@jskit-ai/auth-core 0.1.4

package/package.descriptor.mjs

@@ -0,0 +1,95 @@
+export default Object.freeze({
+  "packageVersion": 1,
+  "packageId": "@jskit-ai/auth-core",
+  "version": "0.1.4",
+  "dependsOn": [
+    "@jskit-ai/value-app-config-shared"
+  ],
+  "capabilities": {
+    "provides": [
+      "auth.access",
+      "auth.policy"
+    ],
+    "requires": []
+  },
+  "runtime": {
+    "server": {
+      "providerEntrypoint": "src/server/providers/AccessCoreServiceProvider.js",
+      "providers": [
+        {
+          "entrypoint": "src/server/providers/AccessCoreServiceProvider.js",
+          "export": "AccessCoreServiceProvider"
+        },
+        {
+          "entrypoint": "src/server/providers/FastifyAuthPolicyServiceProvider.js",
+          "export": "FastifyAuthPolicyServiceProvider"
+        }
+      ]
+    },
+    "client": {
+      "providers": [
+        {
+          "entrypoint": "src/client/providers/AccessCoreClientProvider.js",
+          "export": "AccessCoreClientProvider"
+        },
+        {
+          "entrypoint": "src/client/providers/FastifyAuthPolicyClientProvider.js",
+          "export": "FastifyAuthPolicyClientProvider"
+        }
+      ]
+    }
+  },
+  "metadata": {
+    "apiSummary": {
+      "surfaces": [
+        {
+          "subpath": "./client",
+          "summary": "Exports client auth access APIs plus AccessCoreClientProvider/FastifyAuthPolicyClientProvider."
+        },
+        {
+          "subpath": "./server",
+          "summary": "Exports server auth access and Fastify auth policy providers plus server auth utility modules."
+        },
+        {
+          "subpath": "./shared",
+          "summary": "Exports shared auth client helpers (createApi and runAuthSignOutFlow), with structured subpaths at ./shared/authApi and ./shared/signOutFlow."
+        }
+      ],
+      "containerTokens": {
+        "server": [
+          "auth.access"
+        ],
+        "client": [
+          "auth.access.client"
+        ]
+      }
+    }
+  },
+  "mutations": {
+    "dependencies": {
+      "runtime": {
+        "@jskit-ai/kernel": "0.1.4",
+        "@fastify/cookie": "^11.0.2",
+        "@fastify/csrf-protection": "^7.1.0",
+        "@fastify/rate-limit": "^10.3.0"
+      },
+      "dev": {}
+    },
+    "packageJson": {
+      "scripts": {}
+    },
+    "procfile": {},
+    "files": [],
+    "text": [
+      {
+        "file": ".env",
+        "op": "upsert-env",
+        "key": "AUTH_PROFILE_MODE",
+        "value": "standalone",
+        "reason": "Default auth profile mode to standalone when users-core is not installed.",
+        "category": "runtime-config",
+        "id": "auth-profile-mode"
+      }
+    ]
+  }
+});

package/package.json

@@ -0,0 +1,51 @@
+{
+  "name": "@jskit-ai/auth-core",
+  "version": "0.1.4",
+  "type": "module",
+  "scripts": {
+    "test": "node --test"
+  },
+  "exports": {
+    "./server/providers/AccessCoreServiceProvider": "./src/server/providers/AccessCoreServiceProvider.js",
+    "./server/providers/FastifyAuthPolicyServiceProvider": "./src/server/providers/FastifyAuthPolicyServiceProvider.js",
+    "./server/utils": "./src/server/utils.js",
+    "./server/validators": "./src/server/validators.js",
+    "./server/inviteTokens": "./src/server/inviteTokens.js",
+    "./server/membershipAccess": "./src/server/membershipAccess.js",
+    "./server/lib/index": "./src/server/lib/index.js",
+    "./server/lib/plugin": "./src/server/lib/plugin.js",
+    "./server/lib/routeMeta": "./src/server/lib/routeMeta.js",
+    "./server/lib/tokens": "./src/server/lib/tokens.js",
+    "./client": "./src/client/index.js",
+    "./client/authApi": "./src/client/authApi.js",
+    "./client/signOutFlow": "./src/client/signOutFlow.js",
+    "./shared": "./src/shared/index.js",
+    "./shared/authApi": "./src/shared/authApi.js",
+    "./shared/signOutFlow": "./src/shared/signOutFlow.js",
+    "./shared/authPaths": "./src/shared/authPaths.js",
+    "./shared/authConstraints": "./src/shared/authConstraints.js",
+    "./shared/authMethods": "./src/shared/authMethods.js",
+    "./shared/oauthProviders": "./src/shared/oauthProviders.js",
+    "./shared/oauthCallbackParams": "./src/shared/oauthCallbackParams.js",
+    "./shared/inputNormalization": "./src/shared/inputNormalization.js",
+    "./shared/inviteTokens": "./src/shared/inviteTokens.js",
+    "./shared/commands/authRegisterCommand": "./src/shared/commands/authRegisterCommand.js",
+    "./shared/commands/authLoginPasswordCommand": "./src/shared/commands/authLoginPasswordCommand.js",
+    "./shared/commands/authLoginOtpRequestCommand": "./src/shared/commands/authLoginOtpRequestCommand.js",
+    "./shared/commands/authLoginOtpVerifyCommand": "./src/shared/commands/authLoginOtpVerifyCommand.js",
+    "./shared/commands/authLoginOAuthStartCommand": "./src/shared/commands/authLoginOAuthStartCommand.js",
+    "./shared/commands/authLoginOAuthCompleteCommand": "./src/shared/commands/authLoginOAuthCompleteCommand.js",
+    "./shared/commands/authPasswordResetRequestCommand": "./src/shared/commands/authPasswordResetRequestCommand.js",
+    "./shared/commands/authPasswordRecoveryCompleteCommand": "./src/shared/commands/authPasswordRecoveryCompleteCommand.js",
+    "./shared/commands/authPasswordResetCommand": "./src/shared/commands/authPasswordResetCommand.js",
+    "./shared/commands/authLogoutCommand": "./src/shared/commands/authLogoutCommand.js",
+    "./shared/commands/authSessionReadCommand": "./src/shared/commands/authSessionReadCommand.js"
+  },
+  "dependencies": {
+    "@jskit-ai/kernel": "0.1.4",
+    "@fastify/cookie": "^11.0.2",
+    "@fastify/csrf-protection": "^7.1.0",
+    "@fastify/rate-limit": "^10.3.0",
+    "typebox": "^1.0.81"
+  }
+}

package/src/client/authApi.js

@@ -0,0 +1 @@
+export { createApi } from "../shared/authApi.js";

package/src/client/index.js

@@ -0,0 +1,2 @@
+export { AccessCoreClientProvider } from "./providers/AccessCoreClientProvider.js";
+export { FastifyAuthPolicyClientProvider } from "./providers/FastifyAuthPolicyClientProvider.js";

package/src/client/providers/AccessCoreClientProvider.js

@@ -0,0 +1,23 @@
+import { createApi as createAuthApi } from "../authApi.js";
+import { runAuthSignOutFlow } from "../signOutFlow.js";
+
+const CLIENT_API = Object.freeze({
+  createAuthApi,
+  runAuthSignOutFlow
+});
+
+class AccessCoreClientProvider {
+  static id = "auth.access.client";
+
+  register(app) {
+    if (!app || typeof app.singleton !== "function") {
+      throw new Error("AccessCoreClientProvider requires application singleton().");
+    }
+
+    app.singleton("auth.access.client", () => CLIENT_API);
+  }
+
+  boot() {}
+}
+
+export { AccessCoreClientProvider };

package/src/client/providers/FastifyAuthPolicyClientProvider.js

@@ -0,0 +1,13 @@
+class FastifyAuthPolicyClientProvider {
+  static id = "auth.policy.client";
+
+  register(app) {
+    if (!app || typeof app.singleton !== "function") {
+      throw new Error("FastifyAuthPolicyClientProvider requires application singleton().");
+    }
+  }
+
+  boot() {}
+}
+
+export { FastifyAuthPolicyClientProvider };

package/src/client/signOutFlow.js

@@ -0,0 +1 @@
+export { runAuthSignOutFlow } from "../shared/signOutFlow.js";

package/src/server/inviteTokens.js

@@ -0,0 +1,41 @@
+import crypto from "node:crypto";
+import {
+  OPAQUE_INVITE_TOKEN_HASH_PREFIX,
+  normalizeInviteToken,
+  isSha256Hex,
+  encodeInviteTokenHash,
+  decodeInviteTokenHash
+} from "../shared/inviteTokens.js";
+
+function buildInviteToken() {
+  return crypto.randomBytes(24).toString("hex");
+}
+
+function hashInviteToken(token) {
+  return crypto.createHash("sha256").update(normalizeInviteToken(token)).digest("hex");
+}
+
+function resolveInviteTokenHash(inviteToken) {
+  const normalizedToken = normalizeInviteToken(inviteToken);
+  if (!normalizedToken) {
+    return "";
+  }
+
+  const decodedTokenHash = decodeInviteTokenHash(normalizedToken);
+  if (decodedTokenHash) {
+    return decodedTokenHash;
+  }
+
+  return hashInviteToken(normalizedToken);
+}
+
+export {
+  OPAQUE_INVITE_TOKEN_HASH_PREFIX,
+  normalizeInviteToken,
+  isSha256Hex,
+  buildInviteToken,
+  hashInviteToken,
+  encodeInviteTokenHash,
+  decodeInviteTokenHash,
+  resolveInviteTokenHash
+};

package/src/server/lib/actionContextContributor.js

@@ -0,0 +1,36 @@
+import { normalizeText } from "@jskit-ai/kernel/shared/support/normalize";
+
+function normalizePermissions(value) {
+  const source = Array.isArray(value) ? value : [];
+  return source.map((entry) => normalizeText(entry)).filter(Boolean);
+}
+
+function createAuthActionContextContributor() {
+  return Object.freeze({
+    contributorId: "auth.policy.request-context",
+    contribute({ request } = {}) {
+      const contribution = {};
+      const permissions = normalizePermissions(request?.permissions);
+
+      if (request?.user) {
+        contribution.actor = request.user;
+      }
+
+      if (request?.workspace) {
+        contribution.workspace = request.workspace;
+      }
+
+      if (request?.membership) {
+        contribution.membership = request.membership;
+      }
+
+      if (permissions.length > 0) {
+        contribution.permissions = permissions;
+      }
+
+      return contribution;
+    }
+  });
+}
+
+export { createAuthActionContextContributor };

package/src/server/lib/authPolicySupport.js

@@ -0,0 +1,38 @@
+import { asObject } from "./objectUtils.js";
+
+function assertFunction(value, name) {
+  if (typeof value !== "function") {
+    throw new Error(`${name} is required.`);
+  }
+  return value;
+}
+
+function assertAuthPolicyDeps(deps = {}) {
+  const source = asObject(deps);
+  const resolveActor = assertFunction(source.resolveActor, "resolveActor");
+  const hasPermission = assertFunction(source.hasPermission, "hasPermission");
+
+  return {
+    resolveActor,
+    resolveContext: typeof source.resolveContext === "function" ? source.resolveContext : null,
+    hasPermission,
+    onPolicyDenied: typeof source.onPolicyDenied === "function" ? source.onPolicyDenied : null
+  };
+}
+
+function normalizeActorResolution(result) {
+  const source = asObject(result);
+  const actor = Object.hasOwn(source, "actor")
+    ? source.actor
+    : Object.hasOwn(source, "profile")
+      ? source.profile
+      : null;
+
+  return {
+    authenticated: Boolean(source.authenticated),
+    actor,
+    transientFailure: Boolean(source.transientFailure)
+  };
+}
+
+export { assertAuthPolicyDeps, normalizeActorResolution };

package/src/server/lib/errors.js

@@ -0,0 +1,20 @@
+const AUTH_POLICY_DENY_REASONS = Object.freeze({
+  AUTH_UPSTREAM_UNAVAILABLE: "auth_upstream_unavailable",
+  UNAUTHENTICATED: "unauthenticated",
+  OWNER_UNRESOLVED: "owner_unresolved",
+  FORBIDDEN_OWNER_MISMATCH: "forbidden_owner_mismatch",
+  INVALID_AUTH_POLICY: "invalid_auth_policy",
+  FORBIDDEN_PERMISSION: "forbidden_permission"
+});
+
+function createAuthPolicyError(status, message, { code = "AUTH_POLICY_ERROR" } = {}) {
+  const normalizedStatus = Number(status) || 500;
+  const error = new Error(String(message || "Request failed."));
+  error.name = "AuthPolicyError";
+  error.status = normalizedStatus;
+  error.statusCode = normalizedStatus;
+  error.code = String(code || "AUTH_POLICY_ERROR");
+  return error;
+}
+
+export { AUTH_POLICY_DENY_REASONS, createAuthPolicyError };

package/src/server/lib/index.js

@@ -0,0 +1,3 @@
+export { authPolicyPlugin } from "./plugin.js";
+export { withAuthPolicy, mergeAuthPolicy } from "./routeMeta.js";
+export { AUTH_POLICY_CONTEXT_RESOLVER_TOKEN } from "./tokens.js";

package/src/server/lib/objectUtils.js

@@ -0,0 +1,5 @@
+function asObject(value) {
+  return value && typeof value === "object" ? value : {};
+}
+
+export { asObject };

package/src/server/lib/plugin.js

@@ -0,0 +1,247 @@
+import fastifyCookie from "@fastify/cookie";
+import fastifyCsrfProtection from "@fastify/csrf-protection";
+import fastifyRateLimit from "@fastify/rate-limit";
+import { safeRequestUrl } from "@jskit-ai/kernel/server/runtime/requestUrl";
+
+import { assertAuthPolicyDeps, normalizeActorResolution } from "./authPolicySupport.js";
+import { AUTH_POLICY_DENY_REASONS, createAuthPolicyError } from "./errors.js";
+import { AUTH_POLICIES, CONTEXT_POLICIES, resolveAuthPolicyMeta } from "./routeMeta.js";
+
+const DEFAULT_API_PREFIX = "/api/";
+const DEFAULT_RATE_LIMIT_PLUGIN_OPTIONS = Object.freeze({
+  global: false
+});
+const DEFAULT_UNSAFE_METHODS = Object.freeze(["POST", "PUT", "PATCH", "DELETE"]);
+
+function normalizeUnsafeMethods(methodsValue) {
+  const source = Array.isArray(methodsValue) ? methodsValue : DEFAULT_UNSAFE_METHODS;
+  return new Set(source.map((method) => String(method || "").trim().toUpperCase()).filter(Boolean));
+}
+
+function normalizeApiPrefix(value) {
+  const normalized = String(value || "").trim();
+  return normalized || DEFAULT_API_PREFIX;
+}
+
+function normalizeRateLimitPluginOptions(value) {
+  if (!value || typeof value !== "object") {
+    return {
+      ...DEFAULT_RATE_LIMIT_PLUGIN_OPTIONS
+    };
+  }
+
+  return value;
+}
+
+function resolveRouteConfig(request) {
+  if (!request?.routeOptions || typeof request.routeOptions !== "object") {
+    return {};
+  }
+
+  const routeConfig = request.routeOptions.config;
+  if (!routeConfig || typeof routeConfig !== "object") {
+    return {};
+  }
+
+  return routeConfig;
+}
+
+function enforceCsrfProtection(fastify, request, reply) {
+  return new Promise((resolve, reject) => {
+    fastify.csrfProtection(request, reply, (error) => {
+      if (error) {
+        reject(error);
+        return;
+      }
+      resolve();
+    });
+  });
+}
+
+function resolveCsrfToken(request) {
+  return request.headers["csrf-token"] || request.headers["x-csrf-token"] || request.headers["x-xsrf-token"] || null;
+}
+
+function resolveOwnerValue(meta, request) {
+  if (typeof meta.ownerResolver === "function") {
+    return meta.ownerResolver({
+      req: request,
+      res: request.raw,
+      url: safeRequestUrl(request),
+      params: request.params || {},
+      user: request.user || null
+    });
+  }
+
+  if (typeof meta.ownerParam === "string" && meta.ownerParam) {
+    return request.params ? request.params[meta.ownerParam] : null;
+  }
+
+  return null;
+}
+
+function notifyPolicyDenied(onPolicyDenied, payload) {
+  if (typeof onPolicyDenied !== "function") {
+    return;
+  }
+  onPolicyDenied(payload);
+}
+
+function authPolicyPlugin(deps = {}, options = {}) {
+  const { resolveActor, resolveContext, hasPermission, onPolicyDenied } = assertAuthPolicyDeps(deps);
+  const apiPrefix = normalizeApiPrefix(options.apiPrefix);
+  const unsafeMethods = normalizeUnsafeMethods(options.unsafeMethods);
+  const rateLimitPluginOptions = normalizeRateLimitPluginOptions(options.rateLimitPluginOptions);
+  const nodeEnv = String(options.nodeEnv || "").trim();
+  const csrfCookieOpts =
+    options.csrfCookieOpts && typeof options.csrfCookieOpts === "object" ? options.csrfCookieOpts : {};
+  const resolveCsrfTokenFn = typeof options.resolveCsrfToken === "function" ? options.resolveCsrfToken : resolveCsrfToken;
+  const createError =
+    typeof options.createError === "function"
+      ? options.createError
+      : (status, message) => createAuthPolicyError(status, message);
+
+  return async function registerAuthPolicyPlugin(fastify) {
+    await fastify.register(fastifyCookie);
+    await fastify.register(fastifyRateLimit, rateLimitPluginOptions);
+    await fastify.register(fastifyCsrfProtection, {
+      getToken: resolveCsrfTokenFn,
+      cookieOpts: {
+        path: "/",
+        sameSite: "lax",
+        secure: nodeEnv === "production",
+        httpOnly: true,
+        ...csrfCookieOpts
+      }
+    });
+
+    fastify.decorateRequest("user", null);
+    fastify.decorateRequest("workspace", null);
+    fastify.decorateRequest("membership", null);
+    fastify.decorateRequest("permissions", null);
+
+    fastify.addHook("preHandler", async (request, reply) => {
+      const pathname = request?.raw?.url || request?.url || "/";
+      if (!String(pathname).startsWith(apiPrefix)) {
+        return;
+      }
+
+      const meta = resolveAuthPolicyMeta(resolveRouteConfig(request));
+      if (meta.csrfProtection && unsafeMethods.has(String(request?.method || "").toUpperCase())) {
+        await enforceCsrfProtection(fastify, request, reply);
+      }
+
+      if (meta.authPolicy === AUTH_POLICIES.PUBLIC) {
+        return;
+      }
+
+      const actorResolution = normalizeActorResolution(await resolveActor(request, reply, meta));
+      if (actorResolution.transientFailure) {
+        notifyPolicyDenied(onPolicyDenied, {
+          reason: AUTH_POLICY_DENY_REASONS.AUTH_UPSTREAM_UNAVAILABLE,
+          statusCode: 503,
+          request,
+          meta,
+          actor: actorResolution.actor,
+          context: null
+        });
+        throw createError(503, "Authentication service temporarily unavailable. Please retry.");
+      }
+
+      if (!actorResolution.authenticated) {
+        notifyPolicyDenied(onPolicyDenied, {
+          reason: AUTH_POLICY_DENY_REASONS.UNAUTHENTICATED,
+          statusCode: 401,
+          request,
+          meta,
+          actor: actorResolution.actor,
+          context: null
+        });
+        throw createError(401, "Authentication required.");
+      }
+
+      request.user = actorResolution.actor;
+      request.workspace = null;
+      request.membership = null;
+      request.permissions = [];
+
+      if (meta.authPolicy === AUTH_POLICIES.OWN) {
+        const ownerValue = await resolveOwnerValue(meta, request);
+        const userValue = request?.user ? request.user[meta.userField] : null;
+
+        if (ownerValue == null || userValue == null) {
+          notifyPolicyDenied(onPolicyDenied, {
+            reason: AUTH_POLICY_DENY_REASONS.OWNER_UNRESOLVED,
+            statusCode: 400,
+            request,
+            meta,
+            actor: actorResolution.actor,
+            context: null
+          });
+          throw createError(400, "Route owner could not be resolved.");
+        }
+
+        if (String(ownerValue) !== String(userValue)) {
+          notifyPolicyDenied(onPolicyDenied, {
+            reason: AUTH_POLICY_DENY_REASONS.FORBIDDEN_OWNER_MISMATCH,
+            statusCode: 403,
+            request,
+            meta,
+            actor: actorResolution.actor,
+            context: null
+          });
+          throw createError(403, "Forbidden.");
+        }
+      } else if (meta.authPolicy !== AUTH_POLICIES.REQUIRED) {
+        notifyPolicyDenied(onPolicyDenied, {
+          reason: AUTH_POLICY_DENY_REASONS.INVALID_AUTH_POLICY,
+          statusCode: 500,
+          request,
+          meta,
+          actor: actorResolution.actor,
+          context: null
+        });
+        throw createError(500, "Invalid route auth policy configuration.");
+      }
+
+      let context = null;
+      if (resolveContext && (meta.contextPolicy !== CONTEXT_POLICIES.NONE || meta.permission)) {
+        context = await resolveContext({
+          request,
+          actor: actorResolution.actor,
+          meta
+        });
+        const normalizedContext = context && typeof context === "object" ? context : {};
+        request.workspace = normalizedContext.workspace || null;
+        request.membership = normalizedContext.membership || null;
+        request.permissions = Array.isArray(normalizedContext.permissions) ? normalizedContext.permissions : [];
+      }
+
+      if (meta.permission) {
+        const allowed = await Promise.resolve(
+          hasPermission({
+            permission: meta.permission,
+            permissions: request.permissions,
+            request,
+            actor: actorResolution.actor,
+            context,
+            meta
+          })
+        );
+        if (!allowed) {
+          notifyPolicyDenied(onPolicyDenied, {
+            reason: AUTH_POLICY_DENY_REASONS.FORBIDDEN_PERMISSION,
+            statusCode: 403,
+            request,
+            meta,
+            actor: actorResolution.actor,
+            context
+          });
+          throw createError(403, "Forbidden.");
+        }
+      }
+    });
+  };
+}
+
+export { authPolicyPlugin };

package/src/server/lib/routeMeta.js

@@ -0,0 +1,64 @@
+import { asObject } from "./objectUtils.js";
+
+const AUTH_POLICIES = Object.freeze({
+  PUBLIC: "public",
+  REQUIRED: "required",
+  OWN: "own"
+});
+
+const CONTEXT_POLICIES = Object.freeze({
+  NONE: "none",
+  OPTIONAL: "optional",
+  REQUIRED: "required"
+});
+
+const DEFAULT_AUTH_POLICY_META = Object.freeze({
+  authPolicy: AUTH_POLICIES.PUBLIC,
+  contextPolicy: CONTEXT_POLICIES.NONE,
+  surface: "",
+  permission: "",
+  ownerParam: null,
+  userField: "id",
+  ownerResolver: null,
+  csrfProtection: true
+});
+
+function resolveAuthPolicyMeta(input = {}) {
+  const source = asObject(input);
+  return {
+    authPolicy: source.authPolicy || AUTH_POLICIES.PUBLIC,
+    contextPolicy: source.contextPolicy || CONTEXT_POLICIES.NONE,
+    surface: String(source.surface || "").trim(),
+    permission: String(source.permission || "").trim(),
+    ownerParam: typeof source.ownerParam === "string" && source.ownerParam ? source.ownerParam : null,
+    userField: source.userField || "id",
+    ownerResolver: typeof source.ownerResolver === "function" ? source.ownerResolver : null,
+    csrfProtection: source.csrfProtection !== false
+  };
+}
+
+function withAuthPolicy(meta = {}) {
+  return {
+    config: resolveAuthPolicyMeta(meta)
+  };
+}
+
+function mergeAuthPolicy(routeOptions = {}, meta = {}) {
+  const sourceRouteOptions = asObject(routeOptions);
+  const sourceConfig = asObject(sourceRouteOptions.config);
+  const sourceMeta = asObject(meta);
+  const normalizedMeta = resolveAuthPolicyMeta({
+    ...sourceConfig,
+    ...sourceMeta
+  });
+
+  return {
+    ...sourceRouteOptions,
+    config: {
+      ...sourceConfig,
+      ...normalizedMeta
+    }
+  };
+}
+
+export { AUTH_POLICIES, CONTEXT_POLICIES, DEFAULT_AUTH_POLICY_META, resolveAuthPolicyMeta, withAuthPolicy, mergeAuthPolicy };

package/src/server/lib/routeVisibilityResolver.js

@@ -0,0 +1,25 @@
+import { normalizeOpaqueId } from "@jskit-ai/kernel/shared/support/normalize";
+
+function createAuthRouteVisibilityResolver() {
+  return Object.freeze({
+    resolverId: "auth.policy.visibility",
+    resolve({ visibility, context, request } = {}) {
+      if (visibility !== "user") {
+        return {};
+      }
+
+      const actor = context?.actor || request?.user || null;
+      const userOwnerId = normalizeOpaqueId(actor?.id);
+      if (userOwnerId == null) {
+        return {};
+      }
+
+      return {
+        userOwnerId,
+        requiresActorScope: true
+      };
+    }
+  });
+}
+
+export { createAuthRouteVisibilityResolver };