+ sysAdminBypass?: boolean;
58
+ };
62
59
  /**
63
- * SysAdmin bypass OR (ANY) permissions
64
- * - Si tiene alguno de los permisos => OK
65
- * - denied_permissions gana siempre
60
+ * SYS_ADMIN bypass OR ANY permission
66
61
  */
67
- declare function allowSysAdminOrAnyPermission(...perms: string[]): RequestHandler[];
62
+ declare function allowSysAdminOrAnyPermission(perms: string[] | string, options?: GuardOptions): RequestHandler[];
68
63
  /**
69
- * SysAdmin bypass OR (ALL) permissions (AND)
64
+ * SYS_ADMIN bypass OR ALL permissions
70
65
  */
71
- declare function allowSysAdminOrPermissionsAll(...perms: string[]): RequestHandler[];
66
+ declare function allowSysAdminOrPermissionsAll(perms: string[] | string, options?: GuardOptions): RequestHandler[];
72
67
  /**
73
- * SysAdmin bypass OR roles (ANY)
68
+ * SYS_ADMIN bypass OR ANY role
74
69
  */
75
- declare function allowSysAdminOrRoles(...roles: string[]): RequestHandler[];
70
+ declare function allowSysAdminOrRoles(roles: string[] | string, options?: GuardOptions): RequestHandler[];
76
71
  /**
77
- * SYS_ADMIN bypass OR (ANY) roles OR (ANY) permissions
78
- * - denied_permissions siempre gana
72
+ * SYS_ADMIN bypass OR (roles ANY) OR (permissions ANY)
73
+ * denied_permissions siempre gana
79
74
  */
80
- declare function allowSysAdminOrRolesOrAnyPermission(roles: string | string[], permissions: string | string[]): RequestHandler[];
75
+ declare function allowSysAdminOrRolesOrAnyPermission(roles: string | string[], permissions: string | string[], options?: GuardOptions): RequestHandler[];
81
76
  /**
82
- * Helper específico Auth:
83
- * Rol AUTH_ADMIN o permiso fino (y SYS_ADMIN bypass)
77
+ * Helper típico para AUTH backoffice
84
78
  */
85
- declare function allowAuthAdminOrPerm(permission: string): RequestHandler[];
79
+ declare function allowAuthAdminOrPerm(permission: string, options?: GuardOptions): RequestHandler[];
86
80
 
87
81
  export { allowAuthAdminOrPerm, allowSysAdminOrAnyPermission, allowSysAdminOrPermissionsAll, allowSysAdminOrRoles, allowSysAdminOrRolesOrAnyPermission, internalAuth, parseHeaders, requestId, requireAnyPermission, requireAuthContext, requirePermissions, requireRoles, requireRolesOrAnyPermission, sendError, sendOk };
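Review bot: The switch from rest parameters to `(perms: string[] | string, options?: GuardOptions)` on `allowSysAdminOrAnyPermission`, `allowSysAdminOrPermissionsAll` and `allowSysAdminOrRoles` changes what an existing call such as `allowSysAdminOrPermissionsAll("a", "b")` means. The second string now lands in `options`, and this ships in a patch release (0.2.8 → 0.2.9). Type-checked callers get a compile error, but callers that are not type-checked would silently lose every permission after the first, and for the ALL variant that means a weaker check than before. The implementation is not part of this declaration hunk, so whether it validates `options` cannot be confirmed here. If it does not, a runtime guard such as `if (options !== undefined && (typeof options !== "object" || options === null)) throw new TypeError("options must be an object");` at the top of each helper would turn the silent downgrade into a startup failure. The same declarations are repeated in the next declaration section, where this applies as well.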
@@ -15,73 +15,67 @@ declare function internalAuth(req: Request, res: Response, next: NextFunction):
15
15
  declare function sendOk<T>(_req: Request, res: Response, data: T, statusCode?: number): Response<any, Record<string, any>>;
16
16
  declare function sendError(_req: Request, res: Response, statusCode: number, code: string, message: string, details?: any): Response<any, Record<string, any>>;
17
17
 
18
- /**
19
- * 401 si no existe req.auth (contexto auth).
20
- * Útil para proteger rutas donde SIEMPRE debe existir auth.
21
- */
22
18
  declare function requireAuthContext(): (req: Request, res: Response, next: NextFunction) => void | Response<any, Record<string, any>>;
23
- /**
24
- * Requiere TODOS los permisos indicados.
25
- * Regla: denied_permissions siempre gana sobre permissions.
26
- *
27
- * options:
28
- * - sysAdminBypass: default true
29
- * - sysAdminRole: default "SYS_ADMIN"
30
- */
31
19
  declare function requirePermissions(perms: string[], options?: {
32
20
  sysAdminBypass?: boolean;
33
21
  sysAdminRole?: string;
34
22
  }): (req: Request, res: Response, next: NextFunction) => void | Response<any, Record<string, any>>;
35
- /**
36
- * Requiere AL MENOS 1 permiso de la lista (ANY/OR).
37
- * Regla: denied_permissions siempre gana.
38
- */
39
23
  declare function requireAnyPermission(perms: string[], options?: {
40
24
  sysAdminBypass?: boolean;
41
25
  sysAdminRole?: string;
42
26
  }): (req: Request, res: Response, next: NextFunction) => void | Response<any, Record<string, any>>;
43
- /**
44
- * Requiere al menos 1 rol (ANY/OR).
45
- * options:
46
- * - sysAdminBypass: default true
47
- * - sysAdminRole: default "SYS_ADMIN"
48
- */
49
27
  declare function requireRoles(roles: string[], options?: {
50
28
  sysAdminBypass?: boolean;
51
29
  sysAdminRole?: string;
52
30
  }): (req: Request, res: Response, next: NextFunction) => void | Response<any, Record<string, any>>;
53
- /**
54
- * Requiere (roles ANY) OR (permissions ANY).
55
- * deny_permissions siempre gana sobre permissions.
56
- */
57
31
  declare function requireRolesOrAnyPermission(roles: string[], perms: string[], options?: {
58
32
  sysAdminBypass?: boolean;
59
33
  sysAdminRole?: string;
60
34
  }): (req: Request, res: Response, next: NextFunction) => void | Response<any, Record<string, any>>;
61
35
 
36
+ type GuardOptions = {
37
+ /**
38
+ * Middleware(s) de autenticación del microservicio.
39
+ * Ej:
40
+ * allowSysAdminOrAnyPermission(["sale.read"], { auth: authEmployeeRequired })
41
+ */
42
+ auth?: RequestHandler | RequestHandler[];
43
+ /**
44
+ * Si true, agrega parseHeaders automáticamente.
45
+ * Default: true
46
+ */
47
+ includeParseHeaders?: boolean;
48
+ /**
49
+ * Rol que representa SysAdmin.
50
+ * Default: SYS_ADMIN
51
+ */
52
+ sysAdminRole?: string;
53
+ /**
54
+ * Si false, desactiva bypass por SysAdmin.
55
+ * Default: true
56
+ */
57
+ sysAdminBypass?: boolean;
58
+ };
62
59
  /**
63
- * SysAdmin bypass OR (ANY) permissions
64
- * - Si tiene alguno de los permisos => OK
65
- * - denied_permissions gana siempre
60
+ * SYS_ADMIN bypass OR ANY permission
66
61
  */
67
- declare function allowSysAdminOrAnyPermission(...perms: string[]): RequestHandler[];
62
+ declare function allowSysAdminOrAnyPermission(perms: string[] | string, options?: GuardOptions): RequestHandler[];
68
63
  /**
69
- * SysAdmin bypass OR (ALL) permissions (AND)
64
+ * SYS_ADMIN bypass OR ALL permissions
70
65
  */
71
- declare function allowSysAdminOrPermissionsAll(...perms: string[]): RequestHandler[];
66
+ declare function allowSysAdminOrPermissionsAll(perms: string[] | string, options?: GuardOptions): RequestHandler[];
72
67
  /**
73
- * SysAdmin bypass OR roles (ANY)
68
+ * SYS_ADMIN bypass OR ANY role
74
69
  */
75
- declare function allowSysAdminOrRoles(...roles: string[]): RequestHandler[];
70
+ declare function allowSysAdminOrRoles(roles: string[] | string, options?: GuardOptions): RequestHandler[];
76
71
  /**
77
- * SYS_ADMIN bypass OR (ANY) roles OR (ANY) permissions
78
- * - denied_permissions siempre gana
72
+ * SYS_ADMIN bypass OR (roles ANY) OR (permissions ANY)
73
+ * denied_permissions siempre gana
79
74
  */
80
- declare function allowSysAdminOrRolesOrAnyPermission(roles: string | string[], permissions: string | string[]): RequestHandler[];
75
+ declare function allowSysAdminOrRolesOrAnyPermission(roles: string | string[], permissions: string | string[], options?: GuardOptions): RequestHandler[];
81
76
  /**
82
- * Helper específico Auth:
83
- * Rol AUTH_ADMIN o permiso fino (y SYS_ADMIN bypass)
77
+ * Helper típico para AUTH backoffice
84
78
  */
85
- declare function allowAuthAdminOrPerm(permission: string): RequestHandler[];
79
+ declare function allowAuthAdminOrPerm(permission: string, options?: GuardOptions): RequestHandler[];
86
80
 
87
81
  export { allowAuthAdminOrPerm, allowSysAdminOrAnyPermission, allowSysAdminOrPermissionsAll, allowSysAdminOrRoles, allowSysAdminOrRolesOrAnyPermission, internalAuth, parseHeaders, requestId, requireAnyPermission, requireAuthContext, requirePermissions, requireRoles, requireRolesOrAnyPermission, sendError, sendOk };
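Review bot: The TSDoc removed from `requireAuthContext`, `requirePermissions`, `requireAnyPermission`, `requireRoles` and `requireRolesOrAnyPermission` was the only statement of their security contract, and the new side leaves these declarations with no comment at all. That contract was: 401 when `req.auth` is missing, `denied_permissions` always wins, `sysAdminBypass` defaults to true and `sysAdminRole` to "SYS_ADMIN". I would restore one-line comments, for example `/** Requires ALL listed permissions; denied_permissions always wins. options.sysAdminBypass defaults to true, options.sysAdminRole to "SYS_ADMIN". */` on `requirePermissions`. The new `GuardOptions.auth` field is optional, and its comment does not say what the guard does when no authentication middleware is supplied. A sentence there stating whether such a request is rejected would help integrators avoid mounting a guard without authentication in front of it. The preceding declaration section is identical, so this applies there too.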
@@ -14,7 +14,7 @@ import {
14
14
  requireRolesOrAnyPermission,
15
15
  sendError,
16
16
  sendOk
17
- } from "../chunk-DT3AM34L.js";
17
+ } from "../chunk-HNOUEVHW.js";
18
18
  import "../chunk-KXXIMSON.js";
19
19
  export {
20
20
  allowAuthAdminOrPerm,
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@innvoid/getmarket-sdk",
3
- "version": "0.2.8",
3
+ "version": "0.2.9",
4
4
  "private": false,
5
5
  "type": "module",
6
6
  "sideEffects": false,
@@ -88,7 +88,7 @@
88
88
  "typecheck": "tsc -p tsconfig.json --noEmit"
89
89
  },
90
90
  "dependencies": {
91
- "@innvoid/getmarket-contracts": "^0.1.16",
91
+ "@innvoid/getmarket-contracts": "^0.1.17",
92
92
  "axios": "^1.13.5",
93
93
  "firebase-admin": "^13.6.1",
94
94
  "jsonwebtoken": "^9.0.2",